隐私 AI 代理

AI 智能体最需要隐私。

智能体持有你的密钥、代币、收件箱和钱包，并代表你执行操作。将它们运行在已验证的 CVM 中，其中 compose-hash 即权限范围，且每个动作都经过签名。

Confidential agents, in production.

Personal, coding, security, financial, social, memory, MCP — pick a category, then drill into a specific framework to see how Phala slots into the runtime.

9:41▮▮ 5G ▰

‹

OpenClaw

bot

⌕

＋

Write a message...

◉

Visit Clawdi

Personal computer-use agent. Sessions, calendars, and inbox sealed in a CVM whose compose-hash IS the permission scope.

Agents · live on Phala Cloud.

Verified counts from Phala Cloud + ClickHouse. Compose-hashes are observed in the Cloud DB; trust-by-construction primitives sit in an attested CVM.

Agent CVMs deployed

12,783

cumulative · all frameworks

Compute hours

16.9M

fleet-wide · since Feb 2025

TDX quotes verified

1.10M

KMS attestation

Compose-hashes observed

2,591

distinct agent builds

Total CVMs deployed by framework

cumulative · since first deploy

1,585

1,545

604

279

168

Eliza

character agents

7 live · since 2024-12

Clawdi

OpenClaw

193 live · since 2026-01

BlueNexus

MCP servers

5 live · since 2025-10

Vijil

verifiable CI

since 2025-04

Agent Wallet

x402 · ERC-8004

1 live · since 2025-05

Hermes

Nous Research

7 live · since 2025-01

TDX nodes

GPU TEE teepods

8 · 64 GPUs

Regions

KMS instances

Failed quotes / 24h

1 / 35

运行任何代理框架。构造即封闭。

编码代理

Claude Code, Codex, and verifiable CI agents like Vijil run in a CVM where the repo, secrets, and tool tokens stay sealed against the registered compose-hash. Every diff signed before merge.

CODING

marvin@Mac ~/ai-agent % claude code

Claude Code

sealed CVM

· [marvin@Mac] % claude

✓ scope: github.write

› refactor agents/...

⏺ sealed-token: github.pat ✓

✓ Sign-RPC 0x9c1a…

COMPUTER-USE

OpenClawbot

Triage today's inbox — Stanford threads.

tool · gmail.search

3 threads · 11 messages

sealed-token gmail.compose ✓

电脑操作代理

OpenClaw, Hermes, and Pi take over the browser, GUI, and OS — bounded by an attested compose-hash and KMS-gated credentials. Sessions, calendars, inbox stay sealed in the CVM.

工具与记忆代理

MCP servers (BlueNexus) attest to clients before they accept a connection — mutual RA-TLS. Long-term memory backends (Xtrace) seal shards per app-id; revoking the build evicts memory cleanly.

MCP · MEMORY

BlueNexus MCP

$ mcp connect mcp.bluenexus.ai▸ verifying TDX quote✓ mutual RA-TLS bound• search.web (sealed)• vault.unlock (multi-sig)

WALLET · SECURITY

Agent Walletx402

payment request

$24.00 USDC

api.confidential-llm.ai

scope≤ $50/daymulti-sig2/2 ✓

钱包与链上代理

Agent Wallet (ERC-8004 + Coinbase x402) and Ironclaw (NEAR security) bind spending scope to the compose-hash. Multi-sig DstackApp gates every signing key; revoke compose-hash → kill access.

permission as identity · scope as compose-hash

Permission is identity. Identity is the compose-hash.

On dstack, an agent’s tool list and credential scope can’t drift from what its build authorizes — there’s no runtime path that widens privilege.

Attested launch

dstack-vmm boots the agent CVM. The TDX quote covers the full compose-hash — including system prompt, model digest, and tool list (all in the docker-compose).

Sealed credentials

User previously sealed OAuth tokens against this exact compose-hash. dstack-kms releases the wrap key only after the quote matches. No host process ever sees plaintext.

Mutual RA-TLS

When Agent A delegates to Agent B, each cert embeds a fresh TDX quote. Both sides run dcap-qvl on the peer and check DstackApp.sol for the allowed-delegates whitelist.

Bounded outbound

External tool (Gmail, Stripe, etc.) is outside the trust boundary. The OAuth token leaves only inside the outbound TLS handshake, scope upper-bounded by compose-hash.

Signed action log

Every tool call is appended inside the CVM and signed via Sign RPC. Tamper breaks the chain. Auditors verify without trusting Phala or the operator.

工作原理

逐步查看多智能体流水线。

关闭 dstack 看看凭证和工具范围如何漂移失控。

dstack 上的隐私 AI Agents

CVM 中的代理计算机 · 按子代理划分的 sandbox · 封装保险库 · 受范围约束的外向通道

活跃边缘未激活步骤中新增

步骤 1 of 5 · 随滚动响应

步骤 1 / 5

已证明启动 — TDX Quote 验证整台计算机

dstack-vmm 将 agent 运行时作为一个 TDX CVM 启动。dstack-guest-agent 生成组合 TDX 证明，覆盖 MRTD + RTMR0–3 + GPU 机密模式。用户通过 RA-TLS 获取证明并在本地运行 dcap-qvl——信任决策在客户端完成，以 Intel 的 TDX 硬件根信任和链上 DstackKms.sol 为锚。Phala Network 不需要为自身背书。

With dstack: 信任根是 Intel 的 TDX 硬件签名，并锚定在链上——任何客户端都可以在不信任 Phala 或云服务商的情况下进行验证。

live · Sign-RPC action log

Every tool call leaves a tamper-evident receipt.

Each row is a real-shaped Sign-RPC entry: agent identity, tool, args hash, and a per-app key signature that chains to the TDX root. Auditors verify the log offline — Phala isn't in the trust chain.

action.log · streaming

tamper detected · 0

tsagenttoolargssignatureverify

14:00:01support-bot-v3.2crm.readlookup(account=acme)0x9c1a…f7e2✓

14:00:03inbox-triagegmail.readlist(after=09:00)0x4f2c…a91e✓

14:00:04support-bot-v3.2stripe.readcharge(id=ch_3O…)0xc3d4…f7e2✓

14:00:08cal-botcalendar.readfree(2026-05-05, 30m)0xa1b2…d4f6✓

14:00:11pnl-monitorwallet.readbalance(addr=0xab…)0xe5f6…b8c0✓

14:00:14inbox-triagegmail.composedraft(thread=18b4…)0x7d8e…2f1a✓

14:00:18research-botweb.search"phala dstack v0.6"0x6e9f…c3d4✓

14:00:21devops-botgithub.writepr.merge(123)0xb1a2…f0e7✓

14:00:24support-bot-v3.2zendesk.writeticket.reply(8421)0x3d4e…7a8b✓

14:00:27cal-botcalendar.writecreate(slot=15:00)0x8c9d…e1f2✓

14:00:31pnl-monitorwebhook.sendalert(threshold=2.5%)0xf2e3…d4c5✓

14:00:35devops-botsentry.readerrors(env=prod)0x5b6c…7d8e✓

14:00:39inbox-triagegmail.readlist(label=INBOX)0xa9b8…c7d6✓

14:00:43research-botdoc.writeappend(notes.md)0x4e5f…6a7b✓

14:00:47awaiting next call————

chain · per-app key → KMS root → TDX root + DstackApp.sol14 rows · all verified offline

AI 解决方案路径

在 AI 触及密钥时使用隐私模型。

隐私模型端点是第一个入口点。同样的隐私原语也适用于代理、数据工作流和训练。

LLM API

隐私 AI 推理

提供 OpenAI 兼容的模型调用，提示词、输出和客户上下文都需要在使用中加密保护。

打开解决方案

encrypted

DeepSeek V3.1

128K

$0.27/M input

encrypted

Qwen3 Coder

256K

$0.40/M input

encrypted

Llama 3.3 70B

128K

$0.15/M input

encrypted

GPT OSS 120B

128K

$0.10/M input

encrypted

Claude Sonnet 4.5

200K

$3.00/M input

encrypted

Gemini 2.5 Pro

$1.25/M input

Training

隐私模型训练

在保持数据集、梯度、检查点和评估轨迹处于边界内的同时，基于专有数据调整模型。

打开解决方案

private training run

Observe without exposing weights.

H100 CC

dataset

sealed

fine-tune

running

eval

private

checkpoint

verified

loss curve

proof attached

attestation.json

Data

隐私 AI 数据

将模型移动到敏感记录旁，在不向模型运营方暴露原始数据的情况下返回已批准的输出。

打开解决方案

source

EHR data

source

Customer records

source

Internal docs

TEE clean room

query without raw access

approved output

aggregate only

no row exportproof linked

Deploy a confidential agent

权限即身份。范围即 compose-hash。

将代理以 docker-compose 形式发布。注册 compose-hash。密封 OAuth 令牌。每次跨代理调用都会通过 RA-TLS 重新验证对端。

View docs 联系销售

01Mutual RA-TLS between agent CVMs
02Sealed OAuth tokens, KMS-gated
03Compose-hash IS the scope
04Outbound tools bounded by attested code
05Sign-RPC action log

隐私执行。可验证结果。

新闻通讯