feat(tee): add TDX TEE framework support #542
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| teeFramework = vDefaultTeeFramework || TEE_FRAMEWORKS.SCONE, | ||
| teeFramework = vDefaultTeeFramework || | ||
| TEE_FRAMEWORKS.SCONE || | ||
| TEE_FRAMEWORKS.TDX, |
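Review bot: the trailing `|| TEE_FRAMEWORKS.TDX` in this default parameter is unreachable, because `TEE_FRAMEWORKS.SCONE` is a non-empty string ('scone') and `||` short-circuits there, so the effective default is still `vDefaultTeeFramework || 'scone'` exactly as before the change. Either keep the original `teeFramework = vDefaultTeeFramework || TEE_FRAMEWORKS.SCONE,` or, if TDX is meant to be selectable as a default, supply it explicitly through `vDefaultTeeFramework` instead of appending it to the chain.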
Dead code in default parameter due to OR chaining
Medium Severity
The expression vDefaultTeeFramework || TEE_FRAMEWORKS.SCONE || TEE_FRAMEWORKS.TDX always evaluates to vDefaultTeeFramework || 'scone' because TEE_FRAMEWORKS.SCONE ('scone') is truthy, so JavaScript's || short-circuits and TEE_FRAMEWORKS.TDX is never reached. The added || TEE_FRAMEWORKS.TDX is dead code and has no effect on behavior. If the intent was to support TDX as a possible default, a different approach is needed.
| framework && framework.toLowerCase() === TEE_FRAMEWORKS.TDX | ||
| ? string().notRequired() | ||
| : fingerprintSchema.required(), | ||
| ), |
Schema regression loses string type validation for non-TDX
Medium Severity
In objMrenclaveSchema, the non-TDX branch for version and fingerprint calls versionSchema.required() / fingerprintSchema.required() where those schema parameters are the mixed() base. This yields mixed().required(), losing the string() type check that existed before this change. For SCONE and GRAMINE frameworks, version and fingerprint are no longer validated as strings — non-string values like numbers or objects now pass. The TDX branch correctly uses string().notRequired(), and the existing entrypoint field follows the correct pattern of returning a fresh string().required().
🐳 Hadolint Dockerfile Lint Results
Dockerfile:17 DL3016 warning: Pin versions in npm. Instead of `npm install <package>` use `npm install <package>@<version>`
Note
Medium Risk
Touches core tag validation and preflight requirement checks that gate order signing/matching, so mistakes could allow invalid TEE combinations or block valid ones; changes are covered by added tests but affect execution workflows.
Overview
Adds TDX as a new `TeeFramework` and tag bit, wiring it through tag encoding/validation, chain defaults (SMS URLs), and order preflight logic. Updates `iexec app init` to support `--tee-framework tdx` via a new `tdxTeeApp` template (no on-chain `mrenclave`) and relaxes `checkAppRequirements` to treat a TDX tag as compatible with apps that don't declare a TEE framework. Documentation and generated API docs are updated accordingly, along with new/updated unit+e2e tests and a large simplification/reorder of `CLI.md` command sections.
Written by Cursor Bugbot for commit 634ca38.
iexec app initto support--tee-framework tdxvia a newtdxTeeApptemplate (no on-chainmrenclave) and relaxescheckAppRequirementsto treat a TDX tag as compatible with apps that don’t declare a TEE framework. Documentation and generated API docs are updated accordingly, along with new/updated unit+e2e tests and a large simplification/reorder ofCLI.mdcommand sections.Written by Cursor Bugbot for commit 634ca38. This will update automatically on new commits. Configure here.