Gnosis

Confidential inference as a service, for your terminal agent.

Point Claude Code, the OpenAI SDK, or curl at a small sidecar that runs on your machine. The sidecar talks to an attested confidential VM in our cloud, encrypting each prompt to a key only that VM holds. We see the byte count and the timestamp. We can't see the prompt or the response.

🚧 Pre-launch · sign up for updates

Working today: the sidecar, worker, and enclave code; ChaCha20-Poly1305 envelopes between them; and an attestation verification function (with fixtures).

How it works

Sidecar

A small binary that runs on your machine. Speaks OpenAI- and Anthropic-shaped HTTP on localhost:11434. Encrypts every prompt before it leaves your machine.

Enclave

A confidential VM holding an ephemeral keypair we can't extract. Decrypts prompts in memory, runs inference, encrypts responses. Reboots every 24 hours to rotate keys.

Channel

An encryption handshake delivers a session key to the enclave; prompts and responses then travel in per-request envelopes. The Worker between you and the enclave forwards ciphertext and is blind to the content.

It looks like OpenAI

Usage is identical to OpenAI's Python SDK; the only change is OPENAI_BASE_URL.

$ OPENAI_BASE_URL=http://localhost:11434/v1 \
  OPENAI_API_KEY=$(cat ~/.gnosis/api-key) \
  python -c "from openai import OpenAI; \
    print(OpenAI().chat.completions.create( \
      model='qwen-0.5b', \
      messages=[{'role':'user','content':'hi'}] \
    ).choices[0].message.content)"