feat: add model name to signatures and attestation report (#50)

* feat: add model name to cryptographic signatures and attestation report

Include model_name in the signed text format (model:req_hash:resp_hash)
and in the AttestationReport struct so clients can independently verify
which model the proxy is serving.

* fix: bundle attestation params into struct to satisfy clippy too_many_arguments

* chore: fix formatting

Author: PierreLeGuen

src/attestation.rs

@@ -251,27 +251,38 @@ nU+jXBG7tgClr/DntUBJx+xfNWpxLKE=
         );
     }
 }
+/// Parameters for generating an attestation report.
+pub struct AttestationParams<'a> {
+    pub model_name: &'a str,
+    pub signing_address: &'a str,
+    pub signing_algo: &'a str,
+    pub signing_public_key: &'a str,
+    pub signing_address_bytes: &'a [u8],
+    pub nonce: Option<&'a str>,
+    pub gpu_no_hw_mode: bool,
+    pub tls_cert_fingerprint: Option<&'a str>,
+}
+
 /// Generate a complete attestation report.
 pub async fn generate_attestation(
-    signing_address: &str,
-    signing_algo: &str,
-    signing_public_key: &str,
-    signing_address_bytes: &[u8],
-    nonce: Option<&str>,
-    gpu_no_hw_mode: bool,
-    tls_cert_fingerprint: Option<&str>,
+    params: AttestationParams<'_>,
 ) -> Result<AttestationReport, AttestationError> {
-    let nonce_bytes = parse_nonce(nonce)?;
+    let nonce_bytes = parse_nonce(params.nonce)?;
     let nonce_hex = hex::encode(nonce_bytes);
 
     // Build TDX report data (binds cert fingerprint when present)
-    let fp_bytes = tls_cert_fingerprint
+    let fp_bytes = params
+        .tls_cert_fingerprint
         .map(hex::decode)
         .transpose()
         .map_err(|e| {
             AttestationError::Internal(anyhow::anyhow!("bad cert fingerprint hex: {e}"))
         })?;
-    let report_data = build_report_data(signing_address_bytes, &nonce_bytes, fp_bytes.as_deref());
+    let report_data = build_report_data(
+        params.signing_address_bytes,
+        &nonce_bytes,
+        fp_bytes.as_deref(),
+    );
 
     // Get TDX quote from dstack
     let client = dstack_sdk::dstack_client::DstackClient::new(None);
@@ -280,23 +291,24 @@ pub async fn generate_attestation(
         serde_json::from_str(&quote_result.event_log).map_err(anyhow::Error::from)?;
 
     // Collect GPU evidence
-    let gpu_evidence = collect_gpu_evidence(&nonce_hex, gpu_no_hw_mode).await?;
+    let gpu_evidence = collect_gpu_evidence(&nonce_hex, params.gpu_no_hw_mode).await?;
     let nvidia_payload = build_nvidia_payload(&nonce_hex, &gpu_evidence);
 
     // Get system info
     let info = client.info().await?;
     let info_value = serde_json::to_value(&info).map_err(anyhow::Error::from)?;
 
     Ok(AttestationReport {
-        signing_address: signing_address.to_string(),
-        signing_algo: signing_algo.to_string(),
-        signing_public_key: signing_public_key.to_string(),
+        model_name: params.model_name.to_string(),
+        signing_address: params.signing_address.to_string(),
+        signing_algo: params.signing_algo.to_string(),
+        signing_public_key: params.signing_public_key.to_string(),
         request_nonce: nonce_hex,
         intel_quote: quote_result.quote,
         nvidia_payload,
         event_log,
         info: info_value,
-        tls_cert_fingerprint: tls_cert_fingerprint.map(|s| s.to_string()),
+        tls_cert_fingerprint: params.tls_cert_fingerprint.map(|s| s.to_string()),
     })
 }
 

src/proxy.rs

@@ -183,6 +183,8 @@ pub struct ProxyOpts {
     pub cache: Arc<ChatCache>,
     /// Prefix for auto-generated IDs (e.g., "chatcmpl", "img", "emb").
     pub id_prefix: String,
+    /// Model name included in the signed text.
+    pub model_name: String,
     /// If set, report usage to the cloud API after a successful response.
     pub usage_reporter: Option<UsageReporter>,
     /// What kind of usage to extract from the response.
@@ -251,7 +253,7 @@ pub async fn proxy_json_request(
     let response_sha256 = hex::encode(Sha256::digest(response_body.as_bytes()));
 
     // Sign and cache
-    let text = format!("{request_sha256}:{response_sha256}");
+    let text = format!("{}:{request_sha256}:{response_sha256}", opts.model_name);
     let signed = opts.signing.sign_chat(&text).map_err(|e| {
         error!(error = %e, "Signing failed");
         AppError::Internal(e)
@@ -304,6 +306,7 @@ pub async fn proxy_streaming_request(
     let signing = opts.signing.clone();
     let cache = opts.cache.clone();
     let usage_reporter = opts.usage_reporter.clone();
+    let model_name = opts.model_name.clone();
 
     let (tx, rx) = tokio::sync::mpsc::channel::<Result<Bytes, std::io::Error>>(64);
 
@@ -355,7 +358,7 @@ pub async fn proxy_streaming_request(
         if !upstream_error && !downstream_closed && parser.seen_done {
             let response_sha256 = hex::encode(hasher.finalize());
             if let Some(ref id) = parser.chat_id {
-                let text = format!("{request_sha256}:{response_sha256}");
+                let text = format!("{model_name}:{request_sha256}:{response_sha256}");
                 match signing.sign_chat(&text) {
                     Ok(signed) => {
                         if let Ok(signed_json) = serde_json::to_string(&signed) {
@@ -457,7 +460,7 @@ pub async fn proxy_multipart_request(
         serde_json::to_string(&response_data).map_err(|e| AppError::Internal(e.into()))?;
     let response_sha256 = hex::encode(Sha256::digest(response_body.as_bytes()));
 
-    let text = format!("{request_sha256}:{response_sha256}");
+    let text = format!("{}:{request_sha256}:{response_sha256}", opts.model_name);
     let signed = opts.signing.sign_chat(&text).map_err(|e| {
         error!(error = %e, "Signing failed");
         AppError::Internal(e)
@@ -566,7 +569,7 @@ pub async fn sign_and_cache_json_response(
         serde_json::to_string(&response_data).map_err(|e| AppError::Internal(e.into()))?;
     let response_sha256 = hex::encode(Sha256::digest(response_body.as_bytes()));
 
-    let text = format!("{request_sha256}:{response_sha256}");
+    let text = format!("{}:{request_sha256}:{response_sha256}", opts.model_name);
     let signed = opts.signing.sign_chat(&text).map_err(|e| {
         error!(error = %e, "Signing failed");
         AppError::Internal(e)
@@ -595,6 +598,7 @@ pub async fn proxy_streaming_response(
     let signing = opts.signing.clone();
     let cache = opts.cache.clone();
     let usage_reporter = opts.usage_reporter.clone();
+    let model_name = opts.model_name.clone();
     let request_sha256 = request_sha256.to_string();
 
     let (tx, rx) = tokio::sync::mpsc::channel::<Result<Bytes, std::io::Error>>(64);
@@ -643,7 +647,7 @@ pub async fn proxy_streaming_response(
         if !upstream_error && !downstream_closed && parser.seen_done {
             let response_sha256 = hex::encode(hasher.finalize());
             if let Some(ref id) = parser.chat_id {
-                let text = format!("{request_sha256}:{response_sha256}");
+                let text = format!("{model_name}:{request_sha256}:{response_sha256}");
                 match signing.sign_chat(&text) {
                     Ok(signed) => {
                         if let Ok(signed_json) = serde_json::to_string(&signed) {
@@ -842,6 +846,7 @@ mod tests {
             signing,
             cache,
             id_prefix: "test".to_string(),
+            model_name: "test-model".to_string(),
             usage_reporter: None,
             usage_type: UsageType::default(),
         }

src/routes/attestation.rs

@@ -53,19 +53,20 @@ pub async fn attestation_report(
         }
     }
 
-    let report = crate::attestation::generate_attestation(
-        &signing_address,
+    let report = crate::attestation::generate_attestation(crate::attestation::AttestationParams {
+        model_name: &state.config.model_name,
+        signing_address: &signing_address,
         signing_algo,
-        &signing_public_key,
-        &signing_address_bytes,
-        query.nonce.as_deref(),
-        state.config.gpu_no_hw_mode,
-        if query.include_tls_fingerprint.unwrap_or(false) {
+        signing_public_key: &signing_public_key,
+        signing_address_bytes: &signing_address_bytes,
+        nonce: query.nonce.as_deref(),
+        gpu_no_hw_mode: state.config.gpu_no_hw_mode,
+        tls_cert_fingerprint: if query.include_tls_fingerprint.unwrap_or(false) {
             state.tls_cert_fingerprint.as_deref()
         } else {
             None
         },
-    )
+    })
     .await
     .map_err(|e| match e {
         crate::attestation::AttestationError::InvalidNonce(msg) => AppError::BadRequest(msg),

src/routes/catch_all.rs

@@ -200,6 +200,7 @@ pub async fn catch_all(
             signing: state.signing.clone(),
             cache: state.cache.clone(),
             id_prefix: "pt".to_string(),
+            model_name: state.config.model_name.clone(),
             usage_reporter: reporter,
             usage_type: UsageType::ChatCompletion,
         };
@@ -221,6 +222,7 @@ pub async fn catch_all(
             signing: state.signing.clone(),
             cache: state.cache.clone(),
             id_prefix: "pt".to_string(),
+            model_name: state.config.model_name.clone(),
             usage_reporter: reporter,
             usage_type: UsageType::ChatCompletion,
         };

src/routes/chat.rs

@@ -46,6 +46,7 @@ pub async fn chat_completions(
         signing: state.signing.clone(),
         cache: state.cache.clone(),
         id_prefix: "chatcmpl".to_string(),
+        model_name: state.config.model_name.clone(),
         usage_reporter: make_usage_reporter(auth.cloud_api_key.as_ref(), &state),
         usage_type: UsageType::ChatCompletion,
     };

src/routes/completions.rs

@@ -44,6 +44,7 @@ pub async fn completions(
         signing: state.signing.clone(),
         cache: state.cache.clone(),
         id_prefix: "cmpl".to_string(),
+        model_name: state.config.model_name.clone(),
         usage_reporter: make_usage_reporter(auth.cloud_api_key.as_ref(), &state),
         usage_type: UsageType::ChatCompletion,
     };

src/routes/passthrough.rs

@@ -139,6 +139,7 @@ pub async fn images_edits(
         signing: state.signing.clone(),
         cache: state.cache.clone(),
         id_prefix: "img".to_string(),
+        model_name: state.config.model_name.clone(),
         usage_reporter: make_usage_reporter(auth.cloud_api_key.as_ref(), &state),
         usage_type: UsageType::ImageGeneration,
     };
@@ -185,6 +186,7 @@ pub async fn audio_transcriptions(
         signing: state.signing.clone(),
         cache: state.cache.clone(),
         id_prefix: "trans".to_string(),
+        model_name: state.config.model_name.clone(),
         usage_reporter: make_usage_reporter(auth.cloud_api_key.as_ref(), &state),
         usage_type: UsageType::ChatCompletion,
     };
@@ -220,6 +222,7 @@ async fn json_passthrough(
         signing: state.signing.clone(),
         cache: state.cache.clone(),
         id_prefix: id_prefix.to_string(),
+        model_name: state.config.model_name.clone(),
         usage_reporter,
         usage_type,
     };

src/types.rs

@@ -13,6 +13,7 @@ pub struct SignedChat {
 /// Attestation report returned by GET /v1/attestation/report.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AttestationReport {
+    pub model_name: String,
     pub signing_address: String,
     pub signing_algo: String,
     pub signing_public_key: String,

tests/integration.rs

@@ -744,8 +744,8 @@ async fn test_signature_binds_actual_request_body() {
         body["text"]
             .as_str()
             .unwrap()
-            .starts_with(&format!("{expected_hash}:")),
-        "Signed text must start with SHA-256 of actual request body"
+            .starts_with(&format!("test-model:{expected_hash}:")),
+        "Signed text must start with model_name:SHA-256 of actual request body"
     );
 }
 
@@ -804,7 +804,7 @@ async fn test_x_request_hash_header_is_ignored() {
         body["text"]
             .as_str()
             .unwrap()
-            .starts_with(&format!("{expected_hash}:")),
+            .starts_with(&format!("test-model:{expected_hash}:")),
         "Signed text must use actual body hash, not X-Request-Hash header"
     );
 }
@@ -996,7 +996,10 @@ async fn test_ecdsa_signature_cryptographic_verification() {
     // Verify text = sha256(request):sha256(response)
     let expected_req_hash = hex::encode(Sha256::digest(&request_bytes));
     let expected_resp_hash = hex::encode(Sha256::digest(&response_body_bytes));
-    assert_eq!(text, format!("{expected_req_hash}:{expected_resp_hash}"));
+    assert_eq!(
+        text,
+        format!("test-model:{expected_req_hash}:{expected_resp_hash}")
+    );
 
     // Verify ECDSA EIP-191 signature via key recovery
     let sig_bytes = hex::decode(&signature_hex[2..]).unwrap();
@@ -1092,7 +1095,10 @@ async fn test_ed25519_signature_cryptographic_verification() {
     // Verify text = sha256(request):sha256(response)
     let expected_req_hash = hex::encode(Sha256::digest(&request_bytes));
     let expected_resp_hash = hex::encode(Sha256::digest(&response_body_bytes));
-    assert_eq!(text, format!("{expected_req_hash}:{expected_resp_hash}"));
+    assert_eq!(
+        text,
+        format!("test-model:{expected_req_hash}:{expected_resp_hash}")
+    );
 
     // Verify Ed25519 signature
     let sig_bytes = hex::decode(signature_hex).unwrap();
@@ -1181,17 +1187,19 @@ async fn test_streaming_signature_cached_and_verifiable() {
     let parts: Vec<&str> = text.split(':').collect();
     assert_eq!(
         parts.len(),
-        2,
-        "Signed text should be request_hash:response_hash"
+        3,
+        "Signed text should be model_name:request_hash:response_hash"
     );
 
+    assert_eq!(parts[0], "test-model");
+
     // Request hash should match SHA256 of request body
     let expected_req_hash = hex::encode(Sha256::digest(&request_bytes));
-    assert_eq!(parts[0], expected_req_hash);
+    assert_eq!(parts[1], expected_req_hash);
 
     // Response hash should match SHA256 of the streamed bytes
     let expected_resp_hash = hex::encode(Sha256::digest(&stream_body_bytes));
-    assert_eq!(parts[1], expected_resp_hash);
+    assert_eq!(parts[2], expected_resp_hash);
 
     // Signature should be valid format
     let sig_hex = sig_body["signature"].as_str().unwrap();