feat: complete E2EE support for chat/completions (ECDSA + Ed25519) with replay protection, attestation public key, and verification tooling #5

Open
mondaylord wants to merge 9 commits into main from feat/e2ee

@mondaylord (Collaborator) commented Mar 6, 2026

Summary

This PR adds full E2EE support for /v1/chat/completions with both ECDSA and Ed25519, including:

  • Request decryption + response encryption (non-stream + stream)
  • v1 legacy mode for NEAR vllm-proxy compatibility
  • v2 AAD binding
  • Replay protection (nonce + timestamp, Redis-backed)
  • Attestation response enhancement (signing_public_key)
  • Finer-grained E2EE error types
  • Protocol documentation + verification scripts/tests

Motivation

We need practical, production-ready E2EE for chat completions in TEE deployments while keeping OpenAI-compatible API ergonomics and cross-instance replay safety.


What's included

1) E2EE core (src/app/api/v1/e2ee.py)

  • Add E2EE context + validation
  • Support both algorithms:
    • ECDSA (secp256k1 ECDH + HKDF + AES-GCM)
    • Ed25519 (Ed25519↔X25519 conversion + HKDF + AES-GCM)
  • Add v2 AAD construction:
    • Request AAD: v2|req|...
    • Response AAD: v2|resp|...
  • Encrypt/decrypt for:
    • Non-stream response fields (content, reasoning_content)
    • Stream chunks (delta.content, delta.reasoning_content)
  • Add structured E2EE exceptions and typed error codes
  • Add version negotiation behavior:
    • Default: plain (non-E2EE) if key headers are absent
    • Legacy/v1: E2EE key headers present, but no strict v2 trigger
    • Strict v2: explicit X-E2EE-Version: 2 OR nonce+timestamp present

2) OpenAI route integration (src/app/api/v1/openai.py)

  • Parse E2EE headers on /v1/chat/completions
  • Decrypt request before upstream forwarding
  • Encrypt upstream response/chunks before returning
  • Claim replay nonce after successful decrypt path
  • Return E2EE response headers:
    • X-E2EE-Applied
    • X-E2EE-Version
    • X-E2EE-Algo
  • Keep /v1/completions rejecting E2EE usage

3) Replay protection cache

  • New: src/app/cache/replay_cache.py
  • Redis-first replay claim with local fallback
  • Add set_if_absent (SET NX EX) support in src/app/cache/redis.py

4) Attestation enhancement

  • /v1/attestation/report now includes signing_public_key
  • Present at top-level and in each all_attestations item
  • Enables algorithm-agnostic key discovery for E2EE clients

5) Docs + tests + verification tooling

  • New protocol spec: docs/e2ee_protocol.md
  • Unit tests:
    • tests/app/test_openai_e2ee.py
    • tests/app/test_e2ee_cache.py
  • Verification scripts:
    • tests/app/verify_nonstream_ecdsa_e2ee.py
    • tests/app/verify_stream_ecdsa_e2ee.py
    • tests/app/verify_nonstream_ed25519_e2ee.py
    • tests/app/verify_stream_ed25519_e2ee.py

Backward compatibility

  • No endpoint path changes
  • Existing non-E2EE clients continue to work
  • attestation/report change is additive (signing_public_key)
  • Legacy/v1 behavior is preserved for NEAR-compatible integrations

Validation results (real deployment)

Validated on deployed proxy URL with model Qwen/Qwen3.5-27B:

| Test | Result |
| --- | --- |
| ECDSA non-stream | ✅ decrypt OK, replay returns 400 |
| ECDSA stream | ✅ decrypt OK, replay returns 400 |
| Ed25519 non-stream | ✅ decrypt OK, replay returns 400 |
| Ed25519 stream | ✅ decrypt OK, replay returns 400 |
| E2EE response headers | ✅ present and correct |

Notes

  • Replay errors return typed codes (e.g. e2ee_replay_detected)
  • Strict v2 uses X-E2EE-Nonce + X-E2EE-Timestamp
  • signing_public_key is hex without 0x prefix
  • Recommended mode for security-sensitive deployments: v2

@mondaylord mondaylord requested a review from h4x3rotab March 6, 2026 14:46
@mondaylord mondaylord changed the title feat: complete E2EE v2 support for chat/completions (ECDSA + Ed25519) with replay protection, attestation public key, and verification tooling feat: complete E2EE support for chat/completions (ECDSA + Ed25519) with replay protection, attestation public key, and verification tooling Mar 7, 2026
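
An added example, not code from this PR or its repository: a minimal model of the nonce + timestamp replay claim the description outlines, using an in-memory stand-in for the Redis `SET NX EX` call. The 300-second window, the timestamp unit (seconds), the key layout, all class and function names, and every error code other than `e2ee_replay_detected` are assumptions.

```python
import time

REPLAY_WINDOW_S = 300  # assumed clock-skew tolerance; the PR does not state one


class LocalReplayStore:
    """Hypothetical in-memory stand-in for Redis `SET key 1 NX EX ttl`."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._expiry = {}  # key -> absolute expiry time

    def set_if_absent(self, key, ttl_s):
        now = self._clock()
        # Purge expired entries so the store does not grow without bound.
        for k in [k for k, exp in self._expiry.items() if exp <= now]:
            del self._expiry[k]
        if key in self._expiry:
            return False  # already claimed within the TTL
        self._expiry[key] = now + ttl_s
        return True


def check_and_claim(store, client_key_hex, nonce, timestamp, now=None):
    """Return None if the request is fresh, otherwise an error code.

    Models only the claim step, which the PR places after a successful
    decrypt. `client_key_hex` as the cache scope is an assumption.
    """
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)  # assumed: X-E2EE-Timestamp in Unix seconds
    except (TypeError, ValueError):
        return "e2ee_invalid_timestamp"  # hypothetical code
    if not nonce:
        return "e2ee_invalid_nonce"  # hypothetical code
    if abs(now - ts) > REPLAY_WINDOW_S:
        return "e2ee_timestamp_out_of_window"  # hypothetical code
    # A timestamp dated W seconds ahead passes the window check for 2*W
    # seconds, so the nonce has to be remembered at least that long.
    key = f"e2ee:replay:{client_key_hex}:{nonce}"  # assumed key layout
    if not store.set_if_absent(key, 2 * REPLAY_WINDOW_S):
        return "e2ee_replay_detected"  # code named in the PR notes
    return None
```

With a TTL equal to the window instead of twice the window, a request whose timestamp is dated ahead of the server clock could be replayed after its nonce expires but before its timestamp goes stale.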