Your code, your data, your prompts: provably private. The AI helps you, but never learns from you.
Enclave is a privacy-first autonomous AI agent platform where all LLM inference and tool execution happens inside a Trusted Execution Environment (TEE). It cryptographically proves that user data, prompts, and task context never leave the secure enclave in plaintext.
```
┌────────────────────────────────────────────────────────────┐
│                        USER BROWSER                        │
│             Next.js frontend ── WebAuthn auth              │
└─────────────────────────────┬──────────────────────────────┘
                              │ HTTPS + JWT
┌─────────────────────────────┴──────────────────────────────┐
│                  GATEWAY LAYER (EC2 host)                  │
│          FastAPI ─── SSE streaming ─── Task queue          │
│      Attestation verifier      Audit log (append-only)     │
└─────────────────────────────┬──────────────────────────────┘
                              │ vsock
┌─────────────────────────────┴──────────────────────────────┐
│                       NITRO ENCLAVE                        │
│  ┌──────────────────────────────────────────────────────┐  │
│  │              Agent Controller (Python)               │  │
│  │  ┌──────────┐  ┌──────────┐  ┌───────────────────┐   │  │
│  │  │ Planner  │  │ Executor │  │  Memory Manager   │   │  │
│  │  │ (Claude) │  │(sandbox) │  │ (sealed storage)  │   │  │
│  │  └────┬─────┘  └────┬─────┘  └────────┬──────────┘   │  │
│  │       │             │                 │              │  │
│  │  ┌────┴─────────────┴─────────────────┴──────────┐   │  │
│  │  │                  Tool Router                  │   │  │
│  │  │   code_exec │ file_ops │ browser │ api_call   │   │  │
│  │  └───────────────────────────────────────────────┘   │  │
│  └──────────────────────────────────────────────────────┘  │
│   Enclave crypto keys (not accessible from host process)   │
└─────────────────────────────┬──────────────────────────────┘
                              │ vsock
┌─────────────────────────────┴──────────────────────────────┐
│                     PRIVACY PROXY (Go)                     │
│ Key rotation │ Metadata stripping │ Dummy-request padding  │
└─────────────────────────────┬──────────────────────────────┘
                              │ mTLS
                              ▼
            LLM Provider API (Anthropic / OpenAI)
```
| Guarantee | How It Works |
|---|---|
| TEE-enforced inference | LLM API calls made from inside an attested AWS Nitro Enclave. The host cannot observe plaintext. |
| Attestation receipts | Every task produces a signed attestation report proving code version, enclave identity, and data integrity. |
| Zero-training | API calls route through a privacy proxy that strips metadata and rotates API keys. |
| Sealed memory | Agent state encrypted with enclave-only keys derived from PCR measurements. Tampered enclaves lose access. |
| Task integrity | SHA3-256 hash of every task's prompt + output included in the attestation receipt. |
- Python 3.12+
- Go 1.22+ (for the privacy proxy)
```bash
# Clone and enter the project
cd TEE

# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate

# Install dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/ -v
```

Enclave includes an interactive terminal UI (TUI) with real-time, Claude Code-style token and event streaming (thinking steps, live text tokens, tool calls, and results) from the secure enclave:
```bash
source .venv/bin/activate
python tui.py
```

Inside the TUI, you can submit tasks, switch models/providers, inspect history, verify attestation receipts, and observe the agent's reasoning process in real time.
```bash
source .venv/bin/activate
uvicorn host.api.main:app --reload --port 8000
```

| Method | Path | Description |
|---|---|---|
| POST | /tasks | Submit a new task |
| GET | /tasks/{id} | Get task status |
| GET | /tasks/{id}/stream | SSE stream of task events |
| GET | /tasks/{id}/attestation | Get attestation receipt |
| GET | /enclave/attest | Get enclave attestation document |
| GET | /health | Health check |
```
TEE/
├── enclave/                  # Runs inside the TEE
│   ├── agent/                # AgentController, Planner, LLM client
│   │   ├── controller.py     # Main agent step loop (native tool calling)
│   │   ├── planner.py        # System prompt builder (native tool use parameters)
│   │   ├── llm_client.py     # Provider clients (Anthropic with streaming, OpenAI, etc.)
│   │   └── models.py         # All dataclasses (Message, ContentBlock, StepEvent, etc.)
│   ├── tools/                # Tool implementations
│   │   ├── base.py           # BaseTool ABC + ToolRegistry (JSON tool definitions)
│   │   ├── router.py         # ToolRouter (dispatch + validation)
│   │   ├── code_executor.py
│   │   ├── file_ops.py
│   │   ├── browser_tool.py
│   │   ├── api_call.py
│   │   └── memory_tool.py
│   ├── crypto/               # Cryptographic primitives
│   │   ├── keys.py           # Key generation, HKDF, SecretBox
│   │   ├── attestation.py    # Nitro + Mock attestation providers
│   │   └── sealing.py        # PCR-bound secret sealing
│   ├── memory/               # Persistent encrypted state
│   │   ├── manager.py        # MemoryManager (encrypted ChromaDB wrapper)
│   │   └── state_db.py       # TaskStateDB (async SQLite)
│   └── vsock/                # Enclave ↔ Host communication
│       ├── protocol.py       # Length-prefix message framing
│       ├── server.py         # Async server (passes connection writer for streaming)
│       └── client.py         # Async client (synchronous call & stream-iterator send)
├── host/                     # Runs outside the TEE (untrusted)
│   ├── api/main.py           # FastAPI gateway
│   └── attestation/          # Host-side attestation verifier
├── proxy/                    # Go privacy proxy
├── tests/                    # Full test suite (114 tests)
├── docs/                     # Security whitepaper, guides
└── pyproject.toml            # Project configuration
```
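The vsock layer above uses length-prefix message framing. As an added example (not the project's `protocol.py`), the decoder below shows the two checks the enclave side needs because the host is untrusted: a cap on the declared length and correct reassembly of frames split across or packed into reads. The 4-byte big-endian header and the 16 MiB cap are assumptions; the page gives neither.

```python
# Added example, not the project's vsock/protocol.py: length-prefixed framing
# for the enclave <-> host channel with the two checks the trusted side needs
# against an untrusted host: a cap on the declared length (so a hostile peer
# cannot force a huge allocation) and correct reassembly of frames split
# across reads or packed several into one read.
# Assumed: a 4-byte big-endian header and a 16 MiB cap (not given on the page).
import struct

HEADER = struct.Struct(">I")     # 4-byte unsigned big-endian body length
MAX_FRAME = 16 * 1024 * 1024     # assumed upper bound on a single body


class FrameError(ValueError):
    """A peer declared or supplied an oversized frame."""


def encode_frame(payload: bytes) -> bytes:
    if len(payload) > MAX_FRAME:
        raise FrameError(f"payload of {len(payload)} bytes exceeds cap")
    return HEADER.pack(len(payload)) + payload


class FrameDecoder:
    """Incremental decoder: feed() arbitrary chunks, get back whole frames."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list[bytes]:
        self._buf += chunk
        frames: list[bytes] = []
        while len(self._buf) >= HEADER.size:
            (length,) = HEADER.unpack_from(self._buf)
            # Validate the declared length before waiting for or copying the body.
            if length > MAX_FRAME:
                raise FrameError(f"declared length {length} exceeds cap")
            if len(self._buf) < HEADER.size + length:
                break                           # body incomplete; need more data
            frames.append(bytes(self._buf[HEADER.size:HEADER.size + length]))
            del self._buf[:HEADER.size + length]
        return frames


if __name__ == "__main__":
    # Constructed traffic: two event frames delivered as three uneven reads.
    wire = encode_frame(b'{"type":"token","text":"Hel"}') + encode_frame(b'{"type":"token","text":"lo"}')
    decoder = FrameDecoder()
    for chunk in (wire[:3], wire[3:40], wire[40:]):
        print(decoder.feed(chunk))
```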
- Curious cloud provider: Cannot read Nitro Enclave memory
- Compromised host: Can relay messages but cannot decrypt them
- LLM provider: Cannot see plaintext prompts (privacy proxy strips metadata)
- Network eavesdropper: All external traffic is mTLS
- Malicious LLM responses: All tool calls sandboxed, validated against schema
- Signing: Ed25519 (via libsodium/PyNaCl)
- Encryption: XSalsa20-Poly1305 (NaCl SecretBox)
- Key exchange: Curve25519 (NaCl SealedBox)
- Key derivation: HKDF-SHA256
- Attestation: AWS Nitro Attestation Document (COSE_Sign1 + CBOR)
- Task integrity: SHA3-256
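As an added illustration of the sealed-memory and task-integrity guarantees described earlier and of the HKDF-SHA256 and SHA3-256 primitives listed above (this is not the project's `keys.py` or `sealing.py`), the following standard-library Python derives a PCR-bound sealing key and computes a receipt digest. The bound PCR set, the `info` encoding, the salt label and the length-prefixing of prompt and output are assumptions; the NaCl SecretBox encryption step is not shown.

```python
# Added example, not the project's keys.py or sealing.py: stdlib-only
# HKDF-SHA256 sealing-key derivation bound to PCR measurements, plus the
# SHA3-256 task digest carried in an attestation receipt.
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_sealing_key(master_secret: bytes, pcrs: dict[int, bytes]) -> bytes:
    """Bind a 32-byte key to the enclave's measurements.

    The PCRs go into HKDF's `info` in canonical order, so any change to the
    measured image yields an unrelated key and state sealed under the old image
    cannot be opened. Assumed: which PCRs are bound and their exact encoding.
    """
    info = b"".join(b"PCR%d:" % i + pcrs[i] for i in sorted(pcrs))
    return hkdf_sha256(master_secret, b"enclave-sealing-v1", info, 32)


def task_digest(prompt: str, output: str) -> str:
    """SHA3-256 over a task's prompt + output for the receipt.

    Each field is length-prefixed so ("ab", "c") and ("a", "bc") hash
    differently; plain concatenation would let them collide (assumed encoding).
    """
    h = hashlib.sha3_256()
    for field in (prompt.encode(), output.encode()):
        h.update(len(field).to_bytes(8, "big"))
        h.update(field)
    return h.hexdigest()


if __name__ == "__main__":
    # Constructed values: a fake master secret and 48-byte PCR measurements.
    master = b"\x11" * 32
    good = {0: b"\xaa" * 48, 1: b"\xbb" * 48, 2: b"\xcc" * 48}
    tampered = {**good, 0: b"\xad" * 48}  # PCR0 of a modified enclave image
    print(derive_sealing_key(master, good) != derive_sealing_key(master, tampered))  # True
    print(task_digest("summarise the report", "Done."))
```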
"If Anthropic, AWS, or a government agency subpoenaed all logs, host process memory, and network traffic, what would they learn about the user's tasks?"
Answer: Nothing useful. They would see encrypted blobs, metadata-stripped API calls, and an attestation document proving legitimate code was running.
```bash
pytest tests/ -v                                   # All tests
pytest tests/ --cov=enclave --cov-report=term      # With coverage
pytest tests/test_agent_loop.py -v                 # Agent loop only
pytest tests/test_attestation.py -v                # Crypto + attestation
```

```bash
ruff check enclave/ host/ tests/    # Linting
mypy enclave/ host/                 # Type checking
bandit -r enclave/ host/ -ll        # Security scanning
```

Private. All rights reserved.