@agenticprimitives/contracts 0.1.0-alpha.2

package/src/libraries/P256Verifier.sol

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+/**
+ * @title P256Verifier
+ * @notice Dispatcher for P-256 (secp256r1) signature verification.
+ *
+ *         **H7-C.2 / CON-P256-001 closure.** Previously this library
+ *         silently fell through to the Daimo P256Verifier at the hardcoded
+ *         address `0xc2b78104907F722DABAc4C69f826a522B2754De4` when the
+ *         RIP-7212 precompile was absent. Two problems:
+ *
+ *           1. `try fast catch slow` pattern — direct ADR-0013 violation
+ *              (one mechanism per security path; an attacker squatting that
+ *              address on a fork made the on-chain verifier accept whatever
+ *              the malicious contract returned).
+ *           2. Un-version-pinned third-party dependency — if Daimo's
+ *              upgrade keys (or address) ever change, every account on
+ *              every chain that fell back becomes compromised in lockstep.
+ *
+ *         This library now uses **RIP-7212 only**. Chains without the
+ *         precompile (e.g. pre-Pectra Ethereum mainnet) cannot use this
+ *         verifier and MUST wire a separate, explicitly configured
+ *         pure-Solidity P-256 verifier at the consumer layer. That config
+ *         is intentionally NOT in this library — a hardcoded fallback in
+ *         a security primitive is the exact pattern the audit rejected.
+ *
+ *         Live deployments at the time of H7-C.2:
+ *           - Base / Base Sepolia       ✓ RIP-7212 native
+ *           - Polygon zkEVM             ✓
+ *           - Optimism (post-Granite)   ✓
+ *           - Scroll, Linea             ✓
+ *           - Anvil (with --odyssey)    ✓
+ *           - Ethereum mainnet          ✗ (until Pectra activates RIP-7212)
+ *
+ *         Input layout: msgHash(32) || r(32) || s(32) || x(32) || y(32)
+ *         Output: bool — true iff the signature verifies.
+ */
+library P256Verifier {
+    address internal constant RIP7212_PRECOMPILE = address(0x100);
+
+    function verify(bytes32 hash, uint256 r, uint256 s, uint256 x, uint256 y) internal view returns (bool) {
+        bytes memory input = abi.encodePacked(hash, r, s, x, y);
+        (bool ok, bytes memory out) = RIP7212_PRECOMPILE.staticcall(input);
+        return ok && out.length >= 32 && uint256(bytes32(out)) == 1;
+    }
+}

package/src/libraries/SignatureSlotRecovery.sol

@@ -0,0 +1,196 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "../ApprovedHashRegistry.sol";
+import {IERC1271} from "@openzeppelin/contracts/interfaces/IERC1271.sol";
+import {WebAuthnLib} from "./WebAuthnLib.sol";
+
+/**
+ * @title SignatureSlotRecovery
+ * @notice Safe-compatible 65-byte signature-slot recovery, factored out
+ *         of `QuorumEnforcer` so both the caveat path (via
+ *         `QuorumEnforcer.beforeHook`) and the account-direct path
+ *         (`AgentAccount.proposeAdmin` / `executeAdmin` / `cancelAdmin`)
+ *         can verify quorum signatures without duplicating ~40 lines
+ *         of ECDSA / ERC-1271 / approve-hash branching.
+ *
+ * @dev Per-slot layout (65 bytes):
+ *        {32 r/data}{32 s/data}{1 v/type}
+ *
+ *      v-byte type discrimination (Safe-compatible + AP extension):
+ *         v == 27 || v == 28 → ECDSA over `payloadHash`
+ *         v >  30            → eth_sign ECDSA (EIP-191 wrapped); v - 4 = recovery
+ *         v == 1             → pre-approved hash via `approvedHashRegistry`;
+ *                              r holds signer (left-padded), s unused
+ *         v == 0             → ERC-1271 contract sig; r holds signer
+ *                              (left-padded), s holds the byte offset into
+ *                              `signatures` to a length-prefixed sig tail
+ *         v == 2             → WebAuthn passkey sig (agenticprimitives
+ *                              extension; NOT in Safe). r holds the
+ *                              Passkey-Identity-Address (PIA, derived
+ *                              from the P-256 pubkey via
+ *                              `address(uint160(uint256(keccak256(abi.encode(x, y)))))`).
+ *                              s holds the byte offset into `signatures`
+ *                              to a length-prefixed tail containing
+ *                              `abi.encode(uint256 x, uint256 y, bytes32 rpIdHash, WebAuthnLib.Assertion assertion)`.
+ *                              The `rpIdHash` MUST equal the rpIdHash this credential was
+ *                              registered against — verified by `WebAuthnLib.verify`. Added
+ *                              in H7-C.1 / CON-WEBAUTHN-001 closure.
+ *                              The library re-derives the PIA from (x, y)
+ *                              and asserts it matches r before running
+ *                              the WebAuthn verify against (x, y).
+ *                              Caller-side authorization is unchanged —
+ *                              CustodyPolicy still checks
+ *                              `account.isCustodian(pia)` after recovery.
+ *
+ *      Library is `internal` so the bodies inline into each calling contract
+ *      (no DELEGATECALL hop, no proxy address juggling, no extra storage
+ *      lookup). Both callers pay the gas for one copy each but the
+ *      maintenance burden of "two diverging recovers" is eliminated.
+ */
+library SignatureSlotRecovery {
+    error InvalidSignature(uint8 v);
+    error ApprovedHashRequired(address signer);
+    error ContractSigInvalid(address signer);
+    error PasskeySigInvalid(address signer);
+    error PasskeyPubKeyMismatch(address claimed, address derived);
+    /// @notice H7-C.3 / CON-SIG-SLOT-001/-002 — a slot's tail (length + blob)
+    ///         claims to extend past the end of the `signatures` array.
+    ///         Without this check, the assembly load could read unallocated
+    ///         memory and pass garbage to the downstream verifier.
+    error SigTailOutOfBounds(uint8 v, uint256 sigOffset, uint256 sigLen, uint256 totalLen);
+
+    bytes4 internal constant ERC1271_MAGIC = 0x1626ba7e;
+
+    /**
+     * @notice Recover the signer for the i-th 65-byte slot in
+     *         `signatures`. Reverts with one of the library errors on
+     *         malformed input or failed sub-checks; returns the signer
+     *         address on success.
+     *
+     * @param payloadHash             The hash the signer signed.
+     * @param signatures              Packed sig blob (n * 65 bytes + optional
+     *                                ERC-1271 sig tails appended after).
+     * @param index                   Zero-based slot index to recover.
+     * @param approvedHashRegistry    Address of the v=1 path's companion
+     *                                registry. Pass `address(0)` if the
+     *                                caller does not want to allow v=1 sigs
+     *                                (e.g. quorum-of-owners admin paths
+     *                                that don't accept pre-approved hashes).
+     */
+    function recoverFromSlot(
+        bytes32 payloadHash,
+        bytes memory signatures,
+        uint256 index,
+        address approvedHashRegistry
+    ) internal view returns (address signer) {
+        bytes32 r;
+        bytes32 s;
+        uint8 v;
+        uint256 offset = index * 65;
+        assembly {
+            let pos := add(signatures, add(0x20, offset))
+            r := mload(pos)
+            s := mload(add(pos, 0x20))
+            v := byte(0, mload(add(pos, 0x40)))
+        }
+
+        if (v == 0) {
+            // ERC-1271 contract signature. r holds the signer
+            // (left-padded); s holds the offset into `signatures` to a
+            // (length, blob) tail.
+            signer = address(uint160(uint256(r)));
+            uint256 sigOffset = uint256(s);
+            // H7-C.3 / CON-SIG-SLOT-001: bound the length-prefix read.
+            // sigOffset must leave room for the 32-byte length word.
+            if (sigOffset + 32 > signatures.length) {
+                revert SigTailOutOfBounds(v, sigOffset, 0, signatures.length);
+            }
+            uint256 sigLen;
+            assembly {
+                sigLen := mload(add(signatures, add(0x20, sigOffset)))
+            }
+            // H7-C.3: bound the tail-blob copy. The tail (length + blob) must
+            // fit fully within `signatures.length`; otherwise the assembly
+            // copy below reads past the buffer and feeds garbage to the
+            // verifier.
+            if (sigOffset + 32 + sigLen > signatures.length) {
+                revert SigTailOutOfBounds(v, sigOffset, sigLen, signatures.length);
+            }
+            bytes memory dyn = new bytes(sigLen);
+            assembly {
+                let src := add(signatures, add(0x40, sigOffset))
+                let dst := add(dyn, 0x20)
+                for { let j := 0 } lt(j, sigLen) { j := add(j, 0x20) } {
+                    mstore(add(dst, j), mload(add(src, j)))
+                }
+            }
+            try IERC1271(signer).isValidSignature(payloadHash, dyn) returns (bytes4 magic) {
+                if (magic != ERC1271_MAGIC) revert ContractSigInvalid(signer);
+            } catch {
+                revert ContractSigInvalid(signer);
+            }
+        } else if (v == 1) {
+            // Pre-approved hash.
+            if (approvedHashRegistry == address(0)) revert InvalidSignature(v);
+            signer = address(uint160(uint256(r)));
+            if (!ApprovedHashRegistry(approvedHashRegistry).isApproved(signer, payloadHash)) {
+                revert ApprovedHashRequired(signer);
+            }
+        } else if (v == 2) {
+            // WebAuthn passkey slot. r holds the claimed PIA; tail
+            // holds (x, y, rpIdHash, Assertion). Verify the assertion
+            // against the supplied pubkey, then assert that the PIA
+            // derived from (x, y) matches the claim. Caller authorizes
+            // via `account.isCustodian(signer)`.
+            signer = address(uint160(uint256(r)));
+            uint256 sigOffset = uint256(s);
+            // H7-C.3 / CON-SIG-SLOT-002: bound the length-prefix read.
+            if (sigOffset + 32 > signatures.length) {
+                revert SigTailOutOfBounds(v, sigOffset, 0, signatures.length);
+            }
+            uint256 sigLen;
+            assembly {
+                sigLen := mload(add(signatures, add(0x20, sigOffset)))
+            }
+            // H7-C.3: bound the tail-blob copy.
+            if (sigOffset + 32 + sigLen > signatures.length) {
+                revert SigTailOutOfBounds(v, sigOffset, sigLen, signatures.length);
+            }
+            bytes memory dyn = new bytes(sigLen);
+            assembly {
+                let src := add(signatures, add(0x40, sigOffset))
+                let dst := add(dyn, 0x20)
+                for { let j := 0 } lt(j, sigLen) { j := add(j, 0x20) } {
+                    mstore(add(dst, j), mload(add(src, j)))
+                }
+            }
+            // H7-C.1 / CON-WEBAUTHN-001: slot now carries rpIdHash so the
+            // verifier pins the RP the assertion was produced for.
+            // Slot encoding: (uint256 pubX, uint256 pubY, bytes32 rpIdHash,
+            //                 WebAuthnLib.Assertion assertion).
+            (uint256 pubX, uint256 pubY, bytes32 rpIdHash, WebAuthnLib.Assertion memory assertion) =
+                abi.decode(dyn, (uint256, uint256, bytes32, WebAuthnLib.Assertion));
+            address derived = address(uint160(uint256(keccak256(abi.encode(pubX, pubY)))));
+            if (derived != signer) revert PasskeyPubKeyMismatch(signer, derived);
+            // requireUv=false at the slot level; account policy can layer UV
+            // requirement via a future policy module.
+            if (!WebAuthnLib.verify(assertion, payloadHash, pubX, pubY, rpIdHash, false)) {
+                revert PasskeySigInvalid(signer);
+            }
+        } else if (v == 27 || v == 28) {
+            signer = ecrecover(payloadHash, v, r, s);
+            if (signer == address(0)) revert InvalidSignature(v);
+        } else if (v > 30) {
+            // eth_sign-wrapped: signer prefixed with the "Ethereum Signed Message"
+            // wrapper before signing. Subtract 4 from v to recover the original
+            // recovery byte.
+            bytes32 wrapped =
+                keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", payloadHash));
+            signer = ecrecover(wrapped, v - 4, r, s);
+            if (signer == address(0)) revert InvalidSignature(v);
+        } else {
+            revert InvalidSignature(v);
+        }
+    }
+}

package/src/libraries/WebAuthnLib.sol

@@ -0,0 +1,164 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "./P256Verifier.sol";
+
+/**
+ * @title WebAuthnLib
+ * @notice Pure-computation library for verifying a WebAuthn assertion against
+ *         an expected challenge hash and a registered P-256 public key.
+ *
+ *   Reconstructs the signing message:
+ *     signingMessage = authenticatorData || sha256(clientDataJSON)
+ *     signingHash    = sha256(signingMessage)
+ *
+ *   Checks (H7-C.1 / CON-WEBAUTHN-001 closure):
+ *     - `authData[0..32]` (rpIdHash) EQUALS `expectedRpIdHash`
+ *       — kills cross-RP signing-oracle attacks where an attacker controls
+ *         a signing oracle at a different RP whose origin happens to be
+ *         under their control. WITHOUT this check the on-chain verifier
+ *         accepted any P-256 signature over `sha256(authData || sha256(cdj))`
+ *         regardless of which RP produced it.
+ *     - User-Present bit set (`authData[32] & 0x01 == 0x01`).
+ *     - If `requireUv = true`, User-Verified bit set (`authData[32] & 0x04 == 0x04`).
+ *     - `clientDataJSON` contains `"type":"webauthn.get"` at `typeIndex`.
+ *     - `clientDataJSON` contains `"challenge":"<base64url(expectedHash)>"`
+ *       at `challengeIndex`.
+ *     - `P256Verifier.verify(signingHash, r, s, x, y)` returns true.
+ *
+ *   The `clientDataJSON.origin` allowlist is NOT pinned here. Origin
+ *   semantics depend on multi-frontend account policy and live in the
+ *   account's stored policy if it adopts an allowlist — verifiers that
+ *   want origin-pinning supply a pre-hashed origin via the consumer's
+ *   own logic.
+ *
+ *   Used by both AgentAccount (native passkey path) and the standalone
+ *   PasskeyValidator (for external 1271-style verification).
+ */
+library WebAuthnLib {
+    /// @notice A WebAuthn-wrapped P-256 signature bundle.
+    struct Assertion {
+        bytes   authenticatorData;
+        string  clientDataJSON;
+        uint256 challengeIndex;
+        uint256 typeIndex;
+        uint256 r;
+        uint256 s;
+        bytes32 credentialIdDigest;
+    }
+
+    /// @notice Verify that `assertion` is a valid WebAuthn signature over
+    ///         `expectedChallengeHash` produced by `(pubX, pubY)`, AND was
+    ///         produced for the RP whose ID hashes to `expectedRpIdHash`,
+    ///         AND has the User-Present (and optionally User-Verified) bits set.
+    ///
+    /// @param assertion             The decoded WebAuthn assertion bundle.
+    /// @param expectedChallengeHash The 32-byte challenge the assertion must sign.
+    /// @param pubX, pubY            The registered P-256 public key (uncompressed).
+    /// @param expectedRpIdHash      `sha256(rpId)` of the RP the credential was
+    ///                              registered against. Pinning this kills the
+    ///                              cross-RP signing-oracle vector.
+    /// @param requireUv             Whether the User-Verified bit must be set
+    ///                              (the account's policy choice).
+    function verify(
+        Assertion memory assertion,
+        bytes32 expectedChallengeHash,
+        uint256 pubX,
+        uint256 pubY,
+        bytes32 expectedRpIdHash,
+        bool requireUv
+    ) internal view returns (bool) {
+        if (!_checkAuthData(assertion.authenticatorData, expectedRpIdHash, requireUv)) {
+            return false;
+        }
+        if (!_checkClientData(assertion.clientDataJSON, assertion.typeIndex, assertion.challengeIndex, expectedChallengeHash)) {
+            return false;
+        }
+        bytes32 cdjHash = sha256(bytes(assertion.clientDataJSON));
+        bytes32 signingHash = sha256(abi.encodePacked(assertion.authenticatorData, cdjHash));
+        return P256Verifier.verify(signingHash, assertion.r, assertion.s, pubX, pubY);
+    }
+
+    /// @dev Validates the authenticatorData header per WebAuthn spec §6.1:
+    ///      bytes [0..32]  = rpIdHash
+    ///      byte  [32]     = flags (bit 0 UP, bit 2 UV, bit 6 AT, bit 7 ED)
+    ///      bytes [33..36] = signCount (big-endian u32; informational, not checked here)
+    function _checkAuthData(
+        bytes memory authData,
+        bytes32 expectedRpIdHash,
+        bool requireUv
+    ) private pure returns (bool) {
+        if (authData.length < 37) return false;
+        // Compare 32-byte rpIdHash prefix.
+        bytes32 actualRpIdHash;
+        assembly {
+            // authData is `bytes`; first 32 bytes after the length word are the rpIdHash.
+            actualRpIdHash := mload(add(authData, 0x20))
+        }
+        if (actualRpIdHash != expectedRpIdHash) return false;
+        uint8 flags = uint8(authData[32]);
+        if (flags & 0x01 == 0) return false; // UP not set
+        if (requireUv && flags & 0x04 == 0) return false; // UV required but not set
+        return true;
+    }
+
+    /// @dev Validates the two structural invariants of clientDataJSON:
+    ///      (1) starts with `"type":"webauthn.get"` at typeIndex
+    ///      (2) has `"challenge":"<base64url(hash)>"` at challengeIndex.
+    function _checkClientData(
+        string memory cdj,
+        uint256 typeIndex,
+        uint256 challengeIndex,
+        bytes32 hash
+    ) private pure returns (bool) {
+        bytes memory buf = bytes(cdj);
+        bytes memory typeExpected = bytes('"type":"webauthn.get"');
+        if (typeIndex + typeExpected.length > buf.length) return false;
+        for (uint256 i; i < typeExpected.length; i++) {
+            if (buf[typeIndex + i] != typeExpected[i]) return false;
+        }
+        bytes memory challengePrefix = bytes('"challenge":"');
+        if (challengeIndex + challengePrefix.length + 43 + 1 > buf.length) return false;
+        for (uint256 i; i < challengePrefix.length; i++) {
+            if (buf[challengeIndex + i] != challengePrefix[i]) return false;
+        }
+        if (buf[challengeIndex + challengePrefix.length + 43] != bytes1('"')) return false;
+
+        // Decode the 43 base64url chars that follow the prefix and compare to `hash`.
+        return _base64UrlEqualsHash(buf, challengeIndex + challengePrefix.length, hash);
+    }
+
+    /// @dev Read 43 base64url chars starting at `offset` in `buf`, decode, and
+    ///      assert the 32 decoded bytes equal `hash`.
+    function _base64UrlEqualsHash(bytes memory buf, uint256 offset, bytes32 hash) private pure returns (bool) {
+        uint256 acc;
+        uint256 bits;
+        uint256 outIdx;
+        bytes memory decoded = new bytes(32);
+        for (uint256 i; i < 43; i++) {
+            int256 v = _b64UrlCharVal(buf[offset + i]);
+            if (v < 0) return false;
+            acc = (acc << 6) | uint256(v);
+            bits += 6;
+            while (bits >= 8 && outIdx < 32) {
+                bits -= 8;
+                decoded[outIdx++] = bytes1(uint8((acc >> bits) & 0xff));
+            }
+        }
+        if (outIdx != 32) return false;
+        for (uint256 i; i < 32; i++) {
+            if (decoded[i] != hash[i]) return false;
+        }
+        return true;
+    }
+
+    function _b64UrlCharVal(bytes1 c) private pure returns (int256) {
+        uint8 b = uint8(c);
+        if (b >= 0x41 && b <= 0x5a) return int256(uint256(b - 0x41));
+        if (b >= 0x61 && b <= 0x7a) return int256(uint256(b - 0x61 + 26));
+        if (b >= 0x30 && b <= 0x39) return int256(uint256(b - 0x30 + 52));
+        if (b == 0x2d) return 62;
+        if (b == 0x5f) return 63;
+        return -1;
+    }
+}

package/src/naming/AgentNameAttributeResolver.sol

@@ -0,0 +1,95 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import "./AgentNameRegistry.sol";
+import "../ontology/AttributeStorage.sol";
+
+/**
+ * @title AgentNameAttributeResolver
+ * @notice Per-node records resolver for the agent-naming registry.
+ *
+ * Inherits `AttributeStorage` so every (node, predicate) write is
+ * validated against the bound `OntologyTermRegistry` — predicates MUST
+ * be registered + active before they can be stored. The subject is the
+ * namehash node (already `bytes32`, no conversion). The on-chain
+ * `AgentName` shape (defined in `ShapeRegistry`) governs which
+ * predicates / datatypes / cardinalities are well-formed for a name.
+ *
+ * Authorization: `msg.sender == REGISTRY.owner(node)`. The owner Smart
+ * Agent's CustodyPolicy module gates the call upstream — this contract
+ * trusts `msg.sender` to be the gated entity per spec 215 § Phase 3.
+ *
+ * Per-spec simplifications kept from the pure key/value port:
+ *   - No multi-coin (ENSIP-9) address records. Other-chain identifiers
+ *     ride on the `atl:nativeId` predicate (a CAIP-10 string).
+ *   - No aliases, versioning, or operator approvals. Rotation flows
+ *     through the registry's `setOwner` (which changes who may write).
+ *
+ * SDK contract: `agenticprimitives/agent-naming/records` exposes
+ * the same predicate ids and routes encode / decode through the typed
+ * setters here. See `AgentNamePredicates.sol` for the canonical set.
+ */
+contract AgentNameAttributeResolver is AttributeStorage {
+    AgentNameRegistry public immutable REGISTRY;
+
+    error NotAuthorized();
+    error NodeNotFound();
+
+    constructor(AgentNameRegistry registry, address ontology) AttributeStorage(ontology) {
+        REGISTRY = registry;
+    }
+
+    // ─── Typed setters (predicate-active checked + owner-only) ──────
+
+    function setStringAttribute(bytes32 node, bytes32 predicate, string calldata value) external {
+        _requireAuth(node);
+        _setString(node, predicate, value);
+    }
+
+    function setAddressAttribute(bytes32 node, bytes32 predicate, address value) external {
+        _requireAuth(node);
+        _setAddress(node, predicate, value);
+    }
+
+    function setBoolAttribute(bytes32 node, bytes32 predicate, bool value) external {
+        _requireAuth(node);
+        _setBool(node, predicate, value);
+    }
+
+    function setUintAttribute(bytes32 node, bytes32 predicate, uint256 value) external {
+        _requireAuth(node);
+        _setUint(node, predicate, value);
+    }
+
+    function setBytes32Attribute(bytes32 node, bytes32 predicate, bytes32 value) external {
+        _requireAuth(node);
+        _setBytes32(node, predicate, value);
+    }
+
+    function setStringArrayAttribute(bytes32 node, bytes32 predicate, string[] calldata values) external {
+        _requireAuth(node);
+        _setStringArr(node, predicate, values);
+    }
+
+    function setAddressArrayAttribute(bytes32 node, bytes32 predicate, address[] calldata values) external {
+        _requireAuth(node);
+        _setAddressArr(node, predicate, values);
+    }
+
+    function setBytes32ArrayAttribute(bytes32 node, bytes32 predicate, bytes32[] calldata values) external {
+        _requireAuth(node);
+        _setBytes32Arr(node, predicate, values);
+    }
+
+    function unsetAttribute(bytes32 node, bytes32 predicate) external {
+        _requireAuth(node);
+        _unset(node, predicate);
+    }
+
+    // ─── Auth ───────────────────────────────────────────────────────
+
+    function _requireAuth(bytes32 node) internal view {
+        if (!REGISTRY.recordExists(node)) revert NodeNotFound();
+        if (msg.sender != REGISTRY.owner(node)) revert NotAuthorized();
+    }
+}

package/src/naming/AgentNamePredicates.sol

@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+/**
+ * @title AgentNamePredicates
+ * @notice Canonical bytes32 predicate ids for the AgentName ontology
+ *         (`atl:*` CURIEs). Single source of truth shared by:
+ *           - Deploy.s.sol (registers these in OntologyTermRegistry)
+ *           - AgentNameAttributeResolver (typed-attribute setters
+ *             validate against these ids)
+ *           - agenticprimitives/agent-naming SDK (off-chain encoders /
+ *             decoders use the same ids)
+ *
+ * Naming convention: `ATL_<UPPER_SNAKE_NAME>` where the CURIE is
+ * `atl:<lowerCamelName>`. Use a library so the constants can be
+ * imported as `using AgentNamePredicates for *;` OR referenced
+ * directly as `AgentNamePredicates.ATL_DISPLAY_NAME`.
+ */
+library AgentNamePredicates {
+    // ─── Resolver-record predicates (forward record + typed metadata) ─
+
+    /// `atl:addr` — the forward record. Stored as `address` datatype.
+    bytes32 internal constant ATL_ADDR                       = keccak256("atl:addr");
+
+    /// `atl:agentKind` — discriminator (`person`/`org`/`service`/`treasury`).
+    /// Stored as `bytes32` (hashed enum value). Bound to AGENT_KIND_ENUM in ShapeRegistry.
+    bytes32 internal constant ATL_AGENT_KIND                 = keccak256("atl:agentKind");
+
+    /// `atl:displayName` — human-friendly label. `string`.
+    bytes32 internal constant ATL_DISPLAY_NAME               = keccak256("atl:displayName");
+
+    /// `atl:a2aEndpoint` — A2A service URL. `string`.
+    bytes32 internal constant ATL_A2A_ENDPOINT               = keccak256("atl:a2aEndpoint");
+
+    /// `atl:mcpEndpoint` — MCP service URL. `string`.
+    bytes32 internal constant ATL_MCP_ENDPOINT               = keccak256("atl:mcpEndpoint");
+
+    /// `atl:metadataURI` — off-chain JSON profile URL. `string`.
+    bytes32 internal constant ATL_METADATA_URI               = keccak256("atl:metadataURI");
+
+    /// `atl:metadataHash` — keccak256 of the canonical-JSON profile
+    /// (matches `agenticprimitives/agent-identity.profileContentHash`).
+    /// `bytes32`.
+    bytes32 internal constant ATL_METADATA_HASH              = keccak256("atl:metadataHash");
+
+    /// `atl:passkeyCredentialDigest` — keccak256 of the controlling
+    /// passkey credentialId (NEVER the raw credentialId). `bytes32`.
+    bytes32 internal constant ATL_PASSKEY_CREDENTIAL_DIGEST  = keccak256("atl:passkeyCredentialDigest");
+
+    /// `atl:custodyPolicy` — address of the owner Smart Agent's
+    /// CustodyPolicy module. `address`.
+    bytes32 internal constant ATL_CUSTODY_POLICY             = keccak256("atl:custodyPolicy");
+
+    /// `atl:nativeId` — CAIP-10 chain-agnostic account identifier
+    /// (per ADR-0008). `string`.
+    bytes32 internal constant ATL_NATIVE_ID                  = keccak256("atl:nativeId");
+
+    // ─── Shape + enum-set ids ───────────────────────────────────────
+
+    /// `atl:AgentName` — the class id for ShapeRegistry validation.
+    bytes32 internal constant CLASS_AGENT_NAME               = keccak256("atl:AgentName");
+
+    /// Enum set bound to `atl:agentKind`. Contains the three hashed
+    /// member ids below.
+    bytes32 internal constant AGENT_KIND_ENUM                = keccak256("atl:AgentKindEnum");
+
+    // agentKind is 3-valued (person/org/service). A treasury is a KIND OF
+    // SERVICE (agentKind=service), distinguished at the profile layer
+    // (ProfileType/serviceType='treasury'; specs 210/217/225 §6) — NOT its own
+    // agent kind. Do not re-add AGENT_KIND_TREASURY.
+    bytes32 internal constant AGENT_KIND_PERSON              = keccak256("person");
+    bytes32 internal constant AGENT_KIND_ORG                 = keccak256("org");
+    bytes32 internal constant AGENT_KIND_SERVICE             = keccak256("service");
+}