MCPcopy Index your code
hub / github.com/Layr-Labs/d-inference

github.com/Layr-Labs/d-inference @v0.7.4

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.7.4 ↗ · + Follow
5,701 symbols 29,606 edges 756 files 3,000 documented · 53% updated 2d agov0.7.4 · 2026-07-05★ 22683 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Darkbloom

Public Alpha — Darkbloom is a decentralized private-inference network for Apple Silicon. Expect rough edges, breaking changes, and downtime. During the alpha, providers keep 100% of revenue (0% platform fee).

Darkbloom turns idle Macs into a private, OpenAI-compatible inference cloud.

Today, AI compute reaches you through a stack of markups — chipmaker to hyperscaler to API vendor. Meanwhile, over 100 million Apple Silicon Macs sit mostly idle, each with up to 512 GB of unified memory and up to 819 GB/s of bandwidth — enough to run frontier-scale models at interactive speeds. Darkbloom connects that idle capacity directly to demand, and pays the people who own the machines.

The hard part is privacy. The person running a provider node has root and physical custody of the machine doing your inference — yet they must not be able to read your prompts or the model's responses. Darkbloom closes every software path to that plaintext:

  • No observation surface. Inference runs in-process via MLX — no subprocess, no local server, no IPC to tap.
  • Locked-down process. Debuggers are denied at the kernel level (PT_DENY_ATTACH); memory-reading APIs are blocked by Hardened Runtime. These protections are immutable for the process lifetime, because removing them requires disabling SIP, which requires a reboot that kills the process.
  • End-to-end encryption. The coordinator re-seals every request with NaCl Box (X25519 + XSalsa20-Poly1305) to the provider's attested key, so on the provider machine only the hardened process — never its owner — can decrypt it.
  • Hardware attestation. A four-layer chain — Secure Enclave signatures, MDM cross-checks, Apple Managed Device Attestation, and APNs code-identity — proves each node's security posture and that it runs a genuine, unmodified binary.

What remains is the same residual threat model Apple accepts for Private Cloud Compute: physically de-soldering and probing memory chips. Everything short of that is engineered out.

The API is OpenAI- and Anthropic-compatible, so most clients work by changing one base URL.


Contents


How it works

flowchart LR
    U["<b>Consumer</b>

OpenAI / Anthropic SDK · curl · Web UI"]
    subgraph coord["Coordinator · Go · Confidential VM (AMD SEV-SNP)"]
        CO["Auth · Routing · Billing

Attestation · E2E relay"]
    end
    subgraph prov["Provider · Swift CLI · hardened macOS process"]
        P["mlx-swift-lm (in-process)"] --> G["Apple Silicon GPU (Metal)"]
    end

    U -->|"HTTPS · OpenAI-compatible

TLS + optional NaCl Box"| CO
    CO -->|"WebSocket · outbound from provider

mandatory per-request NaCl Box"| P
    P -.->|"encrypted SSE chunks"| CO
    CO -.->|"streamed response"| U

A consumer calls the coordinator over a standard HTTPS, OpenAI-compatible API. The coordinator is a Go control plane running in a Confidential VM; it authenticates the request, picks a provider, handles billing, and relays the encrypted payload. Providers are Apple Silicon Macs running the darkbloom Swift CLI; they connect outbound over WebSocket — no port forwarding or inbound firewall changes are needed — decrypt the request inside a hardened process, and run inference in-process on the GPU via MLX.

Privacy & security

Darkbloom is engineered so that the operator of the Mac running your inference cannot read your prompt or the response. The only plaintext exposure anywhere is transient — inside the coordinator's hardware-encrypted Confidential-VM memory — and it is never logged or retained.

Encryption, hop by hop

sequenceDiagram
    participant C as Consumer
    participant K as Coordinator (CVM)
    participant P as Provider (Secure Enclave-bound)

    C->>K: Request over TLS

(optionally NaCl Box-sealed to coordinator key)
    Note over K: Decrypts in CVM memory for routing + billing.

Never logs or retains prompt content.
    K->>P: Re-encrypts body with a fresh ephemeral key →

provider's attested X25519 key (mandatory NaCl Box)
    Note over P: Only the hardened provider process decrypts.

Runs inference in-process on the GPU.
    P-->>K: Response SSE chunks encrypted to

coordinator's ephemeral key
    K-->>C: Relays response (re-sealed if sender encryption is on)
Hop Protection
Consumer → Coordinator TLS by default; optionally NaCl Box-sealed to the coordinator's X25519 key (GET /v1/encryption-key)
Inside Coordinator Decrypts in Confidential-VM memory for routing & billing only; never logs or retains prompt content
Coordinator → Provider Mandatory per-request NaCl Box to the provider's attested X25519 key, with a fresh ephemeral key per request
Provider → Coordinator Response chunks encrypted back to the coordinator's ephemeral key

Precise claim: Darkbloom is not "the coordinator never sees plaintext." The accurate statement is that plaintext is exposed only inside the coordinator's hardware-encrypted CVM memory, is never logged or retained, and is immediately re-encrypted for the selected provider. The provider is the final decryption endpoint, and it is bound to an attested Secure Enclave identity. See docs/architecture/security/encryption.md and docs/consumer/privacy-expectations.md.

Provider hardening

Layer What it does
In-process inference MLX runs inside the provider process — no subprocess, local server, or IPC to observe
Hardened Runtime + SIP Blocks debugger attachment, memory reads, and code injection; immutable for the process lifetime
PT_DENY_ATTACH Kernel-level denial of debugger attach

Attestation & trust

flowchart TB
    SE["Secure Enclave P-256 key

hardware-bound, keychain-ACL"] --> SIG["Signs attestation blob"]
    SIG --> SS["<b>self_signed</b>"]
    SS --> MDM["MDM SecurityInfo cross-check

SIP · Secure Boot · FileVault"]
    MDM --> MDA["Apple MDA certificate chain

Enterprise Attestation Root CA"]
    MDA --> HW["<b>hardware</b>"]
    HW --> APNS["APNs code-identity attestation (v0.6.0+)

proves the running binary is genuine"]
    CHAL["Challenge-response every 5 min

re-verifies SIP / Secure Boot"] -.-> SS
    CHAL -.-> HW

Providers carry one of three trust levels, surfaced to consumers on every response via the X-Provider-Trust-Level header (alongside X-Provider-Attested, X-Provider-Encrypted, X-Provider-Chip, and X-Provider-Secure-Enclave):

Level Verification
none No attestation — not admitted for private text traffic
self_signed Secure Enclave P-256 signature + periodic challenge-response
hardware MDM enrollment + Apple Managed Device Attestation (MDA) certificate chain

The strongest production gate is APNs code-identity attestation, which proves the running provider binary is genuine and team-provisioned. The full attestation chain for any provider is publicly verifiable at GET /v1/providers/attestation.

Quickstart (consumers)

The API is OpenAI-compatible — point any OpenAI SDK at the Darkbloom base URL.

Base URL: https://api.darkbloom.dev/v1 Auth: Authorization: Bearer <key>, where <key> is an API key (sk-db-…, created in the console) or a Privy session JWT.

from openai import OpenAI

client = OpenAI(
    base_url="https://api.darkbloom.dev/v1",
    api_key="sk-db-...",
)

stream = client.chat.completions.create(
    model="gemma-4-26b",                       # use an id from GET /v1/models
    messages=[{"role": "user", "content": "Hello, Darkbloom!"}],
    stream=True,
)
for chunk in stream:
    if chunk.choices[0].delta.content:
        print(chunk.choices[0].delta.content, end="")
curl https://api.darkbloom.dev/v1/chat/completions \
  -H "Authorization: Bearer sk-db-..." \
  -H "Content-Type: application/json" \
  -d '{"model":"gemma-4-26b","messages":[{"role":"user","content":"Hello!"}],"stream":true}'

The Anthropic Messages API works too — point the Anthropic SDK at the same base URL and use /v1/messages.

See docs/consumer/quickstart.md for authentication, streaming, and SDK details.

API surface

OpenAI-compatible, with Anthropic Messages support. Inference endpoints require a Bearer key; reads marked public need no auth.

Method & path Purpose
POST /v1/chat/completions OpenAI Chat Completions (streaming + non-streaming)
POST /v1/responses OpenAI Responses API (auto-detects input vs messages)
POST /v1/completions OpenAI legacy text completions
POST /v1/messages Anthropic Messages API
GET /v1/models List models (OpenAI shape)
GET /v1/models/{id} Retrieve a model
GET /v1/models/catalog Public — full model catalog with Darkbloom metadata
GET /v1/pricing Public — live per-token pricing
GET /v1/encryption-key Public — coordinator X25519 key for optional sender-side sealing
GET /v1/providers/attestation Public — provider attestation chains for verification
GET /v1/payments/balance, GET /v1/payments/usage Account balance and usage

Supported across the inference endpoints: streaming (SSE), tool / function calling, vision / multimodal input, reasoning models, and server-side continuous batching for throughput. n > 1 is rejected with 400 (on chat completions and the Responses API). Unimplemented OpenAI endpoints (e.g. /v1/embeddings) return a structured 404.

Full request/response schemas: docs/reference/api-contracts.md.

Models

The model catalog is owned by the coordinator and DB-backed — there is no hardcoded model list. Consumer-facing names are stable aliases (e.g. gemma-4-26b, gpt-oss-20b) that resolve to concrete, versioned builds; aliases can be re-pointed to new builds without breaking clients. Providers download approved models from https://models.darkbloom.ai and verify per-file and aggregate SHA-256 hashes before serving.

The authoritative, live list is always GET /v1/models (or the public GET /v1/models/catalog). Representative current models:

Alias Family Notes
gemma-4-26b Gemma 4 (MoE, ~4B active) Google's latest MoE; multimodal (text + vision)
gpt-oss-20b GPT-OSS 20B (MoE, ~3.6B active) OpenAI open-weight reasoning model

Quantization and exact build details evolve — query /v1/models rather than hardcoding them. See docs/consumer/models.md.

Pricing

Pricing is per-token and resolved per request: a provider's custom price, else a platform price, else built-in fallbacks.

Item Fallback default
Input tokens $0.05 / 1M
Output tokens $0.20 / 1M
Minimum charge $0.0001 / request
Platform fee 0% during public alpha

Per-token rates target roughly half of comparable hosted APIs. Live per-model pricing is always at GET /v1/pricing. Funding is via Solana USDC deposits (verified on-chain) or Stripe; provider payouts run through Stripe Connect. Requests routed to your own machine via self-route are free. See docs/reference/pricing-model.md.

Run a provider

Earn by serving inference on your idle Mac — and stop paying for your own usage via self-route.

Requirements

Minimum Recommended
Chip Apple Silicon (M1+) M1 Pro/Max/Ultra or newer
macOS 14 (Sonoma) Latest stable
Memory 8 GB (start is rejected below 8 GB) 32 GB+ for large or multi-model
Disk 50 GB free 100 GB+
Network Outbound HTTPS (443) Low-latency path to api.darkbloom.dev

A model loads when it fits in available memory plus a small headroom (weights + ~2 GB), after the OS reserve. See docs/provider/hardware-requirements.md.

Install

curl -fsSL https://api.darkbloom.dev/install.sh | bash

Zero prerequisites and no sudo. The installer fetches the latest signed release, verifies the bundle / binary / mlx.metallib SHA-256 against the coordinator's release record, checks the Apple Developer ID code signature, provisions the Secure Enclave helper, and offers to install the MDM enrollment profile for hardware trust. See docs/provider/installation.md.

First run

darkbloom start              # background launchd service (interactive model picker)
darkbloom start --foreground # run attached to the terminal
darkbloom login              # link your account (RFC 8628 device-code flow)
darkbloom status             # config, hardware, schedule, live trust verdict
darkbloom doctor             # local diagnostics + coordinator's trust view

docs/provider/quickstart.md walks through the full flow.

CLI reference

Command Purpose
start Start serving (launchd daemon, --foreground, or --local)
stop / restart Stop (--uninstall removes t

Extension points exported contracts — how you extend this code

Snapshotter (Interface)
Snapshotter produces a consistent copy of a BoltDB file. It is injectable so archive-building tests can exercise the wal [5 …
coordinator/stateexport/snapshot.go
MetricsSink (Interface)
MetricsSink is the minimal interface the emitter needs to bump counters. The api package injects a small adapter so the [2 …
coordinator/telemetry/emitter.go
CodeIdentityAttestor (Interface)
CodeIdentityAttestor sends a code-identity challenge to a provider's device. The implementation builds E_K(nonceB64) (en [2 …
coordinator/apns/attestor.go
APIKeyStore (Interface)
APIKeyStore covers consumer API-key lifecycle: the legacy single-key helpers, multi-key management (one account → many n [2 …
coordinator/store/interface_domains.go
EventConsumer (Interface)
(no doc) [2 implementers]
e2e/testbed/events.go
DecodeTPSDist (FuncType)
DecodeTPSDist returns the static decode tokens/sec for provider index i of n. It must be deterministic in i so a simulat
coordinator/registry/routingsim/fleet.go
GaugeFunc (FuncType)
GaugeFunc returns a snapshotted gauge value computed at read time.
coordinator/api/metrics.go
OnMDACallback (FuncType)
OnMDACallback is called when a DevicePropertiesAttestation response arrives. The UDID identifies the device; certChain i
coordinator/mdm/mdm.go

Core symbols most depended-on inside this repo

New
called by 606
coordinator/registry/registry.go
Error
called by 602
coordinator/api/provider.go
Close
called by 427
coordinator/api/server.go
writeJSON
called by 424
coordinator/api/httputil.go
Set
called by 353
coordinator/api/cache.go
errorResponse
called by 345
coordinator/api/httputil.go
cancel
called by 332
console-ui/src/app/api/chat/route.ts
Mu
called by 283
coordinator/registry/registry.go

Shape

Function 3,502
Method 1,552
Struct 437
Interface 171
TypeAlias 26
FuncType 8
Class 5

Languages

Go84%
TypeScript15%
Python1%
Rust1%

Modules by API surface

coordinator/registry/registry.go186 symbols
coordinator/store/memory.go164 symbols
coordinator/store/interface_domains.go162 symbols
coordinator/store/postgres.go153 symbols
coordinator/api/server.go124 symbols
coordinator/api/consumer.go83 symbols
console-ui/src/app/stats/page.tsx78 symbols
coordinator/registry/scheduler.go65 symbols
coordinator/store/interface.go50 symbols
coordinator/api/dispatch.go45 symbols
coordinator/api/provider.go41 symbols
coordinator/api/trust_reuse_test.go38 symbols

Datastores touched

testbedDatabase · 1 repos

For agents

$ claude mcp add d-inference \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page