Summary

This PR introduces on-chain TEE registry integration to dynamically discover active LLM proxy endpoints with TLS certificate pinning, replacing hardcoded server URLs. The client now resolves TEE endpoints from the registry by default, with optional fallback to static URLs for development/self-hosted scenarios.

Key Changes

• New TEE Registry Integration (teeRegistry.ts):

  • TEERegistry class queries the on-chain TEE Registry contract to fetch active TEE endpoints and their DER-encoded TLS certificates
  • Implements getActiveTEEsByType() to retrieve all active TEEs of a given type and getLLMTEE() to select a random active LLM proxy
  • Converts hex-encoded certificate data from the contract into Uint8Array format for TLS pinning

• New TEE Connection Abstraction (teeConnection.ts):

  • TEEConnection interface provides a common contract for static and registry-backed TEE connections
  • StaticTEEConnection for hardcoded endpoints (dev/self-hosted) with disabled TLS verification
  • RegistryTEEConnection for registry-backed discovery with:
    • TLS certificate pinning via buildPinnedAgent() (creates undici Agent with pinned CA certificate)
    • Optional background health check loop (5-minute interval) to detect stale TEE registrations
    • Automatic reconnection and retry on connection failures
  • Proper resource cleanup via close() method for dispatchers and timers

• Updated LLM Client (llm.ts):

  • Replaced hardcoded serverUrl and streamingServerUrl config with connection: TEEConnection
  • Refactored request flow: requestWithRetry() handles TEE resolution and single-retry-on-failure logic
  • sendOnce() builds a paid fetch with the TEE's pinned dispatcher injected into every request
  • Added close() method to tear down resources

• Updated Client Factory (client.ts):

  • Automatically creates RegistryTEEConnection by default (queries registry via RPC)
  • Falls back to StaticTEEConnection when llmServerUrl is provided
  • Accepts optional rpcUrl and teeRegistryAddress overrides
  • Added close() method for cleanup

• Configuration Updates (types.ts, defaults.ts):

  • Removed llmStreamingServerUrl config (both chat and streaming use the same endpoint)
  • Updated llmServerUrl documentation to clarify it disables registry lookup
  • Added rpcUrl and teeRegistryAddress config options
  • Changed defaults from hardcoded LLM URLs to registry RPC URL and contract address

• Public API Exports (index.ts):

  • Exported TEERegistry, TEEEndpoint, TEE_TYPE_* constants
  • Exported TEEConnection, ActiveTEE, RegistryTEEConnection, StaticTEEConnection, buildPinnedAgent

Notable Implementation Details

• TLS Certificate Pinning: Instead of trust-on-first-use (TOFU), the client fetches the certificate submitted during TEE registration and pins to it, rejecting any mismatched certificates
• Hostname Verification Disabled: TEE servers are typically addressed by IP while certificates may be issued for different hostnames; the pinned certificate itself serves as the trust anchor
• Graceful Degradation: Connection failures trigger a registry refresh and single retry; if the TEE is no longer active, a fresh one is selected
• Resource Management: Background timers are marked as non-blocking (unref()) and all resources are properly cleaned up on close()
• Version Bump: Package version updated to 2.1.0

https://claude.ai/code/session_01Nvpzd6GMuRCcgfuFZgotUk