README
¶
NeoCompute Marble Service
TEE-secured confidential computing service running inside MarbleRun enclave.
Overview
The NeoCompute Marble service implements secure JavaScript execution:
- Users submit JavaScript code with optional encrypted inputs
- TEE executes code within secure enclave using goja runtime
- Secrets can be injected from the user's secret store (Supabase-backed, access-controlled)
- Results are signed for verifiable TEE origin
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ MarbleRun Enclave (TEE) │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Handler │ │ goja JS │ │ Secrets │ │
│ │ (REST API) │───>│ Runtime │<──>│ (Injected) │ │
│ └─────────────┘ └──────┬──────┘ └─────────────┘ │
│ │ │ │
│ ┌──────▼──────┐ ┌──────▼──────┐ ┌─────────────┐ │
│ │ Job Manager │ │ Crypto │ │ Output │ │
│ │ (TTL/GC) │ │ Utilities │ │ Signing │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────────┘
File Structure
| File | Purpose |
|---|---|
service.go |
Service initialization, job management |
core.go |
Script execution, goja runtime |
handlers.go |
HTTP request handlers |
api.go |
Route registration |
types.go |
Request/response types |
Lifecycle is handled by the shared commonservice.BaseService (start/stop hooks, workers, standard routes).
Key Components
Service Struct
type Service struct {
*commonservice.BaseService
masterKey []byte
signingKey []byte // Derived key for HMAC signing
secretProvider secrets.Provider
jobs sync.Map // map[jobID]jobEntry
resultTTL time.Duration
cleanupInterval time.Duration
}
goja JavaScript Runtime
Secure JavaScript execution with:
input- User-provided input datasecrets- Injected secrets (viasecret_refs)console.log- Debug logging (with limits)crypto.sha256()- Hash functioncrypto.randomBytes()- Secure random generation
Security Features
Resource Limits
| Constant | Value | Description |
|---|---|---|
MaxScriptSize |
100KB | Max script size |
MaxInputSize |
1MB | Max input data |
MaxOutputSize |
1MB | Max output data |
MaxSecretRefs |
10 | Max secrets per execution |
MaxLogEntries |
100 | Max console.log calls |
MaxLogEntrySize |
4KB | Max log entry size |
MaxConcurrentJobs |
5 | Max parallel jobs per user |
DefaultTimeout |
30s | Execution timeout |
Output Protection
Results include cryptographic attestation:
type ExecuteResponse struct {
// ... basic fields ...
EncryptedOutput string `json:"encrypted_output,omitempty"` // AES-GCM encrypted
OutputHash string `json:"output_hash,omitempty"` // SHA256 of output
Signature string `json:"signature,omitempty"` // HMAC-SHA256 signature
}
Job Isolation
- Jobs stored per-user with TTL expiration
- Automatic cleanup of expired results
- User can only access their own jobs
API Endpoints
| Endpoint | Method | Description |
|---|---|---|
/health |
GET | Service health check |
/info |
GET | Service status + statistics |
/execute |
POST | Execute JavaScript |
/jobs |
GET | List user's jobs |
/jobs/{id} |
GET | Get job result |
Request/Response Types
ExecuteRequest
type ExecuteRequest struct {
Script string `json:"script"`
EntryPoint string `json:"entry_point,omitempty"` // default: "main"
Input map[string]interface{} `json:"input,omitempty"`
SecretRefs []string `json:"secret_refs,omitempty"` // secret names
Timeout int `json:"timeout,omitempty"`
}
ExecuteResponse
type ExecuteResponse struct {
JobID string `json:"job_id"`
Status string `json:"status"`
Output map[string]interface{} `json:"output,omitempty"`
Logs []string `json:"logs,omitempty"`
Error string `json:"error,omitempty"`
GasUsed int64 `json:"gas_used"`
StartedAt time.Time `json:"started_at"`
Duration string `json:"duration,omitempty"`
EncryptedOutput string `json:"encrypted_output,omitempty"`
OutputHash string `json:"output_hash,omitempty"`
Signature string `json:"signature,omitempty"`
}
Configuration
type Config struct {
Marble *marble.Marble
DB database.RepositoryInterface
ResultTTL time.Duration // default: 24h
CleanupInterval time.Duration // default: 1min
}
Required Secrets
| Secret | Description |
|---|---|
COMPUTE_MASTER_KEY |
Master key for encryption/signing |
Environment Variables
| Variable | Description |
|---|---|
NEOCOMPUTE_RESULT_TTL |
Custom result retention time |
Usage Examples
Basic Script Execution
POST /execute
{
"script": "function main() { return { result: input.a + input.b }; }",
"input": { "a": 5, "b": 3 }
}
Using Secrets
POST /execute
{
"script": "function main() { return { apiKey: secrets.api_key }; }",
"secret_refs": ["api_key"]
}
Using Crypto Utilities
POST /execute
{
"script": "function main() { return { hash: crypto.sha256(input.data), random: crypto.randomBytes(16) }; }",
"input": { "data": "hello world" }
}
Job Status Values
| Status | Description |
|---|---|
running |
Execution in progress |
completed |
Successfully finished |
failed |
Execution failed |
Dependencies
Infrastructure Packages
| Package | Purpose |
|---|---|
infrastructure/crypto |
AES-GCM, HMAC, hashing |
infrastructure/marble |
MarbleRun TEE utilities |
infrastructure/secrets |
Secrets provider interface + policy enforcement |
infrastructure/database |
Framework DB access (optional) |
infrastructure/service |
Base service framework |
External Packages
| Package | Purpose |
|---|---|
github.com/dop251/goja |
JavaScript runtime |
github.com/gorilla/mux |
HTTP router |
github.com/google/uuid |
Job ID generation |
golang.org/x/crypto/hkdf |
Key derivation |
Related Documentation
Documentation
¶
Overview ¶
Package neocompute provides API routes for the neocompute service.
Package neocompute provides core logic for the neocompute service.
Package neocompute provides HTTP handlers for the neocompute service.
Package neocompute provides neocompute service.
The NeoCompute service allows users to execute custom JavaScript inside the TEE enclave with access to their secrets. This enables: - Privacy-preserving computation on sensitive data - Secure execution of business logic with verifiable results - Integration with external APIs using protected credentials
Architecture: - Script execution via goja JavaScript runtime - Secure secret injection from user's secret store - Signed execution results for verification - Gas metering and resource limits
Package neocompute provides types for the neocompute service.
Index ¶
Constants ¶
View Source
const ( ServiceID = "neocompute" ServiceName = "NeoCompute Service" Version = "1.0.0" // Default execution timeout DefaultTimeout = 30 * time.Second // Max script size (100KB) MaxScriptSize = 100 * 1024 // Gas accounting is approximate and based on the submitted script size. // This value is intended for billing/rate limiting and is not tied to VM opcodes. GasPerScriptByte = 10 // Resource limits for security MaxInputSize = 1 * 1024 * 1024 // 1MB max input size MaxOutputSize = 1 * 1024 * 1024 // 1MB max output size MaxSecretRefs = 10 // Max secrets per execution MaxLogEntries = 100 // Max console.log entries MaxLogEntrySize = 4096 // Max size per log entry MaxConcurrentJobs = 5 // Max concurrent jobs per user // Result retention defaults DefaultResultTTL = 24 * time.Hour )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
Marble *marble.Marble
DB database.RepositoryInterface
// SecretProvider optionally injects user secrets into the JS runtime.
SecretProvider secrets.Provider
// Optional overrides, primarily used for testing.
ResultTTL time.Duration
CleanupInterval time.Duration
}
Config holds service configuration.
type ExecuteRequest ¶
type ExecuteRequest struct {
Script string `json:"script"`
EntryPoint string `json:"entry_point,omitempty"`
Input map[string]interface{} `json:"input,omitempty"`
SecretRefs []string `json:"secret_refs,omitempty"`
Timeout int `json:"timeout,omitempty"`
AppID string `json:"app_id,omitempty"`
ScriptName string `json:"script_name,omitempty"`
}
ExecuteRequest represents a script execution request.
type ExecuteResponse ¶
type ExecuteResponse struct {
JobID string `json:"job_id"`
Status string `json:"status"`
Output map[string]interface{} `json:"output,omitempty"`
Logs []string `json:"logs,omitempty"`
Error string `json:"error,omitempty"`
GasUsed int64 `json:"gas_used"`
StartedAt time.Time `json:"started_at"`
Duration string `json:"duration,omitempty"`
// TEE attestation fields - prove result came from enclave
EncryptedOutput string `json:"encrypted_output,omitempty"` // AES-GCM encrypted output (base64)
OutputHash string `json:"output_hash,omitempty"` // SHA256 hash of plaintext output
Signature string `json:"signature,omitempty"` // HMAC-SHA256 signature of output hash
}
ExecuteResponse represents a script execution response.
type Service ¶
type Service struct {
*commonservice.BaseService
// contains filtered or unexported fields
}
Service implements the NeoCompute service.
func (*Service) Execute ¶
func (s *Service) Execute(ctx context.Context, userID string, req *ExecuteRequest) (*ExecuteResponse, error)
Execute runs code inside the TEE enclave and stores the result for later retrieval.
Source Files
Click to show internal directories.
Click to hide internal directories.