feat: add Lunal upstream attestation verification to step [4/5]

Phase 1B: privateclaw verify now validates both layers of TEE attestation:

1. Orchestrator attestation (Attestation-Report from tee-proxy) — existing check
2. Lunal upstream attestation (X-Upstream-Attestation-Report from tee-proxy v0.3.0+)
   — new: decodes base64+gzip, runs attestation-cli verify, reports
   "Upstream (Lunal) VCEK Chain: VALID" on success

Both layers must pass for step [4/5] to succeed. If the upstream header is
absent (tee-proxy pre-v0.3.0 or Lunal not sending), a WARN is shown instead
of a hard fail for backward compatibility.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Dobby

privateclaw

@@ -377,6 +377,7 @@ cmd_verify() {
 
     INF_PROVIDER=$(echo "$INF_HEADERS" | grep -i "^x-inference-provider:" | sed 's/[^:]*: *//' | tr -d '\r\n')
     ATTESTATION=$(echo "$INF_HEADERS" | grep -i "^attestation-report:" | sed 's/[^:]*: *//' | tr -d '\r\n')
+    UPSTREAM_ATTESTATION=$(echo "$INF_HEADERS" | grep -i "^x-upstream-attestation-report:" | sed 's/[^:]*: *//' | tr -d '\r\n')
 
     if [ "$INF_PROVIDER" = "redpill" ]; then
       echo "  Provider:      redpill (failover)"
@@ -386,7 +387,7 @@ cmd_verify() {
     elif [ -n "$ATTESTATION" ]; then
       echo "  Provider:      ${INF_PROVIDER:-lunal}"
 
-      # Decode attestation: base64 -> gunzip -> JSON evidence
+      # --- Orchestrator-side attestation (tee-proxy Attestation-Report) ---
       INF_ATTEST_OK=false
       INF_EVIDENCE_FILE=$(mktemp /tmp/inference_attestation_XXXXXX.json)
       if echo "$ATTESTATION" | base64 -d 2>/dev/null | gunzip > "$INF_EVIDENCE_FILE" 2>/dev/null; then
@@ -399,6 +400,7 @@ cmd_verify() {
             echo "  Platform:      $INF_PLATFORM (via tee-proxy)"
             if [ "$INF_SIG_VALID" = "true" ]; then
               echo "  Attestation:   valid (signature verified)"
+              echo "  VCEK Chain:    VALID (AMD root CA -> VCEK -> SNP report)"
               INF_ATTEST_OK=true
             else
               echo "  Attestation:   INVALID (signature verification failed)"
@@ -414,6 +416,42 @@ cmd_verify() {
       fi
       rm -f "$INF_EVIDENCE_FILE"
 
+      # --- Upstream (Lunal) attestation (X-Upstream-Attestation-Report, tee-proxy v0.3.0+) ---
+      if [ -n "$UPSTREAM_ATTESTATION" ]; then
+        UPSTREAM_ATTEST_OK=false
+        UPSTREAM_EVIDENCE_FILE=$(mktemp /tmp/upstream_attestation_XXXXXX.json)
+        if echo "$UPSTREAM_ATTESTATION" | base64 -d 2>/dev/null | gunzip > "$UPSTREAM_EVIDENCE_FILE" 2>/dev/null; then
+          if [ -n "$ATTESTATION_CLI" ]; then
+            UPSTREAM_VERIFY_RESULT=$($ATTESTATION_CLI verify -e "$UPSTREAM_EVIDENCE_FILE" 2>/dev/null) || true
+            if [ -n "$UPSTREAM_VERIFY_RESULT" ] && echo "$UPSTREAM_VERIFY_RESULT" | jq -e . &>/dev/null; then
+              UPSTREAM_SIG_VALID=$(echo "$UPSTREAM_VERIFY_RESULT" | jq -r '.signature_valid // false')
+              if [ "$UPSTREAM_SIG_VALID" = "true" ]; then
+                echo "  Upstream (Lunal) VCEK Chain: VALID"
+                UPSTREAM_ATTEST_OK=true
+              else
+                echo "  Upstream (Lunal) Attestation: INVALID (signature verification failed)"
+              fi
+            else
+              echo "  Upstream (Lunal) Attestation: present but verification failed"
+            fi
+          else
+            echo "  Upstream (Lunal) Attestation: present but no verifier (attestation-cli not found)"
+            UPSTREAM_ATTEST_OK=true  # don't fail if CLI is missing, just note it
+          fi
+        else
+          echo "  Upstream (Lunal) Attestation: present but could not decode (base64+gzip)"
+        fi
+        rm -f "$UPSTREAM_EVIDENCE_FILE"
+        # Both layers must pass for step [4/5] to succeed
+        if [ "$UPSTREAM_ATTEST_OK" != "true" ]; then
+          INF_ATTEST_OK=false
+        fi
+      else
+        # Upstream header absent — backward-compat WARN (tee-proxy may be pre-v0.3.0, or Lunal not sending)
+        echo "  Upstream (Lunal) Attestation: WARN — header absent (tee-proxy pre-v0.3.0 or Lunal not sending)"
+        echo "  Using orchestrator-only attestation."
+      fi
+
       if [ "$INF_ATTEST_OK" = "true" ]; then
         echo "  Status:        PASS"
         PASS_COUNT=$((PASS_COUNT + 1))