A confidential response carries a fixed set of typed claims about the upstream that served it. They appear in the receipt’s upstream.verified.claims and in the attested session. A claim never just says “trusted”: each one states its own assurance level. This page is the reference for reading them. Each claim is an object with a status, a source, and a plain reason:
"tee_attested": {
  "status": "asserted",
  "source": "hardware_proven",
  "reason": "verified the TEE quote and bound the request channel"
}

Claim status

| status | Meaning |
| --- | --- |
| asserted | The verifier’s evidence backs this claim. |
| refuted | The evidence contradicts the claim (for example a stale platform TCB). Recorded, not hidden. |
| unknown | The claim was not established. This is transparency, never a silent pass. |

Claim source

The source states who vouches for an asserted or refuted claim, so a hardware fact and an assertion never look alike.

| source | Assurance |
| --- | --- |
| hardware_proven | From the verified TEE quote or its collateral. Strongest. |
| verifier_derived | Computed by the verifier from verified evidence. |
| provider_asserted | Published by the provider, not independently proven. |
| operator_asserted | Declared by the gateway operator. Weakest. |

The claim vocabulary

| Claim | Asks |
| --- | --- |
| tee_attested | Is this a genuine CPU TEE with an identity bound to the channel? |
| tcb_up_to_date | Is the platform’s Trusted Computing Base current? |
| os_known_good | Does the OS or platform image map to reviewed source? |
| serving_software_known_good | Does the serving software map to reviewed source? |
| gpu_attested | Is a genuine confidential-computing GPU attested and nonce-bound? |
| model_weights_provenance | Are the served weights and quantization what they claim to be? |

Which provider asserts which claim is on the Providers page.

TCB freshness

tcb_up_to_date is an honest tri-state read from the verifier’s reported TCB status:
  • An up-to-date platform asserts the claim.
  • A stale platform refutes it. The quote proves a stale TCB, so the gateway records the refuted claim rather than silently treating the platform as current.
  • An absent status is unknown.
Freshness comes from the verified evidence, never from policy.

How to read GPU attestation

gpu_attested becomes asserted (with source verifier_derived) when a provider’s NVIDIA confidential-computing GPU attestation is verified and bound to the verification nonce. It proves a genuine confidential GPU exists for that nonce. It does not prove that GPU is bound to the serving CPU TEE for your specific request. That is why its source is verifier_derived rather than hardware_proven, and why it never gates a session. Absent or unverified GPU evidence leaves the claim unknown.

Using claims in a decision

  1. Require tee_attested to be asserted with source hardware_proven.
  2. Treat serving_software_known_good: asserted as a stronger statement than a provider_asserted claim about software.
  3. Decide your own policy on tcb_up_to_date: refuted (serve with a recorded stale TCB, or reject).
  4. Read gpu_attested as supplemental, not as a gate.
  5. Treat any unknown as “not proven”, and weigh it accordingly.
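
The five steps above as a policy check over one claims object, written as an added example (not the gateway's own code). The function and constant names, reading a missing or malformed claim as unknown, and the weak/strong split at provider_asserted are assumptions; the sample claims are constructed.

```python
"""Added example: apply the five decision steps to a claims object."""
SOURCE_RANK = {"operator_asserted": 0, "provider_asserted": 1,
               "verifier_derived": 2, "hardware_proven": 3}
VOCABULARY = ("tee_attested", "tcb_up_to_date", "os_known_good",
              "serving_software_known_good", "gpu_attested",
              "model_weights_provenance")
UNKNOWN = {"status": "unknown", "source": None, "reason": "absent or malformed"}

def read_claim(claims, name):
    # Missing, malformed or unrecognised entries are read as unknown, never as a pass.
    claim = claims.get(name)
    ok = isinstance(claim, dict) and claim.get("status") in ("asserted", "refuted", "unknown")
    return claim if ok else UNKNOWN

def evaluate_claims(claims, allow_stale_tcb=False):
    """Return (accept, findings); allow_stale_tcb is the caller's step-3 policy."""
    c = {name: read_claim(claims, name) for name in VOCABULARY}
    accept, findings = True, []
    # Step 1: the hard gate is a hardware-proven TEE attestation.
    tee = c["tee_attested"]
    if (tee["status"], tee.get("source")) != ("asserted", "hardware_proven"):
        accept = False
        findings.append("reject: tee_attested not asserted by hardware_proven")
    # Step 2: weigh an asserted software claim by who vouches for it.
    sw = c["serving_software_known_good"]
    if sw["status"] == "asserted":
        weak = SOURCE_RANK.get(sw.get("source"), -1) <= SOURCE_RANK["provider_asserted"]
        findings.append(f"software asserted, {'weak' if weak else 'strong'} source")
    # Step 3: a refuted TCB is a local policy choice.
    if c["tcb_up_to_date"]["status"] == "refuted":
        accept = accept and allow_stale_tcb
        findings.append("stale TCB " + ("recorded" if allow_stale_tcb else "rejected"))
    # Step 4: gpu_attested is supplemental and never changes accept.
    if c["gpu_attested"]["status"] == "asserted":
        findings.append("gpu_attested asserted (supplemental)")
    # Step 5: surface every unknown as "not proven".
    findings += [f"not proven: {n}" for n in VOCABULARY if c[n]["status"] == "unknown"]
    return accept, findings

# Constructed sample, not taken from a real receipt.
SAMPLE = {
    "tee_attested": {"status": "asserted", "source": "hardware_proven"},
    "tcb_up_to_date": {"status": "refuted", "source": "hardware_proven"},
    "serving_software_known_good": {"status": "asserted", "source": "provider_asserted"},
    "gpu_attested": {"status": "asserted", "source": "verifier_derived"},
}

if __name__ == "__main__":
    print(evaluate_claims(SAMPLE, allow_stale_tcb=True))
```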
