Solana RedPill Verifier

Why it matters

This is the moment AI output gets a receipt on Solana.

Most AI infrastructure still asks users to trust an endpoint. The endpoint says a model answered. The provider says the request ran in a secure environment. The app says a response was not changed. Those are useful claims, but they are still claims. The Solana RedPill Verifier turns that chain into state a wallet can inspect.

The historic shift is not merely that a TEE proof is stored on-chain. It is that an AI response can carry a bounded evidence trail: request hash, response hash, model hash, nonce, TEE signing address, quote hash, attestation report hash, compose hash, verifier set hash, Solana slot, submitter, and credential issuance. That moves AI verification from "trust this server" toward "verify this answer."

The original RedPill verifier stored proof records through an Ethereum contract. This SVM port keeps the off-chain TDX and NVIDIA verification chain, then replaces EVM events with Solana program state. A proof becomes a PDA. A credential becomes a Token-2022 non-transferable NFT through the Solana Attestation Service. The demo domain, verify.8bitlabs.ai, is the public front door for that idea.

Source map

The repository is small, but each directory carries part of the trust path.

Program program/

Zero-Anchor Pinocchio SVM program. It dispatches InitCounter, StoreProof, and StoreProofV2.

Gateway clawd-tee-gateway/

Rust axum proxy that signs payload hashes, collects TDX and GPU evidence, anchors proofs, and issues credentials.

Client clients/typescript/

TypeScript builders, PDA helpers, account decoders, lookup methods, and the solana-redpill-verifier CLI.

Interface idl/

IDL v0.2.0 for program consumers and generated client surfaces.

Build target/

Rust and SBF build output. It is not the design, but it proves the verifier has a real compile target.

Docs README.md / svm.md

The README documents V2 and the gateway. svm.md records the Ethereum-to-Solana handoff.

Architecture

From inference to permanent SVM proof.

A verified response is built from independent layers. The gateway sees the request and response, the TEE key signs their canonical payload hash, attestation backends bind that key to hardware, and the Solana program records the result in deterministic accounts.

01

Proxy the AI request

The gateway accepts OpenAI-compatible chat, completion, and embedding requests and forwards them to an upstream model provider.

02

Hash the transcript

The request JSON, response JSON, model string, and nonce are separately hashed and packed into a signed payload hash.

03

Sign inside the TEE

A secp256k1 key signs the payload hash. The key is designed to stay inside the TEE boundary.

04

Collect hardware evidence

Intel TDX quote collection and NVIDIA NRAS GPU attestation produce the hardware evidence for the report.

05

Anchor to Solana

The transaction includes the secp256k1 native instruction and StoreProofV2, creating a proof PDA.

06

Issue credentials

When a wallet crosses the configured proof threshold, SAS can mint a non-transferable Token-2022 credential.

Original RedPill on Ethereum Solana RedPill Verifier

mapping(bytes32 => Proof) One TeeProof or TeeProofV2 PDA per proof hash.

verifyAndStore(quote, addr) StoreProof and StoreProofV2 instructions.

Contract events for discovery. Solana account writes queryable through RPC by PDA.

ecrecover in Solidity. Solana secp256k1 native program plus instruction sysvar checks.

Global proof mapping. Sharded ProofCounterDay accounts by UTC day to avoid one hot counter.

SVM program

The on-chain part is intentionally narrow.

The program is not trying to run DCAP verification inside the SVM. It stores the proof record, enforces account derivation, and optionally binds the proof to the TEE signature with Solana's native secp256k1 verifier. That keeps compute focused where Solana is strong: permanent, composable, low-latency state.

Instruction set

0 InitCounter: One-time global counter setup for V1 deployments.
1 StoreProof: V1 proof storage by quote hash, with optional fixed-index secp verification.
2 StoreProofV2: Flexible secp index, request/response/model binding, expiration, status, and day counters.

Demo

verify.8bitlabs.ai shows the proof chain without needing a private gateway key.

This browser demo recomputes the public hash path used by StoreProofV2. It does not forge a TEE signature, collect a live TDX quote, or submit a Solana transaction from the browser. It demonstrates the deterministic part anyone can inspect before trusting the live gateway.

Browser proof-chain

Local deterministic verifier

Ready. This computes request_hash, response_hash, model_hash, nonce, and signed_payload_hash in your browser.

Gateway shape

Live endpoint contract

curl https://verify.8bitlabs.ai/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "x-clawd-wallet: <solana-wallet>" \
  -d '{
    "model": "redpill/solana-demo",
    "messages": [
      { "role": "user", "content": "prove this answer" }
    ]
  }'

A live gateway response appends an _clawd proof object with hashes, signature, signing address, verification level, proof PDA, and transaction signature.

Proof object shape

{
  "request_hash": "sha256(request_json)",
  "response_hash": "sha256(response_json)",
  "model_hash": "sha256(model_string)",
  "signed_payload_hash": "sha256(CLAWD_REDPILL_V2 || request || response || model || nonce)",
  "signing_address": "0xTEE_SECP256K1_ADDRESS",
  "signature": "65-byte secp256k1 signature",
  "verification_level": "TeeSigOnchain",
  "solana_proof_address": "TeeProofV2 PDA",
  "solana_tx_sig": "Solana transaction signature"
}

Trust model

The verifier separates evidence from authority.

What the chain proves

A Solana account proves a specific payload hash was submitted, by a specific signer, at a specific slot, under a declared verification level and policy version.

What the TEE signature proves

In TeeSigOnchain mode, the transaction includes native secp256k1 verification that the TEE key signed the payload hash.

What off-chain attestation proves

TDX and NVIDIA evidence bind the signing address and report data to the claimed confidential computing environment.

What still needs scrutiny

Provider behavior, gateway deployment, verifier set selection, upstream model identity, and DCAP policies remain operational security concerns.

Credentials

SAS turns repeated proof usage into wallet-native reputation.

The gateway can track successful anchored proofs per wallet through the x-clawd-wallet header. Once the configured threshold is met, it can use the Solana Attestation Service program to issue a Token-2022 non-transferable NFT containing proof count, TEE signing address, and the latest proof hash.

SAS program 22zoJMtdu4tQc2PzL74ZUT7FrwgB1Udec8DdW4yw4BdG

This makes the verifier useful beyond one request. A wallet can accumulate a portable credential showing it has crossed a threshold of verified TEE-backed interactions.

What comes next

The milestone is real, but the production checklist is explicit.

01

Deploy and publish the verifier program IDs for devnet and mainnet environments.

02

Attach verify.8bitlabs.ai to the live gateway for request, lookup, and credential flows.

03

Expose proof lookup by signedPayloadHash and quote hash for explorers and dashboards.

04

Add integration tests around StoreProofV2, sharded counters, secp instruction indexes, and account decoding.

05

Track the path to on-chain DCAP verification if a Solana-native verifier becomes available.

8 Bit Labs position

Verifiable AI should be inspectable by default.

The Solana RedPill Verifier is historic for 8 Bit Labs because it joins three worlds that have usually been separate: confidential AI inference, SVM-native state, and wallet-native credentials. Model registries prove which artifacts exist. This verifier starts proving how an answer was made.

Open verify.8bitlabs.ai Return to 8 Bit Labs Back to top