Glasshouse original proof / May 3, 2026

Glasshouse ran 30 minutes of protected training on a RunPod RTX 3090.

This is the first public Glasshouse compute proof. A real RunPod GPU lifecycle completed encrypted package delivery, manifest-driven attestation, gated key release, CUDA/PyTorch training evidence, and zeroized cleanup.

Abstract

This proof demonstrates that Glasshouse can coordinate a protected compute lifecycle on third-party GPU infrastructure without treating the provider as a trusted application host. The payload was packaged and encrypted before deployment, attestation completed before key release, training ran on CUDA, and runtime evidence was captured through GlassPulse.

The scope is intentionally narrow. This article is the starting point: one provider, one GPU class, one long protected training run, and one clean proof packet.

01

Package

Glasshouse created an encrypted deployment package and a manifest for the release-agent training workload.

The internal proof retained the package id, manifest hash, and deployment id.

02

Launch

RunPod accepted the deployment and started a real RTX 3090 provider instance for the canary.

The provider instance id was captured as a public, non-secret run artifact.

03

Measure

The remote runner fetched its bootstrap bundle and emitted measurement and readiness lifecycle events.

Observed events included enclave.anti_debug_ready and enclave.measured.

04

Attest

Glasshouse verified the manifest-driven runtime state before allowing the workload to continue.

The deployment reached attestation_status: verified.

05

Release

The package key was released only after attestation passed, then the workload loaded encrypted model weights.

The completion evidence reports weightsLoadedFromEncryptedPackage: true.

06

Train

CUDA/PyTorch training ran for 1,800.001 seconds and emitted periodic progress evidence.

The run completed 2,015,589 epochs on cuda.

07

Report

The runner emitted a completion event with the manifest hash, weight digest, runtime state, and training result.

GlassPulse captured enclave.release_plan_completed with valid JSON evidence.

08

Zeroize

The runtime removed decrypted workspace material and zeroized package-key state on exit.

The final deployment state was zeroized and no RunPod pod was left running.

Verified result

The final run is boring in the right way.

The strongest artifact is a completed provider run with concrete state transitions, digests, and cleanup. These are the original public numbers to cite.

Provider: RunPod
GPU: NVIDIA GeForce RTX 3090
Deployment status: completed
Attestation status: verified
Runtime state after completion: zeroized
Training duration: 1800.001s
Epochs: 2,015,589
Final loss: 2.5729296622943598e-14
Weights loaded from encrypted package: true
Progress evidence events: 5
RunPod pods left running: 0

Digests and evidence

The proof carries hashes, not just prose.

Glasshouse kept a manifest digest for the package and a SHA-256 digest for the weights loaded after gated release. The public artifact below is sanitized, but keeps the non-secret digests and lifecycle facts intact.

Provider instance id: a89vazud9b26yr
Container id: depin-1777839427407-f2adaf77
Manifest SHA-256: 626576850feb5fa48292ee39448057c49b84d8beed9e1eddc87cc4fa18a023f2
Weights SHA-256: b9058c72baba884cfa9cdcecf84f6ff40fbb4bf211555926d957b6bc50366c59
Completion event: enclave.release_plan_completed
Completion timestamp: 2026-05-03T20:49:00.687Z

Lifecycle trail

The important states were observed end to end.

The full local evidence file remains internal, but the public state sequence is safe to show. It demonstrates readiness, measurement, attestation, key release, execution, progress, completion, and zeroization.

observed events
enclave.anti_debug_ready
enclave.measured
enclave.attestation_verified
enclave.key_released
enclave.executing
enclave.release_training_progress
enclave.release_plan_completed
enclave.zeroized
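
A reviewer reading this trail can check the ordering mechanically. The sketch below is an added example, not Glasshouse code: the event names come from the list above, while the ordering rules, the failing trail, and the names check_trail, MUST_PRECEDE and BAD_TRAIL are assumptions made for illustration.

```python
# Added example. Event names are the ones listed on this page; the ordering
# rules are assumptions read from the article, not Glasshouse's own verifier.
OBSERVED = [
    "enclave.anti_debug_ready",
    "enclave.measured",
    "enclave.attestation_verified",
    "enclave.key_released",
    "enclave.executing",
    "enclave.release_training_progress",
    "enclave.release_plan_completed",
    "enclave.zeroized",
]

# Constructed failing trail: the key is released before attestation verifies.
BAD_TRAIL = [
    "enclave.measured",
    "enclave.key_released",
    "enclave.attestation_verified",
    "enclave.executing",
    "enclave.release_plan_completed",
    "enclave.zeroized",
]

# (earlier, later): the first `later` must come after the first `earlier`.
MUST_PRECEDE = [
    ("enclave.measured", "enclave.attestation_verified"),
    ("enclave.attestation_verified", "enclave.key_released"),
    ("enclave.key_released", "enclave.executing"),
    ("enclave.executing", "enclave.release_plan_completed"),
]
TERMINAL = "enclave.zeroized"


def check_trail(events):
    """Return a list of violations; an empty list means the trail passes."""
    first = {}
    for index, name in enumerate(events):
        first.setdefault(name, index)
    problems = []
    for earlier, later in MUST_PRECEDE:
        if later in first and earlier not in first:
            problems.append(f"{later} seen without {earlier}")
        elif later in first and first[later] < first[earlier]:
            problems.append(f"{later} seen before {earlier}")
    if TERMINAL not in first:
        problems.append(f"trail never reached {TERMINAL}")
    elif any(name != TERMINAL for name in events[first[TERMINAL] + 1:]):
        problems.append(f"events recorded after {TERMINAL}")
    return problems
```

check_trail(OBSERVED) returns an empty list; check_trail(BAD_TRAIL) reports the key release that preceded attestation.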

Sanitized result

A small JSON view is enough for public inspection.

The raw proof file is retained for diligence. The public article only needs the result shape, hashes, lifecycle facts, and caveats.

public artifact excerpt
{
  "provider": "RunPod",
  "gpu": "NVIDIA GeForce RTX 3090",
  "attestationStatus": "verified",
  "runtimeStateAfterCompletion": "zeroized",
  "training": {
    "elapsedSec": 1800.001,
    "epochs": 2015589,
    "device": "cuda",
    "weightsLoadedFromEncryptedPackage": true
  },
  "cleanup": {
    "runpodPodsLeftRunningAfterCleanup": 0
  }
}

Reproducibility

The canary can be rerun with a RunPod key and a Glasshouse host.

Reproducibility matters more than dramatic wording. The command shape below is the same long proof path with secrets and public hostnames replaced by placeholders.

30 minute proof command
$env:RUNPOD_API_KEY='<runpod-api-key>'
$env:RUNPOD_ENCLAVE_RUNNER_IMAGE='pytorch/pytorch:2.2.2-cuda12.1-cudnn8-runtime'
$env:PUBLIC_API_BASE_URL='https://<public-glasshouse-api-host>'
$env:GLASSHOUSE_PUBLIC_BASE_URL='https://<public-glasshouse-api-host>'
$env:GLASSHOUSE_PUBLIC_ATTESTATION_URL='https://<public-attestation-host>/v1/attestation'

# PowerShell continues a line with a trailing backtick, not a backslash.
python scripts/release_agent_enclave_canary.py `
  --base-url 'https://<public-glasshouse-api-host>' `
  --provider runpod `
  --gpu-model auto `
  --train-duration-sec 1800 `
  --timeout-sec 3000 `
  --provider-boot-timeout-sec 600 `
  --poll-interval-sec 30 `
  --progress-interval-sec 300 `
  --json-out tmp/release_agent_enclave_runpod_30m.json

What this is not

The caveats are part of the claim.

This is a software-enforced zero-trust enclave path on third-party GPU infrastructure. It is not a hardware confidential-computing claim.
The proof targets ordinary provider operational surfaces: rented GPU lifecycle, container logs, filesystem packaging, deployment events, and cleanup.
It does not claim memory inviolability against a privileged provider, kernel-level adversary, or hardware-level adversary.
The public artifact is intentionally sanitized. It excludes API keys, public tunnel URLs, encrypted payloads, package keys, and implementation-level enclave mechanics.