
feat: add confidential compute support to SDL#312

Open
cloud-j-luna wants to merge 2 commits into main from feature/confidential-compute

Conversation

@cloud-j-luna
Member

@cloud-j-luna cloud-j-luna commented May 27, 2026

📝 Description

This PR adds support for Confidential Compute to the SDL and provider client.

🔧 Purpose of the Change

  • New feature implementation
  • Bug fix
  • Documentation update
  • Code refactoring
  • Dependency upgrade
  • Other: [specify]

✅ Checklist

  • I've updated relevant documentation
  • Code follows Akash Network's style guide
  • I've added/updated relevant unit tests
  • Dependencies have been properly updated
  • I agree and adhered to the Contribution Guidelines

@coderabbitai
Contributor

coderabbitai Bot commented May 27, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Adds Trusted Execution Environment (TEE) support across schema, SDL parsing/validation, manifest generation, and provider attestation APIs; includes YAML fixtures, unit tests, protobuf contract additions, and build-tooling updates.

Changes

TEE Support and Attestation Management

Layer / File(s) Summary
Protobuf TEE contracts
proto/node/akash/base/resources/v1beta4/tee.proto, proto/provider/akash/manifest/v2beta3/service.proto
Defines node-level TEE message and adds TEEParams plus optional tee field on ServiceParams to carry TEE type and attestation flag.
TEE type validation and parsing
go/sdl/tee.go
Implements TEE constants, allowed-type set, UnmarshalYAML decoding, validation (including GPU-requirement checks), attribute emission, and deterministic sorting.
SDL schema and service parameters
go/sdl/sdl-input.schema.yaml, go/sdl/v2.go
Adds services.*.params.tee schema (enum type, optional attestation) and TEE *v2ResourceTEE on v2ServiceParams.
Manifest translation in group builders
go/sdl/groupBuilder_v2.go, go/sdl/groupBuilder_v2_1.go
Validates TEE against GPU availability, projects TEE attributes into placement group requirements (stable-sorted), and sets manifest ServiceParams.TEE with Attestation defaulting to true unless specified.
Test fixtures and scenario coverage
go/sdl/_testdata/v2.1-*.yaml, go/sdl/v2_1_test.go
Adds multiple SDL v2.1 fixtures for confidential compute and TEE variants and tests verifying manifest TEE translation, attestation behavior, invalid-type errors, and GPU-requirement enforcement.
Provider attestation quote API
go/provider/client/path.go, go/provider/client/client.go
Adds LeaseAttestationQuotePath and Client.AttestationQuote implementation that POSTs request body to the lease attestation/quote endpoint and returns response bytes.
Build tooling updates
Makefile, make/setup-cache.mk, go/node/deployment/v1beta4/groupspec.go
Bumps golangci-lint to v2.12.2, moves semver major computation into recipe, fixes cleanup/dependency references, and a minor whitespace edit in groupspec.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I nibble schemas in the night,
TEE types lined up just right,
Attestation hops through code and test,
Secrets tucked in places best,
A small rabbit cheers confidential compute's might.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 16.67%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
Description check: ❓ Inconclusive. The description follows the template structure with explanation and purpose identified, but the checklist items are all unchecked despite the claimed implementation of documentation, tests, style adherence, and contribution guidelines. Resolution: mark completed checklist items to accurately reflect the work done (documentation, unit tests in v2_1_test.go, style adherence) and clarify any uncompleted items.

✅ Passed checks (3 passed)
Title check: ✅ Passed. The title 'feat: add confidential compute support to SDL' clearly and concisely describes the main feature being added across the changeset.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"


@cloud-j-luna cloud-j-luna marked this pull request as ready for review May 28, 2026 19:51
@cloud-j-luna cloud-j-luna requested a review from a team as a code owner May 28, 2026 19:51
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
go/provider/client/client.go (1)

924-926: ⚡ Quick win

Use ClientResponseError for non-OK responses for API consistency.

At Line 924, this method returns a plain formatted error, while other HTTP methods return typed ClientResponseError via shared handling. This makes downstream error handling inconsistent.

Suggested diff
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("attestation quote failed (status %d): %s", resp.StatusCode, string(body))
-	}
+	if err := createClientResponseErrorIfNotOK(resp, bytes.NewBuffer(body)); err != nil {
+		return nil, err
+	}
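Review bot: the replacement hands the already-consumed body back to createClientResponseErrorIfNotOK through bytes.NewBuffer(body), so client.go needs a `bytes` import and the helper must accept a reader for the body instead of re-reading resp.Body (which the surrounding code has already drained into `body`); confirm both before applying, otherwise the suggested hunk will not compile or the helper will see an empty body.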
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go/provider/client/client.go` around lines 924 - 926, Replace the plain
fmt.Errorf return in the non-OK branch with a typed ClientResponseError to match
the package's API error handling: when resp.StatusCode != http.StatusOK build
and return a ClientResponseError populated with the HTTP status code and
response body (use the existing resp and body variables) and include a clear
message like "attestation quote failed" so callers can assert on the concrete
ClientResponseError type instead of a plain error.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@make/setup-cache.mk`:
- Line 155: The target rule for $(GOLANGCI_LINT_VERSION_FILE) incorrectly lists
$(AP_DEVCACHE) as a prerequisite but the cache target defined in this Makefile
is $(AKASH_DEVCACHE); update the prerequisite to use $(AKASH_DEVCACHE) so the
cache is properly initialized. Locate the rule named
"$(GOLANGCI_LINT_VERSION_FILE): $(SEMVER) $(AP_DEVCACHE)" and replace the
$(AP_DEVCACHE) token with $(AKASH_DEVCACHE) to match the existing cache target
and ensure the dependency is executed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 86c1e270-5e7b-47fe-bc4b-dd9a2fe9eacd

📥 Commits

Reviewing files that changed from the base of the PR and between 76a8ada and defc2f4.

⛔ Files ignored due to path filters (1)
  • go/manifest/v2beta3/service.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (16)
  • Makefile
  • buf.yaml
  • go/provider/client/client.go
  • go/provider/client/path.go
  • go/sdl/_testdata/v2.1-confidential-compute-cpu-only.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-no-attestation.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx.yaml
  • go/sdl/groupBuilder_v2.go
  • go/sdl/groupBuilder_v2_1.go
  • go/sdl/sdl-input.schema.yaml
  • go/sdl/v2.go
  • go/sdl/v2_1_test.go
  • make/setup-cache.mk
  • proto/provider/akash/manifest/v2beta3/service.proto
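The provider-side call summarised in the walkthrough (POST a request body to the lease attestation/quote path and hand back the raw response bytes) together with the typed non-OK error the nitpick above asks for, as an added example that is not the PR's or Akash's own code. The URL layout returned by leaseAttestationQuotePath, the ClientResponseError fields and the in-process fake provider are assumptions for illustration; the real LeaseAttestationQuotePath and error type live in go/provider/client.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ClientResponseError is a typed error for non-OK provider responses so callers
// can branch on the status code instead of parsing a formatted string.
// Field names are assumed; the real type lives in go/provider/client.
type ClientResponseError struct {
	Status  int
	Message string
}

func (e *ClientResponseError) Error() string {
	return fmt.Sprintf("provider responded with status %d: %s", e.Status, e.Message)
}

// LeaseID identifies a lease. The URL layout below is an assumption for this example.
type LeaseID struct {
	Owner string
	DSeq  uint64
	GSeq  uint32
	OSeq  uint32
}

// leaseAttestationQuotePath builds the hypothetical lease attestation/quote path.
func leaseAttestationQuotePath(id LeaseID) string {
	return fmt.Sprintf("/lease/%s/%d/%d/%d/attestation/quote", id.Owner, id.DSeq, id.GSeq, id.OSeq)
}

// Client is a minimal stand-in for the provider client.
type Client struct {
	baseURL string
	hc      *http.Client
}

// AttestationQuote POSTs the raw request body (for example a verifier-chosen
// nonce) to the lease's attestation/quote endpoint and returns the raw response
// bytes. Non-OK responses come back as *ClientResponseError.
func (c *Client) AttestationQuote(ctx context.Context, id LeaseID, body []byte) ([]byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		c.baseURL+leaseAttestationQuotePath(id), bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/octet-stream")
	resp, err := c.hc.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Bound the read so a misbehaving provider cannot make the client buffer arbitrary data.
	out, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, &ClientResponseError{Status: resp.StatusCode, Message: string(out)}
	}
	return out, nil
}

// newFakeProvider is a constructed in-process provider: it serves the quote
// endpoint for one lease only and echoes the nonce inside a fake quote. Any
// other lease path falls through to the mux's 404.
func newFakeProvider(owned LeaseID) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(leaseAttestationQuotePath(owned), func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		nonce, _ := io.ReadAll(r.Body)
		_, _ = w.Write(append([]byte("QUOTE:"), nonce...))
	})
	return httptest.NewServer(mux)
}

func main() {
	owned := LeaseID{Owner: "akash1owner", DSeq: 42, GSeq: 1, OSeq: 1}
	srv := newFakeProvider(owned)
	defer srv.Close()
	c := &Client{baseURL: srv.URL, hc: srv.Client()}

	quote, err := c.AttestationQuote(context.Background(), owned, []byte("nonce-123"))
	fmt.Printf("quote=%q err=%v\n", quote, err)

	other := LeaseID{Owner: "akash1other", DSeq: 7, GSeq: 1, OSeq: 1}
	_, err = c.AttestationQuote(context.Background(), other, []byte("nonce-123"))
	var cre *ClientResponseError
	if errors.As(err, &cre) {
		fmt.Println("typed error, status", cre.Status)
	}
}
```

The caller supplies the nonce and the provider echoes it inside the quote; a real verifier would then check that the returned quote binds that nonce before trusting it, which is why the body is passed through untouched rather than constructed by the client. Returning a typed error keeps a 404 for an unknown lease distinguishable from a transport failure with errors.As.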

@cloud-j-luna cloud-j-luna self-assigned this May 29, 2026
@cloud-j-luna cloud-j-luna force-pushed the feature/confidential-compute branch from 2b83c04 to 43a8af1 Compare June 1, 2026 12:11
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@proto/provider/akash/manifest/v2beta3/service.proto`:
- Around line 49-54: The proto's attestation boolean in TEEParams cannot express
a true default at the wire level (proto3 zero value is false), so fix by
changing the field to a wrapper type or by ensuring producers set it explicitly:
replace "bool attestation = 2" with "google.protobuf.BoolValue attestation = 2"
(and import google/protobuf/wrappers.proto) so an omitted field is
distinguishable, and update any Go/SDL builders (the TEEParams construction
code) to explicitly set attestation to true when omitted; alternatively, if you
prefer not to change the wire format, update documentation and all
producers/builders to always assign attestation = true in TEEParams creation
(reference symbols: attestation, TEEParams, service.proto).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b90c7160-7679-4804-9c99-ffec49068fad

📥 Commits

Reviewing files that changed from the base of the PR and between 2b83c04 and d5b8443.

⛔ Files ignored due to path filters (2)
  • go/manifest/v2beta3/service.pb.go is excluded by !**/*.pb.go
  • go/node/types/resources/v1beta4/tee.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (21)
  • Makefile
  • go/node/deployment/v1beta4/groupspec.go
  • go/provider/client/client.go
  • go/provider/client/path.go
  • go/sdl/_testdata/v2.1-confidential-compute-cpu-only.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-no-attestation.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx.yaml
  • go/sdl/_testdata/v2.1-tee-snp-gpu.yaml
  • go/sdl/_testdata/v2.1-tee-snp.yaml
  • go/sdl/_testdata/v2.1-tee-tdx-no-attestation.yaml
  • go/sdl/groupBuilder_v2.go
  • go/sdl/groupBuilder_v2_1.go
  • go/sdl/sdl-input.schema.yaml
  • go/sdl/tee.go
  • go/sdl/v2.go
  • go/sdl/v2_1_test.go
  • make/setup-cache.mk
  • proto/node/akash/base/resources/v1beta4/tee.proto
  • proto/provider/akash/manifest/v2beta3/service.proto
✅ Files skipped from review due to trivial changes (3)
  • go/sdl/_testdata/v2.1-tee-snp.yaml
  • go/node/deployment/v1beta4/groupspec.go
  • go/sdl/_testdata/v2.1-confidential-compute-cpu-only.yaml
🚧 Files skipped from review as they are similar to previous changes (16)
  • go/sdl/_testdata/v2.1-confidential-compute-tdx.yaml
  • go/sdl/v2.go
  • go/provider/client/path.go
  • go/sdl/_testdata/v2.1-confidential-compute-no-attestation.yaml
  • go/sdl/_testdata/v2.1-tee-tdx-no-attestation.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx-gpu.yaml
  • Makefile
  • go/provider/client/client.go
  • go/sdl/tee.go
  • make/setup-cache.mk
  • go/sdl/_testdata/v2.1-tee-snp-gpu.yaml
  • go/sdl/sdl-input.schema.yaml
  • go/sdl/groupBuilder_v2_1.go
  • go/sdl/v2_1_test.go
  • go/sdl/groupBuilder_v2.go

Comment on lines +49 to +54
// attestation controls whether the provider injects an attestation sidecar.
// Defaults to true. Set to false to bring your own attestation.
bool attestation = 2 [
(gogoproto.jsontag) = "attestation",
(gogoproto.moretags) = "yaml:\"attestation\""
];
Contributor

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

attestation "defaults to true" cannot be represented at the wire level.

proto3 bool zero value is false, so an unset/omitted attestation decodes to false, not true. The Go SDL builder explicitly sets it to true when omitted, so manifests produced through this repo are safe. However, any consumer that constructs TEEParams directly (e.g. a non-Go client) will get attestation disabled by default — a security-relevant divergence from the documented contract for confidential compute. Ensure all producers set this field explicitly, or document that the default is enforced only by the producer.

🧰 Tools
🪛 Buf (1.69.0)

[error] 51-51: cannot find gogoproto.nullable in this scope (COMPILE)
[error] 51-51: cannot find gogoproto.customname in this scope (COMPILE)
[error] 52-52: cannot find gogoproto.jsontag in this scope (COMPILE)
[error] 53-53: cannot find gogoproto.moretags in this scope (COMPILE)
[error] 54-54: cannot find gogoproto.nullable in this scope (COMPILE)

@cloud-j-luna cloud-j-luna force-pushed the feature/confidential-compute branch from d5b8443 to 6d7c725 Compare June 1, 2026 12:17
Contributor

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
proto/provider/akash/manifest/v2beta3/service.proto (1)

49-54: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

attestation "defaults to true" is not representable at the wire level.

A proto3 bool zero-value is false, so any producer that doesn't explicitly set attestation (e.g. a non-Go client constructing TEEParams directly) will get attestation disabled, diverging from the documented default. The Go SDL builder sets it explicitly, so manifests from this repo are safe, but the default is producer-enforced only. Consider a wrapper type (google.protobuf.BoolValue) or clearly documenting that the default is enforced by producers.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@proto/provider/akash/manifest/v2beta3/service.proto` around lines 49 - 54,
The attestation field currently declared as a proto3 bool (attestation = 2)
cannot express a default of true at the wire level; change its type to
google.protobuf.BoolValue and import google/protobuf/wrappers.proto so absence
vs explicit false is distinguishable (i.e., replace "bool attestation = 2" with
"google.protobuf.BoolValue attestation = 2" and update any
gogoproto.jsontag/moretags as needed), then update any builders/usage (e.g.,
where TEEParams is constructed) to treat a nil wrapper as the default-true
behavior or add clear comments documenting the new semantics.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 27187bf8-8df3-4511-ac7d-ee38a8c1f395

📥 Commits

Reviewing files that changed from the base of the PR and between d5b8443 and c273f80.

⛔ Files ignored due to path filters (2)
  • go/manifest/v2beta3/service.pb.go is excluded by !**/*.pb.go
  • go/node/types/resources/v1beta4/tee.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (21)
  • Makefile
  • go/node/deployment/v1beta4/groupspec.go
  • go/provider/client/client.go
  • go/provider/client/path.go
  • go/sdl/_testdata/v2.1-confidential-compute-cpu-only.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-no-attestation.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx.yaml
  • go/sdl/_testdata/v2.1-tee-snp-gpu.yaml
  • go/sdl/_testdata/v2.1-tee-snp.yaml
  • go/sdl/_testdata/v2.1-tee-tdx-no-attestation.yaml
  • go/sdl/groupBuilder_v2.go
  • go/sdl/groupBuilder_v2_1.go
  • go/sdl/sdl-input.schema.yaml
  • go/sdl/tee.go
  • go/sdl/v2.go
  • go/sdl/v2_1_test.go
  • make/setup-cache.mk
  • proto/node/akash/base/resources/v1beta4/tee.proto
  • proto/provider/akash/manifest/v2beta3/service.proto
✅ Files skipped from review due to trivial changes (5)
  • go/sdl/_testdata/v2.1-tee-snp.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-no-attestation.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx.yaml
  • go/sdl/v2.go
  • go/node/deployment/v1beta4/groupspec.go
🚧 Files skipped from review as they are similar to previous changes (13)
  • Makefile
  • go/sdl/_testdata/v2.1-tee-snp-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-tdx-gpu.yaml
  • go/sdl/_testdata/v2.1-confidential-compute-cpu-only.yaml
  • go/sdl/groupBuilder_v2_1.go
  • go/provider/client/path.go
  • go/provider/client/client.go
  • go/sdl/_testdata/v2.1-confidential-compute-gpu.yaml
  • go/sdl/sdl-input.schema.yaml
  • go/sdl/v2_1_test.go
  • go/sdl/_testdata/v2.1-tee-tdx-no-attestation.yaml
  • go/sdl/tee.go
  • make/setup-cache.mk
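The SDL-to-manifest flow summarised in the walkthrough (type validation at decode time, the GPU-requirement check, attestation defaulting to true unless the key is present and set to false, stable-sorted placement attributes) and the proto3 zero-value concern raised in the review above, as one added example that is not the PR's code. The TEE type names, the attribute keys and the use of encoding/json in place of the SDL's YAML hook are assumptions so the block runs with the standard library only; the real allowed set and attribute emission live in go/sdl/tee.go.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// TEE type names and attribute keys are assumptions for this example.
const (
	teeTypeSNP    = "snp"
	teeTypeTDX    = "tdx"
	teeTypeSNPGPU = "snp-gpu"
	teeTypeTDXGPU = "tdx-gpu"
	attrTEEType   = "tee/type"
	attrTEEAttest = "tee/attestation"
)

var allowedTEETypes = map[string]bool{
	teeTypeSNP: true, teeTypeTDX: true, teeTypeSNPGPU: true, teeTypeTDXGPU: true,
}

// isGPUTEEType reports whether the type needs GPU confidential compute.
func isGPUTEEType(t string) bool { return t == teeTypeSNPGPU || t == teeTypeTDXGPU }

// sdlTEEParams is the SDL-side shape of services.*.params.tee. Attestation is a
// pointer so an omitted key (nil) is distinguishable from an explicit false.
type sdlTEEParams struct {
	Type        string `json:"type"`
	Attestation *bool  `json:"attestation,omitempty"`
}

// UnmarshalJSON normalises and validates the type at decode time, the same job
// the SDL's UnmarshalYAML hook does (JSON stands in for YAML here).
func (p *sdlTEEParams) UnmarshalJSON(b []byte) error {
	type raw sdlTEEParams // no methods, so no recursive call
	var r raw
	if err := json.Unmarshal(b, &r); err != nil {
		return err
	}
	r.Type = strings.ToLower(strings.TrimSpace(r.Type))
	if !allowedTEETypes[r.Type] {
		return fmt.Errorf("tee: unsupported type %q", r.Type)
	}
	*p = sdlTEEParams(r)
	return nil
}

// manifestTEEParams is the wire-level shape: a plain bool, like TEEParams in
// service.proto. Its zero value is false, so the default must be applied by the producer.
type manifestTEEParams struct {
	Type        string `json:"type"`
	Attestation bool   `json:"attestation"`
}

type attribute struct{ Key, Value string }

// buildTEE enforces the GPU requirement, applies the attestation default and
// emits placement attributes in a deterministic order.
func buildTEE(p *sdlTEEParams, gpuUnits uint32) (*manifestTEEParams, []attribute, error) {
	if p == nil {
		return nil, nil, nil // service did not request a TEE
	}
	if isGPUTEEType(p.Type) && gpuUnits == 0 {
		return nil, nil, fmt.Errorf("tee: type %q requires a GPU but the service requests none", p.Type)
	}
	m := &manifestTEEParams{Type: p.Type, Attestation: p.Attestation == nil || *p.Attestation}
	attrs := []attribute{{attrTEEType, m.Type}, {attrTEEAttest, fmt.Sprint(m.Attestation)}}
	sort.SliceStable(attrs, func(i, j int) bool { return attrs[i].Key < attrs[j].Key })
	return m, attrs, nil
}

// decodeWireTEE is the consumer-side view: a manifest that omits the field
// decodes to attestation=false, the divergence discussed in review.
func decodeWireTEE(b []byte) (manifestTEEParams, error) {
	var m manifestTEEParams
	err := json.Unmarshal(b, &m)
	return m, err
}

func main() {
	var p sdlTEEParams
	if err := json.Unmarshal([]byte(`{"type":"tdx"}`), &p); err != nil {
		panic(err)
	}
	m, attrs, err := buildTEE(&p, 0)
	fmt.Printf("type=%s attestation=%v attrs=%v err=%v\n", m.Type, m.Attestation, attrs, err)

	var g sdlTEEParams
	_ = json.Unmarshal([]byte(`{"type":"snp-gpu","attestation":false}`), &g)
	_, _, err = buildTEE(&g, 0)
	fmt.Println("gpu check:", err)

	w, _ := decodeWireTEE([]byte(`{"type":"tdx"}`)) // constructed manifest from a non-Go producer
	fmt.Println("wire attestation when omitted:", w.Attestation)
}
```

The *bool on the SDL side is what lets the builder tell "not mentioned" from "turned off"; once the value is flattened into the plain bool of the manifest that distinction is gone, so any producer other than this builder has to set the field explicitly or the provider will read it as disabled.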

Comment thread go/sdl/tee.go

// v2ResourceTEE defines the TEE (Trusted Execution Environment) configuration
// for a compute resource. Follows the same pattern as v2ResourceStorage.
type v2ResourceTEE struct {
Member

correct for params is v2TEEParams

Comment thread go/sdl/tee.go
}

// IsGPUTEEType returns true if the TEE type requires GPU confidential compute.
func IsGPUTEEType(t string) bool {
Member

how do we know at SDL build time if GPU has TEE? what if provider has it disabled?
