tinfoil

package module
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 21, 2025 License: AGPL-3.0 Imports: 5 Imported by: 0

README

Tinfoil Go Client

Build Status

Installation

tinfoil-go currently relies on a specific feature in go-sev-guest that hasn't been upstreamed yet. This requires adding the following line to your go.mod:

replace github.com/google/go-sev-guest v0.0.0-00010101000000-000000000000 => github.com/jraman567/go-sev-guest v0.0.0-20250117204014-6339110611c9

Then run:

go get github.com/tinfoilsh/tinfoil-go

Quick Start

The Tinfoil Go client is a wrapper around the OpenAI Go client and provides secure communication with Tinfoil enclaves. It has the same API as the OpenAI client, with additional security features:

  • Automatic attestation validation to ensure enclave integrity verification
  • TLS certificate pinning to prevent man-in-the-middle attacks
package main

import (
	"context"
	"fmt"

	"github.com/openai/openai-go"
	"github.com/openai/openai-go/option"
	"github.com/tinfoilsh/tinfoil-go" // imported as tinfoil
)

func main() {
	// Create a client for a specific enclave and model repository
	client, err := tinfoil.NewClientWithParams(
		"enclave.example.com",
		"org/model-repo",
		option.WithAPIKey("your-api-key"),
	)
	if err != nil {
		panic(err.Error())
	}

	// Make requests using the OpenAI client API
	// Note: enclave verification happens automatically
	chatCompletion, err := client.Chat.Completions.New(context.TODO(), openai.ChatCompletionNewParams{
		Messages: []openai.ChatCompletionMessageParamUnion{
			openai.UserMessage("Say this is a test"),
		},
		Model: "llama3-3-70b", // see https://docs.tinfoil.sh for supported models
	})

	if err != nil {
		panic(err.Error())
	}

	fmt.Println(chatCompletion.Choices[0].Message.Content)
}

Usage

// 1. Create a client
client, err := tinfoil.NewClientWithParams(
	"enclave.example.com",  // Enclave hostname
	"org/repo",             // GitHub repository
	option.WithAPIKey("your-api-key"),
)
if err != nil {
	panic(err.Error())
}

// 2. Use client as you would openai.Client 
// see https://pkg.go.dev/github.com/openai/openai-go for API documentation

Advanced Functionality

// For manual verification and direct HTTP access, use SecureClient directly
secureClient := tinfoil.NewSecureClient("enclave.example.com", "org/repo")

// Manual verification
groundTruth, err := secureClient.Verify()
if err != nil {
	return fmt.Errorf("verification failed: %w", err)
}

// Get the raw HTTP client 
httpClient, err := secureClient.HTTPClient()
if err != nil {
	return fmt.Errorf("failed to get HTTP client: %w", err)
}

// Make HTTP requests directly 
resp, err := secureClient.Get("/api/status", map[string]string{
	"Authorization": "Bearer token",
})

Foreign Function Interface (FFI) Support

For usage in other languages through FFI, additional functions are available which avoid using FFI incompatible data structures (e.g., Go maps):

// Create a SecureClient for FFI usage
secureClient := tinfoil.NewSecureClient("enclave.example.com", "org/repo")

// Initialize a request and get an ID
requestID, err := secureClient.InitPostRequest("/api/submit", []byte(`{"key":"value"}`))

// Add headers individually
secureClient.AddHeader(requestID, "Content-Type", "application/json")
secureClient.AddHeader(requestID, "Authorization", "Bearer token")

// Execute the request
resp, err := secureClient.ExecuteRequest(requestID)

API Documentation

This library is a drop-in replacement for the official OpenAI Go client that can be used with Tinfoil. All methods and types are identical. See the OpenAI Go client documentation for complete API usage and documentation.

Go Reference

Reporting Vulnerabilities

Please report security vulnerabilities by either:

We aim to respond to security reports within 24 hours and will keep you updated on our progress.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client 

type Client struct {
	*openai.Client
	// contains filtered or unexported fields
}

Client wraps the OpenAI client to provide secure inference through Tinfoil

func NewClient 

func NewClient(openaiOpts ...option.RequestOption) (*Client, error)

NewClient creates a new secure OpenAI client using default parameters

func NewClientWithParams 

func NewClientWithParams(enclave, repo string, openaiOpts ...option.RequestOption) (*Client, error)

NewClientWithParams creates a new secure OpenAI client with explicit enclave and repo parameters

func (*Client) Enclave added in v0.1.2 

func (c *Client) Enclave() string

func (*Client) Repo added in v0.1.2 

func (c *Client) Repo() string

type Enclave added in v0.0.5 

type Enclave struct {
	Host string
	Repo string
}

type LoadBalancer added in v0.0.5 

type LoadBalancer struct {
	// contains filtered or unexported fields
}

func NewLoadBalancer added in v0.0.5 

func NewLoadBalancer(enclaves []Enclave, openaiOpts ...option.RequestOption) (*LoadBalancer, error)

func (*LoadBalancer) NextClient added in v0.0.5 

func (lb *LoadBalancer) NextClient() *Client

NextClient returns the next client in round robin fashion using atomic operations

Source Files

View all Source files

Directories

Path Synopsis
examples
chat command

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.