Escrow-based settlement for AI agent delegation -- a reference implementation of "Intelligent AI Delegation" (Tomašev, Franklin, Osindero -- Google DeepMind, 2026). Deployed on Base Sepolia with verified transactions. See the live demo.
Agent A needs a code review. It posts the task with 0.01 ETH locked in a smart-contract escrow. Agent B picks it up, delivers the review, and submits proof. The buyer can approve directly, or route review through an optional verifier. Payment releases automatically on approval.
If the work is rejected by the buyer or verifier, a dispute can go to an arbitrator who splits the funds fairly. No trusted middleman -- the smart contract is the custodian.
As AI agents become more capable, the delegation problem becomes primary: not "can the agent do the task" but "how do we trust it did the task correctly, pay it fairly, and hold it accountable?"
Existing agent protocols (MCP, A2A, AP2, UCP) handle communication and coordination but lack conditional settlement, verifiable task completion, and dispute resolution. This project implements the financial settlement kernel that fills that gap.
- Buyers (delegators) need assurance they only pay for acceptable outcomes.
- Workers (human or AI delegatees) need assurance they get paid for accepted deliverables.
- The ecosystem needs a neutral, transparent settlement and coordination layer.
On-chain: TaskEscrowFactory deploys TaskEscrow instances on Base (Ethereum L2). Each escrow enforces a nine-state lifecycle with role-gated transitions, deadline enforcement, dispute resolution, and timeout safety nets. Supports both ETH and ERC20 tokens (USDC, etc.).
Off-chain: Single Go binary serving an MCP server, JSON REST API, and background event indexer, plus a thin escrow-cli client for shell workflows. SQLite storage, no external dependencies beyond an RPC endpoint.
The design principle: settle on-chain, everything else off-chain. Bidding, matching, reputation, task decomposition, and agent orchestration remain off-chain where they can iterate independently.
Contributor reading order: AGENTS.md for the repo harness, docs/ARCHITECTURE.md for system boundaries and code ownership, and docs/SPEC.md for settlement invariants.
For internal component wiring, see the detailed architecture diagram and docs/ARCHITECTURE.md.
The happy path above is five steps. But real delegation needs failure handling -- what if the worker disappears? What if the buyer disputes? What if nobody responds? The full state machine covers all of it:
Nine states, multiple resolution paths: direct buyer approval, optional verifier review/rejection, worker silence escalation, arbitrator resolution, and timeout-based refunds. Every path eventually settles or refunds -- funds never get stuck.
Deployed on Base Sepolia with verified ETH, USDC, and AP2 mandate-bridge flows.
Factory: 0x798830e2d3C25cF9296fe06a46D808CFB550e880
- Runbook + prerequisites:
demo/README.md - Full transaction logs:
demo/DEMO_RUN.md - Demo scripts:
demo/eth_demos.sh,demo/usdc_demos.sh,demo/ap2_demo.py
Each design decision traces to the paper. The settlement kernel (V1) covers the foundational layer; subsequent versions build toward the paper's full vision.
| Paper Pillar | V1 (Settlement) | V2 (Market) | V3 (Intelligence) | V4 (Ethics/Governance) |
|---|---|---|---|---|
| Dynamic Assessment (§4.1-4.2) | Fixed roles + task spec hash | RFQ + Bid_Object marketplace | Contract-first decomposition tooling | Curriculum-aware routing (planned) |
| Adaptive Execution (§4.4) | Timeouts + escalation paths | Milestones + backup agents | Checkpoint/resume + stability controls | Liability firebreaks (planned) |
| Structural Transparency (§4.5, 4.8) | Events + hash commitments | Milestone checkpoints + live events | Attestation chains + ZK slot + quorum | Higher-fidelity monitoring policy (planned) |
| Scalable Market Coordination (§4.3, 4.6) | Designated verifier/arbitrator | Reputation seed + complexity floor | Credentials + sealed bidding + market controls | DID trust layer + governance floors (planned) |
| Systemic Resilience (§4.7, 4.9) | Role gates + reentrancy guard | Emergency controls + stake-based Sybil friction | DCT attenuation + principal authz + service tiers | Insurance and governance hardening (planned) |
Canonical paper coverage + decision log: docs/paper-feature-map.json. Narrative mapping and sequencing: docs/ARCHITECTURE.md, docs/ROADMAP.md.
For shell-capable agents, use the skill and CLI path:
- Skill entrypoint:
skills/escrow-cli/SKILL.md - CLI binary:
go-server/bin/escrow-cli - Reference:
skills/escrow-cli/references/REFERENCE.md
The CLI is a thin HTTP client over the existing API; business logic stays in the Go server.
MCP remains first-class for MCP-native clients. Any MCP-compatible client (Claude, GPT, custom agents) can use escrow without Solidity or wallet libraries -- the server handles chain interaction.
Default configuration (EMERGENCY_ENABLED=true, EVENTS_ENABLED=true, A2A_ENABLED=true, UCP_ENABLED=false) exposes tools for:
- Escrow lifecycle and dispute resolution (single-shot + milestone flows)
- Verifier quorum + ZK-assisted approval paths
- Bidding and decomposition (
Task_RFQ, sealed bids, decomposition finalize) - Attestation chains and checkpoint/resume handoffs
- DCT mint/delegate/revoke/introspect + authorization audit views
- AP2/x402 mandate funding, event subscriptions, A2A discovery, and emergency controls
- UCP checkout operations (
ucp_*) whenUCP_ENABLED=true
The architectural rationale for MCP lives in docs/ARCHITECTURE.md. The authoritative current tool registration lives in go-server/internal/mcpserver/tools.go.
GET /api/v1/health
# Escrow lifecycle
POST /api/v1/escrows
GET /api/v1/escrows
GET /api/v1/escrows/{id}
POST /api/v1/escrows/{id}/fund
POST /api/v1/escrows/{id}/submit
POST /api/v1/escrows/{id}/approve
POST /api/v1/escrows/{id}/dispute
POST /api/v1/escrows/{id}/resolve
# Bidding + decomposition
POST /api/v1/rfqs
POST /api/v1/rfqs/{id}/bids/commit
POST /api/v1/rfqs/{id}/bids/reveal
POST /api/v1/rfqs/{id}/accept
POST /api/v1/decompositions
POST /api/v1/decompositions/{id}/finalize
# Advanced flows
POST /api/v1/dcts/mint
POST /api/v1/ap2/fund
POST /api/v1/ucp/checkouts
PATCH /api/v1/ucp/checkouts/{checkout_id}
POST /api/v1/ucp/checkouts/{checkout_id}/complete
POST /api/v1/ucp/checkouts/{checkout_id}/cancel
GET /api/v1/events
GET /.well-known/agent.json
GET /.well-known/ucp
The architectural rationale for the API surface lives in docs/ARCHITECTURE.md. The authoritative current route registration lives in go-server/internal/api/router.go.
V1 -- Settlement Kernel: Complete. 9-state escrow contracts, full test suite (unit, fuzz, invariant), Go server with MCP + HTTP + indexer, live on Base Sepolia.
V2 -- Market Primitives: Complete (11/11 items). ERC20/USDC payments, worker stake, milestone-based escrow, backup agent clause, on-chain reputation, complexity floor, bidding protocol (Task_RFQ + Bid_Object), A2A settlement adapter, AP2 mandate-to-escrow bridge, real-time event subscriptions (SSE/WebSocket + MCP polling), and emergency response protocol.
V3 -- Delegation Intelligence: Complete. Items 12-22 are implemented, including the UCP fulfillment provider as an adapter over shared escrow orchestration with REST/MCP/CLI parity.
V4 -- Ethical Safeguards and Ecosystem Maturity: Planned. Items 23-30 include curriculum routing, liability firebreaks, cognitive friction calibration, DID identity layer, insurance framework, governance safety floors, and newly explicit social-intelligence and user-training tracks.
Full roadmap sequencing: docs/ROADMAP.md. Canonical machine-readable paper mapping and per-item design decisions: docs/paper-feature-map.json.
src/,test/,script/: Solidity contracts, Foundry tests, and deployment scripts.go-server/: single Go service (MCP server, HTTP API, indexer, bidding, A2A/AP2/UCP adapters, storage, chain client).docs/: architecture/spec/roadmap/setup/deploy docs plus PlantUML diagrams.demo/: executable ETH/USDC/AP2 demos and on-chain run logs.scripts/: utility scripts (for example faucet helpers).
| Document | Contents |
|---|---|
AGENTS.md |
Repo harness: reading order, invariants, and change-coupling rules |
docs/SPEC.md |
Contract design intent: lifecycle, settlement math, invariants |
docs/ARCHITECTURE.md |
System map: boundaries, ownership, transport model, and evolution path |
docs/ROADMAP.md |
Delivery phases, execution order, and actionable checklists |
docs/paper-feature-map.json |
Machine-readable paper feature coverage + per-item design decisions |
docs/SETUP.md |
Local setup and configuration |
docs/DEPLOY.md |
Deployment workflow |
docs/DEPLOYMENTS.md |
Live deployed addresses |
docs/diagrams/ |
State machine, lifecycle, bidding, and architecture diagrams |
demo/README.md |
Demo prerequisites and run commands |
demo/DEMO_RUN.md |
Demo transaction traces |
CONTRIBUTING.md |
Contribution guidelines |
- Foundry (Solidity toolchain)
- Go 1.26+
make build # compile Solidity contracts
make test # Foundry unit + edge case tests
make test-invariant # invariant / fuzz tests
make go-abi # copy ABI artifacts from Foundry output
make go-build # compile Go binary
make go-cli-build # compile escrow-cli binary
make go-test # Go tests
make test-all # everything at onceexport RPC_URL=https://sepolia.base.org
export FACTORY_ADDRESS=0x...
export PRIVATE_KEY=0x...
make go-runThe server starts the HTTP API on port 8080 and the event indexer in the background. Set MCP_TRANSPORT=stdio to also enable the MCP server for agent integration.
make go-cli-build
./go-server/bin/escrow-cli --output json health
./go-server/bin/escrow-cli --output json escrow list
# DCT examples
./go-server/bin/escrow-cli --output json dct mint --data '{"escrow_id":1,"subject":"agent-b","operations":["submit_work"],"resources":["escrow:1"],"expires_at":1999999999}'
./go-server/bin/escrow-cli --output json dct introspect --data '{"token":"dct_xxx.yyy"}'HTTP DCT examples:
curl -sS -X POST http://localhost:8080/api/v1/dcts/mint -H 'content-type: application/json' -d '{"escrow_id":1,"subject":"agent-b","operations":["submit_work"],"resources":["escrow:1"],"expires_at":1999999999}'
curl -sS -X POST http://localhost:8080/api/v1/dcts/delegate -H 'content-type: application/json' -d '{"parent_token":"dct_parent.secret","subject":"agent-c","operations":["submit_work"],"resources":["escrow:1"],"expires_at":1999999000}'MCP DCT tools: mint_dct, delegate_dct, introspect_dct, revoke_dct.
See docs/SETUP.md for deployment and the full configuration reference.
This project implements the framework described in:
Tomašev, N., Franklin, M., & Osindero, S. (2026). Intelligent AI Delegation. arXiv preprint arXiv:2602.11865. Google DeepMind.