Add OHTTP config support to TEE registry and endpoints #296
Merged
The bundled TEERegistry ABI and TEEInfo stopped at endpoint + TLS cert, so the registry read was partial. Read the whole on-chain record:
- ABI: add the ohttpConfig struct (keyId/kemId/kdfId/aeadId/publicKey/keyConfig) to getActiveTEEs and getTEE outputs.
- TEEInfo: add the ohttp_config field; new OhttpConfig NamedTuple mirrors it.
- TEEEndpoint: carry signing_public_key_der + ohttp_config (back-compatible defaults), so callers can encrypt OHTTP requests AND verify TEE signatures, not just dial the endpoint.
- get_llm_tee_ohttp_config(): pick a random active LLM-proxy TEE that advertises a usable HPKE config.
- tests: full-struct fixture + OHTTP-field assertions.
https://claude.ai/code/session_01L2gvK4aHX1bs3EQ61zxdkT
`make check` (mypy) flagged `_parse_ohttp_config(raw: object)` as not indexable. Type the decoded on-chain tuple as `Sequence[Any]`. https://claude.ai/code/session_01L2gvK4aHX1bs3EQ61zxdkT
Pull request overview
This PR extends the Python SDK’s on-chain TEE registry integration to surface Oblivious HTTP (OHTTP)/HPKE configuration material alongside existing endpoint + pinned TLS certificate data, enabling clients to choose between direct connections and an OHTTP relay path.
Changes:
- Added `OhttpConfig` and expanded `TEEInfo`/`TEEEndpoint` parsing to carry OHTTP config + signing public key material from the registry.
- Introduced `get_llm_tee_ohttp_config()` to select only LLM-proxy TEEs with usable HPKE public keys.
- Updated the registry ABI and extended unit tests to assert the new parsed fields.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `src/opengradient/client/tee_registry.py` | Adds OHTTP structs/parsing, enriches TEEEndpoint, and introduces OHTTP-specific selection API. |
| `tests/tee_registry_test.py` | Updates mocked TEEInfo tuples and assertions for new endpoint fields. |
| `src/opengradient/abi/TEERegistry.abi` | Reformats ABI and adds the OhttpConfig struct to relevant outputs. |
- TEEInfo.ohttp_config was annotated OhttpConfig but TEEInfo(*raw) assigns the raw decoded web3 sub-tuple, so the runtime value is a Sequence, not a parsed OhttpConfig. Relax the annotation to Sequence[Any] and document that the parsed/typed form lives on TEEEndpoint.ohttp_config.
- Add tests covering the new branches: _parse_ohttp_config returns None on an empty HPKE public key (and on a malformed tuple), get_active_tees_by_type surfaces ohttp_config=None when no HPKE key is present, and get_llm_tee_ohttp_config filters out TEEs without usable HPKE material (returning None when none qualify).
Summary
Extends the TEE registry integration to include OHTTP/HPKE key material, enabling clients to encrypt Oblivious HTTP requests to TEEs. The `TEEEndpoint` now carries both the direct x402 connection path (endpoint + TLS cert) and the oblivious-HTTP relay path (OHTTP config + signing key).

Key Changes
- ABI Update: Reformatted `TEERegistry.abi` with consistent indentation and added `OhttpConfig` struct to `TEEInfo` output (keyId, kemId, kdfId, aeadId, publicKey, keyConfig, registeredAt)
- New `OhttpConfig` NamedTuple: Mirrors the on-chain struct with HPKE key material (X25519 public key, KEM/KDF/AEAD algorithm IDs, serialized key config blob)
- Enhanced `TEEInfo` NamedTuple: Now includes the `ohttp_config` field to carry the full registry record
- Enhanced `TEEEndpoint` Dataclass:
  - `signing_public_key_der` (RSA public key for signature verification)
  - `ohttp_config` field
- New Registry Methods:
  - `get_llm_tee_ohttp_config()`: Returns a random active LLM proxy TEE guaranteed to have OHTTP config (non-empty X25519 public key)
  - `_parse_ohttp_config()`: Helper to safely coerce decoded on-chain tuples into `OhttpConfig` objects, returning `None` for TEEs without OHTTP material
- Updated `get_active_tees_by_type()`: Now populates `signing_public_key_der` and `ohttp_config` fields on returned `TEEEndpoint` objects
- Test Updates: Extended `_make_tee_info()` helper to include the full `ohttpConfig` sub-tuple and added assertions verifying the new fields are correctly parsed

Implementation Details
- `None` if the tuple is malformed or the public key is empty (indicating no OHTTP support)
- `get_llm_tee_ohttp_config()` method explicitly checks for 32-byte X25519 keys to ensure usability
- `get_llm_tee()` continues to work; new code can opt into OHTTP via the new method

https://claude.ai/code/session_01L2gvK4aHX1bs3EQ61zxdkT
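
An added example, not code from this PR or the SDK: the parsing and selection behaviour described above (`None` for a malformed tuple or an empty public key, a 32-byte X25519 key required before use), extended with a cross-check that the `keyConfig` blob agrees with the discrete fields. The function names `parse_ohttp_config`, `key_config_matches` and `usable_configs` are hypothetical, the blob is assumed to follow the RFC 9458 key configuration layout, and the sample records are constructed.

```python
import struct
from typing import Any, List, NamedTuple, Optional, Sequence

X25519_KEM_ID, X25519_KEY_LEN = 0x0020, 32  # DHKEM(X25519, HKDF-SHA256)
HEAD = struct.Struct("!BH32sH")  # key_id, kem_id, public_key, suites_len; then (kdf_id, aead_id) pairs

class OhttpConfig(NamedTuple):
    key_id: int
    kem_id: int
    kdf_id: int
    aead_id: int
    public_key: bytes
    key_config: bytes

def parse_ohttp_config(raw: Sequence[Any]) -> Optional[OhttpConfig]:
    """None if malformed or the key is empty; trailing fields are ignored."""
    try:
        key_id, kem_id, kdf_id, aead_id, public_key, key_config = raw[:6]
        cfg = OhttpConfig(int(key_id), int(kem_id), int(kdf_id), int(aead_id),
                          bytes(public_key), bytes(key_config))
    except (TypeError, ValueError):
        return None
    return cfg if cfg.public_key else None

def key_config_matches(cfg: OhttpConfig) -> bool:
    """True if the blob (assumed RFC 9458 layout) agrees with the fields."""
    blob = cfg.key_config
    if (cfg.kem_id != X25519_KEM_ID or len(cfg.public_key) != X25519_KEY_LEN
            or len(blob) < HEAD.size):
        return False
    key_id, kem_id, pub, suites_len = HEAD.unpack_from(blob, 0)
    if suites_len == 0 or suites_len % 4 or suites_len != len(blob) - HEAD.size:
        return False
    pairs = {struct.unpack_from("!HH", blob, HEAD.size + i) for i in range(0, suites_len, 4)}
    same_key = (key_id, kem_id, pub) == (cfg.key_id, cfg.kem_id, cfg.public_key)
    return same_key and (cfg.kdf_id, cfg.aead_id) in pairs

def usable_configs(records: Sequence[Sequence[Any]]) -> List[OhttpConfig]:
    """Keep only records whose key material is present and self-consistent."""
    return [c for c in map(parse_ohttp_config, records) if c and key_config_matches(c)]

PUB = bytes(range(32))  # constructed sample key, not a real TEE key
GOOD_BLOB = HEAD.pack(1, X25519_KEM_ID, PUB, 4) + struct.pack("!HH", 1, 1)
SAMPLES = [  # constructed records, not real registry data
    (1, 0x0020, 1, 1, PUB, GOOD_BLOB, 1700000000),  # consistent record
    (1, 0x0020, 1, 3, PUB, GOOD_BLOB, 1700000000),  # aead_id absent from blob
    (0, 0, 0, 0, b"", b"", 0),                      # no OHTTP material
    (1, 0x0020),                                    # malformed tuple
]
```

`usable_configs(SAMPLES)` keeps only the first record; the second is dropped because its `aead_id` is not among the suites serialized in the blob.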