Sealed rooms

What a "room" is#

A room is a single session that runs inside confidential computing hardware — a CPU enclave that keeps memory encrypted and isolated even from the operator of the machine it runs on. Your prompt is encrypted to that enclave, decrypted *only inside it*, processed, and the answer is returned. The plaintext never touches disk and is never logged.

What that buys you#

• —The machine operator cannot read your prompt or the model's reply.
• —The model that runs is fixed and measured — it can't be silently swapped for a logged or watered-down one.
• —When the session ends, the plaintext is gone from the enclave — no readable record of your prompt or answer exists for anyone to hand over. (Billing metadata — a timestamp, your wallet, the token cost — is kept so we can meter and you can verify; the *content* is not.)
• —In the chat app, your saved history is end-to-end encrypted with your wallet key — stored as ciphertext we can't decrypt.

Measured at boot#

When the enclave boots, the hardware measures everything loaded into it and produces a fingerprint — the MRTD (a hash of the trusted boot state). That fingerprint is public and fixed. A quote signed by the CPU binds the fingerprint to a hardware root of trust, so anyone can confirm the room you're talking to is running exactly the expected code.

The attested fingerprint#

<the room's published MRTD>

If the room ever returned a different fingerprint, your client would refuse to talk to it. Walk through checking it yourself in Verify it yourself.