Skip to content

Add ConfidentialLLM: one-call Oblivious HTTP chat client#303

Merged
adambalogh merged 3 commits into
mainfrom
claude/sdk-confidential-inference-q67zzr
Jul 1, 2026
Merged

Add ConfidentialLLM: one-call Oblivious HTTP chat client#303
adambalogh merged 3 commits into
mainfrom
claude/sdk-confidential-inference-q67zzr

Conversation

@adambalogh

Copy link
Copy Markdown
Collaborator

Summary

Adds ConfidentialLLM, a high-level client for verified, private chat completions over Oblivious HTTP (OHTTP). This is the same confidential inference path the OpenGradient browser chat app uses, enabling end-to-end encrypted requests to TEEs through an untrusted relay without requiring a wallet on the caller's side.

Key Changes

  • New module opengradient.client.confidential_llm: High-level convenience wrapper that:

    • Auto-discovers OHTTP-capable TEEs from the on-chain registry
    • Encrypts requests end-to-end (HPKE) to the enclave
    • POSTs ciphertext to the relay's confidential-inference path (/api/v1/chat/ohttp)
    • Verifies the enclave's signature before returning any content
    • Requires no wallet on the caller's side (relay holds the x402 account)
  • ConfidentialLLM class with:

    • Constructor that auto-resolves TEE from registry (with configurable RPC and registry address)
    • from_tee() class method to skip registry lookup for self-hosted or pinned enclaves
    • chat() method for argument-driven chat completions (mirrors OpenAI API shape)
    • chat_completion() and stream_chat_completion() escape hatches for raw request bodies
    • Support for streaming (fully buffered and verified before returning)
    • Per-request auth header provider for relay authentication
  • Helper functions:

    • _gateway_model(): Reduces "provider/model" IDs to gateway model names (e.g., "anthropic/claude-haiku-4-5""claude-haiku-4-5")
    • _confidential_inference_url(): Appends /api/v1/chat/ohttp path to relay URLs
  • Documentation: Full API docs in docs/opengradient/client/confidential_llm.md with usage examples

  • Example script examples/confidential_chat.py: Demonstrates end-to-end encrypted chat with TEE verification

  • Comprehensive tests in tests/confidential_llm_test.py: Full encrypt/sign/verify round trip through a self-contained OHTTP recipient fixture

  • Updated module exports: Added ConfidentialLLM to opengradient.__init__.py and client module docs

Implementation Details

  • Reuses existing OhttpRelayClient and TEERegistry infrastructure, focusing on the high-level convenience layer
  • Registry defaults (DEFAULT_RPC_URL, DEFAULT_TEE_REGISTRY_ADDRESS) are duplicated from llm.py to keep the confidential path free of x402/wallet dependencies
  • Request body building mirrors the browser chat app's buildInnerChatRequest logic
  • Streaming responses are fully buffered and verified before returning, ensuring stream_frames are safe to replay to end users
  • No wallet required: authentication to the relay is delegated to the caller via an optional auth_headers provider

https://claude.ai/code/session_015Z4QrXF4R4VGKia6hhTomc

Adds a high-level client that mirrors the chat app's OHTTP flow
(lib/api/ohttp.ts): auto-resolve an OHTTP-capable TEE from the on-chain
registry, POST HPKE-encrypted requests to the relay's confidential-inference
path (/api/v1/chat/ohttp), and verify the enclave's RSA-PSS signature before
returning any content.

Previously the SDK exposed only the low-level OhttpRelayClient, which forced
callers to build a TEERegistry, resolve the TEE, and know/append the endpoint
path by hand. ConfidentialLLM wraps all of that behind a single constructor and
a chat() convenience that builds the OpenAI request body (normalizing the
"provider/model" id to the gateway model name, like the chat app). It needs no
wallet on the caller's side — the untrusted relay holds the x402 account and
only ever sees ciphertext.

- New module src/opengradient/client/confidential_llm.py (ConfidentialLLM,
  from_tee, chat/chat_completion/stream_chat_completion, OHTTP_CHAT_ENDPOINT)
- Export from client and top-level package
- Test tests/confidential_llm_test.py (full encrypt/sign/verify round trip)
- Example examples/confidential_chat.py + README entry
- Regenerated pdoc docs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015Z4QrXF4R4VGKia6hhTomc
@adambalogh adambalogh marked this pull request as ready for review July 1, 2026 23:02
claude added 2 commits July 1, 2026 23:03
Add a Key Features bullet and a "Confidential Inference (Oblivious HTTP)"
section under Core Functionality, covering ConfidentialLLM: end-to-end
encrypted chat through an untrusted relay, client-side signature verification,
no wallet needed on the caller, auto-resolution of an OHTTP-capable TEE, and
the from_tee escape hatch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015Z4QrXF4R4VGKia6hhTomc
Implements the CLI-auth device flow the chat app exposes at /cli-auth
(app/(standalone)/cli-auth, CliAuth.tsx). login_chat_account() starts a
short-lived loopback HTTP listener, opens the authorization page pointed at it,
and returns the session the page posts back once the user signs in. The page
only ever posts to a loopback (127.0.0.1) address, so the token never leaves the
user's machine.

The listener answers the browser's CORS preflight (OPTIONS) as well as the JSON
POST — without the preflight response the browser blocks the callback and falls
back to manual copy/paste.

The returned ChatAccountAuth carries the access token plus the client config
(chat_api_base_url, TEE registry) and drops straight into ConfidentialLLM:

    auth = og.login_chat_account()
    client = og.ConfidentialLLM(
        relay_url=auth.chat_api_base_url,
        auth_headers=auth.auth_headers,
    )

- New module src/opengradient/client/chat_auth.py (login_chat_account,
  ChatAccountAuth)
- Export from client and top-level package
- Test tests/chat_auth_test.py (bundle parsing + end-to-end loopback flow with
  CORS preflight)
- examples/confidential_chat.py now logs in via the browser by default
- README + examples README + regenerated pdoc docs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015Z4QrXF4R4VGKia6hhTomc
Comment thread src/opengradient/client/chat_auth.py Dismissed
@adambalogh adambalogh merged commit 2261dc2 into main Jul 1, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants