Meru

Videos

Description


Meru is confidential AI you can prove. Every regulated business in 2026 is hitting the same wall: their teams want           

ChatGPT-quality AI on private data — bank statements, medical records, legal contracts, internal compliance docs — but their 

compliance officers can't approve it. Why? Because there's no tamper-proof way to show what the AI actually did with the     

data. The AI vendor stores a copy of every prompt. The model could leak. The audit log could be edited. A regulator can't    

independently verify any of it.                                                                                              


Meru solves this by producing a cryptographic receipt for every AI inference, anchored on a public blockchain that the       

regulator can read without trusting anyone.               



How it works:                            


1. You upload a document. Meru encrypts it (AES-256-GCM with browser-side key derivation) and stores the ciphertext on 0G    

Storage.                                

2. You ask the AI a question. The question travels encrypted to a hardware-secured enclave — a TEE (Trusted Execution        

Environment, Intel TDX + Phala dStack) running on 0G Compute. Even the cloud operator can't peek inside while it runs.

3. The AI's answer comes back with a cryptographic signature from the enclave.                                             

4. That signature gets anchored on 0G Chain (real mainnet, chain 16661) and re-attested on Ethereum Sepolia as an independent

witness. Not a bridge — zero value crosses, just the receipt. Two independent ledgers; if one fails, the audit survives on

the other.                                                                                                                   

5. A regulator with nothing but a browser can verify the receipt against both chains — through a standalone HTML widget that 

talks directly to the chains, never to Meru's servers.                                                                     



The technical primitive is a signed-bundle wire format: (answer, sourceChunkHashes, modelId, timestamp, signature) verified  

inside the TEE and anchored on-chain via a commit-reveal scheme with a 60-second contract-enforced window — defending against

block-builder front-running on the audit log itself.                                                                        



What's actually live, on real mainnet:                                                                                     

- Provenant.sol deployed at 0xA8296DfF7C2faD1170e880d71aF92B2F201D30C5 on 0G Aristotle (7,378 bytes verified bytecode)       

- Real Sealed Inference against a Phala TEE provider running gpt-5.4-mini (dstack-pha-prod5.phala.network)            

- Real on-chain commit-reveal cycles with the contract-enforced 60s gap                                                      

- A permissionless JSON-RPC indexer anyone can run                                                                         

- A standalone HTML verifier widget — single file, no SDK, no backend                                                        



One command verifies the entire chain end-to-end: cd backend && npm run smoke returns 8/8 ✅ against live mainnet.           



The thesis in one sentence: Meru is the open-source, decentralized, on-chain-anchored equivalent of                          

https://security.apple.com/blog/private-cloud-compute/ — for regulated industries. Apple's PCC is the canonical reference    

architecture for confidential AI inference, but it's closed-source, single-vendor, and consumer-facing. Meru is the          

multi-vendor, multi-tenant, permissionless, enterprise-grade version of the same five design requirements, built on the 0G   

stack.                                                                                                                       



Who buys this: Indian fintech AI vendors hitting the DPDPA Rule 13(4) deadline (Nov 2026, ₹250 cr penalty). EU-classified    

"high-risk AI deployers" preparing for EU AI Act Article 12 (full enforcement Dec 2027). The 12,000+ Significant Data        

Fiduciaries under India's data protection law. TAM ≈ $1.5B-$4B by 2028.

Progress During Hackathon

<pre><code class="language-markdown"># Roadmap Started from a blank slate. Built end-to-end against three 0G primitives (Storage + Compute + Chain). Deployed on real Aristotle mainnet, not testnet. Phase 1 — Architecture + research - Decided to compose all three 0G primitives into one coherent audit substrate, not a single-primitive demo. - Validated the technical thesis against Apple Private Cloud Compute's 5 design requirements. - Named TEE.fail / WireTap (Oct 2025) as defense-in-depth challenges and documented them before writing code. Phase 2 — Smart contracts - Wrote Provenant.sol — ERC-721 corpus iNFT + on-chain commit-reveal (60-second contract-enforced gate) + ERC-7857 interface shim + EIP-191 bundle-signature verification with block.chainid replay protection. - Wrote ProvenantReader.sol — Sepolia mirror with chain-bound digest re-attestation. - 15 Hardhat unit tests passing. - Slither static analysis: 49 informational, 0 high, 0 medium. - Deployed to 0G Aristotle mainnet at 0xA8296DfF7C2faD1170e880d71aF92B2F201D30C5 (7,378 bytes verified bytecode). - Sepolia mirror deployed to the same address. Phase 3 — Backend + 0G integration - Wrote the Sealed Inference SDK wrapper using the canonical @0gfoundation/0g-compute-ts-sdk broker. - Wired against a real Phala TEE provider running gpt-5.4-mini at dstack-pha-prod5.phala.network. - TEE chat-signature verification via processResponse against on-chain teeSignerAddress. - Hard-fail gate when the verification handle is missing — no silent downgrade to unverified. - Anchor → Sepolia mirror flow. - Encrypted-at-rest corpus on 0G Storage (AES-256-GCM + HKDF per-corpus subkeys). - Client-side X25519 encrypted intents in the browser. - 5 backend MEV tests passing. - One-command mainnet smoke (npm run smoke): 8/8 ✅ across RPC, bytecode, ERC-721 + ERC-7857 interface shim, corpusOf, inferenceCountOf, real inferenceAt event reads. Phase 4 — Permissionless indexer - Standalone Node.js package. - JSON-RPC 2.0 + REST + WebSocket push of every InferenceLogged event. - Multi-destination relayer. - KelpDAO anti-pattern gate (off-by-default fallback signer) documented in code. Phase 5 — Reference UI - Next.js 16 + React 19 + Tailwind v4. - Light-mode-first "AI notary" aesthetic — calm, document-oriented, intentionally not "crypto-app." - Chat interface as a reference application — the product is the protocol; the chat is the wedge. - PipelineTracker only advances on real backend signals (no fake setInterval). - DemoModeBanner discloses the Level-1 TEE attestation signer placeholder. - ProvenanceModal links to the standalone verifier widget. Phase 6 — Standalone verifier (the demo's punchline) - Single static HTML file. No SDK. No Meru backend in the loop. - Reads 0G Aristotle RPC + Sepolia RPC directly. - Recomputes the audit digest locally. - ✓ or ✗ verifies any bundle entry. - A regulator with a browser can verify any Meru inference against live mainnet — even if every Meru server is offline. Phase 7 — Documentation discipline Five load-bearing docs: - THREAT-MODEL.md — named assumptions + what we don't claim - PRODUCTION-VISION.md — Web 4.0 confidentiality-rails architecture target - HACKATHON-MVP.md — wedge + extensibility roadmap (agentic AI, MCP, multi-agent) - INTEGRATING-0G-SEALED-INFERENCE.md — broker SDK recipe (useful for any 0G builder) - MERU-VS-PCC-VS-DSTACK.md — Apple PCC's 5 design requirements mapped against Meru + Phala dStack - E2E-ENCRYPTED-INFERENCE.md — v2 enclave-owned-key handshake protocol --- Final state - ~50 source files across 4 packages - ~36,400 lines of TypeScript + Solidity - 20 unit tests passing - 0 high / 0 medium static-analysis findings - Real mainnet deployment + real Phala TEE inference + real cross-chain mirror + permissionless indexer + standalone verifier - Solo build, alongside full-time job --- # Production Roadmap — the path from this MVP to enterprise-grade The MVP is a deliberate wedge slice of a larger system. Three forward versions, each with concrete engineering plans documented in docs/PRODUCTION-VISION.md. v2 — Limited beta (Q3 2026) Closes the v1 trust-boundary gaps: - Enclave-owned X25519 keypair generated at boot via Phala dStack KMS — backend becomes pure transport, never sees plaintext (closes the encrypted-intent "bridge mode" gap). - Real Shutter Network keyper integration for commit-reveal — replaces the in-memory threshold scaffold with a permissionless keyper quorum. The 3-line swap-in is already documented in backend/src/mev/shutter.ts. - Browser-side document encryption — user holds the corpus key; the backend never touches plaintext docs. - Versioned corpus manifests anchored on-chain so multi-document corpora produce durable provenance across appends. - Mainnet cross-chain mirrors to Base + Linea + Ethereum L1 (Sepolia deprecates Sept 2026). - RevokeEnclave + EnrollEnclave events on Provenant.sol for signer lifecycle. - Per-chunk retrieval-trace commitments inside the enclave — sourceChunkHashes[] graduates from "corpus fingerprint" to actual retrieval evidence. Effort: ~6-8 weeks focused, one engineer. Main dependency: deploy a custom dStack app on Phala. v3 — Production GA (Q1 2027) Closes the operational gaps for enterprise sale: - HSM/KMS-backed key management (AWS KMS / HashiCorp Vault) — per-corpus key rotation + revocation. - Multi-attestation quorum — Intel TDX + AMD SEV-SNP. Defense-in-depth against single-vendor attestation-key compromise (TEE.fail / WireTap class attacks). - Reproducible-build pipeline + binary transparency log — Sigstore-style; closes the verifiable-transparency gap that Apple PCC sets the bar for. - Multi-tenant RBAC with org scopes, audit-role separation, machine-readable compliance evidence-export bundles. - Durable workflow orchestration (Temporal / Inngest) replacing inline async/await. - Multi-region indexer mesh with Postgres + Redis + S3/R2 checkpointing for DR. Effort: ~6 months with a 2-3 engineer team, gated by enterprise design-partner conversations. v4 — Protocol layer (2027+) The audit primitive becomes a substrate for the wider 0G ecosystem: - Audit Substrate v1.0 spec published as a 0G ecosystem standard — any 0G app emitting AI-inference events uses the same wire format. - Indexer-economics — per-query micro-fees to indexers for serving audit data to regulators. Aligns indexer incentives with auditor demand. - Cross-substrate composability — Meru receipts referenced by DePIN protocols (proof of physical-world action), agentic finance protocols (proof of strategy decision), identity protocols (proof of credential issuance). Commercial path - Q3 2026: v2 limited beta with 3 design partners (Indian fintech AI vendors aligned with DPDPA Nov 2026 deadline) — free during beta. - Q4 2026: v3 GA + cold-outbound to Tier-1 buyer list. Target: 5 paying customers, $250K–$350K ACV. - Q1 2027: protocol-tier launch + 0G ecosystem partnership announcements. Direct addressable buyers (Tier 1, 2026-2028): ~3,500 EU-classified "high-risk AI deployers" + ~12,000 Indian Significant Data Fiduciaries under DPDPA. TAM ≈ $1.5B–$4B by 2028. </code></pre>

Tech Stack

React

Web3

Ethers

Node

TypeScript

0G

Fundraising Status

self-funded

Videos

Description

Progress During Hackathon

Tech Stack

Fundraising Status

Github Link

Builders Also Viewed