diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..055afb9 --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,132 @@ +# Privatemode Proxy — Agent Instructions + +OpenAI-compatible API proxy that runs on Azure Confidential VMs (AMD SEV-SNP). Provides a web-accessible endpoint for end-to-end encrypted AI via [Privatemode](https://privatemode.ai) — no local software required. All memory is hardware-encrypted; Azure cannot access decrypted traffic, TLS keys, or API secrets. + +## Quick Start + +```bash +# 1. Copy and configure environment +cp .env.example .env +# Edit .env: set ADMIN_PASSWORD and PRIVATEMODE_API_KEY + +# 2. Build the container +docker build -t privatemode-proxy:latest . + +# 3. Run (HTTP mode for local dev) +docker run -d --name privatemode \ + -p 8080:8080 \ + --env-file .env \ + privatemode-proxy:latest + +# 4. Health check +curl http://localhost:8080/health + +# 5. Run tests +pip install -r requirements-test.txt +pytest +``` + +For production deployment on Azure Confidential VMs with TLS, see `README.md` (Step-by-step guide) and `docs/CONFIDENTIAL_COMPUTING_DEPLOYMENT.md`. + +## Architecture + +The container runs two processes managed by **supervisord**: + +1. **privatemode-proxy** (port 8081) — Official Privatemode binary from `ghcr.io/edgelesssys/privatemode/privatemode-proxy`. Handles E2E encrypted communication with Privatemode's TEE servers. +2. **auth-proxy** (port 8080) — Python/aiohttp proxy that sits in front of the Privatemode binary. Handles TLS termination, API key authentication, rate limiting, usage tracking, and the admin web UI. + +``` +Client --> auth-proxy (:8080) --> privatemode-proxy (:8081) --> Privatemode API (TEE) +``` + +### Key Directories + +| Directory | Purpose | +|-----------|---------| +| `auth-proxy/` | Python proxy server — core application code | +| `auth-proxy/static/` | Static assets for admin UI | +| `tests/` | pytest test suite (async, aiohttp-based) | +| `scripts/` | CLI tools — key management, doc scraping | +| `docs/` | Scraped Privatemode documentation + Azure deployment guide | +| `secrets/` | Gitignored — API keys, settings (examples provided) | +| `.github/workflows/` | CodeQL analysis | + +## Key Files + +| File | Description | +|------|-------------| +| `auth-proxy/server.py` | Main proxy server — request routing, TLS, HTTPS enforcement | +| `auth-proxy/admin.py` | Admin web UI — key management, usage dashboard, settings | +| `auth-proxy/config.py` | Centralized configuration from environment variables | +| `auth-proxy/key_manager.py` | API key CRUD, validation, hot-reload from JSON file | +| `auth-proxy/usage_tracker.py` | Token usage and cost tracking per key/model | +| `auth-proxy/utils.py` | Shared utilities | +| `Dockerfile` | Multi-stage build: extracts Privatemode binary, installs Python deps, runs as non-root | +| `supervisord.conf` | Process manager config — runs both proxies in one container | +| `scripts/manage_keys.py` | CLI for API key management | +| `scripts/scrape_docs.py` | Scrapes Privatemode documentation into `docs/` | +| `.env.example` | Environment variable template | +| `secrets/api_keys.json.example` | API keys file format reference | +| `pytest.ini` | Test config (async mode) | +| `requirements-test.txt` | Test dependencies (pytest, pytest-aiohttp, pytest-asyncio) | + +## Development + +### Running Tests + +```bash +pip install -r requirements-test.txt +pytest # all tests +pytest tests/test_auth.py # single module +pytest -v # verbose +``` + +Tests use `pytest-aiohttp` for async HTTP testing. See `tests/conftest.py` for fixtures and `tests/helpers.py` for test utilities. + +### API Endpoints + +| Method | Endpoint | Auth | Description | +|--------|----------|------|-------------| +| `POST` | `/v1/chat/completions` | Bearer key | Chat completions | +| `POST` | `/v1/embeddings` | Bearer key | Text embeddings | +| `POST` | `/v1/audio/transcriptions` | Bearer key | Speech-to-text (Whisper) | +| `GET` | `/v1/models` | Bearer key | List available models | +| `GET` | `/health` | None | Health check | +| `GET` | `/admin` | Password | Admin web UI | + +### Available Models + +`gpt-oss-120b`, `gemma-3-27b`, `qwen3-coder-30b-a3b` (chat), `qwen3-embedding-4b` (embeddings), `whisper-large-v3` (audio). + +### Environment Variables + +See `.env.example` for the full list. Required: `ADMIN_PASSWORD`, `PRIVATEMODE_API_KEY`. Optional: `TLS_CERT_FILE`, `TLS_KEY_FILE`, `TRUST_PROXY`, rate limit settings. + +## Security Model + +### TEE Guarantees (AMD SEV-SNP) + +- **All VM memory is hardware-encrypted** by the CPU with keys Azure cannot access +- **TLS terminates inside the TEE** — Azure never sees decrypted traffic +- **Privatemode API key** lives only in encrypted memory (passed via env var) +- **SSH keys** are generated locally and never uploaded to Azure +- **Let's Encrypt private keys** are generated on the VM and never leave the TEE + +### Defense in Depth + +1. **Hardware**: AMD SEV-SNP memory encryption +2. **OS**: Ubuntu with Secure Boot + vTPM +3. **Container**: Non-root user (`appuser`, UID 1000), minimal image +4. **Application**: HTTPS enforcement, per-key and per-IP rate limiting, Bearer token auth +5. **Key management**: Hot-reload key rotation, optional expiration dates, per-key rate limits + +### What is NOT Encrypted from Azure + +- Encrypted network traffic (before TLS termination) +- VM metadata (name, size, region) +- Disk contents (unless confidential disk encryption enabled) +- Resource usage metrics (CPU, memory, network) + +### Zero-Retention + +Prompts and responses are never logged or stored. Only token usage metadata is tracked for billing. The proxy reads the `usage` field from responses but ignores `choices` content entirely. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..5894a13 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2024-2026 Open Paws + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE.