feat: generate token if needed #6
Walkthrough
This PR adds Private Ephemeral Rollup (PER) TEE authentication support. A new core auth module implements challenge/response authentication, URL helpers manage session tokens, and both bencher and assist applications conditionally authenticate at startup using vault-signed callbacks.
Changes: Private Ephemeral Rollup TEE Authentication
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@assist/src/close.rs`:
- Around line 25-32: You load the vault with crate::common::load_vault(&config)
and then call Closer::new(&config).await which loads the vault again; change
Closer::new to accept the already-loaded vault (e.g., add a parameter like
vault: &Vault or Vault) and update its callers so you pass the vault you created
here instead of letting Closer::new reload it; adjust the Closer::new signature
and implementation to use the provided vault and remove the redundant load there
(refer to load_vault, vault variable, core::auth::authenticate_tee, and
Closer::new to locate the spots to change).
In `@core/src/auth.rs`:
- Around line 40-48: The reqwest client is created without a timeout which can
hang the auth challenge request; change the creation of client (the variable
named client used to request ChallengeResponse from
"{base_url}/auth/challenge?pubkey={pubkey}") to use
reqwest::Client::builder().timeout(Duration::from_secs(N)).build()? (pick a
sensible N like 10 or 30) and add the necessary std::time::Duration import;
ensure the build() result is handled (propagate or return the error) so the code
still awaits and parses the ChallengeResponse as before.
- Around line 70-75: The current logic parses the response JSON unconditionally
which causes JSON deserialization errors to mask real HTTP errors; update the
code around the response handling (the local variable response and the
LoginResponse parsing) to first check response.status().is_success(), and only
call response.json().await to deserialize into LoginResponse when succeeded is
true; if not succeeded, call response.text().await to capture the server body
(falling back to a generic message if empty) and return an Err with that text
(e.g., "TEE authentication failed: <body>"); ensure any JSON parse errors on
successful responses are still propagated as before.
In `@core/src/types.rs`:
- Around line 132-140: with_token currently injects token raw into the query
which can break parsing; percent-encode the token before building
path_and_query. Add percent-encoding = "2" to Cargo.toml, import
percent_encoding (e.g. percent_encode_str or utf8_percent_encode with an
appropriate encode set) in types.rs, call it on token and use the encoded string
in both branches where path_and_query is built inside with_token, and leave the
final full -> hyper::Uri parse and Url wrapper unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 379a5da0-6c53-4448-812a-f70c70a52b14
⛔ Files ignored due to path filters (1)
- Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (8)
- assist/src/close.rs
- bencher/src/main.rs
- config.example.toml
- core/Cargo.toml
- core/src/auth.rs
- core/src/config.rs
- core/src/lib.rs
- core/src/types.rs
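The `with_token` finding above, as an added example that is not code from this PR or the project: a std-only Rust sketch showing how a raw token in the query string is misread on the receiving side and how percent-encoding preserves it. The function bodies, the `query_param` parser, the `/rpc?cluster=dev` path and the sample token are all constructed for illustration; the project's `with_token` builds a `hyper::Uri`, and the review suggests the `percent-encoding` crate rather than a hand-written encoder.

```rust
// Added example, std only; names, path and sample token are constructed.

/// Percent-encode every byte except RFC 3986 unreserved characters.
fn encode_component(s: &str) -> String {
    s.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{b:02X}"),
    }).collect()
}

/// Append `token=<value>`, covering both branches: existing query or none.
fn with_token(path_and_query: &str, token: &str, encode: bool) -> String {
    let value = if encode { encode_component(token) } else { token.to_string() };
    let sep = if path_and_query.contains('?') { '&' } else { '?' };
    format!("{path_and_query}{sep}token={value}")
}

/// Decode %XX escapes; malformed escapes are kept literally.
fn decode_component(s: &str) -> String {
    let (b, mut out, mut i) = (s.as_bytes(), Vec::new(), 0);
    while i < b.len() {
        let hex = if b[i] == b'%' { s.get(i + 1..i + 3) } else { None };
        let hex = hex.filter(|h| h.bytes().all(|c| c.is_ascii_hexdigit()));
        match hex.and_then(|h| u8::from_str_radix(h, 16).ok()) {
            Some(byte) => { out.push(byte); i += 3; }
            None => { out.push(b[i]); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// What a receiving parser sees: drop the fragment, split on '&' and '='.
fn query_param(path_and_query: &str, key: &str) -> Option<String> {
    let query = path_and_query.split_once('?')?.1.split('#').next()?;
    query.split('&').find_map(|pair| {
        let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
        (k == key).then(|| decode_component(v))
    })
}

fn main() {
    let token = "aB+c/d=&e#f"; // constructed sample, not a real session token
    for url in [false, true].map(|e| with_token("/rpc?cluster=dev", token, e)) {
        println!("{url} -> {:?}", query_param(&url, "token"));
    }
}
```

With the raw token the receiver recovers only the part before the first `&`, so authentication would fail with a token that looks valid on the client side.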
TEE validators need an auth token to accept some requests. This PR adds the auth as part of the flow to avoid having to do it manually and put the token in the config.
Summary by CodeRabbit
tee configuration option, automatic authentication occurs during startup and session tokens are transparently managed for secure API communication.