A formally verified protocol for sovereign, portable, privacy‑preserving apps.

Every app runs on infrastructure you have to trust — an operator who can silently rewrite your data, censor you, or vanish, with no way to check. That held while code was human-written, human-reviewed, run by accountable people, and watched by humans who'd notice. All four are now false.

Code is AI-written faster than anyone can audit; apps are run by autonomous agents at machine speed; reputation and terms of service don't survive millions of unattended interactions. When no human can vouch for the operator or the code, the only trust that scales is mathematical proof.

ENC is a trust-minimized protocol that delivers self-sovereignty through verifiability — each property resting on the one before it.

At ENC's core is a tiny verified kernel that runs no app code: state is non-computing (key→value leaves), and a manifest declares everything an enclave is. The node enforces that declaration — verify, check, append, update the tree — nothing arbitrary to run. An app composes several enclaves over a federated mesh.

The verified core is transparent about the rules — anyone you allow can confirm what happened and that it followed them — but never about your content. Encryption isn't baked in; it layers on top as swappable plugins, chosen by the shape of the conversation, scaling the same core from a private note to a DM to a large group. Swap in a new scheme — even post-quantum — without touching the verified core; each plugin carries its own machine-checked security claim.

Every other "formally verified" protocol shares one unsolved problem: the proof covers a model, but the code that ships is hand-written — or vibe-coded by an AI — and drifts the moment coding starts. That gap is where bugs and backdoors live. ENC closes it by construction.

One Lean 4 specification carries the proof; a deterministic CodeGen emits the Lean, JavaScript, Rust, and WebAssembly that ship. A reproducibility gate fails the build unless every regenerated artifact matches hash-for-hash; the spec itself compiles to an executable reference; and witnesses replay the tests against the exact shipped bytes. The running code is held to the proof — no second codebase to drift. The code is the spec, compiled.

An agent has no judgment to fall back on, so the trust a human supplied must become something the machine can compute. On ENC an agent acts under its own sub-key, authorized by a cosigned, time-boxed certificate — your root key is never handed over. The cert expires and is revocable, so a compromised or hijacked agent has a bounded blast radius and never exposes your identity. The leash is math, not hope.

The ENC Pipeline lets autonomous agents generate any app, instantly, with mathematical guarantees instead of human review — not just the app, but the infrastructure, UI, dataview servers, and client logic too, all from the same proven core. Around 1,500 apps are already formalized into a smart corpus for instant generation of any kind; trust rests on the proof, not the builder, and every new version is re-proven before it ships.

ENC Cloud lets you deploy and manage enclaves in one place — spin one up, scale it, migrate it, retire it. Under the hood it's a network of edge-worker node operators: because a node orders and delivers but can't forge, sign, or read your data, you get managed hosting without handing over trust — and no lock-in, since an enclave migrates to another operator, or off the cloud entirely, in one command.