feat: support confai provider key (forward-compat for ca-api confai rename)

aamirrasheed · claude · aamirrasheed · commit 4bab47a93f9c · 2026-05-15T18:57:23.000Z
Adds confai as the highest-priority provider key lookup in the
InferenceProvider check and info gateway_ip extraction. Falls back to
confidential (legacy) then lunal (oldest). Bumps version to v1.5.9.
Extends smoke tests to cover all three provider keys and the missing-key
fallback.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/ccvm b/ccvm
@@ -5,7 +5,7 @@ set -e
 # TEE verification and management for confidential compute VMs.
 # https://github.com/lunal-dev/confidential-cvm-cli
 
-VERSION="v1.5.8"
+VERSION="v1.5.9"
 
 ATTEST_DIR="/etc/privateclaw"
 EVIDENCE_FILE="$ATTEST_DIR/evidence.json"
@@ -383,12 +383,12 @@ cmd_verify() {
     FAIL_COUNT=$((FAIL_COUNT + 1))
     echo ""
   else
-    # Try "confidential" provider first, fall back to legacy "lunal" for older configs
-    ENDPOINT=$(jq -r '.models.providers.confidential.baseUrl // .models.providers.lunal.baseUrl // "not configured"' "$OC_CONFIG" 2>/dev/null || echo "not configured")
+    # Try "confai" provider first (new name), fall back to "confidential" (legacy), then "lunal" (oldest)
+    ENDPOINT=$(jq -r '.models.providers.confai.baseUrl // .models.providers.confidential.baseUrl // .models.providers.lunal.baseUrl // "not configured"' "$OC_CONFIG" 2>/dev/null || echo "not configured")
     [ "$VERBOSE" = "true" ] && echo "  Endpoint:      $ENDPOINT"
 
     # Read bearer token from openclaw config (apiKey field)
-    BEARER_TOKEN=$(jq -r '.models.providers.confidential.apiKey // .models.providers.lunal.apiKey // empty' "$OC_CONFIG" 2>/dev/null || true)
+    BEARER_TOKEN=$(jq -r '.models.providers.confai.apiKey // .models.providers.confidential.apiKey // .models.providers.lunal.apiKey // empty' "$OC_CONFIG" 2>/dev/null || true)
 
     # Make a minimal request to the inference endpoint and capture response headers
     INF_HEADERS=""
@@ -957,7 +957,7 @@ cmd_info() {
   local gateway_ip="not found"
   local openclaw_conf="$HOME/.openclaw/openclaw.json"
   if [ -f "$openclaw_conf" ] && command -v jq &>/dev/null; then
-    gateway_ip=$(jq -r '.models.providers.confidential.baseUrl // empty' "$openclaw_conf" 2>/dev/null \
+    gateway_ip=$(jq -r '.models.providers.confai.baseUrl // .models.providers.confidential.baseUrl // empty' "$openclaw_conf" 2>/dev/null \
       | sed 's|https://||; s|http://||' \
       | cut -d: -f1 \
       | cut -d/ -f1)
diff --git a/tests/smoke.sh b/tests/smoke.sh
@@ -35,4 +35,39 @@ if ! grep -q "^ccvm:" <<<"$compat_info_output"; then
   exit 1
 fi
 
+# Test InferenceProvider jq queries resolve correctly for all three provider keys
+tmp_oc=$(mktemp)
+trap 'rm -f "$tmp_oc"' EXIT
+
+# confai key (new, highest priority)
+printf '{"models":{"providers":{"confai":{"baseUrl":"https://confai.example.com","apiKey":"tok-confai"}}}}' > "$tmp_oc"
+got_endpoint=$(jq -r '.models.providers.confai.baseUrl // .models.providers.confidential.baseUrl // .models.providers.lunal.baseUrl // "not configured"' "$tmp_oc")
+got_apikey=$(jq -r '.models.providers.confai.apiKey // .models.providers.confidential.apiKey // .models.providers.lunal.apiKey // empty' "$tmp_oc")
+if [ "$got_endpoint" != "https://confai.example.com" ] || [ "$got_apikey" != "tok-confai" ]; then
+  echo "FAIL: confai provider key not resolved (endpoint=$got_endpoint apikey=$got_apikey)" >&2; exit 1
+fi
+
+# confidential key (legacy fallback #1)
+printf '{"models":{"providers":{"confidential":{"baseUrl":"https://conf.example.com","apiKey":"tok-conf"}}}}' > "$tmp_oc"
+got_endpoint=$(jq -r '.models.providers.confai.baseUrl // .models.providers.confidential.baseUrl // .models.providers.lunal.baseUrl // "not configured"' "$tmp_oc")
+got_apikey=$(jq -r '.models.providers.confai.apiKey // .models.providers.confidential.apiKey // .models.providers.lunal.apiKey // empty' "$tmp_oc")
+if [ "$got_endpoint" != "https://conf.example.com" ] || [ "$got_apikey" != "tok-conf" ]; then
+  echo "FAIL: confidential provider key not resolved (endpoint=$got_endpoint apikey=$got_apikey)" >&2; exit 1
+fi
+
+# lunal key (legacy fallback #2)
+printf '{"models":{"providers":{"lunal":{"baseUrl":"https://lunal.example.com","apiKey":"tok-lunal"}}}}' > "$tmp_oc"
+got_endpoint=$(jq -r '.models.providers.confai.baseUrl // .models.providers.confidential.baseUrl // .models.providers.lunal.baseUrl // "not configured"' "$tmp_oc")
+got_apikey=$(jq -r '.models.providers.confai.apiKey // .models.providers.confidential.apiKey // .models.providers.lunal.apiKey // empty' "$tmp_oc")
+if [ "$got_endpoint" != "https://lunal.example.com" ] || [ "$got_apikey" != "tok-lunal" ]; then
+  echo "FAIL: lunal provider key not resolved (endpoint=$got_endpoint apikey=$got_apikey)" >&2; exit 1
+fi
+
+# no matching key → "not configured"
+printf '{"models":{"providers":{}}}' > "$tmp_oc"
+got_endpoint=$(jq -r '.models.providers.confai.baseUrl // .models.providers.confidential.baseUrl // .models.providers.lunal.baseUrl // "not configured"' "$tmp_oc")
+if [ "$got_endpoint" != "not configured" ]; then
+  echo "FAIL: missing provider key should return 'not configured' (got: $got_endpoint)" >&2; exit 1
+fi
+
 echo "smoke tests passed"
