ERC: Agent Permission Validator for Modular Smart Accounts #11419

@incyashraj

Hi All,

I'm proposing a new ERC: a standard IAgentPermissionValidator interface for ERC-7579 validator modules that enforce cryptographically-scoped permissions on autonomous AI agent user operations.


The Problem

AI agents are operating on EVM chains at scale today — controlling wallets, executing DeFi trades, and managing DAO treasuries. ERC-4337 gives us the validateUserOp hook. ERC-7579 gives us modular validator modules. But there is no standard for what agent-specific constraints a validator should enforce.

Every team building AI agent access control today invents its own:

  • Per-agent permission scope structure
  • Spend cap denomination and accounting logic
  • Revocation interface and event schema
  • Violation signalling back to off-chain tooling

This prevents composability. A compliance dashboard, a monitoring system, or an auditor tool cannot interpret agent permissions across deployments without custom adapters.


The Proposal

A minimal, additive IAgentPermissionValidator interface deployable as an ERC-7579 validator module (module type 1):

interface IAgentPermissionValidator {
    struct PermissionScope {
        address[] allowedProtocols;
        bytes4[]  allowedSelectors;
        address[] allowedTokens;
        uint256   perTxSpendCapUSD;
        uint256   dailySpendCapUSD;
        uint48    validFrom;
        uint48    validUntil;
        uint8     windowDaysMask;   // Mon–Sun bitmask
        bool      allowAnyProtocol;
        bool      allowAnyToken;
        bool      revoked;
    }

    event PermissionGranted(bytes32 indexed agentId, bytes32 indexed scopeHash, uint48 validUntil);
    event PermissionRevoked(bytes32 indexed agentId, address indexed revokedBy);
    event PermissionViolation(bytes32 indexed agentId, address indexed target, string violationType);

    function grantPermission(bytes32 agentId, PermissionScope calldata scope, bytes calldata ownerSignature) external;
    function revokePermission(bytes32 agentId) external;
    function validateUserOp(PackedUserOperation calldata userOp, bytes32 userOpHash) external returns (uint256);
    function getActiveScope(bytes32 agentId) external view returns (PermissionScope memory);
    function hasActivePermission(bytes32 agentId) external view returns (bool);
}

The PermissionScope struct captures the full set of agent constraints. Permission grants are signed by the principal via EIP-712. The windowDaysMask field enables weekday-only trading windows as a uint8 bitmask (bit 0 = Monday). USD spend caps use a sliding 24-hour window to prevent gaming at fixed daily resets.

A standardised violationType string registry in the ERC enables tooling to interpret violations across implementations without custom adapters.


Reference Implementation

This is not a paper proposal — there is a working deployed implementation (Bouclier Protocol, Base Sepolia) with:

  • 5 source-verified contracts implementing this interface
  • 143 unit + integration + invariant tests passing
  • Certora Prover formal verification: 15 rules, 0 violations
  • Echidna fuzzing: 10M iterations, 0 violations
  • EIP-7702 adapter and ERC-6900 adapter
  • TypeScript + Python SDKs
  • LangChain, Coinbase AgentKit, and ELIZA integrations
  • Deployed The Graph subgraph

Implementation: https://github.com/incyashraj/bouclier


Thanks for reading. Looking forward to the discussion.

— Yashraj Pardeshi | https://github.com/incyashraj/bouclier
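
The `windowDaysMask` and sliding 24-hour cap semantics described in the post, as an added off-chain Python model (not code from the proposal or from the Bouclier repository). It assumes UTC day boundaries, whole-dollar integer amounts, an inclusive `validUntil`, and a check order chosen here; the violation labels and all helper names are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds

@dataclass
class Scope:  # subset of the proposal's PermissionScope fields
    per_tx_spend_cap_usd: int
    daily_spend_cap_usd: int
    valid_from: int
    valid_until: int
    window_days_mask: int  # bit 0 = Monday ... bit 6 = Sunday
    revoked: bool = False

def weekday_bit(ts):
    # 1970-01-01 (day 0) was a Thursday, index 3 when Monday = 0.
    return 1 << ((ts // DAY + 3) % 7)

def spent_sliding(history, now):
    # USD spent in the half-open window (now - 24h, now].
    return sum(amt for ts, amt in history if now - DAY < ts <= now)

def spent_fixed_day(history, now):
    # USD spent since the last UTC midnight (the fixed-reset design).
    return sum(amt for ts, amt in history if ts // DAY == now // DAY)

def check(scope, now, amount_usd, history, spent=spent_sliding):
    """Return None if allowed, else a violation label (labels are constructed)."""
    if scope.revoked:
        return "REVOKED"
    if not scope.valid_from <= now <= scope.valid_until:
        return "OUTSIDE_VALIDITY"
    if not scope.window_days_mask & weekday_bit(now):
        return "OUTSIDE_DAY_WINDOW"
    if amount_usd > scope.per_tx_spend_cap_usd:
        return "PER_TX_CAP"
    if spent(history, now) + amount_usd > scope.daily_spend_cap_usd:
        return "DAILY_CAP"
    return None

# Constructed sample data: 2024-01-01 00:00:00 UTC was a Monday.
MON_0000 = 1_704_067_200
MON_2359 = MON_0000 + 23 * 3600 + 59 * 60
TUE_0001 = MON_0000 + DAY + 60
SAT_NOON = MON_0000 + 5 * DAY + 12 * 3600
SCOPE = Scope(1000, 1000, MON_0000, MON_0000 + 30 * DAY, 0b0011111)  # Mon-Fri
HISTORY = [(MON_2359, 1000)]  # agent already spent the full cap at 23:59

if __name__ == "__main__":
    print("sliding:", check(SCOPE, TUE_0001, 1000, HISTORY))
    print("fixed  :", check(SCOPE, TUE_0001, 1000, HISTORY, spent_fixed_day))
```

With a fixed midnight reset the second 1000 USD spend two minutes later is accepted, doubling the effective cap; the sliding window rejects it.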
