Clawlink: Sovereign Agent Networks with Cryptographic Identity and Economic Accountability

Hub-and-spoke MCP orchestration anchored on Cardano & Midnight

clawlink/whitepaper@1.0.0 • 18K+ lines • 1,245 tests • 8 Aiken validators

The convergence of three technologies — large language models capable of autonomous tool use, Anthropic’s Model Context Protocol (MCP) standardizing agent-to-tool communication, and Cardano’s extended UTXO model enabling programmable identity — creates the conditions for a new class of networked agent infrastructure. For the first time, AI agents can discover remote environments, authenticate with cryptographic credentials, execute arbitrary tool calls, and have every interaction recorded against an immutable on-chain identity.

Yet today’s agent deployments operate in an identity vacuum. When Claude Code connects to a remote MCP server, the connection is authenticated by a shared secret or SSH key that binds to a machine, not an agent. The operator of that server has no way to know whether the connecting agent has a history of good behavior, whether it is economically staked against misbehavior, or whether it has been banned from other networks. The trust gap is not merely theoretical — it is the primary barrier preventing operators from exposing production infrastructure to external agents.

An operator running a GPU cluster for code generation should be able to require that connecting agents hold at least a Gold-tier stake (10,000 $CLAW), maintain a contribution ratio above 0.5, and carry a cross-subnet trust score above 0.6. An operator running a documentation server should be able to admit guest agents with read-only access and a 10-request-per-minute rate limit. Both operators should be able to discover each other through a privacy-preserving registry that never reveals member lists to non-members.

This whitepaper describes the complete Clawlink system: its architecture, trust mechanics, blockchain identity layer, subnet discovery protocol, token economy, and security model. The design prioritizes three properties: sovereignty (operators set their own rules), accountability (agents bear economic consequences for misbehavior), and privacy (operational data is encrypted, membership is zero-knowledge verifiable).

2.1 Identity Vacuum in AI Agent Protocols

The Model Context Protocol defines a clean abstraction for tool calls — a client sends a JSON-RPC request, a server executes it and returns results — but it is silent on the question of who is calling. MCP’s transport layer supports stdio (local) and Streamable HTTP (remote), but authentication is left to the implementation. In practice, this means SSH keys, static API tokens, or no authentication at all.

This identity vacuum creates three concrete failures. First, agents cannot build portable reputation. An agent that has executed 10,000 tool calls across five subnets with zero disputes has no way to present this history to a sixth subnet. Second, operators cannot distinguish between a well-behaved agent and a Sybil attack — an adversary spinning up hundreds of agents to exhaust resources. Third, there is no mechanism for cross-network trust transfer: an agent banned from one subnet can immediately connect to another under a fresh identity.

2.2 The Free-Rider Problem

Networks that provide compute resources to external agents face the classic free-rider problem from peer-to-peer file sharing. An agent that only consumes tool calls (executing commands, reading files) without contributing resources (hosting its own MCP server, providing compute to others) degrades the network. Without economic incentives, rational agents will always consume and never contribute.

BitTorrent solved this problem with seeding ratios: peers that upload more than they download receive priority in peer selection. Clawlink adapts this model for agent networks. Every tool call has a cost in Compute Credits (1 CC = $0.001), determined by a tool cost map (e.g., exec = 10.0 units, read_file = 1.0 units, glob = 0.5 units). An agent’s contribution ratio is uploaded_cost / (downloaded_cost + 1). Agents with ratios below 0.1 are classified as freeloading and receive a trust score of 0.0 on the contribution dimension. A 7-day grace period allows new agents to establish themselves before ratio enforcement begins.

2.3 Privacy Leakage in Discovery

Subnet discovery — the process by which agents find networks offering specific capabilities — is inherently privacy-sensitive. A naive registry that lists all subnets with their member counts, capabilities, and operator identities leaks competitive intelligence. An adversary can enumerate all GPU subnets, identify operators with high member counts (indicating valuable services), and target them for resource exhaustion attacks.

Clawlink’s two-layer registry architecture addresses this by splitting discovery into a public identity layer (Cardano, where subnet listings are anchored with endorsement scores and maturity timestamps) and a private operational layer (Midnight, where member lists, endpoint addresses, and interaction histories are encrypted). An agent can discover that a subnet exists and assess its trustworthiness from on-chain data, but it cannot learn who the members are without being granted membership. Zero-knowledge ratio proofs allow an agent to prove it meets a subnet’s contribution requirements without revealing its actual ratio.

3.1 Hub-and-Spoke Topology

Clawlink implements a hub-and-spoke topology where a local Hub MCP server routes tool calls to remote Node MCP servers over authenticated HTTP connections.

The Hub (src/clawlink/hub/) is a local stdio MCP server that maintains a NodePool of persistent httpx connections to remote Nodes. When a client invokes a tool, the Hub’s ToolRouter performs a trust check (minimum score gate, anomaly detection, Compute Credit balance verification), selects the target node based on capabilities and trust scores, and forwards the request. The Hub supports broadcast mode for operations that must execute across all connected Nodes simultaneously.

The Node (src/clawlink/node/) is a remote Starlette+uvicorn MCP server listening at /mcp on port 7900. Each Node runs JWTAuthMiddleware that validates Bearer tokens using EdDSA (Ed25519) signatures. The Node’s sandbox executes commands via asyncio.create_subprocess_shell with configurable timeout, memory limits, and optional Docker containerization. Each Node exposes standard tools: exec, read_file, write_file, glob, grep, node_info, and agent orchestration tools.

3.2 One-Key Identity Model

A single Ed25519 keypair (~/.clawlink/agent.key, 32-byte seed) serves as the root of all cryptographic operations. This design eliminates key management complexity and ensures that every action — network authentication, blockchain transactions, privacy proofs, device binding — traces to a single verifiable identity.

3.3 Encryption and Data Sovereignty

All data at rest uses a uniform encryption scheme derived from the agent’s Ed25519 seed:

1. Key Derivation:  HKDF-SHA256(seed, info=b"clawlink-memory-encryption")  →  32-byte AES key
2. Encryption:      AES-256-GCM with os.urandom(12) nonce  →  authenticated ciphertext
3. Output Format:   nonce(12 bytes) || ciphertext || GCM_tag(16 bytes)

3.4 Module Overview

The Clawlink trust system is the primary mechanism by which subnets enforce quality of service. It operates at three levels: individual agent scoring, network-wide anomaly detection, and cross-subnet reputation portability.

4.1 Multi-Dimensional Trust Scoring

The TrustScorer computes trust as a weighted sum of normalized metrics. Each metric is clamped to empirically determined bounds and normalized to [0, 1] before weighting. Inverted metrics (where higher raw values indicate lower trust) are subtracted from 1.0 after normalization.

Agent Trust Metrics (7 dimensions):

Contribution ratio uses a tiered normalization:

Host Trust Metrics (7 dimensions):

4.2 Anomaly Detection

The AnomalyDetector identifies three categories of social-graph manipulation:

4.3 Contribution Ratio (BitTorrent Model)

The ContributionTracker implements peer-to-peer resource accounting inspired by BitTorrent’s seeding ratio. Every tool call is recorded as a ContributionInteraction with a cost derived from the tool cost map:

The ratio formula is: uploaded_cost / (downloaded_cost + 1). A 7-day grace period applies to new members — agents with no upload history receive a ratio of 1.0 until their first interaction ages past the grace window.

4.4 Cross-Subnet Reputation Oracle

The ReputationOracle enables agents to carry reputation across subnet boundaries using Ed25519-signed attestations. Aggregation uses recency-weighted scoring: each attestation’s weight is exp(-age_days / 30), ensuring recent attestations dominate the composite score.

When importing reputation into a target subnet, a trust discount of 0.5 is applied by default — an agent’s imported reputation is worth half its original value. The cross-subnet bonus is capped at 20% of the final agent trust score, preventing external reputation from overwhelming local observations.

4.5 Trust-Gated Routing

The Hub’s ToolRouter integrates trust evaluation into the tool call pipeline. Before routing a request, the router:

1. Retrieve agent trust score from TrustCache (TTL=300s)
2. Check against subnet min_score threshold (default 0.3)
3. Evaluate self_dealing_score vs self_dealing_threshold (default 0.7)
4. Verify active payment channel with sufficient $CLAW balance via DirectPaymentManager
5. Record tool call via NodeMidnightClient (utilization tracking)
→ Agents failing any gate receive an error — tool call is NOT forwarded

5.1 CIP-68 Agent Identity NFTs on Cardano

Every Clawlink agent has an on-chain identity implemented as a CIP-68 NFT pair on Cardano. CIP-68 defines a two-token pattern:

5.2 The Eight Aiken Validators

Eight validators written in Aiken (Cardano’s smart contract language, compiled to Plutus V3) enforce protocol rules on-chain:

5.3 Midnight Privacy Network Integration

Midnight serves as Clawlink’s privacy layer. The MidnightClient is an async httpx client that communicates with Midnight node endpoints for three categories of operations: Memory (encrypted key-value storage), Registry (node discovery with heartbeat TTLs), and Secrets (scope-based access control).

The system supports two Midnight backends: MockMidnightBackend (in-memory with HMAC-SHA256 32-byte proofs for development) and CompactMidnightBackend (production, invokes Midnight Compact runtime via subprocess generating 256-byte Groth16 proofs from compiled .zkey circuit files).

5.4 Zero-Knowledge Ratio Proofs

Clawlink uses zero-knowledge proofs for two privacy-sensitive operations:

6.1 Two-Layer Registry Architecture

Subnet discovery operates on a two-layer architecture balancing trust anchoring with operational privacy:

6.2 Trust-Weighted Discovery Ranking

discovery_rank = 0.5 × endorsement_score + 0.3 × maturity_score + 0.2 × member_score

  endorsement_score  (50%) = normalized from 0-10,000 bps; endorsements decay after 90 days
  maturity_score     (30%) = 0.0 for Genesis (<7 days); linear scale to full weight at 28 days
  member_score       (20%) = normalized from 0-1,000 members (logarithmic saturation)

6.3 Staked Relayer Service Market

Bridge daemon operators form a market for discovery relay services. Running a relayer requires 500 $CLAW minimum stake (Bronze tier) collateral, with a 100 $CLAW slashing penalty for delivering stale data and a 50 $CLAW/day base reward plus indexing bonus. This market structure ensures that discovery infrastructure is decentralized — no single entity controls subnet visibility.

6.4 Privacy-Preserving Membership

Subnet membership is never exposed on-chain. The MembershipRegistry stores all member entries encrypted on Midnight under the membership namespace. Member ranks follow a strict hierarchy:

Guest access is configurable per-subnet: operators can enable guest tokens with limited permissions, rate limits (default 10 requests/minute), and short TTLs (default 1 hour). Guest tokens can optionally be bound to device fingerprint or IP address for additional security.

7.1 Token Allocation

The $CLAW token has a fixed total supply of 1,000,000,000 (1 billion) tokens.

7.2 Emission Schedule and Halvings

Community rewards (400M tokens) are distributed through an emission schedule with halvings every 730 epochs (approximately 2 years at 1 epoch/day — Clawlink epochs are independent of Cardano’s 5-day mainnet epochs). Each epoch’s rewards are split:

7.3 Staking Tiers and Access Control

7.4 Burn Mechanisms

7.5 Network Sustainability Loop

1. Operators stake $CLAW     →  earn emission rewards (trust-weighted)
2. Agents hold $CLAW        →  pay per tool call via direct payment channels
3. Payments flow from agents to operators each epoch (on-chain settlement)
4. Operators earn more $CLAW from emissions proportional to trust scores
5. Higher trust scores attract more agents, increasing payment channel volume
6. Agent ID creation and listing fees burn $CLAW (deflationary)
7. Reduced supply + sustained payment demand → price appreciation
8. Price appreciation attracts more stakers → back to step 1

8.1 Bidirectional Authentication

8.2 Sandboxed Execution (Docker)

Memory:     256 MB hard limit  (mem_limit=256m)
CPU:        50% of one core    (cpu_quota=50000)
Network:    Disabled           (network_disabled=True)
Filesystem: Read-only root     (read_only=True) + tmpfs for /tmp
Privileges: No new privileges  (--security-opt=no-new-privileges)

8.3 Economic Deterrents

Beyond technical security, Clawlink’s economic design creates strong deterrents against misbehavior:

Clawlink occupies a unique position at the intersection of AI agent coordination, blockchain identity, and privacy-preserving networking.

Key Differentiators

Clawlink is in active development with significant infrastructure complete.

Completed Proposals

In Progress

Clawlink addresses the three fundamental gaps preventing AI agents from operating as accountable network participants: identity, trust, and privacy. By anchoring agent identity on Cardano as CIP-68 NFTs, implementing multi-dimensional trust scoring with anomaly detection, and encrypting operational data on Midnight, Clawlink creates the infrastructure for sovereign agent networks where operators set their own rules and agents bear economic consequences for their behavior.

The $CLAW token economy aligns incentives across all network participants: operators earn rewards proportional to their trust scores, agents burn tokens for compute access, and stakers provide economic security in exchange for emission shares. The halving schedule and three burn mechanisms ensure long-term sustainability without reliance on continuous external capital.

The convergence of MCP standardization, Cardano’s mature UTXO model, and Midnight’s zero-knowledge privacy layer creates a unique window for building the trust infrastructure that AI agents need to operate safely in adversarial environments.

Every operator should be able to run a sovereign agent network. Clawlink makes this possible.