tee: enforce loopback-or-bearer worker API access

ramtamilselvan · ramtamilselvan · commit 4f4e65778c65 · 2026-04-18T16:10:48.000+04:00
diff --git a/app/tee_client.go b/app/tee_client.go
@@ -11,6 +11,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -146,6 +147,7 @@ type RemoteTEEClient struct {
 	endpoint string
 	client   *http.Client
 	breaker  *circuitbreaker.Breaker
+	apiToken string
 }
 
 // NewRemoteTEEClient creates a new HTTP-based TEE client.
@@ -160,6 +162,7 @@ func NewRemoteTEEClient(logger log.Logger, endpoint string) (*RemoteTEEClient, e
 		logger:   logger,
 		endpoint: endpoint,
 		breaker:  circuitbreaker.NewDefault("tee_remote_execute"),
+		apiToken: strings.TrimSpace(os.Getenv("AETHELRED_TEE_API_TOKEN")),
 		client: httpclient.NewPooledClient(httpclient.PoolConfig{
 			Timeout:             60 * time.Second,
 			MaxIdleConns:        100,
@@ -200,6 +203,7 @@ func (c *RemoteTEEClient) Execute(ctx context.Context, request *TEEExecutionRequ
 		return nil, fmt.Errorf("failed to create TEE request: %w", err)
 	}
 	httpReq.Header.Set("Content-Type", "application/json")
+	c.applyAuth(httpReq)
 
 	resp, err := c.client.Do(httpReq)
 	if err != nil {
@@ -257,6 +261,7 @@ func (c *RemoteTEEClient) GetCapabilities() *TEECapabilities {
 		c.logger.Warn("Failed to create capabilities request", "error", err)
 		return &TEECapabilities{Platform: "remote"}
 	}
+	c.applyAuth(httpReq)
 
 	resp, err := c.client.Do(httpReq)
 	if err != nil {
@@ -314,6 +319,7 @@ func (c *RemoteTEEClient) IsHealthy(ctx context.Context) bool {
 		}
 		return false
 	}
+	c.applyAuth(httpReq)
 	resp, err := c.client.Do(httpReq)
 	if err != nil {
 		if c.breaker != nil {
@@ -341,6 +347,13 @@ func (c *RemoteTEEClient) Close() error {
 	return nil
 }
 
+func (c *RemoteTEEClient) applyAuth(req *http.Request) {
+	if c == nil || req == nil || c.apiToken == "" {
+		return
+	}
+	req.Header.Set("Authorization", "Bearer "+c.apiToken)
+}
+
 // Breaker exposes the circuit breaker for metrics.
 func (c *RemoteTEEClient) Breaker() *circuitbreaker.Breaker {
 	return c.breaker
diff --git a/app/tee_client_test.go b/app/tee_client_test.go
@@ -2,6 +2,8 @@ package app
 
 import (
 	"context"
+	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
@@ -109,6 +111,32 @@ func TestRemoteTEEClient_IsHealthyRejectsBlockedEndpoint(t *testing.T) {
 	}
 }
 
+func TestRemoteTEEClient_IsHealthyUsesBearerTokenWhenConfigured(t *testing.T) {
+	t.Setenv("AETHELRED_TEE_API_TOKEN", "worker-secret")
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/health" {
+			http.NotFound(w, r)
+			return
+		}
+		if got := r.Header.Get("Authorization"); got != "Bearer worker-secret" {
+			http.Error(w, "missing auth", http.StatusUnauthorized)
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	client, err := NewRemoteTEEClient(log.NewNopLogger(), server.URL)
+	if err != nil {
+		t.Fatalf("expected local test server endpoint to be accepted, got %v", err)
+	}
+
+	if !client.IsHealthy(context.Background()) {
+		t.Fatal("expected health probe to succeed with configured bearer token")
+	}
+}
+
 func bytes32(fill byte) []byte {
 	out := make([]byte, 32)
 	for i := range out {
diff --git a/docs/audits/EVIDENCE_INDEX.md b/docs/audits/EVIDENCE_INDEX.md
@@ -391,6 +391,8 @@ The current evidence branch is a pre-audit hardening candidate on top of
 | Nitro parser fail-closed regression | `cargo test --manifest-path services/tee-worker/nitro-sdk/Cargo.toml --features attestation-evidence nitro` | `services/tee-worker/nitro-sdk/src/attestation/aws_nitro.rs` |
 | ARM attestation fail-closed regression | `cargo test --manifest-path services/tee-worker/nitro-sdk/Cargo.toml --features attestation-evidence arm` | `services/tee-worker/nitro-sdk/src/attestation/arm_trustzone.rs` |
 | Shared endpoint literal-IP regression | `go test ./x/verify/httputil` | `x/verify/httputil/httputil_test.go` |
+| Worker API auth boundary regression | `go test ./services/tee-worker/executor` | `services/tee-worker/executor/main_test.go` |
+| Remote TEE client auth regression | `go test ./app` | `app/tee_client_test.go` |
 | Seal verifier regression | `go test ./x/seal/keeper/...` | `x/seal/keeper/` |
 | Vault relay governance regression | `go test ./x/vault/keeper` | `x/vault/keeper/keeper_test.go` |
 | Sovereign access-control regression | `cargo test --manifest-path services/tee-worker/nitro-sdk/Cargo.toml --features full-sdk lib_full::sovereign::` | `services/tee-worker/nitro-sdk/src/sovereign/` |
diff --git a/docs/audits/REMEDIATION_REGISTER.md b/docs/audits/REMEDIATION_REGISTER.md
@@ -219,6 +219,7 @@ part of the `main`-branch CLOSED statistics below.
 | HS-2026-04-16-52 | Medium | Worker / Nitro Parser Truthfulness | Fail closed in the Nitro attestation wrapper when the COSE/CBOR parsing backend is unavailable, instead of constructing a placeholder attestation document after only validating the outer COSE shell | `ramesh/protocol-hardening-sweep-20260416` / PR `#141` | `cargo test --manifest-path services/tee-worker/nitro-sdk/Cargo.toml --features attestation-evidence nitro` and `cargo check --manifest-path services/tee-worker/nitro-sdk/Cargo.toml --features attestation-evidence` |
 | HS-2026-04-16-53 | Medium | Worker / ARM Attestation Truthfulness | Fail closed in the ARM TrustZone / CCA wrapper when parser or signature-verification backends are unavailable, instead of fabricating placeholder token state or returning success from non-cryptographic signature paths | `ramesh/protocol-hardening-sweep-20260416` / PR `#141` | `cargo test --manifest-path services/tee-worker/nitro-sdk/Cargo.toml --features attestation-evidence arm` and `cargo check --manifest-path services/tee-worker/nitro-sdk/Cargo.toml --features attestation-evidence` |
 | HS-2026-04-16-54 | Medium | Verify / Shared Endpoint Literal IP Boundary | Tighten the shared endpoint validator so literal loopback, private, unspecified, and IPv6 non-routable addresses fail closed centrally instead of bypassing DNS-based SSRF checks when supplied directly as endpoint hosts | `ramesh/protocol-hardening-sweep-20260416` / PR `#141` | `go test ./x/verify/httputil`, `go test ./x/verify/...`, and `go test ./app ./x/pouw/keeper ./x/verify/... ./x/seal/keeper ./x/validator/keeper ./x/vault/keeper` |
+| HS-2026-04-16-55 | Medium | Worker / Execution API Boundary | Enforce loopback-or-bearer access on the TEE worker control plane, require an explicit API token for non-loopback exposure, and teach the remote Go TEE client to present that bearer token when configured instead of relying on network placement alone to protect `/health`, `/capabilities`, `/execute`, and `/verify` | `ramesh/protocol-hardening-sweep-20260416` / PR `#141` | `go test ./services/tee-worker/executor`, `go test ./app`, and `go test ./app ./x/pouw/keeper ./x/verify/... ./x/seal/keeper ./x/validator/keeper ./x/vault/keeper` |
 
 See `docs/audits/protocol-hardening-sweep-2026-04-16.md` for the detailed
 scope and verification record.
diff --git a/docs/audits/STATUS.md b/docs/audits/STATUS.md
@@ -101,7 +101,7 @@ March 30 verified baseline.
 | Branch / PR | Scope | Current Head | Status | Evidence |
 |---|---|---|---|---|
 | `ramesh/broad-review-cleanup-20260416` / `#139` | Repo review-surface cleanup for TypeScript SDK and VSCode tooling | Branch head in PR | In Review | PR checks + local `npm run typecheck`, `npm run compile`, `npm run lint`, `npm test` |
-| `ramesh/protocol-hardening-sweep-20260416` / `#141` | Bridge relayer persistence and authority, burn nonce extraction, fail-closed zk proof and TEE/VM verification, authenticated simulated keeper attestations, deterministic simulated EZKL verification, deterministic simulated keeper zk proof binding, secure-by-default TEE precompile registry wiring, seal verifier fail-closed defaults, stateful seal revocation approval/execution, removal of the ordinary privileged seal-revocation bypass, narrowed raw keeper revoke entrypoints, quorumed emergency seal revocation, explicit authority enforcement on governance-only vault keeper methods, authority-gated non-overwritable relay liveness challenges with audit logging, loopback-by-default admin consensus-audit endpoint enforcement with explicit bearer-token authorization for remote exposure, truthful simulated/degraded health reporting with `503` reserved for genuinely unhealthy runtime posture, redacted public health diagnostics with detailed output gated to loopback or explicit token authorization, loopback-by-default metrics endpoint enforcement with explicit bearer-token authorization for remote scraping, forwarded proxy traffic no longer inheriting unauthenticated loopback trust on admin, metrics, or detailed health routes, fail-closed remote TEE endpoint validation across startup and health probing, fail-closed readiness endpoint probing for configured verifier targets, fail-closed EZKL remote prover/verifier endpoint validation, fail-closed DCAP collateral and CRL endpoint validation, fail-closed mirrored worker Nitro remote endpoint validation, fail-closed drand relay endpoint validation with bounded local fallback decoding, fail-closed TEE worker backend proxy endpoint validation, fail-closed lightweight attestation collateral backends, fail-closed Nitro parser placeholder path, fail-closed ARM parser and signature placeholder paths, fail-closed shared endpoint literal-IP bypasses, fail-closed TEE startup gating for real remote verifier modes, explicit simulated Nitro client identity with schema-consistent quote/proof artifacts, fail-closed Nitro payload confidentiality handling, fail-closed seal signature verification semantics, fail-closed seal export provenance semantics, honest PQC backend availability gating, fail-closed enhanced seal signature semantics, fail-closed seal import provenance semantics, aligned simulated TEE platform taxonomy across app and PoUW validation, ABCI vote-extension request binding for validator identity and height, runtime enforcement of locked PoUW governance parameters, governance compatibility and compliance alignment with runtime lock policy, auditable trusted-measurement registry mutations with legacy Nitro index reconciliation, bonded-quorum trusted-measurement emergency revocation, aligned security audit and threat-model narratives with the hardened production governance posture, cryptographic mempool signature enforcement, fail-closed VM job-registry proof verification, owner-bound sovereign payload encryption and fail-closed sovereign access control, validator slashing economic-penalty enforcement, timelock-safe automation keeper ownership, fail-closed non-local deployment authority resolution, real hybrid secp256k1 + Dilithium signer/verification in the worker runtime, governance bootstrap, Cruzible deployability | Latest branch head in PR | In Review | `docs/audits/protocol-hardening-sweep-2026-04-16.md` |
+| `ramesh/protocol-hardening-sweep-20260416` / `#141` | Bridge relayer persistence and authority, burn nonce extraction, fail-closed zk proof and TEE/VM verification, authenticated simulated keeper attestations, deterministic simulated EZKL verification, deterministic simulated keeper zk proof binding, secure-by-default TEE precompile registry wiring, seal verifier fail-closed defaults, stateful seal revocation approval/execution, removal of the ordinary privileged seal-revocation bypass, narrowed raw keeper revoke entrypoints, quorumed emergency seal revocation, explicit authority enforcement on governance-only vault keeper methods, authority-gated non-overwritable relay liveness challenges with audit logging, loopback-by-default admin consensus-audit endpoint enforcement with explicit bearer-token authorization for remote exposure, truthful simulated/degraded health reporting with `503` reserved for genuinely unhealthy runtime posture, redacted public health diagnostics with detailed output gated to loopback or explicit token authorization, loopback-by-default metrics endpoint enforcement with explicit bearer-token authorization for remote scraping, forwarded proxy traffic no longer inheriting unauthenticated loopback trust on admin, metrics, or detailed health routes, fail-closed remote TEE endpoint validation across startup and health probing, fail-closed readiness endpoint probing for configured verifier targets, fail-closed EZKL remote prover/verifier endpoint validation, fail-closed DCAP collateral and CRL endpoint validation, fail-closed mirrored worker Nitro remote endpoint validation, fail-closed drand relay endpoint validation with bounded local fallback decoding, fail-closed TEE worker backend proxy endpoint validation, fail-closed lightweight attestation collateral backends, fail-closed Nitro parser placeholder path, fail-closed ARM parser and signature placeholder paths, fail-closed shared endpoint literal-IP bypasses, loopback-or-bearer TEE worker API enforcement with token-aware remote client requests, fail-closed TEE startup gating for real remote verifier modes, explicit simulated Nitro client identity with schema-consistent quote/proof artifacts, fail-closed Nitro payload confidentiality handling, fail-closed seal signature verification semantics, fail-closed seal export provenance semantics, honest PQC backend availability gating, fail-closed enhanced seal signature semantics, fail-closed seal import provenance semantics, aligned simulated TEE platform taxonomy across app and PoUW validation, ABCI vote-extension request binding for validator identity and height, runtime enforcement of locked PoUW governance parameters, governance compatibility and compliance alignment with runtime lock policy, auditable trusted-measurement registry mutations with legacy Nitro index reconciliation, bonded-quorum trusted-measurement emergency revocation, aligned security audit and threat-model narratives with the hardened production governance posture, cryptographic mempool signature enforcement, fail-closed VM job-registry proof verification, owner-bound sovereign payload encryption and fail-closed sovereign access control, validator slashing economic-penalty enforcement, timelock-safe automation keeper ownership, fail-closed non-local deployment authority resolution, real hybrid secp256k1 + Dilithium signer/verification in the worker runtime, governance bootstrap, Cruzible deployability | Latest branch head in PR | In Review | `docs/audits/protocol-hardening-sweep-2026-04-16.md` |
 
 These branches are additive hardening tranches and do not reopen any finding
 that was already marked CLOSED on the March 30 baseline. They exist to reduce
diff --git a/docs/audits/protocol-hardening-sweep-2026-04-16.md b/docs/audits/protocol-hardening-sweep-2026-04-16.md
@@ -803,6 +803,26 @@ already merged.
   explicit localhost allowances plus blocked literal IPv4/IPv6 bypass cases,
   including non-canonical loopback and private IPv6 forms.
 
+### 3zr. Worker API loopback-or-bearer hardening
+
+- Tightened `services/tee-worker/executor/main.go`, where the TEE worker
+  control plane still relied on ambient network placement instead of
+  code-enforced caller authentication for `/health`, `/capabilities`,
+  `/execute`, and `/verify`.
+- The worker now defaults to explicit loopback binding
+  (`127.0.0.1:8545`), requires `AETHELRED_TEE_API_TOKEN` whenever it is bound
+  beyond loopback, and enforces loopback-or-bearer authorization on all HTTP
+  routes while refusing forwarded-header loopback trust.
+- Tightened `app/tee_client.go` so `RemoteTEEClient` automatically presents the
+  configured `AETHELRED_TEE_API_TOKEN` as a bearer token on health,
+  capabilities, and execution requests when remote exposure is intentionally
+  enabled.
+- Added focused regressions in
+  `services/tee-worker/executor/main_test.go` and `app/tee_client_test.go`
+  covering remote request rejection without a bearer token, remote acceptance
+  with the configured bearer token, and token-aware remote client health
+  probing.
+
 ### 4. Cruzible deployability and reviewability
 
 - Reduced `Cruzible.sol` deployed bytecode under the EIP-170 limit without
@@ -1034,6 +1054,10 @@ already merged.
   IP forms centrally instead of relying on DNS resolution to catch those
   inputs after the fact, which closes an SSRF-style bypass class across the
   app, verify, and worker startup paths that reuse that helper.
+- The TEE worker control plane no longer relies only on topology for safety.
+  Non-loopback exposure now requires an explicit API token, the worker enforces
+  loopback-or-bearer access on its HTTP routes, and the remote Go client
+  participates in that contract by attaching the configured bearer token.
 - The built-in security audit and threat model now describe the same hardened
   governance posture the runtime enforces, which removes an internal
   claim-vs-control mismatch around consensus threshold policy, one-way
diff --git a/services/tee-worker/executor/main.go b/services/tee-worker/executor/main.go
diff --git a/services/tee-worker/executor/main_test.go b/services/tee-worker/executor/main_test.go
