pi-privacy 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/package.json +10 -4
- package/src/attest/attestation.ts +6 -1
- package/src/extension.ts +4 -2
- package/src/providers/catalog.ts +13 -0
package/README.md
CHANGED
|
@@ -43,6 +43,7 @@ them look the same.
|
|
|
43
43
|
| `nearai` | Verified TEE | Attestation report (Intel TDX + NVIDIA CC) fetched over HTTPS, bound to a fresh nonce |
|
|
44
44
|
| `openrouter` | ZDR (posture-aware) | `zdr-policy` until enforcement pins routing → `zdr-enforced` |
|
|
45
45
|
| `venice`, `fireworks` | ZDR (by policy) | Provider policy; honest limits noted (e.g. Venice is not TEE-attested) |
|
|
46
|
+
| `privateer-api` | ZDR (by policy) | Privateer developer key (`sk-priv-…`); server-proxied inference — the proxy mediates attestation, so it's a zero-retention *policy*, not a client-verified enclave |
|
|
46
47
|
| `ollama`, `custom` | On-device | Detected when the endpoint is a loopback URL |
|
|
47
48
|
|
|
48
49
|
Providers with no verifiable or default privacy channel (Together, DeepSeek, MiniMax,
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "pi-privacy",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.3.0",
|
|
4
4
|
"description": "Privacy posture + TEE attestation for Pi providers: cryptographically verified confidential-enclave (TEE) inference, enforced/labeled zero-data-retention (ZDR), and on-device detection — honestly graded so a verified guarantee never reads like a claimed one.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"license": "MIT",
|
|
@@ -25,7 +25,9 @@
|
|
|
25
25
|
"sev-snp"
|
|
26
26
|
],
|
|
27
27
|
"pi": {
|
|
28
|
-
"extensions": [
|
|
28
|
+
"extensions": [
|
|
29
|
+
"./extensions"
|
|
30
|
+
]
|
|
29
31
|
},
|
|
30
32
|
"exports": {
|
|
31
33
|
".": "./src/index.ts",
|
|
@@ -54,8 +56,12 @@
|
|
|
54
56
|
"@earendil-works/pi-ai": ">=0.80.0"
|
|
55
57
|
},
|
|
56
58
|
"peerDependenciesMeta": {
|
|
57
|
-
"@earendil-works/pi-coding-agent": {
|
|
58
|
-
|
|
59
|
+
"@earendil-works/pi-coding-agent": {
|
|
60
|
+
"optional": true
|
|
61
|
+
},
|
|
62
|
+
"@earendil-works/pi-ai": {
|
|
63
|
+
"optional": true
|
|
64
|
+
}
|
|
59
65
|
},
|
|
60
66
|
"dependencies": {
|
|
61
67
|
"undici": "^7.28.0"
|
|
@@ -115,7 +115,12 @@ export function interpretReport(modelId: string, nonce: string, raw: unknown): A
|
|
|
115
115
|
const hardware: string[] = [];
|
|
116
116
|
if (/nvidia|gpu/.test(blob)) hardware.push("NVIDIA");
|
|
117
117
|
if (/intel|tdx/.test(blob)) hardware.push("Intel TDX");
|
|
118
|
-
|
|
118
|
+
// Freshness/anti-replay: our nonce must appear in the report. Require a non-trivial
|
|
119
|
+
// nonce — a real attestation nonce is 32 bytes (64 hex, see randomNonce). Guard
|
|
120
|
+
// against an empty/short nonce, since blob.includes("") is vacuously true and would
|
|
121
|
+
// score a missing nonce as "echoed" (matters when the nonce is externally supplied,
|
|
122
|
+
// e.g. a server-proxied report rather than one bound to our own randomNonce).
|
|
123
|
+
const nonceEchoed = nonce.length >= 16 && blob.includes(nonce.toLowerCase());
|
|
119
124
|
|
|
120
125
|
return { model: modelId, nonce, signingAddress, nonceEchoed, hardware, raw };
|
|
121
126
|
}
|
package/src/extension.ts
CHANGED
|
@@ -70,8 +70,9 @@ export interface PiPrivacyOptions {
|
|
|
70
70
|
// Install the process-wide attestation dispatcher (default true). Set false if the
|
|
71
71
|
// host already installed one (e.g. privateer-agent's boot.ts).
|
|
72
72
|
installDispatcher?: boolean;
|
|
73
|
-
// Register the config-only privacy providers (tinfoil/nearai/venice/ollama
|
|
74
|
-
// seed models (default true). Built-in providers
|
|
73
|
+
// Register the config-only privacy providers (tinfoil/nearai/venice/ollama/
|
|
74
|
+
// privateer-api) with seed models (default true). Built-in providers
|
|
75
|
+
// (openrouter/fireworks) are left
|
|
75
76
|
// to Pi so their model listings aren't clobbered.
|
|
76
77
|
registerProviders?: boolean;
|
|
77
78
|
// Enforce OpenRouter ZDR routing (default false — opt-in, since a model with no
|
|
@@ -103,6 +104,7 @@ const SEED_MODELS: Record<string, string> = {
|
|
|
103
104
|
nearai: "zai-org/GLM-5.1-FP8",
|
|
104
105
|
venice: "qwen3-coder-480b-a35b-instruct-turbo",
|
|
105
106
|
ollama: "llama3.1",
|
|
107
|
+
"privateer-api": "near/zai-org/GLM-5.1-FP8",
|
|
106
108
|
};
|
|
107
109
|
|
|
108
110
|
function registerable(p: PrivacyProvider): boolean {
|
package/src/providers/catalog.ts
CHANGED
|
@@ -80,6 +80,19 @@ export const PRIVACY_PROVIDERS: PrivacyProvider[] = [
|
|
|
80
80
|
// FireFunction may log. Not TEE-attested.
|
|
81
81
|
note: "fireworks.ai → API Keys (open models: zero retention by default, not TEE-attested; Fireworks's own f1/FireFunction may log).",
|
|
82
82
|
},
|
|
83
|
+
{
|
|
84
|
+
id: "privateer-api",
|
|
85
|
+
label: "Privateer (developer API)",
|
|
86
|
+
tier: "zdr-policy",
|
|
87
|
+
baseUrl: "https://api.privateer.pro/v1",
|
|
88
|
+
api: "openai-completions",
|
|
89
|
+
keyEnv: "${PRIVATEER_API_KEY}",
|
|
90
|
+
// Honest copy: a server-proxied developer key (sk-priv-…). Privateer asserts
|
|
91
|
+
// zero retention, but the proxy mediates attestation — a pi client can't verify
|
|
92
|
+
// the underlying enclave end-to-end through it — so this is POLICY, not a
|
|
93
|
+
// client-verified TEE. (Verified-TEE access is the in-app account channel's job.)
|
|
94
|
+
note: "privateer.pro → API keys (sk-priv-…). Server-proxied, zero-retention by policy; NOT TEE-attested end-to-end (the proxy mediates attestation).",
|
|
95
|
+
},
|
|
83
96
|
{
|
|
84
97
|
id: "openrouter",
|
|
85
98
|
label: "OpenRouter",
|