feat: proxy-side Chutes attestation verification with dual-mode chain API #9

Open
mondaylord wants to merge 22 commits into main from feat/add_chutes
@mondaylord
Collaborator

Summary

This PR upgrades vllm-proxy attestation chaining for Chutes into a dual-mode design with proxy-side verification by default.

Goal:

  • Let integrators validate only vllm-proxy attestation in the common path
  • Keep a full passthrough path for clients that want to run private-ai-verifier themselves
  • Improve observability/debuggability of attestation verification results

Motivation

Previously, clients needed to consume and verify multiple artifacts (proxy + upstream + binding). This is powerful but heavier for product integration.

We now provide:

  • verify_mode=proxy (default): proxy verifies Chutes evidence internally and returns a signed verification receipt.
  • verify_mode=passthrough: proxy returns full chain artifacts as before.

API Changes

Endpoint

GET /v1/attestation/chain

Request params

  • model (required)
  • nonce (required, min 16 chars)
  • signing_algo (optional, ecdsa or ed25519)
  • verify_mode (optional, default proxy)
    • proxy
    • passthrough

Response: verify_mode=proxy (default)

Returns:

  • proxy.attestation
  • verification_receipt (proxy-signed)

verification_receipt.payload includes:

  • request/binding metadata (nonce, model, upstream_attestation_sha256, binding signature fields)
  • result (pass)
  • summary fields:
    • total_instances
    • tdx_uptodate_instances
    • binding_verified_instances
  • per-instance diagnostics (instance_results):
    • instance_id
    • tdx_status
    • tdx_error_present
    • debug_mode_disabled
    • binding_verified
    • gpu_token_checked, gpu_verified
    • expected_report_data, actual_report_data
    • errors

Response: verify_mode=passthrough

Returns full chain material:

  • proxy.attestation
  • upstream.attestation (+ attestation_sha256)
  • binding_proof

Verification Logic (proxy mode)

Implemented with fail-close semantics.

Per Chutes instance, proxy verifies:

  1. Quote decodes strictly (base64 validate)
  2. Online TDX verification via dcap_qvl:
    • must return result
    • status must be UpToDate
  3. TDX debug bit disabled (from quote td_attributes)
  4. Nonce binding:
    • sha256(nonce + e2e_pubkey) must equal quote report_data prefix
  5. GPU token checks (when present):
    • overall attestation result true
    • eat_nonce equals expected report_data

If any required check fails for any instance, request returns chutes_verification_failed.

Alignment with private-ai-verifier

This PR follows the Chutes provider/verifier behavior in private-ai-verifier and adds proxy-side online TDX verification, which is required to reliably surface UpToDate status in proxy mode.

Dependency Changes

  • Added:
    • dcap-qvl>=0.3.13

Other Improvements

  • Added/updated tests under tests/app for:
    • proxy mode success/failure
    • passthrough mode shape/hash consistency
    • invalid mode handling
    • online TDX verification paths
  • Improved tests/app/verify_attestation_chain.py:
    • supports running both modes (VERIFY_MODE=both default)
    • prints full instance results (not truncated preview)

How to Use

Proxy mode (default)

curl -sS "$BASE_URL/v1/attestation/chain?model=moonshotai/Kimi-K2.5-TEE&nonce=<NONCE>&signing_algo=ecdsa" -H "Authorization: Bearer $API_KEY"

Expected consumer behavior:

  • verify proxy attestation/signature
  • verify verification_receipt.signature
  • check verification_receipt.payload.result == "pass"
  • inspect summary + instance diagnostics for observability

Passthrough mode

curl -sS "$BASE_URL/v1/attestation/chain?model=moonshotai/Kimi-K2.5-TEE&nonce=<NONCE>&signing_algo=ecdsa&verify_mode=passthrough" -H "Authorization: Bearer $API_KEY"

Use this mode if the client wants to run full custom verification externally.

Backward Compatibility Notes

  • Default mode is now proxy.
  • Clients that assumed upstream/binding_proof always exist should explicitly request verify_mode=passthrough.
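
A client-side, fail-closed check of `verification_receipt.payload` in proxy mode, as an added example that is not part of this PR or the project's code. It assumes the proxy attestation and the receipt signature were already verified, and that the payload fields listed in the description carry these types (booleans, integers, hex strings for report_data); `check_receipt_payload` and `sample_payload` are hypothetical names.

```python
# Added example; field names come from the PR description, value types are assumptions.
NONCE = "constructed-nonce-0123456789abcdef"   # constructed sample value
MODEL = "moonshotai/Kimi-K2.5-TEE"

def check_receipt_payload(payload, nonce, model):
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems = []
    if payload.get("result") != "pass":
        problems.append("result is not 'pass'")
    # Freshness and scope: the receipt must echo this request's nonce and model.
    for key, want in (("nonce", nonce), ("model", model)):
        if payload.get(key) != want:
            problems.append(f"{key} mismatch")
    instances = payload.get("instance_results") or []
    total = payload.get("total_instances")
    if not instances or total != len(instances):
        problems.append("instance count missing or inconsistent")
    for key in ("tdx_uptodate_instances", "binding_verified_instances"):
        if payload.get(key) != total:
            problems.append(f"{key} != total_instances")
    for inst in instances:
        iid = inst.get("instance_id", "?")
        if inst.get("tdx_status") != "UpToDate":
            problems.append(f"{iid}: tdx_status is not UpToDate")
        if inst.get("tdx_error_present") is not False:
            problems.append(f"{iid}: tdx_error_present")
        # A missing flag counts as a failure, not as a pass.
        for flag in ("debug_mode_disabled", "binding_verified"):
            if inst.get(flag) is not True:
                problems.append(f"{iid}: {flag} is not true")
        if inst.get("gpu_token_checked") and inst.get("gpu_verified") is not True:
            problems.append(f"{iid}: gpu token checked but not verified")
        # Assumption: both report_data fields are hex strings.
        expected = str(inst.get("expected_report_data") or "").lower()
        actual = str(inst.get("actual_report_data") or "").lower()
        if not expected or not actual.startswith(expected):
            problems.append(f"{iid}: report_data prefix mismatch")
        if inst.get("errors"):
            problems.append(f"{iid}: errors reported")
    return problems

def sample_payload():  # constructed payload in the shape the description lists
    rd = "ab" * 32
    inst = {"instance_id": "inst-1", "tdx_status": "UpToDate", "tdx_error_present": False,
            "debug_mode_disabled": True, "binding_verified": True, "gpu_token_checked": True,
            "gpu_verified": True, "expected_report_data": rd,
            "actual_report_data": rd + "00" * 32, "errors": []}
    return {"result": "pass", "nonce": NONCE, "model": MODEL, "total_instances": 1,
            "tdx_uptodate_instances": 1, "binding_verified_instances": 1,
            "instance_results": [inst]}
```

Rechecking the per-instance fields on the client means a receipt whose `result` is `pass` but whose diagnostics disagree is still rejected.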
