blueprint-tee 0.2.0-alpha.2

First-class TEE (Trusted Execution Environment) support for the Blueprint SDK
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

//! First-class TEE (Trusted Execution Environment) support for the Blueprint SDK.
//!
//! This crate provides runtime TEE capabilities including attestation verification,
//! key exchange, and middleware integration for blueprint services running in
//! confidential compute environments.
//!
//! # Overview
//!
//! Blueprint TEE supports multiple deployment modes:
//!
//! - **Direct**: The runner itself executes inside a TEE with device passthrough
//!   and hardened defaults.
//! - **Remote**: The runner provisions workloads in cloud TEE instances
//!   (AWS Nitro, Azure CVM, GCP Confidential Space).
//! - **Hybrid**: Selected jobs run in TEE runtimes while others run normally.
//!
//! # Quick Start
//!
//! ```rust,ignore
//! use blueprint_runner::BlueprintRunner;
//! use blueprint_tee::{TeeConfig, TeeMode, TeeRequirement};
//!
//! let tee = TeeConfig::builder()
//!     .requirement(TeeRequirement::Required)
//!     .mode(TeeMode::Direct)
//!     .build()?;
//!
//! BlueprintRunner::builder(config, env)
//!     .tee(tee)
//!     .router(router)
//!     .run()
//!     .await?;
//! ```
//!
//! # Features
#![doc = document_features::document_features!()]
#![cfg_attr(docsrs, feature(doc_auto_cfg))]

pub mod attestation;
pub mod config;
pub mod errors;
pub mod exchange;
pub mod middleware;
pub mod runtime;

// Re-exports
pub use config::{
    AttestationFreshnessPolicy, HybridRoutingSource, RuntimeLifecyclePolicy, SecretInjectionPolicy,
    TeeConfig, TeeConfigBuilder, TeeKeyExchangeConfig, TeeMode, TeeProvider, TeeProviderSelector,
    TeePublicKeyPolicy, TeeRequirement, TeeRequirements,
};
pub use errors::TeeError;

pub use attestation::{
    AttestationClaims, AttestationFormat, AttestationReport, AttestationVerifier, Measurement,
    PublicKeyBinding, VerificationLevel, VerifiedAttestation,
};

pub use exchange::TeeAuthService;

pub use middleware::{TeeContext, TeeLayer};

pub use runtime::{
    BackendRegistry, TeeDeployRequest, TeeDeploymentHandle, TeeDeploymentStatus, TeePublicKey,
    TeeRuntimeBackend,
};