EXTENDED DOCUMENTATION

Deployment

Environment Templates

text
```
.env.example
```
text
```
.env.development.example
```
text
```
.env.production.example
```
text
```
docs/ENVIRONMENT.md
```
for bilingual variable explanations and operator guidance

Frontend

Deploy

text

apps/web

to Vercel.

Required env vars:

text
```
PHALA_API_URL
```
text
```
PHALA_API_TOKEN
```
or
text
```
PHALA_SHARED_SECRET
```
text
```
TWELVEDATA_API_KEY
```
for the TwelveData built-in provider
optional Coinbase spot provider requires no secret
text
```
NEXT_PUBLIC_SUPABASE_URL
```
text
```
NEXT_PUBLIC_SUPABASE_ANON_KEY
```
text
```
SUPABASE_SERVICE_ROLE_KEY
```

optional but recommended in production:

text

MORPHEUS_PROVIDER_CONFIG_API_KEY

text

ADMIN_CONSOLE_API_KEY

optional and recommended for scoped admin separation:

text
```
MORPHEUS_PROVIDER_CONFIG_API_KEY
```
text
```
MORPHEUS_RELAYER_ADMIN_API_KEY
```
text
```
MORPHEUS_SIGNING_ADMIN_API_KEY
```
text
```
MORPHEUS_RELAY_ADMIN_API_KEY
```
text
```
MORPHEUS_OPERATOR_API_KEY
```

optional datafeed defaults:

text

MORPHEUS_FEED_PROJECT_SLUG

text

MORPHEUS_FEED_PROVIDER

Phala Worker

Deploy

text

workers/phala-worker

to Phala with:

text
```
PHALA_API_TOKEN
```
or
text
```
PHALA_SHARED_SECRET
```
text
```
NEO_RPC_URL
```
text
```
NEOX_RPC_URL
```

text

PHALA_NEO_N3_WIF

text

PHALA_NEO_N3_PRIVATE_KEY

text
```
PHALA_NEOX_PRIVATE_KEY
```
text
```
SUPABASE_URL
```
or
text
```
NEXT_PUBLIC_SUPABASE_URL
```
if direct worker calls should resolve project provider defaults
text
```
SUPABASE_SERVICE_ROLE_KEY
```
(or compatible service key) for worker-side provider-config lookup
optional
text
```
ORACLE_TIMEOUT
```
for upstream fetch timeout (for example
text
```
20s
```
)
optional
text
```
ORACLE_SCRIPT_TIMEOUT_MS
```
for privacy Oracle script execution timeout
optional
text
```
COMPUTE_SCRIPT_TIMEOUT_MS
```
for compute script execution timeout
optional
text
```
PHALA_USE_DERIVED_KEYS=true
```
to derive worker and relayer signing keys from tappd/dstack when explicit keys are omitted
optional
text
```
PHALA_EMIT_ATTESTATION=true
```
to attach dstack quotes in worker responses
optional
text
```
PHALA_DSTACK_ENDPOINT
```
to override the dstack endpoint (defaults to
text
```
/var/run/dstack.sock
```
when mounted)

optional

text

PHALA_DSTACK_NEO_N3_KEY_PATH

text

PHALA_DSTACK_NEOX_KEY_PATH

to override worker derived key paths

optional

text

PHALA_DSTACK_RELAYER_NEO_N3_KEY_PATH

text

PHALA_DSTACK_RELAYER_NEOX_KEY_PATH

to override relayer derived key paths

optional
text
```
PHALA_DSTACK_ORACLE_ENCRYPTION_KEY_PATH
```
to control the wrapping-key path for stable Oracle X25519 transport key storage
optional
text
```
PHALA_ORACLE_KEYSTORE_PATH
```
to control where the sealed Oracle transport key is persisted (default
text
```
/data/morpheus/oracle-key.json
```
inside the shared CVM volume)
web verifier API:
text
```
/api/attestation/verify
```
demo verifier flow:
text
```
/api/attestation/demo
```
and
text
```
/verifier
```

Phala CVM Topology

Recommended first deployment:

1
text
```
Confidential VM
```
2 containers inside it:
text
```
phala-worker
```
+
text
```
morpheus-relayer
```

Sizing guidance:

text
```
Small TDX
```
→ not recommended
text
```
Medium TDX
```
→ recommended for testnet / MVP
text
```
Large TDX
```
→ recommended default for production

Deployment files:

text
```
workers/phala-worker/Dockerfile
```
text
```
workers/morpheus-relayer/Dockerfile
```
text
```
deploy/phala/docker-compose.yml
```
text
```
deploy/phala/Caddyfile
```
text
```
deploy/phala/morpheus.env.example
```
text
```
deploy/phala/README.md
```
text
```
scripts/render-phala-env.mjs
```
text
```
scripts/check-phala-env.mjs
```

Morpheus Relayer

Run

text

workers/morpheus-relayer

as the async bridge that watches

text

OracleRequested

events and calls

text

fulfillRequest

back on-chain.

Required env vars:

text
```
PHALA_API_URL
```
text
```
PHALA_API_TOKEN
```
or
text
```
PHALA_SHARED_SECRET
```
text
```
MORPHEUS_NETWORK
```

text

MORPHEUS_RELAYER_NEO_N3_WIF

text

MORPHEUS_RELAYER_NEO_N3_PRIVATE_KEY

text
```
MORPHEUS_RELAYER_NEOX_PRIVATE_KEY
```
text
```
CONTRACT_MORPHEUS_ORACLE_HASH
```
text
```
CONTRACT_MORPHEUS_ORACLE_X_ADDRESS
```

Optional:

text
```
MORPHEUS_RELAYER_POLL_INTERVAL_MS
```
text
```
MORPHEUS_RELAYER_CONCURRENCY
```
text
```
MORPHEUS_RELAYER_MAX_BLOCKS_PER_TICK
```
text
```
MORPHEUS_RELAYER_MAX_RETRIES
```
text
```
MORPHEUS_RELAYER_RETRY_BASE_DELAY_MS
```
text
```
MORPHEUS_RELAYER_RETRY_MAX_DELAY_MS
```
text
```
MORPHEUS_RELAYER_PROCESSED_CACHE_SIZE
```
text
```
MORPHEUS_RELAYER_DEAD_LETTER_LIMIT
```
text
```
MORPHEUS_RELAYER_LOG_FORMAT
```
text
```
MORPHEUS_RELAYER_LOG_LEVEL
```
text
```
MORPHEUS_RELAYER_NEO_N3_CONFIRMATIONS
```
text
```
MORPHEUS_RELAYER_NEO_X_CONFIRMATIONS
```
text
```
MORPHEUS_RELAYER_NEO_N3_START_BLOCK
```
text
```
MORPHEUS_RELAYER_NEO_X_START_BLOCK
```
text
```
MORPHEUS_RELAYER_STATE_FILE
```
text
```
MORPHEUS_AUTOMATION_ENABLED
```
text
```
MORPHEUS_AUTOMATION_BATCH_SIZE
```
text
```
MORPHEUS_AUTOMATION_MAX_QUEUED_PER_TICK
```

text

MORPHEUS_AUTOMATION_DEFAULT_PRICE_COOLDOWN_MS

Supabase

Apply, in order:

text

supabase/migrations/0001_morpheus_schema.sql

text

supabase/migrations/0002_morpheus_policies_and_seeds.sql

text

supabase/migrations/0003_provider_configs.sql

text

supabase/migrations/0004_relayer_ops.sql

text

supabase/migrations/0005_operation_logs.sql

Optional:

text
```
supabase/seed.sql
```

Supabase Recording Model

Current persistence behavior:

relayer runs and jobs are recorded in
text
```
morpheus_relayer_runs
```
and
text
```
morpheus_relayer_jobs
```
web/API operations are recorded in
text
```
morpheus_operation_logs
```
encrypted request fields such as
text
```
encrypted_params
```
,
text
```
encrypted_input
```
,
text
```
encrypted_payload
```
, and
text
```
encrypted_inputs.*
```
are stored directly as ciphertext in
text
```
morpheus_encrypted_secrets
```
plaintext secret-like keys are redacted before operation-log persistence
automation registrations are stored in
text
```
morpheus_automation_jobs
```
automation queue attempts are stored in
text
```
morpheus_automation_runs
```

Contracts

Build and deploy the Morpheus gateway contracts from

text

contracts/

. Use

text

config/networks/testnet.json

and

text

config/networks/mainnet.json

as the canonical address registry files.

Core contracts:

Neo N3:

text

MorpheusOracle

text

OracleCallbackConsumer

text

MorpheusDataFeed

Neo X:

text

MorpheusOracleX

text

OracleCallbackConsumerX

text

MorpheusDataFeedX

The intended logic is consistent across both chains:

privacy oracle requests
off-chain privacy compute through oracle/compute worker modules
datafeed storage and updater-controlled publication
automation registration, execution queueing, and callback fulfillment

Provider control-plane notes:

built-in provider metadata lives in the worker provider registry
project-level provider defaults live in Supabase
text
```
morpheus_provider_configs
```
the web dashboard can manage provider configs through
text
```
/api/provider-configs
```

Optional On-Chain Key Publication

After the Phala worker is live, publish the active Oracle encryption key to your gateway contract:

bash
npm run publish:oracle-key

Previous Supported Providers NextEnvironment Setup

REVISION 1.0.2LAST UPDATED: 2026-03-11

EDIT ON GITHUB