README
¶
Marble SDK Wrapper
This package is a thin SDK that wraps MarbleRun primitives for services:
- Loads Coordinator-injected TLS certs/CA and builds an mTLS HTTP client for cross-marble traffic.
- Exposes injected secrets via
Marble.Secret/UseSecret. - Surfaces TEE identity (report, UUID, marble type) to services.
We keep this layer even though MarbleRun is used because it provides:
- A stable Go API inside services (tests and simulation can mock it).
- A single place to translate environment injection (
MARBLE_CERT,MARBLE_KEY,MARBLE_ROOT_CA,MARBLE_SECRETS,MARBLE_UUID) into usable clients/configs. - Enforcement of the official cross-marble communication path (mTLS via
Marble.HTTPClient), rather than ad-hoc HTTP clients.
Components
Marble (marble.go)
Core Marble type for TEE service configuration.
m, err := marble.New(marble.Config{
MarbleType: "neocompute",
})
Service (service.go)
Low-level service base (identity + router + dependency holders).
Most services should embed infrastructure/service.BaseService, which wraps
*marble.Service and adds:
- Lifecycle hooks (
Start/Stop) with safe shutdown handling - Background worker registration helpers
- Standard endpoints (
/health,/ready,/info)
base := commonservice.NewBase(&commonservice.BaseConfig{
ID: "myservice",
Name: "My Service",
Version: "1.0.0",
Marble: cfg.Marble,
DB: cfg.DB,
})
base.RegisterStandardRoutes()
Secret Management
Secrets are injected by MarbleRun Coordinator and accessed via the Marble instance:
// Get secret (returns false if not found)
secret, ok := m.Secret("COMPUTE_MASTER_KEY")
if !ok {
return errors.New("COMPUTE_MASTER_KEY not configured")
}
defer crypto.ZeroBytes(secret) // Always zero secrets after use
Available Secrets
| Secret | Service | Description |
|---|---|---|
NEOFEEDS_SIGNING_KEY |
Datafeed | ECDSA private key for signing prices |
NEOVRF_SIGNING_KEY |
NeoVRF | Master key for VRF signing (>= 32 bytes) |
COMPUTE_MASTER_KEY |
Confidential Compute | Master key for encryption/signing (>= 32 bytes) |
POOL_MASTER_KEY |
AccountPool | HD derivation master key (>= 32 bytes) |
POOL_MASTER_KEY_HASH |
AccountPool | SHA-256 hash of derived master pubkey (32 bytes; required in enclave mode) |
POOL_MASTER_ATTESTATION_HASH |
AccountPool | Optional attestation/bundle hash (for on-chain anchoring) |
GLOBALSIGNER_MASTER_SEED |
GlobalSigner | 32-byte master seed for deterministic key derivation |
SECRETS_MASTER_KEY |
Edge + Services | AES-256 master key for user secrets (32 bytes; same envelope across Edge + TEE) |
mTLS Communication
For secure inter-service communication within the MarbleRun mesh:
// Get mTLS HTTP client
httpClient := m.HTTPClient()
// Make request to another marble
resp, err := httpClient.Get("https://neoaccounts:8085/info")
External Gateways (Supabase Edge)
By default, enclave services only accept client certificates signed by the
MarbleRun root CA (MARBLE_ROOT_CA). To support external gateways that must
connect via mTLS (e.g. Supabase Edge Functions), you can append additional PEM
roots to the server-side client CA pool by setting:
MARBLE_EXTRA_CLIENT_CA(PEM)
This affects inbound mTLS verification (tls.Config.ClientCAs) and does not
change the trust roots used for outbound mesh calls.
External HTTP Calls
For outbound calls to non-mesh endpoints (Supabase, Neo RPC, third-party APIs), use:
httpClient := m.ExternalHTTPClient()
resp, err := httpClient.Get("https://api.coingecko.com/api/v3/ping")
Service Lifecycle
// Service lifecycle and workers are provided by `infrastructure/service.BaseService`.
// Get service info
id := svc.ID()
name := svc.Name()
version := svc.Version()
// Get HTTP router
router := svc.Router()
// Get database repository
db := svc.DB()
Testing
For testing without actual MarbleRun:
m, _ := marble.New(marble.Config{MarbleType: "test"})
// Set test secrets
m.SetTestSecret("MY_SECRET", []byte("test-value"))
go test ./infrastructure/marble/... -v
Current test coverage: 43.8%
Environment Variables
| Variable | Description |
|---|---|
MARBLE_TYPE |
Service type identifier |
MARBLE_CERT |
TLS certificate (injected) |
MARBLE_KEY |
TLS private key (injected) |
MARBLE_ROOT_CA |
Root CA certificate (injected) |
MARBLE_EXTRA_CLIENT_CA |
Optional extra client CA PEMs (inbound mTLS) |
MARBLE_SECRETS |
JSON-encoded secrets (injected) |
MARBLE_UUID |
Unique marble instance ID |
Documentation
¶
Overview ¶
Package marble provides attestation utilities for TEE services.
Package marble provides the core Marble SDK for MarbleRun integration. Each service runs as a Marble inside an EGo SGX enclave.
Package marble provides the service framework for MarbleRun Marbles.
Index ¶
- func ComputeAttestationHash(m *Marble, serviceID string) []byte
- type Config
- type Marble
- func (m *Marble) ExternalHTTPClient() *http.Client
- func (m *Marble) HTTPClient() *http.Client
- func (m *Marble) Initialize(ctx context.Context) error
- func (m *Marble) IsEnclave() bool
- func (m *Marble) MarbleType() string
- func (m *Marble) Report() *attestation.Report
- func (m *Marble) Secret(name string) ([]byte, bool)
- func (m *Marble) SetTestReport(report *attestation.Report)
- func (m *Marble) SetTestSecret(name string, value []byte)
- func (m *Marble) TLSConfig() *tls.Config
- func (m *Marble) UUID() string
- func (m *Marble) UseSecret(name string, fn func([]byte) error) error
- type Service
- func (s *Service) DB() database.RepositoryInterface
- func (s *Service) ID() string
- func (s *Service) IsRunning() bool
- func (s *Service) Marble() *Marble
- func (s *Service) Name() string
- func (s *Service) Router() *mux.Router
- func (s *Service) Start(ctx context.Context) error
- func (s *Service) Stop() error
- func (s *Service) Version() string
- type ServiceConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ComputeAttestationHash ¶
ComputeAttestationHash computes a SHA-256 hash for attestation purposes. It tries multiple sources in order: report, MARBLE_CERT, marble type/UUID. The serviceID is used as a fallback identifier when no other source is available.
Types ¶
type Marble ¶
type Marble struct {
// contains filtered or unexported fields
}
Marble represents a MarbleRun Marble instance. It handles attestation, secrets injection, and secure communication.
func (*Marble) ExternalHTTPClient ¶
ExternalHTTPClient returns an HTTP client suitable for outbound calls to non-Marblerun endpoints (Supabase, Neo RPC, third-party APIs).
It never installs the MarbleRun root CA or client certificate, ensuring the connection uses the system trust store and does not attempt mTLS.
func (*Marble) HTTPClient ¶
HTTPClient returns an HTTP client configured for mTLS.
func (*Marble) Initialize ¶
Initialize performs Marble initialization with the Coordinator. This is called automatically by MarbleRun before the application starts.
func (*Marble) MarbleType ¶
MarbleType returns the Marble type.
func (*Marble) Report ¶
func (m *Marble) Report() *attestation.Report
Report returns the enclave self-report.
func (*Marble) SetTestReport ¶
func (m *Marble) SetTestReport(report *attestation.Report)
SetTestReport sets an enclave report for testing purposes only. This method should only be used in tests.
func (*Marble) SetTestSecret ¶
SetTestSecret sets a secret for testing purposes only. This method should only be used in tests.
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
Service is a minimal base for Marble-hosted services.
Prefer embedding `infrastructure/service.BaseService` in actual services; it wraps this type and provides lifecycle hooks, workers, and standard routes.
func NewService ¶
func NewService(cfg ServiceConfig) *Service
NewService creates a new base service.
func (*Service) DB ¶
func (s *Service) DB() database.RepositoryInterface
DB returns the database repository.
type ServiceConfig ¶
type ServiceConfig struct {
ID string
Name string
Version string
Marble *Marble
DB database.RepositoryInterface
}
ServiceConfig holds service configuration.
Source Files