Add ERC: Agent Tool Registry

[ryanio]

Summary

Adds new ERC-8257: Agent Tool Registry - a permissionless onchain registry for AI agent tools with extensible predicate-based access control.

Each registration commits a metadata URI and a keccak256 content hash. Invocation access is gated by an optional external predicate contract, following the "pluggable external contract" pattern used by Seaport zones, Uniswap v4 hooks, and ERC-4337 paymasters. Registrations are anchored to a canonical off-chain manifest through origin-binding (manifest served at a well-known path on the endpoint's origin) plus creator self-attestation. Pricing hints are protocol-agnostic and live in the manifest; the registry never handles funds.

Status

Draft. Opening early to gather feedback. Once an editor assigns a number we will rename the file from erc-xxxx.md and set the eip: field accordingly.

Discussion: https://ethereum-magicians.org/t/erc-draft-agent-tool-registry/28457

Reference implementation

• Solidity reference impl + example predicates (ERC-721, ERC-1155, subscription, composite): https://github.com/ProjectOpenSea/tool-registry
• TypeScript SDK + CLI for building tools against the registry (manifest authoring, registration, gating middleware): https://github.com/ProjectOpenSea/tool-sdk
• Live deployments on Base mainnet - addresses in the tool-registry README

Author handles

Cody Sears (@CodySearsOS), Ryan Ghods (@ryanio)

[eip-review-bot]

File ERCS/erc-8257.md

Requires 1 more reviewers from @g11tech, @jochem-brouwer, @samwilsn, @xinbenlv

[github-actions]

The commit c4ca973 (as a parent of 217ea61) contains errors.
Please inspect the Run Summary for details.

[jochem-brouwer]

Mostly editorial comments, some security points/qs.

Main points: CAIP/RFCs should have URLs which is handy for the reader.
All abbreviations should on first-use be defined.

Very interesting ERC! 😄 👍

[ryanio]

@jochem-brouwer thanks for the thorough review — both passes have shipped. Below is a summary of what changed, organized by significance.

Substantive normative changes (1c1568d8)

• Predicate gas cap removed. Dropped the normative 200,000-gas staticcall ceiling and the illustrative 5k–60k gas table. Safety now relies on staticcall semantics alone: any failed sub-call returns (success=false) and EIP-150's 63/64 rule preserves the caller's gas for the failure path. The gas-bound decision moves to the call site — composers wrap hasAccess with staticcall{gas: budget} based on their target chain and fork. Cited EIP-8038 (Glamsterdam SLOAD repricing) as the reason the spec doesn't pin a number. The reference implementation keeps a 200k internal cap framed as defense-in-depth, not a conformance requirement. Downstream gas-cap mentions (ERC-165 probe, recursive-self-reference rationale, getRequirements introspection cap) updated to match.
• AccessProof challenge → EIP-712. Replaced raw keccak256(abi.encodePacked(toolId, account, chainid, deadline)) with EIP-712 typed data. The "\x19\x01" prefix and domain (name: "ERC8257-AccessProof", verifyingContract: predicate) prevent collision with EIP-7702 authorizations, eth_sign payloads, or other ERC challenge schemes. Follows the canonical anti-collision pattern; happy to take a dedicated security review on it if you want to flag someone.
• Init-code commitment. Acknowledged that runtime bytecode alone doesn't fully commit predicate behavior — init-code can SSTORE state that the runtime branches on. Counterfactual-deployment guidance now recommends pinning the init-code hash (which determines both runtime bytecode and constructor-planted storage) or inspecting post-deployment storage, and flags pure-logic predicates (no storage reads) as the safer choice for security-sensitive gates.
• Transient-storage caching note. Added non-normative pointer for composers: cache hasAccess results in EIP-1153 transient storage keyed by (toolId, account) to keep a stable answer across multiple calls within one transaction. Clears automatically at end-of-transaction so it can't leak across txs.

Editorial (451a1508 + 1c1568d8)

• Linked RFC 2119 / 8174 / CAIP-19 / CAIP-10 / CAIP-2 on first use
• Expanded abbreviations on first use: NFD, ACE, TEE, E2EE, TLS, TCB, IDN, BGP, EOA, UUPS, SSRF, MITM, CID; glossed RE2; defined "10 KiB (10,240 bytes)" inline; spelled out OOG as "out of gas"
• Dropped Solidity view framing in §Predicate Reentrancy in favor of staticcall (EVM concept, not Solidity)
• Escaped the pipe inside the amount regex (`^(0\|[1-9][0-9]*)$`) so the table cell no longer truncates at ^(0
• Differentiated the duplicate // e.g. "eip155:8453" parsing comments so the reader can see the function intent
• Tagged the verifyOriginBinding block as ```solidity and noted in prose that it's Solidity-flavored pseudocode
• Converted "Handling Verification Failure" bullets to a numbered list; clarified "check 4" as the creator-binding step from §Consumer Verification
• Confined remaining RFC 2119 keywords to §Specification (per EIP-1)

19 threads marked resolved. Particularly happy to discuss the gas-cap rework if you'd like to push back — it's a normative loosening, so worth confirming you're aligned.