Skip to content

fix(jwt): remove attestation from global managed-wallet token scope#3360

Merged
baktun14 merged 1 commit into
mainfrom
fix/jwt-revert-global-attestation-scope
Jun 24, 2026
Merged

fix(jwt): remove attestation from global managed-wallet token scope#3360
baktun14 merged 1 commit into
mainfrom
fix/jwt-revert-global-attestation-scope

Conversation

@baktun14

@baktun14 baktun14 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Why

PR #3353 (CON-575 console rollout) added "attestation" to the global managed-wallet provider JWT scope unconditionally. Field and non-TEE providers validate the scope against an enum that does not include "attestation" and reject the entire JWT with "JWT has invalid claims". As a result manifest sends fail for every managed deployment (not just CC ones), the deployment never goes active, and the two real-deployment E2E specs time out at validateLease():

  • apps/deploy-web/tests/ui/managed-wallet-deployment.spec.ts
  • apps/deploy-web/tests/ui/managed-wallet-alerts.spec.ts

The attestation scope is a distinct ActionScope value that only gates the provider attestationQuote endpoint (/v1/lease/attestation/quote); it is not needed to send a manifest, and nothing on the global token calls that endpoint. Deploying a CC (TEE) workload does not need it either, since sidecar injection rides the manifest tee.attestation flag (auto-set by chain-sdk generateManifest), not the JWT.

This reverts the global scope to the base set. The attestation scope moves to a per-provider granular token, requested only for confidential-compute attestation-evidence downloads, in #3359.

Ref CON-575

What

Remove "attestation" from the global access: "scoped" token request in useProviderJwt.ts and update the corresponding spec expectation. No other behavior changes.

Summary by CodeRabbit

  • Bug Fixes
    • Reduced the permissions requested when generating access tokens, removing an unnecessary scope while keeping the rest of the token behavior unchanged.
    • Updated the related test expectation to match the new token request payload.

PR #3353 added "attestation" to the global managed-wallet provider JWT
scope unconditionally. Field and non-TEE providers validate the scope
against an enum that does not include "attestation" and reject the entire
JWT with "JWT has invalid claims", so manifest sends fail for every managed
deployment and the deployment never goes active.

Revert the global scope back to the base set. The attestation scope is only
needed to call the provider attestationQuote endpoint, which has no consumer
on this token; it moves to a per-provider granular token for confidential
compute attestation-evidence downloads (#3359).
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0084774c-2a25-48cb-9a85-f171ce32153e

📥 Commits

Reviewing files that changed from the base of the PR and between 0da5034 and 1810645.

📒 Files selected for processing (2)
  • apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.spec.tsx
  • apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.ts

📝 Walkthrough

Walkthrough

The provider JWT request no longer includes the attestation lease scope, and the corresponding spec expectation was updated to match.

Changes

Provider JWT scope update

Layer / File(s) Summary
JWT request scope update
apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.ts, apps/deploy-web/src/hooks/useProviderJwt/useProviderJwt.spec.tsx
The JWT creation payload removes attestation from leases.access.scope, and the test expectation reflects the narrower scope list.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

size: L

Suggested reviewers

  • ygrishajev
  • stalniy
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/jwt-revert-global-attestation-scope

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed: one or more packages not found in the registry.


Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jun 24, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.24%. Comparing base (0da5034) to head (1810645).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3360      +/-   ##
==========================================
- Coverage   69.62%   68.24%   -1.39%     
==========================================
  Files        1088      998      -90     
  Lines       26651    24330    -2321     
  Branches     6406     5949     -457     
==========================================
- Hits        18555    16603    -1952     
+ Misses       7105     6768     -337     
+ Partials      991      959      -32     
Flag Coverage Δ *Carryforward flag
api 84.98% <ø> (ø) Carriedforward from 0da5034
deploy-web 55.20% <ø> (ø) Carriedforward from 0da5034
log-collector ?
notifications 91.37% <ø> (ø) Carriedforward from 0da5034
provider-console 81.38% <ø> (ø) Carriedforward from 0da5034
provider-inventory ?
provider-proxy 86.26% <ø> (ø) Carriedforward from 0da5034
tx-signer ?

*This pull request uses carry forward flags. Click here to find out more.

Files with missing lines Coverage Δ
...loy-web/src/hooks/useProviderJwt/useProviderJwt.ts 94.87% <ø> (ø)

... and 90 files with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

baktun14 added a commit that referenced this pull request Jun 24, 2026
…wnload

The provider attestationQuote endpoint requires the `attestation` JWT scope.
#3360 removed that scope from the shared global managed-wallet token because
non-TEE providers reject it. Add useProviderJwt.generateScopedProviderToken to
mint an ephemeral, single-provider granular token carrying only `attestation`,
and use it from useAttestationQuoteMutation instead of the global token.

Only TEE-capable providers accept the scope, and the download trigger already
renders solely for confidential-compute leases, so the scoped token is
requested only where the provider accepts it.

Ref CON-575
baktun14 added a commit that referenced this pull request Jun 24, 2026
…wnload

The provider attestationQuote endpoint requires the `attestation` JWT scope.
#3360 removed that scope from the shared global managed-wallet token because
non-TEE providers reject it. Add useProviderJwt.generateScopedProviderToken to
mint an ephemeral, single-provider granular token carrying only `attestation`,
and use it from useAttestationQuoteMutation instead of the global token.

Only TEE-capable providers accept the scope, and the download trigger already
renders solely for confidential-compute leases, so the scoped token is
requested only where the provider accepts it.

Ref CON-575
@baktun14 baktun14 added this pull request to the merge queue Jun 24, 2026
Merged via the queue into main with commit 06d1248 Jun 24, 2026
57 checks passed
@baktun14 baktun14 deleted the fix/jwt-revert-global-attestation-scope branch June 24, 2026 20:26
domhhv pushed a commit to domhhv/akash-network-console that referenced this pull request Jun 27, 2026
…ute leases (akash-network#3359)

* fix(jwt): remove attestation from global managed-wallet token scope

PR akash-network#3353 added "attestation" to the global managed-wallet provider JWT
scope unconditionally. Field and non-TEE providers validate the scope
against an enum that does not include "attestation" and reject the entire
JWT with "JWT has invalid claims", so manifest sends fail for every managed
deployment and the deployment never goes active.

Revert the global scope back to the base set. The attestation scope is only
needed to call the provider attestationQuote endpoint, which has no consumer
on this token; it moves to a per-provider granular token for confidential
compute attestation-evidence downloads (akash-network#3359).

* feat(deployment): download attestation evidence for confidential compute leases

Surface a download for a running Confidential Compute lease's hardware-signed
attestation evidence (AEP-83 §5). A fresh 64-byte nonce is sent per request so
the returned evidence is bound to that request; the preview distinguishes the
single CPU report from per-GPU reports and saves the full bundle as JSON.

Fetched over the existing JWT provider-proxy path (the managed-wallet token
carries the `attestation` scope) — front-end only, no backend change. Gated
behind the new `ui_confidential_compute` flag and only shown for running
deployments whose on-chain group declares a tee/type.

Part of CON-540

* refactor(deployment): guard attestation download on resolved provider and extract report label

* feat(deployment): mint per-provider token for attestation evidence download

The provider attestationQuote endpoint requires the `attestation` JWT scope.
akash-network#3360 removed that scope from the shared global managed-wallet token because
non-TEE providers reject it. Add useProviderJwt.generateScopedProviderToken to
mint an ephemeral, single-provider granular token carrying only `attestation`,
and use it from useAttestationQuoteMutation instead of the global token.

Only TEE-capable providers accept the scope, and the download trigger already
renders solely for confidential-compute leases, so the scoped token is
requested only where the provider accepts it.

Ref CON-575

* fix(deployment): bind attestation evidence to its nonce and time-bound the fetch

Return the per-request nonce alongside the quote and include it in the
downloaded bundle so the evidence can be verified for freshness against the
hardware-signed report_data. Give the attestation quote fetch a finite 60s
timeout so a stalled provider surfaces the modal's error/retry UI instead of
hanging in a pending state.

Addresses CodeRabbit review feedback on PR akash-network#3359.

* refactor(deployment): drop ui_confidential_compute flag from attestation download

The download already only renders for live leases whose on-chain group
declares a TEE type, so it never surfaces for non-Confidential-Compute
deployments. The feature flag was redundant.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants