Introducing Haven Protocol — Privacy Reputation on CKB

Hey everyone,

I’m excited to share Haven Protocol, a privacy reputation layer I’ve been building natively on Nervos CKB.

The Problem

Reputation systems today force a choice: either your identity is public and your reputation is meaningful, or your identity is private and your reputation is non-existent. There’s no way to prove you’re a trustworthy participant without revealing who you are.

What Haven Does

Haven flips this. Your score is public. Your identity is private.

Every user gets a Haven Score (0-1000) based on their real activity - CKB on-chain transactions, GitHub contributions, Twitter engagement. The score lives on-chain as a CKB cell, readable by any dApp. But the identity behind that score? Known only inside a Phala Network TEE. Nobody - not Haven, not the chain, not other users - can link a score to a real person.

How It Works

1. Connect your wallet - your CKB wallet is the only required connection. Social accounts (Twitter, GitHub, LinkedIn) are optional and boost your score.

2. TEE computes your score - the Phala TEE collects your activity, runs the scoring formulas (privacy hygiene, contribution, humanity, community), and generates a DCAP attestation that cryptographically binds the scoring result to the TEE’s execution environment, proving the computation ran inside a genuine Intel TDX enclave.

3. SP1 proves correct computation - the attestation is sent to an SP1 proof worker that generates a ZK proof (SP1 PLONK) verifying that the TEE executed the scoring program correctly - that each component score was computed honestly from real activity data and the final score was produced without tampering.

4. CKB verifies it - the proof is submitted on-chain. The Haven type script checks the SP1 PLONK proof before allowing the score cell to update. If the proof is invalid - meaning the computation was tampered with - the score cell cannot be updated.

5. dApps read it - any CKB dApp can read your score directly from the chain using the Haven SDK. No API keys, no Haven server dependency.

Architecture

User → Dashboard → SDK → CKB (read scores)
                     ↓
               Phala TEE → Proof Worker → CKB (write scores)
                  ↓              ↓
            dstack (DCAP)   Automata SP1

Five components:

• CKB Scripts - Type script (SP1 PLONK verification) + dual-path lock script (TEE update / user direct control). Deployed on testnet.
• Phala TEE Service - NestJS app running inside a Phala TEE. Handles identity, scoring, attestation, and chain submission. PostgreSQL for storage. Modular connection system - adding new providers is just a database row.
• SP1 Proof Worker - Rust binary using Automata’s DCAP verifier. Generates PLONK proofs from TDX attestation quotes.
• TypeScript SDK - @haven-protocol/ckb-sdk with React hooks. Everything a dApp needs to read scores, verify tiers, manage deposits, and connect accounts.
• Dashboard - React app with a custom design system. Score visualization, leaderboard, identity management, ecosystem page with Shadow Job Board.

Score Breakdown

Scores update every 24 hours in production (every 5 minutes during testnet testing). A user with real CKB testnet activity and no social accounts can score in the 200-400 range. Linking social accounts pushes it higher.

Score Tiers

Why CKB

• RISC-V VM - SP1 PLONK proofs verify natively in CKB scripts
• Cell model - score state lives in a user-owned cell. The TEE updates it, the user owns it
• Dual-path lock script - TEE can update scores, users always retain full ownership and can reclaim CKBytes
• Type scripts as validators - score update rules enforced on-chain. No override possible
• Composability - any dApp reads score cells directly. No Haven server needed

Current Status

• CKB type script + lock script deployed on Pudge testnet (upgradable via type-id)
• TEE service running with Phala dstack, connected to PostgreSQL
• Proof worker generating SP1 PLONK proofs from DCAP attestations
• Dashboard live with wallet connect, score display, leaderboard, notifications
• SDK published with React hooks for dApp integration
• On-chain scoring working for any CKB wallet type (secp256k1, omnilock, JoyID)

Links

• GitHub: https://github.com/truthixify/haven

What’s Next

• Deploy proof worker to a server - currently runs locally. Moving it to a cloud server so it’s always available for proof generation
• Deploy TEE to Phala Cloud - currently running on a local dstack simulator for testing. On real Phala hardware, the DCAP attestation will use genuine Intel TDX quotes, which unlocks the full end-to-end flow: TEE scores → real attestation → SP1 proof → on-chain score update
• Twitter and GitHub OAuth - social account integration for enhanced scoring
• More provider connections - LinkedIn, Discord, Telegram
• CKB mainnet deployment
• RGB++ cross-chain score signals
• DAO governance with score-weighted voting
• Shadow Job Board with anonymous talent matching

I’d love feedback on the architecture, the scoring model, or anything else. Happy to answer questions.

That’s a genuinely useful idea. I’ve heard this concept before with no idea how someone would go about implementing it. Weighting different actions must be tricky

Update: Haven Protocol - Full Pipeline Working on Testnet

It’s been a productive sprint since the initial post. The full end-to-end pipeline is now working on CKB testnet - TEE scores a user, generates a DCAP attestation, requests an SP1 PLONK proof, and submits a verified score update on-chain. Here’s what changed:

What’s New

TEE deployed on Phala Cloud - the TEE service is no longer local. It runs on real Phala hardware with genuine Intel TDX attestation via dstack. The DCAP quotes are real, the enclave is verifiable, and the scoring pipeline runs autonomously every cycle.

SP1 v6 proof generation - Iupgraded from SP1 v5 to v6 (Hypercube). This required writing our own SP1 guest program for DCAP verification since Automata’s pre-built ELF was compiled for v5 and incompatible with v6’s memory layout. The guest program uses dcap-rs to verify TDX quotes inside the SP1 VM and commits the verification result as public values. Proofs are generated via SP1 Network.

Pure Rust secp256k1 in the lock script - the lock script originally used CKB’s dynamic loading (CKBDLContext) to load the system secp256k1 C library. This caused persistent failures due to compatibility issues with ckb_dlopen2. I replaced it with the k256 crate (RustCrypto) - pure Rust, no_std, no external dep cells needed. The lock script is now fully self-contained at 132KB.

SDK published on npm - @haven-protocol-ckb/sdk v0.1.1 is live. The dashboard uses it directly from npm (not a local link). Includes React hooks for leaderboard, score fetching, notifications, deposits, and a TEE client with getScoreHistory().

Score history tracking - the TEE now records every confirmed score update in a dedicated score_history table. The dashboard fetches this via GET /api/score/history and renders it with Recharts - real data, no synthetic curves.

Leaderboard working - the SDK queries all Haven Score cells from CKB using the indexer’s prefix search mode (script_search_mode: 'prefix'). The leaderboard shows live on-chain scores with podium cards for the top 3 and a sortable table below.

Swagger API docs - the TEE exposes full OpenAPI documentation at /docs with all endpoints documented.

Architecture Changes

The type script validation now properly checks:

• Public inputs match cell state (identity, scores, epoch, breakdown)
• Epoch increments by exactly 1 per update
• Deposit balance decreases by the registry’s per-update fee
• Expiry is set from the on-chain registry’s epoch duration (not a hardcoded constant)
• SP1 PLONK proof verifies with the correct journal (SP1 public values) and vk_hash with “0x” prefix

The lock script was redeployed with:

• k256 for pure Rust ECDSA recovery (no dynamic loading)
• Pubkey compression before blake160 (matching CKB convention)
• Separated diagnostic error codes for each verification step

Current Testnet Deployment

• Type Script: 0x134e98b0... (type-id, upgradable)
• Lock Script: 0x296b392e... (type-id, k256 secp256k1)
• Registry Cell: 0x31105ea4...
• TEE Service: Phala Cloud (dstack, PostgreSQL)
• Proof Worker: Railway (SP1 v6, Automata DCAP)
• SDK: @haven-protocol-ckb/[email protected] on npm
• Dashboard: Live with recharts, leaderboard, notifications

What’s Next

• Score optimization - currently everyone scores 8/1000 because on-chain activity collection needs tuning for the new lock script addresses
• More provider connections - LinkedIn, Discord, Telegram
• Shadow Job Board on the ecosystem page
• RGB++ cross-chain score signals

The repo is at https://github.com/truthixify/haven. Feedback welcome.

Update: Multi-Platform Identity, Score Optimization

Since the last update where the full pipeline went live (TEE scoring, DCAP attestation, SP1 proof, on-chain verification), I’ve been focused on expanding the identity layer and fixing scoring accuracy.

Multi-Platform OAuth

GitHub, Discord, and LinkedIn OAuth flows are now live. Users link accounts directly from the dashboard through the Phala TEE:

• GitHub (OAuth 2.0): repos, commits, PRs, issues, org contributions
• Discord (OAuth 2.0): account age, server memberships, linked platform accounts (Steam, Twitch, YouTube, etc.)
• LinkedIn (OpenID Connect): profile verification

Each connection is stored exclusively inside the TEE enclave. Twitter is implemented in code but currently blocked by Twitter’s API tier requirements (free tier doesn’t support OAuth 2.0 user authentication).

Scoring Now Uses All Platforms

Discord and LinkedIn data feed directly into the scoring formulas:

• Proof of Human (20% weight): account ages are now averaged across all connected platforms (wallet, GitHub, Discord, LinkedIn). Connecting more platforms increases the multi-platform consistency bonus since it’s harder for sybils to maintain old accounts everywhere.
• Community Engagement (10% weight): Discord guild count and linked accounts factor into interaction diversity alongside GitHub PRs/issues and on-chain activity.

On-Chain Scoring Fixed

The on-chain activity collector was returning zero for all users. The root cause: it derived lock args from the user’s public key assuming standard secp256k1, but users connecting via JoyID or omnilock have different lock scripts. The fix was straightforward. The lock script fields (code hash, hash type, args) saved during identity registration are now properly mapped through to the collector. Users get accurate on-chain scoring regardless of wallet type.

Scoring Cycle

The scoring cycle now runs every 24 hours (midnight UTC). When a user’s score hasn’t changed since the last successful on-chain submission, the TEE skips proof generation and chain submission entirely. No wasted SP1 network calls for unchanged scores.

Dashboard

The dashboard is live at https://haven-protocol.vercel.app/

Features working:

• Score display with live refresh
• Leaderboard with on-chain data (podium + sortable table)
• Score history chart (Recharts, real data from TEE)
• Identity management with GitHub, Discord, LinkedIn OAuth
• Deposit creation and top-up
• Notifications
• Loading screens between page navigations

What’s Next

• CKB ecosystem GitHub scoring: check user contributions to nervosnetwork repos and other ecosystem projects. Merged PRs, issues created, and commit history to ecosystem repos will directly boost the Contribution score.
• Discord reputation from Nervos server: detect if users are members of the Nervos Discord server, their roles, and activity level. Active community members in the official server get a Community score boost.
• LinkedIn Nervos engagement: check if users follow or engage with Nervos-related company pages and content on LinkedIn.
• Twitter integration once API access tier is resolved
• Shadow Job Board on the ecosystem page for anonymous talent matching based on score tiers

Repo: GitHub - truthixify/haven · GitHub
SDK: https://www.npmjs.com/package/@haven-protocol-ckb/sdk
Dashboard: https://haven-protocol.vercel.app/