CLI

Command-line interface for Tinfoil’s secure AI inference API
GitHub: tinfoil-cli

Overview

The Tinfoil CLI provides a command-line interface for making verified HTTP requests to Tinfoil enclaves and validating attestation documents. It supports all major AI inference operations including chat completions, audio transcription, and text embeddings.

Installation

Pre-built Binaries

Download the latest release for your OS from the Releases page.

Install Script

You can install tinfoil CLI using our install script. This script automatically detects your operating system and architecture, downloads the correct binary, and installs it to /usr/local/bin.

curl -fsSL https://github.com/tinfoilsh/tinfoil-cli/raw/main/install.sh | sh

Note: If you receive permission errors (for example, if you’re not running as root), you may need to run the command with sudo:

curl -fsSL https://github.com/tinfoilsh/tinfoil-cli/raw/main/install.sh | sh

Build from Source

  1. Ensure you have Go installed.
  2. Clone the repository:
git clone https://github.com/tinfoilsh/tinfoil-cli.git
cd tinfoil-cli
  1. Build the binary:
go build -o tinfoil

Command Reference

Usage:
  tinfoil [command]

Available Commands:
  attestation  Attestation commands (verify or audit)
  chat         Chat with a language model
  audio        Transcribe audio files using Whisper
  embed        Generate text embeddings
  proxy        Run a local HTTP proxy
  completion   Generate the autocompletion script for the specified shell
  help         Help about any command
  http         Make verified HTTP requests

Flags:
  -e, --host string           Enclave hostname
  -h, --help                  help for tinfoil
  -r, --repo string           Source repo

Use "tinfoil [command] --help" for more information about a command.

Usage Examples

Chat

Chat with AI models using natural language.

Basic Usage

tinfoil chat -m llama3-3-70b -k "YOUR_API_KEY" "Why is tinfoil now called aluminum foil?"
The model parameter is required. See our model catalog for supported models.

Streaming Example

tinfoil chat -m llama3-3-70b -k "YOUR_API_KEY" "Explain quantum computing in simple terms"

Specifying a Custom Model

For custom models not included in config.json, supply the model name along with the -e and -r overrides:

tinfoil chat -m custom-model -k "YOUR_API_KEY" "Explain string theory" \
  -e custom.enclave.example.com \
  -r cool-user/custom-model-repo

If you omit -e or -r for a model that isn’t in the configuration, a warning will be displayed prompting you to specify these flags.

Command Options:

  • -m, --model: The model name to use for chat. Must be specified.
  • -k, --api-key: The API key for authentication.
  • -e, --host: The hostname of the enclave. Optional if defined in the config file.
  • -r, --repo: The GitHub repository containing code measurements. Optional if defined in the config file.

Audio Transcription

The audio command allows you to transcribe audio files using Whisper. By default, it uses the whisper-large-v3-turbo model.

Basic Usage

tinfoil audio -k "YOUR_API_KEY" -f path/to/audio/file.mp3

This command uses the default model whisper-large-v3-turbo and loads the enclave host and repo values from config.json.

Specifying a Custom Model

tinfoil audio -m custom-whisper-model -k "YOUR_API_KEY" -f path/to/audio/file.mp3 \
  -e custom.enclave.example.com \
  -r cool-user/custom-model-repo

Command Options:

  • -m, --model: The model name to use for transcription. Defaults to whisper-large-v3-turbo.
  • -k, --api-key: The API key for authentication.
  • -f, --file: The audio file to transcribe.
  • -e, --host: The hostname of the enclave. Optional if defined in the config file.
  • -r, --repo: The GitHub repository containing code measurements. Optional if defined in the config file.

Text-to-Speech

The CLI can generate audio from text using the Kokoro model via the HTTP command:

# Generate speech and save to file
tinfoil http POST \
  -e audio-processing.model.tinfoil.sh \
  -r tinfoilsh/confidential-audio-processing \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  https://audio-processing.model.tinfoil.sh/v1/audio/speech \
  -d '{
    "model": "kokoro",
    "voice": "af_sky+af_bella",
    "input": "Hello world! This is a test of text-to-speech synthesis.",
    "response_format": "mp3"
  }' > output.mp3

echo "Speech saved to output.mp3"

Available voices include af_sky, af_bella, af_heart, and combinations like af_sky+af_bella.

Text Embeddings

The embed command allows you to generate embeddings for text inputs. By default, it uses the nomic-embed-text model.

With Default Model

tinfoil embed -k "YOUR_API_KEY" "This is a text I want to get embeddings for."

This command uses the default model nomic-embed-text and loads the enclave host and repo values from config.json.

With Multiple Text Inputs

You can provide multiple text inputs to get embeddings for all of them:

tinfoil embed -k "YOUR_API_KEY" "First text" "Second text" "Third text"

Specifying a Custom Model

tinfoil embed -m custom-embed-model -k "YOUR_API_KEY" "Text to embed" \
  -e custom.enclave.example.com \
  -r cool-user/custom-model-repo

Command Options:

  • -m, --model: The model name to use for embeddings. Defaults to nomic-embed-text.
  • -k, --api-key: The API key for authentication.
  • -e, --host: The hostname of the enclave. Optional if defined in the config file.
  • -r, --repo: The GitHub repository containing code measurements. Optional if defined in the config file.

Attestation Verification

Verify Attestation

Use the attestation verify command to manually verify that an enclave is running the expected code. The output will be a series of INFO logs describing each verification step.

Sample successful output:

$ tinfoil attestation verify \
  -e llama3-3-70b-p.model.tinfoil.sh \
  -r tinfoilsh/confidential-llama3-3-70b-prod
INFO[0000] Fetching latest release for tinfoilsh/confidential-llama3-3-70b-prod 
INFO[0000] Fetching sigstore bundle from tinfoilsh/confidential-llama3-3-70b-prod for digest f2f48557c8b0c1b268f8d8673f380242ad8c4983fe9004c02a8688a89f94f333 
INFO[0001] Fetching trust root                          
INFO[0001] Verifying code measurements                  
INFO[0001] Fetching attestation doc from llama3-3-70b-p.model.tinfoil.sh 
INFO[0001] Verifying enclave measurements               
INFO[0001] Public key fingerprint: 5f6c24f54ed862c404a558aa3fa85b686b77263ceeda86131e7acd90e8af5db2 
INFO[0001] Remote public key fingerprint: 5f6c24f54ed862c404a558aa3fa85b686b77263ceeda86131e7acd90e8af5db2 
INFO[0001] Measurements match

Audit Attestation

You can also verify attestations at random and record a machine-readable audit log. Use the attestation audit command for this purpose.

By default the audit record is printed to stdout as JSON. To write it to a file, use the -l/--log-file flag:

tinfoil attestation audit \
  -e llama3-3-70b-p.model.tinfoil.sh \
  -r tinfoilsh/confidential-llama3-3-70b-prod \
  -l /var/log/tinfoil_audit.log

The audit log record includes the timestamp, enclave host, code and enclave measurement fingerprints, and the verification status.

Proxy

Use tinfoil proxy to start a local HTTP proxy that verifies connections and forwards them to the specified enclave:

tinfoil proxy \
  -r tinfoilsh/confidential-llama3-3-70b-prod \
  -e llama3-3-70b-prod.model.tinfoil.sh \
  -p 8080