abbey188/Ori

Ori Protocol

Ori is an open Solana credential protocol for delegated agent reputation.

Parent wallets have history, capital, behavior, and accountability context. Agent wallets start cold. Ori lets a parent wallet privately back an agent wallet with one global credential and a capability-aware OARS report, so protocols can verify inherited trust and public accountability without storing the parent wallet in public Ori state.

The core primitive is:

score parent wallet -> issue agent credential -> verify credential
-> monitor agent behavior -> slash or record outcome
-> anonymous backing authority reputation changes
-> future agents from that same authority inherit the risk

Current Status

Devnet core MVP is working end to end.

The shortest proven demo flow is:

score wallet -> issue credential -> verify credential -> slash credential
-> authority reputation gets flagged -> high-tier reissue is blocked

Program ID:

BEP9KGF6vYMB1LwGymsPZSYtkEXDU15NHUjAb9HMvPF3

Current devnet accounts used by the demo:

config: HD2YTj1j6MKszPyMopwaetiCUzfoMfzLVfq1EH9SHRK1
scoring_engine: xUBLkNB4brXD985FnofwXUmZ58s7dBKk4wp91jiBTmT
default_context_protocol: GQmkZ2ktNRxM5gYaUkkka9cpnaTciJVtsKyx8chQHMuT

What Ori Proves

Ori proves anonymous infrastructure-level accountability for delegated agents:

  • An agent can present a credential backed by a parent wallet.
  • The parent wallet is not stored in credential or nullifier state.
  • The credential stores only compact public state: tier, risk band, commitment, status, counters, and timestamps.
  • If the agent is slashed, the credential can be frozen.
  • The backing authority is also dirtied through AuthorityReputationAccount.
  • The authority reputation PDA is derived from authority_hash, not the parent public key.
  • A flagged authority can still issue low-tier credentials, but cannot issue high-tier credentials.
  • A blacklisted authority is blocked from issuance.
  • Protocols can reject otherwise active credentials if the backing authority is not acceptable.

That means a parent cannot simply abandon a bad agent wallet and restart with a clean agent. The agent changes, but the anonymous backing authority reputation persists.

What Ori Does Not Claim

Ori V1 is intentionally precise about its claims.

Ori does not claim:

  • The parent wallet is hidden from the scoring engine in V1.
  • OARS fully captures every historical Solana behavior signal today.
  • The score predicts all future agent behavior.
  • A high score grants unlimited autonomy.
  • OARS is a regulated credit, lending, or insurance score.
  • V1 has complete staking lifecycle history, Realms vote history, or DeFi position lifecycle indexing.

The completed V1 claim is stronger and narrower:

Ori creates a privacy-preserving backing identity for agent credentials,
then enforces cumulative accountability for that backing identity on-chain.

Implemented

On-chain program:

  • Anchor program core.
  • Config PDA and admin authority.
  • Scoring engine registry.
  • Protocol registry.
  • Credential issuance and verification.
  • Parent revocation.
  • Protocol outcome recording.
  • Severity-based slashing.
  • Nullifier tracking.
  • Authority reputation tracking.
  • Authority tier caps and blacklist checks.

SDK and scoring:

  • TypeScript SDK helpers.
  • PDA derivation helpers.
  • OARS report validation and canonicalization.
  • OARS report commitments.
  • SAS compact attestations.
  • Capability profile and protocol policy evaluator.
  • Parent reputation context derivation.
  • Agent reputation identity derivation.
  • Authority reputation policy helpers.
  • Read-only wallet scoring command.
  • Guarded lifecycle demo scripts.

Data adapters:

  • Dune SIM Solana balance and raw transaction evidence.
  • Helius semantic transaction type/source/error evidence.
  • GoldRush Solana balance and portfolio support.
  • Solana RPC balance, signature, token-account, and stake-account snapshot evidence.
  • Ori-history evidence from credentials, nullifiers, protocol stats, outcomes, slashes, and revocations.

API and monitoring:

  • Read-only REST API wrapper.
  • Credential lookup.
  • Authority reputation lookup.
  • Verify endpoint with authority policy.
  • Agent compliance endpoint.
  • Webhook registration endpoint.
  • Event indexer for signed webhook dispatch on Ori events.

OARS Scoring Depth

OARS is the Ori Agent Reputation Score methodology. It is not just a score. It produces:

score -> tier -> risk band -> confidence -> risk envelope -> capability profile

V1 uses live and derived evidence from the parent wallet, the agent context, and Ori accountability history.

Current live scoring coverage:

  • Capital depth from native SOL, token balances, portfolio value, and delegated stake snapshot.
  • Wallet maturity from first-seen/signature evidence and observed activity age.
  • Activity consistency from active days, transaction count, and time-series buckets.
  • Protocol quality from recognized protocol/program interactions and suspicious/failure patterns.
  • Mandate context from the disclosed or committed agent policy.
  • Ori accountability from outcomes, slashes, revocations, and authority reputation.

V1 now includes time-series activity buckets:

{
  "behavior_profile": {
    "time_series": {
      "0_30d": {
        "transactions": 0,
        "timestamped_transactions": 0,
        "active_days": 0,
        "failed_transactions": 0,
        "failed_ratio_bps": 0,
        "protocol_interactions": 0
      },
      "31_180d": {
        "transactions": 0,
        "timestamped_transactions": 0,
        "active_days": 0,
        "failed_transactions": 0,
        "failed_ratio_bps": 0,
        "protocol_interactions": 0
      },
      "181_365d": {
        "transactions": 0,
        "timestamped_transactions": 0,
        "active_days": 0,
        "failed_transactions": 0,
        "failed_ratio_bps": 0,
        "protocol_interactions": 0
      },
      "365d_plus": {
        "transactions": 0,
        "timestamped_transactions": 0,
        "active_days": 0,
        "failed_transactions": 0,
        "failed_ratio_bps": 0,
        "protocol_interactions": 0
      }
    }
  }
}

This prevents the scorer from flattening every observed transaction into one recent window.

Every report can also expose scoring-depth metadata:

{
  "scoring_depth": {
    "time_series_activity": "live",
    "staking_snapshot": "live",
    "staking_history": "planned",
    "governance_history": "planned",
    "defi_position_history": "planned",
    "notes": [
      "staking_history_requires_indexed_stake_account_lifecycle",
      "governance_history_requires_realms_vote_record_indexing",
      "defi_position_history_requires_protocol_position_lifecycle_indexing"
    ]
  }
}

staking_snapshot is current stake-account evidence, not a claim of complete stake/unstake history. Full staking lifecycle history, Realms governance vote history, and DeFi position lifecycle history are planned indexed adapters.

Authority Reputation

The key accountability account is:

PDA: ["authority_rep", authority_hash]

It tracks cumulative reputation for the anonymous backing authority:

authority_hash
total_credentials_issued
active_credentials
total_slashes
severe_slashes
warning_slashes
risk_slashes
positive_outcomes
negative_outcomes
authority_status
first_credential_at
last_updated

Authority statuses:

0 = clean
1 = flagged
2 = blacklisted

Policy behavior:

  • One severe slash flags the authority.
  • Flagged authorities cannot issue credentials above tier 1.
  • Three severe slashes blacklist the authority.
  • Blacklisted authorities cannot issue new credentials.
  • /v1/verify returns both credential validity and authority acceptability.

This is what closes the accountability loop.
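The policy above as a small off-chain model, added here as an illustration (it is not the Ori program or SDK code). Status codes, counter names, and `AuthorityFlaggedTierExceeded` come from this README; the severity strings, function names, and the `authority_blacklisted` reason label are assumptions.

```javascript
// Added example: off-chain model of the authority reputation policy.
// Not the on-chain program; helper names here are hypothetical.
const STATUS = { clean: 0, flagged: 1, blacklisted: 2 };
const FLAGGED_MAX_TIER = 1;          // flagged authorities cannot issue above tier 1
const BLACKLIST_SEVERE_SLASHES = 3;  // three severe slashes blacklist the authority

function newAuthority(authorityHash) {
  return {
    authority_hash: authorityHash,
    total_slashes: 0, severe_slashes: 0, warning_slashes: 0, risk_slashes: 0,
    authority_status: STATUS.clean,
  };
}

// A slash is recorded against the backing authority, so it survives
// the agent wallet being abandoned and replaced.
function recordSlash(auth, severity) {
  const counter = `${severity}_slashes`;
  if (!["severe_slashes", "warning_slashes", "risk_slashes"].includes(counter)) {
    throw new Error(`unknown severity: ${severity}`);
  }
  auth[counter] += 1;
  auth.total_slashes += 1;
  if (auth.severe_slashes >= BLACKLIST_SEVERE_SLASHES) {
    auth.authority_status = STATUS.blacklisted;
  } else if (auth.severe_slashes >= 1) {
    auth.authority_status = STATUS.flagged;
  }
  return auth.authority_status;
}

// Issuance gate: only the authority state and requested tier matter,
// never which agent wallet is asking.
function checkIssuance(auth, requestedTier) {
  if (auth.authority_status === STATUS.blacklisted) {
    return { allowed: false, reason: "authority_blacklisted" }; // placeholder label
  }
  if (auth.authority_status === STATUS.flagged && requestedTier > FLAGGED_MAX_TIER) {
    return { allowed: false, reason: "AuthorityFlaggedTierExceeded" };
  }
  return { allowed: true, reason: null };
}

// Default verifier policy: an authority is acceptable only while clean.
function authorityAcceptable(auth) {
  return auth.authority_status === STATUS.clean;
}
```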

Repository Docs

Prerequisites

Core tools:

  • Node.js 18+
  • npm
  • Rust and Cargo
  • Solana CLI
  • Anchor CLI

For WSL/devnet execution:

cd /mnt/c/Users/ASUS/Ori
export ANCHOR_WALLET="$HOME/.config/solana/id.json"
export ANCHOR_PROVIDER_URL="https://api.devnet.solana.com"

Optional data-provider keys:

DUNE_SIM_API_KEY=<key>
HELIUS_API_KEY=<key>
GOLDRUSH_API_KEY=<key>

The project can still run without these keys, but OARS will fail closed with lower confidence and missing-data penalties.

Build And Test

Build demo/API/indexer scripts:

npm run build:demo

Run SDK tests:

npm run test:sdk

Run full Anchor tests from WSL:

cd /mnt/c/Users/ASUS/Ori
NO_DNA=1 anchor test

Expected current SDK result:

52 passing

The full Anchor suite has previously passed with:

73 passing

Score A Wallet

Read-only score:

npm run score:wallet -- \
  --cluster mainnet-beta \
  --parent <parent-pubkey> \
  --agent <agent-pubkey>

Compact summary:

npm run score:wallet -- \
  --cluster mainnet-beta \
  --parent <parent-pubkey> \
  --agent <agent-pubkey> \
  --summary

With live data providers:

DUNE_SIM_API_KEY=<key> \
HELIUS_API_KEY=<key> \
GOLDRUSH_API_KEY=<key> \
npm run score:wallet -- \
  --cluster mainnet-beta \
  --parent <parent-pubkey> \
  --agent <agent-pubkey> \
  --dune-sim-transaction-limit 1000 \
  --dune-sim-transaction-pages 3 \
  --helius-transaction-limit 100 \
  --helius-transaction-pages 2

Useful output fields:

  • merged_features
  • behavior_profile
  • behavior_profile.time_series
  • scoring_depth
  • parent_reputation_context
  • sybil_risk_flags
  • agent_reputation_identity
  • oars_result.risk_envelope
  • privacy_checks

Devnet Demo Flow

Setup registry state:

npm run demo:setup -- --cluster devnet --send

Issue and verify a credential:

npm run demo:e2e -- \
  --parent <parent-pubkey> \
  --agent <agent-pubkey> \
  --send

The write path always:

  • prints account pubkeys,
  • simulates before submission,
  • requires typing SEND,
  • submits only after confirmation,
  • verifies after submission.

Verify by credential id:

npm run demo:verify -- \
  --cluster devnet \
  --credential-id <credential_id_hex> \
  --agent <agent-pubkey>

Prove authority accountability:

npm run demo:authority-rep -- \
  --cluster devnet \
  --credential-id <credential_id_hex> \
  --send

Expected result:

{
  "post_slash_state": {
    "credential_status": 2,
    "credential_slash_count": 1,
    "authority_reputation": {
      "authority_status": 1,
      "total_slashes": 1,
      "severe_slashes": 1
    }
  },
  "high_tier_reissue_probe": {
    "expected_result": "AuthorityFlaggedTierExceeded",
    "blocked": true
  }
}

Use MVP_DEMO.md for the shortest complete walkthrough.

REST API

Start the API:

ORI_API_CLUSTER=devnet npm run api

Endpoints:

GET  /health
GET  /v1/score?parent=<pubkey>&agent=<pubkey>
GET  /v1/credential/<credential_id_hex>
GET  /v1/credential/<credential_id_hex>/authority
GET  /v1/authority/<authority_hash_hex>
POST /v1/verify
POST /v1/presentation/verify
POST /v1/compliance
POST /v1/webhooks/register

Verify a credential:

curl -X POST http://127.0.0.1:8787/v1/verify \
  -H "Content-Type: application/json" \
  -d '{"credentialId":"<credential_id_hex>","agentWallet":"<agent_pubkey>"}'

Important response fields:

{
  "is_valid": true,
  "authority_acceptable": false,
  "policy_valid": false,
  "score_tier": 0,
  "risk_band": 3,
  "permitted_action_classes": ["read", "quote"],
  "authority_reputation": {
    "authority_status": 1,
    "authority_status_name": "flagged"
  }
}

Meaning:

  • is_valid means the individual credential is active, matches the agent, and is not expired.
  • authority_acceptable means the backing authority is clean under default policy.
  • policy_valid is the combined decision.
  • permitted_action_classes is the recommended action vocabulary after score tier, risk band, and authority state.

Fetch authority reputation without exposing the parent wallet:

curl "http://127.0.0.1:8787/v1/credential/<credential_id_hex>/authority"
curl "http://127.0.0.1:8787/v1/authority/<authority_hash_hex>"

Event Indexer And Webhooks

Register a webhook:

curl -X POST http://127.0.0.1:8787/v1/webhooks/register \
  -H "Content-Type: application/json" \
  -d '{"protocolId":"<protocol_id_hex>","webhookUrl":"http://127.0.0.1:9999/ori","secret":"dev-secret"}'

Run the indexer:

ORI_API_CLUSTER=devnet npm run event:indexer

The indexer watches Ori program logs, decodes Anchor events, and dispatches signed webhook POSTs for:

  • CredentialSlashed
  • AuthorityStatusChanged
  • CredentialRevoked

Webhook recipients verify:

x-ori-signature = HMAC_SHA256(secret, timestamp + "." + body)
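A receiver-side check for the signature scheme above, as an added example (not code from the Ori repository). The README specifies only the HMAC input; the hex digest encoding, Unix-seconds timestamp, 300-second replay window, and the way the timestamp reaches the receiver are assumptions.

```javascript
// Added example: verify an Ori webhook before trusting its payload.
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 300; // assumed replay window, not from the Ori docs

// HMAC_SHA256(secret, timestamp + "." + body), computed over the raw body
// string exactly as received (never over re-serialized JSON).
function signOriPayload(secret, timestamp, rawBody) {
  return crypto
    .createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex"); // hex encoding is an assumption
}

// timestamp: the value sent alongside x-ori-signature (delivery mechanism assumed).
// nowSeconds is injected so the check is deterministic in tests.
function verifyOriWebhook({ secret, timestamp, rawBody, signature, nowSeconds }) {
  const ts = Number(timestamp);
  if (!Number.isInteger(ts)) {
    return { ok: false, reason: "bad_timestamp" };
  }
  // Reject old or future-dated deliveries to limit replay of captured requests.
  if (Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale_timestamp" };
  }
  // Validate the shape first: timingSafeEqual throws on length mismatch.
  if (typeof signature !== "string" || !/^[0-9a-f]{64}$/i.test(signature)) {
    return { ok: false, reason: "bad_signature_format" };
  }
  const expected = Buffer.from(signOriPayload(secret, timestamp, rawBody), "hex");
  const received = Buffer.from(signature, "hex");
  // Constant-time comparison avoids leaking how many leading bytes matched.
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: "signature_mismatch" };
  }
  return { ok: true, reason: "ok" };
}
```

Parse the JSON body only after `verifyOriWebhook` returns `ok: true`, and use a per-protocol secret stronger than the `dev-secret` demo value outside local testing.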

Pitch Positioning

Use this claim:

Ori is a privacy-preserving delegated-agent reputation protocol.
It lets a parent wallet back an agent without storing the parent wallet on-chain,
and it makes that backing authority accountable across all agents it creates.

Use this technical proof:

An agent credential can be slashed.
The slash freezes the credential.
The anonymous backing authority reputation is flagged.
The same authority cannot issue a high-tier replacement credential.
Protocols see the authority status during verification.

Use this honest scoring claim:

OARS V1 uses live wallet evidence, time-series activity buckets,
current staking snapshot evidence, compliance checks, and Ori accountability.
Deeper staking lifecycle history, governance voting history, and DeFi position
lifecycle analysis are planned indexed adapters.

Safety

Demo write scripts are guarded:

  • Localnet/devnet only.
  • Dry-run by default where applicable.
  • Transaction summary is printed before send.
  • Transaction simulation runs before send.
  • Operator must type SEND before submission.

Do not use local demo keypairs or printed seed phrases for real funds.

Do not deploy to mainnet for the MVP without:

  • multisig admin,
  • security review,
  • published scoring methodology hash,
  • data-provider reliability plan,
  • monitoring,
  • dispute process.

About

Ori is an open Solana protocol for delegated agent reputation. Parent wallets can delegate scoped credentials to agent wallets so protocols can verify trust without exposing the parent's identity on-chain. Agents inherit credibility they haven't earned yet, eliminating cold starts. Owners stay private. Protocols get actionable trust signals.
