opmsec 0.1.0 → 0.1.4

package/packages/cli/src/services/contract.ts

@@ -1,20 +1,22 @@
 import { ethers } from 'ethers';
-import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC } from '@opm/core';
+import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC, DEFAULT_CONTRACT_ADDRESS } from '@opm/core';
 import type { OnChainPackageInfo, AuthorProfile } from '@opm/core';
 
+function getContractAddress(): string {
+  return getEnvOrDefault('CONTRACT_ADDRESS', DEFAULT_CONTRACT_ADDRESS);
+}
+
 function getReadContract() {
   const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
   const provider = new ethers.JsonRpcProvider(rpc);
-  const address = getEnvOrThrow('CONTRACT_ADDRESS');
-  return new ethers.Contract(address, OPM_REGISTRY_ABI, provider);
+  return new ethers.Contract(getContractAddress(), OPM_REGISTRY_ABI, provider);
 }
 
 function getWriteContract() {
   const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
   const provider = new ethers.JsonRpcProvider(rpc);
-  const wallet = new ethers.Wallet(getEnvOrThrow('OPM_PRIVATE_KEY'), provider);
-  const address = getEnvOrThrow('CONTRACT_ADDRESS');
-  return new ethers.Contract(address, OPM_REGISTRY_ABI, wallet);
+  const wallet = new ethers.Wallet(getEnvOrThrow('OPM_SIGNING_KEY', 'OPM_PRIVATE_KEY'), provider);
+  return new ethers.Contract(getContractAddress(), OPM_REGISTRY_ABI, wallet);
 }
 
 export async function getPackageInfo(name: string, version: string): Promise<OnChainPackageInfo> {
@@ -105,8 +107,7 @@ export interface AuthorPackageSummary {
 export async function getPackagesByAuthor(authorAddress: string): Promise<AuthorPackageSummary[]> {
   const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
   const provider = new ethers.JsonRpcProvider(rpc);
-  const contractAddr = getEnvOrThrow('CONTRACT_ADDRESS');
-  const contract = new ethers.Contract(contractAddr, OPM_REGISTRY_ABI, provider);
+  const contract = new ethers.Contract(getContractAddress(), OPM_REGISTRY_ABI, provider);
 
   const packageMap = new Map<string, { name: string; version: string }>();
 
@@ -154,6 +155,38 @@ export async function getPackagesByAuthor(authorAddress: string): Promise<Author
   return results;
 }
 
+export async function registerAgentOnChain(
+  name: string,
+  model: string,
+  systemPromptHash: string,
+  proofHash: string,
+): Promise<string> {
+  const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
+  const provider = new ethers.JsonRpcProvider(rpc);
+  const wallet = new ethers.Wallet(getEnvOrThrow('AGENT_PRIVATE_KEY'), provider);
+  const contract = new ethers.Contract(getContractAddress(), OPM_REGISTRY_ABI, wallet);
+
+  const tx = await contract.registerAgent(
+    name,
+    model,
+    ethers.keccak256(ethers.toUtf8Bytes(systemPromptHash)),
+    ethers.keccak256(ethers.toUtf8Bytes(proofHash)),
+  );
+  const receipt = await tx.wait();
+  return receipt.hash;
+}
+
+export async function getRegisteredAgent(agentAddress: string): Promise<any> {
+  const contract = getReadContract();
+  return contract.getRegisteredAgent(agentAddress);
+}
+
+export async function getAgentCount(): Promise<number> {
+  const contract = getReadContract();
+  const count = await contract.getAgentCount();
+  return Number(count);
+}
+
 export async function getPackagesByAuthorDirect(
   authorAddress: string,
   knownPackageNames: string[],

package/packages/cli/src/services/ens.ts

@@ -4,21 +4,19 @@ import { addEnsContracts } from '@ensdomains/ensjs';
 import { getName } from '@ensdomains/ensjs/public';
 import { getRecords } from '@ensdomains/ensjs/public';
 import { getAddressRecord } from '@ensdomains/ensjs/public';
-import { getEnvOrDefault } from '@opm/core';
+import { getEnvOrDefault, ETH_SEPOLIA_RPC, ETH_MAINNET_RPC } from '@opm/core';
 
 function getSepoliaClient() {
-  const rpc = getEnvOrDefault('ETH_SEPOLIA_RPC_URL', 'https://ethereum-sepolia-rpc.publicnode.com');
   return createPublicClient({
     chain: addEnsContracts(sepolia),
-    transport: http(rpc),
+    transport: http(getEnvOrDefault('ETH_SEPOLIA_RPC_URL', ETH_SEPOLIA_RPC)),
   });
 }
 
 function getMainnetClient() {
-  const rpc = getEnvOrDefault('ETH_MAINNET_RPC_URL', 'https://eth.llamarpc.com');
   return createPublicClient({
     chain: addEnsContracts(mainnet),
-    transport: http(rpc),
+    transport: http(getEnvOrDefault('ETH_MAINNET_RPC_URL', ETH_MAINNET_RPC)),
   });
 }
 

package/packages/cli/src/services/fileverse.ts

@@ -1,24 +1,23 @@
 import type { ScanReport } from '@opm/core';
-import { getEnvOrDefault, safeJsonParse } from '@opm/core';
-
-const DEFAULT_API_URL = 'http://localhost:8001';
+import { getEnvOrDefault, safeJsonParse, FILEVERSE_DEFAULT_URL } from '@opm/core';
 
 export async function fetchReportFromFileverse(reportURI: string): Promise<ScanReport | null> {
   if (!reportURI || reportURI.startsWith('local://')) return null;
 
   const apiKey = process.env.FILEVERSE_API_KEY;
-  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', DEFAULT_API_URL);
+  if (!apiKey) return null;
 
+  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', FILEVERSE_DEFAULT_URL);
   const ddocId = extractDdocId(reportURI);
-  if (ddocId && apiKey) {
-    try {
-      const res = await fetch(`${apiUrl}/api/ddocs/${ddocId}?apiKey=${encodeURIComponent(apiKey)}`);
-      if (res.ok) {
-        const doc = await res.json() as { content: string };
-        return safeJsonParse<ScanReport>(doc.content);
-      }
-    } catch { /* local API not running */ }
-  }
+  if (!ddocId) return null;
+
+  try {
+    const res = await fetch(`${apiUrl}/api/ddocs/${ddocId}?apiKey=${encodeURIComponent(apiKey)}`);
+    if (res.ok) {
+      const doc = await res.json() as { content: string };
+      return safeJsonParse<ScanReport>(doc.content);
+    }
+  } catch { /* local API not running */ }
 
   return null;
 }

package/packages/cli/src/services/typosquat.ts

@@ -0,0 +1,166 @@
+const NPM_BULK_DL = 'https://api.npmjs.org/downloads/point/last-week';
+const NPM_SEARCH = 'https://registry.npmjs.org/-/v1/search';
+
+export interface TyposquatResult {
+  suspect: string;
+  likelyTarget: string | null;
+  confidence: 'high' | 'medium' | 'low' | 'none';
+  reason: string;
+  targetDownloads: number;
+  suspectDownloads: number;
+}
+
+export async function detectTyposquatBatch(names: string[]): Promise<TyposquatResult[]> {
+  if (names.length === 0) return [];
+
+  const dlMap = await fetchBulkDownloads(names);
+
+  const searchResults = await Promise.all(
+    names.map((n) => searchSimilar(stripScope(n)).catch(() => [] as SearchHit[])),
+  );
+
+  const candidateNames = new Set<string>();
+  for (const hits of searchResults) {
+    for (const h of hits) candidateNames.add(h.name);
+  }
+  const extraNames = [...candidateNames].filter((n) => !dlMap.has(n));
+  if (extraNames.length > 0) {
+    const extra = await fetchBulkDownloads(extraNames);
+    for (const [k, v] of extra) dlMap.set(k, v);
+  }
+
+  return names.map((name, idx) => {
+    const bare = stripScope(name);
+    const suspectDl = dlMap.get(name) || 0;
+    const hits = searchResults[idx] || [];
+    let best: TyposquatResult = {
+      suspect: name, likelyTarget: null, confidence: 'none',
+      reason: '', targetDownloads: 0, suspectDownloads: suspectDl,
+    };
+
+    for (const h of hits) {
+      if (h.name === name || h.name === bare) continue;
+      const cBare = stripScope(h.name);
+      const d = levenshtein(bare, cBare);
+      if (d === 0 || d > 2) continue;
+      if (d === 2 && bare.length < 5) continue;
+
+      const cDl = dlMap.get(h.name) || 0;
+      const ratio = cDl / Math.max(suspectDl, 1);
+
+      if (d === 1 && ratio >= 100) {
+        return {
+          suspect: name, likelyTarget: h.name, confidence: 'high' as const,
+          reason: `${h.name} has ${fmt(cDl)} weekly downloads vs ${fmt(suspectDl)}`,
+          targetDownloads: cDl, suspectDownloads: suspectDl,
+        };
+      }
+      if (d <= 2 && ratio >= 500 && rankHigher(best, 'medium')) {
+        best = {
+          suspect: name, likelyTarget: h.name, confidence: 'medium',
+          reason: `similar to ${h.name} (${fmt(cDl)} weekly downloads)`,
+          targetDownloads: cDl, suspectDownloads: suspectDl,
+        };
+      }
+      if (d === 1 && ratio >= 10 && rankHigher(best, 'low')) {
+        best = {
+          suspect: name, likelyTarget: h.name, confidence: 'low',
+          reason: `name close to ${h.name}`,
+          targetDownloads: cDl, suspectDownloads: suspectDl,
+        };
+      }
+      if (detectSeparatorTrick(bare, cBare) && ratio >= 50 && rankHigher(best, 'medium')) {
+        best = {
+          suspect: name, likelyTarget: h.name, confidence: 'medium',
+          reason: `separator variation of ${h.name} (${fmt(cDl)} downloads)`,
+          targetDownloads: cDl, suspectDownloads: suspectDl,
+        };
+      }
+    }
+    return best;
+  });
+}
+
+interface SearchHit { name: string }
+
+async function searchSimilar(name: string): Promise<SearchHit[]> {
+  const res = await fetch(`${NPM_SEARCH}?text=${encodeURIComponent(name)}&size=10`);
+  if (!res.ok) return [];
+  const data = await res.json() as {
+    objects: Array<{ package: { name: string } }>;
+  };
+  return data.objects.map((o) => ({ name: o.package.name }));
+}
+
+async function fetchBulkDownloads(names: string[]): Promise<Map<string, number>> {
+  const map = new Map<string, number>();
+  const scoped: string[] = [];
+  const unscoped: string[] = [];
+  for (const n of names) (n.startsWith('@') ? scoped : unscoped).push(n);
+
+  if (unscoped.length > 0) {
+    const chunks = chunkArray(unscoped, 128);
+    const fetches = await Promise.allSettled(
+      chunks.map(async (chunk) => {
+        const res = await fetch(`${NPM_BULK_DL}/${chunk.join(',')}`);
+        if (!res.ok) return;
+        const data = await res.json() as Record<string, { downloads: number } | null>;
+        for (const [pkg, info] of Object.entries(data)) {
+          if (info?.downloads) map.set(pkg, info.downloads);
+        }
+      }),
+    );
+  }
+
+  const scopedFetches = await Promise.allSettled(
+    scoped.map(async (n) => {
+      const res = await fetch(`${NPM_BULK_DL}/${encodeURIComponent(n)}`);
+      if (!res.ok) return;
+      const data = await res.json() as { downloads: number };
+      if (data.downloads) map.set(n, data.downloads);
+    }),
+  );
+
+  return map;
+}
+
+function chunkArray<T>(arr: T[], size: number): T[][] {
+  const result: T[][] = [];
+  for (let i = 0; i < arr.length; i += size) result.push(arr.slice(i, i + size));
+  return result;
+}
+
+function stripScope(name: string): string {
+  return name.startsWith('@') ? name.split('/').pop() || name : name;
+}
+
+function levenshtein(a: string, b: string): number {
+  const m = a.length, n = b.length;
+  const dp: number[][] = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+  for (let i = 0; i <= m; i++) dp[i][0] = i;
+  for (let j = 0; j <= n; j++) dp[0][j] = j;
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1]
+        ? dp[i - 1][j - 1]
+        : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+    }
+  }
+  return dp[m][n];
+}
+
+function detectSeparatorTrick(a: string, b: string): boolean {
+  const norm = (s: string) => s.replace(/[-_.]/g, '');
+  return norm(a) === norm(b) && a !== b;
+}
+
+const RANK = { none: 0, low: 1, medium: 2, high: 3 } as const;
+function rankHigher(current: TyposquatResult, level: TyposquatResult['confidence']): boolean {
+  return RANK[level] > RANK[current.confidence];
+}
+
+function fmt(n: number): string {
+  if (n >= 1_000_000) return `${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1_000) return `${(n / 1_000).toFixed(1)}K`;
+  return String(n);
+}

package/packages/cli/src/services/version.ts

@@ -1,10 +1,161 @@
-import { getVersions } from './contract';
+import { getVersions, getSafestVersion, getAuthorByENS } from './contract';
+import { resolveAddress } from './ens';
+import { queryOSV, getFixedVersion, type OSVVulnerability } from './osv';
+
+export interface ResolvedVersion {
+  version: string;
+  source: 'explicit' | 'latest' | 'ens' | 'auto-bumped';
+  ensName?: string;
+  authorAddress?: string;
+  reason?: string;
+  originalVersion?: string;
+}
+
+export function isENSVersion(version: string): boolean {
+  return version.endsWith('.eth');
+}
+
+export async function resolveVersion(
+  name: string,
+  version: string,
+  onStatus?: (msg: string) => void,
+): Promise<ResolvedVersion> {
+  const log = onStatus || (() => {});
+
+  if (isENSVersion(version)) {
+    return resolveENSVersion(name, version, log);
+  }
+
+  if (version && version !== 'latest') {
+    return { version, source: 'explicit' };
+  }
 
-export async function resolveVersion(name: string, version: string): Promise<string> {
-  if (version && version !== 'latest') return version;
   try {
     const versions = await getVersions(name);
-    if (versions.length > 0) return versions[versions.length - 1];
+    if (versions.length > 0) {
+      return { version: versions[versions.length - 1], source: 'latest' };
+    }
   } catch { /* no versions on-chain */ }
-  return version;
+
+  const npmVersion = await resolveNpmLatest(name);
+  return { version: npmVersion, source: 'latest' };
+}
+
+async function resolveENSVersion(
+  packageName: string,
+  ensName: string,
+  log: (msg: string) => void,
+): Promise<ResolvedVersion> {
+  log(`Resolving ENS: ${ensName}`);
+  const authorAddr = await resolveAddress(ensName);
+  if (!authorAddr) {
+    throw new Error(`Cannot resolve ENS name: ${ensName}`);
+  }
+  log(`Address: ${authorAddr.slice(0, 6)}...${authorAddr.slice(-4)}`);
+
+  let authorOnChain = false;
+  try {
+    const profile = await getAuthorByENS(ensName);
+    authorOnChain = profile.addr !== '0x0000000000000000000000000000000000000000';
+  } catch { /* not registered */ }
+
+  if (!authorOnChain) {
+    throw new Error(`Author ${ensName} (${authorAddr.slice(0, 10)}...) is not registered on-chain`);
+  }
+  log(`Author verified on-chain ✓`);
+
+  let safestVersion: string | null = null;
+  try {
+    safestVersion = await getSafestVersion(packageName);
+  } catch { /* no on-chain versions */ }
+
+  if (safestVersion) {
+    log(`Safest on-chain version: ${safestVersion}`);
+    return {
+      version: safestVersion,
+      source: 'ens',
+      ensName,
+      authorAddress: authorAddr,
+      reason: `Safest on-chain version, author ${ensName} verified`,
+    };
+  }
+
+  log(`No on-chain scores, resolving latest from npm`);
+  const npmVersion = await resolveNpmLatest(packageName);
+  log(`Latest npm version: ${npmVersion}`);
+  return {
+    version: npmVersion,
+    source: 'ens',
+    ensName,
+    authorAddress: authorAddr,
+    reason: `Author ${ensName} verified, latest npm version (no on-chain scores)`,
+  };
+}
+
+export async function findSafeVersion(
+  name: string,
+  unsafeVersion: string,
+  cves: OSVVulnerability[],
+): Promise<ResolvedVersion | null> {
+  let safeVer: string | null = null;
+
+  try {
+    safeVer = await getSafestVersion(name);
+  } catch { /* no on-chain data */ }
+
+  if (safeVer && safeVer !== unsafeVersion) {
+    const safeCves = await queryOSV(name, safeVer).catch(() => []);
+    const hasCritical = safeCves.some((c) => {
+      const sev = c.database_specific?.severity || '';
+      return sev === 'CRITICAL' || sev === 'HIGH';
+    });
+    if (!hasCritical) {
+      return {
+        version: safeVer,
+        source: 'auto-bumped',
+        originalVersion: unsafeVersion,
+        reason: `On-chain safest version (original ${unsafeVersion} has vulnerabilities)`,
+      };
+    }
+  }
+
+  let bestFix: string | null = null;
+  for (const cve of cves) {
+    const fix = getFixedVersion(cve, unsafeVersion);
+    if (fix && (!bestFix || compareSemver(fix, bestFix) > 0)) {
+      bestFix = fix;
+    }
+  }
+
+  if (bestFix) {
+    return {
+      version: bestFix,
+      source: 'auto-bumped',
+      originalVersion: unsafeVersion,
+      reason: `Upgraded from ${unsafeVersion} to fix ${cves.length} CVE(s)`,
+    };
+  }
+
+  return null;
+}
+
+async function resolveNpmLatest(name: string): Promise<string> {
+  try {
+    const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`);
+    if (res.ok) {
+      const data = await res.json() as { version?: string };
+      if (data.version) return data.version;
+    }
+  } catch { /* npm registry unreachable */ }
+  return 'latest';
+}
+
+function compareSemver(a: string, b: string): number {
+  const pa = a.replace(/^v/, '').split('.').map(Number);
+  const pb = b.replace(/^v/, '').split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    const diff = (pa[i] || 0) - (pb[i] || 0);
+    if (diff !== 0) return diff;
+  }
+  return 0;
 }

package/packages/contracts/circuits/accuracy_verifier.circom

@@ -0,0 +1,101 @@
+pragma circom 2.1.0;
+
+include "node_modules/circomlib/circuits/comparators.circom";
+include "node_modules/circomlib/circuits/poseidon.circom";
+
+/**
+ * AccuracyVerifier circuit for OPM agent registration.
+ *
+ * Proves that a candidate agent achieved 100% accuracy on a
+ * benchmark suite without revealing the individual test results
+ * or the expected outputs.
+ *
+ * Private inputs:
+ *   - expected[N]: expected risk level ordinals (0=LOW, 1=MEDIUM, 2=HIGH, 3=CRITICAL)
+ *   - actual[N]:   actual risk level ordinals from the candidate agent
+ *   - salt:        random blinding factor for the commitment
+ *
+ * Public inputs:
+ *   - commitmentHash: Poseidon hash of (salt, expected[0..N-1])
+ *
+ * Public outputs:
+ *   - passed: 1 if all expected[i] == actual[i], 0 otherwise
+ *   - proofHash: Poseidon hash binding the result to the commitment
+ *
+ * Compilation:
+ *   circom accuracy_verifier.circom --r1cs --wasm --sym -o build/
+ *
+ * Trusted setup:
+ *   snarkjs groth16 setup build/accuracy_verifier.r1cs pot12_final.ptau build/accuracy_verifier_0000.zkey
+ *   snarkjs zkey contribute build/accuracy_verifier_0000.zkey build/accuracy_verifier_final.zkey --name="opm-ceremony"
+ *   snarkjs zkey export verificationkey build/accuracy_verifier_final.zkey build/verification_key.json
+ *
+ * Prove:
+ *   snarkjs groth16 prove build/accuracy_verifier_final.zkey build/accuracy_verifier_js/accuracy_verifier.wasm input.json build/proof.json build/public.json
+ *
+ * Verify:
+ *   snarkjs groth16 verify build/verification_key.json build/public.json build/proof.json
+ *
+ * Export Solidity verifier:
+ *   snarkjs zkey export solidityverifier build/accuracy_verifier_final.zkey contracts/AccuracyVerifier.sol
+ */
+
+template AccuracyVerifier(N) {
+    // Private inputs
+    signal input expected[N];
+    signal input actual[N];
+    signal input salt;
+
+    // Public inputs
+    signal input commitmentHash;
+
+    // Public outputs
+    signal output passed;
+    signal output proofHash;
+
+    // Step 1: Verify commitment — hash(salt, expected[0..N-1]) must equal commitmentHash
+    // We chain Poseidon hashes since Poseidon has a limited arity
+    component commitHashers[N];
+    signal commitChain[N + 1];
+    commitChain[0] <== salt;
+
+    for (var i = 0; i < N; i++) {
+        commitHashers[i] = Poseidon(2);
+        commitHashers[i].inputs[0] <== commitChain[i];
+        commitHashers[i].inputs[1] <== expected[i];
+        commitChain[i + 1] <== commitHashers[i].out;
+    }
+
+    // Verify the commitment matches
+    commitChain[N] === commitmentHash;
+
+    // Step 2: Check equality for each test case
+    component isEq[N];
+    signal matchBits[N];
+
+    for (var i = 0; i < N; i++) {
+        isEq[i] = IsEqual();
+        isEq[i].in[0] <== expected[i];
+        isEq[i].in[1] <== actual[i];
+        matchBits[i] <== isEq[i].out;  // 1 if match, 0 if mismatch
+    }
+
+    // Step 3: Compute product of all match bits (1 iff all match)
+    signal product[N];
+    product[0] <== matchBits[0];
+    for (var i = 1; i < N; i++) {
+        product[i] <== product[i - 1] * matchBits[i];
+    }
+
+    passed <== product[N - 1];
+
+    // Step 4: Compute proof hash binding result to commitment
+    component proofHasher = Poseidon(3);
+    proofHasher.inputs[0] <== commitmentHash;
+    proofHasher.inputs[1] <== passed;
+    proofHasher.inputs[2] <== salt;
+    proofHash <== proofHasher.out;
+}
+
+// Instantiate with 10 benchmark test cases
+component main { public [commitmentHash] } = AccuracyVerifier(10);

package/packages/contracts/contracts/OPMRegistry.sol

@@ -47,6 +47,27 @@ contract OPMRegistry {
     event ReportURISet(string name, string version, string uri);
     event AuthorRegistered(address addr, string ensName);
     event AgentAuthorized(address agent, bool status);
+    event AgentRegistered(
+        address indexed agent,
+        string name,
+        string model,
+        bytes32 systemPromptHash,
+        bytes32 proofHash,
+        uint256 timestamp
+    );
+
+    struct RegisteredAgent {
+        address agentAddress;
+        string name;
+        string model;
+        bytes32 systemPromptHash;
+        bytes32 proofHash;
+        uint256 registeredAt;
+        bool active;
+    }
+
+    mapping(address => RegisteredAgent) public registeredAgents;
+    address[] public agentRegistry;
 
     modifier onlyOwner() {
         require(msg.sender == owner, "Not owner");
@@ -250,4 +271,46 @@ contract OPMRegistry {
         if (a.reputationCount == 0) return 0;
         return a.reputationTotal / a.reputationCount;
     }
+
+    function registerAgent(
+        string calldata name,
+        string calldata model,
+        bytes32 systemPromptHash,
+        bytes32 proofHash
+    ) external {
+        require(!authorizedAgents[msg.sender], "Agent already authorized");
+        require(registeredAgents[msg.sender].agentAddress == address(0), "Agent already registered");
+        require(proofHash != bytes32(0), "Invalid proof");
+
+        registeredAgents[msg.sender] = RegisteredAgent({
+            agentAddress: msg.sender,
+            name: name,
+            model: model,
+            systemPromptHash: systemPromptHash,
+            proofHash: proofHash,
+            registeredAt: block.timestamp,
+            active: true
+        });
+
+        agentRegistry.push(msg.sender);
+        authorizedAgents[msg.sender] = true;
+
+        emit AgentRegistered(msg.sender, name, model, systemPromptHash, proofHash, block.timestamp);
+        emit AgentAuthorized(msg.sender, true);
+    }
+
+    function getRegisteredAgent(address agent) external view returns (RegisteredAgent memory) {
+        return registeredAgents[agent];
+    }
+
+    function getAgentCount() external view returns (uint256) {
+        return agentRegistry.length;
+    }
+
+    function revokeAgent(address agent) external onlyOwner {
+        require(registeredAgents[agent].active, "Agent not active");
+        registeredAgents[agent].active = false;
+        authorizedAgents[agent] = false;
+        emit AgentAuthorized(agent, false);
+    }
 }

package/packages/contracts/scripts/deploy.ts

@@ -6,6 +6,11 @@ async function main() {
 
   const OPMRegistry = await ethers.getContractFactory("OPMRegistry");
   const registry = await OPMRegistry.deploy();
+  const deployTx = registry.deploymentTransaction();
+  if (deployTx) {
+    console.log("Deploy tx:", deployTx.hash);
+    await deployTx.wait(2);
+  }
   await registry.waitForDeployment();
 
   const address = await registry.getAddress();
@@ -14,9 +19,23 @@ async function main() {
   const agentKey = process.env.AGENT_PRIVATE_KEY;
   if (agentKey) {
     const agentWallet = new ethers.Wallet(agentKey);
-    const tx = await registry.setAgent(agentWallet.address, true);
-    await tx.wait();
-    console.log("Authorized agent:", agentWallet.address);
+    console.log("Authorizing agent:", agentWallet.address);
+
+    for (let attempt = 0; attempt < 3; attempt++) {
+      try {
+        const tx = await registry.setAgent(agentWallet.address, true);
+        await tx.wait(2);
+        console.log("Authorized agent:", agentWallet.address);
+        break;
+      } catch (err: any) {
+        if (attempt < 2 && err?.message?.includes("nonce")) {
+          console.log(`Nonce conflict, retrying (${attempt + 1}/3)...`);
+          await new Promise((r) => setTimeout(r, 3000));
+        } else {
+          throw err;
+        }
+      }
+    }
   }
 
   console.log("\nAdd to .env:\nCONTRACT_ADDRESS=" + address);