The Quill Cloud prompt path runs inside an AWS Nitro Enclave. The KMS keys it needs to reach Bedrock are released by AWS only when the enclave's PCR0 measurement matches the published value below. That binds the running binary to this open-source code at this commit.
| Source code | github.com/Lore-Hex/quill-cloud-proxy |
|---|---|
| Infrastructure | github.com/Lore-Hex/quill-cloud-infra |
| License | Apache 2.0 |
| Region | us-east-1 |
See /pcr0.txt for the live PCR0 value. It is updated atomically with each release. Compare it to the output of ./tools/verify-pcr0.sh on a clean clone.
| Data | Logged? |
|---|---|
| Prompt content | No |
| Completion content | No |
| Bearer tokens | No |
| Per-request timestamps | No |
| Client IPs | No (ALB log TTL ≤ 24h) |
| Per-device daily aggregate counts (req, tokens, errors), 90-day TTL | Yes — for accountability + billing |
| Hourly across-all-devices request count | Yes — heartbeat |
```sh
git clone https://github.com/Lore-Hex/quill-cloud-proxy
cd quill-cloud-proxy
./tools/verify-pcr0.sh
# the script prints the PCR0 of the local rebuild and compares
# to the published value at /pcr0.txt
```
- enclave/tests/test_no_io.py — AST scan that fails CI if any I/O identifier (print, open, logging, etc.) appears in the enclave production source.
- parent/tests/test_no_content_in_logs.py — AST scan that fails CI if a parent log call has any prompt-content kwarg.
- parent/src/quill_parent/relay.py — the byte pump between the ALB and the enclave; never decodes the body.
- quill-cloud-infra/modules/kms/main.tf — KMS condition policy that binds Bedrock-credential decrypt to the published PCR0.

No JavaScript. No analytics. No cookies. Hosted as static files on S3 with a 60-second cache header.
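The I/O denylist check that test_no_io.py is described as performing, written here as an added illustration rather than the project's own test. The denylists, the `find_io_identifiers` function and the two embedded sample modules are constructed for this example.

```python
import ast
import sys

# Constructed denylists: bare names and module roots whose presence in enclave
# production code means bytes could leave the enclave other than via the relay.
IO_NAMES = {"print", "open", "input"}
IO_MODULES = {"logging", "sys", "socket", "subprocess"}


def find_io_identifiers(source: str, filename: str = "<enclave>") -> list:
    """Return sorted (line, root_identifier) pairs for every I/O-capable
    name, attribute chain or import found in `source`."""
    tree = ast.parse(source, filename=filename)
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in IO_NAMES:
            hits.add((node.lineno, node.id))
        elif isinstance(node, ast.Attribute):
            # Walk logging.getLogger(...) / sys.stdout.write down to its root name.
            root = node
            while isinstance(root, ast.Attribute):
                root = root.value
            if isinstance(root, ast.Name) and root.id in IO_MODULES:
                hits.add((node.lineno, root.id))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                mod = node.module if isinstance(node, ast.ImportFrom) else alias.name
                if mod and mod.split(".")[0] in IO_MODULES:
                    hits.add((node.lineno, mod.split(".")[0]))
    return sorted(hits)


# Constructed sample modules: one that only transforms bytes, one that leaks.
CLEAN = """
def handle(prompt: bytes) -> bytes:
    return prompt.upper()
"""
LEAKY = """
import logging
def handle(prompt: bytes) -> bytes:
    logging.info("got %s", prompt)
    print(prompt)
    return prompt
"""

if __name__ == "__main__":
    # CI gate: scan the files named on the command line, exit 1 on any hit.
    failed = False
    for path in sys.argv[1:]:
        for line, name in find_io_identifiers(open(path).read(), path):
            print(f"{path}:{line}: forbidden I/O identifier {name!r}")
            failed = True
    sys.exit(1 if failed else 0)
```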