Skip to content

feat(deployment): download attestation evidence for confidential compute leases#3359

Merged
baktun14 merged 6 commits into
mainfrom
feat/deployment-download-attestation-evidence
Jun 25, 2026
Merged

feat(deployment): download attestation evidence for confidential compute leases#3359
baktun14 merged 6 commits into
mainfrom
feat/deployment-download-attestation-evidence

Conversation

@baktun14

@baktun14 baktun14 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Why

Tenants running a Confidential Compute (TEE) workload need to obtain the hardware-signed attestation evidence for their running lease so they can independently confirm the workload is genuinely running inside a Trusted Execution Environment.

Part of CON-540

Auth note for reviewers: CON-540's spec note says the attestation endpoint requires mTLS with the lease owner's key. This PR intentionally uses the JWT provider-proxy path instead: deploy-web's mTLS/certificate flows were removed in #3217, and the live CC provider was confirmed to return quotes over the JWT/API-key path. The mTLS note reads as spec-derived/outdated. The hardware-vendor validation + per-report verdict display is the separate follow-up CON-552.

Token model — stacked on #3360. The attestation scope is not on the shared global managed-wallet token. It was briefly added there (CON-575) but that broke manifest sends on every non-TEE provider (they reject the unknown scope), so #3360 reverts it. This PR instead mints an ephemeral, single-provider granular token carrying only attestation (useProviderJwt.generateScopedProviderToken) at download time, scoped to the CC lease's provider. Only TEE-capable providers accept the scope, and the trigger is already gated to CC leases, so the scoped token is only ever sent where the provider accepts it. Base this PR on #3360; merge #3360 first.

What

From the deployment detail view of a running Confidential Compute lease (and only when behind the new ui_confidential_compute flag, and the on-chain group declares a tee/type), the tenant can fetch and download the attestation evidence:

  • POST /lease/{dseq}/{gseq}/{oseq}/attestation/quote via the existing JWT provider-proxy path — front-end only, no API/provider-proxy/backend change.
  • A fresh 64-byte nonce is generated per request ({ nonce, bind_tls: false }) so the evidence is bound to that request.
  • A preview modal shows the platform, the single CPU report, and a list of per-GPU reports (with device indices), making the CPU-vs-per-GPU split explicit. A Download JSON action saves the full bundle.
  • The trigger renders nothing for non-Confidential-Compute deployments, when the lease is not live, or when the flag is off.

Changes

  • ui_confidential_compute added to the FeatureFlag union.
  • generateAttestationNonce() + AttestationQuote/TeePlatform types in confidentialCompute.ts.
  • ProviderProxyService.fetchAttestationQuote().
  • useAttestationQuoteMutation (mutation, not query — evidence is never cached); mints a per-provider attestation-scoped token via useProviderJwt.generateScopedProviderToken instead of using the global token.
  • useProviderJwt.generateScopedProviderToken — ephemeral, single-provider granular token (access: "granular", not persisted to the JWT atom / managed-wallet storage).
  • AttestationEvidenceModal + DownloadAttestationEvidence, wired into LeaseRow.

Tests cover the nonce util, the service request shape, the mutation hook, and both components (76 passing across the affected files).

Follow-ups / notes

  • The AttestationQuote shape (esp. gpu_reports[].index/.report) is from AEP-83 §5 and should be confirmed against the live CC provider (pro6000.hou, snp-gpu) before merge.
  • The Unleash flag ui_confidential_compute must be registered server-side; it defaults off. Use NEXT_PUBLIC_UNLEASH_ENABLE_ALL for local testing.

Summary by CodeRabbit

  • New Features

    • Added an attestation evidence action for eligible live leases.
    • Users can view attestation details, including CPU and GPU report information where available.
    • Users can download the evidence as a JSON file.
  • Bug Fixes

    • Added clearer loading, error, and retry handling when attestation evidence cannot be fetched.
    • The attestation action now only appears when it is relevant to the lease state and platform.

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds attestation quote types and nonce generation, fetches evidence through provider proxy calls authenticated with scoped provider JWTs, exposes a React Query mutation, and adds deployment UI for opening, downloading, retrying, and rendering attestation evidence.

Changes

Confidential compute attestation

Layer / File(s) Summary
Nonce and quote types
apps/deploy-web/src/utils/confidentialCompute.ts, apps/deploy-web/src/utils/confidentialCompute.spec.ts
TeePlatform, attestation quote/evidence types, and 64-byte nonce generation are added and tested.
Scoped provider JWT generation
apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.ts, apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.spec.tsx
The JWT hook removes "attestation" from the default persisted scope and adds per-provider scoped token generation, with success and failure coverage.
Provider quote fetch
apps/deploy-web/src/services/provider-proxy/provider-proxy.service.ts, apps/deploy-web/src/services/provider-proxy/provider-proxy.service.spec.ts
ProviderProxyService posts attestation quote requests with generated nonces and returns quote plus nonce, with HTTP assertions in tests.
Quote mutation hook
apps/deploy-web/src/queries/useAttestationQuoteMutation.ts, apps/deploy-web/src/queries/useAttestationQuoteMutation.spec.ts
The mutation validates provider input, mints an attestation-scoped token, forwards lease coordinates to the proxy, and is covered by hook tests.
Evidence modal
apps/deploy-web/src/components/deployments/AttestationEvidenceModal.tsx, apps/deploy-web/src/components/deployments/AttestationEvidenceModal.spec.tsx
The modal fetches evidence on mount, renders pending/error/success states, shows CPU/GPU reports, and downloads a JSON bundle.
Launcher and lease row wiring
apps/deploy-web/src/components/deployments/DownloadAttestationEvidence.tsx, apps/deploy-web/src/components/deployments/DownloadAttestationEvidence.spec.tsx, apps/deploy-web/src/components/deployments/LeaseRow.tsx
The attestation evidence trigger is gated by live lease, provider, and TEE checks, opens the modal, and is inserted into the lease row, with trigger tests.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • akash-network/console#3228: Adds attestation-quote fetching and the provider JWT plumbing used by the same ensureToken-based provider-proxy path.
  • akash-network/console#3360: Updates useProviderJwt scope handling by removing "attestation" from the default token request while keeping scoped attestation token generation separate.

Suggested labels

size: XL

Suggested reviewers

  • stalniy
  • ygrishajev
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/deployment-download-attestation-evidence

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jun 24, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.24%. Comparing base (0da5034) to head (bc4d563).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3359      +/-   ##
==========================================
- Coverage   69.62%   68.24%   -1.39%     
==========================================
  Files        1088      998      -90     
  Lines       26651    24330    -2321     
  Branches     6406     5949     -457     
==========================================
- Hits        18555    16603    -1952     
+ Misses       7105     6768     -337     
+ Partials      991      959      -32     
Flag Coverage Δ *Carryforward flag
api 84.98% <ø> (ø) Carriedforward from 1810645
deploy-web 55.20% <ø> (ø) Carriedforward from 1810645
log-collector ?
notifications 91.37% <ø> (ø) Carriedforward from 1810645
provider-console 81.38% <ø> (ø) Carriedforward from 1810645
provider-inventory ?
provider-proxy 86.26% <ø> (ø) Carriedforward from 1810645
tx-signer ?

*This pull request uses carry forward flags. Click here to find out more.

Files with missing lines Coverage Δ
...deploy-web/src/components/deployments/LeaseRow.tsx 0.00% <ø> (ø)
...loy-web/src/hooks/useProviderJwt/useProviderJwt.ts 94.87% <ø> (ø)
.../services/provider-proxy/provider-proxy.service.ts 96.10% <ø> (ø)

... and 90 files with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (2)
apps/deploy-web/src/components/deployments/AttestationEvidenceModal.spec.tsx (1)

60-63: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Avoid casting the mocked hook result through unknown.

This can hide missing fields on the mutation state and makes the test less trustworthy than it looks. Use mock<ReturnType<typeof DEPENDENCIES.useAttestationQuoteMutation>>({...}) for the returned value instead. As per coding guidelines, "Use vitest-mock-extended with mock() and MockProxy<T> for mocking in tests" and "Use mock<T>() instead of as unknown as <Type> for type casting in tests."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/deploy-web/src/components/deployments/AttestationEvidenceModal.spec.tsx`
around lines 60 - 63, The mocked return value in
AttestationEvidenceModal.spec.tsx is being forced through unknown, which can
mask missing mutation-state fields. Update the useAttestationQuoteMutation test
double to return a properly typed mock using mock<ReturnType<typeof
DEPENDENCIES.useAttestationQuoteMutation>>({...}) instead of an as unknown as
cast, so the mocked hook result stays fully type-checked and aligned with the
real mutation shape.

Source: Coding guidelines

apps/deploy-web/src/services/provider-proxy/provider-proxy.service.spec.ts (1)

1132-1144: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use a typed MockProxy<HttpClient> here instead of casting through unknown.

The as unknown as HttpClient / as Mock casts switch off the type checking this test should be giving you around post(). Building the client with mock<HttpClient>() and stubbing post afterward keeps the request-shape assertions type-safe. As per coding guidelines, "Use vitest-mock-extended with mock() and MockProxy<T> for mocking in tests" and "Use mock<T>() instead of as unknown as <Type> for type casting in tests."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/deploy-web/src/services/provider-proxy/provider-proxy.service.spec.ts`
around lines 1132 - 1144, The test is bypassing type safety by casting the
HttpClient mock through unknown and then treating post as an untyped Mock.
Update the fetchAttestationQuote test setup to use a typed MockProxy<HttpClient>
created with mock() and stub post directly on that mock, then read the call
arguments from the typed mock instead of casting. Keep the assertions around
service.fetchAttestationQuote and the payload shape, but remove the as unknown
as HttpClient and as Mock casts so the post() request checks remain type-safe.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/deploy-web/src/components/deployments/DownloadAttestationEvidence.tsx`:
- Around line 29-42: The launcher in DownloadAttestationEvidence should also be
blocked when provider is missing, since Props allows a nullable provider and
LeaseRow can pass an undefined result from providers?.find(...). Update the
early-return guard in DownloadAttestationEvidence to require provider before
rendering the button/modal, so the AttestationEvidenceModal is never opened in a
state that will immediately fail with “Provider is not available for this
lease.”

In `@apps/deploy-web/src/services/provider-proxy/provider-proxy.service.ts`:
- Around line 62-67: The attestation quote fetch in provider-proxy.service.ts is
missing a finite timeout, so a stalled provider can leave the flow pending
forever. Update the request call inside the provider proxy attestation quote
path to pass a timeout value through this request() invocation, using the
existing request timeout support, and keep the current error handling/retry
behavior intact. Locate the change around the request<AttestationQuote> call in
the provider proxy service.
- Around line 54-68: The attestation quote flow in fetchAttestationQuote
generates a nonce but does not return it, so callers cannot persist the
freshness challenge alongside the quote. Update fetchAttestationQuote in
provider-proxy.service.ts to include the generated nonce in its returned result,
and adjust the AttestationQuote shape or returned object construction as needed
so the nonce is available to the download flow together with response.data.

In `@apps/deploy-web/src/utils/confidentialCompute.ts`:
- Around line 198-210: The attestation payload types currently overstate the
provider contract: in GpuAttestationReport and AttestationQuote, fields like
report, tee_platform, index, and gpu_reports are marked required even though the
gateway boundary can omit them. Update these type definitions to reflect the raw
provider response by making the boundary fields optional, or add a
validation/narrowing step before exposing AttestationQuote so downstream code
only sees a truly strict shape. Use the existing GpuAttestationReport and
AttestationQuote symbols in confidentialCompute.ts to keep the raw input
contract aligned with the documented behavior.

---

Nitpick comments:
In
`@apps/deploy-web/src/components/deployments/AttestationEvidenceModal.spec.tsx`:
- Around line 60-63: The mocked return value in
AttestationEvidenceModal.spec.tsx is being forced through unknown, which can
mask missing mutation-state fields. Update the useAttestationQuoteMutation test
double to return a properly typed mock using mock<ReturnType<typeof
DEPENDENCIES.useAttestationQuoteMutation>>({...}) instead of an as unknown as
cast, so the mocked hook result stays fully type-checked and aligned with the
real mutation shape.

In `@apps/deploy-web/src/services/provider-proxy/provider-proxy.service.spec.ts`:
- Around line 1132-1144: The test is bypassing type safety by casting the
HttpClient mock through unknown and then treating post as an untyped Mock.
Update the fetchAttestationQuote test setup to use a typed MockProxy<HttpClient>
created with mock() and stub post directly on that mock, then read the call
arguments from the typed mock instead of casting. Keep the assertions around
service.fetchAttestationQuote and the payload shape, but remove the as unknown
as HttpClient and as Mock casts so the post() request checks remain type-safe.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 80053c99-7848-431f-9761-f968dd8eea6a

📥 Commits

Reviewing files that changed from the base of the PR and between 0da5034 and dae1a4e.

📒 Files selected for processing (12)
  • apps/deploy-web/src/components/deployments/AttestationEvidenceModal.spec.tsx
  • apps/deploy-web/src/components/deployments/AttestationEvidenceModal.tsx
  • apps/deploy-web/src/components/deployments/DownloadAttestationEvidence.spec.tsx
  • apps/deploy-web/src/components/deployments/DownloadAttestationEvidence.tsx
  • apps/deploy-web/src/components/deployments/LeaseRow.tsx
  • apps/deploy-web/src/queries/useAttestationQuoteMutation.spec.ts
  • apps/deploy-web/src/queries/useAttestationQuoteMutation.ts
  • apps/deploy-web/src/services/provider-proxy/provider-proxy.service.spec.ts
  • apps/deploy-web/src/services/provider-proxy/provider-proxy.service.ts
  • apps/deploy-web/src/types/feature-flags.ts
  • apps/deploy-web/src/utils/confidentialCompute.spec.ts
  • apps/deploy-web/src/utils/confidentialCompute.ts

Comment thread apps/deploy-web/src/services/provider-proxy/provider-proxy.service.ts Outdated
Comment thread apps/deploy-web/src/utils/confidentialCompute.ts
PR #3353 added "attestation" to the global managed-wallet provider JWT
scope unconditionally. Field and non-TEE providers validate the scope
against an enum that does not include "attestation" and reject the entire
JWT with "JWT has invalid claims", so manifest sends fail for every managed
deployment and the deployment never goes active.

Revert the global scope back to the base set. The attestation scope is only
needed to call the provider attestationQuote endpoint, which has no consumer
on this token; it moves to a per-provider granular token for confidential
compute attestation-evidence downloads (#3359).
baktun14 added 2 commits June 24, 2026 15:05
…ute leases

Surface a download for a running Confidential Compute lease's hardware-signed
attestation evidence (AEP-83 §5). A fresh 64-byte nonce is sent per request so
the returned evidence is bound to that request; the preview distinguishes the
single CPU report from per-GPU reports and saves the full bundle as JSON.

Fetched over the existing JWT provider-proxy path (the managed-wallet token
carries the `attestation` scope) — front-end only, no backend change. Gated
behind the new `ui_confidential_compute` flag and only shown for running
deployments whose on-chain group declares a tee/type.

Part of CON-540
@baktun14 baktun14 force-pushed the feat/deployment-download-attestation-evidence branch from d0ad120 to 01b95b3 Compare June 24, 2026 19:23
@baktun14 baktun14 changed the base branch from main to fix/jwt-revert-global-attestation-scope June 24, 2026 19:23
…wnload

The provider attestationQuote endpoint requires the `attestation` JWT scope.
#3360 removed that scope from the shared global managed-wallet token because
non-TEE providers reject it. Add useProviderJwt.generateScopedProviderToken to
mint an ephemeral, single-provider granular token carrying only `attestation`,
and use it from useAttestationQuoteMutation instead of the global token.

Only TEE-capable providers accept the scope, and the download trigger already
renders solely for confidential-compute leases, so the scoped token is
requested only where the provider accepts it.

Ref CON-575
@baktun14 baktun14 force-pushed the feat/deployment-download-attestation-evidence branch from 01b95b3 to 3feebb6 Compare June 24, 2026 19:34
…d the fetch

Return the per-request nonce alongside the quote and include it in the
downloaded bundle so the evidence can be verified for freshness against the
hardware-signed report_data. Give the attestation quote fetch a finite 60s
timeout so a stalled provider surfaces the modal's error/retry UI instead of
hanging in a pending state.

Addresses CodeRabbit review feedback on PR #3359.
Base automatically changed from fix/jwt-revert-global-attestation-scope to main June 24, 2026 20:26
…ion download

The download already only renders for live leases whose on-chain group
declares a TEE type, so it never surfaces for non-Confidential-Compute
deployments. The feature flag was redundant.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.spec.tsx (1)

105-107: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Avoid as unknown as HttpClient in mocks.

These casts bypass the test mocking convention; create the mock as mock<HttpClient>() and configure post on the mock instead. As per coding guidelines, “Use mock<T>() instead of as unknown as <Type> for type casting in tests.”

Also applies to: 137-137, 151-151

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.spec.tsx` around
lines 105 - 107, The test mock setup for consoleApiHttpClient in
useProviderJwt.spec.tsx should avoid the unsafe `as unknown as HttpClient` cast
and follow the test mocking convention instead. Update the mock creation to use
`mock<HttpClient>()` directly, then configure the `post` method on that mock for
the resolved token response; apply the same pattern to the other affected mock
instances in this spec so the tests rely on typed mocks rather than type
assertions.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.spec.tsx`:
- Around line 105-107: The test mock setup for consoleApiHttpClient in
useProviderJwt.spec.tsx should avoid the unsafe `as unknown as HttpClient` cast
and follow the test mocking convention instead. Update the mock creation to use
`mock<HttpClient>()` directly, then configure the `post` method on that mock for
the resolved token response; apply the same pattern to the other affected mock
instances in this spec so the tests rely on typed mocks rather than type
assertions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9184cf18-bbc4-4c27-ad69-86ba32e85bbe

📥 Commits

Reviewing files that changed from the base of the PR and between d0ad120 and bc4d563.

📒 Files selected for processing (13)
  • apps/deploy-web/src/components/deployments/AttestationEvidenceModal.spec.tsx
  • apps/deploy-web/src/components/deployments/AttestationEvidenceModal.tsx
  • apps/deploy-web/src/components/deployments/DownloadAttestationEvidence.spec.tsx
  • apps/deploy-web/src/components/deployments/DownloadAttestationEvidence.tsx
  • apps/deploy-web/src/components/deployments/LeaseRow.tsx
  • apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.spec.tsx
  • apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.ts
  • apps/deploy-web/src/queries/useAttestationQuoteMutation.spec.ts
  • apps/deploy-web/src/queries/useAttestationQuoteMutation.ts
  • apps/deploy-web/src/services/provider-proxy/provider-proxy.service.spec.ts
  • apps/deploy-web/src/services/provider-proxy/provider-proxy.service.ts
  • apps/deploy-web/src/utils/confidentialCompute.spec.ts
  • apps/deploy-web/src/utils/confidentialCompute.ts
🚧 Files skipped from review as they are similar to previous changes (7)
  • apps/deploy-web/src/components/deployments/LeaseRow.tsx
  • apps/deploy-web/src/utils/confidentialCompute.spec.ts
  • apps/deploy-web/src/services/provider-proxy/provider-proxy.service.ts
  • apps/deploy-web/src/utils/confidentialCompute.ts
  • apps/deploy-web/src/components/deployments/AttestationEvidenceModal.spec.tsx
  • apps/deploy-web/src/services/provider-proxy/provider-proxy.service.spec.ts
  • apps/deploy-web/src/components/deployments/AttestationEvidenceModal.tsx

@baktun14 baktun14 added this pull request to the merge queue Jun 25, 2026
Merged via the queue into main with commit 443757e Jun 25, 2026
57 checks passed
@baktun14 baktun14 deleted the feat/deployment-download-attestation-evidence branch June 25, 2026 13:01
baktun14 added a commit to akash-network/console-air that referenced this pull request Jun 25, 2026
…ute leases

Port akash-network/console#3359 (upstream CON-540) into the self-custody fork, adapted to
mTLS. From a running Confidential Compute lease's detail view the tenant can fetch and
download the hardware-signed attestation evidence to verify the workload independently.

- generateAttestationNonce + attestation types (AttestationQuote/Evidence) in
  confidentialCompute, with a fresh 64-byte nonce bound to each request
- provider-proxy fetchAttestationQuote: POST /lease/{dseq}/{gseq}/{oseq}/attestation/quote
- useAttestationQuoteMutation, the evidence preview modal, and a self-gating trigger
  wired into the lease row

Auth adaptation: upstream fetches the quote over a managed-wallet granular JWT
(generateScopedProviderToken / /v1/create-jwt-token), which this fork has no equivalent
for. Instead the call reuses useProviderCredentials().details (mTLS, JWT only when the
chain is down) — the same path status/logs/shell/manifest already use. The download trigger
gates on live lease + on-chain tee/type + usable credentials, matching the fork convention
so it never fires an uncredentialed provider request (the deployment view shows a
CreateCredentialsButton when no usable credential exists).
baktun14 added a commit to akash-network/console-air that referenced this pull request Jun 25, 2026
…ute leases (#38)

Port akash-network/console#3359 (upstream CON-540) into the self-custody fork, adapted to
mTLS. From a running Confidential Compute lease's detail view the tenant can fetch and
download the hardware-signed attestation evidence to verify the workload independently.

- generateAttestationNonce + attestation types (AttestationQuote/Evidence) in
  confidentialCompute, with a fresh 64-byte nonce bound to each request
- provider-proxy fetchAttestationQuote: POST /lease/{dseq}/{gseq}/{oseq}/attestation/quote
- useAttestationQuoteMutation, the evidence preview modal, and a self-gating trigger
  wired into the lease row

Auth adaptation: upstream fetches the quote over a managed-wallet granular JWT
(generateScopedProviderToken / /v1/create-jwt-token), which this fork has no equivalent
for. Instead the call reuses useProviderCredentials().details (mTLS, JWT only when the
chain is down) — the same path status/logs/shell/manifest already use. The download trigger
gates on live lease + on-chain tee/type + usable credentials, matching the fork convention
so it never fires an uncredentialed provider request (the deployment view shows a
CreateCredentialsButton when no usable credential exists).
domhhv pushed a commit to domhhv/akash-network-console that referenced this pull request Jun 27, 2026
…kash-network#3360)

PR akash-network#3353 added "attestation" to the global managed-wallet provider JWT
scope unconditionally. Field and non-TEE providers validate the scope
against an enum that does not include "attestation" and reject the entire
JWT with "JWT has invalid claims", so manifest sends fail for every managed
deployment and the deployment never goes active.

Revert the global scope back to the base set. The attestation scope is only
needed to call the provider attestationQuote endpoint, which has no consumer
on this token; it moves to a per-provider granular token for confidential
compute attestation-evidence downloads (akash-network#3359).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants