feat(tee): raise explicit not-implemented error for the opaque provider #385

Merged
imran-siddique merged 1 commit into main from feat/opaque-not-implemented-error
Jul 4, 2026

@imran-siddique

Contributor

Follow-up to the docs pass in #383. The `opaque` (OPAQUE managed-runtime) provider was a silent no-op: `OpaqueProvider.detect()` returned `False`, so in auto mode it was silently skipped, and an explicit `provider: opaque` selection surfaced only a generic "not available on this host". It is a recognized-but-not-yet-implemented placeholder, so this makes that explicit.

Changes

  • New error `AttestationProviderNotImplemented` (subclass of `AttestationProviderUnsupported`, code `ATTESTATION_PROVIDER_NOT_IMPLEMENTED`, HTTP 501) — the gateway still refuses to start, but with a clear reason.
  • `OpaqueProvider.detect()` and `get_attestation_report()` now raise it instead of returning `False` / a bare `NotImplementedError`.
  • Removed `opaque` from the auto-detect probe order (`tee/detect.py`), so it is never auto-selected. The auto loop also defensively skips any provider that raises the not-implemented error.
  • Explicit `provider: opaque` now raises the explicit error rather than the generic unsupported message.

Tests

  • `opaque` `detect()` / `get_attestation_report()` raise the new error; explicit selection via `detect_provider` raises it; `opaque` is asserted absent from the probe order. Full tee suite (50 tests) passes locally; ruff + mypy clean.

Docs

  • README, docs/SPEC.md §9, STATUS.md, docs/spec/attestation.md §1.1/§1.2, and the error-code registry updated to match (probe order is now tpm -> sev-snp -> tdx).

🤖 Generated with Claude Code

The `opaque` (OPAQUE managed-runtime) provider was a silent no-op: detect()
returned False, so in auto mode it was silently skipped, and an explicit
`provider: opaque` selection surfaced only a generic "not available on this
host". It is a recognized-but-unimplemented placeholder, so make that explicit.

- Add AttestationProviderNotImplemented (subclass of AttestationProviderUnsupported,
  code ATTESTATION_PROVIDER_NOT_IMPLEMENTED, HTTP 501); the gateway still refuses
  to start.
- OpaqueProvider.detect() and get_attestation_report() now raise it instead of
  returning False / a bare NotImplementedError.
- Remove `opaque` from the auto-detect probe order so it is never auto-selected;
  the auto loop also defensively skips any provider that raises NotImplemented.
- Explicit `provider: opaque` now raises the explicit error rather than the
  generic unsupported message.
- Tests: opaque detect/report raise the new error; explicit selection raises it;
  opaque is not in the probe order.
- Docs: README, SPEC §9, STATUS.md, attestation.md §1.1/§1.2, and the error-code
  registry updated to match (probe order tpm -> sev-snp -> tdx).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@imran-siddique imran-siddique merged commit ffd76f9 into main Jul 4, 2026
12 checks passed
@imran-siddique imran-siddique deleted the feat/opaque-not-implemented-error branch July 4, 2026 20:31
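
An added sketch of the fail-closed provider selection this PR describes, not the project's own code: the class bodies, `http_status`, `PROBE_ORDER`, `StubProvider` and the `registry` argument are assumptions, and only the class, method and error-code names quoted in the description come from the page.

```python
# Added sketch, not the project's code. Class bodies, http_status, PROBE_ORDER,
# StubProvider and the registry argument are assumptions for illustration.
class AttestationProviderUnsupported(Exception):
    """Provider cannot be used on this host; the gateway refuses to start."""

class AttestationProviderNotImplemented(AttestationProviderUnsupported):
    """Provider name is recognized but has no implementation yet."""
    code = "ATTESTATION_PROVIDER_NOT_IMPLEMENTED"
    http_status = 501

class StubProvider:
    """Constructed stand-in for a real provider (tpm, sev-snp, tdx)."""
    def __init__(self, name, present):
        self.name, self.present = name, present
    def detect(self):
        return self.present

class OpaqueProvider:
    name = "opaque"
    def detect(self):
        raise AttestationProviderNotImplemented("opaque: recognized, not implemented")
    def get_attestation_report(self):
        raise AttestationProviderNotImplemented("opaque: recognized, not implemented")

PROBE_ORDER = ("tpm", "sev-snp", "tdx")  # opaque is never auto-selected

def detect_provider(selection, registry):
    """Return a usable provider or raise; never fall back to 'no attestation'."""
    if selection != "auto":
        provider = registry.get(selection)
        if provider is None:
            raise AttestationProviderUnsupported(f"unknown provider {selection!r}")
        # For opaque, detect() raises the explicit error, which propagates as-is.
        if not provider.detect():
            raise AttestationProviderUnsupported(f"{selection} not available on this host")
        return provider
    for name in PROBE_ORDER:
        try:
            if registry[name].detect():
                return registry[name]
        except AttestationProviderNotImplemented:
            continue  # defensive: a placeholder in the probe list is skipped
    raise AttestationProviderUnsupported("no attestation provider detected")
```

Because the new error subclasses the unsupported error, a startup path that already catches `AttestationProviderUnsupported` keeps refusing to start without any change.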