This server runs inside an Intel TDX confidential VM. This page is served from inside that VM and explains how to check, without trusting us, that the code running here is exactly the public source code.
v0.2.0, commit 0d4fd15 (0d4fd1590a652fa1bc73b88f307ad0ed5d549b2a), image ghcr.io/open-software-network/june-api:0d4fd15
Audio, transcripts, and notes pass through this server. Because the running image is remotely attested, neither Phala (the platform) nor Open Software (us) can quietly swap it for one that reads your data. Any change to the running code is visible in the chain below.
The chain has three links: source (a public git commit), image (a container image our CI builds from that commit, published with a content digest), and attestation (third-party-verifiable proof that the image with that digest is what is actually executing inside a genuine Intel TDX VM).
1. Open the Trust Center report. Confirm the attestation verifies, then find the image reference pinned in the attested compose file. It should be:
    ghcr.io/open-software-network/june-api:0d4fd15
2. Resolve that tag to its content digest in the public registry:
    docker buildx imagetools inspect ghcr.io/open-software-network/june-api:0d4fd15 \
      --format '{{.Manifest.Digest}}'
3. Compare against the digest our CI recorded in the repository at deploy time, as an immutable deploy/<env>/<sha> git tag:
    git clone https://github.com/open-software-network/os-june && cd os-june
    git tag -l 'deploy/*/0d4fd15' -n3
   The tag message states which image digest commit 0d4fd15 deployed. It must match the digest from step 2.
4. Read the source at that commit. The commit linked above is the exact tree the image was built from. The build stamps it into the image itself.
This proves the running digest is the one our public CI built and recorded for that commit. Bit-for-bit reproducible rebuilds (regenerating the digest yourself instead of trusting our CI) are in progress; see docs/reproducible-builds.md.
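The registry lookup and deploy-tag comparison described above can be scripted so that a missing, malformed, or ambiguous digest fails the check instead of passing by accident. This is an added example, not the project's own tooling; the function names are hypothetical, and it assumes the tag message records the digest as "sha256:" followed by 64 lowercase hex characters.

```shell
#!/bin/sh
# Added example, not the project's tooling. Assumption: the deploy tag
# message records the image digest as "sha256:" plus 64 lowercase hex chars.

# Print each distinct sha256 digest found on stdin, one per line.
extract_digests() {
    grep -oE 'sha256:[0-9a-f]{64}' | sort -u
}

# digest_matches REGISTRY_DIGEST TAG_TEXT
# 0 = match, 1 = mismatch, 2 = malformed registry digest,
# 3 = no digest in tag text, 4 = tags record more than one distinct digest.
digest_matches() {
    printf '%s\n' "$1" | grep -qxE 'sha256:[0-9a-f]{64}' || return 2
    recorded=$(printf '%s\n' "$2" | extract_digests)
    [ -n "$recorded" ] || return 3
    [ "$(printf '%s\n' "$recorded" | grep -c .)" -eq 1 ] || return 4
    [ "$recorded" = "$1" ]
}

# check_deploy IMAGE_REF SHORT_SHA
# Run inside a clone of os-june; needs docker buildx and network access.
check_deploy() {
    digest=$(docker buildx imagetools inspect "$1" \
        --format '{{.Manifest.Digest}}') || return 2
    tag_text=$(git tag -l "deploy/*/$2" -n3)
    rc=0
    digest_matches "$digest" "$tag_text" || rc=$?
    case $rc in
        0) echo "OK: $1 resolves to $digest, as recorded in the deploy tag" ;;
        1) echo "MISMATCH: registry has $digest; tag records a different digest" >&2 ;;
        *) echo "INCONCLUSIVE (code $rc): treat as a failed check" >&2 ;;
    esac
    return "$rc"
}
```

Call it as `check_deploy ghcr.io/open-software-network/june-api:0d4fd15 0d4fd15` from the cloned repository. If several deploy/<env>/ tags exist for the commit, they must all record the same digest for the check to pass.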
The chain verifies the code running in the confidential VM, not what upstream providers do. Everything leaving the TEE for model inference (audio for transcription, prompts and context for note generation and the agent) goes through Venice. By default it runs on Venice private models: zero data retention, no training. If you select an anonymized model not run by Venice, the request is still routed and anonymized by Venice, but the underlying model provider may retain data under its own privacy policy. End-to-end private inference is a separate workstream.