Nova apps run inside AWS Nitro Enclaves, managed by Enclaver (Sparsity edition) and supervised by Odyn (PID 1 inside the enclave). Key concepts:
Enclaver: packages your Docker image into an EIF (Enclave Image File) and manages the enclave lifecycle.
Odyn: supervisor inside the enclave; provides Internal API for signing, attestation, encryption, KMS, S3, and manages networking.
Nova Platform: cloud platform at sparsity.cloud — builds EIFs from Git, runs enclaves, exposes app URLs.
Nova KMS: distributed key management; enclave apps derive keys via /v1/kms/derive.
Nova Python SDK: canonical SDK in enclave/nova_python_sdk/ — import as from nova_python_sdk.odyn import Odyn. Ships in nova-app-template and all examples.
⚠️ enclaver.yaml and nova-build.yaml are generated by Nova Platform — developers never need to write or provide these files. The control plane generates both from app settings before triggering the build workflow. S3 storage and AWS credentials are fully managed by the platform; developers never touch them.
Prerequisites (collect from user before starting)
Ensure skill is up to date before starting:
bash
clawhub update nova-app-builder
Older versions are missing Dockerfile.txt in the template, causing scaffold to fail.
App idea: What does the app do?
Nova account + API key: Sign up at sparsity.cloud → Account → API Keys.
GitHub repo + GitHub PAT: Used only to push your app code to GitHub. Nova Platform then builds from the repo URL. The PAT is not passed to Nova Platform.
git remote set-url origin https://oauth2:${GH_TOKEN}@github.com/<user>/<repo>.git
git push origin main
⚠️ Do NOT ask for Docker registry credentials, AWS S3 credentials, or enclaver.yaml.
Nova Platform handles the Docker build, image registry, and S3/storage provisioning internally.
Developers never touch AWS credentials or write enclaver.yaml — the platform generates it from the advanced field.
The app only calls Internal API endpoints (/v1/s3/*) for storage; Odyn handles the rest.
Port choice: Any port works. Set it via advanced.app_listening_port when creating the app. Must also match EXPOSE in your Dockerfile. No requirement to use 8080.
This generates <output-dir>/<app-name>/ with the following structure:
Note: The template ships as Dockerfile.txt (clawhub cannot distribute extensionless files). scaffold.py automatically renames it to Dockerfile and substitutes the port. No manual action needed.
Alternatively, fork nova-app-template for the full production-ready structure:
text
nova-app-template/
├── Makefile
├── Dockerfile
├── enclaver.yaml ← reference template only; portal parses listening port from it;
│ platform generates the real enclaver.yaml from app settings
├── enclave/
│ ├── app.py ← entry point (not main.py)
│ ├── routes.py ← FastAPI route handlers
│ ├── config.py ← app business logic config (chain RPCs, contract address, etc.)
│ ├── chain.py ← chain interaction helpers (app-specific ABI, contract reads)
│ ├── tasks.py ← background scheduler (oracle, periodic jobs)
│ ├── nova_python_sdk/ ← canonical Nova SDK (do not modify)
│ │ ├── odyn.py ← identity, attestation, encryption, S3, KMS/app-wallet wrappers
│ │ ├── kms_client.py ← thin client for KMS and app-wallet request handlers
│ │ ├── rpc.py ← shared RPC transport + environment switching
│ │ └── env.py ← IN_ENCLAVE + endpoint resolution helpers
│ └── requirements.txt
├── frontend/ ← React/Next.js UI (served at /frontend)
└── contracts/ ← example on-chain contracts
Edit enclave/main.py (scaffold) or enclave/routes.py (full template). Key patterns:
Minimal FastAPI app:
python
import os, httpx
from fastapi import FastAPI
app = FastAPI()
IN_ENCLAVE = os.getenv("IN_ENCLAVE", "false").lower() == "true"
ODYN_BASE = "http://localhost:18000" if IN_ENCLAVE else "http://odyn.sparsity.cloud:18000"
@app.get("/api/hello")
def hello():
r = httpx.get(f"{ODYN_BASE}/v1/eth/address", timeout=10)
return {"message": "Hello from TEE!", "enclave": r.json()["address"]}
⚠️ IN_ENCLAVE is NOT injected automatically by Enclaver — it's an app-level convention. Set it in your Dockerfile as ENV IN_ENCLAVE=false for local dev; the platform sets it true in production.
Using the Nova Python SDK (recommended for full template; copy from nova-app-template):
Business chain: Ethereum Mainnet (1) — your business logic
Helios light-client RPC runs locally at http://127.0.0.1:18545 (Base Sepolia) and http://127.0.0.1:18546 (Mainnet).
⚠️ Helios RPC ports must be decided before creating the app — they are set in advanced.helios_chains[].local_rpc_port and locked at creation time. Choose values carefully up front.
Rules for enclave code:
Odyn calls (localhost): requests or httpx both work — Odyn is local.
External outbound HTTP: must use httpx (proxy-aware). Never use requests or urllib for external calls — they may bypass the egress proxy.
Persistent state → use /v1/s3/* endpoints (or odyn.s3_put()); the enclave filesystem is ephemeral.
Secrets → derive via KMS (/v1/kms/derive); never from env vars or hardcoded.
Test locally: IN_ENCLAVE=false python3 app.py (scaffold: uvicorn main:app --port <port>). Odyn calls hit the public mock.
/.well-known/attestation routing note: In production Nova deployments, this endpoint is handled by Caddy routing to the Aux API (port 18001) — not your app code. Some examples implement it in app code as a local dev shim. Don't ship that in production.
Step 3 — Commit & push to Git
Your repo only needs Dockerfile + app code. No local Docker build needed — Nova Platform builds from your Git repo directly.
KMS integration is fully handled by the platform — just set enable_decentralized_kms: true (and optionally enable_app_wallet: true) in advanced when creating the app. No contract addresses, app IDs, or manual KMS config needed in your code.
bash
git add .
git commit -m "Initial Nova app"
git push origin main
Step 4 — Deploy to Nova Platform
The deployment is a 3-step process: Create App → Trigger Build → Create Deployment.
Via Portal (recommended for first-time)
Portal flow (works for both scaffold and full template):
The repo URL is stored on the app record and used for all subsequent builds — you don't provide it again at build time.
In the App page → Versions → + New Version:
Git Ref: main (or tag / commit SHA)
Version: e.g. 1.0.0
Submit
Wait for build status → success (platform builds Docker image → EIF → generates PCRs and build-attestation.json signed with Sigstore/cosign)
In Versions, find the successful version → Deploy this version:
Select Region
Select Tier: standard or performance
Submit
Poll until deployment state → running → copy the App URL (hostname from app detail)
The deploy modal has no environment-variable input — no env vars or credentials needed.
Via API (scripted)
The script will ask interactively whether to run on-chain registration after the app is live. Use --onchain to always run it, --no-onchain to always skip.
BASE="https://sparsity.cloud/api"
TOKEN="<your-api-key>"
REPO="https://github.com/you/my-app"
# 1. Create app — 'advanced' is the only config field needed
SQID=$(curl -sX POST "$BASE/apps" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name":"my-app",
"repo_url":"'"$REPO"'",
"description":"optional description",
"metadata_uri":"",
"app_contract_addr":"",
"advanced":{
"directory":"/",
"app_listening_port":8080,
"egress_allow":["**"],
"enable_decentralized_kms":false,
"enable_persistent_storage":false,
"enable_s3_storage":false,
"enable_s3_kms_encryption":false,
"enable_ipfs_storage":false,
"enable_walrus_storage":false,
"enable_app_wallet":false,
"enable_helios_rpc":false
}
}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['sqid'])")
echo "App sqid: $SQID"
# 2. Create new version (build) — repo URL comes from app record, not repeated here
BUILD_ID=$(curl -sX POST "$BASE/apps/$SQID/builds" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"git_ref":"main","version":"1.0.0"}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
echo "Build ID: $BUILD_ID"
# 3. Poll build
while true; do
STATUS=$(curl -s "$BASE/builds/$BUILD_ID/status" \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))")
echo "Build: $STATUS"
[ "$STATUS" = "success" ] && break
[ "$STATUS" = "failed" ] && echo "Build failed!" && exit 1
sleep 15
done
# 4. Deploy this version — specify region and tier
# region options: ap-south-1 (default), us-east-1, us-west-1, eu-west-1
# tier options: standard (2vCPU/5GiB), performance (6vCPU/13GiB)
DEPLOY_ID=$(curl -sX POST "$BASE/apps/$SQID/deployments" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"build_id\":$BUILD_ID,\"region\":\"ap-south-1\",\"tier\":\"standard\"}" \
| python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
echo "Deployment ID: $DEPLOY_ID"
# 5. Poll deployment
while true; do
RESP=$(curl -s "$BASE/deployments/$DEPLOY_ID/status" -H "Authorization: Bearer $TOKEN")
STATE=$(echo $RESP | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('deployment_state',''))")
echo "Deployment state: $STATE"
[ "$STATE" = "running" ] && break
[ "$STATE" = "failed" ] && echo "Deploy failed!" && exit 1
sleep 15
done
# 6. Get app URL (hostname from detail, or use unified status)
curl -s "$BASE/apps/$SQID/detail" -H "Authorization: Bearer $TOKEN" \
| python3 -c "import sys,json; d=json.load(sys.stdin); print(d['app'].get('hostname',''))"
# Tip: GET /api/apps/{sqid}/status gives the full lifecycle in one call:
# build_status, deployment_state, proof_status, onchain_instance_id, etc.
Step 5 — Verify the live app
bash
# Health check
curl https://<hostname>/
# Hello endpoint (returns enclave address + signature)
curl https://<hostname>/api/hello
# Attestation (proves it's a real Nitro Enclave) — POST, returns binary CBOR
# In production, /.well-known/attestation is Caddy → Aux API; not app code
curl -sX POST https://<hostname>/.well-known/attestation --output attestation.bin
Note: /api/app-wallet is only available if you forked nova-app-template. The scaffold template includes /api/hello instead.
Step 6 — On-Chain Registration (optional but important for trust)
After the app is running, register it on-chain to establish verifiable trust.
Using the script (recommended):
bash
python3 scripts/nova_deploy.py ... --onchain
The script will automatically execute steps 6a–6d and poll until complete.
Manually via API — 4-step sequence:
bash
# 6a. Create app on-chain
curl -sX POST "$BASE/apps/$SQID/create-onchain" \
-H "Authorization: Bearer $TOKEN"
# Poll: GET /api/apps/{sqid}/status → onchain_app_id is set when done
# 6b. Enroll build version on-chain (PCR measurements → trusted code fingerprint)
curl -sX POST "$BASE/apps/$SQID/builds/$BUILD_ID/enroll" \
-H "Authorization: Bearer $TOKEN"
# Poll enrollment via build status endpoint
while true; do
ENROLLED=$(curl -s "$BASE/builds/$BUILD_ID/status" \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('is_enrolled',''))")
echo "Enrolled: $ENROLLED"
[ "$ENROLLED" = "True" ] && break
sleep 10
done
# 6c. Generate ZK proof (SP1-based)
curl -sX POST "$BASE/zkproof/generate" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"deployment_id\": $DEPLOY_ID}"
# Poll proof via deployment status endpoint (or /zkproof/status/{deployment_id})
while true; do
PROOF=$(curl -s "$BASE/deployments/$DEPLOY_ID/status" \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "import sys,json; print(json.load(sys.stdin).get('proof_status',''))")
echo "Proof status: $PROOF"
[ "$PROOF" = "proved" ] && break
[ "$PROOF" = "failed" ] && echo "Proof failed!" && exit 1
sleep 30
done
# 6d. Register instance on-chain (manual — auto-registration has been removed)
curl -sX POST "$BASE/apps/$SQID/instance/register" \
-H "Authorization: Bearer $TOKEN"
# Poll: GET /api/deployments/{id}/status → onchain_instance_id is set when done
# Or use unified: GET /api/apps/{sqid}/status → latest_onchain_instance_id
What each step does:
Create app on-chain: Registers your app in the Nova App Registry contract (Base Sepolia)
Enroll version: Records the EIF's PCR measurements on-chain — the trusted code fingerprint
Generate ZK proof: Platform generates an SP1 zero-knowledge proof from the enclave's Nitro attestation
Register instance: Verifies the ZK proof on-chain and links the live instance to its enrolled version
After registration, anyone can verify on-chain that this running instance matches the audited build.
Odyn Internal API Reference
All endpoints are on http://127.0.0.1:18000 (Primary API — inside enclave only, NOT publicly exposed in production).
Always-available endpoints:
Endpoint
Method
Description
/v1/eth/address
GET
Enclave Ethereum address + public key
/v1/eth/sign
POST
EIP-191 personal-sign (optionally with attestation)
/v1/eth/sign-tx
POST
Sign EIP-1559 transactions
/v1/random
GET
32 bytes from NSM-backed randomness
/v1/attestation
POST
Raw CBOR attestation bytes (not JSON)
/v1/encryption/public_key
GET
Enclave P-384 public key
/v1/encryption/encrypt
POST
Encrypt response to a client
/v1/encryption/decrypt
POST
Decrypt client payloads
Feature-gated endpoints (set in advanced at app creation):
Endpoint Group
Gate
Description
/v1/s3/*
enable_s3_storage: true
Base64 object storage backed by S3
/v1/kms/derive
enable_decentralized_kms: true
Deterministic key derivation
/v1/kms/kv/put|get|delete
enable_decentralized_kms: true
KMS-backed KV store with optional TTL
/v1/app-wallet/address
enable_app_wallet: true
App-specific wallet address
/v1/app-wallet/sign
enable_app_wallet: true
EIP-191 message signing via app wallet
/v1/app-wallet/sign-tx
enable_app_wallet: true
EIP-1559 transaction signing via app wallet
Port exposure in production:
Runtime publishes exactly two ports: host app port → enclave app port and host attestation port → enclave Aux API port 18001
/.well-known/attestation* is routed by Caddy to the host attestation port → Aux API (18001)
Primary API (18000) is NOT exposed publicly for normal production apps
Odyn mock service (local development):
Primary API: http://odyn.sparsity.cloud:18000
Aux API: http://odyn.sparsity.cloud:18001
Helios RPC presets: http://odyn.sparsity.cloud:18545 through :18553
Key Notes
advanced is REQUIRED at app creation. Omitting it will cause the build to fail. Only advanced exists — the old enclaver field has been removed from the API.
Your repo only needs Dockerfile + app code. The platform handles everything else at build time.
App ID format: sqid (string like abc123) — use in all URL paths, not the integer id.
Port: Set via advanced.app_listening_port. Must also match EXPOSE in Dockerfile. The enclaver.yaml in the template repo is a reference; portal reads the listening port from it.
Repo URL is set once at app creation — not repeated at build time. Build only needs git_ref + version.
Deploy requires region + tier: regions are ap-south-1 (default), us-east-1, us-west-1, eu-west-1. tier is "standard" (2 vCPU/5 GiB) or "performance" (6 vCPU/13 GiB). No env var injection in deploy.
Helios RPC: Use the canonical port mapping in references/nova-api.md — ports are fixed and locked at app creation.
KMS/S3 fully managed by platform — no AWS credentials, no enclaver.yaml authoring needed.
No Docker push: Platform builds from Git.
On-chain steps (create-onchain → enroll → ZK proof → register) are required for public verifiability, but optional for a functional running app.
Instance registration is now manual — auto-registration has been removed. Use POST /api/apps/{app_sqid}/instance/register after proof is proved.
Portal helper APIs (clone-repo, get-enclaver-config) are used by the portal UI to auto-fill the listening port from enclaver.yaml when you enter a repo URL. Not needed for direct API usage.
Build provenance: Builds produce a build-attestation.json with PCR0/PCR1/PCR2, source repo, commit, GitHub run metadata — signed with Sigstore/cosign and stored off-chain.
IN_ENCLAVE is not injected by Enclaver — set ENV IN_ENCLAVE=false in Dockerfile for local dev; production sets it true.
Common Issues
Symptom
Fix
Dockerfile missing after scaffold
Run clawhub update nova-app-builder then re-scaffold. The template ships as Dockerfile.txt and scaffold renames it to Dockerfile automatically.
App expects enclaver.yaml or old config
enclaver.yaml is always generated by Nova Platform — developers never provide it. The advanced field at app creation drives all platform-level config. Only enclave/config.py (app business logic) needs developer attention when using the full template.
API endpoint console.sparsity.cloud not resolving
Old version of nova_deploy.py. Run clawhub update nova-app-builder. Correct endpoint is https://sparsity.cloud/api.
from odyn import Odyn fails
Old import path. New SDK is at nova_python_sdk/. Use from nova_python_sdk.odyn import Odyn.
Build stuck in pending
Check GitHub Actions in nova build repo; may be queued
Build failed
Check error_message in build response; usually Dockerfile issue
Deploy API returns 401
Regenerate API key at sparsity.cloud
App stuck in provisioning >10 min
Check app logs via GET /api/apps/{sqid}/detail
httpx request fails inside enclave
Add domain to advanced.egress_allow. Note: "**" matches domains only — add "0.0.0.0/0" for direct IP connections
Direct IP connection blocked
"**" does NOT cover IPs. Add "0.0.0.0/0" (IPv4) and/or "::/0" (IPv6) to egress_allow
S3 fails
Ensure 169.254.169.254 and S3 endpoint are in egress allow list
/v1/kms/* returns 400
Ensure enable_decentralized_kms: true and enable_helios_rpc: true in advanced at app creation
App Wallet unavailable
Ensure enable_app_wallet: true in advanced at app creation
Proxy not respected for external calls
Use httpx for external HTTP calls (proxy-aware). requests/urllib may bypass the egress proxy. Note: requests is fine for internal Odyn calls (localhost).
Health check returns 502
App is starting; wait for enclave to fully boot
ZK proof stuck
Check GET /api/zkproof/status/{deployment_id} for details
/.well-known/attestation returning wrong format in prod
In production, this is Caddy → Aux API routing — not app code. Remove app-side shim for production builds.
Reference Files
references/odyn-api.md — Full Odyn Internal API (signing, encryption, S3, KMS, App Wallet, attestation)
references/nova-api.md — Nova Platform REST API (full endpoint reference)
Nova Python SDK: The canonical SDK lives in enclave/nova_python_sdk/ in both nova-app-template and all examples. Do not modify SDK files — copy the whole directory into your project.