refactor

Author: balogh.adam@icloud.com

src/opengradient/client/llm.py

@@ -15,7 +15,7 @@
 
 from ..types import TEE_LLM, StreamChoice, StreamChunk, StreamDelta, TextGenerationOutput, x402SettlementMode
 from .opg_token import Permit2ApprovalResult, ensure_opg_approval
-from .tee_connection import TEEConnection
+from .tee_connection import RegistryTEEConnection, StaticTEEConnection, TEEConnectionInterface
 from .tee_registry import TEERegistry
 
 logger = logging.getLogger(__name__)
@@ -62,62 +62,67 @@ class LLM:
     below the requested amount.
 
     Usage:
+        # Via on-chain registry (default)
         llm = og.LLM(private_key="0x...")
 
+        # Via hardcoded URL (development / self-hosted)
+        llm = og.LLM.from_url(private_key="0x...", llm_server_url="https://1.2.3.4")
+
         # One-time approval (idempotent — skips if allowance is already sufficient)
         llm.ensure_opg_approval(opg_amount=5)
 
         result = await llm.chat(model=TEE_LLM.CLAUDE_HAIKU_4_5, messages=[...])
         result = await llm.completion(model=TEE_LLM.CLAUDE_HAIKU_4_5, prompt="Hello")
-
-    Args:
-        private_key (str): Ethereum private key for signing x402 payments.
-        rpc_url (str): RPC URL for the OpenGradient network. Used to fetch the
-            active TEE endpoint from the on-chain registry when ``llm_server_url``
-            is not provided.
-        tee_registry_address (str): Address of the on-chain TEE registry contract.
-        llm_server_url (str, optional): Bypass the registry and connect directly
-            to this TEE endpoint URL (e.g. ``"https://1.2.3.4"``). When set,
-            TLS certificate verification is disabled automatically because
-            self-hosted TEE servers typically use self-signed certificates.
-
-            .. warning::
-                Using ``llm_server_url`` disables TLS certificate verification,
-                which removes protection against man-in-the-middle attacks.
-                Only connect to servers you trust and over secure network paths.
     """
 
     def __init__(
         self,
         private_key: str,
         rpc_url: str = DEFAULT_RPC_URL,
         tee_registry_address: str = DEFAULT_TEE_REGISTRY_ADDRESS,
-        llm_server_url: Optional[str] = None,
     ):
         if not private_key:
-            raise ValueError(
-                "A private key is required to use the LLM client. "
-                "Pass a valid private_key to the constructor."
-            )
+            raise ValueError("A private key is required to use the LLM client. Pass a valid private_key to the constructor.")
         self._wallet_account: LocalAccount = Account.from_key(private_key)
 
-        # x402 payment stack (created once, reused across TEE refreshes)
-        signer = EthAccountSigner(self._wallet_account)
-        x402_client = x402Client()
-        register_exact_evm_client(x402_client, signer, networks=[BASE_TESTNET_NETWORK])
-        register_upto_evm_client(x402_client, signer, networks=[BASE_TESTNET_NETWORK])
+        x402_client = LLM._build_x402_client(private_key)
+        onchain_registry = TEERegistry(rpc_url=rpc_url, registry_address=tee_registry_address)
+        self._tee: TEEConnectionInterface = RegistryTEEConnection(x402_client=x402_client, registry=onchain_registry)
 
-        registry: Optional[TEERegistry] = (
-            TEERegistry(rpc_url=rpc_url, registry_address=tee_registry_address)
-            if llm_server_url is None
-            else None
-        )
+    @classmethod
+    def from_url(
+        cls,
+        private_key: str,
+        llm_server_url: str,
+    ) -> "LLM":
+        """**[Dev]** Create an LLM client with a hardcoded TEE endpoint URL.
 
-        self._tee = TEEConnection(
-            x402_client=x402_client,
-            registry=registry,
-            llm_server_url=llm_server_url,
-        )
+        Intended for development and self-hosted TEE servers. TLS certificate
+        verification is disabled because these servers typically use self-signed
+        certificates. For production use, prefer the default constructor which
+        resolves TEEs from the on-chain registry.
+
+        Args:
+            private_key: Ethereum private key for signing x402 payments.
+            llm_server_url: The TEE endpoint URL (e.g. ``"https://1.2.3.4"``).
+        """
+        instance = cls.__new__(cls)
+        if not private_key:
+            raise ValueError("A private key is required to use the LLM client. Pass a valid private_key to the constructor.")
+        instance._wallet_account = Account.from_key(private_key)
+        x402_client = cls._build_x402_client(private_key)
+        instance._tee = StaticTEEConnection(x402_client=x402_client, endpoint=llm_server_url)
+        return instance
+
+    @staticmethod
+    def _build_x402_client(private_key: str) -> x402Client:
+        """Build the x402 payment stack from a private key."""
+        account = Account.from_key(private_key)
+        signer = EthAccountSigner(account)
+        client = x402Client()
+        register_exact_evm_client(client, signer, networks=[BASE_TESTNET_NETWORK])
+        register_upto_evm_client(client, signer, networks=[BASE_TESTNET_NETWORK])
+        return client
 
     # ── Lifecycle ───────────────────────────────────────────────────────
 

src/opengradient/client/tee_connection.py

@@ -4,7 +4,7 @@
 import logging
 import ssl
 from dataclasses import dataclass
-from typing import Dict, Optional, Union
+from typing import Dict, Optional, Protocol, Union
 
 from x402 import x402Client
 from x402.http.clients import x402HttpxClient
@@ -34,36 +34,80 @@ def metadata(self) -> Dict:
         )
 
 
-class TEEConnection:
-    """Maintains a verified connection to a single TEE endpoint.
+class TEEConnectionInterface(Protocol):
+    """Interface for TEE connection implementations."""
 
-    Handles initial resolution from the on-chain registry (or an explicit URL),
-    TLS certificate pinning, background health checks, and automatic failover
-    when the current TEE becomes unavailable.
+    def get(self) -> ActiveTEE: ...
+    def ensure_refresh_loop(self) -> None: ...
+    async def reconnect(self) -> None: ...
+    async def close(self) -> None: ...
 
-    Use ``get()`` to obtain the current ``ActiveTEE`` snapshot for making requests.
+
+class StaticTEEConnection:
+    """TEE connection with a hardcoded endpoint URL.
+
+    No registry lookup, no background refresh. TLS certificate verification
+    is disabled because self-hosted TEE servers typically use self-signed certs.
 
     Args:
         x402_client: Configured x402 payment client for creating HTTP clients.
-        registry: TEERegistry for looking up active TEEs. None when using an explicit URL.
-        llm_server_url: Bypass the registry and connect directly to this URL.
+        endpoint: The TEE endpoint URL to connect to.
     """
 
-    def __init__(
-        self,
-        x402_client: x402Client,
-        registry: Optional[TEERegistry] = None,
-        llm_server_url: Optional[str] = None,
-    ):
+    def __init__(self, x402_client: x402Client, endpoint: str):
+        self._x402_client = x402_client
+        self._endpoint = endpoint
+        self._active: ActiveTEE = self._connect()
+
+    def get(self) -> ActiveTEE:
+        """Return a snapshot of the current TEE connection."""
+        return self._active
+
+    def _connect(self) -> ActiveTEE:
+        return ActiveTEE(
+            endpoint=self._endpoint,
+            http_client=x402HttpxClient(self._x402_client, verify=False),
+            tee_id=None,
+            payment_address=None,
+        )
+
+    def ensure_refresh_loop(self) -> None:
+        """No-op — static connections don't refresh."""
+        pass
+
+    async def reconnect(self) -> None:
+        """Rebuild the HTTP client (same endpoint)."""
+        old_client = self._active.http_client
+        self._active = self._connect()
+        try:
+            await old_client.aclose()
+        except Exception:
+            logger.debug("Failed to close previous HTTP client during reconnect.", exc_info=True)
+
+    async def close(self) -> None:
+        """Close the HTTP client."""
+        await self._active.http_client.aclose()
+
+
+class RegistryTEEConnection:
+    """TEE connection resolved from the on-chain registry.
+
+    Handles TLS certificate pinning, background health checks, and automatic
+    failover when the current TEE becomes unavailable.
+
+    Args:
+        x402_client: Configured x402 payment client for creating HTTP clients.
+        registry: TEERegistry for looking up active TEEs.
+    """
+
+    def __init__(self, x402_client: x402Client, registry: TEERegistry):
         self._x402_client = x402_client
         self._registry = registry
-        self._llm_server_url = llm_server_url
 
-        self._active: Optional[ActiveTEE] = None
         self._refresh_lock = asyncio.Lock()
         self._refresh_task: Optional[asyncio.Task] = None
 
-        self._connect()
+        self._active: ActiveTEE = self._connect()
 
     # ── Public API ──────────────────────────────────────────────────────
 
@@ -73,28 +117,46 @@ def get(self) -> ActiveTEE:
 
     # ── Connection management ───────────────────────────────────────────
 
-    def _connect(self) -> None:
+    def _resolve_tee(self):
+        """Resolve TEE endpoint and metadata from the on-chain registry.
+
+        Returns:
+            The TEE object from the registry.
+
+        Raises:
+            RuntimeError: If the registry lookup fails.
+            ValueError: If no active LLM proxy TEE is found.
+        """
+        try:
+            tee = self._registry.get_llm_tee()
+        except Exception as e:
+            raise RuntimeError(f"Failed to fetch LLM TEE endpoint from registry: {e}") from e
+
+        if tee is None:
+            raise ValueError("No active LLM proxy TEE found in the registry. Pass llm_server_url explicitly to override.")
+
+        logger.info("Using TEE endpoint from registry: %s (teeId=%s)", tee.endpoint, tee.tee_id)
+        return tee
+
+    def _connect(self) -> ActiveTEE:
         """Resolve TEE from registry and create a secure HTTP client."""
-        endpoint, tls_cert_der, tee_id, payment_address = self._resolve_tee(
-            self._llm_server_url,
-            self._registry,
-        )
+        tee = self._resolve_tee()
 
-        ssl_ctx = build_ssl_context_from_der(tls_cert_der) if tls_cert_der else None
-        tls_verify: Union[ssl.SSLContext, bool] = ssl_ctx if ssl_ctx else (self._llm_server_url is None)
+        ssl_ctx = build_ssl_context_from_der(tee.tls_cert_der) if tee.tls_cert_der else None
+        tls_verify: Union[ssl.SSLContext, bool] = ssl_ctx if ssl_ctx else True
 
-        self._active = ActiveTEE(
-            endpoint=endpoint,
+        return ActiveTEE(
+            endpoint=tee.endpoint,
             http_client=x402HttpxClient(self._x402_client, verify=tls_verify),
-            tee_id=tee_id,
-            payment_address=payment_address,
+            tee_id=tee.tee_id,
+            payment_address=tee.payment_address,
         )
 
     async def reconnect(self) -> None:
         """Connect to a new TEE from the registry and rebuild the HTTP client."""
         async with self._refresh_lock:
             old_client = self._active.http_client
-            self._connect()
+            self._active = self._connect()
             try:
                 await old_client.aclose()
             except Exception:
@@ -105,11 +167,8 @@ async def reconnect(self) -> None:
     def ensure_refresh_loop(self) -> None:
         """Start the background TEE refresh loop if not already running.
 
-        No-op when ``llm_server_url`` is set (bypasses the registry).
         Called lazily from async request methods since ``__init__`` is synchronous.
         """
-        if self._llm_server_url is not None:
-            return
         if self._refresh_task is not None and not self._refresh_task.done():
             return
         self._refresh_task = asyncio.create_task(self._tee_refresh_loop())
@@ -139,34 +198,4 @@ async def close(self) -> None:
         if self._refresh_task is not None:
             self._refresh_task.cancel()
             self._refresh_task = None
-        if self._active is not None:
-            await self._active.http_client.aclose()
-
-    # ── Static helpers ──────────────────────────────────────────────────
-
-    @staticmethod
-    def _resolve_tee(
-        tee_endpoint_override: Optional[str],
-        registry: Optional[TEERegistry],
-    ) -> tuple:
-        """Resolve TEE endpoint and metadata from the on-chain registry or explicit URL.
-
-        Returns:
-            (endpoint, tls_cert_der, tee_id, payment_address)
-        """
-        if tee_endpoint_override is not None:
-            return tee_endpoint_override, None, None, None
-
-        if registry is None:
-            raise ValueError("Either llm_server_url or a TEERegistry instance must be provided.")
-
-        try:
-            tee = registry.get_llm_tee()
-        except Exception as e:
-            raise RuntimeError(f"Failed to fetch LLM TEE endpoint from registry: {e}") from e
-
-        if tee is None:
-            raise ValueError("No active LLM proxy TEE found in the registry. Pass llm_server_url explicitly to override.")
-
-        logger.info("Using TEE endpoint from registry: %s (teeId=%s)", tee.endpoint, tee.tee_id)
-        return tee.endpoint, tee.tls_cert_der, tee.tee_id, tee.payment_address
+        await self._active.http_client.aclose()

tests/client_test.py

@@ -77,7 +77,7 @@ def test_llm_initialization(self, mock_tee_registry):
     def test_llm_initialization_custom_url(self, mock_tee_registry):
         """Test LLM initialization with custom server URL."""
         custom_llm_url = "https://custom.llm.server"
-        llm = LLM(private_key=FAKE_PRIVATE_KEY, llm_server_url=custom_llm_url)
+        llm = LLM.from_url(private_key=FAKE_PRIVATE_KEY, llm_server_url=custom_llm_url)
         assert llm._tee.get().endpoint == custom_llm_url
 
 

tests/llm_test.py

@@ -137,9 +137,10 @@ def _make_llm(
     endpoint: str = "https://test.tee.server",
 ) -> LLM:
     """Build an LLM with an explicit server URL (skips registry lookup)."""
-    llm = LLM(private_key=FAKE_PRIVATE_KEY, llm_server_url=endpoint)
-    # llm_server_url path sets tee_id/payment_address to None; replace with test values.
     from dataclasses import replace
+
+    llm = LLM.from_url(private_key=FAKE_PRIVATE_KEY, llm_server_url=endpoint)
+    # from_url sets tee_id/payment_address to None; replace with test values.
     llm._tee._active = replace(llm._tee.get(), tee_id="test-tee-id", payment_address="0xTestPayment")
     return llm