I built Onera because I was uncomfortable sending sensitive code to LLM APIs in plaintext. Most hosted inference today requires trusting the provider not to log or inspect prompts, but technically the infrastructure still has access. I wanted a setup where the server operator itself could not read user data.

Onera uses AMD SEV-SNP trusted execution environments to run inference inside a hardware encrypted VM, where memory is encrypted and isolated from the host. The client first performs remote attestation to verify the enclave, and then establishes an encrypted channel directly into it. Prompts are sent through this secure channel and processed entirely inside the enclave, so even the machine running the workload cannot inspect them.

The API is OpenAI compatible, so it works with existing tools like OpenClaw, OpenWebUI, Cursor, Claude Code, or anything using the OpenAI SDK, without requiring changes to the client architecture.

The entire client and enclave runtime are open source here: https://github.com/onera-app/onera

Happy to answer any technical questions or feedback.