orquestra

mcp
Security Audit
Fail
Health Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 9 GitHub stars
Code Fail
  • rm -rf — Recursive force deletion command in package.json
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose
This tool converts Solana Anchor IDLs into production-ready REST APIs and MCP servers. It allows developers to upload an IDL and instantly generate API endpoints for blockchain instructions, accounts, and transactions.

Security Assessment
Overall Risk: Medium. The tool interacts heavily with the Solana blockchain and requires network requests to operate. The biggest concern flagged in the audit is the presence of a recursive force deletion command (`rm -rf`) inside the `package.json` file. While common in build scripts, this can be dangerous if modified maliciously. Additionally, the setup instructions explicitly encourage piping a remote script directly into bash (`bash <(curl ...)`), which is a known security risk for executing unverified code. The tool also requires GitHub authentication and manages API keys, meaning it handles sensitive developer credentials. No hardcoded secrets were detected, and no dangerous system permissions are requested.

Quality Assessment
The project is relatively new and has low community visibility, currently sitting at only 9 GitHub stars. However, it is under active development (last updated today), uses a standard MIT license, and is written in TypeScript. Developers should consider it an early-stage project, meaning it may contain unpatched bugs or undergo rapid changes.

Verdict
Use with caution: while actively maintained and openly licensed, the low community trust, `rm -rf` flag, and remote script execution instructions warrant a careful review of the codebase before integrating.
SUMMARY

orquestra is a free, open-source platform that instantly converts Solana program IDLs into production-ready APIs and an MCP server.

README.md
orquestra

Transform Solana Anchor IDLs into Production-Ready REST APIs


orquestra is a free, open-source platform that converts Solana Anchor IDLs into REST APIs. Upload your IDL and get auto-generated endpoints for every instruction, account type, and error — with transaction building and AI-ready documentation included.

Quick Start

git clone https://github.com/berkayoztunc/orquestra.git
cd orquestra
bun install
bun run db:migrate:dev
bun run dev

Development

bun run dev             # start frontend + backend
bun run build           # build all packages
bun run deploy          # deploy to Cloudflare
bun run db:migrate:dev  # apply tracked D1 migrations locally
bun run db:seed         # seed test data
bun run type-check      # TypeScript check
bun run lint:fix        # lint & fix

Claude Agents

Install Orquestra sub-agents into Claude Code for AI-driven Solana task pipelines:

# Current project
bash <(curl -fsSL https://raw.githubusercontent.com/berkayoztunc/orquestra/main/install-skills.sh)

# Globally (all projects)
bash <(curl -fsSL https://raw.githubusercontent.com/berkayoztunc/orquestra/main/install-skills.sh) --global

Installs 6 agents into .claude/agents/:

  • orquestra — main orchestrator, delegates to sub-agents end-to-end
  • orquestra-researcher — program discovery, IDL docs, instruction listing
  • orquestra-pda-explorer — PDA derivation and on-chain account resolution
  • orquestra-tx-builder — unsigned transaction construction
  • orquestra-simulator — preflight + Anchor error decoding, no signing
  • orquestra-signer — sign + send via signer-mcp, explicit approval required
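
The install step above, rewritten as a fetch-then-verify flow instead of piping a remote script into bash. This is an added example, not part of the orquestra README; the pinned commit and expected digest are placeholders you record yourself after reading install-skills.sh, and the function names are hypothetical.

```bash
# Added example: download, verify, then run, instead of `bash <(curl ...)`.
# PINNED_COMMIT and EXPECTED_SHA256 are placeholders, not values from the project.
REPO_RAW="https://raw.githubusercontent.com/berkayoztunc/orquestra"
PINNED_COMMIT="<commit-sha-you-reviewed>"
EXPECTED_SHA256="<sha256-of-the-reviewed-script>"

# Print the SHA-256 of a file as lowercase hex (GNU coreutils or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file is non-empty and its digest equals the expected one.
verify_script() {
  [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
  vs_actual="$(sha256_of "$1")"
  if [ "$vs_actual" != "$2" ]; then
    echo "digest mismatch: got $vs_actual" >&2
    return 1
  fi
  return 0
}

# Download the script at the pinned commit (not the moving `main` branch).
# Nothing is executed here; the bytes only land in the file given as $1.
fetch_script() {
  curl --proto '=https' --tlsv1.2 -fsSL \
    "$REPO_RAW/$PINNED_COMMIT/install-skills.sh" -o "$1"
}

# Fetch, verify, then run exactly the bytes that were verified.
# Extra arguments (for example --global) are passed through to the installer.
install_verified() {
  iv_tmp="$(mktemp)" || return 1
  if fetch_script "$iv_tmp" && verify_script "$iv_tmp" "$EXPECTED_SHA256"; then
    bash "$iv_tmp" "$@"; iv_rc=$?
  else
    echo "refusing to run unverified installer" >&2; iv_rc=1
  fi
  rm -f "$iv_tmp"
  return "$iv_rc"
}
```

Source the file and call install_verified (or install_verified --global) once the two placeholders are filled in; a changed script at the same URL then fails the digest check instead of running.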

API Overview

Public API base:

  • Local: http://localhost:8787
  • Production: https://api.orquestra.dev

Core service and auth:

GET  /health
GET  /health/ping

GET  /auth/github
GET  /auth/github/callback
POST /auth/github/callback
GET  /auth/me
POST /auth/logout

Project discovery and management:

GET /api/projects
GET /api/projects/mine
GET /api/projects/by-program/:programId
GET /api/projects/:projectId
PUT /api/projects/:projectId

GET    /api/projects/:projectId/keys
POST   /api/projects/:projectId/keys
DELETE /api/projects/:projectId/keys/:keyId
POST   /api/projects/:projectId/keys/:keyId/rotate

IDL lifecycle:

POST   /api/idl/upload
GET    /api/idl/:projectId
GET    /api/idl/:projectId/versions
PUT    /api/idl/:projectId
DELETE /api/idl/:projectId

Generated program API:

GET  /api/:projectId/instructions
GET  /api/:projectId/instructions/:name
POST /api/:projectId/instructions/:name/build

GET  /api/:projectId/pda
POST /api/:projectId/pda/derive
GET  /api/:projectId/pda/fetch/:address

GET /api/:projectId/accounts
GET /api/:projectId/errors
GET /api/:projectId/events
GET /api/:projectId/types
GET /api/:projectId/docs
PUT /api/:projectId/docs
DELETE /api/:projectId/docs
GET /api/:projectId/addresses
POST /api/:projectId/addresses
PUT /api/:projectId/addresses/:addressId
DELETE /api/:projectId/addresses/:addressId
GET /api/:projectId/idl

AI, discovery, and machine-readable surfaces:

GET /api/projects/:projectId/ai-analysis
GET /project/:projectId/llms.txt
GET /openapi.json
GET /.well-known/openid-configuration
GET /.well-known/oauth-authorization-server
GET /.well-known/jwks.json
GET /.well-known/oauth-protected-resource
GET /api/discovery/sitemap
GET /mcp
POST /mcp

Internal automation endpoints:

POST /api/ingest/idl
POST /api/admin/recategorize

/api/ingest/* and /api/admin/* are protected with X-Ingest-Key. User-facing project management endpoints use JWT auth, and generated program build flows can use either JWT or X-API-Key depending on the operation.

Auth via JWT:

curl -H "Authorization: Bearer <token>" https://api.orquestra.dev/api/my-project/instructions

Auth via API key:

curl -H "X-API-Key: <key>" -H "Content-Type: application/json" \
  https://api.orquestra.dev/api/my-project/instructions/initialize/build \
  -d '{"args": {"amount": 1000000}, "accounts": {"authority": "..."}}'

Build an instruction with network-aware simulation:

curl -X POST https://api.orquestra.dev/api/<projectId>/instructions/<instruction>/build \
  -H "Content-Type: application/json" \
  -H "X-API-Key: <key>" \
  -d '{
    "accounts": {
      "authority": "<pubkey>",
      "vault": "<pubkey>"
    },
    "args": {
      "amount": 1000000
    },
    "feePayer": "<pubkey>",
    "network": "mainnet-beta",
    "simulate": true
  }'

CLI

The CLI is a separate companion tool: orquestra-cli

The Rust CLI has two modes:

  • API mode: use your Orquestra project and API key.
  • Local IDL mode: point the CLI at a local Anchor IDL JSON file and run fully offline.

Quick setup examples:

# API mode
orquestra config set \
  --project-id <program-or-project-id> \
  --api-key <api-key> \
  --rpc https://api.mainnet-beta.solana.com \
  --keypair ~/.config/solana/id.json

# Local IDL mode
orquestra config set \
  --idl ./target/idl/my_program.json \
  --rpc https://api.mainnet-beta.solana.com \
  --keypair ~/.config/solana/id.json

orquestra config show

Core commands:

orquestra                              # interactive top-level menu
orquestra list
orquestra run [INSTRUCTION]            # supports --arg key=value --account name=pubkey --yes
orquestra pda [ACCOUNT]                # supports --seed name=value
orquestra sign <BASE58_TX>
orquestra simulate [BASE58_TX]
orquestra tx [SIGNATURE]
orquestra search [QUERY]
orquestra idl fetch [PROGRAM_ID] [-o output.json]
orquestra config set [--project-id] [--api-key] [--rpc] [--keypair] [--api-base] [--idl]
orquestra config show
orquestra config reset                  # interactively update config values
orquestra --version
orquestra --help

Typical workflows:

# List instructions for the configured project or local IDL
orquestra list

# Run a specific instruction with pre-filled values
orquestra run deposit \
  --arg amount=1000000 \
  --account authority=<pubkey> \
  --account vault=<pubkey> \
  --yes

# Derive a PDA directly
orquestra pda vault --seed owner=<pubkey>

# Search programs and set one as active
orquestra search marginfi

# Inspect a confirmed transaction
orquestra tx <signature>

The CLI will auto-fill signer accounts from your configured keypair, auto-derive resolvable PDAs, and print the unsigned base58 transaction when no keypair is configured.

This repo also includes tools for discovering on-chain programs:

bun run cli:scan      -- --rpc-url 'https://api.mainnet-beta.solana.com' --out-dir ./output
bun run cli:check-idl -- --rpc-url 'https://api.mainnet-beta.solana.com' --out-dir ./output
bun run cli:full      -- --rpc-url 'https://api.mainnet-beta.solana.com' --out-dir ./output

Stack

  • Frontend: React 18, Vite, Tailwind CSS, Zustand
  • Backend: Hono, Cloudflare Workers, D1, KV
  • Auth: GitHub OAuth, JWT (Web Crypto API)
  • Tooling: Bun, Wrangler, TypeScript

Contributing

  1. Fork & clone the repo
  2. git checkout -b feature/my-feature
  3. Make changes, run bun run type-check and bun run lint:fix
  4. Open a pull request

See CONTRIBUTING.md for details.

License

MIT
