Aegis

Autonomous Solana trading agent with in-enclave key custody and attested execution. Private keys are generated inside a TEE. They never leave. Every trade is provably honest.

---

Most agents store private keys in .env files. One leak and everything is gone.

Aegis runs its entire decision loop inside a Trusted Execution Environment. The Ed25519 signing key is generated inside the enclave and sealed there permanently. The host machine, the cloud provider, and the operator cannot read it.

OBSERVE → REASON → ATTEST → SIGN → EXECUTE → LEARN

Every trade emits a remote attestation quote. Every decision is logged to an immutable JSONL audit trail. The agent that runs tomorrow is smarter than the one today. The key has never been seen by anyone.

---

Live Execution

Real-time view of Aegis running: strategy signals from Meteora DLMM, Drift perps, and Jupiter spot with live confidence scores and risk gate results, confirmed Solana transactions with truncated hashes, attestation status, and Claude's full reasoning for the current decision cycle.

System Architecture

Three-layer execution stack: hardware attestation (Intel TDX RTMR registers + AMD SEV-SNP VCEK chain), trusted enclave boundary (secp256k1 key that never exits), and network layer (RA-TLS to Jupiter v6 + signed transactions to Solana validator via Jito block engine).

---

Core Engine — TEE + MCP

Trusted Execution Environment

Layer	Component	Function
Key Custody	src/enclave/signer.ts	Ed25519 key gen inside TEE, sealed with AES-256-GCM
Attestation	src/enclave/attestation.ts	Remote quote per trade, verifiable externally
TEE Runtime	src/enclave/tee.ts	Intel TDX / AMD SEV-SNP / software mode

MCP Tool Surface

Tool	Source	Purpose
solana_get_price	Helius + Birdeye	Real-time token price, OHLCV
solana_get_pool_state	Meteora DLMM	Bin range, TVL, fee rate
solana_get_funding_rate	Drift Protocol	Perp funding rate, OI
jupiter_get_quote	Jupiter v6	Best swap route, price impact
solana_get_wallet_positions	Helius	Current positions, P&L
enclave_execute_trade	Internal	Final execution intent

---

Agent Decision Loop

flowchart TD
    A[Market Data Ingest\nHelius · Meteora · Drift] --> B[MCP Tool Layer]
    B --> C{Claude Agent SDK\nReasoning Loop}
    C --> D[Risk Engine\nDrawdown · Confidence Gate]
    D -->|rejected| E[Log Warning to Memory]
    D -->|approved| F[TEE Attestation Quote]
    F --> G[In-Enclave Ed25519 Signer]
    G --> H[Solana Transaction]
    H --> I[Outcome Capture]
    I --> J[Chroma Vector Memory\nTTL: 90d patterns / 60d warnings]
    J --> C
    E --> J

Loading

---

Performance Metrics

Metric	Target
Decision latency	< 3.5s
Attestation overhead	< 120ms
Tx confirmation	< 1.2s
Memory retrieval	< 80ms
Cycle interval	15 min (default)

---

Quick Start

git clone https://github.com/Aetheris-Labs/Aegis
cd Aegis && bun install
bun run setup         # interactive wizard
docker-compose up chroma -d
bun run dev

Paper trading is on by default.

---

Configuration

ANTHROPIC_API_KEY=sk-ant-...
HELIUS_API_KEY=...
SOLANA_RPC_URL=https://mainnet.helius-rpc.com/?api-key=...
TEE_MODE=software        # software | tdx | sev
PAPER_TRADING=true
CONFIDENCE_THRESHOLD=0.65
MAX_POSITION_SIZE_USD=500
GLOBAL_DRAWDOWN_LIMIT=0.15

See .env.example for all options.

---

Risk Infrastructure

• Global drawdown -15% halts all new positions
• Per-strategy drawdown -20% halts strategy
• Confidence gate: minimum 0.65 to execute
• Human approval required for trades > $500
• Circuit breaker: 3 losses in 1h → 4h cooldown
• Trade idempotency prevents duplicate execution

---

Technical Spec

Attestation & Key Custody

Intel TDX path

• Measurement registers RTMR[0]–RTMR[3] are extended at enclave init: [0] firmware, [1] OS kernel, [2] application, [3] runtime config
• RTMR[3] is re-extended on every config reload; a drift in its value indicates tampered runtime parameters
• Quote is generated per-trade, embedded in the audit log entry, verifiable against Intel PCS

AMD SEV-SNP path

• VCEK certificate chain: ARK (AMD root) → ASK (AMD signing key) → VCEK (per-chip, per-TCB)
• VCEK is fetched from kdsintf.amd.com at startup and cached; fetchedAt timestamp gates rotation detection
• VCEK rotation voids all in-flight attestation sessions — sessions must re-attest after chain refresh

Quote TTL & replay prevention

• Quote TTL: QUOTE_TTL_SECONDS (default 600s); stale quotes are rejected at the verifier
• Monotonic restartCounter field on TEERuntime: incremented on every cold start, embedded in quote UserData
• A quote with a lower counter than the current session is rejected — prevents pre-restart quote replay

Key lifecycle

• secp256k1 keypair generated inside enclave boundary using @noble/secp256k1 CSPRNG
• Sealed with AES-256-GCM, key derived from TEE measurement (hardware-bound, not operator-visible)
• decrypted.fill(0) called immediately after Keypair.fromSecretKey() — private key bytes do not persist on heap

Risk Engine

Check	Threshold	Notes
Slippage gate	MAX_SLIPPAGE_BPS (default 150)	Evaluated before RPC simulation; saves ~40ms per rejection
Confidence gate	CONFIDENCE_THRESHOLD (default 0.65)	Claude agent confidence score
Global drawdown halt	–15%	All new positions suspended
Per-strategy halt	–20%	Strategy-level circuit breaker
Human approval	> $500 single trade	Hard override; logged to audit trail

RA-TLS

All outbound connections from the enclave to Jupiter v6 and Solana RPC use Remote Attestation TLS. The TLS certificate is signed with a key whose public key is embedded in the attestation quote — the verifier confirms the certificate belongs to a genuine enclave before accepting the connection. No custom handshake code; handled by mbedTLS extension.

---

Roadmap

Phase	Status	Scope
Phase 1	✅	Agent loop, MCP server, memory, paper trading
Phase 2	🔄	Intel TDX production support, AMD SEV-SNP
Phase 3	🗓 Q3 2026	Live execution: Meteora DLMM, Drift perps, Jupiter spot
Phase 4	🗓 Q4 2026	On-chain vault (Anchor), multi-TEE threshold signing

---

License

MIT

---

built for the trenches. keys stay in the box.