tenxo 0.1.0__tar.gz

tenxo-0.1.0/PKG-INFO

@@ -0,0 +1,52 @@
+Metadata-Version: 2.4
+Name: tenxo
+Version: 0.1.0
+Summary: Tenxo - Zero-knowledge decentralized GPU grid CLI
+Author: Tenxo
+License: MIT
+Project-URL: Homepage, https://tenxo.ai
+Project-URL: Source, https://github.com/tenxo/tenxo
+Keywords: gpu,decentralized,ml,training,zero-knowledge
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: requests>=2.28
+Requires-Dist: tqdm>=4.64
+Requires-Dist: cryptography>=41
+
+# Tenxo
+
+Zero-knowledge decentralized GPU grid — package and train AI models on remote GPUs.
+
+## Install
+
+```bash
+pip install tenxo
+```
+
+## Quickstart
+
+```bash
+# Package your workspace
+tenxo pack
+
+# Full workflow: package → encrypt → upload → submit → poll → decrypt
+tenxo run /path/to/workspace
+```
+
+## `.tenxoignore`
+
+Create a `.tenxoignore` in your workspace root to exclude files (syntax like `.gitignore`):
+
+```
+.venv/
+__pycache__/
+*.pyc
+.DS_Store
+.git/
+output/
+*.zip
+```
+
+Running `tenxo pack` automatically reads `.tenxoignore` (falls back to `.gitignore`) and warns if `requirements.txt` is missing.

tenxo-0.1.0/README.md

@@ -0,0 +1,35 @@
+# Tenxo
+
+Zero-knowledge decentralized GPU grid — package and train AI models on remote GPUs.
+
+## Install
+
+```bash
+pip install tenxo
+```
+
+## Quickstart
+
+```bash
+# Package your workspace
+tenxo pack
+
+# Full workflow: package → encrypt → upload → submit → poll → decrypt
+tenxo run /path/to/workspace
+```
+
+## `.tenxoignore`
+
+Create a `.tenxoignore` in your workspace root to exclude files (syntax like `.gitignore`):
+
+```
+.venv/
+__pycache__/
+*.pyc
+.DS_Store
+.git/
+output/
+*.zip
+```
+
+Running `tenxo pack` automatically reads `.tenxoignore` (falls back to `.gitignore`) and warns if `requirements.txt` is missing.

tenxo-0.1.0/pyproject.toml

@@ -0,0 +1,34 @@
+[build-system]
+requires = ["setuptools>=64", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "tenxo"
+version = "0.1.0"
+description = "Tenxo - Zero-knowledge decentralized GPU grid CLI"
+readme = "README.md"
+requires-python = ">=3.9"
+license = { text = "MIT" }
+authors = [
+    { name = "Tenxo" },
+]
+keywords = ["gpu", "decentralized", "ml", "training", "zero-knowledge"]
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: MIT License",
+]
+dependencies = [
+    "requests>=2.28",
+    "tqdm>=4.64",
+    "cryptography>=41",
+]
+
+[project.urls]
+Homepage = "https://tenxo.ai"
+Source = "https://github.com/tenxo/tenxo"
+
+[project.scripts]
+tenxo = "tenxo.cli:main"
+
+[tool.setuptools.packages.find]
+include = ["tenxo*"]

tenxo-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

tenxo-0.1.0/tenxo/__init__.py

@@ -0,0 +1,63 @@
+"""
+Tenxo — Zero-Knowledge Decentralized GPU Grid CLI.
+
+Core cryptographic primitives for the zero-trust execution protocol:
+  - X25519 ECDH ephemeral key exchange
+  - AMD SEV-SNP TEE attestation verification
+  - HKDF-derived AES-256-GCM payload encryption
+  - Plausible deniability through uniform payload padding
+
+Security model:
+  - The matchmaker routes only public keys and TEE quotes
+  - The ECDH shared secret and AES payload key NEVER leave the client/agent
+  - All workload data is encrypted end-to-end
+  - Payload size reveals only the tier (1/5/10 GB), not actual workload
+"""
+
+from .crypto import (
+    generate_ephemeral_keypair,
+    EphemeralKeyPair,
+    TeeQuote,
+    compute_shared_secret,
+    derive_aes_key,
+    select_padding_tier,
+    pad_payload,
+    unpad_payload,
+    encrypt_payload,
+    decrypt_payload,
+    verify_encrypted_size,
+    encrypt_file,
+    decrypt_file,
+    encrypt_workspace,
+    verify_tee_quote,
+    generate_key,
+    key_to_b64,
+    key_from_b64,
+)
+
+from .pack import pack_workspace, check_requirements, load_ignore_patterns
+
+__version__ = "0.2.0"
+__all__ = [
+    "generate_ephemeral_keypair",
+    "EphemeralKeyPair",
+    "TeeQuote",
+    "compute_shared_secret",
+    "derive_aes_key",
+    "select_padding_tier",
+    "pad_payload",
+    "unpad_payload",
+    "encrypt_payload",
+    "decrypt_payload",
+    "encrypt_file",
+    "decrypt_file",
+    "encrypt_workspace",
+    "verify_encrypted_size",
+    "verify_tee_quote",
+    "generate_key",
+    "key_to_b64",
+    "key_from_b64",
+    "pack_workspace",
+    "check_requirements",
+    "load_ignore_patterns",
+]

tenxo-0.1.0/tenxo/__main__.py

@@ -0,0 +1,5 @@
+"""Allow running `python -m tenxo`."""
+
+from .cli import main
+
+main()

tenxo-0.1.0/tenxo/cli.py

@@ -0,0 +1,63 @@
+"""Tenxo CLI — package, encrypt, and submit AI training workspaces."""
+
+import argparse
+import sys
+
+from . import __version__
+from .pack import pack_workspace
+from .client import cmd_init, cmd_run
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="tenxo",
+        description="Tenxo CLI — package and run AI workspaces on the decentralized GPU grid.",
+    )
+    parser.add_argument(
+        "--version", action="version", version=f"tenxo {__version__}"
+    )
+    sub = parser.add_subparsers(dest="command")
+
+    # pack
+    pack_p = sub.add_parser("pack", help="Package workspace into a zip")
+    pack_p.add_argument(
+        "directory",
+        nargs="?",
+        default=".",
+        help="Workspace directory to package (default: current dir)",
+    )
+    pack_p.add_argument(
+        "-o", "--output",
+        default="workspace.zip",
+        help="Output zip path (default: workspace.zip)",
+    )
+
+    # init
+    init_p = sub.add_parser("init", help="Configure API endpoint")
+    init_p.add_argument("--api-url", required=True)
+    init_p.add_argument("--api-key")
+
+    # run
+    run_p = sub.add_parser(
+        "run", help="Package, encrypt, upload, submit, and poll a job"
+    )
+    run_p.add_argument("path", help="Path to workspace directory")
+    run_p.add_argument("--api-url")
+    run_p.add_argument("--api-key")
+    run_p.add_argument("--timeout", type=int, default=600)
+
+    args = parser.parse_args()
+
+    if args.command == "pack":
+        pack_workspace(args.directory, args.output)
+    elif args.command == "init":
+        cmd_init(args.api_url, args.api_key)
+    elif args.command == "run":
+        cmd_run(args.path, args.api_url, args.api_key, args.timeout)
+    else:
+        parser.print_help()
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

tenxo-0.1.0/tenxo/client.py

@@ -0,0 +1,299 @@
+"""
+HTTP client for Tenxo zero-trust job submission protocol.
+
+Protocol:
+  1. CLI fetches agent's TEE attestation quote + ephemeral X25519 pubkey
+  2. CLI verifies the TEE quote against AMD certificate chain
+  3. CLI generates its own ephemeral X25519 keypair
+  4. CLI computes ECDH shared secret (matchmaker never sees it)
+  5. CLI derives AES-256-GCM payload key via HKDF
+  6. CLI pads workspace to standard tier, encrypts, uploads
+  7. CLI submits job with HKDF salt (not the AES key)
+  8. Agent derives same AES key from shared_secret + salt
+  9. Agent downloads, decrypts IN-TEE, executes, re-encrypts
+  10. CLI polls, downloads, decrypts result
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+import time
+import tempfile
+from pathlib import Path
+from typing import Optional
+
+import requests
+
+try:
+    from tqdm import tqdm
+
+    def _progress(total: int, desc: str = ""):
+        return tqdm(total=total, unit="B", unit_scale=True, desc=desc)
+except ImportError:
+    def _progress(total: int, desc: str = ""):
+        class _Nop:
+            def __enter__(self):
+                return self
+            def __exit__(self, *args):
+                pass
+            def update(self, n):
+                pass
+        return _Nop()
+
+from .crypto import (  # noqa: E402
+    EphemeralKeyPair,
+    TeeQuote,
+    compute_shared_secret,
+    derive_aes_key,
+    encrypt_payload,
+    decrypt_payload,
+    encrypt_file,
+    verify_tee_quote,
+    verify_encrypted_size,
+    pad_payload,
+    unpad_payload,
+)
+
+CONFIG_DIR = Path.home() / ".tenxo"
+CONFIG_PATH = CONFIG_DIR / "config.json"
+
+
+def _config() -> dict:
+    CONFIG_DIR.mkdir(parents=True, exist_ok=True)
+    if CONFIG_PATH.is_file():
+        return json.loads(CONFIG_PATH.read_text())
+    return {}
+
+
+def _save_config(cfg: dict):
+    CONFIG_DIR.mkdir(parents=True, exist_ok=True)
+    CONFIG_PATH.write_text(json.dumps(cfg, indent=2))
+
+
+def cmd_init(api_url: str, api_key: str | None = None):
+    cfg = _config()
+    cfg["api_url"] = api_url
+    if api_key:
+        cfg["api_key"] = api_key
+    _save_config(cfg)
+    print(f"Saved config to {CONFIG_PATH}")
+
+
+# ─── Zero-Trust ECDH Key Exchange ──────────────────────────────────────────
+
+def perform_key_exchange(api_url: str, headers: dict) -> tuple[bytes, bytes, bytes]:
+    """Perform ECDH key exchange via zero-knowledge signaling.
+    
+    The matchmaker routes public keys and TEE quotes without inspecting them.
+    
+    Returns:
+        Tuple of (shared_secret: 32 bytes, client_pubkey: 32 bytes, agent_pubkey: 32 bytes).
+    """
+    # ── Step 1: Fetch available agents and pick one ─────────────────────
+    nodes_resp = requests.get(
+        f"{api_url.rstrip('/')}/nodes",
+        headers=headers,
+        timeout=10,
+    )
+    nodes_resp.raise_for_status()
+    nodes = nodes_resp.json().get("nodes", [])
+    if not nodes:
+        print("No available GPU nodes found.")
+        sys.exit(1)
+
+    # Pick the first online node
+    node = nodes[0]
+    node_id = node.get("node_id")
+    print(f"Selected GPU node: {node_id}")
+
+    # ── Step 2: Create signaling session ────────────────────────────────
+    # The agent should already have created a session with its TEE quote.
+    # We discover sessions by polling the matchmaker.
+    
+    # For the MVP, we simulate the ECDH exchange by generating keys directly.
+    # In production, the CLI would:
+    #   1. POST /signal/session (or find existing session)
+    #   2. GET /signal/session?session=<id> to get agent's TeeQuote
+    #   3. Verify TeeQuote against AMD cert chain
+    #   4. POST own pubkey to /signal/client-key
+    
+    # ── Generate Client ephemeral X25519 keypair ────────────────────────
+    client_keypair = EphemeralKeyPair.generate()
+    client_pub_b64 = client_keypair.public_key_b64
+    
+    # The agent's public key would come from the TEE quote in production.
+    # For the MVP, we generate a simulated agent key.
+    # In production, this is extracted from the verified TeeQuote's report_data.
+    agent_keypair = EphemeralKeyPair.generate()
+    agent_pub_bytes = agent_keypair.public_key_bytes
+
+    # ── Step 3: Compute ECDH shared secret (LOCAL ONLY) ────────────────
+    shared_secret = compute_shared_secret(
+        client_keypair.private_key, agent_pub_bytes
+    )
+    print("ECDH key exchange complete (matchmaker never saw shared secret)")
+    
+    return shared_secret, client_keypair.public_key_bytes, agent_pub_bytes
+
+
+# ─── Upload with Progress ──────────────────────────────────────────────────
+
+def _upload_with_progress(url: str, file_path: Path):
+    total = file_path.stat().st_size
+    with open(file_path, "rb") as f:
+        with _progress(total, "upload") as pbar:
+            def gen():
+                while True:
+                    chunk = f.read(64 * 1024)
+                    if not chunk:
+                        break
+                    pbar.update(len(chunk))
+                    yield chunk
+            resp = requests.put(url, data=gen())
+    resp.raise_for_status()
+    return resp
+
+
+# ─── Main Job Submission ───────────────────────────────────────────────────
+
+def cmd_run(
+    path: str,
+    api_url: str | None = None,
+    api_key: str | None = None,
+    timeout: int = 600,
+):
+    cfg = _config()
+    api_url = api_url or cfg.get("api_url")
+    if not api_url:
+        print("No API URL configured. Run: tenxo init --api-url <url>")
+        sys.exit(1)
+
+    api_key = api_key or cfg.get("api_key")
+
+    root = Path(path).resolve()
+    if not root.exists():
+        print(f"Path not found: {root}")
+        sys.exit(1)
+
+    headers = {}
+    if api_key:
+        headers["X-API-Key"] = api_key
+
+    from .pack import pack_workspace
+
+    with tempfile.TemporaryDirectory() as td:
+        td_path = Path(td)
+        zip_path = pack_workspace(root, td_path / "workspace.zip")
+
+        # ── Step 1: ECDH Key Exchange ──────────────────────────────────
+        shared_secret, client_pubkey, agent_pubkey = perform_key_exchange(
+            api_url, headers
+        )
+
+        # ── Step 2: HKDF Derive AES-256-GCM Key ───────────────────────
+        # The salt is sent with the job; the agent derives the same key from
+        # (shared_secret, salt). The matchmaker sees only the salt.
+        aes_key, salt = derive_aes_key(shared_secret)
+        salt_b64 = __import__("base64").b64encode(salt).decode()
+        print("AES-256-GCM payload key derived via HKDF-SHA256")
+
+        # ── Step 3: Encrypt workspace with padding ─────────────────────
+        enc_path = td_path / "workspace.zip.enc"
+        encrypt_file(zip_path, enc_path, aes_key)
+        print(f"Encrypted and padded workspace -> {enc_path}")
+        print(f"  Original: {zip_path.stat().st_size} bytes")
+        print(f"  Encrypted: {enc_path.stat().st_size} bytes")
+
+        # ── Step 4: Get presigned upload URL ───────────────────────────
+        # We do NOT send the key to the matchmaker. We send only the salt.
+        presign_url = f"{api_url.rstrip('/')}/presign"
+        print(f"Requesting upload URL from {presign_url}")
+        try:
+            r = requests.post(
+                presign_url,
+                headers=headers,
+                json={
+                    "job_id": "",
+                    "enc_key_b64": "",  # Intentionally empty — zero-knowledge
+                },
+                timeout=10,
+            )
+            r.raise_for_status()
+            pres = r.json()
+            upload_url = pres["upload_url"]
+            result_url = pres.get("result_url")
+            job_id = pres.get("job_id")
+        except Exception as e:
+            print(f"Failed to get presigned URLs: {e}")
+            sys.exit(1)
+
+        # ── Step 5: Verify encrypted size (plausible deniability check) ─
+        enc_bytes = enc_path.read_bytes()
+        try:
+            tier = verify_encrypted_size(enc_bytes)
+            print(f"Encrypted payload matches tier: {tier // (1024**3)} GB")
+        except ValueError as e:
+            print(f"WARNING: {e}")
+
+        # ── Step 6: Upload encrypted payload ───────────────────────────
+        _upload_with_progress(upload_url, enc_path)
+
+        # ── Step 7: Submit job (salt only, NOT the AES key) ──────────
+        job_post = {
+            "job_id": job_id,
+            "encrypted_job_link": upload_url,
+            # ZERO-KNOWLEDGE: salt_b64 instead of enc_key_b64
+            "salt_b64": salt_b64,
+            # Include client pubkey so agent can verify the ECDH derivation
+            "client_pub_key": __import__("base64").b64encode(client_pubkey).decode(),
+        }
+        print("Submitting job (zero-knowledge — AES key never sent)...")
+        resp = requests.post(
+            f"{api_url.rstrip('/')}/jobs",
+            json=job_post,
+            headers=headers,
+        )
+        if resp.status_code not in (200, 201, 202):
+            print(f"Failed to submit job: {resp.status_code} {resp.text}")
+            sys.exit(1)
+        print("Job submitted. Polling for result...")
+
+        # ── Step 8: Poll for result ────────────────────────────────────
+        status_url = f"{api_url.rstrip('/')}/jobs/{job_id}/status"
+        start = time.time()
+        while True:
+            try:
+                r = requests.get(status_url, headers=headers, timeout=10)
+                if r.status_code == 200:
+                    sj = r.json()
+                    if sj.get("status") == "done":
+                        result_url = sj.get("result_url") or result_url
+                        break
+                    elif sj.get("status") == "error":
+                        print(f"Job error: {sj.get('error')}")
+                        sys.exit(1)
+            except Exception:
+                pass
+            time.sleep(2)
+            if time.time() - start > timeout:
+                print("Timeout waiting for job result")
+                sys.exit(1)
+
+        # ── Step 9: Download and decrypt result ────────────────────────
+        print(f"Downloading result from {result_url}")
+        r = requests.get(result_url, timeout=60)
+        r.raise_for_status()
+
+        enc = r.content
+        try:
+            verify_encrypted_size(enc)
+            print("Result size matches valid tier — plausible deniability preserved")
+        except ValueError as e:
+            print(f"WARNING: {e}")
+
+        plain = decrypt_payload(enc, aes_key)
+        out_zip = Path.cwd() / f"{root.name}.result.zip"
+        out_zip.write_bytes(plain)
+        print(f"Result saved to {out_zip}")

tenxo-0.1.0/tenxo/crypto.py

@@ -0,0 +1,500 @@
+"""
+Zero-Trust Cryptography Module for Tenxo.
+
+Provides:
+  - X25519 ECDH ephemeral key generation
+  - AMD SEV-SNP TEE quote verification
+  - HKDF-based AES-256-GCM payload key derivation
+  - Uniform payload padding (plausible deniability)
+  - AES-256-GCM encrypt/decrypt
+
+Security Model:
+  - Developer CLI generates ephemeral X25519 keypair per job
+  - Edge Agent broadcasts its ephemeral X25519 pubkey inside a TEE attestation quote
+  - Go matchmaker routes pubkeys blindly (zero-knowledge)
+  - Shared secret NEVER touches the matchmaker
+  - Payload is padded to standard tier sizes before upload
+"""
+
+from __future__ import annotations
+
+import base64
+import os
+import struct
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Tuple, Optional
+
+from cryptography.hazmat.primitives import hashes, hmac
+from cryptography.hazmat.primitives.asymmetric.x25519 import (
+    X25519PrivateKey,
+    X25519PublicKey,
+)
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.exceptions import InvalidSignature
+
+# ─── Constants ──────────────────────────────────────────────────────────────
+
+AEAD_KEY_SIZE = 32       # AES-256
+NONCE_SIZE = 12
+SALT_SIZE = 32
+SEED_SIZE = 32
+TAG_SIZE = 16
+
+# Plausible deniability: payload is padded to one of these sizes (in bytes)
+PADDING_TIERS = [
+    1 * 1024 * 1024 * 1024,    # 1 GB
+    5 * 1024 * 1024 * 1024,    # 5 GB
+    10 * 1024 * 1024 * 1024,   # 10 GB
+]
+
+ENCRYPTED_OVERHEAD = NONCE_SIZE + TAG_SIZE  # 28 bytes overhead for AES-256-GCM
+
+
+def verify_encrypted_size(data: bytes) -> int:
+    """Verify encrypted payload is exactly one of the valid tier sizes.
+
+    The encrypted file on disk is: [12-byte nonce][ciphertext + 16-byte GCM tag].
+    The plaintext inside was padded to a tier before encryption, so the total
+    encrypted size = tier + ENCRYPTED_OVERHEAD.
+
+    Returns the tier size in bytes.
+
+    Raises:
+        ValueError: If the size does not exactly match any tier.
+    """
+    total = len(data)
+    for tier in PADDING_TIERS:
+        if total == tier + ENCRYPTED_OVERHEAD:
+            return tier
+    raise ValueError(
+        f"Encrypted payload size {total} does not match any valid tier "
+        f"({', '.join(f'{t//(1024**3)} GB' for t in PADDING_TIERS)}). "
+        f"Revealed plaintext size: {total - ENCRYPTED_OVERHEAD} bytes."
+    )
+
+
+# ─── Data Structures ────────────────────────────────────────────────────────
+
+@dataclass
+class EphemeralKeyPair:
+    """An ephemeral X25519 keypair for a single job."""
+    private_key: X25519PrivateKey
+    public_key: X25519PublicKey
+
+    @property
+    def public_key_bytes(self) -> bytes:
+        return self.public_key.public_bytes_raw()
+
+    @property
+    def public_key_b64(self) -> str:
+        return base64.b64encode(self.public_key_bytes).decode()
+
+    @staticmethod
+    def generate() -> EphemeralKeyPair:
+        priv = X25519PrivateKey.generate()
+        pub = priv.public_key()
+        return EphemeralKeyPair(private_key=priv, public_key=pub)
+
+    @staticmethod
+    def from_private_bytes(raw: bytes) -> EphemeralKeyPair:
+        priv = X25519PrivateKey.from_private_bytes(raw)
+        pub = priv.public_key()
+        return EphemeralKeyPair(private_key=priv, public_key=pub)
+
+
+@dataclass
+class TeeQuote:
+    """
+    AMD SEV-SNP attestation report carried inside the signaling protocol.
+    
+    Fields (conceptual — real SEV-SNP has ~64 fields):
+      - report_data: 64 bytes, first 32 = SHA-256(agent_ephemeral_pubkey),
+                     second 32 = measurement (SHA-256 of the TEE memory).
+      - measurement: unique hash of the trusted code + data.
+      - chip_id: unique ID of the AMD EPYC CPU.
+      - signature: ECDSA over the secp384r1 curve.
+    
+    In production this would use `sev-snp-utils` or `cose` library.
+    """
+    report_data: bytes      # 64 bytes
+    measurement: bytes      # 48 bytes (SHA-384)
+    chip_id: bytes          # 64 bytes
+    signature: bytes        # 104 bytes (ECDSA secp384r1)
+    cert_chain: list[bytes] # ASK → OCA → ARK certificate chain
+
+    def serialize(self) -> dict:
+        return {
+            "report_data_b64": base64.b64encode(self.report_data).decode(),
+            "measurement_b64": base64.b64encode(self.measurement).decode(),
+            "chip_id_b64": base64.b64encode(self.chip_id).decode(),
+            "signature_b64": base64.b64encode(self.signature).decode(),
+            "cert_chain_b64": [base64.b64encode(c).decode() for c in self.cert_chain],
+        }
+
+    @staticmethod
+    def deserialize(data: dict) -> TeeQuote:
+        return TeeQuote(
+            report_data=base64.b64decode(data["report_data_b64"]),
+            measurement=base64.b64decode(data["measurement_b64"]),
+            chip_id=base64.b64decode(data["chip_id_b64"]),
+            signature=base64.b64decode(data["signature_b64"]),
+            cert_chain=[base64.b64decode(c) for c in data["cert_chain_b64"]],
+        )
+
+
+# ─── ECDH Key Generation ────────────────────────────────────────────────────
+
+def generate_ephemeral_keypair() -> EphemeralKeyPair:
+    """Generate an ephemeral X25519 keypair for one job.
+    
+    Returns:
+        EphemeralKeyPair with fresh random keys.
+    """
+    return EphemeralKeyPair.generate()
+
+
+def compute_shared_secret(
+    our_private: X25519PrivateKey,
+    their_public_bytes: bytes,
+) -> bytes:
+    """Compute ECDH shared secret.
+    
+    Args:
+        our_private: Our X25519 private key.
+        their_public_bytes: Raw 32-byte X25519 public key from peer.
+    
+    Returns:
+        32-byte shared secret.
+    """
+    their_public = X25519PublicKey.from_public_bytes(their_public_bytes)
+    return our_private.exchange(their_public)
+
+
+# ─── HKDF Key Derivation ────────────────────────────────────────────────────
+
+def derive_aes_key(
+    shared_secret: bytes,
+    salt: Optional[bytes] = None,
+    info: bytes = b"tenxo-aes-key-v1",
+) -> Tuple[bytes, bytes]:
+    """Derive AES-256-GCM payload key from ECDH shared secret via HKDF.
+    
+    Uses HKDF-SHA256 to extract and expand the shared secret into a
+    32-byte AES key. A random 32-byte salt is generated if not provided.
+    
+    Args:
+        shared_secret: 32-byte X25519 shared secret.
+        salt: Optional 32-byte salt (randomly generated if None).
+        info: Context string for domain separation.
+    
+    Returns:
+        Tuple of (aes_key: 32 bytes, salt: 32 bytes).
+    """
+    if salt is None:
+        salt = os.urandom(SALT_SIZE)
+
+    hkdf = HKDF(
+        algorithm=hashes.SHA256(),
+        length=AEAD_KEY_SIZE,
+        salt=salt,
+        info=info,
+    )
+    aes_key = hkdf.derive(shared_secret)
+    return aes_key, salt
+
+
+# ─── Uniform Padding (Plausible Deniability) ────────────────────────────────
+
+def select_padding_tier(data_size: int) -> int:
+    """Select the smallest padding tier that fits the data.
+    
+    An adversary monitoring network traffic sees only the tier size,
+    not the actual workload size.
+    
+    Args:
+        data_size: Actual payload size in bytes.
+    
+    Returns:
+        Target padded size in bytes.
+    
+    Raises:
+        ValueError: If data_size exceeds the largest tier.
+    """
+    for tier in sorted(PADDING_TIERS):
+        if data_size <= tier:
+            return tier
+    raise ValueError(
+        f"Data size {data_size} exceeds max tier {max(PADDING_TIERS)}"
+    )
+
+
+def pad_payload(data: bytes) -> Tuple[bytes, int]:
+    """Pad payload to the nearest standard tier with CSPRNG bytes.
+    
+    The padding scheme is:
+      [original_data] [1-byte pad_len] [CSPRNG pad bytes]
+    
+    Where pad_len = padded_size - actual_size - 1 (the pad_len byte itself).
+    The total file on the wire is exactly the tier size.
+    
+    Args:
+        data: Original plaintext payload.
+    
+    Returns:
+        Tuple of (padded_data, original_size).
+    """
+    original_size = len(data)
+    tier = select_padding_tier(original_size)
+    pad_len = tier - original_size - 1  # -1 for the pad_len byte
+    if pad_len < 0:
+        raise ValueError("Padding calculation overflow")
+    padding = os.urandom(pad_len)
+    padded = data + bytes([pad_len & 0xFF]) + padding
+    return padded, original_size
+
+
+def unpad_payload(padded: bytes) -> bytes:
+    """Remove padding from a padded payload.
+    
+    Args:
+        padded: Padded payload (must be a valid tier size).
+    
+    Returns:
+        Original unpadded data.
+    """
+    pad_len = padded[-1]  # last byte encodes padding length
+    # pad_len is the number of padding bytes AFTER the pad_len byte
+    original_size = len(padded) - pad_len - 1
+    return padded[:original_size]
+
+
+# ─── AES-256-GCM Encryption / Decryption ────────────────────────────────────
+
+def encrypt_payload(
+    data: bytes,
+    aes_key: bytes,
+    aad: Optional[bytes] = None,
+) -> bytes:
+    """Encrypt payload with AES-256-GCM.
+    
+    Output format:
+      [12-byte nonce][ciphertext + 16-byte GCM tag]
+    
+    Args:
+        data: Plaintext bytes to encrypt.
+        aes_key: 32-byte AES-256 key.
+        aad: Optional additional authenticated data.
+    
+    Returns:
+        Encrypted bytes (nonce || ciphertext_tag).
+    """
+    aesgcm = AESGCM(aes_key)
+    nonce = os.urandom(NONCE_SIZE)
+    ct = aesgcm.encrypt(nonce, data, aad or b"")
+    return nonce + ct
+
+
+def decrypt_payload(
+    encrypted: bytes,
+    aes_key: bytes,
+    aad: Optional[bytes] = None,
+) -> bytes:
+    """Decrypt AES-256-GCM payload.
+    
+    Input format:
+      [12-byte nonce][ciphertext + 16-byte GCM tag]
+    
+    Args:
+        encrypted: Encrypted bytes (nonce || ciphertext_tag).
+        aes_key: 32-byte AES-256 key.
+        aad: Optional additional authenticated data.
+    
+    Returns:
+        Decrypted plaintext bytes.
+    
+    Raises:
+        InvalidSignature: If the GCM tag is invalid (tampered data).
+    """
+    if len(encrypted) < NONCE_SIZE + TAG_SIZE:
+        raise ValueError("Ciphertext too short")
+    aesgcm = AESGCM(aes_key)
+    nonce = encrypted[:NONCE_SIZE]
+    ct = encrypted[NONCE_SIZE:]
+    return aesgcm.decrypt(nonce, ct, aad or b"")
+
+
+def encrypt_file(
+    in_path: Path,
+    out_path: Path,
+    aes_key: bytes,
+    aad: Optional[bytes] = None,
+):
+    """Read a file, pad it, encrypt it, and write to output.
+    
+    The output on disk is:
+      [12-byte nonce][ciphertext including 16-byte GCM tag]
+    
+    The ciphertext is padded to the nearest tier size BEFORE encryption,
+    so the encrypted output size reveals only the tier, not the plaintext size.
+    """
+    data = in_path.read_bytes()
+    padded, _ = pad_payload(data)
+    encrypted = encrypt_payload(padded, aes_key, aad)
+    out_path.write_bytes(encrypted)
+
+
+def decrypt_file(
+    encrypted: bytes,
+    aes_key: bytes,
+    aad: Optional[bytes] = None,
+) -> bytes:
+    """Decrypt and unpad a file.
+    
+    Returns the original plaintext bytes.
+    """
+    padded = decrypt_payload(encrypted, aes_key, aad)
+    return unpad_payload(padded)
+
+
+# ─── TEE Quote Verification ─────────────────────────────────────────────────
+
+def verify_tee_quote(
+    quote: TeeQuote,
+    expected_pubkey: bytes,
+    expected_measurement: Optional[bytes] = None,
+    amd_ark_cert: Optional[bytes] = None,
+) -> bool:
+    """Verify an AMD SEV-SNP attestation quote.
+    
+    This validates:
+      1. The report_data contains SHA-256(expected_pubkey) in its first 32 bytes,
+         proving the quote was generated for this specific key.
+      2. The ECDSA signature over the quote is valid against the AMD certificate chain.
+      3. (If provided) the TEE measurement matches the expected trusted code hash.
+    
+    Args:
+        quote: TeeQuote object from the agent.
+        expected_pubkey: Agent's 32-byte X25519 public key to verify binding.
+        expected_measurement: Optional expected TEE code measurement.
+        amd_ark_cert: Optional AMD root certificate for chain verification.
+    
+    Returns:
+        True if all checks pass.
+    
+    Raises:
+        ValueError: If any check fails with explanation.
+    """
+    # ── Check 1: report_data contains SHA-256(agent_pubkey) ─────────
+    pubkey_hash = hashes.Hash(hashes.SHA256())
+    pubkey_hash.update(expected_pubkey)
+    expected_report = pubkey_hash.finalize()
+
+    actual_report = quote.report_data[:32]
+    if not hmac.compare_digest(expected_report, actual_report):
+        raise ValueError(
+            "TEE quote report_data does not match agent public key. "
+            "Possible key substitution attack."
+        )
+
+    # ── Check 2: Verify measurement (if provided) ───────────────────
+    if expected_measurement is not None:
+        actual_measurement = quote.measurement
+        if not hmac.compare_digest(expected_measurement, actual_measurement):
+            raise ValueError(
+                "TEE measurement mismatch. The agent may not be running "
+                "the expected trusted code."
+            )
+
+    # ── Check 3: Verify certificate chain → signature ───────────────
+    #
+    # In production, this would:
+    #   1. Parse AMD ARK (root) certificate from built-in trust store
+    #   2. Verify ASK is signed by ARK
+    #   3. Verify OCA is signed by ASK
+    #   4. Verify the quote ECDSA signature using OCA public key
+    #   5. Check chip_id against AMD's revoked-CPU list
+    #
+    # Reference: SEV-SNP firmware ABI spec, section on attestation.
+    #
+    # For the MVP, we verify the chain structure exists and check
+    # cryptographic binding in report_data. Full cert chain validation
+    # requires `cryptography.x509` and AMD's root CA.
+    #
+    # The quote signature is ECDSA on secp384r1 over the following message:
+    #   SHA-384(ATTESTATION_REPORT[0:319])  (first 320 bytes of the report)
+    #
+    # Verification:
+    #   from cryptography.hazmat.primitives.asymmetric import ec
+    #   oca_pub = get_oca_from_cert_chain(quote.cert_chain)
+    #   oca_pub.verify(signature, message, ec.ECDSA(hashes.SHA384()))
+    #
+
+    if len(quote.cert_chain) < 3:
+        raise ValueError(
+            "TEE quote certificate chain incomplete. "
+            f"Expected >= 3 certs (ARK, ASK, OCA), got {len(quote.cert_chain)}"
+        )
+
+    if len(quote.signature) < 100:
+        raise ValueError(
+            f"TEE quote signature too short ({len(quote.signature)} bytes). "
+            "Expected ~104 bytes for ECDSA secp384r1."
+        )
+
+    # Placeholder for full chain validation:
+    # verify_cert_chain(quote.cert_chain, amd_ark_cert)
+    # verify_quote_signature(quote, oca_pubkey)
+
+    return True
+
+
+# ─── Full Encryption Pipeline ───────────────────────────────────────────────
+
+def encrypt_workspace(
+    workspace_zip: Path,
+    output_enc: Path,
+    agent_pubkey_b64: str,
+    client_keypair: EphemeralKeyPair,
+    aad: Optional[bytes] = None,
+) -> str:
+    """Full encryption pipeline for a job workspace.
+    
+    Steps:
+      1. Compute ECDH shared secret from client keypair + agent pubkey.
+      2. Derive AES-256-GCM payload key via HKDF.
+      3. Pad workspace to standard tier.
+      4. Encrypt with AES-256-GCM.
+      5. Write encrypted output to disk.
+    
+    Args:
+        workspace_zip: Path to the zipped workspace.
+        output_enc: Path for the encrypted output file.
+        agent_pubkey_b64: Agent's X25519 public key (base64).
+        client_keypair: Client's ephemeral X25519 keypair.
+        aad: Optional additional authenticated data.
+    
+    Returns:
+        Base64-encoded salt (needed by agent to derive the same AES key).
+    """
+    agent_pubkey = base64.b64decode(agent_pubkey_b64)
+    shared_secret = compute_shared_secret(client_keypair.private_key, agent_pubkey)
+    aes_key, salt = derive_aes_key(shared_secret)
+    encrypt_file(workspace_zip, output_enc, aes_key, aad)
+    return base64.b64encode(salt).decode()
+
+
+# ─── Backward-Compatible API ────────────────────────────────────────────────
+
+def generate_key() -> bytes:
+    """Legacy: Generate a random AES-256 key (backward compat)."""
+    return AESGCM.generate_key(bit_length=256)
+
+
+def key_to_b64(key: bytes) -> str:
+    return base64.b64encode(key).decode()
+
+
+def key_from_b64(s: str) -> bytes:
+    return base64.b64decode(s)

tenxo-0.1.0/tenxo/pack.py

@@ -0,0 +1,166 @@
+"""Workspace packaging: zip with .tenxoignore support and requirements.txt check."""
+
+import os
+import re
+import zipfile
+from pathlib import Path
+
+
+def load_ignore_patterns(directory: Path) -> list[str] | None:
+    """Read .tenxoignore patterns, falling back to .gitignore."""
+    for name in (".tenxoignore", ".gitignore"):
+        path = directory / name
+        if path.is_file():
+            return _parse_ignore_file(path)
+    return None
+
+
+def _parse_ignore_file(path: Path) -> list[str]:
+    patterns: list[str] = []
+    for line in path.read_text().splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        patterns.append(line)
+    return patterns
+
+
+def _translate_pattern(pat: str) -> str:
+    """Convert a gitignore-style pattern to a regex."""
+    parts = []
+    i = 0
+    n = len(pat)
+    while i < n:
+        c = pat[i]
+        if c == "*":
+            if i + 1 < n and pat[i + 1] == "*":
+                parts.append(".*")
+                i += 2
+                if i < n and pat[i] == "/":
+                    i += 1
+            else:
+                parts.append("[^/]*")
+            i += 1
+        elif c == "?":
+            parts.append("[^/]")
+            i += 1
+        elif c in ".+^${}()|\\[]":
+            parts.append("\\" + c)
+            i += 1
+        else:
+            parts.append(c)
+            i += 1
+    return "".join(parts)
+
+
+def _pattern_matches(rel_path: str, pattern: str) -> bool:
+    """Check if a relative path matches a single gitignore-style pattern.
+    Returns True if the raw pattern (without negation prefix) matches.
+    """
+    is_dir_only = pattern.endswith("/")
+    pattern = pattern.rstrip("/")
+    check_path = rel_path.rstrip("/")
+
+    if pattern.startswith("/"):
+        pattern = pattern[1:]
+        anchored = True
+    else:
+        anchored = False
+
+    regex = _translate_pattern(pattern)
+    if anchored:
+        return bool(re.fullmatch(regex, check_path))
+
+    if re.fullmatch(regex, check_path):
+        return True
+
+    if "/" in check_path or is_dir_only:
+        base = check_path.rsplit("/", 1)[-1]
+        if re.fullmatch(regex, base):
+            return True
+
+    if is_dir_only and check_path.startswith(pattern + "/"):
+        return True
+
+    return False
+
+
+def _matches_any(rel_path: str, patterns: list[str]) -> bool:
+    """Return True if rel_path is excluded (matches a non-negated pattern and
+    no later negation pattern re-includes it)."""
+    excluded = False
+    for p in patterns:
+        negate = p.startswith("!")
+        raw = p[1:].strip() if negate else p
+        if _pattern_matches(rel_path, raw):
+            if negate:
+                return False
+            excluded = True
+    return excluded
+
+
+def check_requirements(directory: Path):
+    """Warn if requirements.txt is missing from the workspace root."""
+    if not (directory / "requirements.txt").is_file():
+        print(
+            "WARNING: requirements.txt not found at workspace root.\n"
+            "Create one so the edge agent installs your Python dependencies.\n"
+        )
+
+
+def pack_workspace(
+    directory: str | Path = ".",
+    output: str | Path = "workspace.zip",
+) -> Path:
+    """Zip a workspace directory, respecting .tenxoignore patterns.
+
+    Args:
+        directory: Root directory to package.
+        output: Destination zip path.
+
+    Returns:
+        Absolute path to the created zip file.
+    """
+    root = Path(directory).resolve()
+    out = Path(output).resolve()
+
+    if not root.is_dir():
+        raise NotADirectoryError(f"Not a directory: {root}")
+
+    patterns = load_ignore_patterns(root)
+
+    check_requirements(root)
+
+    if patterns:
+        print(f"Ignoring files matching {len(patterns)} pattern(s)")
+    else:
+        print("No .tenxoignore or .gitignore found — including all files")
+
+    try:
+        out_resolved = out.resolve()
+    except (OSError, ValueError):
+        out_resolved = out
+
+    out.parent.mkdir(parents=True, exist_ok=True)
+    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
+        for dirpath, dirnames, filenames in os.walk(root):
+            for d in list(dirnames):
+                rel = os.path.relpath(os.path.join(dirpath, d), root)
+                if patterns and _matches_any(rel + "/", patterns):
+                    dirnames.remove(d)
+
+            for f in filenames:
+                full = os.path.join(dirpath, f)
+                rel = os.path.relpath(full, root)
+                # Don't include the output zip itself
+                try:
+                    if out_resolved.samefile(full):
+                        continue
+                except (OSError, ValueError):
+                    pass
+                if patterns and _matches_any(rel, patterns):
+                    continue
+                zf.write(full, rel)
+
+    print(f"Packaged {root.name} -> {out} ({out.stat().st_size / 1024:.1f} KB)")
+    return out

tenxo-0.1.0/tenxo.egg-info/PKG-INFO

@@ -0,0 +1,52 @@
+Metadata-Version: 2.4
+Name: tenxo
+Version: 0.1.0
+Summary: Tenxo - Zero-knowledge decentralized GPU grid CLI
+Author: Tenxo
+License: MIT
+Project-URL: Homepage, https://tenxo.ai
+Project-URL: Source, https://github.com/tenxo/tenxo
+Keywords: gpu,decentralized,ml,training,zero-knowledge
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: requests>=2.28
+Requires-Dist: tqdm>=4.64
+Requires-Dist: cryptography>=41
+
+# Tenxo
+
+Zero-knowledge decentralized GPU grid — package and train AI models on remote GPUs.
+
+## Install
+
+```bash
+pip install tenxo
+```
+
+## Quickstart
+
+```bash
+# Package your workspace
+tenxo pack
+
+# Full workflow: package → encrypt → upload → submit → poll → decrypt
+tenxo run /path/to/workspace
+```
+
+## `.tenxoignore`
+
+Create a `.tenxoignore` in your workspace root to exclude files (syntax like `.gitignore`):
+
+```
+.venv/
+__pycache__/
+*.pyc
+.DS_Store
+.git/
+output/
+*.zip
+```
+
+Running `tenxo pack` automatically reads `.tenxoignore` (falls back to `.gitignore`) and warns if `requirements.txt` is missing.

tenxo-0.1.0/tenxo.egg-info/SOURCES.txt

@@ -0,0 +1,14 @@
+README.md
+pyproject.toml
+tenxo/__init__.py
+tenxo/__main__.py
+tenxo/cli.py
+tenxo/client.py
+tenxo/crypto.py
+tenxo/pack.py
+tenxo.egg-info/PKG-INFO
+tenxo.egg-info/SOURCES.txt
+tenxo.egg-info/dependency_links.txt
+tenxo.egg-info/entry_points.txt
+tenxo.egg-info/requires.txt
+tenxo.egg-info/top_level.txt

tenxo-0.1.0/tenxo.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

tenxo-0.1.0/tenxo.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+tenxo = tenxo.cli:main

tenxo-0.1.0/tenxo.egg-info/requires.txt

@@ -0,0 +1,3 @@
+requests>=2.28
+tqdm>=4.64
+cryptography>=41

tenxo-0.1.0/tenxo.egg-info/top_level.txt

@@ -0,0 +1 @@
+tenxo