The cryptographic execution layer for autonomous AI on Solana.
Soloraa lets an AI agent hold and move funds under cryptographic boundaries the user controls. Funds live in a program-derived wallet that only accepts Ed25519-signed intents from a TEE-attested enclave. Compromise the agent and you get nothing.
canonical signed intent
Every byte is bound to a wallet, a nonce, and a recent blockhash. The chain re-checks all of them.
programs/solora/src/state.rsGenerative agents are about to become financial actors.
Today the only way to give an LLM the power to settle a trade, rebalance a treasury, or pay an invoice is to hand it a wallet key. The model becomes the security boundary. That assumption breaks the moment a model is jailbroken, prompt-injected, or simply wrong.
Hot keys for AI
The standard pattern hands an LLM a private key. That key is an unbounded license — every constraint is enforced by whichever process holds it. That isn't a security boundary, it's a code review.
Replayable approvals
Session keys with policy guards bolted onto the SDK can be re-broadcast across forks, after slot rollovers, or by a compromised relayer that captured a single signed message.
Hallucinated execution
Prompt injection, tool-misuse, and model errors regularly produce trades the user never asked for. Without an out-of-process check, the model's mistake reaches the chain.
Drift between policy and code
Slippage caps, allowlists, oracle freshness — typically all enforced in the same TypeScript that the agent talks to. One refactor and the policy disappears silently.
Move the security boundary into Solana.
The agent never holds a private key. A confidential-compute enclave holds a signing key sealed to its image hash and runs the policy. The Solana program is the verifier — every constraint is checked against the bytes of the signed intent.
AI agent
submits an intent
destination · amount · feed id · slippage cap
Attested enclave
policy + oracle + sign
Pyth merkle · Wormhole quorum · sealed Ed25519 key
Signed intent
169 canonical bytes
program · wallet · nonce · blockhash · payload hash
On-chain verifier
re-checks every byte
Ed25519 sysvar · SlotHashes · nonce bump
Constraints checked by the chain, not by the agent.
Each guarantee maps to a specific error code inprograms/solora/src/error.rsand is exercised by a LiteSVM test. The on-chain program rejects with a typed error you can grep.
IntentNonceMismatch · 6018Replay protection
Every signed intent commits to a wallet nonce that bumps on success. Resubmits with a fresh blockhash hit the program's verifier and bounce.
Ed25519 sysvar · index − 1Enclave verification
An Ed25519Program ix immediately precedes every execute call. The pubkey must equal wallet.enclave_signer; the message must be the canonical 169 bytes.
register_enclave_v2Attested rotation
Signer rotation requires the authority's signature AND a governor proof citing a measurement in the on-chain registry. Neither side alone can hijack.
Policy.allowed_programs[16]CPI allowlist
Authority-controlled. Even a perfectly-signed intent cannot CPI into a program the wallet hasn't pre-approved.
SlotHashes lookupFork-resistant binding
Signed messages bind a (recent_blockhash, slot) pair. The verifier binary-searches the SlotHashes sysvar. Cross-fork replays miss the entry.
Run an attested agent in two clicks.
Connect a wallet, delegate a bounded amount, and step through the cryptographic execution lifecycle in real time. Real devnet legs broadcast after the pipeline, and the replay demo is one click away.