Pohi
Proof of Human Intent (PoHI) - Cryptographically verifiable human approval for AI-driven development
🔏 Proof of Human Intent (PoHI)
AI executes. Humans authorize. Machines verify.
Try the Live Demo - Verify your humanity with World ID
🎯 What is PoHI?
Proof of Human Intent is a protocol that creates cryptographically verifiable proof that a real human approved critical software actions.
“Who approved this?” “The AI did.” This protocol ends that conversation.
World ID (ZK Proof) × Git Signing × Transparency Log
= Verifiable Human Approval
🔥 Why Now?
2024: GitHub Copilot writes code
2025: AI Agents create PRs autonomously
2026: AI Agents deploy to production ← We're heading here
Question: Can you PROVE a human approved it?
The Problem
| Traditional | AI Era |
|-------------|--------|
| Human writes code | AI writes code |
| Human reviews | AI reviews |
| Human merges | ??? |
Humans are shifting from "implementers" to "approvers."
But there's no way to cryptographically verify that a human—not an AI—actually approved an action.
💡 How It Works
PoHI answers three questions:
| Question | Technology | Proof |
|----------|-----------|-------|
| Who? | PoP Providers | Unique human verification |
| What? | Git + DID | Specific commit approved |
| When? | SCITT Log | Immutable timestamp |
Supported PoP Providers
| Provider | Verification Type | Sybil Resistance | Status |
|----------|------------------|------------------|--------|
| World ID | ZK proof (Orb/Device) | High | ✅ Tested |
| Gitcoin Passport | Web3 identity score | Medium | ✅ Tested |
| BrightID | Social graph verification | Medium | ✅ Implemented |
| Civic | Gateway Pass | Medium | ✅ Implemented |
| Proof of Humanity | Kleros registry | High | ✅ Implemented |
| Holonym | ZK identity (Gov ID/ePassport) | High | ✅ Implemented |
| Idena | AI-resistant CAPTCHA | High | ✅ Implemented |
| Coinbase Verifications | KYC attestation (EAS) | High | ✅ Implemented |
| Humanity Protocol | Palm biometric | High | ✅ Implemented |
📖 Provider Documentation - Configuration, usage examples, and integration guides for each provider.
Architecture
```
┌─────────────────────────────────────────────────────────────┐
│                    Proof of Human Intent                    │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│        ┌──────────┐    ┌──────────┐    ┌──────────┐         │
│        │  VERIFY  │───▶│   BIND   │───▶│  RECORD  │         │
│        │ "Human?" │    │ "What?"  │    │ "Proof"  │         │
│        └──────────┘    └──────────┘    └──────────┘         │
│             │               │               │               │
│             ▼               ▼               ▼               │
│        ┌──────────┐    ┌──────────┐    ┌──────────┐         │
│        │   PoP    │    │ Git+DID  │    │  SCITT   │         │
│        │ Provider │    │ Signing  │    │   Log    │         │
│        └──────────┘    └──────────┘    └──────────┘         │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
Approval Flow
```mermaid
sequenceDiagram
    participant AI as 🤖 AI Agent
    participant GH as 🐙 GitHub
    participant Human as 👤 Human
    participant PoHI as 🔏 PoHI
    participant WorldID as 👁️ World ID
    AI->>GH: Create PR
    GH->>Human: Review request
    Human->>PoHI: Request approval
    PoHI->>Human: Show World ID QR
    Human->>WorldID: Scan (World App)
    WorldID-->>PoHI: ZK Proof (signal=commit SHA)
    PoHI->>GH: Status: Verified Human ✅
    GH->>AI: Merge enabled
```
🚀 Quick Start
Prerequisites
- Node.js 18+
- World ID App (Download)
- GitHub repository
Installation
```bash
# Core library (chain-neutral, zero dependencies)
npm install pohi-core

# EVM utilities (for on-chain recording)
npm install pohi-evm

# SDK (full client for World Chain)
npm install pohi-sdk

# CLI tool
npm install -g pohi-cli
```
Basic Usage
```javascript
import { createAttestation, computeSignal, validateAttestation } from 'pohi-core';

// Create an attestation
const attestation = createAttestation(
  // Subject: what is being approved
  {
    repository: 'owner/repo',
    commit_sha: 'abc123...',
    action: 'DEPLOY',
    description: 'Production deployment v2.0'
  },
  // Proof: evidence of human verification
  {
    method: 'world_id',
    verification_level: 'orb',
    nullifier_hash: '0x...',
    signal: computeSignal('owner/repo', 'abc123...')
  }
);

// Validate structure and hash integrity
const result = validateAttestation(attestation);
console.log(result.valid); // true
```
CLI Usage
```bash
# Request human approval for a commit
pohi request --repo owner/repo --commit abc123

# Verify an existing attestation
pohi verify --repo owner/repo --commit abc123
```
GitHub Action
```yaml
# .github/workflows/human-approval.yml
name: Require Human Approval
on:
  pull_request:
    types: [labeled]
jobs:
  verify:
    if: github.event.label.name == 'ready-to-merge'
    runs-on: ubuntu-latest
    steps:
      - uses: pohi-protocol/action@v1
        with:
          world-id-app: ${{ secrets.WORLD_ID_APP_ID }}
          required-level: orb
```
📦 Packages
| Package | Description | Status |
|---------|-------------|--------|
| pohi-core | Core types & validation (zero deps) | ✅ v0.1.0 |
| pohi-evm | EVM utilities (keccak256, encodePacked) | ✅ v0.1.0 |
| pohi-sdk | World Chain client | ✅ v0.1.0 |
| pohi-cli | Command-line tool | ✅ v0.1.0 |
| pohi-action | GitHub Action | ✅ v0.1.0 |
| pohi-gitlab-ci | GitLab CI Component | ✅ v0.1.0 |
| pohi-bitbucket-pipe | Bitbucket Pipe | ✅ v0.1.0 |
| pohi-contracts | Solidity contracts (Foundry) | ✅ v0.1.0 |
| pohi-demo | Next.js + World ID demo | ✅ Live |
📄 Paper
"Proof of Human Intent: Cryptographically Verifiable Human Approval for AI-Driven Software Development"
- 📝 IACR ePrint: Submitted (pending review)
- 📝 arXiv: Planned (after ePrint publication)
- 📁 Source: paper/
Citation
```bibtex
@misc{pohi2026,
  title={Proof of Human Intent: Cryptographically Verifiable Human Approval for AI-Driven Software Development},
  author={Ikko Eltociear Ashimine},
  year={2026},
  howpublished={IACR Cryptology ePrint Archive}
}
```
⛓️ On-Chain Verification
On-chain attestation recording is optional and currently in development.
| Network | Status | Contract Address |
|---------|--------|------------------|
| World Chain Mainnet | 🔧 Coming Soon | TBD |
| World Chain Sepolia | ✅ Deployed | 0xe3aF97c1Eb0c1Bfa872059270a947e8A10FFD9d1 |
Note: PoHI works without on-chain recording. The core protocol uses off-chain attestations that can be independently verified. On-chain recording adds an additional immutable transparency layer.
🔐 Security Model
Security Considerations
PoHI has undergone an initial self-review focusing on:
- Replay attacks: Mitigated by binding attestations to specific commit SHAs
- Impersonation risks: Prevented by World ID's ZK proof of personhood
- CI/CD workflow integrity: Isolated verification in ephemeral containers
For full security documentation, see SECURITY.md.
Threat Model
| Attack | Mitigation |
|--------|-----------|
| Sybil (fake identities) | World ID nullifier hash |
| Replay (reuse proof) | Commit SHA in signal |
| Tampering | Merkle tree proofs |
| Impersonation | ZK proof of personhood |
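
The replay and Sybil rows above, as an added example (not PoHI's own code): a merge gate that accepts an attestation only when its signal matches the commit being merged, and counts distinct nullifier hashes as distinct humans. `exampleSignal`, `gateMerge`, the SHA-256 signal encoding and the sample data are assumptions for illustration; pohi-core's `computeSignal` may differ, and each ZK proof is assumed to have been verified by the provider already.

```javascript
// Added example, not part of pohi-core; all function names are hypothetical.
const { createHash } = require('node:crypto');

// ASSUMPTION: signal = SHA-256 over length-prefixed repo and commit SHA.
// pohi-core's computeSignal may use a different hash or encoding.
function exampleSignal(repository, commitSha) {
  const h = createHash('sha256');
  for (const part of [repository, commitSha.toLowerCase()]) {
    const bytes = Buffer.from(part, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    h.update(len).update(bytes); // prefix keeps ('a/b','c') distinct from ('a','/bc')
  }
  return '0x' + h.digest('hex');
}

const LEVEL_RANK = new Map([['device', 1], ['orb', 2]]);

// Gate for the commit about to merge. The provider must already have verified
// each ZK proof; this only checks binding, level and distinct humans.
function gateMerge(attestations, { repository, commitSha, requiredLevel, minHumans }) {
  const need = LEVEL_RANK.get(requiredLevel);
  if (need === undefined) throw new Error(`unknown level: ${requiredLevel}`);
  const expected = exampleSignal(repository, commitSha);
  const humans = new Set();
  const rejected = [];
  for (const { proof } of attestations) {
    let reason = null;
    if (proof.signal !== expected) reason = 'signal-mismatch'; // proof replayed from another commit
    else if ((LEVEL_RANK.get(proof.verification_level) ?? 0) < need) reason = 'level-too-low';
    else if (humans.has(proof.nullifier_hash)) reason = 'duplicate-human'; // same person twice
    if (reason) rejected.push({ nullifier_hash: proof.nullifier_hash, reason });
    else humans.add(proof.nullifier_hash);
  }
  return { allowed: humans.size >= minHumans, humans: humans.size, rejected };
}

// Constructed sample data: commit SHAs and nullifier hashes are made up.
const HEAD = '1'.repeat(40);
const OLD = '2'.repeat(40);
const mk = (nullifier_hash, verification_level, sha) => ({
  proof: { method: 'world_id', verification_level, nullifier_hash,
           signal: exampleSignal('owner/repo', sha) },
});
const SAMPLE = [mk('0xaa', 'orb', HEAD), mk('0xaa', 'orb', HEAD), mk('0xbb', 'orb', OLD),
                mk('0xcc', 'device', HEAD), mk('0xdd', 'orb', HEAD)];
const policy = { repository: 'owner/repo', commitSha: HEAD, requiredLevel: 'orb', minHumans: 2 };
console.log(gateMerge(SAMPLE, policy));
```

An unknown required level throws instead of comparing against `undefined`, so a typo in the policy cannot silently disable the level check.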
Trust Assumptions
- World ID Orb correctly identifies unique humans
- Transparency log is append-only
- Cryptographic primitives are secure
🗺️ Roadmap
- [x] Architecture design
- [x] Paper draft (Abstract)
- [x] Core library implementation
- [x] EVM utilities package
- [x] SDK for World Chain
- [x] CLI tool
- [x] GitHub Action
- [x] GitLab CI Component
- [x] Bitbucket Pipe
- [x] Smart contracts (Foundry)
- [x] Demo application (Next.js + World ID)
- [x] npm publish (v0.1.0)
- [x] Live demo deployment
- [x] Security self-review (see SECURITY.md)
- [x] IACR ePrint submission
- [ ] arXiv cross-posting
- [ ] External audit
- [ ] v1.0 release
📚 Related Work
| Technology | Purpose | Link |
|-----------|---------|------|
| World ID | Proof of personhood | docs.world.org |
| IETF SCITT | Supply chain transparency | datatracker.ietf.org |
| Sigstore | Keyless code signing | sigstore.dev |
| W3C DID |
