docs: add trustless AI guide

Author: ZigaMr

docs/build/README.mdx

@@ -13,9 +13,10 @@ right into it, check out our use cases that combine TEE and blockchain to
 build trustless distributed apps.
 
 <DocCardList items={[
-    findSidebarItem('/build/use-cases/price-oracle'),
-    findSidebarItem('/build/use-cases/tgbot'),
     findSidebarItem('/build/use-cases/key-generation'),
+    findSidebarItem('/build/use-cases/trustless-agent'),
+    findSidebarItem('/build/use-cases/tgbot'),
+    findSidebarItem('/build/use-cases/price-oracle'),
 ]} />
 
 ## The Oasis SDK

docs/build/use-cases/tgbot.mdx

@@ -1,6 +1,6 @@
 ---
 description: Build a private Telegram bot running in ROFL containing a simple python script and an Ollama LLM.
-tags: [ROFL, secrets]
+tags: [ROFL, AI, secrets]
 ---
 
 import Tabs from '@theme/Tabs';

docs/build/use-cases/trustless-agent.mdx

@@ -0,0 +1,209 @@
+---
+description: Deploy a trustless Eliza AI agent on Oasis using ROFL enclaves,
+  with enclave-managed keys and on-chain verification on Sapphire.
+tags: [ROFL, AI, appd, secrets]
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Trustless AI Agent
+
+Learn how to deploy a trustless Eliza agent on Oasis using ROFL enclaves.
+
+## What You’ll Build
+
+By the end you will have a working Eliza agent running inside a ROFL Trusted
+Execution Environment (TEE), registered and validated as a trustless agent in
+the [ERC-8004] registry. The agent's code can be fully audited and proved that
+the deployed instance really originates from it and cannot be silently altered.
+
+[ERC-8004]: https://eips.ethereum.org/EIPS/eip-8004
+
+## Prerequisites
+
+You will need:
+- Docker (or Podman) with credentials on docker.io, ghcr.io or other public OCI
+  registry
+- [Oasis CLI]
+- Node.js 22+ (for Eliza and helper scripts)
+- a Sapphire Testnet account funded with TEST
+- OpenAI API key
+- RPC URL for accessing the ERC-8004 registry
+- Pinata JWT for storing agent information to IPFS
+
+[Oasis CLI]: https://github.com/oasisprotocol/cli/blob/master/docs/README.md
+
+## Create an Eliza Agent
+
+Initialize a project using the ElizaOS CLI and prepare it for ROFL.
+
+```shell
+# Install bun and ElizaOS CLI
+bun --version || curl -fsSL https://bun.sh/install | bash
+bun install -g @elizaos/cli
+
+# Create and configure the agent
+elizaos create -t project rofl-eliza
+# 1) Select Pqlite database
+# 2) Select the OpenAI model and enter your OpenAI key
+
+# Test the agent locally
+cd rofl-eliza
+elizaos start
+# Visiting http://localhost:3000 with your browser should open Eliza UI
+```
+
+## Containerize the App and the ERC-8004 wrapper
+
+The Eliza agent startup wizard already generated the `Dockerfile` that packs
+your agent into a container.
+
+Next, we'll make sure that the Eliza agent is registered as a trustless agent in
+the ERC-8004 registry. A helper image called [`rofl-8004`] will do the
+registration for us. Create the following `compose.yaml` file:
+
+```yaml title="compose.yaml"
+services:
+  rofl-eliza:
+    build: .
+    image: docker.io/YOUR_USERNAME/rofl-eliza:latest
+    platform: linux/amd64
+    environment:
+      - OPENAI_API_KEY=${OPENAI_API_KEY}
+    volumes:
+      - eliza-storage:/root/.eliza
+
+  rofl-8004:
+    image: ghcr.io/oasisprotocol/rofl-8004
+    platform: linux/amd64
+    environment:
+      # RPC for ERC-8004 registry. e.g. https://sepolia.infura.io/v3/<YOUR_KEY>
+      - RPC_URL=${RPC_URL}
+      # Pinata token for storing token URI when registering new agent.
+      - PINATA_JWT=${PINATA_JWT}
+    volumes:
+      - /run/rofl-appd.sock:/run/rofl-appd.sock
+
+volumes:
+  eliza-storage:
+```
+
+Build and push:
+
+```shell
+docker compose build
+docker compose push
+```
+
+For extra security and verifiability pin the digest and use
+`image: ...@sha256:...` in `compose.yaml`.
+
+[`rofl-8004`]: https://github.com/oasisprotocol/erc-8004
+
+## Init ROFL and Create App
+
+The agent will run in a container inside a TEE. ROFL will handle the startup
+attestation of the container and the secrets in form of environment variables.
+This way TEE will be completely transparent to the agent app.
+
+```shell
+oasis rofl init
+oasis rofl create --network testnet
+```
+
+After creation, you should be able to find your app on the [Oasis Explorer].
+
+## Build ROFL bundle
+
+Eliza requires at least 2 GiB of memory and 5 GB of storage. Update the
+`resources` section in `rofl.yaml` to at least: `memory: 2048` and
+`storage.size: 5000`.
+
+Then, build the ROFL bundle by invoking:
+
+<Tabs>
+    <TabItem value="Native Linux">
+        ```shell
+        oasis rofl build
+        ```
+    </TabItem>
+    <TabItem value="Docker (Mac/Windows/Linux)">
+        ```shell
+        docker run --platform linux/amd64 --volume .:/src \
+        -it ghcr.io/oasisprotocol/rofl-dev:main oasis rofl build
+        ```
+    </TabItem>
+</Tabs>
+
+## Secrets
+
+Let's end-to-end encrypt `OPENAI_API_KEY` and store it on-chain. Also, provide
+the `RPC_URL` and `PINATA_JWT` values for ERC-8004 registration.
+
+```shell
+echo -n "<your-openai-key-here>" | oasis rofl secret set OPENAI_API_KEY -
+echo -n "<rpc-url-including-infura-key>" | oasis rofl secret set RPC_URL -
+echo -n "<your-pinata-key-here>" | oasis rofl secret set PINATA_JWT -
+```
+
+Then store enclave identities and secrets on-chain:
+
+```shell
+oasis rofl update
+```
+
+## Deploy
+
+Deploy your Eliza agent to a ROLF provider by invoking:
+
+```shell
+oasis rofl deploy
+```
+
+By default, the Oasis-maintained provider is selected on Testnet, but you can
+pick any other provider by passing the [`--provider <address>`][provider]
+parameter.
+
+[provider]: https://github.com/oasisprotocol/cli/blob/master/docs/rofl.md#deploy
+
+## Testing it out
+ 
+After deploying the agent, use the CLI to check machine status and view logs.
+ 
+```shell
+# Show machine details (IDs, state, proxy URLs, expiration).
+oasis rofl machine show
+ 
+# Fetch logs from your running ROFL app.
+oasis rofl machine logs
+```
+
+When spinning up the agent for the first time, the `rofl-8004` service will
+derive the ethereum address for registering the agent. Look for `Please top it
+up`  line in your logs and then send a small amount of ether to that address to
+pay for the fees.
+
+Also:
+
+- Expect standard output from your app container (anything your entrypoint
+  prints).
+- If your app initializes services on startup, those startup logs will appear
+  here.
+- Use this to check enclave startup issues and app readiness.
+ 
+:::warning
+
+Logs are accessible to the app admin and are stored unencrypted on the ROFL
+node. Avoid printing secrets. See the official docs:
+
+- [`oasis rofl machine logs`][machine-logs]
+- [ROFL workflow—logs and deploy notes][sdk-deploy-logs]
+
+:::
+
+Inspect on-chain activity and app details in the [Oasis Explorer].
+
+[machine-logs]: https://github.com/oasisprotocol/cli/blob/master/docs/rofl.md#machine-logs
+[sdk-deploy-logs]: https://github.com/oasisprotocol/oasis-sdk/blob/main/docs/rofl/workflow/deploy.md#check-that-the-app-is-running
+[Oasis Explorer]: https://explorer.oasis.io/testnet/sapphire

sidebarBuild.ts

@@ -17,9 +17,10 @@ export const sidebarBuild: SidebarsConfig = {
         slug: '/build/use-cases',
       },
       items: [
+        'build/use-cases/key-generation',
+        'build/use-cases/trustless-agent',
         'build/use-cases/price-oracle',
         'build/use-cases/tgbot',
-        'build/use-cases/key-generation',
       ]
     },
     {