
feat: multi-provider integration stack with in-enclave auth schemes #1

Merged: FiscalMindset merged 1 commit into main from feat/multi-provider-integration-stack on Jul 1, 2026

Conversation

FiscalMindset (Owner) commented Jul 1, 2026

What & why

Product feedback flagged two gaps: integration coverage ("integration stack score is lower than the rest") and problem concreteness ("not as concrete or distinct as other projects"). Both traced to one root cause — the enclave's substitution was a blind v.replace(SENTINEL, secret), which only works for Authorization: Bearer, so all providers were LLM APIs.

This PR extends Blindfold from a 4-endpoint LLM-key proxy → 12 first-class provider integrations across 6 industries, with each provider's real auth computed inside the TDX enclave — including schemes a generic proxy structurally cannot do (Basic base64, AWS SigV4), because the secret is consumed by a computation, not pasted into a header.

Changes

  • contract: AuthSpec (bearer/basic/sigv4). auth.rs computes HTTP Basic base64 (Twilio) and AWS SigV4 signatures (S3/SES) in-enclave; new contract/auth-tests crate.
  • providers.ts: concrete registry (OpenAI/Anthropic/xAI/Groq/Gemini/Stripe/GitHub/SendGrid/Slack/Twilio/AWS S3+SES), each with host + sealed-secret name + auth scheme. Gemini uses x-goog-api-key, not Authorization.
  • proxy/types: route via registry with per-provider secret_key + auth.
  • examples: real live demos (gemini, stripe, prompt-injection). Exfil checks scan the entire process.env for a real key pattern, so a leftover key is reported as a leak, not hidden.
  • docs: integration-stack.md, README supported-integrations table.

Proof

Crypto correctness — AWS SigV4 vectors (native cargo test), 4/4 pass:

test auth::tests::base64_matches_known_values ... ok
test auth::tests::basic_auth_twilio_shape ... ok
test auth::tests::sigv4_signing_key_derivation_vector ... ok
test auth::tests::sigv4_get_vanilla_vector ... ok
test result: ok. 4 passed; 0 failed

sigv4_get_vanilla_vector matches AWS's published Signature=5fa00fa3…fbf31 byte-for-byte; signing-key derivation matches f4780e2d…db404d.

Enclave rebuilds clean: blindfold_proxy.wasm, 227,364 bytes, with sha2+hmac compiled in.

Live end-to-end against the real T3 enclave (tenant did:t3n:58f5f5f9…):

Gemini (real answer, agent holds no key):

✅ Real Gemini answer (key never left the enclave):
   Confidential computing protects data while it's being processed by isolating it
   within a hardware-secured environment, even from the OS, hypervisor, or cloud provider.
🕵️  env vars containing a real Gemini key: (none)   ← scans ALL of process.env
   auth header the agent sends:           x-goog-api-key: __BLINDFOLD__

Stripe (test mode — real read and write):

✅ Authenticated to a REAL Stripe account (test mode, livemode=false).   # GET /v1/balance → 200
✅ Real WRITE succeeded — created customer cus_Uo0eVe1uifYYut (livemode=false).  # POST /v1/customers → 200
🛡️  env vars containing a real Stripe key: (none); auth header: Bearer __BLINDFOLD__

Prompt injection (GitHub credential theft, defeated structurally):

✅ Legit call succeeded — agent is authenticated to GitHub as "FiscalMindset".
🛡️  env vars containing a real GitHub token: (none); auth header: Bearer __BLINDFOLD__

Notes

  • Backward compatible: auth defaults to bearer; existing LLM flows unchanged.
  • Two operational gotchas documented in integration-stack.md: blindfold grant replaces the egress allowlist (grant all hosts in one call), and testnet has a per-minute fuel_per_minute quota (surfaces as generic 500s under load).
  • No secrets committed (.env/target/node_modules gitignored).
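Added illustration, not the project's auth.rs (the enclave code is Rust): the two auth schemes the PR says a blind sentinel replace cannot produce, HTTP Basic and AWS SigV4, written with Python's standard library, with the signing-key derivation and the get-vanilla request checked against the same AWS vectors the Proof section cites. The AKIDEXAMPLE credentials are AWS's public test values, not real keys; `path` is assumed already canonical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def basic_auth_header(username: str, password: str) -> str:
    """Twilio-style HTTP Basic: base64(AccountSID ':' AuthToken)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode("ascii")


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning (AWS's published derivation)."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_authorization(method, path, query, headers, body, access_key, secret,
                        region, service, amz_date):
    """Authorization header for one request; the secret is consumed, never copied."""
    date = amz_date[:8]
    # Canonical headers: lowercased names, whitespace-collapsed values, sorted by name.
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed_headers = ";".join(k for k, _ in canon)
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    canonical_request = "\n".join([method, path, canonical_query, canonical_headers,
                                   signed_headers, hashlib.sha256(body).hexdigest()])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = _hmac(sigv4_signing_key(secret, date, region, service), string_to_sign).hex()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def get_vanilla_vector() -> str:
    """The AWS test-suite 'get-vanilla' request the PR's cargo test checks against."""
    headers = {"Host": "example.amazonaws.com", "X-Amz-Date": "20150830T123600Z"}
    return sigv4_authorization("GET", "/", {}, headers, b"", "AKIDEXAMPLE",
                               "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                               "us-east-1", "service", "20150830T123600Z")


if __name__ == "__main__":
    print(basic_auth_header("ACxxxxxxxx", "auth-token"))
    print(get_vanilla_vector())
```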

Summary by cubic

Adds a multi-provider integration stack with in-enclave auth, expanding from 4 LLM endpoints to 12 providers across 6 industries. The enclave now computes real auth (Bearer, Basic, AWS SigV4) so secrets are never pasted into headers.

  • New Features

    • Contract adds AuthSpec (bearer/basic/sigv4); enclave computes HTTP Basic and AWS SigV4 inside TDX.
    • Concrete provider registry in packages/blindfold/src/providers.ts with upstream host, sealed secret name, and auth scheme; Gemini uses x-goog-api-key.
    • Proxy routes via the registry, sets per-provider secret_key + auth, strips agent Authorization, and plants __BLINDFOLD__ only where needed.
    • Supported providers: OpenAI, Anthropic, xAI, Groq, Gemini, Stripe, GitHub, SendGrid, Slack, Twilio, AWS S3, AWS SES.
    • Real demos: examples/gemini/, examples/stripe/, examples/prompt-injection/; docs in integration-stack.md and README table. SigV4 verified against AWS test vectors (contract/auth-tests).
  • Migration

    • Backward compatible. auth defaults to bearer; existing LLM flows keep working.
    • To adopt new providers: route via proxy prefixes (e.g. /gemini/, /stripe/, /aws/s3/), seal the provider’s secret, and grant all required hosts in one call.
    • Set non-secret config in env where needed (e.g. TWILIO_ACCOUNT_SID, AWS_ACCESS_KEY_ID, AWS_REGION).
    • Testnet notes: per-minute quota and form-encoded write quirks; see integration-stack.md.

Written for commit 7f05f0a. Summary will update on new commits.


Extend Blindfold from a 4-endpoint LLM-key proxy to 12 first-class provider
integrations across 6 industries, with each provider's real auth computed
inside the TDX enclave.

contract:
- add AuthSpec (bearer/basic/sigv4) to the forward path
- compute HTTP Basic base64 (Twilio) and AWS SigV4 signatures (S3/SES) in
  the enclave, so the secret is consumed by a computation and never pasted
  into a header value on its own
- auth.rs is unit-tested against AWS's published SigV4 vectors (get-vanilla
  full signature + signing-key derivation); new contract/auth-tests crate

providers/proxy:
- providers.ts: concrete registry (OpenAI/Anthropic/xAI/Groq/Gemini/Stripe/
  GitHub/SendGrid/Slack/Twilio/AWS S3+SES) with per-provider host, sealed-
  secret name, and auth scheme; Gemini uses x-goog-api-key, not Authorization
- proxy routes via the registry with per-provider secret_key + auth
- ForwardRequest gains an optional auth field (serialises to the contract enum)

examples (real, live end-to-end):
- gemini, stripe (test mode, read+write), prompt-injection (GitHub)
- exfil checks scan the entire process.env for a real key pattern, so a
  leftover key is reported as a leak rather than hidden

docs: integration-stack.md (what/why/impact + operational gotchas), README
supported-integrations table, EXAMPLES/examples index
@FiscalMindset FiscalMindset merged commit 4035ecd into main Jul 1, 2026
3 checks passed
@FiscalMindset FiscalMindset deleted the feat/multi-provider-integration-stack branch July 1, 2026 14:10