The problem Orloj solves

AI agents today can read about smart contracts, but they can't safely use them. To call a contract, an agent has to manage private keys, pick an RPC, handle network failures, estimate gas, and understand each ABI's quirks. Every one of those is a footgun — and a reason teams don't ship agentic on-chain workflows.

Today's wallet UX (hardware confirmations, simulation, allowance prompts) was designed for humans. None of that armor extends to a stochastic actor that's one prompt-injection away from approving a malicious token.

Orloj removes the entire surface. Each Sourcify-verified contract is published as its own MCP server, so the agent sees only typed, verified interfaces it can call like any other tool. NatSpec docstrings flow from the contract author straight to the LLM as tool descriptions; proxies are resolved automatically; Solidity types become Zod schemas the agent can construct arguments against.

Account management, signing, and gas live behind the MCP boundary. Private keys are minted inside hardware enclaves (1Claw HSM+TEE or SpaceComputer Orbitport orbital HSM+SpaceTEE) and never leave them. The registry sees only the digest to sign; the agent sees only the tool.

The result: agents act on-chain with the ergonomics of a REST call.

• Simplified mental model. Agents reason about interfaces, not RPCs, gas, or nonces.
• Lower model requirements. Even smaller tool-calling models execute on-chain operations reliably.
• Architectural safety. A compromised host or hallucinating agent can't exfiltrate keys or forge transactions — only request signatures on a digest, against a key it doesn't hold.
• Scoped, revocable agency. Per-agent bearer tokens + per-vault grants (permissions, expiry, secret-path patterns) make revocation a single row update.
• Permissionless surface. Any Sourcify-verified contract on any chain viem supports is instantly callable. No per-contract integration.

Challenges we ran into

One MCP for everything, or one MCP per contract? Our first sketch was a single "universal" MCP server that took a contract address as a tool argument and dispatched dynamically. Simple, but it broke the abstraction we cared about: the agent couldn't see what a contract could do — every call collapsed into an opaque "send this calldata to this address," the exact footgun we wanted to remove. We pivoted to one MCP per registered contract, with each ABI function as its own typed tool. The win: the LLM sees

WstETH.wrap(uint256)

with the author's NatSpec as the description, and the type system tells it what it's doing before it does it. That decision drove the rest of the architecture.

Node 24's strict ESM resolver vs.

@1claw/sdk

. The SDK ships extensionless imports the new resolver rejects. Rather than fork it, we wrote a custom loader hook that re-adds the

.js

suffix.

Solidity → Zod, recursively. Translating an arbitrary ABI into a typed MCP surface meant handling tuples, dynamic + fixed-size arrays, every integer width, and

bytesN

— and every nested combination — into Zod.

Proxies are most of mainnet. A registry that doesn't understand proxies is dead on arrival. Sourcify's

proxyResolution

field made it tractable: detect proxies at registration, fetch the implementation ABI, bind the agent to the proxy address. Upgrades surface as new tools on refresh.

Orbitport only signs digests. Orbitport KMS never sees an unsigned tx — it signs a 32-byte hash. We build the EIP-1559 tx with viem, hash it, send only the hash, recover y-parity from the recovery id, reassemble with

serializeTransaction

, and broadcast. The registry never holds the key.

Envelope encryption in the same security domain. Agents need off-chain credentials too. We provision a second Orbitport key per vault —

TRANSIT

AES-256-GCM — and store ciphertext in Postgres while the master key stays in orbit.