The Nova Stack is a comprehensive, self-contained suite of open-source tools for building, deploying, and verifying Trusted Execution Environment (TEE) applications on blockchain and AWS Nitro Enclaves.
With Nova Stack, you can independently develop, build, deploy, and register trustless TEE applications. You own and control the entire pipeline.
Nova Stack consists of four core components that together provide a complete, end-to-end workflow for confidential computing applications.
┌──────────────────────────────────────────────────────────────────────────────────────────┐
│ NOVA STACK PIPELINE │
├──────────────────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. DEVELOP 2. BUILD 3. DEPLOY 4. REGISTER │
│ ────────── ──────── ──────── ──────────── │
│ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ │
│ │ Capsule │ ──────▶ │ App Hub │ ──────▶ │ Capsule │ ─────▶ │ ZKP CLI │ │
│ │ │ │ │ │ │ │ │ │
│ │ Build & │ │ Transparent│ │ Run your │ │ Attest, │ │
│ │ test your │ │ CI/CD build│ │ release │ │ Prove & │ │
│ │ TEE app │ │ with proofs│ │ image │ │ Register │ │
│ └────────────┘ └─────┬──────┘ └────────────┘ └─────┬──────┘ │
│ │ Upload hash │ Verify & │
│ ▼ ▼ Register │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ App Registry │ │
│ │ (On-Chain) │ │
│ └─────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
- Develop: Use Nova Enclave Capsule to build and test your TEE application locally in mock mode or on a real Nitro Enclave.
- Build: Use App Hub (or your own CI/CD) to transparently build your application, producing a verifiable EIF and measurement (PCRs). The measurements are enrolled into the on-chain registry as a new Version.
- Deploy: Use Nova Enclave Capsule to run the built release image, which contains the EIF, on your own AWS EC2 instances with Nitro Enclave support.
- Register: Use ZKP CLI to obtain remote attestation from your running enclave, generate a Zero-Knowledge Proof, and register your Instance on-chain in the App Registry by verifying it against the enrolled version.
Learn more about this workflow at https://sparsity.cloud/how-it-works.
Note that this repo contains the latest released version of the components, while they are being actively developed in the original repos.
The Development & Runtime Engine
./enclave-capsule/
Original Repo: https://github.com/sparsity-xyz/nova-enclave-capsule
Nova Enclave Capsule is the core toolkit for the entire lifecycle of AWS Nitro Enclave applications, from local development to production deployment. It uses capsule-cli build plus a capsule.yaml manifest to turn a standard container image into a release image with an embedded EIF, and capsule-cli run to launch that image on Nitro-enabled EC2. Inside the enclave, capsule-runtime supervises the application, while capsule-shell manages the host-side runtime and Nitro lifecycle.
- Capsule CLI Workflow: Build and run enclave applications with
capsule-cli buildandcapsule-cli run, using a singlecapsule.yamlmanifest to describe the runtime contract. - Networking & Proxies: Nitro Enclaves have no native networking. Nova Enclave Capsule provides ingress and egress proxy layers so your app can communicate with the outside world using standard protocols.
- Capsule Runtime & Capsule API:
capsule-runtimeruns as PID 1 inside the enclave and exposes local HTTP APIs for attestation, randomness, signing, encryption, storage, and related enclave services. - Trustless RPC (Helios): Includes a built-in Helios Light Client that syncs with Ethereum/OP Stack chains. Your app gets a local, trustless JSON-RPC endpoint (
http://localhost:8545) verified by cryptographic proofs, eliminating reliance on trusted 3rd party RPCs. - Storage & Mounts: Supports encrypted S3-backed storage as well as host-backed directory mounts for stateful enclave workloads.
- KMS-Backed Key Management: Integrates enclave identity with external KMS-backed signing and derivation flows for application wallets and related services.
The Transparent Builder
./app-hub/
Original Repo: https://github.com/sparsity-xyz/sparsity-nova-app-hub
A transparent build system using GitHub Actions. Applications submitted here are built publicly, ensuring that the binary running in the enclave matches the source code. This creates a "chain of custody" for the software supply chain.
- SLSA Level 3: Builds are signed and verifiable.
- PCR Generation: Automatically calculates the measurements needed for remote attestation.
- Build Attestation: Creates cryptographic proofs tying source code commits to built EIF artifacts.
💡 Note: You can also set up your own build pipeline using the same GitHub Actions workflows provided in App Hub.
The On-Chain Registry
./app-registry/
Smart contracts for on-chain TEE application registration and verification.
🔗 Live Deployment: Base Sepolia (0x0f68...4cc8)
🔍 Live App Explorer: https://sparsity.cloud/explore/
- NovaAppRegistry: The core registry managing the 3-layer hierarchy of TEE applications:
- App: Identity and ownership.
- Version: Immutable code measurements (PCRs) and metadata.
- Instance: Live running enclaves verified via ZK proofs.
- NitroEnclaveVerifier: Verifies ZK proofs of AWS Nitro attestations on-chain using SP1.
- Access Control: Granular permissions for App Owners and the Registry Admin.
- Upgradeable: Built using the UUPS proxy pattern for future extensibility.
The Attestation & Registration Tool
./zkp-cli/
⚠️ Under Development
A command-line tool for the final step of the deployment pipeline. It connects to proving services to:
- Retrieve Remote Attestations: Connect to a running enclave and obtain attestation from the AWS Nitro Secure Module (NSM).
- Generate ZK Proofs: Submit the attestation to an SP1 proving service to generate a Zero-Knowledge Proof of the enclave's identity.
- On-Chain Registration: Submit the ZK proof to the App Registry smart contract, completing the verifiable registration.
- Check the Sparsity Nova Examples for reference implementations.
- Use Nova Enclave Capsule and a
capsule.yamlmanifest to build and test your application locally. - Start with the Nova Enclave Capsule README or the HN Fetcher example.
- Submit your application to App Hub for transparent, verifiable builds.
- GitHub Actions will build your EIF and generate PCR measurements.
- Download the built artifacts (EIF + attestation).
- Launch an EC2 instance with Nitro Enclave support in your own AWS account.
- Deploy the built release image using
capsule-cli run. - Your enclave is now running and accessible through the ports you publish from the Capsule release image.
- Deploy your own App Registry (or use an existing deployment):
- Use ZKP CLI to attest, prove, and register your running enclave:
| Feature | Benefit |
|---|---|
| Fully Open Source | Inspect, modify, and self-host every component |
| Verifiable Builds | Transparent CI/CD ensures binary integrity |
| On-Chain Registration | Cryptographic proof of your enclave's identity on the blockchain |
| Self-Contained | Complete pipeline from development to on-chain registration |
- How It Works
- Nova App Template
- Nova App Examples
- Nova Enclave Capsule
- Nova Enclave Capsule Documentation
- App Registry Documentation
- Sparsity Cloud (With Managed Nova Stack) - Optional managed platform for simplified deployment