feat: add backend client and inventory attestation call

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ on:
     branches: [ main, 'release/**' ]
 
 env:
-  GO_VERSION: '1.26.1'
+  GO_VERSION: '1.26.2'
   GOFLAGS: '-trimpath'
 
 jobs:

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'v*'  # Triggers on version tags like v1.0.0, v2.1.3, etc.
 
 env:
-  GO_VERSION: '1.26.1'
+  GO_VERSION: '1.26.2'
 
 permissions:
   contents: write  # Needed for creating GitHub releases

.golangci.yml

@@ -1,6 +1,6 @@
 version: "2"
 run:
-  go: 1.26.1
+  go: 1.26.2
 linters:
   default: none
   enable:

SECURITY.md

@@ -49,7 +49,7 @@ This repository contains the `fleetint` host agent. The notes below are intended
 - Exporter token refresh and endpoint reload: [`internal/exporter/exporter.go`](internal/exporter/exporter.go)
 - Local HTTP server routes: [`internal/server/server.go`](internal/server/server.go)
 - Optional fault injection handler: [`internal/server/handlers_inject_fault.go`](internal/server/handlers_inject_fault.go)
-- Remote attestation and `nvattest` invocation: [`internal/attestation/attestation.go`](internal/attestation/attestation.go)
+- Remote attestation and `nvattest` invocation: [`internal/attestation/manager.go`](internal/attestation/manager.go), [`internal/attestation/collector.go`](internal/attestation/collector.go)
 
 ### Threat Model
 

cmd/fleetint/enroll.go

@@ -22,21 +22,12 @@ import (
 	"os"
 	"strings"
 
-	pkgmetadata "github.com/NVIDIA/fleet-intelligence-sdk/pkg/metadata"
-	"github.com/NVIDIA/fleet-intelligence-sdk/pkg/sqlite"
 	"github.com/urfave/cli"
 
-	"github.com/NVIDIA/fleet-intelligence-agent/internal/config"
-	"github.com/NVIDIA/fleet-intelligence-agent/internal/endpoint"
 	"github.com/NVIDIA/fleet-intelligence-agent/internal/enrollment"
 )
 
-var (
-	performEnrollment = func(enrollEndpoint, sakToken string) (string, error) {
-		return enrollment.PerformEnrollment(context.Background(), enrollEndpoint, sakToken)
-	}
-	storeEnrollmentConfig = storeConfigInMetadata
-)
+var performEnrollWorkflow = enrollment.Enroll
 
 // resolveToken returns the SAK token from --token, --token-file, or stdin.
 func resolveToken(cliContext *cli.Context) (string, error) {
@@ -48,7 +39,7 @@ func resolveToken(cliContext *cli.Context) (string, error) {
 	}
 
 	if tokenFile != "" {
-		const maxTokenSize = 1 << 20 // 1 MiB -- SAK tokens are small; anything larger is a mistake
+		const maxTokenSize = 1 << 20
 		var raw []byte
 		var err error
 		if tokenFile == "-" {
@@ -105,84 +96,5 @@ func enrollCommand(cliContext *cli.Context) error {
 		fmt.Fprintln(writerFromContext(cliContext), "Proceeding with enrollment because --force was provided")
 	}
 
-	baseURL, err := endpoint.ValidateBackendEndpoint(baseEndpoint)
-	if err != nil {
-		return fmt.Errorf("invalid enrollment endpoint: %w", err)
-	}
-
-	// Construct enroll endpoint
-	enrollEndpoint, err := endpoint.JoinPath(baseURL, "api", "v1", "health", "enroll")
-	if err != nil {
-		return fmt.Errorf("failed to construct enroll endpoint: %w", err)
-	}
-
-	// Make enrollment request to get JWT token
-	jwtToken, err := performEnrollment(enrollEndpoint, sakToken)
-	if err != nil {
-		// Error already printed to stderr by PerformEnrollment
-		return err
-	}
-
-	// Construct other endpoints using url.JoinPath for proper URL handling
-	metricsEndpoint, err := endpoint.JoinPath(baseURL, "api", "v1", "health", "metrics")
-	if err != nil {
-		return fmt.Errorf("failed to construct metrics endpoint: %w", err)
-	}
-	logsEndpoint, err := endpoint.JoinPath(baseURL, "api", "v1", "health", "logs")
-	if err != nil {
-		return fmt.Errorf("failed to construct logs endpoint: %w", err)
-	}
-	nonceEndpoint, err := endpoint.JoinPath(baseURL, "api", "v1", "health", "nonce")
-	if err != nil {
-		return fmt.Errorf("failed to construct nonce endpoint: %w", err)
-	}
-
-	// Store endpoints and JWT token in metadata table
-	if err := storeEnrollmentConfig(enrollEndpoint, metricsEndpoint, logsEndpoint, nonceEndpoint, jwtToken, sakToken); err != nil {
-		return fmt.Errorf("failed to store configuration: %w", err)
-	}
-
-	return nil
-}
-
-func storeConfigInMetadata(enrollEndpoint, metricsEndpoint, logsEndpoint, nonceEndpoint, jwtToken, sakToken string) error {
-	stateFile, err := config.DefaultStateFile()
-	if err != nil {
-		return fmt.Errorf("failed to get state file path: %w", err)
-	}
-
-	dbRW, err := sqlite.Open(stateFile)
-	if err != nil {
-		return fmt.Errorf("failed to open state database: %w", err)
-	}
-	defer dbRW.Close()
-
-	if err := pkgmetadata.CreateTableMetadata(context.Background(), dbRW); err != nil {
-		return fmt.Errorf("failed to create metadata table: %w", err)
-	}
-
-	// Store SAK token (for JWT refresh), JWT token (for API calls), and all endpoints
-	if err := pkgmetadata.SetMetadata(context.Background(), dbRW, "sak_token", sakToken); err != nil {
-		return fmt.Errorf("failed to set SAK token: %w", err)
-	}
-	if err := pkgmetadata.SetMetadata(context.Background(), dbRW, pkgmetadata.MetadataKeyToken, jwtToken); err != nil {
-		return fmt.Errorf("failed to set JWT token: %w", err)
-	}
-	if err := pkgmetadata.SetMetadata(context.Background(), dbRW, "enroll_endpoint", enrollEndpoint); err != nil {
-		return fmt.Errorf("failed to set enroll endpoint: %w", err)
-	}
-	if err := pkgmetadata.SetMetadata(context.Background(), dbRW, "metrics_endpoint", metricsEndpoint); err != nil {
-		return fmt.Errorf("failed to set metrics endpoint: %w", err)
-	}
-	if err := pkgmetadata.SetMetadata(context.Background(), dbRW, "logs_endpoint", logsEndpoint); err != nil {
-		return fmt.Errorf("failed to set logs endpoint: %w", err)
-	}
-	if err := pkgmetadata.SetMetadata(context.Background(), dbRW, "nonce_endpoint", nonceEndpoint); err != nil {
-		return fmt.Errorf("failed to set nonce endpoint: %w", err)
-	}
-	if err := config.SecureStateFilePermissions(stateFile); err != nil {
-		return fmt.Errorf("failed to secure state database permissions: %w", err)
-	}
-
-	return nil
+	return performEnrollWorkflow(context.Background(), baseEndpoint, sakToken)
 }

cmd/fleetint/enroll_test.go

@@ -17,9 +17,8 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"fmt"
-	"os"
-	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -50,12 +49,10 @@ func TestEnrollCommandPrecheckError(t *testing.T) {
 
 func TestEnrollCommandBlocksOnFailedPrecheck(t *testing.T) {
 	originalRunPrecheck := runPrecheck
-	originalPerformEnrollment := performEnrollment
-	originalStoreConfig := storeEnrollmentConfig
+	originalEnrollWorkflow := performEnrollWorkflow
 	t.Cleanup(func() {
 		runPrecheck = originalRunPrecheck
-		performEnrollment = originalPerformEnrollment
-		storeEnrollmentConfig = originalStoreConfig
+		performEnrollWorkflow = originalEnrollWorkflow
 	})
 
 	enrollmentCalled := false
@@ -66,11 +63,8 @@ func TestEnrollCommandBlocksOnFailedPrecheck(t *testing.T) {
 			},
 		}, nil
 	}
-	performEnrollment = func(enrollEndpoint, sakToken string) (string, error) {
+	performEnrollWorkflow = func(ctx context.Context, baseEndpoint, sakToken string) error {
 		enrollmentCalled = true
-		return "jwt-token", nil
-	}
-	storeEnrollmentConfig = func(enrollEndpoint, metricsEndpoint, logsEndpoint, nonceEndpoint, jwtToken, sakToken string) error {
 		return nil
 	}
 
@@ -88,12 +82,10 @@ func TestEnrollCommandBlocksOnFailedPrecheck(t *testing.T) {
 
 func TestEnrollCommandForceBypassesFailedPrecheck(t *testing.T) {
 	originalRunPrecheck := runPrecheck
-	originalPerformEnrollment := performEnrollment
-	originalStoreConfig := storeEnrollmentConfig
+	originalEnrollWorkflow := performEnrollWorkflow
 	t.Cleanup(func() {
 		runPrecheck = originalRunPrecheck
-		performEnrollment = originalPerformEnrollment
-		storeEnrollmentConfig = originalStoreConfig
+		performEnrollWorkflow = originalEnrollWorkflow
 	})
 
 	enrollmentCalled := false
@@ -104,11 +96,8 @@ func TestEnrollCommandForceBypassesFailedPrecheck(t *testing.T) {
 			},
 		}, nil
 	}
-	performEnrollment = func(enrollEndpoint, sakToken string) (string, error) {
+	performEnrollWorkflow = func(ctx context.Context, baseEndpoint, sakToken string) error {
 		enrollmentCalled = true
-		return "jwt-token", nil
-	}
-	storeEnrollmentConfig = func(enrollEndpoint, metricsEndpoint, logsEndpoint, nonceEndpoint, jwtToken, sakToken string) error {
 		return nil
 	}
 
@@ -120,35 +109,3 @@ func TestEnrollCommandForceBypassesFailedPrecheck(t *testing.T) {
 	require.NoError(t, err)
 	assert.True(t, enrollmentCalled)
 }
-
-func TestStoreConfigInMetadataSecuresFreshStateFile(t *testing.T) {
-	if os.Geteuid() == 0 {
-		t.Skip("test expects non-root default state path resolution")
-	}
-
-	tmpHome := t.TempDir()
-	t.Setenv("HOME", tmpHome)
-
-	err := storeConfigInMetadata(
-		"https://example.com/api/v1/health/enroll",
-		"https://example.com/api/v1/health/metrics",
-		"https://example.com/api/v1/health/logs",
-		"https://example.com/api/v1/health/nonce",
-		"jwt-token",
-		"sak-token",
-	)
-	require.NoError(t, err)
-
-	stateFile := filepath.Join(tmpHome, ".fleetint", "fleetint.state")
-	for _, candidate := range []string{stateFile, stateFile + "-wal", stateFile + "-shm"} {
-		info, err := os.Stat(candidate)
-		if os.IsNotExist(err) {
-			if candidate == stateFile {
-				require.NoError(t, err)
-			}
-			continue
-		}
-		require.NoError(t, err)
-		assert.Equal(t, os.FileMode(0o600), info.Mode().Perm())
-	}
-}

cmd/fleetint/run.go

@@ -202,15 +202,6 @@ func configureHealthExporterFromEnv(cfg *config.Config) error {
 		return err
 	}
 
-	// FLEETINT_ATTESTATION_JITTER_ENABLED - Enable/disable attestation jitter
-	if err := setBoolFromEnv("FLEETINT_ATTESTATION_JITTER_ENABLED", &he.Attestation.JitterEnabled, "set attestation jitter enabled from env", "attestation_jitter_enabled"); err != nil {
-		return err
-	}
-
-	if err := setDurationFromEnv("FLEETINT_ATTESTATION_INTERVAL", &he.Attestation.Interval, "set attestation interval from env", "attestation_interval", 0, 0); err != nil {
-		return err
-	}
-
 	// Lookbacks
 	if err := setDurationFromEnv("FLEETINT_METRICS_LOOKBACK", &he.MetricsLookback, "set health exporter metrics lookback from env", "metrics_lookback", 0, 0); err != nil {
 		return err
@@ -231,6 +222,29 @@ func configureHealthExporterFromEnv(cfg *config.Config) error {
 	return nil
 }
 
+func configureLoopConfigFromEnv(cfg *config.Config) error {
+	if cfg.Inventory != nil {
+		if err := setBoolFromEnv("FLEETINT_INVENTORY_ENABLED", &cfg.Inventory.Enabled, "set inventory enabled from env", "inventory_enabled"); err != nil {
+			return err
+		}
+		if err := setDurationFromEnv("FLEETINT_INVENTORY_INTERVAL", &cfg.Inventory.Interval, "set inventory interval from env", "inventory_interval", time.Minute, 0); err != nil {
+			return err
+		}
+	}
+	if cfg.Attestation != nil {
+		if err := setBoolFromEnv("FLEETINT_ATTESTATION_ENABLED", &cfg.Attestation.Enabled, "set attestation enabled from env", "attestation_enabled"); err != nil {
+			return err
+		}
+		if err := setDurationFromEnv("FLEETINT_ATTESTATION_INITIAL_INTERVAL", &cfg.Attestation.InitialInterval, "set attestation initial interval from env", "attestation_initial_interval", time.Minute, 0); err != nil {
+			return err
+		}
+		if err := setDurationFromEnv("FLEETINT_ATTESTATION_INTERVAL", &cfg.Attestation.Interval, "set attestation interval from env", "attestation_interval", time.Minute, 0); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func runCommand(cliContext *cli.Context) error {
 	logLevel := cliContext.String("log-level")
 	logFile := cliContext.String("log-file")
@@ -310,6 +324,9 @@ func runCommand(cliContext *cli.Context) error {
 	if err := configureHealthExporterFromEnv(cfg); err != nil {
 		return fmt.Errorf("failed to configure health exporter from environment variables: %w", err)
 	}
+	if err := configureLoopConfigFromEnv(cfg); err != nil {
+		return fmt.Errorf("failed to configure loop settings from environment variables: %w", err)
+	}
 	log.Logger.Infow("health exporter configuration", "cfg", cfg.HealthExporter)
 
 	if listenAddress != "" {