A TypeScript SDK and CLI for deploying and managing applications on EigenCloud TEE (Trusted Execution Environment). This monorepo provides both programmatic SDK access and a command-line interface for interacting with ecloud's decentralized compute platform.
ECloud SDK and CLI enables developers to:
- Deploy containerized applications to ecloud TEE
- Manage application lifecycle (start, stop, terminate)
- Build and push Docker images with encryption
- Monitor application status and logs
- Docker - To package and publish application images (Download)
- ETH for gas - For deployment transactions
- Not recommended for customer funds - Mainnet Alpha is intended to enable developers to build, test and ship applications. We do not recommend holding significant customer funds at this stage in Mainnet Alpha.
- Developer is still trusted - Mainnet Alpha does not enable full verifiable and trustless execution. * A later version will ensure developers can not upgrade code maliciously, and liveness guarantees. No SLA - Mainnet Alpha does not have SLAs around support, and uptime of infrastructure.
Note
Migrating from eigenx? Head over to Migration guide first
npm install -g @layr-labs/ecloud-cli# Log in to your Docker registry (required to push images)
docker login
# Log in with an existing private key
ecloud auth loginDon't have a private key? Use ecloud auth generate --store instead
Need ETH for gas? Run ecloud auth whoami to see your address. For sepolia, get funds from Google Cloud or Alchemy
This is required to create apps
ecloud billing subscribe# Create your app (choose: typescript | python | golang | rust)
ecloud compute app create my-app typescript
cd my-app
# Configure environment variables
cp .env.example .env
# Deploy to TEE
ecloud compute app deployHave an existing project? You don't need ecloud compute app create - the CLI works with any Docker-based project:
# From your existing project directory
cd my-existing-project
# Ensure you have a Dockerfile and .env file
# The CLI will prompt for these if not found in standard locations
# Deploy directly - the CLI will detect your project
ecloud compute app deployWhat you need:
- Dockerfile - Must target
linux/amd64and run as root user - .env file - For environment variables (optional but recommended)
The CLI will automatically prompt for the Dockerfile and .env paths if they're not in the default locations. This means you can use ecloud with any existing containerized application without restructuring your project.
Need TLS/HTTPS? Run ecloud compute app configure tls to add the necessary configuration files for domain setup with private traffic termination in the TEE.
# View app information and logs
ecloud compute app info
ecloud compute app logs
# Add --watch (or -w) to continuously poll for live updates
ecloud compute app info --watch
ecloud compute app logs --watchThat's it! Your starter app is now running in a TEE with access to a MNEMONIC that only it can access.
Ready to customize? Edit your application code, update .env with any API keys you need, then run ecloud compute app upgrade my-app to deploy your changes
Your TEE application runs with these capabilities:
- Secure Execution - Your code runs in an Intel TDX instance with hardware-level isolation
- Auto-Generated Wallet - Access a private mnemonic via
process.env.MNEMONIC- Derive wallet accounts using standard libraries (e.g., viem’s
mnemonicToAccount(process.env.MNEMONIC)) - Only your TEE can decrypt and use this mnemonic
- Derive wallet accounts using standard libraries (e.g., viem’s
- Environment Variables - All variables from your
.envfile are available in your container- Variables with
_PUBLICsuffix are visible to users for transparency - Standard variables remain private and encrypted within the TEE
- Variables with
- Onchain Management - Your app's lifecycle is controlled via Ethereum smart contracts
# List all your apps
ecloud compute app list
# Stop/start your app
ecloud compute app stop my-app
ecloud compute app start my-app
# Terminate your app
ecloud compute app terminate my-appEcloud CLI needs a private key to sign transactions. Three options:
ecloud auth generate --store # Generate new key and store it
ecloud auth login # Store an existing key securely
ecloud auth whoami # Check authentication
ecloud auth logout # Remove keyexport ECLOUD_PRIVATE_KEY=0x1234...
ecloud compute app deployecloud compute app deploy --private-key 0x1234...Priority: Flag → Environment → Keyring
# Add TLS configuration to your project
ecloud compute app configure tls
# Add variables to .env
cat .env.example.tls >> .envRequired in .env:
DOMAIN=yourdomain.com
APP_PORT=3000Recommended for first deployment:
ENABLE_CADDY_LOGS=true # Debug logs
ACME_STAGING=true # Test certificates (avoid rate limits)Create A record pointing to instance IP:
- Type: A
- Name: yourdomain.com
- Value:
<instance-ip>(get fromecloud compute app info)
ecloud compute app upgradeTo switch from staging to production:
# Set in .env:
ACME_STAGING=false
ACME_FORCE_ISSUE=true # Only if staging cert exists
# Deploy, then set ACME_FORCE_ISSUE=false for future deploysNotes:
- Let's Encrypt rate limit: 5 certificates/week per domain
- Test with staging certificates first to avoid rate limits
- DNS changes may take a few minutes to propagate
If you prefer to build and push Docker images yourself instead of letting the CLI handle it, or already have an existing image:
# Build and push your image manually
docker build --platform linux/amd64 -t myregistry/myapp:v1.0 .
docker push myregistry/myapp:v1.0
# Deploy using the image reference
ecloud compute app deploy myregistry/myapp:v1.0Requirements:
- Image must target
linux/amd64architecture - Application must run as root user (TEE requirement)
Ecloud collects anonymous usage data to help us improve the CLI and understand how it's being used. This telemetry is enabled by default but can be easily disabled.
- Commands used (e.g.,
ecloud compute app create,ecloud compute app deploy) - Error counts and types to identify common issues
- Performance metrics (command execution times)
- System information (OS, architecture)
- Deployment environment (e.g., sepolia, mainnet-alpha)
- User Ethereum address
- Personal information or identifiers
- Private keys or sensitive credentials
- Application source code or configurations
- Specific file paths or project names
For a detailed understanding of how Ecloud enables verifiable applications with deterministic identities, see our Architecture Documentation.
- Hardware Isolation - Intel TDX secure enclaves with memory encryption
- Attestation - Cryptographic proof of exact Docker image integrity
- Deterministic Keys - Apps receive consistent identities via KMS
- Smart Contracts - Onchain configuration and lifecycle management
- Node.js 18+
- pnpm (recommended) or npm
- Docker (for building and pushing images)
git clone https://github.com/Layr-Labs/ecloud
cd ecloud
pnpm install
pnpm build
pnpm ecloud versionThis monorepo contains two main packages:
The core TypeScript SDK for programmatic access to ecloud services.
Features:
- Type-safe client for ecloud operations
- Docker image building and pushing
- KMS encryption for secure deployments
- Smart contract interactions (EIP7702)
- Environment configuration management
import { createECloudClient } from "@layr-labs/ecloud-sdk";
// Create a client
const client = createECloudClient({
privateKey: "0x...",
environment: "sepolia", // or "sepolia" or "mainnet-alpha"
rpcUrl: "https://sepolia.infura.io/v3/...",
});
// Deploy an application
const result = await client.compute.app.deploy({
image: "myapp:latest",
});
console.log(`Deployed app ID: ${result.appId}`);
console.log(`Transaction hash: ${result.tx}`);
// Start an application
await client.compute.app.start(result.appId);
// Stop an application
await client.compute.app.stop(result.appId);
// Terminate an application
await client.compute.app.terminate(result.appId);The SDK supports the following environments:
- sepolia: Sepolia testnet
- mainnet-alpha: Ethereum mainnet (alpha)
ecloud-sdk/
├── packages/
│ ├── cli/ # CLI package
│ │ ├── src/
│ │ │ ├── commands/ # CLI commands
│ │ │ └── client.ts # Client loader
│ │ └── bin/ # CLI entry points
│ └── sdk/ # SDK package
│ └── src/
│ └── client/
│ └── modules/
│ └── app/ # App management module
│ ├── deploy/ # Deployment logic
│ └── index.ts
├── package.json
└── pnpm-workspace.yaml
pnpm build- Build all packagespnpm lint- Lint all packagespnpm format- Check code formattingpnpm format:fix- Fix code formattingpnpm test- Run tests (when implemented)pnpm ecloud- Run the CLI
- Create a new command file in
packages/cli/src/commands/ - Export a class extending
Commandfrom@oclif/core - The command will be automatically discovered by oclif
- Create a new module in
packages/sdk/src/client/modules/ - Export a module factory function (e.g.,
createXxxModule) - Add the module to the client in
packages/sdk/src/client/index.ts
The deployment process involves several steps:
- Preflight Checks: Validate environment and configuration
- Docker Build: Build Docker image if needed
- Image Push: Push image to registry
- Encryption: Encrypt sensitive data using KMS
- On-Chain Deployment: Deploy smart contract with app configuration
- Status Monitoring: Watch until application is running
- Private keys are never stored or logged
- Sensitive data is encrypted using KMS before deployment
- All blockchain interactions use secure wallet clients
- Environment variables are supported for sensitive configuration
- Fork the repository
- Create a feature branch
- Make your changes
- Run tests and linting
- Submit a pull request
For issues and questions, please open an issue on GitHub.