What’s proven + verifiable
- The compute ran in a genuine GPU-TEE. The hardware TDX quote is verified and the channel to the upstream is bound (
tls_spki_sha256pinned) and fail-closed. - Per-response integrity. A signed receipt commits your request/response hashes to the attested workload — tampering is detectable.
- Public, tamper-evident record. The receipt is anchored on Sui — a third party can independently check the commitment on-chain.
- No body retention. The gateway stores hashes, not request/response bodies (zero data retention).
What’s still trusted (disclosed)
- The gateway’s plaintext leg. Our gateway terminates TLS and sees plaintext before forwarding to the verified upstream. The protection is that the leg is ZDR (retains nothing), not that the gateway never sees the request.
- The receipt-signing key is a t2000 server key (not yet sealed in a TEE KMS).
- Routed (frontier) responses are not confidential.
openai/*,anthropic/*, etc. forward to a third party that sees your prompt —upstream.verified = failed, by design. Confidentiality is a property of the verified upstream, confirmed per response from the receipt.
What v3.1 adds (planned)
Full no-trust closes the gap above: the gateway itself runs in a TEE (its own attestation), the receipt key lives in dstack KMS, and end-to-end encryption means even t2000 never sees plaintext. It’s the heaviest, most security-critical step — we’ll build it when a “can’t-trust-the-gateway” need pulls for it. (The TDX quote itself is already re-verified client-side withdcap-qvl via t2 verify — that’s shipped, not deferred.)
This tier-by-tier honesty is non-negotiable: the receipt + docs state exactly what each tier proves. Overclaiming “zero-trust” today would be the failure mode this whole design guards against — a wrong “verifiable” claim is worse than honest ZDR.
Choosing a tier
- Confidential (
phala/*) — when the upstream that runs the model must be attested and your prompt must not reach a non-attested third party. - Private (every model, ZDR) — when contractual zero-retention through the gateway is sufficient and you want the full model range.
