The Sovereign Context Protocol
Agents can use private data only within permissions signed by the data owner. Each operation creates a verifiable activity record that validators can attest and the protocol can settle.
You get an answer and a bill. What ran, on which data, at what cost: unverifiable.
The execution trail stops at the vendor's API. No receipts, no replay, no independent audit.
Model, data, and metering all live with the same vendor. The auditor is the auditee.
Your context is locked inside apps. Agents that need context often have to hand it to whoever runs the model.
Proof of Compute turns AI from a black box into an auditable economic network.
| Component | Status | What you can do |
|---|---|---|
| Cere mainnet | Live since 2021 | Use the L1 settlement and governance foundation |
| Consent registry (GAR) | Live | Record and verify signed consent |
| Dragon 1 storage | DDC mainnet since 2024 | Store data on DDC |
| Dragon 1 agent compute | Testnet | Build and test agent execution |
| Agent marketplace | In build · pre-launch | Nothing public yet; first builders being onboarded |
| SCP standard | Draft v0 · specs being written | The five interfaces are on this page; public drafts follow |
// who is who: SCP = open standard · Cere = chain underneath · Dragon 1 = flagship cluster · marketplaces = built on top
A grant is signed once, recorded by GAR, attested by validators against captured activity, then settled in $CERE. Proof of Compute, end to end.
Identity is a wallet. The vault, partitioned into scopes, belongs to it. Enterprise or personal, the data never moves to the model vendor.
A grant is a signed agreement: which scopes, for how long. The Global Agent Registry verifies every access against it, and revoking is a signature change.
Agents execute on cluster compute, serverless and GPU-backed, inside the permission boundary instead of behind a vendor API.
DAC emits a signed activity record per operation: data touched, compute burned, result hash. Off-chain payloads, on-chain integrity.
Independent validators attest captured execution records against independently observed activity. Only attested records are eligible for settlement.
Each window closes automatically: customer deposits debited, operators, validators, and the protocol treasury paid in $CERE.
Run agents on personal or enterprise context without surrendering the underlying data.
What the chain of evidence actually looks like, from signed grant to settled era. Illustrative samples: field shapes follow the reference implementation, not live records.
{
"agent_service_pub_key": "ed25519:8f3c…a1d2",
"user_pub_key": "ed25519:5d9e…44b7",
"created_at": "2026-06-10T08:14:02Z",
"expires_at": "2026-09-10T08:14:02Z",
"revoked": false,
"metadata": { "scopes": [ { "context": { "vaultId": "v-7c21…", "scopeId": "calendar" } } ] },
"signature": { "algorithm": "ed25519", "signer": "5d9e…44b7", "value": "0x9b41…" }
}
// signed by the wallet · verified by GAR on every write · status derived at read
{
"record_id": "dac-019283…",
"agent": "ed25519:8f3c…a1d2",
"vault_scope": "v-7c21… / calendar",
"operation": "read + inference",
"compute": { "cpu_ms": 412, "gpu_units": 0.83 },
"result_hash": "blake2:cf02…77aa",
"signatures": ["agent-derived-key", "orchestrator", "agent-runtime"]
}
// multi-signed at source · batched → single extrinsic · payload off-chain, hash on-chain
attestation round · cluster dragon-1 · era 412 assigned validators : 7 (randomised subset, rotates per round) cross-checked vs : independently observed activity agree : 6 / 7 → quorum ≥ 2/3 ✓ PASS // recorded on ddc-clusters · unattested records never reach payout
event ClusterEraPaid { cluster: dragon-1, era: 412 } customer deposits → debited node providers → credited per validated activity validators → paid for inspection protocol treasury → share accrued // closes the window · split set per cluster by on-chain governance
// math, not promises: every step above is a signed, inspectable object before anyone gets paid
Agents on enterprise data without the data leaving the boundary. Enterprises can be billed in familiar cloud-style terms while the protocol settles verified usage underneath.
Drone and robotics fleets where every agent decision, escalation, and payload ties to measurable compute and an auditable trail.
Publish once, run on private vaults, get paid per proven execution. Verification, attribution, and cost handled by the protocol.
Your own agents on your own data, with memory that survives provider switching. Revoke with a signature.
Most AI infrastructure focuses on models, hosting, or orchestration. SCP sits between private data, agent permissions, activity capture, and settlement.
It records what happened: every run leaves a signed, attestable trail.
Agents run against scoped vaults instead of copied datasets.
Settlement depends on attested activity, not platform-reported usage.
Marketplaces are built on top; the protocol stays neutral underneath.
Compute, storage, and data activity are measured, verified, and paid out automatically to the participants who power the network.
// indicative split, set per cluster by on-chain governance. developers are paid at the marketplace layer: launch your own marketplace on the protocol and set your own creator split.
Node operators stake $CERE to join a cluster on-chain through the staking pallets.
Providers post $CERE bonds against the SLAs and data-availability commitments they declare. Miss them and the bond is slashed.
Independent validators verify usage and the protocol pays operators automatically. No invoicing, no reconciliation.
$CERE governs infrastructure commitments on-chain. Trusted parts replicate freely; staked parts scale with the network.
Assumed: some nodes misreport or fail; no single validator is trusted. Detected: validator inspection catches misreported activity, out-of-scope compute, and missed SLAs. Consequence: unattested activity never pays out, bonds are slashed, and repeat offenders are removed from the cluster set.
// want to run a node with real $CERE rewards? join the Founding 50 →
Run your own cluster, or build on someone else's. Some participants operate infrastructure; many more just use it. Dragon 1 is the flagship cluster, one instance of many by design.
Run the cluster software, register it on-chain through the ddc-clusters pallets, post your bond, declare your SLAs. No permission needed.
cluster software →Propose a cluster through OpenGov for shared resources and incentives. Public, transparent, voted by $CERE holders.
propose a cluster →Want help with architecture, region, SLA, or compliance? We help teams design and launch tailored clusters.
talk to us →// every cluster is registered, bonded, and inspected on-chain. browse them on the chain explorer.
SCP defines five interfaces for conformant participants: identity and delegation, vault access, event streams, portable memory, and conformance. Cere Protocol and Dragon 1 are first implementers, not owners: the standard is open, and intended to move to an external standards body as it stabilises.
// stage: draft v0 · five surfaces scaffolded · identity-and-delegation leads · an open change process ships with the public drafts
Wallet-owned identity and signed, scoped, time-limited grants. The load-bearing surface.
How agents read and write a user's vault, partitioned by scope.
Real-time context as a first-class, subscribable surface.
Portable agent memory that survives provider switching. The reference implementation calls these containers cubbies.
What a conformant participant must demonstrate, plus audit and lineage.
Publish an agent once, plug into any user's vault under the grants they sign, and never operate their infrastructure. Reference SDK in TypeScript today, with the CLI and a Go DDC client alongside.
import { VaultSDK, KeypairWallet } from "@cef-ai/vault-sdk" const sdk = new VaultSDK({ wallet: new KeypairWallet(seed) }) await sdk.vault.ensure() // claim the vault, bound to your key await sdk.vault.scope("calendar").publish(event) // → accepted: signed by your wallet, verified against GAR, // activity record captured for attestation // quickstart: install sdk → claim vault → request grant // → publish event → inspect the activity record
npm i -g @cef-ai/cli cef keypair generate # your wallet is your identity cef build # signed ES module + manifest cef publish # listed under your key
import "github.com/cerebellum-network/cere-ddc-sdk-go" // content-addressed reads and writes against // your DDC bucket: erasure-coded, client-keyed, // brokered by the vault's S3 credentials
$CERE holders vote on-chain over protocol parameters, treasury spends, and cluster updates. Separately, the Cere Network DAO operates as a Swiss association with member voting through its General Assembly.
Stake $CERE to secure the network and back the bonds infrastructure providers post against their commitments.
Propose and vote on referenda via Polkassembly, one CERE one vote: protocol parameters, treasury spends, cluster protocol updates, across graduated tracks.
The Cere Network DAO is a Swiss association: members vote one member, one vote in its General Assembly. A separate track from token voting.
Contribute compute to any cluster through the ddc-staking and ddc-nodes pallets, post a bond, earn a share of validated usage. Or launch a cluster of your own.
Publish agents once, signed under your own key, or launch your own marketplace on the protocol. Any conformant marketplace can carry your manifest; users bring their own vaults.
Claim a vault, connect agents under grants you sign, revoke with a signature. Your data and your agents' memory stay yours when you switch providers.
Verifiable AI compute is ready to build on. Choose your path.
Permissionless or governed. Registered, bonded, and inspected on-chain.
launch a cluster →Your data, your agents, your signature. Switch providers without losing memory.
explore the ecosystem →// questions first? talk to us