Wulong

A NestJS API designed to run inside a Trusted Execution Environment (TEE) with quantum-resistant ML-KEM-1024 encryption and Web3 authentication (SIWE), giving users cryptographic guarantees that the operator cannot access their data during processing. Optimized for Phala Network deployment.

Features

• TEE Attestation - Cryptographic proof of code integrity
  • Platforms: AMD SEV-SNP, Intel TDX, AWS Nitro, Phala
  • See TEE setup guide
• Web3 Authentication - SIWE (Sign-In with Ethereum)
  • See auth guide
• Quantum-Resistant Encryption - ML-KEM-1024 (NIST FIPS 203) with multi-recipient support
  • Client-side encryption with w3pk
  • Privacy-first: clients can decrypt locally without server
  • Server-side decryption for operations (with SIWE auth)
  • See ML-KEM guide and client guide

Quick Start

Local Development (without Docker)

Mock TEE attestation - no real hardware security.

# Install dependencies
pnpm install

# Setup environment
cp .env.template .env

# Generate TLS certificates
mkdir -p secrets
openssl req -x509 -newkey rsa:4096 -keyout secrets/tls.key -out secrets/tls.cert -days 365 -nodes -subj "/CN=localhost"

# Generate ML-KEM keypair
pnpm ts-node scripts/generate-admin-keypair.ts
# Copy the output keys to your .env file

# Start development server
pnpm start:dev

# Test ML-KEM encryption (in another terminal)
pnpm test:mlkem              # Basic encryption test
pnpm test:store-access       # Full store+access flow with SIWE

Access at https://localhost:3000 (accept self-signed certificate warning)

Docker Development

Mock TEE attestation - no real hardware security.

docker compose -f docker-compose.dev.yml up

Access at https://localhost:3000

Phala Cloud (Production TEE)

# Build and push Docker image
docker buildx build --platform linux/amd64 -t YOUR_USERNAME/wulong:latest --push .

# Deploy to Phala Cloud
phala deploy --interactive

# Test against Phala deployment
WULONG_URL=https://your-app-id-3000.phala.network pnpm test:store-access

Docs

Setup & Deployment

• Local Setup - Run locally without Docker (development)
• Docker Setup - Run with Docker (development & testing)
• Phala Deployment - Deploy to Phala Cloud TEE (production)

API & Usage

• API Reference - Complete REST API endpoint documentation
• ML-KEM Encryption - Quantum-resistant encryption guide
• Client-Side Encryption - How to encrypt data with w3pk
• SIWE Authentication - Ethereum wallet authentication guide
• Testing Guide - Local and Phala testing procedures

Architecture & Security

• Overview - Project overview, architecture, and security model
• TEE Setup - Platform-specific deployment (AMD SEV-SNP, Intel TDX, AWS Nitro, Phala)
• Side Channel Attacks - Security considerations and mitigations
• Implementation Plan - ML-KEM development roadmap

License

GPL-3.0

Contact

Julien Béranger (GitHub)

• Element: @julienbrg:matrix.org
• Farcaster: julien-
• Telegram: @julienbrg