
venice_ai.resources.tee

Venice TEE (Trusted Execution Environment) attestation + session resource.

Wraps GET /tee/attestation and bootstraps a client-side E2EE :class:~venice_ai.tee._session.TeeSession for the confidential e2ee-* chat path. Attached as client.tee on both the async :class:~venice_ai._client.VeniceClient and (via the sync proxy) the :class:~venice_ai._sync_client.SyncVeniceClient.

Two entry points:

  • :meth:Tee.get_attestation — fetch and baseline-verify an attestation (fail-closed). Network + bytes.fromhex only; does not require the [e2ee] extra, so a bare install can still attest.
  • :meth:Tee.open_session — :meth:get_attestation then build a :class:TeeSession (generates the SESSION keypair). The keypair generation needs cryptography; the lazy import + actionable ImportError (the pip install 'venice-ai[e2ee]' hint) live in :mod:venice_ai.tee._crypto.

.. warning::

   Baseline attestation trusts Venice's server-side ``verified`` claim and does
   not perform full client-side Intel TDX / NVIDIA quote verification on its own.
   For full offline Intel TDX verification, pass a
   :class:`venice_ai.tee.DcapTdxVerifier` (the ``[e2ee-verify]`` extra) via
   ``verifier=``. See :func:`venice_ai.tee._attestation.verify_attestation` for
   the limitation and the :class:`FullQuoteVerifier` extension point.

Tee Objects

class Tee(APIResource["VeniceClient"])

Venice confidential-compute (TEE) attestation + E2EE session bootstrap.

Example:

async with VeniceClient() as client:
    # Verify the enclave and open an encrypted session in one step.
    session = await client.tee.open_session(model="e2ee-gemma-3-27b-p")
    with session:
        headers = session.request_headers()
        blob = session.encrypt_message("Hello, confidential world.")
        # ... POST /chat/completions (stream=True) with `headers` and
        # the encrypted message content; decrypt each streamed delta:
        #     text = session.decrypt_chunk(delta_hex)

Tee.get_attestation

async def get_attestation(
        *,
        model: str,
        nonce: str | None = None,
        fail_closed: bool = True,
        verifier: FullQuoteVerifier | None = None) -> TeeAttestation

Fetch and baseline-verify a TEE attestation for model.

Calls GET /tee/attestation?model=&nonce= (a free endpoint), verifies the response fail-closed against the client-generated nonce (server verified claim, nonce echo, report-data binding, TDX debug-flag), and records the sent nonce on the returned attestation.

This path uses only the network + bytes.fromhex / integer operations; it does not require the [e2ee] extra. A bare install can attest a model even though it cannot open an encrypting session.

Arguments:

  • model - The e2ee-* model id to attest (e.g. "e2ee-gemma-3-27b-p").
  • nonce - Optional 32-byte (64 lowercase hex) freshness nonce. When omitted, a cryptographically random one is generated. The Venice API rejects nonces that are not exactly 32 bytes.
  • fail_closed - When True (default), any failed verification check raises :class:~venice_ai.exceptions.TeeAttestationError. When False, failures are collected and a :class:UserWarning is emitted instead (the attestation is still returned).
  • verifier - Optional :class:FullQuoteVerifier for full client-side quote verification (baseline ships none).

Returns:

A verified :class:~venice_ai.tee.types.TeeAttestation with sent_nonce populated.

Raises:

  • TeeAttestationError - If fail_closed and verification fails (or the supplied nonce is malformed).
  • APIError - For HTTP-level failures.
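
The four baseline checks and the fail_closed switch described above, as an added offline example; this is not the SDK's own code. The response field names (verified, nonce, report_data, td_attributes), the placement of the nonce in one 32-byte half of the 64-byte report data, and the AttestationError class are assumptions made for illustration.

```python
import string
import warnings

DEBUG_BIT = 0x1  # TDX TDATTRIBUTES bit 0: debug TD, memory is readable by the host


class AttestationError(Exception):
    """Local stand-in for TeeAttestationError (hypothetical, not the SDK class)."""


def check_nonce(nonce: str) -> bytes:
    # Exactly 32 bytes written as 64 lowercase hex characters.
    if len(nonce) != 64 or set(nonce) - set(string.digits + "abcdef"):
        raise AttestationError("nonce must be 64 lowercase hex characters")
    return bytes.fromhex(nonce)


def baseline_verify(att: dict, sent_nonce: str, fail_closed: bool = True) -> list:
    """Run the four baseline checks and return the list of failures."""
    nonce = check_nonce(sent_nonce)  # a malformed nonce raises in either mode
    failures = []
    if att.get("verified") is not True:
        failures.append("server did not report verified=true")
    if att.get("nonce") != sent_nonce:
        failures.append("nonce echo mismatch")
    try:
        report_data = bytes.fromhex(att["report_data"])
        attributes = int.from_bytes(bytes.fromhex(att["td_attributes"]), "little")
    except (KeyError, TypeError, ValueError):
        report_data, attributes = b"", DEBUG_BIT  # unparsable: fail both checks
    if len(report_data) != 64 or nonce not in (report_data[:32], report_data[32:]):
        failures.append("report data not bound to nonce")
    if attributes & DEBUG_BIT:
        failures.append("TDX debug flag set")
    if failures and fail_closed:
        raise AttestationError("; ".join(failures))
    if failures:
        warnings.warn("attestation checks failed: " + "; ".join(failures), UserWarning)
    return failures


def sample_attestation(nonce: str, debug: bool = False) -> dict:
    # Constructed sample response; field names and layout are assumptions.
    return {"verified": True, "nonce": nonce,
            "report_data": (bytes(32) + bytes.fromhex(nonce)).hex(),
            "td_attributes": (b"\x01" if debug else b"\x00").hex() + "00" * 7}
```

With fail_closed=False the caller receives the failure list and a UserWarning, so the result must not be used to back an encrypting session without inspecting that list.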

Tee.get_signature

async def get_signature(*, model: str,
                        request_id: str) -> TeeSignatureResponse

Fetch the TEE signature proving a completion was produced by the enclave.

Calls GET /tee/signature?model=&request_id=. The returned

Arguments:

  • model - The TEE model id the completion ran on (an e2ee-* / TEE-attestation-capable model).
  • request_id - The completion id to attest (the chat completion id).

Returns:

The parsed :class:~venice_ai.tee.types.TeeSignatureResponse.

Tee.open_session

async def open_session(
        *,
        model: str,
        nonce: str | None = None,
        verifier: FullQuoteVerifier | None = None) -> TeeSession

Verify model's attestation (fail-closed) and open an E2EE session.

Convenience over :meth:get_attestation + :meth:TeeSession.from_attestation. Always verifies fail-closed (an unverified enclave must never back an encrypting session). Generating the SESSION keypair requires the [e2ee] extra; if cryptography is missing, the lazy import in :mod:venice_ai.tee._crypto raises an :class:ImportError with the pip install 'venice-ai[e2ee]' hint.

Arguments:

  • model - The e2ee-* model id.
  • nonce - Optional 32-byte (64-hex) nonce; generated when omitted.
  • verifier - Optional :class:FullQuoteVerifier.

Returns:

A :class:~venice_ai.tee._session.TeeSession ready to produce request headers and encrypt/decrypt messages. Use it as a context manager so its SESSION private key is dropped on exit.

Raises:

  • TeeAttestationError - If verification fails (always fail-closed here).
  • ImportError - If the [e2ee] extra is not installed.
  • APIError - For HTTP-level failures.