Overview

Sealdex architecture.

Sealdex is a sealed-bid auction platform where the auctioneer cannot peek at bids, the validator cannot peek, and losing bids are discarded without disclosure. It runs on Solana with MagicBlock's Private Ephemeral Rollups providing the trusted execution environment.

The core pattern: every Auction and Bid PDA is delegated to a TEE validator on creation. From that moment until settlement, the data lives inside Intel TDX hardware. settle_auction runs inside the enclave, picks the max bid, and commits only the winner back to base Solana via commit_and_undelegate_accounts.

Smart contract

Anchor 0.32.1

ephemeral-rollups-sdk 0.11

Bidder LLM

Claude Sonnet 4.6

Anthropic SDK · tool-use

Frontend

Next.js 15

App Router · Tailwind 3

Program design

Four instructions.

create_auction

base layer

The auctioneer initializes an Auction PDA at [b"auction", auction_id], creates a Permission account allowing the seller to mutate it, and immediately delegates the PDA to the MagicBlock TEE validator. The auction is sealed from the moment it exists.

place_bid

base layer → TEE

Each bidder calls place_bid with their amount. The Bid PDA at [b"bid", auction_id, bidder] is created, given a Permission account scoped to the bidder, and delegated to the TEE in the same transaction. The amount field is sealed inside Intel TDX before any other observer sees it.

settle_auction

in-TEE

After the auction expires, settle_auction runs inside the enclave. It iterates each Bid PDA via seed derivation (validating that the right bidder + auction match), finds the maximum amount, sets auction.winner and auction.winning_bid, then calls commit_and_undelegate_accounts to push the auction state back to base Solana. Losing Bid PDAs stay encrypted in the TEE.

claim_lot

base layer

The winner calls claim_lot, which marks status=Claimed and emits the LotClaimed event. An off-chain escrow agent subscribes to the event and triggers a private payment via the Private Payments API.

Devnet addresses

Where to point your tools.

Sealdex program

4DBEkkdMaW7boAsmEFXLMbEiSnVj1xYQUndWYGzPwEMJ

TEE validator pubkey

MTEWGuqxUpYZGFJQcp8tLN7x5v9BSeoFHYWQQ3n3xzo

Permission Program

ACLseoPoyC3cBqoUtkbjZ4aDrkurZW86v19pXz2XQnp1

Delegation Program

DELeGGvXpWV2fqJUhqcF5ZSYMS4JTLjteaAMARRSaeSh

Devnet TEE RPC

https://devnet-tee.magicblock.app

Base layer RPC

https://api.devnet.solana.com

Design decisions

Non-obvious calls.

No Vec<Pubkey> on the Auction.

Auctions are delegated to the TEE the moment they're created, so place_bid on the base layer can't mutate them. Tracking participants happens off-chain via the registry feed; settle_auction validates each Bid PDA at iteration time via seed derivation.

Cluster-anchored countdown.

The frontend captures cluster time on every /api/lot poll and extrapolates locally with Date.now() between fetches. This survives WSL/laptop clock skew.

Prompt caching for the bidder.

Bidder calls render in tools → system → messages order with a cache breakpoint on the last system block, so Claude caches tool definitions + system prompt together. Per-lot context sits after the breakpoint and is the only thing that varies between evaluations.

Editorial frontend.

Sotheby's-style catalog page sells the trustlessness pitch better than an infrastructure dashboard. The reveal is ceremonial — flip cascade with no confetti.