Interactive walkthrough · 5-min read
From intent to verifiable capsule, in 8 steps
Scroll to walk through the full SBO3L pipeline — every step shows the code that runs at that point. By the end, you'll know what ends up in a Passport capsule and why every byte is necessary.
{
"schema_version": 1,
"agent_id": "research-01",
"intent": {
"kind": "erc20.transfer",
"to": "0xabc...",
"token": "USDC",
"amount": 50000
},
"nonce": "01HZRG-7e8dC1...",
"timestamp_ms": 1714565000000
}APRP — Agent Policy Request Protocol
request_hash = sha256(jcs(aprp_envelope))
= 0xe044f1a7b9c2d385f602e1...Same hash on every implementation — Rust, TypeScript, Python.
if nonce_seen(envelope.nonce) {
return Decision::deny("protocol.nonce_replay");
}
nonce_store.commit(envelope.nonce, request_hash)?;[[intents]]
kind = "erc20.transfer"
where.to = { allowlist = ["acme-treasury", "payroll"] }
where.token = { allowlist = ["USDC", "USDT", "DAI"] }
where.amount = { lte_per_24h = 50000 }
require = [{ human_2fa = true, when = { amount = { gt = 10000 } } }]Policy override surface — inherits sbo3l.root@1
let mut tx = budget_store.begin()?;
let day = tx.spent_today(intent.token)?;
if day + intent.amount > policy.lte_per_24h {
return Decision::deny("policy.budget_exceeded");
}
tx.commit_spend(intent.token, intent.amount)?;let prev = audit_store.tip()?;
let event_canonical = jcs(audit_event)?;
let hash = sha256_concat(prev.hash, event_canonical);
audit_store.append(audit_event, hash)?;{
"schema": "sbo3l.passport_capsule.v1",
"receipt": {
"request_hash": "0xe044f1...",
"outcome": "deny",
"deny_code": "policy.budget_exceeded",
"policy_hash": "0x9bc7de...",
"audit_event_id": "01HZRG-D3F4...",
"signature": "ed25519:5f8A2B..."
},
"evidence": { ... },
"verifier_pubkey": "ed25519:5f8A2B..."
}capsule.json — drop into /proof to verify
import { verifyCapsule } from "@sbo3l/wasm-verifier";
const ok = verifyCapsule(JSON.parse(capsuleJson));
// → ✓ APRP signature
// → ✓ Policy hash matches signed_policy_store
// → ✓ Decision deterministic-replay matches
// → ✓ Audit chain link valid (prev_hash, sha256)
// → ✓ Public key is the registered ENS verifier
// → ✓ Strict-mode (no missing fields, no unknown fields)Bonus · Step 9 in practice
Pin the capsule to 0G Storage
Capsules are self-contained but a 30 KB JSON blob is awkward to
share. 0G Storage gives you a 32-byte content-addressed
rootHash you can paste into a tweet, a Discord
message, or an audit trail. Drop the capsule below and we'll
push it through the 0G testnet (or fall back to the manual
upload tool if the testnet's having a moment, which it often
is).
Upload a Passport capsule to 0G Storage
Drop a capsule JSON below. We'll attempt to push it to 0G's
Galileo testnet and return a content-addressed
rootHash. If the testnet's flaky (it has been all
week), we fall back to the manual web tool — same outcome, two
extra clicks.
0G SDK couldn't auto-push — manual fallback
Heads up: your browser blocked the new tab. Open the 0G storage tool manually (or allow popups for this site, then click Push to 0G Storage again).
- We've opened the 0G storage tool in a new tab.
- Drag the same file there and click Upload.
- Copy the
rootHashthe tool shows you. - Paste it below and we'll surface the permalink + verify it locally.
0G Storage is content-addressed — the rootHash is the proof of upload. No further verification needed beyond format.
Capsule pinned to 0G Storage
Note: couldn't save this rootHash to local history (browser storage quota exceeded). The rootHash above still works as proof of upload — just keep your own copy.