B3IQ private inference currently uses encrypted transport. It is private from the B3IQ control plane, gateway, hosted playground, router accounting, billing exports, and public explorer payloads. It is not yet a claim that prompts and outputs are hidden from the node operator.

Privacy Classes

| Class | Status | Claim |
| --- | --- | --- |
| private_transport | Active | Client encrypts to node transport key. Protects content from B3IQ services and public surfaces, not from the node operator. |
| verified_confidential_cpu | Planned | Requires verified TEE attestation, transport key binding, attestation freshness, and receipt evidence. |
| verified_confidential_gpu | Later | Requires practical confidential GPU hardware, driver stack, and attestation tooling. |

Current Baseline

  • Private job request bodies must include a b3iq-private-transport-v1 envelope.
  • Extra request fields are rejected before balance reservation.
  • Private command results store only validated encrypted response envelopes and an optional receipt hash.
  • D1 may contain ciphertext envelopes, job state, billing rows, ledger rows, receipt hashes, and signed receipt commitments.
  • D1 must not contain raw prompts, outputs, customer tokens, local node keys, or router secrets.
  • Old terminal ciphertext envelopes can be purged while preserving billing, receipt, and settlement evidence.

What Not To Claim Yet

Avoid: Claim node-operator privacy

Do not market normal consumer nodes as confidential inference nodes until verified TEE execution exists and is tested.

TEE Path

The first confidential CPU target is AMD SEV-SNP. Intel TDX remains a second backend. The TEE path needs:

  1. Quote retrieval and verification: Prototype hardware quote retrieval and verifier service integration.
  2. Transport key binding: Bind the node transport public key to attestation report data.
  3. Sanitized public summary: Publish only verification status, TEE type, provider/verifier, policy ID, measurement/runtime/report-data/public-key/quote hashes, and freshness.
  4. Client-side verification: Verify attestation before encryption in strict confidential mode.
  5. Receipt commitment: Include attestation hash in signed receipts without exposing raw quotes or certificate chains.

Until that flow is implemented and tested end to end, use private_transport terminology.
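The sketch below is an added example, not B3IQ code, showing how steps 2 and 4 fit together: the client refuses to encrypt unless the report data commits to the transport key it is about to use and the report is fresh. It assumes the quote's signature chain was already validated by a verifier; the binding tag, the SHA-512 construction, the `VerifiedReport` fields, the reason strings and the 300-second window are all hypothetical.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Assumptions for this sketch (not B3IQ's format): binding tag, SHA-512, 5-minute window.
BINDING_TAG = b"example-transport-key-binding-v1"
MAX_AGE_SECONDS = 300


@dataclass(frozen=True)
class VerifiedReport:
    """Fields of a quote whose signature chain a verifier has already validated."""
    tee_type: str
    measurement: bytes
    report_data: bytes  # SEV-SNP REPORT_DATA is a 64-byte field
    issued_at: float    # unix time, assumed to come from the verifier


def expected_report_data(transport_pubkey: bytes) -> bytes:
    """64-byte value the node must place in REPORT_DATA for this transport key."""
    return hashlib.sha512(BINDING_TAG + transport_pubkey).digest()


def check_before_encrypt(report, transport_pubkey, allowed_measurements, now=None):
    """Return (ok, reason); in strict mode the client encrypts only when ok is True."""
    now = time.time() if now is None else now
    if report.tee_type != "sev-snp":
        return False, "unsupported_tee"
    if report.measurement not in allowed_measurements:
        return False, "measurement_not_in_policy"
    # Constant-time compare; a substituted transport key yields a different digest.
    if not hmac.compare_digest(report.report_data, expected_report_data(transport_pubkey)):
        return False, "transport_key_not_bound"
    age = now - report.issued_at
    if age < 0 or age > MAX_AGE_SECONDS:
        return False, "attestation_stale"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not real keys or measurements.
    key, swapped, meas = b"\x01" * 32, b"\x02" * 32, b"\xaa" * 48
    report = VerifiedReport("sev-snp", meas, expected_report_data(key), issued_at=1000.0)
    print(check_before_encrypt(report, key, {meas}, now=1100.0))      # bound key
    print(check_before_encrypt(report, swapped, {meas}, now=1100.0))  # substituted key
    print(check_before_encrypt(report, key, {meas}, now=2000.0))      # stale report
```

Without the binding check, a valid quote from any genuine TEE could be presented alongside a transport key that never lived inside it, which is why the key comparison sits on the client before encryption.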
