From Promises to Proofs

How MorpheusAIs moves AI inference from operator integrity to hardware-enforced guarantees — verifiable by anyone, trusted by no one.

🎚️ New: The AI Trust Spectrum — see how all seven ways to use AI (Big AI → Gateway → your own C-Node → fully local) score across six dimensions, with the full rationale. Explore →
Any provider
Pre-TEE MorpheusAIs
88%
Privacy Score
✅ Permissionless (native web3)
✅ Anonymous (wallet only)
✅ Fully decentralized routing
✅ Open-source code
✅ Encrypted transport (MOR-RPC)
⚠️ Operator could log — no proof
⚠️ CI/CD not yet hardened
TEE provider
TEE Phase 1 (CPU)
96%
Privacy Score
✅ Permissionless (native web3)
✅ Anonymous (wallet only)
✅ Fully decentralized routing
✅ Verifiable build (cosign + SBOM)
✅ Operator CANNOT log
✅ Hardware attestation (CPU)
⚠️ External LLM gap†
TEE provider · v7.0 shipped
TEE Phase 2 — Full Chain
~100%*
Privacy Score
✅ Pseudonymous (wallet only)
✅ P-Node attests its own backend LLM
✅ CPU TDX + NVIDIA NRAS GPU attest
✅ Per-prompt fast re-verify (~50 ms)
✅ Workload RTMR3 + pinned-cert TLS
✅ Open-source, decentralized routing
✅ Operator CANNOT log
* Network metadata (IP addresses, packet timing, volume) remains observable — content, prompts, model, and wallet are fully encrypted inside the TEE.
Roadmap
What’s Next
Expansion
In parallel now
Phase 3a · 2nd TEE Partner (~5%)
Phase 3b · Consumer-side hardening (~50%)
Then — informed by 3a + 3b
Phase 4 · Self-hosted TEE Provider (design)
Gateway-side attestation — research
Jump to detailed roadmap ↓

Native path · TEE rollout

Where the MorpheusAIs decentralized stack stands today: baseline on the left, TEE phases moving right.

Phase 2 shipped · v7.0.0 Updated Jun 15, 2026 at 10:22 AM EDT
Start Phase 1 shipped Phase 2 shipped
Baseline

MorpheusAIs protocol — decentralized routing, wallet identity, encrypted transport.

Phase 1 Shipped v6.0

C-Node → P-Node attestation: consumer verifies the provider runs the signed TEE image before each session.

Phase 2 Shipped v7.0

P-Node → Backend LLM attestation: provider cryptographically verifies its own LLM on every prompt — CPU TDX + NVIDIA NRAS GPU + pinned TLS.

Ahead — 3a & 3b in parallel now · 4 follows
Details ↓
Phase 3a ~5%
2nd TEE Partner — end-to-end

Diversify beyond the v7.0 launch partner: achieve full Phase 1 + Phase 2 parity with a second independent TEE stack.

Phase 3b ~50%
Consumer-side hardening — NodeNeo

Reduce friction on the consumer side: NodeNeo v2.7+ on iPhone & desktop, streamlined attestation verification UX.

Phase 4 After 3a + 3b
Self-hosted TEE Provider

Reference hardware + config so any operator with Intel TDX / NVIDIA CC can run a fully-attested TEE P-Node themselves. Informed by 3a + 3b learnings.

1
Choose your access path
How do you want to connect to the network?
MAX PRIVACY
🛡️
MorpheusAIs
The decentralized protocol
Run your own local C-Node (consumer node)
Identity is wallet address only — no email, no signup
Stake MOR to earn inference credits on-chain
Sessions routed via smart contracts — P2P
Your C-Node verifies TEE attestation directly
No centralized intermediary touches your prompts
Pipeline: Consumer → Local C-Node → Blockchain → P-Node → LLM
MAX CONVENIENCE
API Gateway
A separate product — centralized access layer
👤 Sign up with email (AWS Cognito)
🔑 Create an API key — gateway knows your identity
🏢 Centralized C-Node managed by the gateway operator
🛣️ Gateway-side prompt privacy is policy-based today — hardware attestation for this layer is on the roadmap
🧾 Pay with Stripe / crypto — no MOR staking required
Easy onramp — standard REST API, familiar DX
Pipeline: Consumer → API Gateway (email/key) → Centralized C-Node → P-Node → LLM
2
Explore each phase — past, present, future
Pick a phase to see its trust model and pipeline in detail. Defaults to the current state (Phase 2).
Privacy Properties
Privacy scores assume the MorpheusAIs path (local C-Node, wallet-only identity) connecting to a TEE-tagged provider. Non-TEE providers remain at Pre-TEE trust levels. API Gateway reduces anonymity & decentralization scores.
Baseline MorpheusAIs (Pre-TEE)

Pseudonymous, encrypted, decentralized, open-source — but provider trust is a promise, not a proof. The P-Node operator could log prompts.

Inference Pipeline — MorpheusAIs
Your control
👤
Consumer
wallet only
💻
Local C-Node
your machine
— encrypted —→
On-chain routing
⛓️
Blockchain
MOR
Trust required
🖥️
P-Node
standard HW
🤖
LLM
external
Trust model: Consumer identity is a wallet address — no email, no KYC. Session messages encrypted in transit (MOR-RPC protocol). Your local C-Node handles routing via on-chain smart contracts. But the P-Node operator could modify the software to log prompts, attach a debugger, or inspect traffic to the LLM backend. Privacy rests on operator integrity.
Inference Pipeline — API Gateway (separate product)
Identity known — not attested
👤
Consumer
email + API key
→ auth →
🌐
API Gateway
Cognito
💻
Central C-Node
managed
— encrypted —→
On-chain routing
⛓️
Blockchain
MOR
Trust required
🖥️
P-Node
standard HW
🤖
LLM
external
Trust model (API Gateway): Consumer signs up with email and creates an API key — the gateway operator knows your identity. A centralized C-Node (managed by the gateway) handles routing. The gateway system could log your prompts — we currently cannot cryptographically attest otherwise. Convenient, but not anonymous and not decentralized.
This is a separate product from MorpheusAIs. It is a convenience wrapper that provides a familiar REST API, Stripe/crypto billing, and managed infrastructure.
v6.0 — Shipped TEE Phase 1 — Consumer verifies Provider

Hardware-enforced isolation. The P-Node operator cannot access memory, attach debuggers, or modify the running image. Cryptographic attestation proves what’s running — to anyone who asks.

🛡️
Maximum privacy with TEE Phase 1
Run your own local C-Node (v6.0.0 or higher) and stake your own MOR for inference. Your C-Node verifies the TEE attestation quote directly against the CI/CD-published golden values — no centralized intermediary ever sees your prompts. Download C-Node →
Inference Pipeline — MorpheusAIs (hardware-attested)
Your control
👤
Consumer
wallet only
💻
Local C-Node
v6.0+ TEE-aware
— encrypted session —→
C-Node checks before session
⛓️
Blockchain
MOR
📦
GHCR
golden
📜
TDX Quote
TLS bind
Hardware-enforced boundary
🛡️
TEE P-Node
SecretVM
Outside TEE†
🤖
LLM
external
CI/CD Supply Chain (signed + attested)
Open-source build
💻
Source
GitHub
⚙️
Build
Actions
Cryptographically signed
🔒
Cosign
Sigstore
🧮
RTMR3
computed
📦
GHCR
manifest
What changed: P-Node runs inside Intel TDX / AMD SEV. Memory is hardware-encrypted. No SSH. Image is cosign-signed, digest-pinned, measured into RTMR3. Your local C-Node verifies the hardware attestation quote against the CI/CD-published manifest before opening a session. TLS cert fingerprint bound to quote (anti-spoofing). No centralized party is involved.

Per-prompt re-verification (v6.2+): After the initial full attestation, every subsequent prompt re-fetches the quote and TLS fingerprint from the provider. If the quote hash or TLS cert changes mid-session (image swap, VM restart, DNS hijack), the prompt is blocked. ~50–150ms overhead, no external API call on the fast path.

† Remaining gap: If the P-Node calls an external LLM API, that hop leaves the TEE boundary. Phase 2 closes this.
Inference Pipeline — API Gateway (separate product)
Identity known — not attested
👤
Consumer
email + API key
→ auth →
🌐
API Gateway
Cognito
💻
Central C-Node
managed
— TLS —→
C-Node checks
⛓️
Blockchain
MOR
📦
GHCR
golden
📜
TDX Quote
TLS bind
Hardware-enforced boundary
🛡️
TEE P-Node
SecretVM
Outside TEE†
🤖
LLM
external
API Gateway with TEE providers: The P-Node side gains the full Phase 1 TEE protections — hardware attestation, no operator access. The gateway-managed C-Node verifies that attestation for you before opening each session.

Gateway posture: the gateway is open-source and operated under a no-logging, no-inspection policy — prompts and responses transit the gateway on their way to the attested provider but are not read or retained. Registration uses a lightweight email + API key for account management and billing.

What’s still on the roadmap: hardware attestation of the gateway layer itself. Today that’s a policy guarantee backed by open-source code; a cryptographic version is research-stage (see the 3a / 3b / 4 roadmap). For the strongest privacy today, run your own local C-Node — wallet-only, no intermediary.
v7.0.0 — Shipped TEE Phase 2 — P-Node verifies its own Backend LLM

The second hop of the trust chain. Phase 1 proved the P-Node runs the signed TEE image; Phase 2 proves the P-Node’s backend LLM is itself running in attested hardware — CPU TDX quote, workload RTMR3 replay, CPU–GPU nonce binding, and NVIDIA NRAS v4 GPU attestation — re-checked on every prompt.

🚀
Shipped on April 23, 2026 with SCRT Labs / SecretVM as first TEE partner
Full two-hop TEE chain is live on main at Morpheus-Lumerin-Node v7.0.0. Forward-compatible: v6.0.0+ consumers automatically gain Phase 2 guarantees when they connect to a v7.0.0+ provider — no client upgrade required. Next: bring a second TEE partner to parity (Phase 3a).
Inference Pipeline — MorpheusAIs (two-hop attested chain)
Your control
👤
Consumer
wallet only
💻
Local C-Node
v6.0+ TEE-aware
— Hop 1: TLS + attestation —→
C-Node checks before session
⛓️
Blockchain
MOR
📦
GHCR
golden
📜
TDX Quote
TLS bind
P-Node enclave
🛡️
TEE P-Node
v7.0+ TDX
— Hop 2: per-prompt verify —→
P-Node checks every prompt
🧮
RTMR3
workload
🔗
Pinned TLS
cert hash
🎲
CPU–GPU
nonce
Backend LLM enclave
🧠
LLM + GPU
TDX + NRAS
CI/CD Supply Chain (signed + attested)
Open-source build
💻
Source
GitHub
⚙️
Build
Actions
Cryptographically signed
🔒
Cosign
Sigstore
🧮
RTMR3
computed
📦
GHCR
manifest
Backend Verification (P-Node → LLM, every prompt)
Hardware quote
📜
CPU TDX
MRTD + RTMR0–2
🧮
RTMR3
workload replay
+
Transport identity
🔗
Pinned TLS
cert hash in quote
🎲
CPU–GPU
nonce binding
+
GPU attestation
📜
NVIDIA NRAS v4
JWT EAT
Fast verify
~50 ms / prompt
The complete guarantee (v7.0.0): The C-Node verifies the P-Node TEE image (Hop 1, unchanged from Phase 1). The P-Node then verifies its own backend LLM (Hop 2, new in v7.0): CPU TDX quote parses through the SecretAI portal, MRTD + RTMR0–2 are looked up in the SecretVM artifact registry, workload RTMR3 is replayed against the declared MODELS line in docker-compose.yaml, the backend TLS cert is pinned inside the quote’s reportData, the CPU–GPU nonce is cross-bound, and NVIDIA NRAS v4 returns a JWT-signed EAT for the GPU. All of this re-runs on every single prompt via FastVerifyBackend (~50 ms hot path) — any drift (image swap, cert rotation, replay from another box) and the prompt is refused. Per-model state is exposed live at GET /v1/models/attestation.

Privacy isn’t a policy. It’s physics.
Inference Pipeline — API Gateway (separate product)
Identity known — not attested
👤
Consumer
email + API key
→ auth →
🌐
API Gateway
Cognito
💻
Central C-Node
managed
— RA-TLS —→
C-Node checks
⛓️
Blockchain
MOR
📦
GHCR
golden
📜
TDX Quote
RA-TLS bind
Full hardware enclave (CPU + GPU)
🛡️
TEE P-Node
CPU attested
→ local →
🧠
LLM + GPU
CC attested
API Gateway with v7.0 providers: The provider side is now fully attested end-to-end (C-Node → P-Node → Backend LLM, two hops of TDX + NVIDIA NRAS). The gateway-managed C-Node verifies the P-Node’s attestation on your behalf and transparently passes those Hop 2 guarantees through to every request.

What the gateway actually does with your prompts: it routes them. The gateway is open-source and operated under a no-logging, no-inspection policy — prompts and responses transit the gateway on their way to the attested TEE provider, but are not read, retained, or mined. Registration uses a lightweight email + API key so we can manage accounts and billing.

What’s still on the roadmap: hardware attestation of the gateway layer itself. Today that privacy posture is a policy guarantee backed by open-source code; turning it into a cryptographic one (so anyone can verify instead of trust) is research-stage — see the Phase 3a / 3b / 4 tracks below.

For the strongest privacy today: run your own local C-Node and connect straight to the MorpheusAIs network — wallet-only identity, no intermediary, full Phase 2 attestation chain end-to-end.

What’s next — beyond v7.0

Phase 2 shipped the full two-hop chain with one partner. Phase 3a and 3b run in parallel now (stacked on the left below); Phase 4 follows, informed by what we learn in 3a and 3b.

3a & 3b in parallel · 4 follows Phase 4 informed by 3a + 3b
In parallel — running now
PHASE 3a Investigating · ~5%
2nd TEE Partner — end-to-end
Provider diversification
  • Reach full Phase 1 + Phase 2 parity with a second independent TEE stack alongside today’s v7.0 launch partner.
  • Generalize the SecretVM-specific artifact registry + portal assumptions in backend_verifier.go so a second vendor plugs in cleanly.
  • Expected output: a second cosign-signed TEE image build, a second portal URL, and an on-chain tee-tagged offer from a non-SCRT operator.
  • Removes single-vendor risk in the confidential-compute supply chain.
PHASE 3b In flight · ~50%
Consumer-side hardening
NodeNeo & ease-of-use (in parallel with 3a)
  • NodeNeo: macOS + iPhone consumer clients with TEE-aware session flow.
  • Continue reducing friction: streamlined attestation-verification UX, clearer TEE status in the chat surface, one-tap “verify this provider”.
  • Harden the Go SDK path that C-Node and NodeNeo share, so mobile + desktop consumers benefit automatically from Phase 2 guarantees without bespoke code.
  • Gateway-side attestation remains an open research item — consumer-path TEE is where privacy is strongest today and where we’re investing.
Sequential — follows 3a + 3b
PHASE 4 Sequential · after 3a + 3b
Self-hosted TEE Provider
Individual operators, own hardware · informed by 3a + 3b
  • Guidance + reference configuration so anyone with proper hardware (Intel TDX CPU + NVIDIA Confidential Computing GPU) can run a fully-attested TEE P-Node themselves — no SCRT-hosted infrastructure required.
  • Hardware compatibility matrix, BIOS / TDX-enablement runbooks, GPU CC provisioning, and a reproducible docker-compose.tee.yml that produces matching RTMR3 measurements.
  • On-chain registration flow for self-operated tee-tagged offers with community-verifiable artifact submissions.
  • Unlocks a fully permissionless TEE provider side to match today’s permissionless consumer side.
Open problem — Gateway-side attestation: The API Gateway is the remaining unattested layer. Options under investigation include running the gateway’s C-Node inside a TDX enclave and replacing API-key auth with a wallet-bound attested session. Nothing committed yet — gateway confidential compute is research-stage while Phases 3a / 3b / 4 are prioritized.

“The first decentralized AI where privacy isn’t a policy — it’s physics.”

Run your own C-Node. Stake your own MOR. Verify the TEE yourself. No trust required.

Get Started — MorpheusAIs (Max Privacy)
💻
Run Your Own C-Node
Consumer node — your machine, your wallet
Download C-Node →
Stake MOR • Wallet-only identity • Verify TEE yourself
🛡️
Run a TEE P-Node
Provider node — hardware-attested inference
P-Node TEE Setup Guide →
Intel TDX / AMD SEV • Cosign-verified • Earn MOR