sablenetwork
Roadmap

Two layers of trust.

Private inference needs two guarantees a centralized API can't give you: that nobody saw your prompt, and that the operator who ran it has something to lose if they cheat. We build them in that order — confidentiality first (hardware), then accountability (economics). Everything below is labelled by where it actually is. We don't describe a phase in the present tense until it ships.

Layer 1 · Hardware

Confidentiality

Inference runs inside an attested Trusted Execution Environment. The operator — and anyone with access to the box — is cryptographically blind to your prompt. Clients verify the enclave's attestation before sending anything.

Layer 2 · Economics

Accountability

Operators restake to join the network and are slashed for failed attestation, downtime, or breaking the privacy contract. Confidentiality says they can't read you; accountability says it costs them to misbehave.

No one in this category has both. TEE networks prove confidentiality but carry no economic stake; restaking networks prove accountability but run inference in the clear. The combination is the point.

Phase 1

The gateway

Live

A drop-in, OpenAI-compatible API. Swap one line and your traffic is encrypted in transit, routed, metered, and never persisted.

  • Encrypted-in-transit gateway

    Prompts sealed on ingress (AES-256-GCM); plaintext lives only in the egress shim, never on disk or in logs.

  • OpenAI-compatible surface

    Chat (streaming + non-streaming), embeddings, models, a stable Sable model catalog, region pinning, privacy tiers.

  • Publicly-verifiable signed receipts

    Every response carries a secp256k1 / EIP-191 receipt over content-free metadata + a fingerprint. Verify it without trusting us.

  • Agent-grade key controls

    Argon2id-hashed keys, per-key spend caps, model allowlists, expiry, rate limits, SIWE-gated dashboard, webhooks.

What's honest about the standard tier: it's encrypt-in-transit only — the upstream model host still sees plaintext. The confidential tier closes that, and it's live today for sable-confidential-24b (see below).

Phase 2

Confidential execution (TEE)

Building

Run inference inside an attested enclave the host can't read. The attested-backend path is LIVE for sable-confidential-24b; owning the enclave ourselves is the remaining work.

  • Attested enclave — live (via backend)

    Today confidential traffic routes to an attested Intel TDX + NVIDIA H100 CC backend whose hardware quote the gateway verifies against a pinned measurement. Next: run the shim in an enclave Sable measures itself.

  • Pre-flight client attestation — live

    GET /v1/attestation exposes the verified enclave status, and the SDK's verifyAttestation() checks it before you send — trust the chip, not the company.

  • Tiers bound to hardware — live (one model)

    The confidential tier is fail-closed: a request is refused unless the enclave attests. Live for sable-confidential-24b; extending to more models is in progress.

  • Receipt → attestation — live

    The signed receipt now carries a verified TEE attestation block (verification "tee-attested", response_bound true) alongside the gateway signature. Same envelope, stronger claim.

The make-or-break bet — and the fast path shipped: confidential traffic for one model routes to an attested TDX backend whose quote and per-response signature we verify in-gateway. The durable moat — owning the measured enclave — is what 'building' still refers to.

Phase 3

Proof of inference

Planned

A per-request proof that the right model ran on the right input — not just that a Sable key signed some metadata.

  • Attested transcripts

    TEE attestation + signed transcripts bind model identity, input hash, and output together.

  • Verifiable inference (ZK)

    The long-term substrate: a cryptographic proof that a specific model produced a specific output. Heavy research; ZK-ML is moving fast.

Phase 4

Decentralization & accountability

Planned

A permissionless operator set with real skin in the game. We compose with an established restaking layer for crypto-economic security rather than reinventing it.

  • Restake-secured operator set

    Operators restake to join; slashing enforces the privacy contract — forged attestation, downtime, or a contract violation burns stake.

  • On-chain audit trail

    Receipt commitments (content-free) anchored to a data-availability layer for a tamper-evident public record of what ran, when.

  • Decentralized routing

    Sealed-envelope hops between nodes; each node sees only the encrypted form except its own egress step.

  • Network token — last, if ever

    Payments / premium routing / rewards layered on top of the restaking security. Never the thing securing the network, never a pump.

Why rent it: hand-rolling stake + slashing + a token from scratch is the slow, risky path. Established restaking infrastructure already secures billions in staked ETH; we compose with it rather than rebuild it.

Dates are deliberately absent. We'd rather ship a phase and move its label to Live than promise a quarter. If a claim isn't marked Live, we don't make it on the rest of the site either.