t2 verify checks the whole chain and fails closed on any forgery — and the Sui-anchor check needs zero trust in t2000.
Anchor-every + verify (Sui-native — the wedge)
Every confidential response is automatically anchored on Sui — aReceiptAnchored event committing the response wire_hash + attested workload_id, tamper-evident and publicly timestamped. No extra call: it’s fired for you the moment the response returns (zero added latency). RedPill anchors on Ethereum/Automata; t2000 anchors on Sui — the only Sui-native verifiable-inference anchor.
The signed receipt is also durably stored, so you can verify any time — not just inside the upstream gateway’s short receipt-retention window. GET /v1/aci/receipts/{id} serves the durable copy once the gateway TTL lapses (still fully trustless — the receipt is signed and its hash is anchored on-chain, so it can’t be forged wherever it’s served).
What it checks
- Sui anchor (trustless). Reads the on-chain
ReceiptAnchoredevent straight from a Sui fullnode and confirms the committedwire_hash+workload_idmatch the signed receipt. t2000 can’t forge it; a wrong/missing anchor fails closed. - Receipt signature (trustless). Recovers the receipt’s secp256k1 signer — recomputing the dstack ACI canonical bytes (JCS →
sha256→ 65-byter‖s‖v) — and matches it to the attested receipt-signing key. An altered or forged receipt fails. - TDX quote / DCAP (trustless). Re-verifies the hardware TDX quote with
@phala/dcap-qvl, chaining to Intel’s root CA via PCCS collateral (Intel-signed — the PCCS is a cache, not a trust point) → genuine enclave + TCB status, without trusting the gateway’s server-side verification. Also confirms the quote’sreport_datacommits the report’s signing address and the quote is for the receipt’s workload. Skip it with--quick. - Confidential upstream + typed claims. Surfaces the upstream’s typed TCB claims (each with its source) and the attested-session id.
Programmatic
agent.verify(receiptId) on a T2000 instance, or the t2000_verify MCP tool.
What’s trustless (honest): the Sui anchor, the receipt signature, and the TDX quote are all verified client-side — the quote chains to Intel’s root, so even the gateway’s
verified:true is no longer something you have to trust. The one remaining hop is keyset_endorsement (cryptographically tying the receipt-signing key to the quote’s identity key); the receipt-signature check already proves the receipt is signed by the published keyset key. The gateway still terminates TLS and sees plaintext on its forwarding leg (ZDR) — full E2EE is planned for v3.1. See the trust boundary.