Live on NEAR Mainnet

Verifiable OS
for Agents

Every agent runs inside an Intel TDX enclave. Every execution produces a cryptographic attestation certificate — an on-chain receipt proving what code ran, what it did, and that nobody tampered with it. Secrets stay encrypted. Wallets are policy-controlled. Payments are built in.

Intel TDX Hardware Enclaves
MPC Network NEAR Mainnet Validators
All Chains NEAR / ETH / BTC / SOL ...
At a Glance

A Real Operating System.
Not Another Wrapper.

Every primitive an OS needs — but every operation runs inside Intel TDX enclaves and produces a cryptographic attestation certificate that anyone can verify on-chain.

TEE Kernel

5 syscall interfaces exposed through WIT. The agent calls the kernel; the kernel enforces trust.

Encrypted Filesystem

Persistent storage with atomic CAS and increment. Private by default, public when you choose.

Hardware Secrets

Client encrypts, TEE decrypts. Operator never sees plaintext. API keys protected by hardware isolation.

Agent Custody

Multi-chain wallets (NEAR/ETH/BTC/SOL). MPC-derived keys with spending limits, whitelists, and emergency freeze.

Access Conditions

9 composable rules: token balance, NFT ownership, DAO role, regex, boolean logic. Kernel-level access control.

Attestation Chain

TDX 5-measurement verification. Sigstore binary certification. On-chain attestation records. Verify the hardware, the binary, the chain.

Scheduler

Interval, storage-diff, webhook triggers. Scheduler is untrusted — it decides when, the TEE decides what.

Verifiable Randomness

Ed25519 VRF with on-chain proof. Anti-grinding via blockchain-assigned request IDs. Provably fair.

Stateless Processes

Erlang model: start, work, write state, terminate. No crashes, no leaks. Immune to cascading failures.

Blockchain RPC

Full NEAR access from inside the enclave. View calls, send transactions. Agents interact with DeFi without exposing keys.

Built-in Monetization

Native stablecoin payments per execution. Refund API. Developers earn per call — no Stripe, no invoicing.

Live in Production

Price oracle, near.email, private tokens, private DAO voting. Running on mainnet today.

The Problem

Agents Need Infrastructure
They Can't Trust

Blind Trust

AI agents store data, hold secrets, manage wallets, and sign transactions. Today, this means trusting a cloud provider with everything — your agent's keys, your users' data, your business logic.

Hardware Guarantee

OutLayer runs every computation inside Intel TDX hardware enclaves. The operator cannot read your data, modify your results, or run different code than what you deployed. This isn't a promise — it's physics.

Why an OS

Linux for Applications.
OutLayer for Agents.

The same fundamental abstractions — processes, filesystem, permissions, syscalls — designed for autonomous agents and enforced by hardware attestation

Linux for applications
Kernel Syscall interface to hardware
Filesystem read, write, fsync
Network socket, connect, send
/dev/urandom Random number generator
Users & Groups Permission model
cron Scheduled execution
OutLayer for agents
TEE Kernel 5 WIT syscall interfaces, hardware-attested
Encrypted Storage Per-agent encryption, atomic ops, cross-agent reads
Blockchain RPC Full NEAR access from inside the enclave
Verifiable RNG Ed25519 VRF with on-chain cryptographic proof
Access Conditions 9 composable rules: token balance, NFT, DAO role...
Scheduler Interval, storage-diff, webhook triggers
The Kernel

One Interface.
Complete Agent Infrastructure.

Storage, blockchain, wallets, randomness, payments — every primitive exposed as a kernel syscall. Your agent runs as a sandboxed WASI process. Every call is hardware-attested.

outlayer:near:rpc Network Stack

Blockchain Access

Full NEAR RPC from inside the enclave. View calls, send signed transactions, read any contract state. Your agent autonomously interacts with DeFi, DAOs, NFTs — without exposing signing keys.

outlayer:storage Filesystem

Encrypted Filesystem

Persistent key-value storage with atomic CAS and increment. Private by default — even the operator can't read it. Public when you choose, enabling cross-agent composability.

outlayer:wallet Hardware Security Module

Multi-Chain Wallet

NEAR, Ethereum, Bitcoin, Solana. MPC-derived keys that never leave the enclave. Transfer, swap, withdraw — all governed by a policy engine with spending limits and multisig.

outlayer:vrf /dev/urandom (verifiable)

Verifiable Randomness

Ed25519 VRF with on-chain proof. Anti-grinding via blockchain-assigned request IDs. Anyone can verify the output on-chain. Provably fair lotteries, games, NFT minting.

outlayer:payment Native Monetization

Built-in Payments

Stablecoin payments per execution. Refund API for partial returns. Transparent, deterministic pricing. Developers earn per call — no Stripe, no invoicing, no intermediaries.

Agent Custody

Your Rules.
Keys That Can't Be Lost.

You set the policy. The agent spends within your rules. Private keys live inside the TEE and are re-derived on every operation — the agent never holds them and can never lose them.

One Wallet, Every Chain

Keys are deterministically derived from a master secret held by the NEAR MPC network. Same wallet ID always produces the same addresses on NEAR, Ethereum, Bitcoin, and Solana. Stateless, deterministic — the TEE re-derives keys on every operation.

The agent never touches private keys directly. It issues commands to the kernel, and the kernel signs transactions after evaluating policy.

agent_wallet.rs 
// Get derived address on any chain
let near_addr = wallet::get_address("near")?;
let eth_addr  = wallet::get_address("ethereum")?;

// Transfer tokens
wallet::transfer("near", "bob.near", amount)?;

// Cross-chain swap via NEAR Intents
wallet::swap(
    "nep141:wrap.near",
    "nep141:usdc.near",
    amount, ""
)?;

// Withdraw to Ethereum
wallet::withdraw(
    "ethereum", "0xBob...",
    "1000000", "erc20:USDC"
)?;

Spending Limits

Per-transaction, hourly, daily, and monthly caps across all tokens. Velocity controls that the agent cannot bypass.

Address Whitelist

Restrict which addresses the agent can send to. Whitelist or blacklist mode — enforced in hardware, not in application code.

Multisig Approvals

Transactions above a threshold require 2-of-3 human approval via NEAR wallet signatures. TEE holds the transaction until the threshold is met.

Emergency Freeze

Owner calls freeze_wallet() directly on-chain. Takes effect in seconds. No API, no coordinator — works even if infrastructure is compromised.

Sign Transactions Set Policy Freeze Wallet Read Private Keys
Agent (code) Via TEE, within policy No No No
Owner (human) No Yes (on-chain) Yes (on-chain) No
TEE (hardware) After policy check No No Derived, never exported
Operator (infra) No No No No
Secrets & Permissions

End-to-End Encrypted.
Kernel-Level Access Control.

Secrets Are a Cryptographic Primitive

Developers encrypt secrets in their browser using the keystore's public key. The encrypted blob lives on the NEAR blockchain. When the agent runs, the TEE fetches it, decrypts with a hardware-derived key, and injects as environment variables.

At no point does the operator, the coordinator, or any component outside the TEE see plaintext. Combined with Access Conditions, secrets are protected by both cryptography and hardware isolation, with access gated by on-chain conditions the TEE validates before decrypting.

access_conditions.rs 
// Only DAO council members
// who hold 100+ USDC
// can trigger this agent:

Logic(And, [
    DaoMember {
        dao: "traders.sputnik-dao.near",
        role: "council"
    },
    FtBalance {
        contract: "usdc.near",
        operator: Gte,
        value: 100_000_000
    }
])
Whitelist
Account Pattern (regex)
NEAR Balance
Token Balance
NFT Ownership
DAO Membership
Boolean Logic (And/Or/Not)
Trust Model

Verify, Don't Trust

"Verifiable" is not a marketing adjective. It is a technical property backed by Intel TDX hardware measurements and on-chain attestation records.

Operator CANNOT

Hardware-enforced by Intel TDX

  • Read decrypted secrets or wallet private keys
  • Modify execution results
  • Run different code than what was deployed
  • Forge attestation reports
  • Extract storage encryption keys

Anyone CAN Verify

On-chain, publicly auditable

  • Exact code running in the enclave (TDX measurements)
  • Binary matches public source (Sigstore certificates)
  • Each execution was attested (on-chain records)
  • 5 hardware measurements match approved set
  • Worker keys registered with verified TDX quotes

Intel TDX provides five hardware measurements (MRTD, RTMR0–3) that uniquely identify the code running inside the enclave. All five must match an admin-approved set stored on the NEAR blockchain. Workers generate Ed25519 keypairs inside the TEE, register them on-chain with verified TDX attestation quotes, and sign every execution result with keys that never leave the enclave.

Process Model

Stateless by Design.
Composable by Default.

Agents follow the Erlang model: start, work, write state, terminate. No crashes, no leaks, no zombies. State is explicit, not in RAM.

Sandboxed Execution

WASI capability-based security. Agents cannot access the host filesystem or network except through kernel syscalls. Every instruction is metered.

Cross-Agent Composability

Any agent can publish to public storage. Any other agent can read it. An oracle publishes prices; a trading bot reads them; a risk agent monitors both. Like Unix pipes, but for agents.

Autonomous Scheduling

Interval-based ticks, storage-diff triggers, webhooks. The scheduler is untrusted — it can decide when to trigger, but can't influence what the agent does. All execution happens in TEE.

In Production

Not a Whitepaper.
Running on Mainnet.

DeFi

Price Oracle

Decentralized price feeds from 7 exchanges. Scheduler monitors deviations, triggers TEE agent to fetch, aggregate, and publish. Prices readable by any agent via cross-project public storage.

Email

near.email

Blockchain-native email for NEAR accounts. alice.near becomes [email protected]. ECIES encryption, MPC key derivation, TEE-protected server. Operators cannot read your mail.

Privacy

Private Token Transfers

Confidential token transfers where balances live in TEE-encrypted storage. The smart contract sees only encrypted state. Users prove ownership via wallet signatures.

Governance

Private DAO Voting

Anonymous voting where individual votes are hidden but the tally is verifiable. Votes collected in TEE-encrypted storage, access-gated by DAO membership. Only the result is published.

AI

Verifiable AI Inference

Run OpenAI, Claude, or local models inside TEE. Return attestation-backed AI results to smart contracts or HTTPS clients. Hardware proof that the model output wasn't tampered with.

Gaming

Provably Fair Randomness

TEE-generated VRF for games, lotteries, NFT minting. Ed25519 signature proof verifiable by any NEAR smart contract. Anti-grinding by design.

Get Started

Zero to Deployed
in Minutes

terminal 
# Install
cargo install outlayer-cli

# Login with NEAR wallet
outlayer login

# Create your first agent
mkdir my-agent && cd my-agent
outlayer init

# Write your agent logic (edit src/main.rs)

# Deploy & run
outlayer deploy
outlayer run '{"command": "hello"}'

Deploy Verifiable
Agents

Open source. Live on mainnet. Hardware-attested execution, encrypted secrets, multi-chain wallets, and built-in monetization — out of the box.

Read the Docs Try Playground