Meru
A vendor-neutral audit substrate that turns every TEE-attested inference call into a tamper-evident cryptographic receipt, anchored on-chain, cross-chain readable, and verifiable by a regulator
Videos
Tech Stack
React
Next
Solidity
Web3
Ethers
Node
TypeScript
0G
Description
Meru is confidential AI you can prove. Every regulated business in 2026 is hitting the same wall: their teams want
ChatGPT-quality AI on private data — bank statements, medical records, legal contracts, internal compliance docs — but their
compliance officers can't approve it. Why? Because there's no tamper-proof way to show what the AI actually did with the
data. The AI vendor stores a copy of every prompt. The model could leak. The audit log could be edited. A regulator can't
independently verify any of it.
Meru solves this by producing a cryptographic receipt for every AI inference, anchored on a public blockchain that the
regulator can read without trusting anyone.
How it works:
1. You upload a document. Meru encrypts it (AES-256-GCM with browser-side key derivation) and stores the ciphertext on 0G
Storage.
2. You ask the AI a question. The question travels encrypted to a hardware-secured enclave — a TEE (Trusted Execution
Environment, Intel TDX + Phala dStack) running on 0G Compute. Even the cloud operator can't peek inside while it runs.
3. The AI's answer comes back with a cryptographic signature from the enclave.
4. That signature gets anchored on 0G Chain (real mainnet, chain 16661) and re-attested on Ethereum Sepolia as an independent
witness. Not a bridge — zero value crosses, just the receipt. Two independent ledgers; if one fails, the audit survives on
the other.
5. A regulator with nothing but a browser can verify the receipt against both chains — through a standalone HTML widget that
talks directly to the chains, never to Meru's servers.
The technical primitive is a signed-bundle wire format: (answer, sourceChunkHashes, modelId, timestamp, signature) verified
inside the TEE and anchored on-chain via a commit-reveal scheme with a 60-second contract-enforced window — defending against
block-builder front-running on the audit log itself.
What's actually live, on real mainnet:
- Provenant.sol deployed at 0xA8296DfF7C2faD1170e880d71aF92B2F201D30C5 on 0G Aristotle (7,378 bytes verified bytecode)
- Real Sealed Inference against a Phala TEE provider running gpt-5.4-mini (dstack-pha-prod5.phala.network)
- Real on-chain commit-reveal cycles with the contract-enforced 60s gap
- A permissionless JSON-RPC indexer anyone can run
- A standalone HTML verifier widget — single file, no SDK, no backend
One command verifies the entire chain end-to-end: cd backend && npm run smoke returns 8/8 ✅ against live mainnet.
The thesis in one sentence: Meru is the open-source, decentralized, on-chain-anchored equivalent of
https://security.apple.com/blog/private-cloud-compute/ — for regulated industries. Apple's PCC is the canonical reference
architecture for confidential AI inference, but it's closed-source, single-vendor, and consumer-facing. Meru is the
multi-vendor, multi-tenant, permissionless, enterprise-grade version of the same five design requirements, built on the 0G
stack.
Who buys this: Indian fintech AI vendors hitting the DPDPA Rule 13(4) deadline (Nov 2026, ₹250 cr penalty). EU-classified
"high-risk AI deployers" preparing for EU AI Act Article 12 (full enforcement Dec 2027). The 12,000+ Significant Data
Fiduciaries under India's data protection law. TAM ≈ $1.5B-$4B by 2028.Progress During Hackathon
# Roadmap
Started from a blank slate. Built end-to-end against three 0G primitives (Storage + Compute + Chain). Deployed on real
Aristotle mainnet, not testnet.
Phase 1 — Architecture + research
- Decided to compose all three 0G primitives into one coherent audit substrate, not a single-primitive demo.
- Validated the technical thesis against Apple Private Cloud Compute's 5 design requirements.
- Named TEE.fail / WireTap (Oct 2025) as defense-in-depth challenges and documented them before writing code.
Phase 2 — Smart contracts
- Wrote Provenant.sol — ERC-721 corpus iNFT + on-chain commit-reveal (60-second contract-enforced gate) + ERC-7857 interface
shim + EIP-191 bundle-signature verification with block.chainid replay protection.
- Wrote ProvenantReader.sol — Sepolia mirror with chain-bound digest re-attestation.
- 15 Hardhat unit tests passing.
- Slither static analysis: 49 informational, 0 high, 0 medium.
- Deployed to 0G Aristotle mainnet at 0xA8296DfF7C2faD1170e880d71aF92B2F201D30C5 (7,378 bytes verified bytecode).
- Sepolia mirror deployed to the same address.
Phase 3 — Backend + 0G integration
- Wrote the Sealed Inference SDK wrapper using the canonical @0gfoundation/0g-compute-ts-sdk broker.
- Wired against a real Phala TEE provider running gpt-5.4-mini at dstack-pha-prod5.phala.network.
- TEE chat-signature verification via processResponse against on-chain teeSignerAddress.
- Hard-fail gate when the verification handle is missing — no silent downgrade to unverified.
- Anchor → Sepolia mirror flow.
- Encrypted-at-rest corpus on 0G Storage (AES-256-GCM + HKDF per-corpus subkeys).
- Client-side X25519 encrypted intents in the browser.
- 5 backend MEV tests passing.
- One-command mainnet smoke (npm run smoke): 8/8 ✅ across RPC, bytecode, ERC-721 + ERC-7857 interface shim, corpusOf,
inferenceCountOf, real inferenceAt event reads.
Phase 4 — Permissionless indexer
- Standalone Node.js package.
- JSON-RPC 2.0 + REST + WebSocket push of every InferenceLogged event.
- Multi-destination relayer.
- KelpDAO anti-pattern gate (off-by-default fallback signer) documented in code.
Phase 5 — Reference UI
- Next.js 16 + React 19 + Tailwind v4.
- Light-mode-first "AI notary" aesthetic — calm, document-oriented, intentionally not "crypto-app."
- Chat interface as a reference application — the product is the protocol; the chat is the wedge.
- PipelineTracker only advances on real backend signals (no fake setInterval).
- DemoModeBanner discloses the Level-1 TEE attestation signer placeholder.
- ProvenanceModal links to the standalone verifier widget.
Phase 6 — Standalone verifier (the demo's punchline)
- Single static HTML file. No SDK. No Meru backend in the loop.
- Reads 0G Aristotle RPC + Sepolia RPC directly.
- Recomputes the audit digest locally.
- ✓ or ✗ verifies any bundle entry.
- A regulator with a browser can verify any Meru inference against live mainnet — even if every Meru server is offline.
Phase 7 — Documentation discipline
Five load-bearing docs:
- THREAT-MODEL.md — named assumptions + what we don't claim
- PRODUCTION-VISION.md — Web 4.0 confidentiality-rails architecture target
- HACKATHON-MVP.md — wedge + extensibility roadmap (agentic AI, MCP, multi-agent)
- INTEGRATING-0G-SEALED-INFERENCE.md — broker SDK recipe (useful for any 0G builder)
- MERU-VS-PCC-VS-DSTACK.md — Apple PCC's 5 design requirements mapped against Meru + Phala dStack
- E2E-ENCRYPTED-INFERENCE.md — v2 enclave-owned-key handshake protocol
---
Final state
- ~50 source files across 4 packages
- ~36,400 lines of TypeScript + Solidity
- 20 unit tests passing
- 0 high / 0 medium static-analysis findings
- Real mainnet deployment + real Phala TEE inference + real cross-chain mirror + permissionless indexer + standalone verifier
- Solo build, alongside full-time job
---
# Production Roadmap — the path from this MVP to enterprise-grade
The MVP is a deliberate wedge slice of a larger system. Three forward versions, each with concrete engineering plans
documented in docs/PRODUCTION-VISION.md.
v2 — Limited beta (Q3 2026)
Closes the v1 trust-boundary gaps:
- Enclave-owned X25519 keypair generated at boot via Phala dStack KMS — backend becomes pure transport, never sees plaintext
(closes the encrypted-intent "bridge mode" gap).
- Real Shutter Network keyper integration for commit-reveal — replaces the in-memory threshold scaffold with a permissionless
keyper quorum. The 3-line swap-in is already documented in backend/src/mev/shutter.ts.
- Browser-side document encryption — user holds the corpus key; the backend never touches plaintext docs.
- Versioned corpus manifests anchored on-chain so multi-document corpora produce durable provenance across appends.
- Mainnet cross-chain mirrors to Base + Linea + Ethereum L1 (Sepolia deprecates Sept 2026).
- RevokeEnclave + EnrollEnclave events on Provenant.sol for signer lifecycle.
- Per-chunk retrieval-trace commitments inside the enclave — sourceChunkHashes[] graduates from "corpus fingerprint" to
actual retrieval evidence.
Effort: ~6-8 weeks focused, one engineer. Main dependency: deploy a custom dStack app on Phala.
v3 — Production GA (Q1 2027)
Closes the operational gaps for enterprise sale:
- HSM/KMS-backed key management (AWS KMS / HashiCorp Vault) — per-corpus key rotation + revocation.
- Multi-attestation quorum — Intel TDX + AMD SEV-SNP. Defense-in-depth against single-vendor attestation-key compromise
(TEE.fail / WireTap class attacks).
- Reproducible-build pipeline + binary transparency log — Sigstore-style; closes the verifiable-transparency gap that Apple
PCC sets the bar for.
- Multi-tenant RBAC with org scopes, audit-role separation, machine-readable compliance evidence-export bundles.
- Durable workflow orchestration (Temporal / Inngest) replacing inline async/await.
- Multi-region indexer mesh with Postgres + Redis + S3/R2 checkpointing for DR.
Effort: ~6 months with a 2-3 engineer team, gated by enterprise design-partner conversations.
v4 — Protocol layer (2027+)
The audit primitive becomes a substrate for the wider 0G ecosystem:
- Audit Substrate v1.0 spec published as a 0G ecosystem standard — any 0G app emitting AI-inference events uses the same wire
format.
- Indexer-economics — per-query micro-fees to indexers for serving audit data to regulators. Aligns indexer incentives with
auditor demand.
- Cross-substrate composability — Meru receipts referenced by DePIN protocols (proof of physical-world action), agentic
finance protocols (proof of strategy decision), identity protocols (proof of credential issuance).
Commercial path
- Q3 2026: v2 limited beta with 3 design partners (Indian fintech AI vendors aligned with DPDPA Nov 2026 deadline) — free
during beta.
- Q4 2026: v3 GA + cold-outbound to Tier-1 buyer list. Target: 5 paying customers, $250K–$350K ACV.
- Q1 2027: protocol-tier launch + 0G ecosystem partnership announcements.
Direct addressable buyers (Tier 1, 2026-2028): ~3,500 EU-classified "high-risk AI deployers" + ~12,000 Indian Significant
Data Fiduciaries under DPDPA. TAM ≈ $1.5B–$4B by 2028. Fundraising Status
self-funded