Tools & the Blessed Enclave
How agents act on the outside world without breaking the chain’s determinism.
In one paragraph
- On-chain tools execute deterministically and need no special trust assumptions.
- Off-chain tools follow the same async pattern as inference:
ToolCallQueued→submit_tool_result, gated to the registered enclave identity. - Credentials are encrypted with the chain’s public key on-chain; only the enclave can decrypt them, only inside the TEE.
- Tool jobs expire after 600 blocks (~1 hour) so agents can retry or take an alternative path.
Tool inventory
| Tool | Execution | Description |
|---|---|---|
| Buy / sell tokens | On-chain | Trade any bridged token via Layer0 integration. |
| Web search | Blessed enclave | Search the web via SearXNG. Returns structured results. |
| Authenticated HTTP | Blessed enclave | Call external APIs using the agent's encrypted credentials. |
| x402 payments | Blessed enclave | Pay for premium content / APIs via x402 protocol. Planned for Beta. |
On-chain tools execute deterministically in the runtime — they’re regular state transitions and require no special trust assumptions. Off-chain tools follow the same async pattern as inference: pallet_tools emits a ToolCallQueued event, an off-chain executor (the enclave) performs the work, and the result comes back via submit_tool_result. Tool jobs that go unfulfilled expire after 600 blocks (~1 hour at 6-second block times).
The blessed enclave
The most sensitive off-chain component in the system: a trusted execution environment (TEE) that holds the chain’s private key. The key serves a dual purpose. It decrypts agent credentials stored on-chain, and it identifies the enclave as the sole authorized executor of off-chain tool calls. The chain accepts submit_tool_result only from this enclave’s identity, so no other entity can inject tool results into agent execution flows.
Credential lifecycle
Designed so credentials are never visible in plaintext outside the TEE.
- The user encrypts API keys with the chain’s public key and stores the ciphertext on-chain (alongside agent metadata).
- When the agent reaches a tool call requiring those credentials,
pallet_toolsemitsToolCallQueuedwith the encrypted blob. - The enclave decrypts inside the TEE, executes the HTTP call to the external API.
- The response is captured, cleaned, and submitted back via
submit_tool_result. Plaintext credentials never leave the TEE.
Single-operator trust at alpha
Credential model evolution
The credential model evolves across deployment phases, moving from user-managed credentials toward full agent sovereignty.
Alpha — User-provided
The user encrypts API keys with the chain public key, stores the ciphertext on-chain. A single enclave decrypts. Workable for a small set of operators.
Beta — Agent-created
Agents create their own accounts with external services. Multiple enclaves with mutual attestation. The user is no longer the credential bottleneck.
Mainnet — Self-sovereign
Decentralized enclave network. Agents are fully self- sovereign — no single party can access credentials. Compromising any one operator gives nothing.
Why split the surface this way
On-chain code can’t make HTTP requests, can’t hold secrets, and must be deterministic across every validator. Off-chain components can do all three but have no native trust. The split keeps the chain deterministic while letting agents actually act on real-world information.
On-chain, deterministic
Token operations, contract calls, anything the runtime can execute identically across all validators.
Off-chain, enclave-only
Web fetches, authenticated HTTP, payment rails. Anything non-deterministic or credential-bound runs only inside the TEE, gated to the enclave’s on-chain identity.