sealed-precision-oracle 1.0.0

package/README.md

@@ -0,0 +1,109 @@
+# Sealed Precision Oracle (Track 1: Agentic Infrastructure)
+
+[![ClawHub](https://img.shields.io/badge/ClawHub-Published-blue)](https://clawhub.ai)
+[![0G Mainnet](https://img.shields.io/badge/Network-0G_Mainnet-green)](https://chainscan.0g.ai)
+
+The **Sealed Precision Oracle** is a cognitive backbone for autonomous intelligence. It resolves complex, data-dependent questions using a verifiable pipeline of **TEE-attested AI**, **0G Storage memory**, and **ERC-7857 agent identity**.
+
+## 🚀 Quick Install
+
+Boost your agent's reasoning with a single command:
+
+```bash
+clawhub install sealed-precision-oracle
+```
+
+## 🏗️ Architecture: The Cognitive Backbone
+
+This project implements a complete cognitive layer for agents, ensuring every decision is logically sound and cryptographically verified.
+
+```
+┌──────────────────────────────────────────────────────────────┐
+│                 Atomic Oracle Pipeline                        │
+│                                                              │
+│  1. Autonomous Data Fetching (Ground Truth)                  │
+│         │                                                    │
+│         ▼                                                    │
+│  ┌──────────────┐    Real-time     ┌──────────────────────┐ │
+│  │ Public RPCs  │ ──────────────▶  │ Gas, Prices, Block#  │ │
+│  └──────────────┘                  └──────────┬───────────┘ │
+│                                               │              │
+│  2. Hardware-Secured Reasoning (TEE Compute)  │              │
+│  ┌──────────────┐    ECDSA Sig     ┌──────────▼───────────┐ │
+│  │ 0G Compute   │ ──────────────▶  │ AI Reasoning (Qwen)  │ │
+│  │ (Direct TEE) │  (Per-Inference) │ Inside Secure Enclave│ │
+│  └──────────────┘                  └──────────┬───────────┘ │
+│                                               │              │
+│  3. Long-Context State Memory (0G Storage)    │              │
+│  ┌──────────────┐               ┌─────────────▼──────────┐  │
+│  │ 0G Storage   │ ◀──────────── │ Immutable Receipt JSON │  │
+│  │ (Audit Log)  │    Upload     │ (Merkle Root Hash)     │  │
+│  └──────┬───────┘               └────────────────────────┘  │
+│         │ rootHash                                           │
+│         ▼                                                    │
+│  4. On-Chain Settlement (0G Chain)                           │
+│  ┌──────────────┐  recordResolution()                       │
+│  │  0G Mainnet  │  ERC-7857 PrecisionOracleID               │
+│  │  (Anchor)    │  tokenId → storageRoot                    │
+│  └──────────────┘                                            │
+└──────────────────────────────────────────────────────────────┘
+```
+
+## 0G Stack Integrations (Track 1 Focus)
+
+| Component | Integration | Purpose |
+|-----------|-------------|---------|
+| **0G Compute** | Direct TEE Attestation | **Cognitive Layer**: Hardware-verified AI reasoning with per-inference signatures. |
+| **0G Storage** | Turbo Indexer | **Long-Context Memory**: Permanent archival of data snapshots and reasoning logic. |
+| **0G Chain** | ERC-7857 Smart Contracts | **Agent Identity**: On-chain ownership and verifiable anchoring of AI resolutions. |
+| **OpenClaw** | Specialized Skill | **Orchestration**: Seamless integration into autonomous agent frameworks. |
+
+## Feature Status
+
+| Feature | Status | Details |
+|---------|--------|---------|
+| Real-time Data | **REAL** | Live fetch from Ethereum RPCs and CoinGecko. |
+| TEE Attestation | **REAL** | **Per-inference ECDSA signatures** verified against on-chain TEE signers. |
+| 0G Storage | **REAL** | Receipts archived on Mainnet Turbo Indexer. |
+| On-chain Settlement| **REAL** | Resolutions recorded on 0G Mainnet via ERC-7857 contracts. |
+
+## 🛠️ Usage
+
+### 1. Zero-Config Demo (Recommended for Judges)
+Experience the full verifiable flow instantly without any setup. Our hosted API bridge handles the 0G gas and storage fees for you.
+```bash
+# Install globally
+npm install -g sealed-precision-oracle
+
+# Run instantly (Managed Mode)
+sealed-precision-oracle "Is the price of Solana above $200?"
+```
+
+### 2. Autonomous Mode (For Advanced Agents)
+Run the entire pipeline on your own hardware using your own 0G funds.
+```bash
+# Set your PRIVATE_KEY in your environment
+export PRIVATE_KEY="0x..."
+
+# Run locally (Autonomous Mode)
+sealed-precision-oracle "Is the price of Solana above $200?"
+```
+
+### 3. Smart Contract Integration
+The oracle records proofs to:
+- **Mainnet Address**: `0xf25E765eF573c26d6314Fd83822564E7AF11C9Ac`
+- **Network**: 0G Mainnet (Chain ID: 16661)
+
+## 📂 Project Structure
+
+- `contracts/`: ERC-7857 compliant smart contracts for AI agent identity.
+- `src/`: Core logic for data fetching, TEE inference, and storage.
+- `api/`: Backend bridge for secure TEE execution (Managed Mode).
+- `skills/`: OpenClaw skill manifest for ClawHub publication.
+- `bin/`: CLI entry point for global installation.
+
+## 🏁 Track 1 Alignment
+This project serves as a foundational **Cognitive Backbone** for agentic infrastructure. By combining real-time data ingestion with TEE-secured reasoning and 0G Storage state persistence, it creates an autonomous intelligence layer that is inherently trustworthy and fully auditable on-chain.
+
+## License
+MIT

package/bin/cli.js

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+const path = require('path');
+const { spawn } = require('child_process');
+
+// The dist directory where the compiled files live
+const oracleScript = path.join(__dirname, '../dist/src/oracle.js');
+
+// Pass all CLI arguments to the compiled oracle script
+const args = process.argv.slice(2);
+const child = spawn('node', [oracleScript, ...args], {
+  stdio: 'inherit',
+  env: process.env
+});
+
+child.on('exit', (code) => {
+  process.exit(code);
+});

package/contracts/IERC7857.sol

@@ -0,0 +1,86 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.27;
+
+/// @title ERC-7857 Types and Interfaces
+/// @notice Faithful implementation of EIP-7857: AI Agents NFT with Private Metadata
+/// @dev See https://eips.ethereum.org/EIPS/eip-7857
+
+enum OracleType {
+    TEE,
+    ZKP
+}
+
+struct AccessProof {
+    bytes32 oldDataHash;
+    bytes32 newDataHash;
+    bytes nonce;
+    bytes encryptedPubKey;
+    bytes proof;
+}
+
+struct OwnershipProof {
+    OracleType oracleType;
+    bytes32 oldDataHash;
+    bytes32 newDataHash;
+    bytes sealedKey;
+    bytes encryptedPubKey;
+    bytes nonce;
+    bytes proof;
+}
+
+struct TransferValidityProof {
+    AccessProof accessProof;
+    OwnershipProof ownershipProof;
+}
+
+struct TransferValidityProofOutput {
+    bytes32 oldDataHash;
+    bytes32 newDataHash;
+    bytes sealedKey;
+    bytes encryptedPubKey;
+    bytes wantedKey;
+    address accessAssistant;
+    bytes accessProofNonce;
+    bytes ownershipProofNonce;
+}
+
+struct IntelligentData {
+    string dataDescription;
+    bytes32 dataHash;
+}
+
+/// @notice Verifier contract for validating transfer proofs (TEE or ZKP)
+interface IERC7857DataVerifier {
+    function verifyTransferValidity(
+        TransferValidityProof[] calldata _proofs
+    ) external returns (TransferValidityProofOutput[] memory);
+}
+
+/// @notice Metadata extension for ERC-7857
+interface IERC7857Metadata {
+    function name() external view returns (string memory);
+    function symbol() external view returns (string memory);
+    function intelligentDataOf(uint256 _tokenId) external view returns (IntelligentData[] memory);
+}
+
+/// @notice Core ERC-7857 interface — agent-specific functions only.
+///         Functions shared with ERC-721 (approve, ownerOf, etc.) are inherited
+///         from OZ's ERC721 implementation. This interface declares only the
+///         agent-identity additions defined by EIP-7857.
+interface IERC7857 {
+    event Authorization(address indexed _from, address indexed _to, uint256 indexed _tokenId);
+    event AuthorizationRevoked(address indexed _from, address indexed _to, uint256 indexed _tokenId);
+    event Transferred(uint256 _tokenId, address indexed _from, address indexed _to);
+    event Cloned(uint256 indexed _tokenId, uint256 indexed _newTokenId, address _from, address _to);
+    event PublishedSealedKey(address indexed _to, uint256 indexed _tokenId, bytes[] _sealedKeys);
+    event DelegateAccess(address indexed _user, address indexed _assistant);
+
+    function verifier() external view returns (IERC7857DataVerifier);
+    function iTransfer(address _to, uint256 _tokenId, TransferValidityProof[] calldata _proofs) external;
+    function iClone(address _to, uint256 _tokenId, TransferValidityProof[] calldata _proofs) external returns (uint256 _newTokenId);
+    function authorizeUsage(uint256 _tokenId, address _user) external;
+    function revokeAuthorization(uint256 _tokenId, address _user) external;
+    function delegateAccess(address _assistant) external;
+    function authorizedUsersOf(uint256 _tokenId) external view returns (address[] memory);
+    function getDelegateAccess(address _user) external view returns (address);
+}

package/contracts/OracleDataVerifier.sol

@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.27;
+
+import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
+import "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";
+import "./IERC7857.sol";
+
+/// @title OracleDataVerifier
+/// @notice ERC-7857 DataVerifier that validates transfer proofs using ECDSA signatures.
+///         The `proof` bytes in each AccessProof/OwnershipProof MUST be a 65-byte ECDSA
+///         signature over keccak256(abi.encodePacked(oldDataHash, newDataHash, nonce)).
+///         The recovered signer is returned in the output for the main contract to check
+///         against the token owner.
+contract OracleDataVerifier is IERC7857DataVerifier {
+    using ECDSA for bytes32;
+    using MessageHashUtils for bytes32;
+
+    function verifyTransferValidity(
+        TransferValidityProof[] calldata _proofs
+    ) external pure override returns (TransferValidityProofOutput[] memory outputs) {
+        outputs = new TransferValidityProofOutput[](_proofs.length);
+
+        for (uint256 i = 0; i < _proofs.length; i++) {
+            AccessProof calldata ap = _proofs[i].accessProof;
+            OwnershipProof calldata op = _proofs[i].ownershipProof;
+
+            // Validate non-zero target data hashes
+            require(ap.newDataHash != bytes32(0), "Access: empty new hash");
+            require(op.newDataHash != bytes32(0), "Ownership: empty new hash");
+
+            // Access and ownership proofs must agree on the data
+            require(ap.newDataHash == op.newDataHash, "Hash mismatch: access vs ownership");
+            require(ap.oldDataHash == op.oldDataHash, "Old hash mismatch");
+
+            // Non-empty nonces (replay protection)
+            require(ap.nonce.length > 0, "Access: empty nonce");
+            require(op.nonce.length > 0, "Ownership: empty nonce");
+
+            // Validate ECDSA signature in accessProof.proof
+            // The signer must have signed keccak256(oldDataHash, newDataHash, nonce)
+            require(ap.proof.length == 65, "Access: proof must be 65-byte ECDSA signature");
+            bytes32 accessDigest = keccak256(
+                abi.encodePacked(ap.oldDataHash, ap.newDataHash, ap.nonce)
+            ).toEthSignedMessageHash();
+            address accessSigner = accessDigest.recover(ap.proof);
+            require(accessSigner != address(0), "Access: invalid signature");
+
+            // Validate ECDSA signature in ownershipProof.proof
+            require(op.proof.length == 65, "Ownership: proof must be 65-byte ECDSA signature");
+            bytes32 ownerDigest = keccak256(
+                abi.encodePacked(op.oldDataHash, op.newDataHash, op.nonce)
+            ).toEthSignedMessageHash();
+            address ownerSigner = ownerDigest.recover(op.proof);
+            require(ownerSigner != address(0), "Ownership: invalid signature");
+
+            // Both proofs must be signed by the same entity (the current owner)
+            require(accessSigner == ownerSigner, "Signer mismatch: access vs ownership");
+
+            outputs[i] = TransferValidityProofOutput({
+                oldDataHash: ap.oldDataHash,
+                newDataHash: ap.newDataHash,
+                sealedKey: op.sealedKey,
+                encryptedPubKey: op.encryptedPubKey,
+                wantedKey: ap.encryptedPubKey,
+                // Return the recovered signer so PrecisionOracleID can verify it's the token owner
+                accessAssistant: accessSigner,
+                accessProofNonce: ap.nonce,
+                ownershipProofNonce: op.nonce
+            });
+        }
+    }
+}

package/contracts/PrecisionOracleID.sol

@@ -0,0 +1,328 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.27;
+
+import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
+import "@openzeppelin/contracts/utils/Strings.sol";
+import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
+import "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";
+import "./IERC7857.sol";
+
+/// @title PrecisionOracleID
+/// @notice On-chain identity for the Sealed Precision Oracle.
+///         Implements ERC-7857 (AI Agents NFT with Private Metadata) on top of ERC-721.
+///         Maps each agent token to its 0G Storage resolution receipts.
+contract PrecisionOracleID is ERC721, Ownable, IERC7857, IERC7857Metadata {
+    using EnumerableSet for EnumerableSet.AddressSet;
+    using ECDSA for bytes32;
+    using MessageHashUtils for bytes32;
+
+    // ─── State ──────────────────────────────────────────────────────────
+
+    uint256 private _nextTokenId;
+    IERC7857DataVerifier private _dataVerifier;
+
+    // TEE signer registry — addresses of verified TEE signers
+    mapping(address => bool) public registeredTeeSigners;
+
+    // ERC-7857: authorized users per token (enumerable for authorizedUsersOf)
+    mapping(uint256 => EnumerableSet.AddressSet) private _authorizedUsers;
+
+    // ERC-7857: delegate access (user => assistant)
+    mapping(address => address) private _delegates;
+
+    // ERC-7857: intelligent data per token
+    mapping(uint256 => IntelligentData[]) private _intelligentData;
+
+    // Oracle-specific: latest 0G Storage Merkle root per token
+    mapping(uint256 => bytes32) public storageRoots;
+
+    // Oracle-specific: full resolution history per token
+    mapping(uint256 => bytes32[]) public resolutionHistory;
+
+    // Oracle-specific: nonce per token (anti-replay for resolutions)
+    mapping(uint256 => uint256) public resolutionNonces;
+
+    // Oracle-specific: clone lineage
+    mapping(uint256 => uint256) public clonedFrom;
+
+    // ─── Events ─────────────────────────────────────────────────────────
+
+    event ResolutionRecorded(
+        uint256 indexed tokenId,
+        bytes32 indexed storageRoot,
+        uint256 nonce,
+        address indexed operator,
+        address teeSigner,
+        uint256 timestamp
+    );
+
+    event TeeSignerRegistered(address indexed signer);
+    event TeeSignerRemoved(address indexed signer);
+
+    // ─── Constructor ────────────────────────────────────────────────────
+
+    constructor(
+        address verifierAddress
+    ) ERC721("PrecisionOracleID", "PORID") Ownable(msg.sender) {
+        require(verifierAddress != address(0), "Zero verifier address");
+        _dataVerifier = IERC7857DataVerifier(verifierAddress);
+        _nextTokenId = 1;
+    }
+
+    // ─── Minting (owner-only) ───────────────────────────────────────────
+
+    function mint(address to) external onlyOwner returns (uint256 tokenId) {
+        tokenId = _nextTokenId++;
+        _mint(to, tokenId);
+    }
+
+    // ─── TEE Signer Registry ───────────────────────────────────────────
+
+    /// @notice Register a TEE signer address (from the 0G InferenceServing contract)
+    function registerTeeSigner(address signer) external onlyOwner {
+        require(signer != address(0), "Zero address");
+        registeredTeeSigners[signer] = true;
+        emit TeeSignerRegistered(signer);
+    }
+
+    /// @notice Remove a TEE signer
+    function removeTeeSigner(address signer) external onlyOwner {
+        registeredTeeSigners[signer] = false;
+        emit TeeSignerRemoved(signer);
+    }
+
+    // ─── Oracle Resolution Recording ───────────────────────────────────
+
+    /// @notice Record a resolution receipt with TEE attestation.
+    ///         Callable by token owner OR authorized users.
+    /// @param tokenId The Oracle agent token
+    /// @param storageRoot 0G Storage Merkle root hash of the receipt
+    /// @param signedText The raw text that the TEE signed
+    /// @param teeSignature The TEE's ECDSA signature over the signedText
+    /// @param teeSigner The TEE signer address to verify against (zero = skip verification)
+    function recordResolution(
+        uint256 tokenId,
+        bytes32 storageRoot,
+        string calldata signedText,
+        bytes calldata teeSignature,
+        address teeSigner
+    ) external {
+        require(_ownerOrAuthorized(tokenId, msg.sender), "Not owner or authorized");
+        require(storageRoot != bytes32(0), "Empty storage root");
+
+        // If TEE signature provided, verify it on-chain
+        if (teeSignature.length > 0 && teeSigner != address(0)) {
+            require(registeredTeeSigners[teeSigner], "TEE signer not registered");
+
+            // Recover signer from the signature over the raw signed text
+            bytes32 ethSignedHash = MessageHashUtils.toEthSignedMessageHash(bytes(signedText));
+            address recovered = ethSignedHash.recover(teeSignature);
+            require(recovered == teeSigner, "TEE signature verification failed");
+        }
+
+        uint256 nonce = resolutionNonces[tokenId]++;
+        storageRoots[tokenId] = storageRoot;
+        resolutionHistory[tokenId].push(storageRoot);
+
+        // Add as intelligent data (ERC-7857 metadata)
+        _intelligentData[tokenId].push(IntelligentData({
+            dataDescription: string.concat("Oracle Resolution #", Strings.toString(nonce)),
+            dataHash: storageRoot
+        }));
+
+        emit ResolutionRecorded(tokenId, storageRoot, nonce, msg.sender, teeSigner, block.timestamp);
+    }
+
+    function resolutionCount(uint256 tokenId) external view returns (uint256) {
+        return resolutionHistory[tokenId].length;
+    }
+
+    /// @notice Paginated query for intelligent data. Avoids gas bomb on large histories.
+    /// @param tokenId The token to query
+    /// @param offset Start index
+    /// @param limit Max items to return
+    function intelligentDataPaginated(
+        uint256 tokenId,
+        uint256 offset,
+        uint256 limit
+    ) external view returns (IntelligentData[] memory result, uint256 total) {
+        require(limit > 0 && limit <= 1000, "Limit must be 1-1000");
+        IntelligentData[] storage data = _intelligentData[tokenId];
+        total = data.length;
+        if (offset >= total) {
+            return (new IntelligentData[](0), total);
+        }
+        uint256 end = offset + limit;
+        if (end > total) end = total;
+        uint256 count = end - offset;
+        result = new IntelligentData[](count);
+        for (uint256 i = 0; i < count; i++) {
+            result[i] = data[offset + i];
+        }
+    }
+
+    // ─── ERC-7857: Core Functions ──────────────────────────────────────
+
+    /// @inheritdoc IERC7857
+    function verifier() external view override returns (IERC7857DataVerifier) {
+        return _dataVerifier;
+    }
+
+    /// @inheritdoc IERC7857
+    function iTransfer(
+        address _to,
+        uint256 _tokenId,
+        TransferValidityProof[] calldata _proofs
+    ) external override {
+        require(ownerOf(_tokenId) == msg.sender, "Not token owner");
+        require(_to != address(0), "Transfer to zero address");
+        require(_proofs.length > 0, "No proofs provided");
+
+        // Verify transfer proofs via the data verifier
+        TransferValidityProofOutput[] memory outputs = _dataVerifier.verifyTransferValidity(_proofs);
+
+        // Verify that the proof signer is the token owner
+        // (accessAssistant field carries the recovered ECDSA signer from the verifier)
+        for (uint256 j = 0; j < outputs.length; j++) {
+            require(outputs[j].accessAssistant == msg.sender, "Proof signer is not token owner");
+        }
+
+        // Execute transfer (ERC-721 internal, no approval check needed)
+        address from = msg.sender;
+        _transfer(from, _to, _tokenId);
+
+        // Publish sealed keys so new owner can decrypt agent metadata
+        bytes[] memory sealedKeys = new bytes[](outputs.length);
+        for (uint256 i = 0; i < outputs.length; i++) {
+            sealedKeys[i] = outputs[i].sealedKey;
+        }
+        emit PublishedSealedKey(_to, _tokenId, sealedKeys);
+        emit Transferred(_tokenId, from, _to);
+    }
+
+    /// @inheritdoc IERC7857
+    function iClone(
+        address _to,
+        uint256 _tokenId,
+        TransferValidityProof[] calldata _proofs
+    ) external override returns (uint256 _newTokenId) {
+        require(ownerOf(_tokenId) == msg.sender, "Not token owner");
+        require(_to != address(0), "Clone to zero address");
+        require(_proofs.length > 0, "No proofs provided");
+
+        // Verify proofs
+        TransferValidityProofOutput[] memory outputs = _dataVerifier.verifyTransferValidity(_proofs);
+
+        // Verify that the proof signer is the token owner
+        for (uint256 j = 0; j < outputs.length; j++) {
+            require(outputs[j].accessAssistant == msg.sender, "Proof signer is not token owner");
+        }
+
+        // Mint clone
+        _newTokenId = _nextTokenId++;
+        _mint(_to, _newTokenId);
+        clonedFrom[_newTokenId] = _tokenId;
+
+        // Inherit intelligent data from parent
+        IntelligentData[] storage parentData = _intelligentData[_tokenId];
+        for (uint256 i = 0; i < parentData.length; i++) {
+            _intelligentData[_newTokenId].push(parentData[i]);
+        }
+
+        // Inherit latest storage root
+        storageRoots[_newTokenId] = storageRoots[_tokenId];
+
+        // Publish sealed keys
+        bytes[] memory sealedKeys = new bytes[](outputs.length);
+        for (uint256 i = 0; i < outputs.length; i++) {
+            sealedKeys[i] = outputs[i].sealedKey;
+        }
+        emit PublishedSealedKey(_to, _newTokenId, sealedKeys);
+        emit Cloned(_tokenId, _newTokenId, msg.sender, _to);
+    }
+
+    /// @inheritdoc IERC7857
+    function authorizeUsage(uint256 _tokenId, address _user) external override {
+        require(ownerOf(_tokenId) == msg.sender, "Not token owner");
+        require(_user != address(0), "Zero address");
+        require(_authorizedUsers[_tokenId].add(_user), "Already authorized");
+
+        emit Authorization(msg.sender, _user, _tokenId);
+    }
+
+    /// @inheritdoc IERC7857
+    function revokeAuthorization(uint256 _tokenId, address _user) external override {
+        require(ownerOf(_tokenId) == msg.sender, "Not token owner");
+        require(_authorizedUsers[_tokenId].remove(_user), "Not authorized");
+
+        emit AuthorizationRevoked(msg.sender, _user, _tokenId);
+    }
+
+    /// @inheritdoc IERC7857
+    function authorizedUsersOf(uint256 _tokenId) external view override returns (address[] memory) {
+        return _authorizedUsers[_tokenId].values();
+    }
+
+    /// @inheritdoc IERC7857
+    function delegateAccess(address _assistant) external override {
+        _delegates[msg.sender] = _assistant;
+        emit DelegateAccess(msg.sender, _assistant);
+    }
+
+    /// @inheritdoc IERC7857
+    function getDelegateAccess(address _user) external view override returns (address) {
+        return _delegates[_user];
+    }
+
+    // ─── ERC-7857 Metadata ─────────────────────────────────────────────
+
+    /// @inheritdoc IERC7857Metadata
+    function intelligentDataOf(
+        uint256 _tokenId
+    ) external view override returns (IntelligentData[] memory) {
+        require(_requireOwned(_tokenId) != address(0), "Token does not exist");
+        return _intelligentData[_tokenId];
+    }
+
+    /// @dev Override required because both ERC721 and IERC7857Metadata declare name()
+    function name() public view override(ERC721, IERC7857Metadata) returns (string memory) {
+        return super.name();
+    }
+
+    /// @dev Override required because both ERC721 and IERC7857Metadata declare symbol()
+    function symbol() public view override(ERC721, IERC7857Metadata) returns (string memory) {
+        return super.symbol();
+    }
+
+    // ─── Interface Support ──────────────────────────────────────────────
+
+    function supportsInterface(
+        bytes4 interfaceId
+    ) public view override returns (bool) {
+        return
+            interfaceId == type(IERC7857).interfaceId ||
+            interfaceId == type(IERC7857Metadata).interfaceId ||
+            super.supportsInterface(interfaceId);
+    }
+
+    // ─── ERC-721 Transfer Override ────────────────────────────────────
+    // Disable bare ERC-721 transfers — all transfers MUST go through
+    // iTransfer() with proof verification per ERC-7857.
+
+    function transferFrom(address, address, uint256) public pure override {
+        revert("Use iTransfer() with proofs");
+    }
+
+    function safeTransferFrom(address, address, uint256, bytes memory) public pure override {
+        revert("Use iTransfer() with proofs");
+    }
+
+    // ─── Internals ──────────────────────────────────────────────────────
+
+    function _ownerOrAuthorized(uint256 tokenId, address caller) private view returns (bool) {
+        return ownerOf(tokenId) == caller || _authorizedUsers[tokenId].contains(caller);
+    }
+
+}

package/dist/hardhat.config.d.ts

@@ -0,0 +1,6 @@
+import { HardhatUserConfig } from "hardhat/config";
+import "@nomicfoundation/hardhat-ethers";
+import "@nomicfoundation/hardhat-chai-matchers";
+import "dotenv/config";
+declare const config: HardhatUserConfig;
+export default config;

package/dist/hardhat.config.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+require("@nomicfoundation/hardhat-ethers");
+require("@nomicfoundation/hardhat-chai-matchers");
+require("dotenv/config");
+const PRIVATE_KEY = process.env.PRIVATE_KEY || "0x" + "0".repeat(64);
+const config = {
+    solidity: {
+        version: "0.8.27",
+        settings: {
+            evmVersion: "cancun",
+            optimizer: { enabled: true, runs: 200 },
+        },
+    },
+    networks: {
+        og_galileo: {
+            url: "https://evmrpc-testnet.0g.ai",
+            chainId: 16602,
+            accounts: [PRIVATE_KEY],
+        },
+        og_mainnet: {
+            url: "https://evmrpc.0g.ai",
+            chainId: 16661,
+            accounts: [PRIVATE_KEY],
+        },
+    },
+};
+exports.default = config;
+//# sourceMappingURL=hardhat.config.js.map

package/dist/hardhat.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hardhat.config.js","sourceRoot":"","sources":["../hardhat.config.ts"],"names":[],"mappings":";;AACA,2CAAyC;AACzC,kDAAgD;AAChD,yBAAuB;AAEvB,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAErE,MAAM,MAAM,GAAsB;IAChC,QAAQ,EAAE;QACR,OAAO,EAAE,QAAQ;QACjB,QAAQ,EAAE;YACR,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;SACxC;KACF;IACD,QAAQ,EAAE;QACR,UAAU,EAAE;YACV,GAAG,EAAE,8BAA8B;YACnC,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,CAAC,WAAW,CAAC;SACxB;QACD,UAAU,EAAE;YACV,GAAG,EAAE,sBAAsB;YAC3B,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,CAAC,WAAW,CAAC;SACxB;KACF;CACF,CAAC;AAEF,kBAAe,MAAM,CAAC"}

package/dist/scripts/deploy.d.ts

@@ -0,0 +1 @@
+export {};