Introduction
ENShell is an on-chain firewall for AI agents. It intercepts every action an autonomous agent wants to take, encrypts the instruction, analyzes it with Claude via Chainlink CRE's Confidential HTTP, and writes a verdict on-chain -- all before a single wei moves.
Built for ETHGlobal Cannes 2026.
The Problem
AI agents are getting wallets. They're swapping tokens, bridging assets, and interacting with DeFi protocols autonomously. But there's no security layer between "the AI decided to do this" and "the transaction is on-chain."
An agent compromised by prompt injection, a hallucinated address, or a malicious instruction can drain funds in a single transaction. There's no undo button on Ethereum.
What ENShell Does
ENShell sits between intent and execution. Every action passes through four layers:
| Layer | Component | What Happens |
|---|---|---|
| 1 | SDK / CLI | protect() encrypts the instruction with ECIES and submits the action hash on-chain |
| 2 | Smart Contract | Policy checks, action queuing, emits ActionSubmitted event |
| 3 | CRE Workflow | Chainlink CRE fetches + decrypts the instruction, Claude analyzes it, verdict goes on-chain via onReport() |
| 4 | Human-in-the-Loop | If escalated, the agent owner approves or rejects via CLI or Ledger Live |
The instruction plaintext never appears on-chain. It exists only inside the CRE workflow during analysis, protected by Confidential HTTP and threshold-encrypted secrets via the Vault DON.
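An added example (not ENShell's SDK code) of the encrypt-then-commit pattern in layers 1 and 3: the agent seals the instruction to the analyzer's public key and publishes only a hash, and the analyzer decrypts and checks the plaintext against that hash. The HKDF-SHA256 key derivation, the SHA-256 action hash over the plaintext, and all function names are assumptions; the page specifies only ECDH on secp256k1 and AES-256-GCM.

```javascript
// Added illustration, not the @enshell/sdk source. Assumptions: HKDF-SHA256 as
// the KDF and SHA-256 of the plaintext as the action hash; the page names only
// ECDH (secp256k1) and AES-256-GCM.
const { createECDH, hkdfSync, createCipheriv, createDecipheriv,
        createHash, randomBytes } = require('node:crypto');

const INFO = Buffer.from('example-ecies-v1'); // hypothetical KDF context label

function deriveKey(ecdh, peerPublicKey) {
  const shared = ecdh.computeSecret(peerPublicKey);
  return Buffer.from(hkdfSync('sha256', shared, Buffer.alloc(0), INFO, 32));
}

const sha256Hex = (text) => createHash('sha256').update(text, 'utf8').digest('hex');

// Agent side: envelope travels off-chain, only actionHash is submitted on-chain.
function sealInstruction(instruction, recipientPublicKey) {
  const eph = createECDH('secp256k1'); // fresh key pair per message
  eph.generateKeys();
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(eph, recipientPublicKey), iv);
  const ciphertext = Buffer.concat([cipher.update(instruction, 'utf8'), cipher.final()]);
  const envelope = { ephemeralPublicKey: eph.getPublicKey(), iv, ciphertext,
                     tag: cipher.getAuthTag() };
  return { envelope, actionHash: sha256Hex(instruction) };
}

// Analyzer side: decrypt, then reject anything that differs from the commitment.
function openInstruction(envelope, recipientEcdh, committedHash) {
  const key = deriveKey(recipientEcdh, envelope.ephemeralPublicKey);
  const decipher = createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  const plaintext = Buffer.concat([decipher.update(envelope.ciphertext),
                                   decipher.final()]).toString('utf8'); // throws if tampered
  if (sha256Hex(plaintext) !== committedHash) {
    throw new Error('instruction does not match the on-chain action hash');
  }
  return plaintext;
}

// Constructed sample run.
const analyzer = createECDH('secp256k1');
analyzer.generateKeys();
const sample = sealInstruction('swap 1 ETH for USDC', analyzer.getPublicKey());
console.log(sample.actionHash, openInstruction(sample.envelope, analyzer, sample.actionHash));
```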
Key Features
- End-to-end encryption -- ECDH key exchange (secp256k1) + AES-256-GCM via @noble primitives. Zero dependencies beyond audited cryptographic libraries.
- Confidential AI analysis -- Claude analyzes instructions inside Chainlink CRE with threshold-encrypted API keys via Vault DON. No single operator sees the plaintext.
- On-chain agent reputation -- EMA-based threat scoring written to ENS text records. Every agent builds a portable, verifiable trust history.
- Trust mesh -- Agents can check each other's trustworthiness on-chain via checkTrust(). Trust events are recorded and visible to the entire network.
- ENS-native identity -- Every agent gets an ENS subdomain (agent-name.enshell.eth) with threat score, strike count, and avatar as text records.
- Human-in-the-loop -- Escalated actions surface Claude's full analysis. The owner approves or rejects with their connected wallet (including Ledger hardware wallets via Ledger Live).
- ERC-7730 clear signing -- Ledger clear-signing descriptors for all firewall functions. Users see human-readable transaction details on-device.
- Shared ecosystem -- Anyone can register agents on the same firewall contract. Access control is per-agent (owner-based), but reputation and trust are network-wide.
Deployed Infrastructure
| Component | Location |
|---|---|
| AgentFirewall Contract | 0x410f4D...db78A7 on Sepolia |
| SDK | @enshell/sdk on npm |
| CLI | @enshell/cli on npm |
| Relay | relay.enshell.xyz on Railway |
| Website | enshell.xyz |
| ENS Domain | enshell.eth (Sepolia, wrapped in NameWrapper) |
Integrations
ENShell integrates deeply with three protocol ecosystems:
Chainlink CRE -- The analysis engine. CRE workflows run as compiled WASM, use Confidential HTTP for Claude API calls, and write DON-attested reports on-chain via the KeystoneForwarder. Secrets (API keys, oracle private key) are threshold-encrypted in the Vault DON.
ENS -- The identity layer. Agent registration creates NameWrapper-wrapped subdomains. Threat scores and strike counts are written as ENS text records after every CRE analysis. The trust mesh uses ENS as a portable reputation store.
Ledger -- The approval layer. A Ledger Live app provides freeze/activate controls and agent management. ERC-7730 clear-signing descriptors ensure users see human-readable transaction details on the Ledger device screen.
Next Steps
- Quickstart -- Install the SDK and CLI, register your first agent, and run your first protect() call
- Architecture Overview -- Understand the four-layer pipeline in depth
- CRE Workflow -- How the Chainlink CRE analysis pipeline works (critical for understanding the simulation flow)