Inference privacy for AI agents

Your agents. Invisible.

Shielded TAO · ZK proofs · Stealth routing · MCP-native

See how it works Read the code ↗
scroll
246
Passing tests
16
Packages
6
Phases complete
964
Bittensor chain ID
20
Merkle tree depth
Shielded TAO Anonymous Miner Routing ERC-5564 Stealth Addresses Groth16 ZK Proofs Poseidon Merkle Trees UTXO Shielded Treasury MCP Server Integration Bittensor Subtensor EVM Railgun Adapter 246 Passing Tests Double-Spend Prevention @noble/curves · Pure JS Crypto Shielded TAO Anonymous Miner Routing ERC-5564 Stealth Addresses Groth16 ZK Proofs Poseidon Merkle Trees UTXO Shielded Treasury MCP Server Integration Bittensor Subtensor EVM Railgun Adapter 246 Passing Tests Double-Spend Prevention @noble/curves · Pure JS Crypto

01 / Protocol

Privacy isn't a feature.
It's the foundation.

Peek-a-boo is a privacy middleware layer for AI agents on Bittensor. Shield payments. Route anonymously. Prove everything cryptographically.

01 Peek-a-boo shields agent payments +
Your agent deposits TAO into a ShieldedPool smart contract on Bittensor's Subtensor EVM. The deposit inserts a Poseidon commitment into a depth-20 Merkle tree. To withdraw, the agent generates a Groth16 ZK proof of pool membership — revealing nothing about the originating identity, amount path, or timing. A 30-root history buffer prevents race conditions between deposits and withdrawals.
commitment = Poseidon(nullifier, secret)
02 Peek-a-boo routes inferences anonymously +
Each inference request generates a fresh ERC-5564 stealth address via ECDH key exchange between your agent's ephemeral key and the miner's public key. The StealthAnnouncer contract emits events for off-chain scanning via viewTag fast-scan filter. Miners receive payment at a one-time address that can't be correlated back to your agent across sessions.
stealth = ECDH(ephemeralKey, recipientPub)
03 Peek-a-boo proves without revealing +
All cryptographic operations use pure-JS @noble/curves and @noble/hashes — no native bindings, no Node dependency. The Circom-based Withdraw circuit compiles to a depth-20 Merkle proof verifier with Poseidon hashing. Public inputs are bound to recipient + amount using a square-constraint anti-front-running technique from the Tornado Cash pattern.
nullifierHash = Poseidon(nullifier)
04 Peek-a-boo integrates with any agent framework +
The @pas/mcp-server package exposes all privacy operations as MCP tools — meaning any MCP-compatible agent (Claude, OpenClaw, custom daemons) can call shield, unshield, and stealth routing as native tool calls. LangChain and CrewAI wrappers are in active development. Constructor-injected storage adapters support in-memory by default and SQLite opt-in.
mcp-server · langchain · crewai

02 / Mechanism

How the privacy engine works

— 01
Shield your TAO
Deposit TAO into the ShieldedPool contract. A Poseidon commitment is inserted into the on-chain Merkle tree. Your agent holds the nullifier + secret off-chain.
— 02
Route via stealth address
A fresh ERC-5564 stealth address is generated per inference. The StealthAnnouncer emits events. Miners scan with viewTag for their payments — no public linkability.
— 03
Prove membership
Generate a Groth16 ZK proof of Merkle membership. The verifier contract checks the proof on-chain, validates the nullifier registry, and releases funds atomically.
01
Policy Engine
Per-transaction and cumulative spend limits with time windows. Whitelist/denylist. Chain restrictions. Priority-ordered rule evaluation. 20 tests passing.
02
Session Manager
Session lifecycle create → active → expired/terminated. Auto-expiry on access. Stale-session cleanup. Isolated per-agent context.
03
Shielded Treasury
UTXO note management. Nullifier-based double-spend prevention. Greedy UTXO selection. Multi-token balances. Transactional markSpent() for atomic nullifier marking.
PASResult<T> for all fallible ops
04
Stealth Addresses
ERC-5564 ECDH stealth generation. viewTag fast-scan filter. Round-trip generate → scan verification. secp256k1 point arithmetic via @noble/curves.
AI AGENT policy · sessions · treasury SHIELDED POOL Bittensor EVM · Chain 964 deposit TAO POSEIDON MERKLE TREE root ← new commit ZK PROVER Groth16 · Circom depth-20 Groth16 proof STEALTH ADDR ERC-5564 · ECDH viewTag MINER Bittensor subnet anonymous 246 tests · phases 0–6 complete

03 / Stack

Built in the open.
Production-grade.

16 packages. Turborepo monorepo. Bittensor-first with Railgun, Ethereum L2, and Aztec adapters.

@pas/core
Policy engine, sessions, shielded treasury, stealth addresses
@pas/contracts
ShieldedPool · StealthAnnouncer · Groth16Verifier · Poseidon
@pas/storage-sqlite
WAL-mode SQLite persistence · 8 tables · 41 tests
@pas/adapter-railgun
Shielded ERC-20 via ZK-SNARKs — 74 passing tests
@pas/adapter-bittensor
Subtensor EVM · Chain 964/945 · TAO native currency
@pas/types
Shared type definitions across 9 modules
@pas/sdk
Universal privacy interface — high-level agent API
@pas/mcp-server
MCP tools for any MCP-compatible agent
@pas/settlement
L1/L2 providers · gasless relay
@pas/agent-langchain
LangChain tool wrappers around SDK
@pas/agent-crewai
CrewAI tool wrappers around SDK
@pas/adapter-aztec
Native private execution — deepest guarantees
Complete In progress Planned
246
Passing tests
16
Packages
6
Phases done
~1M
Max deposits

04 / FAQ

Frequently asked
questions

What is Peek-a-boo?+
Peek-a-boo (formerly PAS — Private Agent Shell) is a privacy middleware layer for AI agents operating on Bittensor's Subtensor EVM. It provides shielded TAO payments, anonymous inference routing via stealth addresses, and ZK proof-based withdrawal — all composable as MCP tools or SDK calls.
Why Bittensor?+
Bittensor's Subtensor EVM is the primary market for AI agent inference. TAO-denominated payments between agents and miners create a natural surface for privacy attacks — correlating who queries what, from where, and how often. Peek-a-boo makes those payments opaque. Ethereum L2 and Aztec adapters are also in the roadmap.
How does the ZK proof work?+
A Circom Withdraw circuit generates a Groth16 proof proving the agent knows a (nullifier, secret) pair whose Poseidon hash is a leaf in the on-chain Merkle tree. The contract verifies the proof, checks the nullifier registry to prevent double-spend, then releases funds to the recipient. Public inputs — root, nullifierHash, recipient, amount — are bound via a square constraint trick to prevent front-running.
When is testnet deployment?+
Deploying to Bittensor testnet (Chain ID 945) is Priority 1. Hardhat config is already set with the testnet RPC. The deployment sequence is: PoseidonT3 library → Groth16Verifier → ShieldedPool → StealthAnnouncer. After contracts are live, the BittensorAdapter will be wired to the deployed addresses.
How do I integrate with my agent?+
The @pas/mcp-server package exposes all privacy operations as MCP-compatible tools. Any agent that supports MCP (Claude, OpenClaw, custom daemons) can call shield, unshield, and stealth routing natively. LangChain and CrewAI wrapper packages are actively being developed for direct framework integration.

Testnet deployment coming soon

Hide in
plain sight.

Bittensor testnet · ZK circuits · 246 passing tests · MCP-native

View on GitHub ↗ Join Discord ↗