diff --git a/.vitepress/sidebar.ts b/.vitepress/sidebar.ts index 067dcccc..2bcca6ce 100644 --- a/.vitepress/sidebar.ts +++ b/.vitepress/sidebar.ts @@ -345,7 +345,11 @@ export function getSidebar() { text: '๐Ÿ“– Guides', items: [ { - text: 'Manage Your iApps', + text: 'Build and Deploy your iApps', + link: '/build-iapp/guides/build-&-deploy-iapp', + }, + { + text: 'Manage your iApps', link: '/build-iapp/guides/manage-iapp', }, { diff --git a/src/build-iapp/guides/ai-frameworks.md b/src/build-iapp/guides/ai-frameworks.md deleted file mode 100644 index e69de29b..00000000 diff --git a/src/build-iapp/guides/build-&-deploy-iapp.md b/src/build-iapp/guides/build-&-deploy-iapp.md new file mode 100644 index 00000000..27697166 --- /dev/null +++ b/src/build-iapp/guides/build-&-deploy-iapp.md @@ -0,0 +1,115 @@ +--- +title: Build and Deploy an iApp? +description: + How to build an confidential iexec application and deploy it on iexec protocol +--- + +## iApp Generator: Your Development Tool + +Bootstrap TEE-compatible applications in minutes without any hardcoding skills, +iApp Generator handles all the low-level complexity for you. + +- **Access to TEEs easily** - No need to dive into low-level requirements, build + iApps that connect to TEEs in minutes. +- **Check and deploy iApps quickly** - iApp Generator checks that your iApp + complies with the iExec Framework and streamlines its deployment. +- **Select your project mode & language** - Get started with either a basic or + advanced setup, depending on your experience with the iExec framework. You can + use Python or JavaScriptโ€”whichever you prefer! + +```bash +# Create your iApp (Python or Node.js supported) +iapp init my-privacy-app +cd my-privacy-app + +# Develop and test locally (simulates TEE environment) +iapp test +# Deploy to the network +iapp deploy +``` + +
+

Note: iApp Generator currently supports Python and Node.js, but iApps can be built in any language that runs in Docker.

+
+ +## Real Examples + +Here are some real-world examples of iApps to help you understand how they work +in practice. + +**Email Notification iApp** + +This iApp lets you send updates to your contacts without ever seeing their email +addresses, privacy is preserved by design. + +::: code-group + +```python [Python] +# User runs: "Send updates to my contacts about my project" +contacts = load_protecteddata() # User's protected contact list +for contact in contacts: + send_email(contact, project_update_message) +# โ†’ Emails sent directly, you never see the addresses +``` + +```js [Node.js] +/* User runs: "Send updates to my contacts about my project" */ +const contacts = loadProtectedData(); // User's protected contact list +contacts.forEach((contact) => { + sendEmail(contact, projectUpdateMessage); +}); +// โ†’ Emails sent directly, you never see the addresses +``` + +::: + +**Oracle Update iApp** + +This iApp securely updates a price oracle using private trading data, ensuring +sensitive information stays confidential. + +::: code-group + +```python [Python] +# User runs: "Update price oracle with my private trading data" +trading_data = load_protecteddata() # User's protected trading history +average_price = calculate_weighted_average(trading_data) +update_oracle_contract(average_price) +# โ†’ Oracle updated with real data, trading history stays private +``` + +```js [Node.js] +/* User runs: "Update price oracle with my private trading data" */ +const tradingData = loadProtectedData(); // User's protected trading history +const averagePrice = calculateWeightedAverage(tradingData); +updateOracleContract(averagePrice); +// โ†’ Oracle updated with real data, trading history stays private +``` + +::: + +**Automated Transactions iApp** + +This iApp automates monthly payments using protected payment details, so +financial information remains private. + +::: code-group + +```python [Python] +# User runs: "Automate payments every month" +payment_info = load_protecteddata() # User's payment details +for month in range(12): + process_payment(payment_info) +# โ†’ Payments processed, payment details stay private +``` + +```js [Node.js] +/* User runs: "Automate payments every month" */ +const paymentInfo = loadProtectedData(); // User's payment details +for (let month = 0; month < 12; month++) { + processPayment(paymentInfo); +} +// โ†’ Payments processed, payment details stay private +``` + +::: diff --git a/src/build-iapp/guides/debugging-your-iapp.md b/src/build-iapp/guides/debugging-your-iapp.md index e66469d2..96815a3f 100644 --- a/src/build-iapp/guides/debugging-your-iapp.md +++ b/src/build-iapp/guides/debugging-your-iapp.md @@ -112,6 +112,12 @@ with open(f"{os.environ['IEXEC_OUT']}/computed.json", 'w') as f: json.dump(computed, f) ``` +### โš ๏ธ **Dataset type unmatching** + +- **Cause**: The dataset type specified in the frontend (protectData) does not + match with the dataset type specified in the iApp +- **Solution**: Check both dataset types + ## Best Practices ### ๐Ÿ” **Input Validation** diff --git a/src/build-iapp/guides/inputs-and-outputs.md b/src/build-iapp/guides/inputs-and-outputs.md index c81ee1c3..9ae58597 100644 --- a/src/build-iapp/guides/inputs-and-outputs.md +++ b/src/build-iapp/guides/inputs-and-outputs.md @@ -275,23 +275,6 @@ environment. **When to use:** Processing user's sensitive information like personal data, financial records, health data. -### How Users Provide Protected Data - -Users specify the protected data address when executing your iApp: - -```ts twoslash -import { IExecDataProtectorCore, getWeb3Provider } from '@iexec/dataprotector'; - -const web3Provider = getWeb3Provider('PRIVATE_KEY'); -const dataProtectorCore = new IExecDataProtectorCore(web3Provider); -// ---cut--- -// User provides their protected data for processing -const response = await dataProtectorCore.processProtectedData({ - protectedData: '0x123abc...', // Address of their protected data - app: '0x456def...', // Your iApp address -}); -``` - ### How to Access Protected Data Protected data is available in the `IEXEC_IN` directory as decrypted files: @@ -345,6 +328,23 @@ try { ::: +### How Users Provide Protected Data + +Users specify the protected data address when executing your iApp: + +```ts twoslash +import { IExecDataProtectorCore, getWeb3Provider } from '@iexec/dataprotector'; + +const web3Provider = getWeb3Provider('PRIVATE_KEY'); +const dataProtectorCore = new IExecDataProtectorCore(web3Provider); +// ---cut--- +// User provides their protected data for processing +const response = await dataProtectorCore.processProtectedData({ + protectedData: '0x123abc...', // Address of their protected data + app: '0x456def...', // Your iApp address +}); +``` + ### Working with Multiple Protected Datasets When multiple datasets are provided, they're available as separate files: diff --git a/src/build-iapp/guides/manage-iapps.md b/src/build-iapp/guides/manage-iapps.md deleted file mode 100644 index e69de29b..00000000 diff --git a/src/build-iapp/guides/orders.md b/src/build-iapp/guides/orders.md deleted file mode 100644 index e69de29b..00000000 diff --git a/src/build-iapp/guides/other-emerging-trends.md b/src/build-iapp/guides/other-emerging-trends.md deleted file mode 100644 index e69de29b..00000000 diff --git a/src/build-iapp/guides/using-tdx-experimental.md b/src/build-iapp/guides/using-tdx-experimental.md index 5754e24f..64774d37 100644 --- a/src/build-iapp/guides/using-tdx-experimental.md +++ b/src/build-iapp/guides/using-tdx-experimental.md @@ -38,6 +38,15 @@ technology, different from the default SGX implementation. - โŒ **Limited worker availability** - โŒ **Not production ready** +| Feature | Intel SGX | Intel TDX | +| ------------------------ | ----------------------------------------------------------------------------------- | -------------------------------------------- | +| Release Year | 2015 | 2023 | +| Enclave Scope | Application level | Virtual machine level | +| Code Adaptation Required | Yes - needs redesign of app's logic | No - supports lift-and-shift of full systems | +| Memory Size | Limited | Extensive (multi-GB+) | +| Integration Complexity | Higher (more dev work) | Lower (VM legacy code) | +| Best Fit For | Lightweight, high-assurance modules (e.g. wallets, crypto key ops, small AI models) | Heavier AI workloads, legacy apps, databases | + ## Enabling TDX in iApp Generator ### Environment Variable Method @@ -53,6 +62,15 @@ iapp deploy iapp run ``` +:::warning Environment Variable Declaration + +The syntax for setting environment variables differs between operating systems: + +- **Mac/Linux**: `export EXPERIMENTAL_TDX_APP=true` +- **Windows**: `set EXPERIMENTAL_TDX_APP=true` + +::: + ### Per-Command Method **Enable TDX for specific commands**: @@ -77,6 +95,30 @@ EXPERIMENTAL_TDX_APP=true iapp debug iexec app show ``` +### + +โš ๏ธ **To use** the iExec DataProtector SDK with TDX support, you must configure +the SDK with the right SMS endpoint. + +```jsx +const dataProtector = new IExecDataProtector(web3Provider, { + iexecOptions: { + smsURL: 'https://sms.labs.iex.ec', + }, +}); +``` + +โš ๏ธ**You need** to change the default worker pool in your protected Data +declaration + +```jsx +await dataProtector.core.processProtectedData({ + protectedData: protectedData.address, + workerpool: 'tdx-labs.pools.iexec.eth', + app: '0x1919ceb0c6e60f3B497936308B58F9a6aDf071eC', +}); +``` + ## Protected Data Compatibility :::warning Protected Data Requirements diff --git a/src/build-iapp/iapp-generator/getting-started.md b/src/build-iapp/iapp-generator/getting-started.md index 0457ac5e..2458db91 100644 --- a/src/build-iapp/iapp-generator/getting-started.md +++ b/src/build-iapp/iapp-generator/getting-started.md @@ -6,7 +6,7 @@ Before using the iApp Generator, make sure you have: \- [**Node.js**](https://nodejs.org/en/) version 20 or higher -\- **Docker** +\- **Docker / Docker hub account** \- **Docker Buildx** _(for macOS users, check AMD64 compatibility)_ diff --git a/src/build-iapp/what-is-iapp.md b/src/build-iapp/what-is-iapp.md index 40b2bfff..ff132374 100644 --- a/src/build-iapp/what-is-iapp.md +++ b/src/build-iapp/what-is-iapp.md @@ -5,210 +5,204 @@ description: Privacy-first applications that run on decentralized infrastructure # ๐Ÿš€ What Is an iApp? -**Think about code, but it runs in a privacy-safe environment.** An iApp is just -your regular application code (Python script, AI model, data processor) packaged -to run inside secure enclaves. +An iExec Application (iApp) is your regular application code (Python script, AI +model, data processor) that can securely process protected data (created by +[DataProtector](/manage-data/dataProtector)) inside a confidential computing +environment called TEE (a Trusted Execution Environment). -## Why Would You Want This? +## Why iApps Matter? -Simple: **to process sensitive data that users won't normally share.** +iApps let you process sensitive data while keeping it private and secure. Imagine you want to build: -- An AI that analyzes personal health data -- An email tool that needs access to contact lists -- A financial advisor that processes bank statements -- A content filter that reads private messages +
+
+
+ ๐Ÿค– + An AI that analyzes personal health data +
+
+ ๐Ÿ“ง + An email tool that needs access to contact lists +
+
+ ๐Ÿ’ฐ + A financial advisor that processes bank statements +
+
+ ๐Ÿ›ก๏ธ + A content filter that reads private messages +
+
+
Users have this data, but they won't give it to your regular app. **With iApps, they will.** -## How It Works - -Your code runs in a **trusted execution environment** (TEE) - think of it as a -"privacy bubble" that even iExec workers can't peek into. - -Users run your iApp when they want to **use** their Protected Data for -something. Your code gets access to their protected data, performs actions with -it - all without you ever seeing the raw data. - -## iApp Generator: Your Development Tool - -Creating iApps used to be complex. **iApp Generator** simplifies this by: - -- **Simulating TEE environment locally** - Test your code in conditions close to - real execution -- **Handling deployment** - Package and deploy with simple commands -- **Managing dependencies** - Docker containers, environment setup, etc. - -```bash -# Create your iApp (Python or Node.js supported) -iapp init my-sentiment-analyzer -cd my-sentiment-analyzer - -# Develop and test locally (simulates TEE environment) -iapp test -# Deploy to the network -iapp deploy -``` - -_Note: iApp Generator currently supports Python and Node.js, but iApps can be -built in any language that runs in Docker._ - -## Real Examples - -**Email Notification iApp** - -```python -# User runs: "Send updates to my contacts about my project" -contacts = load_protecteddata() # User's protected contact list -for contact in contacts: - send_email(contact, project_update_message) -# โ†’ Emails sent directly, you never see the addresses -``` - -**Oracle Update iApp** - -```python -# User runs: "Update price oracle with my private trading data" -trading_data = load_protecteddata() # User's protected trading history -average_price = calculate_weighted_average(trading_data) -update_oracle_contract(average_price) -# โ†’ Oracle updated with real data, trading history stays private -``` - -**Automated Transactions iApp** - -```python -# User runs: "Buy tokens when my portfolio meets certain conditions" -portfolio = load_protecteddata() # User's protected portfolio data -if should_buy_tokens(portfolio): - execute_trade(token_address, amount) -# โ†’ Trade executed based on private data, portfolio details stay hidden -``` - -## The Trust Model - -Here's why users will actually use your iApp with their private data: - -### What Users See - -- โœ… "This code runs in a secure enclave, not on the developer's servers" -- โœ… "My data gets used privately for actions I want" -- โœ… "Even iExec workers can't see my data during execution" -- โœ… "I can revoke access anytime" - -### What You Get - -- โœ… Users willing to use your services with their sensitive data -- โœ… New business models around privacy-preserving analytics -- โœ… Competitive advantage through privacy guarantees +## Key Concepts + +
+
+ โœ… +

True Privacy: Users never expose their raw data. Your app processes it privately inside secure enclaves.

+
+
+ โœ… +

Trusted Execution: iExec ensures that your code runs inside a Trusted Execution Environment (TEE), which guarantees that only the specified Docker image is executed in a secure and isolated environment.

+
+
+ โœ… +

Decentralized Infrastructure: No single point of failure. Your app runs across a distributed network of workers.

+
+
+ โœ… +

Zero Trust Architecture: User data is protected by hardware-based TEEs, which keep data confidential and inaccessible to the host, cloud provider, or operating system during execution.

+
+
-### The Technical Reality - -``` -User's Private Data โ†’ Encrypted โ†’ TEE Environment โ†’ Your iApp uses it โ†’ Actions Performed -``` +## How It Works -**Nobody sees the raw data except your code running inside the secure enclave.** +Your code runs in a Trusted Execution Environment (TEE), a secure area inside +specific processors (Intel SGX/TDX chipset). Everything that happens there stays +private and protected, even from the operating system. + +An authorized user can trigger an iApp that processes someone's protected data +inside this private environment. The data is used, but never exposed, not even +to the person running the app. + +
+
+
+ 1 + User provides private data +
+
+ 2 + Data is protected with DataProtector +
+
+ 3 + Protected data transferred to Trusted Execution Environment (TEE) +
+
+ 4 + Your iApp runs inside TEE and processes protected data +
+
+ 5 + Confidential computing performed while maintaining privacy +
+
+
+ +
+

Nobody sees the raw data except your code running inside the secure enclave.

+
Your iApp can send emails, update contracts, make transactions, trigger notifications - anything your code needs to do with the protected data. This isn't about trust - it's about **mathematical guarantees** that privacy is preserved. -## What This Enables - -### ๐Ÿ“ง **Private Communication** - -Users send emails, notifications, or messages using their protected contact -lists without exposing recipient information. - -### ๐Ÿ”ฎ **Trustworthy Oracles** - -Users contribute real data to oracles while keeping their private information -confidential. - -### ๐Ÿค– **Personal AI Assistants** - -Users let AI models perform actions based on their private data - trading, -scheduling, recommendations. - -### โšก **Automated Actions** - -Users set up automated workflows that use their private data to trigger actions, -transactions, or updates. +## Use Cases + +
+
+
+ ๐Ÿ“ง +

Private Communication

+
+

Users send emails, notifications, or messages using their protected contact lists without exposing recipient information.

+
+ +
+
+ ๐Ÿ”ฎ +

Trustworthy Oracles

+
+

Users contribute real data to oracles while keeping their private information confidential.

+
+ +
+
+ ๐Ÿค– +

Personal AI Assistants

+
+

Users let AI models perform actions based on their private data - trading, scheduling, recommendations...

+
+ +
+
+ โšก +

Automated Actions

+
+

Users let AI models perform actions based on their private data - trading, scheduling, recommendations...

+
+
## โ“ Frequently Asked Questions -::: details ๐Ÿ“ฆ What can I build with iApps? Anything that runs in Docker! AI -models, data processing scripts, web scrapers, image processing, financial -calculations, etc. If it runs in a container, it can be an iApp. ::: - -::: details โšก How fast are iApps? Initial task scheduling takes ~30 seconds -(depending on the resources the worker download, congestion etc), then your code -runs at normal speed depending on complexity. ::: +::: details ๐Ÿ“ฆ What can I build with iApps? -::: details ๐Ÿ›ก๏ธ Are iApps really secure? Yes! Code runs in Intel SGX or TDX -secure enclaves. Even the worker running your iApp can't see what's happening -inside the enclave. ::: +Anything that runs in Docker! AI models, data processing scripts, web scrapers, +image processing, financial calculations, etc. If it runs in a container, it can +be an iApp. -::: details ๐Ÿš€ How do I deploy my first iApp? Try our -[Hello World](/overview/helloWorld) for a quick start, or check the -[iApp Generator](/build_iapp/iapp-generator) section for detailed instructions. ::: -::: details ๐Ÿ”ง What programming languages are supported? iApps can be built in -any language that runs in Docker (Python, JavaScript, R, Java, Go, etc.). -However, **iApp Generator** currently supports only Python and Node.js for -simplified development. ::: +::: details โšกHow fast are iApps? -## Why This Changes Everything +Initial task scheduling takes a few seconds (depending on the resources the +worker download, congestion etc), then your code runs at normal speed depending +on complexity. -### โœ… **True Privacy** - -Users never expose their raw data. Your app processes it privately inside secure -enclaves. - -### โœ… **Verifiable Execution** - -Cryptographic proof that your code ran exactly as intended. No black box -execution. - -### โœ… **Decentralized Infrastructure** - -No single point of failure. Your app runs across a distributed network of -workers. - -### โœ… **Zero Trust Architecture** +::: -Users don't need to trust you with their data. The protocol guarantees privacy. +::: details ๐Ÿ›ก๏ธ Are iApps really secure? -## Start Building +Yes! Code runs in Intel SGX or TDX secure enclaves. Even the worker running your +iApp can't see what's happening inside the enclave. -Ready to build privacy-first applications? +::: -### ๐Ÿš€ **Try iApp Generator** +::: details ๐Ÿš€ How do I deploy my first iApp? -- [Getting Started](/build_iapp/iapp-generator/getting-started) - Deploy your - first iApp in 15 minutes -- [Building Your iExec App](/build_iapp/iapp-generator/building-your-iexec-app) - - Complete development guide +Try our [Hello World](/overview/helloWorld) for a quick start, or check the +[iApp Generator](/build-iapp/iapp-generator) section for detailed instructions. -### ๐Ÿ“– **Learn with Guides** +::: -- [Orders](/build_iapp/guides/orders) - How iApp execution works -- [Inputs and Outputs](/build_iapp/guides/inputs-and-outputs) - Handle data flow -- [Debugging Your iApp](/build_iapp/guides/debugging-your-iapp) - Troubleshoot - issues +::: details ๐Ÿ”ง What programming languages are supported? -### ๐ŸŽฏ **See iApps in Action** +iApps can be built in any language that runs in Docker (Python, JavaScript, R, +Java, Go, etc.). However, **iApp Generator** currently supports only Python and +Node.js for simplified development. -Real iApps you can use today: +::: -- [Web3Mail](/use_iapp/web3mail) - Private emailing iApp SDK -- [Web3Telegram](/use_iapp/web3telegram) Private messaging iApp SDK -- [Oracle Factory](/use_iapp/oracle-factory) - Decentralized oracles +## Next Steps + +
+ +
+
+
๐Ÿ“š
+
+ Learn More - iApp Generator: + Complete DataProtector Documentation +
+
+
+
๐Ÿš€
+
+ Getting Started - deploy your first iApp: + DataProtector Quick Start Guide +
+
+
+ +
---