Confidential compute: client-side encryption and attested key release

[jeremymanning]

Description

Per spec Phase 4 (T069a-T069b), job data confidentiality needs two tiers:

1. Confidential-medium: Client-side AES-256-GCM encryption with per-job ephemeral key, TPM-agent-attested key release
2. Confidential-high: SEV-SNP/TDX guest-measurement key wrapping, key released only to attested T3+/T4 sandboxes

Requirements

• Client-side AES-256-GCM encryption of job inputs and code before upload
• Per-job ephemeral keys wrapped with submitter's public key in job manifest
• TPM-attested key release for confidential-medium jobs
• SEV-SNP/TDX guest-measurement sealed keys for confidential-high jobs
• Individual donor nodes see only ciphertext shards (indistinguishable from random bytes)
• Fewer than 10 colluding donors cannot reconstruct plaintext

Success Criteria

• Job inputs encrypted client-side before CID store upload
• Key release requires valid TPM attestation (confidential-medium)
• Key release requires valid guest measurement (confidential-high)
• Donor nodes cannot access plaintext
• Integration test with real encryption/decryption cycle
• Test with insufficient attestation → key release denied

Testing (Principle V)

• Encrypt job → upload → execute on attested node → decrypt result → verify correct
• Attempt key release without attestation → denied
• Attempt key release with wrong guest measurement → denied
• Verify shard inspection shows only random-looking bytes

[jeremymanning]

Addressed in spec 004-full-implementation (PR #59). Implementation verified in code; 802 tests passing across Linux/macOS/Windows. See #57 master plan for full context.