Documentation
Overview
Package proxy implements the teep HTTP proxy server. It sits between an OpenAI-compatible client and a TEE-capable AI backend (Venice, NEAR AI), performing attestation verification and optional E2EE on every request.
Request flow for POST /v1/chat/completions:
1. Parse model name from request body.
2. Resolve model → provider. Unknown model → 400.
3. Check negative cache. Blocked → 503.
4. Check attestation cache. On miss, fetch + verify + cache.
5. Any enforced factor Fail (not in allow_fail) → 502 with report JSON.
6. If E2EE and tdx_reportdata_binding Pass: encrypt messages, set headers. If E2EE required but binding fails: block request (no plaintext fallback).
7. Forward to upstream. Parse streaming SSE or buffer non-streaming body.
8. Decrypt each chunk (E2EE). Abort on any decryption failure.
9. Re-emit SSE to client (streaming) or return assembled JSON (non-streaming).
10. Zero session key material.
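The pre-forward checks in the flow above (model lookup, negative cache, enforced factors, E2EE binding) can be read as one fail-closed gate; the sketch below is an added example, not teep's own code. `Policy`, `Decision` and `Gate` are hypothetical names, the report is reduced to a map of factor name to pass/fail, and the block on binding failure carries no status code because the page does not state one.

```go
package main

import (
	"fmt"
	"net/http"
)

// Hypothetical types: teep's real fields are unexported and not shown here.
type Policy struct {
	Enforced  []string        // factors that must pass
	AllowFail map[string]bool // enforced factors permitted to fail
	E2EE      bool            // E2EE required for this provider
}

type Decision struct {
	Status  int // HTTP status the flow names; 0 where the page states none
	Forward bool
	Encrypt bool
	Reason  string
}

// Gate applies the pre-forward checks to an already verified report
// (factor name -> passed) and returns what the proxy should do next.
func Gate(known, negCached bool, factors map[string]bool, p Policy) Decision {
	if !known {
		return Decision{Status: http.StatusBadRequest, Reason: "unknown model"}
	}
	if negCached {
		return Decision{Status: http.StatusServiceUnavailable, Reason: "negative cache"}
	}
	for _, f := range p.Enforced {
		if !factors[f] && !p.AllowFail[f] {
			return Decision{Status: http.StatusBadGateway, Reason: fmt.Sprintf("factor %s failed", f)}
		}
	}
	if p.E2EE && !factors["tdx_reportdata_binding"] {
		return Decision{Reason: "E2EE binding failed, no plaintext fallback"}
	}
	return Decision{Forward: true, Encrypt: p.E2EE}
}

func main() {
	// Constructed sample: the binding factor fails but is listed in allow_fail.
	p := Policy{Enforced: []string{"tdx_reportdata_binding"},
		AllowFail: map[string]bool{"tdx_reportdata_binding": true}, E2EE: true}
	fmt.Printf("%+v\n", Gate(true, false, map[string]bool{"tdx_reportdata_binding": false}, p))
}
```

Following the list order as written, listing tdx_reportdata_binding in allow_fail gets past the enforced-factor check but the request is still blocked when E2EE is required, so the allow list cannot downgrade a session to plaintext.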
Types
type Server
type Server struct {
	// contains filtered or unexported fields
}
Server is the teep proxy HTTP server.
func New
New builds a Server from cfg. Providers are wired with their Attester and Preparer implementations based on provider name.
func (*Server) ListenAndServe
ListenAndServe starts the proxy HTTP server on the configured listen address. It blocks until ctx is cancelled (e.g. via signal.NotifyContext), then initiates a graceful shutdown with a 5-second deadline to drain in-flight requests (which zeros any active E2EE sessions via their defers).