The platform’s privacy claims are designed to be checked against source, not taken on trust. The gateway is open source, and its attestation report records the exact source commit the running workload was built from.

Source provenance in the report

Every attestation report includes attestation.source_provenance:
{
  "repo_url": "https://github.com/Dstack-TEE/private-ai-gateway.git",
  "repo_commit": "9d45c7e3d48d2f74c31cd85f1fb5c6cee1435ef3",
  "image_digest": null,
  "image_provenance": null
}
This is what makes “verify the running code” concrete: the report names the repository and commit the attested workload was built from. To audit a deployment, review that commit and compare it against the release you are willing to trust.
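One way to automate the comparison described above, as an added example that is not code from the gateway project. It assumes the report is a JSON object with the nested path attestation.source_provenance, that the report's quote and signatures have already been verified separately, and that TRUSTED (a hypothetical name) is the auditor's own allowlist of reviewed commits.

```python
import json
import re

# Assumption: the auditor's own allowlist of reviewed commits, keyed by repo URL.
TRUSTED = {
    "https://github.com/Dstack-TEE/private-ai-gateway.git": {
        "9d45c7e3d48d2f74c31cd85f1fb5c6cee1435ef3",  # commit shown on this page
    },
}
# Assumption: commits are full 40-hex ids, as in the page's sample.
FULL_COMMIT = re.compile(r"[0-9a-f]{40}")

# Constructed sample report; only source_provenance is taken from the page.
SAMPLE_REPORT = json.loads("""
{"attestation": {"source_provenance": {
    "repo_url": "https://github.com/Dstack-TEE/private-ai-gateway.git",
    "repo_commit": "9d45c7e3d48d2f74c31cd85f1fb5c6cee1435ef3",
    "image_digest": null,
    "image_provenance": null}}}
""")


def check_source_provenance(report, trusted=TRUSTED):
    """Return (ok, reasons); any missing or malformed field fails closed."""
    att = report.get("attestation") if isinstance(report, dict) else None
    prov = att.get("source_provenance") if isinstance(att, dict) else None
    if not isinstance(prov, dict):
        return False, ["attestation.source_provenance missing"]
    repo, commit = prov.get("repo_url"), prov.get("repo_commit")
    reasons = []
    if not isinstance(repo, str) or repo not in trusted:
        reasons.append(f"repo_url not in allowlist: {repo!r}")
    if not isinstance(commit, str) or not FULL_COMMIT.fullmatch(commit):
        # Abbreviated ids are rejected: a prefix does not pin one commit.
        reasons.append(f"repo_commit is not a full commit id: {commit!r}")
    elif not reasons and commit not in trusted[repo]:
        reasons.append(f"commit {commit} is not on the reviewed list")
    return not reasons, reasons


if __name__ == "__main__":
    print(check_source_provenance(SAMPLE_REPORT))
```

A result of (True, []) only says the reported commit is one you have reviewed; it carries weight only after the attestation quote that contains the report has itself been verified.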

Repositories

private-ai-gateway

The Attested Confidential Inference gateway: the API surface, attestation reports, receipts, and provider verification.

dstack

The dstack TEE runtime and KMS the gateway uses for workload identity and quotes.

RedPill on GitHub

The organization, clients, and tooling.

What you can check from source

  • Attestation handling. How the gateway builds the report, binds the nonce and keyset into the quote, and endorses its signing keys.
  • Provider verification. How each confidential provider is verified and which channel binding is enforced before forwarding.
  • Receipts. How the transparency event log is built and signed, and that bodies are hashed, not stored.
  • Fail-closed forwarding. That a required upstream which cannot be verified or bound is rejected.

Reporting a vulnerability

Report security issues privately to support@redpill.ai rather than in a public issue. Include reproduction steps.
