feat: multi-provider integration stack with in-enclave auth schemes #1
Merged
Extend Blindfold from a 4-endpoint LLM-key proxy to 12 first-class provider integrations across 6 industries, with each provider's real auth computed inside the TDX enclave.

contract:
- add AuthSpec (bearer/basic/sigv4) to the forward path
- compute HTTP Basic base64 (Twilio) and AWS SigV4 signatures (S3/SES) in the enclave, so the secret is consumed by a computation and never pasted into a header value on its own
- auth.rs is unit-tested against AWS's published SigV4 vectors (get-vanilla full signature + signing-key derivation); new contract/auth-tests crate

providers/proxy:
- providers.ts: concrete registry (OpenAI/Anthropic/xAI/Groq/Gemini/Stripe/GitHub/SendGrid/Slack/Twilio/AWS S3+SES) with per-provider host, sealed-secret name, and auth scheme; Gemini uses x-goog-api-key, not Authorization
- proxy routes via the registry with per-provider secret_key + auth
- ForwardRequest gains an optional auth field (serialises to the contract enum)

examples (real, live end-to-end):
- gemini, stripe (test mode, read+write), prompt-injection (GitHub)
- exfil checks scan the entire process.env for a real key pattern, so a leftover key is reported as a leak rather than hidden

docs: integration-stack.md (what/why/impact + operational gotchas), README supported-integrations table, EXAMPLES/examples index
This was referenced Jul 1, 2026
What & why
Product feedback flagged two gaps: integration coverage ("integration stack score is lower than the rest") and problem concreteness ("not as concrete or distinct as other projects"). Both traced to one root cause — the enclave's substitution was a blind v.replace(SENTINEL, secret), which only works for Authorization: Bearer, so all providers were LLM APIs.

This PR extends Blindfold from a 4-endpoint LLM-key proxy → 12 first-class provider integrations across 6 industries, with each provider's real auth computed inside the TDX enclave — including schemes a generic proxy structurally cannot do (Basic base64, AWS SigV4), because the secret is consumed by a computation, not pasted into a header.
Changes
- AuthSpec (bearer/basic/sigv4). auth.rs computes HTTP Basic base64 (Twilio) and AWS SigV4 signatures (S3/SES) in-enclave; new contract/auth-tests crate.
- x-goog-api-key, not Authorization.
- secret_key + auth.
- process.env for a real key pattern, so a leftover key is reported as a leak, not hidden.
- integration-stack.md, README supported-integrations table.

Proof
Crypto correctness — AWS SigV4 vectors (native cargo test), 4/4 pass: sigv4_get_vanilla_vector matches AWS's published Signature=5fa00fa3…fbf31 byte-for-byte; signing-key derivation matches f4780e2d…db404d.

Enclave rebuilds clean: blindfold_proxy.wasm, 227,364 bytes, with sha2+hmac compiled in.

Live end-to-end against the real T3 enclave (tenant did:t3n:58f5f5f9…):

Gemini (real answer, agent holds no key):

Stripe (test mode — real read and write):

Prompt injection (GitHub credential theft, defeated structurally):
Notes
- auth defaults to bearer; existing LLM flows unchanged.
- integration-stack.md: blindfold grant replaces the egress allowlist (grant all hosts in one call), and testnet has a per-minute fuel_per_minute quota (surfaces as generic 500s under load).
- .env/target/node_modules gitignored).

Summary by cubic
Adds a multi-provider integration stack with in-enclave auth, expanding from 4 LLM endpoints to 12 providers across 6 industries. The enclave now computes real auth (Bearer, Basic, AWS SigV4) so secrets are never pasted into headers.
New Features
- AuthSpec (bearer/basic/sigv4); enclave computes HTTP Basic and AWS SigV4 inside TDX.
- packages/blindfold/src/providers.ts with upstream host, sealed secret name, and auth scheme; Gemini uses x-goog-api-key.
- secret_key + auth, strips agent Authorization, and plants __BLINDFOLD__ only where needed.
- examples/gemini/, examples/stripe/, examples/prompt-injection/; docs in integration-stack.md and README table. SigV4 verified against AWS test vectors (contract/auth-tests).

Migration
- auth defaults to bearer; existing LLM flows keep working.
- /gemini/, /stripe/, /aws/s3/), seal the provider’s secret, and grant all required hosts in one call.
- TWILIO_ACCOUNT_SID, AWS_ACCESS_KEY_ID, AWS_REGION).
- integration-stack.md.

Written for commit 7f05f0a. Summary will update on new commits.
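
The substitution problem this PR describes (a blind replace of the sentinel works for Bearer, but not where the secret feeds a computation such as HTTP Basic), as an added Rust example that is not Blindfold's own code. The AuthSpec field shapes and all function names are assumptions; the Basic credentials are the RFC 7617 sample pair.

```rust
// Added illustration, not Blindfold's code; AuthSpec fields and fn names are assumed.
const SENTINEL: &str = "__BLINDFOLD__";
enum AuthSpec {
    Bearer,
    Basic { username: String }, // non-secret half, e.g. an account SID
}

// Padded base64 (RFC 4648), written out to avoid a dependency.
fn base64(input: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for c in input.chunks(3) {
        let (b1, b2) = (*c.get(1).unwrap_or(&0), *c.get(2).unwrap_or(&0));
        let n = (c[0] as u32) << 16 | (b1 as u32) << 8 | b2 as u32;
        for i in 0..4usize {
            let ch = T[((n >> (18 - 6 * i)) & 63) as usize] as char;
            out.push(if i <= c.len() { ch } else { '=' });
        }
    }
    out
}

// Old path: paste the secret wherever the sentinel appears.
fn blind_replace(header_value: &str, secret: &str) -> String {
    header_value.replace(SENTINEL, secret)
}

// New path: build the header value from the scheme and the sealed secret.
fn compute_authorization(spec: &AuthSpec, secret: &str) -> String {
    match spec {
        AuthSpec::Bearer => format!("Bearer {}", secret),
        AuthSpec::Basic { username } => {
            format!("Basic {}", base64(format!("{}:{}", username, secret).as_bytes()))
        }
    }
}

// A key-less agent can only encode the sentinel; replace then finds nothing.
fn basic_via_blind_replace(username: &str, secret: &str) -> String {
    let encoded = base64(format!("{}:{}", username, SENTINEL).as_bytes());
    blind_replace(&format!("Basic {}", encoded), secret)
}

fn main() {
    let basic = AuthSpec::Basic { username: "Aladdin".into() }; // constructed sample
    println!("{}", compute_authorization(&basic, "open sesame"));
    println!("{}", basic_via_blind_replace("Aladdin", "open sesame"));
    println!("{}", compute_authorization(&AuthSpec::Bearer, "sk-constructed"));
}
```

The second line printed still carries the encoded sentinel, which is the header an upstream would reject; the first is the value only code holding the secret can produce.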