@appliedblockchain/silentdatarollup-core 1.0.9 → 1.0.10

package/dist/chunk-RWLHE5DT.mjs

@@ -0,0 +1,3312 @@
+// src/Base.ts
+import debug2 from "debug";
+import {
+  getBytes,
+  keccak256 as keccak2563,
+  toUtf8Bytes as toUtf8Bytes3,
+  TypedDataEncoder
+} from "ethers";
+
+// src/constants.ts
+import { keccak256, toUtf8Bytes } from "ethers";
+var SIGN_RPC_METHODS = [
+  "sd_getTransactionsByAddress",
+  "eth_estimateGas",
+  "eth_getProof",
+  "eth_getTransactionByHash",
+  "eth_getTransactionReceipt",
+  "eth_getUserOperationReceipt",
+  "eth_getUserOperationByHash"
+];
+var eip721Domain = {
+  name: "Silent Data [Rollup]",
+  version: "1"
+};
+var delegateEIP721Types = {
+  Ticket: [
+    { name: "expires", type: "string" },
+    { name: "ephemeralAddress", type: "string" }
+  ]
+};
+var DEBUG_NAMESPACE = "silentdata:core";
+var DEBUG_NAMESPACE_SILENTDATA_INTERCEPTOR = "silentdata:interceptor";
+var HEADER_SIGNATURE = "x-signature";
+var HEADER_TIMESTAMP = "x-timestamp";
+var HEADER_SIGNATURE_TYPE = "x-signature-type";
+var HEADER_EIP712_SIGNATURE = "x-eip712-signature";
+var HEADER_DELEGATE = "x-delegate";
+var HEADER_DELEGATE_SIGNATURE = "x-delegate-signature";
+var HEADER_EIP712_DELEGATE_SIGNATURE = "x-eip712-delegate-signature";
+var HEADER_SIGNER_SWC = "x-signer-swc";
+var HEADER_FROM_BLOCK = "x-from-block";
+var ENTRYPOINT_ADDRESS = "0x34F5Bda45f2Ce00B646BD6B19D0F9817b5D8D398";
+var DEFAULT_USER_OPERATION_RECEIPT_LOOKUP_RANGE = 1024;
+var USER_OPERATION_EVENT_SIGNATURE = "UserOperationEvent(bytes32,address,address,uint256,bool,uint256,uint256)";
+var USER_OPERATION_EVENT_HASH = keccak256(
+  toUtf8Bytes(USER_OPERATION_EVENT_SIGNATURE)
+);
+var DEFAULT_DELEGATE_EXPIRES = 10 * 60 * 60;
+var DELEGATE_EXPIRATION_THRESHOLD_BUFFER = 5;
+var WHITELISTED_METHODS = [
+  "sd_getTransactionsByAddress",
+  "sd_getVersion",
+  "eth_blockNumber",
+  "eth_call",
+  "eth_chainId",
+  "eth_estimateGas",
+  "eth_feeHistory",
+  "eth_gasPrice",
+  "eth_getBalance",
+  "eth_getBlockByHash",
+  "eth_getBlockByNumber",
+  "eth_getCode",
+  "eth_getFilterChanges",
+  "eth_getFilterLogs",
+  "eth_getHeaderByHash",
+  "eth_getLogs",
+  "eth_getProof",
+  "eth_getTransactionByHash",
+  "eth_getTransactionCount",
+  "eth_getTransactionReceipt",
+  "eth_maxPriorityFeePerGas",
+  "eth_newBlockFilter",
+  "eth_sendRawTransaction",
+  "eth_syncing",
+  "eth_newFilter",
+  "eth_newPendingTransactionFilter",
+  "net_listening",
+  "net_version",
+  "net_peerCount",
+  "web3_clientVersion",
+  "web3_sha3"
+];
+
+// src/privateEvents.ts
+import { keccak256 as keccak2562, toUtf8Bytes as toUtf8Bytes2 } from "ethers";
+var PRIVATE_EVENT_SIGNATURE = "PrivateEvent(address[],bytes32,bytes)";
+var PRIVATE_EVENT_SIGNATURE_HASH = keccak2562(
+  toUtf8Bytes2(PRIVATE_EVENT_SIGNATURE)
+);
+function calculateEventTypeHash(eventSignature) {
+  return keccak2562(toUtf8Bytes2(eventSignature));
+}
+
+// src/types.ts
+var ChainId = /* @__PURE__ */ ((ChainId2) => {
+  ChainId2[ChainId2["MAINNET"] = 380929] = "MAINNET";
+  ChainId2[ChainId2["TESTNET"] = 381185] = "TESTNET";
+  return ChainId2;
+})(ChainId || {});
+var NetworkName = /* @__PURE__ */ ((NetworkName2) => {
+  NetworkName2["MAINNET"] = "sdr";
+  NetworkName2["TESTNET"] = "sdr-testnet";
+  return NetworkName2;
+})(NetworkName || {});
+var SignatureType = /* @__PURE__ */ ((SignatureType2) => {
+  SignatureType2["Raw"] = "RAW";
+  SignatureType2["EIP191"] = "EIP191";
+  SignatureType2["EIP712"] = "EIP712";
+  return SignatureType2;
+})(SignatureType || {});
+
+// src/utils.ts
+import debug from "debug";
+import { Wallet } from "ethers";
+var log = debug(DEBUG_NAMESPACE);
+function getAuthEIP721Types(payload) {
+  return {
+    Call: [
+      {
+        name: "request",
+        type: Array.isArray(payload) ? "JsonRPCRequest[]" : "JsonRPCRequest"
+      },
+      { name: "timestamp", type: "string" }
+    ],
+    JsonRPCRequest: [
+      { name: "jsonrpc", type: "string" },
+      { name: "method", type: "string" },
+      { name: "params", type: "string" },
+      { name: "id", type: "uint256" }
+    ]
+  };
+}
+async function signAuthHeaderTypedData(signer, payload, timestamp, chainId) {
+  log("Preparing payload for signTypedData");
+  const preparePayload = (p) => ({
+    ...p,
+    params: JSON.stringify(p.params)
+  });
+  const preparedPayload = Array.isArray(payload) ? payload.map(preparePayload) : preparePayload(payload);
+  const message = {
+    request: preparedPayload,
+    timestamp
+  };
+  const types = getAuthEIP721Types(payload);
+  const domain = { ...eip721Domain, chainId };
+  log("Signing typed data", JSON.stringify({ domain, types, message }, null, 2));
+  const signature = await signer.signTypedData(domain, types, message);
+  log("Signature generated:", signature);
+  return signature;
+}
+async function signAuthHeaderRawMessage(signer, payload, timestamp, chainId) {
+  log("Preparing raw message for signing");
+  const serialRequest = JSON.stringify(payload);
+  const xMessage = chainId + serialRequest + timestamp;
+  log("Raw message:", xMessage);
+  const signature = await signer.signMessage(xMessage);
+  log("Raw signature generated:", signature);
+  return signature;
+}
+async function getAuthHeaders(signer, payload, chainId, signatureType) {
+  const xTimestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const headers = {
+    [HEADER_TIMESTAMP]: xTimestamp
+  };
+  switch (signatureType) {
+    case "RAW" /* Raw */:
+      log("Generating raw signature");
+      headers[HEADER_SIGNATURE] = await signAuthHeaderRawMessage(
+        signer,
+        payload,
+        xTimestamp,
+        chainId
+      );
+      break;
+    case "EIP712" /* EIP712 */:
+      log("Generating EIP712 signature");
+      headers[HEADER_EIP712_SIGNATURE] = await signAuthHeaderTypedData(
+        signer,
+        payload,
+        xTimestamp,
+        chainId
+      );
+      break;
+    default:
+      throw new Error(`Unsupported signature type: ${signatureType}`);
+  }
+  return headers;
+}
+function isSignableContractCall(payload, contracts) {
+  if (!contracts || contracts.length === 0) {
+    return false;
+  }
+  log("Checking if contract call is signable");
+  if (payload.method !== "eth_call") {
+    log("Payload method is not eth_call, returning false");
+    return false;
+  }
+  const params = payload.params;
+  if (!params || params.length === 0 || typeof params[0] !== "object") {
+    log("Invalid params, returning false");
+    return false;
+  }
+  const callTarget = params[0].to;
+  if (!callTarget) {
+    log("Missing call target, returning false");
+    return false;
+  }
+  log(`Call target: ${callTarget}`);
+  const contractIndex = contracts.findIndex(
+    (c) => c.contract.target.toString().toLowerCase() === callTarget.toLowerCase()
+  );
+  if (contractIndex < 0) {
+    log("Contract not found, returning false");
+    return false;
+  }
+  const callData = params[0].data;
+  if (!callData) {
+    log("Missing call data, returning false");
+    return false;
+  }
+  const methodSignature = callData.slice(2, 10);
+  if (!methodSignature) {
+    log("Missing method signature, returning false");
+    return false;
+  }
+  log(`Method signature: ${methodSignature}`);
+  const { contract, contractMethodsToSign } = contracts[contractIndex];
+  const isSignable = contractMethodsToSign.some((methodName) => {
+    const fragment = contract.interface.getFunction(methodName);
+    return !!fragment && methodSignature.startsWith(fragment.selector.slice(2));
+  });
+  log("Is signable contract call:", isSignable);
+  return isSignable;
+}
+var defaultGetDelegate = async (provider) => {
+  return Wallet.createRandom();
+};
+var prepareTypedDataPayload = (p) => ({
+  ...p,
+  params: JSON.stringify(p.params)
+});
+
+// src/Base.ts
+var log2 = debug2(DEBUG_NAMESPACE);
+var SilentDataRollupBase = class {
+  constructor(config) {
+    this.currentDelegateSigner = null;
+    this.delegateSignerExpires = 0;
+    this.cachedDelegateHeaders = null;
+    this.cachedHeadersExpiry = 0;
+    this.delegateHeadersPromise = null;
+    this.contracts = [];
+    this._cachedNetwork = null;
+    this.config = {
+      ...config,
+      authSignatureType: config.authSignatureType ?? "EIP191" /* EIP191 */
+    };
+    this.delegateConfig = this.resolveDelegateConfig(config);
+    log2(
+      "SilentDataRollupBase initialized with config:",
+      JSON.stringify(config, null, 2)
+    );
+  }
+  resolveDelegateConfig(config) {
+    if (config.delegate === true) {
+      return {
+        getDelegate: defaultGetDelegate,
+        expires: DEFAULT_DELEGATE_EXPIRES
+      };
+    } else if (typeof config.delegate === "object") {
+      return {
+        getDelegate: config.delegate.getDelegate ?? defaultGetDelegate,
+        expires: config.delegate.expires ?? DEFAULT_DELEGATE_EXPIRES
+      };
+    }
+    return null;
+  }
+  /**
+   * Get cached network with simple caching
+   * @param provider - The provider to get the network from
+   * @returns Promise<Network> - The cached or freshly fetched network
+   */
+  async getCachedNetwork(provider) {
+    if (!this._cachedNetwork) {
+      this._cachedNetwork = await provider.getNetwork();
+      log2("Network cached:", this._cachedNetwork);
+    }
+    return this._cachedNetwork;
+  }
+  async getDelegateSigner(provider) {
+    if (!this.delegateConfig) {
+      log2("getDelegateSigner: No delegate config, returning null");
+      return null;
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    log2("getDelegateSigner: Current time:", now);
+    const isDelegateSignerValid = this.currentDelegateSigner && this.delegateSignerExpires - DELEGATE_EXPIRATION_THRESHOLD_BUFFER > now;
+    if (isDelegateSignerValid) {
+      log2(
+        "getDelegateSigner: Returning existing delegate signer, expires in:",
+        this.delegateSignerExpires - now,
+        "seconds"
+      );
+      return this.currentDelegateSigner;
+    } else {
+      log2("getDelegateSigner: Getting new delegate signer");
+      try {
+        const newSigner = await this.delegateConfig.getDelegate(provider);
+        this.currentDelegateSigner = newSigner;
+        this.delegateSignerExpires = now + this.delegateConfig.expires;
+        log2(
+          "getDelegateSigner: New delegate signer set, expires in:",
+          this.delegateConfig.expires,
+          "seconds"
+        );
+        return newSigner;
+      } catch (error) {
+        log2("getDelegateSigner: Error getting delegate signer:", error);
+        throw new Error("Failed to get delegate signer");
+      }
+    }
+  }
+  async getDelegateSignerMessage(provider) {
+    if (!this.delegateConfig) {
+      log2("No delegate config, returning null");
+      return null;
+    }
+    const delegateSigner = await this.getDelegateSigner(provider);
+    if (!delegateSigner) {
+      log2("Failed to get delegate signer, returning null");
+      return null;
+    }
+    return {
+      expires: new Date(this.delegateSignerExpires * 1e3).toISOString(),
+      ephemeralAddress: await delegateSigner.getAddress()
+    };
+  }
+  /**
+   * Signs a raw delegate header message.
+   * This method can be overridden by extending classes to customize the signing process.
+   * The signer implementation decides whether to add EIP-191 prefix or not.
+   * @param provider - The provider used for signing
+   * @param message - The delegate signer message to be signed
+   * @param isSWC - Whether signing for smart wallet contract (EIP-1271)
+   * @returns A promise that resolves to the signature string
+   */
+  async signDelegateHeader(provider, message, isSWC) {
+    log2("signDelegateHeader: Signing delegate header", message);
+    let bytesToSign;
+    if (isSWC) {
+      const messageHash = keccak2563(toUtf8Bytes3(message));
+      bytesToSign = getBytes(messageHash);
+      log2("Signing hash bytes for SWC", messageHash);
+    } else {
+      bytesToSign = toUtf8Bytes3(message);
+      log2("Signing message bytes for EOA", message);
+    }
+    const signature = await provider.signer.signMessage(bytesToSign);
+    log2("signDelegateHeader: Signature generated:", signature);
+    return signature;
+  }
+  /**
+   * Signs a typed delegate header message.
+   * This method can be overridden by extending classes to customize the signing process.
+   * @param provider - The provider used for signing
+   * @param chainId - The chain ID
+   * @param message - The delegate signer message to be signed
+   * @param isSWC - Whether signing for smart wallet contract (EIP-1271)
+   * @returns A promise that resolves to the signature string
+   */
+  async signTypedDelegateHeader(provider, chainId, message, isSWC) {
+    log2("signTypedDelegateHeader: Signing typed delegate header");
+    log2(
+      "signTypedDelegateHeader: Typed message:",
+      JSON.stringify(message, null, 2)
+    );
+    const domain = { ...eip721Domain, chainId };
+    if (isSWC) {
+      const messageHash = TypedDataEncoder.hash(
+        domain,
+        delegateEIP721Types,
+        message
+      );
+      const hashBytes = getBytes(messageHash);
+      const signature2 = await provider.signer.signMessage(hashBytes);
+      log2("signTypedDelegateHeader: Typed SWC signature generated:", signature2);
+      return signature2;
+    }
+    const signature = await provider.signer.signTypedData(
+      domain,
+      delegateEIP721Types,
+      message
+    );
+    log2("signTypedDelegateHeader: Signature generated:", signature);
+    return signature;
+  }
+  /**
+   * IMPORTANT: Return the cached promise (currentPromise), not the resolved value.
+   * This ensures multiple concurrent callers share the same in-flight request,
+   * preventing redundant API calls.
+   */
+  async getDelegateHeaders(provider) {
+    log2("Getting delegate headers");
+    if (!this.delegateHeadersPromise) {
+      this.delegateHeadersPromise = this.generateDelegateHeaders(provider);
+    }
+    const currentPromise = this.delegateHeadersPromise;
+    try {
+      const delegateHeaders = await currentPromise;
+      log2("Delegate headers:", JSON.stringify(delegateHeaders, null, 2));
+      return currentPromise;
+    } catch (error) {
+      log2("Error getting delegate headers:", error);
+      throw new Error("Failed to get delegate headers");
+    } finally {
+      if (this.delegateHeadersPromise === currentPromise) {
+        this.delegateHeadersPromise = null;
+      }
+    }
+  }
+  async generateDelegateHeaders(provider) {
+    const now = Math.floor(Date.now() / 1e3);
+    const signatureType = this.config.authSignatureType;
+    const isCachedHeadersValid = this.cachedDelegateHeaders && this.cachedHeadersExpiry - DELEGATE_EXPIRATION_THRESHOLD_BUFFER > now;
+    if (isCachedHeadersValid) {
+      log2("Returning cached delegate headers");
+      return this.cachedDelegateHeaders;
+    }
+    try {
+      const delegateSignerMessage = await this.getDelegateSignerMessage(provider);
+      if (!delegateSignerMessage) {
+        throw new Error("Failed to get delegate signer message");
+      }
+      const delegateSigner = await this.getDelegateSigner(provider);
+      if (!delegateSigner) {
+        throw new Error("Failed to get delegate signer");
+      }
+      const headers = {
+        [HEADER_DELEGATE]: JSON.stringify(delegateSignerMessage)
+      };
+      const chainId = (await this.getCachedNetwork(provider)).chainId.toString();
+      const isSWC = !!this.config.smartWalletAddress;
+      switch (signatureType) {
+        case "EIP191" /* EIP191 */:
+        case "RAW" /* Raw */: {
+          log2("Generating delegate signature");
+          const delegateMessageToSign = chainId + JSON.stringify(delegateSignerMessage);
+          headers[HEADER_DELEGATE_SIGNATURE] = await this.signDelegateHeader(
+            provider,
+            delegateMessageToSign,
+            isSWC
+          );
+          break;
+        }
+        case "EIP712" /* EIP712 */:
+          log2("Generating delegate EIP712 signature");
+          headers[HEADER_EIP712_DELEGATE_SIGNATURE] = await this.signTypedDelegateHeader(
+            provider,
+            chainId,
+            delegateSignerMessage,
+            isSWC
+          );
+          break;
+        default:
+          throw new Error(`Unsupported signature type: ${signatureType}`);
+      }
+      this.cachedDelegateHeaders = headers;
+      this.cachedHeadersExpiry = new Date(delegateSignerMessage.expires).getTime() / 1e3;
+      return this.cachedDelegateHeaders;
+    } catch (error) {
+      log2("Error getting delegate headers:", error);
+      throw new Error("Failed to get delegate headers");
+    }
+  }
+  async getAuthHeaders(provider, payload) {
+    log2("Getting auth headers", JSON.stringify(payload, null, 2));
+    const xTimestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const headers = {
+      [HEADER_TIMESTAMP]: xTimestamp
+    };
+    const chainId = (await this.getCachedNetwork(provider)).chainId.toString();
+    const signatureType = this.config.authSignatureType ?? "EIP191" /* EIP191 */;
+    const isSWC = !!this.config.smartWalletAddress;
+    let payloadToSign = payload;
+    const isGetUserOperationReceipt = !Array.isArray(payload) && payload.method === "eth_getUserOperationReceipt";
+    if (isGetUserOperationReceipt) {
+      log2(
+        "Detected eth_getUserOperationReceipt, building custom eth_getLogs payload for signing"
+      );
+      let fromBlock;
+      try {
+        fromBlock = await this.getFromBlockForUserOperationReceipt(provider);
+        headers[HEADER_FROM_BLOCK] = fromBlock.toString();
+        log2(`Added ${HEADER_FROM_BLOCK} header:`, fromBlock.toString());
+      } catch (error) {
+        log2(
+          "Error calculating fromBlock for eth_getUserOperationReceipt:",
+          error
+        );
+        throw new Error(
+          "Failed to calculate fromBlock for eth_getUserOperationReceipt"
+        );
+      }
+      payloadToSign = this.buildGetUserOperationReceiptSigningPayload(
+        payload,
+        fromBlock
+      );
+      log2(
+        "Using custom eth_getLogs payload for signing:",
+        JSON.stringify(payloadToSign, null, 2)
+      );
+    }
+    switch (signatureType) {
+      case "EIP191" /* EIP191 */:
+      case "RAW" /* Raw */:
+        log2("Generating auth header signature");
+        headers[HEADER_SIGNATURE] = await this.signAuthHeader(
+          provider,
+          payloadToSign,
+          xTimestamp,
+          chainId,
+          isSWC
+        );
+        break;
+      case "EIP712" /* EIP712 */:
+        log2("Generating auth header typed signature");
+        headers[HEADER_EIP712_SIGNATURE] = await this.signTypedAuthHeader(
+          provider,
+          payloadToSign,
+          xTimestamp,
+          chainId,
+          isSWC
+        );
+        break;
+      default:
+        throw new Error(`Unsupported signature type: ${signatureType}`);
+    }
+    log2("Auth headers:", JSON.stringify(headers, null, 2));
+    return headers;
+  }
+  /**
+   * Signs auth header.
+   */
+  async signAuthHeader(provider, payload, timestamp, chainId, isSWC) {
+    const xMessage = this.prepareMessage(chainId, payload, timestamp);
+    const delegateSigner = await this.getDelegateSigner(this);
+    const signer = delegateSigner ?? provider.signer;
+    const usingDelegate = !!delegateSigner;
+    let bytesToSign;
+    if (isSWC && !usingDelegate) {
+      const messageHash = keccak2563(toUtf8Bytes3(xMessage));
+      bytesToSign = getBytes(messageHash);
+      log2("Signing hash bytes for SWC");
+    } else {
+      bytesToSign = toUtf8Bytes3(xMessage);
+      log2("Signing message bytes for EOA");
+    }
+    const signature = await signer.signMessage(bytesToSign);
+    log2("Message signed raw. Signature:", signature);
+    return signature;
+  }
+  /**
+   * Signs auth header using typed data signature.
+   */
+  async signTypedAuthHeader(provider, payload, timestamp, chainId, isSWC) {
+    const message = this.prepareTypedData(payload, timestamp);
+    const types = getAuthEIP721Types(payload);
+    const delegateSigner = await this.getDelegateSigner(this);
+    const signer = delegateSigner ?? provider.signer;
+    const usingDelegate = !!delegateSigner;
+    const domain = { ...eip721Domain, chainId };
+    if (isSWC && !usingDelegate) {
+      const messageHash2 = TypedDataEncoder.hash(domain, types, message);
+      log2("EIP-712 hash (SWC without delegate):", messageHash2);
+      const hashBytes = getBytes(messageHash2);
+      const signature2 = await signer.signMessage(hashBytes);
+      log2("Message signed with EIP-712 for SWC. Signature:", signature2);
+      return signature2;
+    }
+    log2(
+      "Signing typed data",
+      JSON.stringify({ message, types, domain }, null, 2)
+    );
+    const messageHash = TypedDataEncoder.hash(domain, types, message);
+    log2("EIP-712 hash (EOA):", messageHash);
+    const signature = await this.signTypedData(signer, domain, types, message);
+    log2("Message signed with EIP-712. Signature:", signature);
+    return signature;
+  }
+  /**
+   * Signs a message using the provided signer.
+   * This method can be overridden to customize the signing process.
+   * @param signer - The signer to use
+   * @param message - The message to sign
+   * @returns A promise that resolves to the signature string
+   */
+  async signMessage(signer, message) {
+    return signer.signMessage(message);
+  }
+  /**
+   * Signs typed data using the provided signer.
+   * This method can be overridden to customize the signing process.
+   * @param signer - The signer to use
+   * @param domain - The EIP-712 domain
+   * @param types - The EIP-712 types
+   * @param message - The message to sign
+   * @returns A promise that resolves to the signature string
+   */
+  async signTypedData(signer, domain, types, message) {
+    return signer.signTypedData(domain, types, message);
+  }
+  setContract(contract, contractMethodsToSign) {
+    log2("Setting contract and methods to sign: ", contractMethodsToSign);
+    this.contracts.push({
+      contract,
+      contractMethodsToSign
+    });
+  }
+  /**
+   * Calculates the fromBlock value for eth_getUserOperationReceipt requests.
+   * Gets the current block number and subtracts the configured userOperationReceiptLookupRange.
+   *
+   * IMPORTANT: The bundler strictly validates this value and will reject the request if:
+   * - The header is missing
+   * - The value is < 0
+   * - The value is > current block number
+   * - The value is too far back (< currentBlock - userOperationReceiptLookupRange)
+   *
+   * This method ensures the returned value is always within the valid range:
+   * max(0, currentBlock - userOperationReceiptLookupRange) <= fromBlock <= currentBlock
+   *
+   * @param provider - The provider to use for fetching the current block number
+   * @returns A promise that resolves to the fromBlock value as a bigint
+   * @throws Error if unable to fetch the current block number
+   */
+  async getFromBlockForUserOperationReceipt(provider) {
+    const lookupRange = BigInt(
+      this.config.userOperationReceiptLookupRange ?? DEFAULT_USER_OPERATION_RECEIPT_LOOKUP_RANGE
+    );
+    log2("User operation receipt lookup range:", lookupRange.toString());
+    let currentBlockNumber;
+    if (typeof provider.getBlockNumber === "function") {
+      currentBlockNumber = BigInt(await provider.getBlockNumber());
+    } else if (typeof provider.request === "function") {
+      const blockNumberHex = await provider.request({
+        method: "eth_blockNumber",
+        params: []
+      });
+      currentBlockNumber = BigInt(blockNumberHex);
+    } else {
+      throw new Error(
+        "Provider does not support getBlockNumber or request method"
+      );
+    }
+    log2("Current block number:", currentBlockNumber.toString());
+    const fromBlock = currentBlockNumber > lookupRange ? currentBlockNumber - lookupRange : 0n;
+    log2("Calculated fromBlock:", fromBlock.toString());
+    return fromBlock;
+  }
+  /**
+   * Builds a custom eth_getLogs payload for signing when the original request is eth_getUserOperationReceipt.
+   * This method can be overridden to customize the payload construction.
+   *
+   * IMPORTANT: The bundler must reconstruct this exact payload to verify the signature.
+   * The bundler should use the same `id` from the original eth_getUserOperationReceipt request
+   * when constructing the eth_getLogs request to send to the RPC node.
+   *
+   * @param payload - The original eth_getUserOperationReceipt payload
+   * @param fromBlock - The fromBlock value to use in the eth_getLogs filter
+   * @returns A JsonRpcPayload with method 'eth_getLogs' to be used for signing
+   */
+  buildGetUserOperationReceiptSigningPayload(payload, fromBlock) {
+    return {
+      jsonrpc: payload.jsonrpc,
+      method: "eth_getLogs",
+      params: [
+        {
+          address: ENTRYPOINT_ADDRESS,
+          fromBlock: `0x${fromBlock.toString(16)}`,
+          topics: [
+            PRIVATE_EVENT_SIGNATURE_HASH,
+            USER_OPERATION_EVENT_HASH
+            // eventType
+          ]
+        }
+      ],
+      id: payload.id ?? 1
+    };
+  }
+  /**
+   * Prepares the message to be signed for the x-signature header.
+   */
+  prepareMessage(chainId, payload, timestamp) {
+    log2("Preparing raw message for signing", {
+      payload: JSON.stringify(payload, null, 2),
+      timestamp
+    });
+    const serialRequest = JSON.stringify(payload);
+    const xMessage = chainId + serialRequest + timestamp;
+    log2("Raw message to be signed:", xMessage);
+    return xMessage;
+  }
+  /**
+   * Prepares the message to be signed for the x-eip712-signature header.
+   */
+  prepareTypedData(payload, timestamp) {
+    log2("Preparing payload for signTypedData");
+    const preparedPayload = Array.isArray(payload) ? payload.map(prepareTypedDataPayload) : prepareTypedDataPayload(payload);
+    const message = {
+      request: preparedPayload,
+      timestamp
+    };
+    log2("Prepared payload for signTypedData", JSON.stringify(message, null, 2));
+    return message;
+  }
+};
+
+// src/contract.ts
+import { Contract as Contract2, Interface } from "ethers";
+var SilentDataRollupContract = class extends Contract2 {
+  constructor(config) {
+    const { address, abi, runner, contractMethodsToSign } = config;
+    const contractInterface = new Interface(abi);
+    contractMethodsToSign.forEach((method) => {
+      if (!contractInterface.hasFunction(method)) {
+        throw new Error(
+          `Method to sign '${method}' not found in the contract ABI`
+        );
+      }
+    });
+    super(address, abi, runner);
+    const baseProvider = runner.baseProvider || runner.provider?.baseProvider;
+    if (typeof baseProvider?.setContract === "function") {
+      baseProvider.setContract(this, contractMethodsToSign);
+    }
+  }
+};
+
+// src/audit/challenge.ts
+import { ethers as ethers2 } from "ethers";
+
+// src/audit/quote/validateTdxQuote.ts
+import * as x5095 from "@peculiar/x509";
+
+// src/audit/quote/quoteStructs.ts
+var intelQuoteV4Version = 4;
+var QuoteVersion = 4;
+var AttestationKeyType = 2;
+var rtmrsCount = 4;
+var RtmrSize = 48;
+var qeSvnSize = 2;
+var pceSvnSize = 2;
+var TeeTcbSvnSize = 16;
+var QeVendorIDSize = 16;
+var userDataSize = 20;
+var MrSeamSize = 48;
+var mrSignerSeamSize = 48;
+var TeeTDX = 129;
+var seamAttributesSize = 8;
+var TdAttributesSize = 8;
+var XfamSize = 8;
+var MrTdSize = 48;
+var MrConfigIDSize = 48;
+var MrOwnerSize = 48;
+var MrOwnerConfigSize = 48;
+var cpuSvnSize = 16;
+var attributesSize = 16;
+var ReportDataSize = 64;
+var headerVersionStart = 0;
+var headerVersionEnd = 2;
+var headerAttestationKeyTypeStart = headerVersionEnd;
+var headerAttestationKeyTypeEnd = 4;
+var headerTeeTypeStart = headerAttestationKeyTypeEnd;
+var headerTeeTypeEnd = 8;
+var headerPceSvnStart = headerTeeTypeEnd;
+var headerPceSvnEnd = 10;
+var headerQeSvnStart = headerPceSvnEnd;
+var headerQeSvnEnd = 12;
+var headerQeVendorIDStart = headerQeSvnEnd;
+var headerQeVendorIDEnd = 28;
+var headerUserDataStart = headerQeVendorIDEnd;
+var tdTeeTcbSvnStart = 0;
+var tdTeeTcbSvnEnd = 16;
+var tdMrSeamStart = tdTeeTcbSvnEnd;
+var tdMrSeamEnd = 64;
+var tdMrSignerSeamStart = tdMrSeamEnd;
+var tdMrSignerSeamEnd = 112;
+var tdSeamAttributesStart = tdMrSignerSeamEnd;
+var tdSeamAttributesEnd = 120;
+var tdAttributesStart = tdSeamAttributesEnd;
+var tdAttributesEnd = 128;
+var tdXfamStart = tdAttributesEnd;
+var tdXfamEnd = 136;
+var tdMrTdStart = tdXfamEnd;
+var tdMrTdEnd = 184;
+var tdMrConfigIDStart = tdMrTdEnd;
+var tdMrConfigIDEnd = 232;
+var tdMrOwnerStart = tdMrConfigIDEnd;
+var tdMrOwnerEnd = 280;
+var tdMrOwnerConfigStart = tdMrOwnerEnd;
+var tdMrOwnerConfigEnd = 328;
+var tdRtmrsStart = tdMrOwnerConfigEnd;
+var tdRtmrsEnd = 520;
+var tdReportDataStart = tdRtmrsEnd;
+var headerSize = 48;
+var tdQuoteBodySize = 584;
+var qeReportSize = 384;
+var qeCPUSvnStart = 0;
+var qeCPUSvnEnd = 16;
+var qeMiscSelectStart = qeCPUSvnEnd;
+var qeMiscSelectEnd = 20;
+var qeReserved1Start = qeMiscSelectEnd;
+var qeReserved1End = 48;
+var qeAttributesStart = qeReserved1End;
+var qeAttributesEnd = 64;
+var qeMrEnclaveStart = qeAttributesEnd;
+var qeMrEnclaveEnd = 96;
+var qeReserved2Start = qeMrEnclaveEnd;
+var qeReserved2End = 128;
+var qeMrSignerStart = qeReserved2End;
+var qeMrSignerEnd = 160;
+var qeReserved3Start = qeMrSignerEnd;
+var qeReserved3End = 256;
+var qeIsvProdIDStart = qeReserved3End;
+var qeIsvProdIDEnd = 258;
+var qeIsvSvnStart = qeIsvProdIDEnd;
+var qeIsvSvnEnd = 260;
+var qeReserved4Start = qeIsvSvnEnd;
+var qeReserved4End = 320;
+var qeReportDataStart = qeReserved4End;
+var qeReportDataEnd = 384;
+var reserved1Size = 28;
+var mrEnclaveSize = 32;
+var reserved2Size = 32;
+var mrSignerSize = 32;
+var reserved3Size = 96;
+var reserved4Size = 60;
+var ErrQuoteV4AuthDataNil = new Error("QuoteV4 authData is nil");
+var ErrQuoteV4Nil = new Error("QuoteV4 is nil");
+var ErrHeaderNil = new Error("header is nil");
+var ErrAttestationKeyType = new Error(
+  "attestation key type not supported"
+);
+var ErrTeeType = new Error("TEE type is not TDX");
+var ErrTDQuoteBodyNil = new Error("TD quote body is nil");
+var ErrQeReportNil = new Error("QE Report is nil");
+function checkQuoteV4(q) {
+  if (!q) {
+    throw ErrQuoteV4Nil;
+  }
+  checkHeaderSizes(q.header);
+  checkTdQuoteBodySizes(q.tdQuoteBody);
+  if (q.signedData.signature.length !== 64)
+    throw new Error("signature wrong size");
+  if (q.signedData.ecdsaAttestationKey.length !== 64)
+    throw new Error("attestationKey wrong size");
+}
+function checkHeaderSizes(h) {
+  if (h.qeSvn.length !== qeSvnSize) throw new Error("qeSvn wrong size");
+  if (h.pceSvn.length !== pceSvnSize) throw new Error("pceSvn wrong size");
+  if (h.qeVendorId.length !== QeVendorIDSize)
+    throw new Error("qeVendorId wrong size");
+  if (h.userData.length !== userDataSize) throw new Error("userData wrong size");
+}
+function checkTdQuoteBodySizes(b) {
+  if (b.mrSeam.length !== MrSeamSize) throw new Error("mrSeam wrong size");
+  if (b.tdAttributes.length !== TdAttributesSize)
+    throw new Error("tdAttributes wrong size");
+  if (b.xfam.length !== XfamSize) throw new Error("xfam wrong size");
+  if (b.mrTd.length !== MrTdSize) throw new Error("mrTd wrong size");
+  if (b.mrConfigId.length !== MrConfigIDSize)
+    throw new Error("mrConfigId wrong size");
+  if (b.mrOwner.length !== MrOwnerSize) throw new Error("mrOwner wrong size");
+  if (b.mrOwnerConfig.length !== MrOwnerConfigSize)
+    throw new Error("mrOwnerConfig wrong size");
+  if (b.reportData.length !== ReportDataSize)
+    throw new Error("reportData wrong size");
+  if (b.rtmrs.length !== rtmrsCount) throw new Error("rtmrs count != 4");
+  for (const r of b.rtmrs)
+    if (r.length !== RtmrSize) throw new Error("rtmr wrong size");
+}
+function HeaderToAbiBytes(header) {
+  if (!header) {
+    throw ErrHeaderNil;
+  }
+  checkHeader(header);
+  const data = new Uint8Array(headerSize);
+  const view = new DataView(data.buffer);
+  view.setUint16(headerVersionStart, header.version, true);
+  view.setUint16(headerAttestationKeyTypeStart, header.attestationKeyType, true);
+  view.setUint32(headerTeeTypeStart, header.teeType, true);
+  data.set(header.pceSvn, headerPceSvnStart);
+  data.set(header.qeSvn, headerQeSvnStart);
+  data.set(header.qeVendorId, headerQeVendorIDStart);
+  data.set(header.userData, headerUserDataStart);
+  return data;
+}
+function checkHeader(header) {
+  if (!header) {
+    throw ErrHeaderNil;
+  }
+  if (header.version >= 1 << 16) {
+    throw new Error(
+      `version field size must fit in 2 bytes, got ${header.version}`
+    );
+  }
+  if (header.version !== QuoteVersion) {
+    throw new Error(`version ${header.version} not supported`);
+  }
+  if (header.attestationKeyType >= 1 << 16) {
+    throw new Error(
+      `attestation key type field size must fit in 2 bytes, got ${header.attestationKeyType}`
+    );
+  }
+  if (header.attestationKeyType !== AttestationKeyType) {
+    throw ErrAttestationKeyType;
+  }
+  if (header.teeType !== TeeTDX) {
+    throw ErrTeeType;
+  }
+  if (header.qeSvn.length !== qeSvnSize) {
+    throw new Error(
+      `qeSvn size is ${header.qeSvn.length} bytes. Expected ${qeSvnSize} bytes`
+    );
+  }
+  if (header.pceSvn.length !== pceSvnSize) {
+    throw new Error(
+      `pceSvn size is ${header.pceSvn.length} bytes. Expected ${pceSvnSize} bytes`
+    );
+  }
+  if (header.qeVendorId.length !== QeVendorIDSize) {
+    throw new Error(
+      `qeVendorId size is ${header.qeVendorId.length} bytes. Expected ${QeVendorIDSize} bytes`
+    );
+  }
+  if (header.userData.length !== userDataSize) {
+    throw new Error(
+      `user data size is ${header.userData.length} bytes. Expected ${userDataSize} bytes`
+    );
+  }
+}
+function TdQuoteBodyToAbiBytes(tdQuoteBody) {
+  if (!tdQuoteBody) {
+    throw ErrTDQuoteBodyNil;
+  }
+  checkTDQuoteBody(tdQuoteBody);
+  const data = new Uint8Array(tdQuoteBodySize);
+  data.set(tdQuoteBody.teeTcbSvn, tdTeeTcbSvnStart);
+  data.set(tdQuoteBody.mrSeam, tdMrSeamStart);
+  data.set(tdQuoteBody.mrSignerSeam, tdMrSignerSeamStart);
+  data.set(tdQuoteBody.seamAttributes, tdSeamAttributesStart);
+  data.set(tdQuoteBody.tdAttributes, tdAttributesStart);
+  data.set(tdQuoteBody.xfam, tdXfamStart);
+  data.set(tdQuoteBody.mrTd, tdMrTdStart);
+  data.set(tdQuoteBody.mrConfigId, tdMrConfigIDStart);
+  data.set(tdQuoteBody.mrOwner, tdMrOwnerStart);
+  data.set(tdQuoteBody.mrOwnerConfig, tdMrOwnerConfigStart);
+  let offset = tdRtmrsStart;
+  for (let i = 0; i < rtmrsCount; i++) {
+    const rtmr = tdQuoteBody.rtmrs[i];
+    if (!rtmr || rtmr.length !== RtmrSize) {
+      throw new Error(`RTMR[${i}] is missing or invalid`);
+    }
+    data.set(rtmr, offset);
+    offset += RtmrSize;
+  }
+  data.set(tdQuoteBody.reportData, tdReportDataStart);
+  return data;
+}
+function enclaveReportToAbiBytes(report) {
+  if (!report) {
+    throw ErrQeReportNil;
+  }
+  checkQeReport(report);
+  const data = new Uint8Array(qeReportSize);
+  data.set(report.cpuSvn, qeCPUSvnStart);
+  new DataView(data.buffer).setUint32(
+    qeMiscSelectStart,
+    report.miscSelect,
+    true
+  );
+  data.set(report.reserved1, qeReserved1Start);
+  data.set(report.attributes, qeAttributesStart);
+  data.set(report.mrEnclave, qeMrEnclaveStart);
+  data.set(report.reserved2, qeReserved2Start);
+  data.set(report.mrSigner, qeMrSignerStart);
+  data.set(report.reserved3, qeReserved3Start);
+  new DataView(data.buffer).setUint16(qeIsvProdIDStart, report.isvProdId, true);
+  new DataView(data.buffer).setUint16(qeIsvSvnStart, report.isvSvn, true);
+  data.set(report.reserved4, qeReserved4Start);
+  data.set(report.reportData, qeReportDataStart);
+  return data;
+}
+function checkQeReport(report) {
+  if (!report) {
+    throw ErrQeReportNil;
+  }
+  if (report.cpuSvn.length !== cpuSvnSize) {
+    throw new Error(
+      `cpuSvn size is ${report.cpuSvn.length} bytes. Expected ${cpuSvnSize} bytes`
+    );
+  }
+  if (report.reserved1.length !== reserved1Size) {
+    throw new Error(
+      `reserved1 size is ${report.reserved1.length} bytes. Expected ${reserved1Size} bytes`
+    );
+  }
+  if (report.attributes.length !== attributesSize) {
+    throw new Error(
+      `attributes size is ${report.attributes.length} bytes. Expected ${attributesSize} bytes`
+    );
+  }
+  if (report.mrEnclave.length !== mrEnclaveSize) {
+    throw new Error(
+      `mrEnclave size is ${report.mrEnclave.length} bytes. Expected ${mrEnclaveSize} bytes`
+    );
+  }
+  if (report.reserved2.length !== reserved2Size) {
+    throw new Error(
+      `reserved2 size is ${report.reserved2.length} bytes. Expected ${reserved2Size} bytes`
+    );
+  }
+  if (report.mrSigner.length !== mrSignerSize) {
+    throw new Error(
+      `mrSigner size is ${report.mrSigner.length} bytes. Expected ${mrSignerSize} bytes`
+    );
+  }
+  if (report.reserved3.length !== reserved3Size) {
+    throw new Error(
+      `reserved3 size is ${report.reserved3.length} bytes. Expected ${reserved3Size} bytes`
+    );
+  }
+  if (report.isvProdId >= 1 << 16) {
+    throw new Error(`isvProdId must fit in 2 bytes, got ${report.isvProdId}`);
+  }
+  if (report.isvSvn >= 1 << 16) {
+    throw new Error(`isvSvn must fit in 2 bytes, got ${report.isvSvn}`);
+  }
+  if (report.reserved4.length !== reserved4Size) {
+    throw new Error(
+      `reserved4 size is ${report.reserved4.length} bytes. Expected ${reserved4Size} bytes`
+    );
+  }
+  if (report.reportData.length !== ReportDataSize) {
+    throw new Error(
+      `reportData size is ${report.reportData.length} bytes. Expected ${ReportDataSize} bytes`
+    );
+  }
+}
+function checkTDQuoteBody(tdQuoteBody) {
+  if (!tdQuoteBody) {
+    throw ErrTDQuoteBodyNil;
+  }
+  if (tdQuoteBody.teeTcbSvn.length !== TeeTcbSvnSize) {
+    throw new Error(
+      `teeTcbSvn size is ${tdQuoteBody.teeTcbSvn.length} bytes. Expected ${TeeTcbSvnSize} bytes`
+    );
+  }
+  if (tdQuoteBody.mrSeam.length !== MrSeamSize) {
+    throw new Error(
+      `mrSeam size is ${tdQuoteBody.mrSeam.length} bytes. Expected ${MrSeamSize} bytes`
+    );
+  }
+  if (tdQuoteBody.mrSignerSeam.length !== mrSignerSeamSize) {
+    throw new Error(
+      `mrSignerSeam size is ${tdQuoteBody.mrSignerSeam.length} bytes. Expected ${mrSignerSeamSize} bytes`
+    );
+  }
+  if (tdQuoteBody.seamAttributes.length !== seamAttributesSize) {
+    throw new Error(
+      `seamAttributes size is ${tdQuoteBody.seamAttributes.length} bytes. Expected ${seamAttributesSize} bytes`
+    );
+  }
+  if (tdQuoteBody.tdAttributes.length !== TdAttributesSize) {
+    throw new Error(
+      `tdAttributes size is ${tdQuoteBody.tdAttributes.length} bytes. Expected ${TdAttributesSize} bytes`
+    );
+  }
+  if (tdQuoteBody.xfam.length !== XfamSize) {
+    throw new Error(
+      `xfam size is ${tdQuoteBody.xfam.length} bytes. Expected ${XfamSize} bytes`
+    );
+  }
+  if (tdQuoteBody.mrTd.length !== MrTdSize) {
+    throw new Error(
+      `mrTd size is ${tdQuoteBody.mrTd.length} bytes. Expected ${MrTdSize} bytes`
+    );
+  }
+  if (tdQuoteBody.mrConfigId.length !== MrConfigIDSize) {
+    throw new Error(
+      `mrConfigId size is ${tdQuoteBody.mrConfigId.length} bytes. Expected ${MrConfigIDSize} bytes`
+    );
+  }
+  if (tdQuoteBody.mrOwner.length !== MrOwnerSize) {
+    throw new Error(
+      `mrOwner size is ${tdQuoteBody.mrOwner.length} bytes. Expected ${MrOwnerSize} bytes`
+    );
+  }
+  if (tdQuoteBody.mrOwnerConfig.length !== MrOwnerConfigSize) {
+    throw new Error(
+      `mrOwnerConfig size is ${tdQuoteBody.mrOwnerConfig.length} bytes. Expected ${MrOwnerConfigSize} bytes`
+    );
+  }
+  if (tdQuoteBody.rtmrs.length !== rtmrsCount) {
+    throw new Error(
+      `rtmrs count is ${tdQuoteBody.rtmrs.length}. Expected ${rtmrsCount}`
+    );
+  }
+  for (let i = 0; i < rtmrsCount; i++) {
+    if (tdQuoteBody.rtmrs[i].length !== RtmrSize) {
+      throw new Error(
+        `rtmr${i} size is ${tdQuoteBody.rtmrs[i].length} bytes. Expected ${RtmrSize} bytes`
+      );
+    }
+  }
+}
+function enclaveReportToProto(b) {
+  const data = b.slice();
+  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
+  const enclaveReport = {
+    cpuSvn: data.slice(qeCPUSvnStart, qeCPUSvnEnd),
+    miscSelect: view.getUint32(qeMiscSelectStart, true),
+    reserved1: data.slice(qeReserved1Start, qeReserved1End),
+    attributes: data.slice(qeAttributesStart, qeAttributesEnd),
+    mrEnclave: data.slice(qeMrEnclaveStart, qeMrEnclaveEnd),
+    reserved2: data.slice(qeReserved2Start, qeReserved2End),
+    mrSigner: data.slice(qeMrSignerStart, qeMrSignerEnd),
+    reserved3: data.slice(qeReserved3Start, qeReserved3End),
+    isvProdId: view.getUint16(qeIsvProdIDStart, true),
+    isvSvn: view.getUint16(qeIsvSvnStart, true),
+    reserved4: data.slice(qeReserved4Start, qeReserved4End),
+    reportData: data.slice(qeReportDataStart, qeReportDataEnd)
+  };
+  checkQeReport(enclaveReport);
+  return enclaveReport;
+}
+
+// src/audit/quote/base64-utils.ts
+import * as asn1js from "asn1js";
+import * as x509 from "@peculiar/x509";
+function encodeBase64(data) {
+  let binary = "";
+  for (let i = 0; i < data.byteLength; i++) {
+    binary += String.fromCharCode(data[i]);
+  }
+  return globalThis.btoa(binary);
+}
+function leU16(buf, off = 0) {
+  return buf[off] | buf[off + 1] << 8;
+}
+function leU32(buf, off = 0) {
+  return (buf[off] | buf[off + 1] << 8 | buf[off + 2] << 16 | buf[off + 3] << 24) >>> 0;
+}
+function toBigIntLE(u) {
+  let r = 0n;
+  for (let i = u.length - 1; i >= 0; --i) r = r << 8n | BigInt(u[i]);
+  return r;
+}
+function decodeU16(node, name) {
+  if (!(node instanceof asn1js.Integer))
+    throw new Error(`${name} must be INTEGER`);
+  const v = node.valueBlock.valueDec;
+  if (v < 0 || v > 65535) throw new Error(`${name} out of range`);
+  return v;
+}
+function decodeU8(node, name) {
+  if (!(node instanceof asn1js.Integer))
+    throw new Error(`${name} must be INTEGER`);
+  const v = node.valueBlock.valueDec;
+  if (v < 0 || v > 255) throw new Error(`${name} out of range`);
+  return v;
+}
+async function verifyEcdsaSignature(pubKey, msg, sig) {
+  const jwk = {
+    kty: "EC",
+    crv: "P-256",
+    x: b64url(pubKey.slice(0, 32)),
+    y: b64url(pubKey.slice(32)),
+    ext: true
+  };
+  const key = await x509.cryptoProvider.get().subtle.importKey(
+    "jwk",
+    jwk,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+  return x509.cryptoProvider.get().subtle.verify({ name: "ECDSA", hash: "SHA-256" }, key, sig, msg);
+}
+function b64url(data) {
+  return encodeBase64(data).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+// src/audit/quote/validate.ts
+var xfamFixed1 = 0x00000003n;
+var xfamFixed0 = 0x0006dbe7n;
+var tdAttributesFixed1 = 0x0n;
+var tdxAttributesSeptVeDisSupport = 1n << 28n;
+var tdxAttributesPksSupport = 1n << 30n;
+var tdxAttributesPerfmonSupport = 1n << 63n;
+var tdAttributesFixed0 = 0x1n | tdxAttributesSeptVeDisSupport | tdxAttributesPksSupport | tdxAttributesPerfmonSupport;
+var must = {
+  equalBytes(a, b, field) {
+    if (a.length !== b.length) throw new Error(`${field} length mismatch`);
+    for (let i = 0; i < a.length; ++i)
+      if (a[i] !== b[i]) {
+        throw new Error(`${field} mismatch - byte ${i}`);
+      }
+  }
+};
+function validateTdxQuoteV4(q, opts) {
+  checkQuoteV4(q);
+  exactByteMatch(q, opts);
+  minVersionCheck(q, opts);
+  validateXfam(q.tdQuoteBody.xfam, xfamFixed1, xfamFixed0);
+  validateTdAttributes(
+    q.tdQuoteBody.tdAttributes,
+    tdAttributesFixed1,
+    tdAttributesFixed0
+  );
+}
+function exactByteMatch(q, opts) {
+  const b = q.tdQuoteBody;
+  const h = q.header;
+  const bo = opts.tdQuoteBodyOptions;
+  const ho = opts.headerOptions;
+  const cmp = (name, given, expected, size) => {
+    if (!expected) return;
+    if (size && expected.length !== size)
+      throw new Error(`${name} option must be ${size} bytes`);
+    must.equalBytes(given, expected, name);
+  };
+  cmp("MR_SEAM", b.mrSeam, bo.mrSeam, MrSeamSize);
+  cmp("TD_ATTRIBUTES", b.tdAttributes, bo.tdAttributes, TdAttributesSize);
+  cmp("XFAM", b.xfam, bo.xfam, XfamSize);
+  cmp("MR_TD", b.mrTd, bo.mrTd, MrTdSize);
+  cmp("MR_CONFIG_ID", b.mrConfigId, bo.mrConfigID, MrConfigIDSize);
+  cmp("MR_OWNER", b.mrOwner, bo.mrOwner, MrOwnerSize);
+  cmp(
+    "MR_OWNER_CONFIG",
+    b.mrOwnerConfig,
+    bo.mrOwnerConfig,
+    MrOwnerConfigSize
+  );
+  if (bo.rtmrs) {
+    if (bo.rtmrs.length !== rtmrsCount)
+      throw new Error("RTMR option len != 4");
+    bo.rtmrs.forEach(
+      (exp, i) => cmp(`RTMR[${i}]`, b.rtmrs[i], exp, RtmrSize)
+    );
+  }
+  cmp("REPORT_DATA", b.reportData, bo.reportData, ReportDataSize);
+  cmp("QE_VENDOR_ID", h.qeVendorId, ho.qeVendorID, QeVendorIDSize);
+}
+function isSvnHigherOrEqual(quoteSvn, optionSvn) {
+  if (!optionSvn) {
+    return true;
+  }
+  for (let i = 0; i < quoteSvn.length; i++) {
+    if (quoteSvn[i] < optionSvn[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+function minVersionCheck(quote, opts) {
+  if (!isSvnHigherOrEqual(
+    quote.tdQuoteBody.teeTcbSvn,
+    opts.tdQuoteBodyOptions?.minimumTeeTcbSvn
+  )) {
+    throw new Error(
+      `TEE TCB security-version number ${toBigIntLE(
+        quote.tdQuoteBody.teeTcbSvn
+      )} is less than the required minimum ${toBigIntLE(
+        opts.tdQuoteBodyOptions.minimumTeeTcbSvn
+      )}`
+    );
+  }
+  const qeSvn = leU16(quote.header.qeSvn);
+  const pceSvn = leU16(quote.header.pceSvn);
+  if (qeSvn < opts.headerOptions.minimumQeSvn) {
+    throw new Error(
+      `QE security-version number ${qeSvn} is less than the required minimum ${opts.headerOptions.minimumQeSvn}`
+    );
+  }
+  if (pceSvn < opts.headerOptions.minimumPceSvn) {
+    throw new Error(
+      `PCE security-version number ${pceSvn} is less than the required minimum ${opts.headerOptions.minimumPceSvn}`
+    );
+  }
+  return;
+}
+function validateXfam(value, fixed1, fixed0) {
+  if (value.length === 0) return;
+  if (value.length !== XfamSize) {
+    throw new Error("xfam size is invalid");
+  }
+  const xfam = new DataView(
+    value.buffer,
+    value.byteOffset,
+    value.byteLength
+  ).getBigUint64(0, true);
+  if ((xfam & fixed1) !== fixed1) {
+    throw new Error(
+      `unauthorized xfam 0x${xfam.toString(16)} as xfamFixed1 0x${fixed1.toString(16)} bits are unset`
+    );
+  }
+  if ((xfam & ~fixed0) !== BigInt(0)) {
+    throw new Error(
+      `unauthorized xfam 0x${xfam.toString(16)} as xfamFixed0 0x${fixed0.toString(16)} bits are set`
+    );
+  }
+}
+function validateTdAttributes(value, fixed1, fixed0) {
+  if (value.length === 0) return;
+  if (value.length !== TdAttributesSize) {
+    throw new Error("tdAttributes size is invalid");
+  }
+  const tdAttributes = new DataView(
+    value.buffer,
+    value.byteOffset,
+    value.byteLength
+  ).getBigUint64(0, true);
+  if ((tdAttributes & fixed1) !== fixed1) {
+    throw new Error(
+      `unauthorized tdAttributes 0x${tdAttributes.toString(16)} as tdAttributesFixed1 0x${fixed1.toString(16)} bits are unset`
+    );
+  }
+  if ((tdAttributes & ~fixed0) !== 0n) {
+    throw new Error(
+      `unauthorized tdAttributes 0x${tdAttributes.toString(16)} as tdAttributesFixed0 0x${fixed0.toString(16)} bits are set`
+    );
+  }
+}
+
+// src/audit/quote/verify.ts
+import * as x5094 from "@peculiar/x509";
+
+// src/audit/quote/pck.ts
+import * as asn1js3 from "asn1js";
+
+// src/audit/quote/tcb.ts
+import * as asn1js2 from "asn1js";
+import * as x5092 from "@peculiar/x509";
+var tcbComponentSize = 16;
+var tcbSigningPhrase = "Intel SGX TCB Signing";
+var tcbInfoID = "TDX";
+var qeIdentityID = "TD_QE";
+var qeIdentityVersion = 2;
+var tcbInfoTdxModuleIDPrefix = "TDX_";
+var rootCertPhrase = "Intel SGX Root CA";
+var ErrRootCertNil = new Error("root certificate is empty");
+var ErrCollateralNil = new Error(
+  "collateral received is an empty structure"
+);
+var ErrTcbInfoTcbLevelsMissing = new Error(
+  "tcbInfo contains empty TcbLevels"
+);
+var ErrQeIdentityTcbLevelsMissing = new Error(
+  "QeIdentity contains empty TcbLevels"
+);
+var ErrCrlEmpty = new Error("CRL is empty");
+var ErrTrustedCertEmpty = new Error("trusted certificate is empty");
+var ErrTcbStatus = new Error(
+  "unable to find latest status of TCB, it is now OutOfDate"
+);
+var tcbInfoVersion = 3;
+var TcbComponentStatusUpToDate = "UpToDate";
+var tcbExtensionSize = 18;
+function sgxTcbComponentOid(component) {
+  return [...sgxTcbComponentOidPrefix, component].join(".");
+}
+function extractTcbExtension(components, atcb) {
+  const tcbComponents = new Uint8Array(tcbComponentSize);
+  for (const ext of components) {
+    if (!(ext instanceof asn1js2.Sequence))
+      throw new Error("TCB component is not a SEQUENCE");
+    if (ext.valueBlock.value.length !== 2)
+      throw new Error("AttributeTypeAndValue must have 2 elements");
+    const [oidBlock, rawVal] = ext.valueBlock.value;
+    if (!(oidBlock instanceof asn1js2.ObjectIdentifier))
+      throw new Error("Missing OID in TCB component");
+    const value = unwrapSingleSet(rawVal);
+    const oid = oidBlock.valueBlock.toString();
+    for (let i = 0; i < tcbComponentSize; i++) {
+      if (oid === sgxTcbComponentOid(i + 1)) {
+        tcbComponents[i] = decodeU8(value, `sgxTcbComponent${i + 1}`);
+        break;
+      }
+    }
+    if (oid === OidPCESvn) {
+      atcb.pceSvn = decodeU16(value, "PCESvn");
+    }
+    if (oid === OidCPUSvn) {
+      if (!(value instanceof asn1js2.OctetString))
+        throw new Error("CPUSvn must be an OCTET STRING");
+      const buf = new Uint8Array(value.valueBlock.valueHex);
+      if (buf.length !== cpuSvnSize)
+        throw new Error(
+          `CPUSvn length is ${buf.length}, expected ${cpuSvnSize}`
+        );
+      atcb.cpuSvn = buf;
+    }
+  }
+  atcb.cpuSvnComponents = tcbComponents;
+}
+async function verifyTCBinfo(options) {
+  const collateral = options.collateral;
+  if (!collateral) throw ErrCollateralNil;
+  const tcbInfo = collateral.tdxTcbInfo.tcbInfo;
+  const signature = collateral.tdxTcbInfo.signature;
+  if (tcbInfo.id !== tcbInfoID) {
+    throw new Error(
+      `tcbInfo ID "${tcbInfo.id}" does not match with expected ID "${tcbInfoID}"`
+    );
+  }
+  if (tcbInfo.version !== tcbInfoVersion) {
+    throw new Error(
+      `tcbInfo version ${tcbInfo.version} does not match with expected version ${tcbInfoVersion}`
+    );
+  }
+  if (!Array.isArray(tcbInfo.tcbLevels) || tcbInfo.tcbLevels.length === 0) {
+    throw ErrTcbInfoTcbLevelsMissing;
+  }
+  await verifyResponse(
+    tcbSigningPhrase,
+    collateral.tcbInfoIssuerRootCertificate,
+    collateral.tcbInfoIssuerIntermediateCertificate,
+    collateral.tcbInfoBody,
+    signature,
+    collateral.rootCaCrl,
+    options
+  );
+}
+async function verifyQeIdentity(options) {
+  const collateral = options.collateral;
+  if (!collateral) throw ErrCollateralNil;
+  const qeIdentity = collateral.qeIdentity.enclaveIdentity;
+  const signature = collateral.qeIdentity.signature;
+  if (qeIdentity.id !== qeIdentityID) {
+    throw new Error(
+      `QeIdentity ID "${qeIdentity.id}" does not match with expected ID "${qeIdentityID}"`
+    );
+  }
+  if (qeIdentity.version !== qeIdentityVersion) {
+    throw new Error(
+      `QeIdentity version ${qeIdentity.version} does not match with expected version ${qeIdentityVersion}`
+    );
+  }
+  if (!Array.isArray(qeIdentity.tcbLevels) || qeIdentity.tcbLevels.length === 0) {
+    throw ErrQeIdentityTcbLevelsMissing;
+  }
+  await verifyResponse(
+    tcbSigningPhrase,
+    collateral.qeIdentityIssuerRootCertificate,
+    collateral.qeIdentityIssuerIntermediateCertificate,
+    collateral.enclaveIdentityBody,
+    signature,
+    collateral.rootCaCrl,
+    options
+  );
+}
+async function verifyResponse(signingPhrase, rootCertificate, signingCertificate, rawBody, rawSignature, crl, options) {
+  await validateCertificate(rootCertificate, rootCertificate, "rootCertPhrase");
+  await validateCertificate(signingCertificate, rootCertificate, signingPhrase);
+  const signature = Uint8Array.from(Buffer.from(rawSignature, "hex"));
+  const publicKey = await x5092.cryptoProvider.get().subtle.importKey(
+    "spki",
+    signingCertificate.publicKey.rawData,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+  const isValid = await x5092.cryptoProvider.get().subtle.verify(
+    { name: "ECDSA", hash: "SHA-256" },
+    publicKey,
+    signature,
+    rawBody
+  );
+  if (!isValid) {
+    throw new Error(
+      "Could not verify response body signature using the signing certificate"
+    );
+  }
+  if (options.checkRevocations) {
+    if (options.getCollateral) {
+      if (!crl) {
+        throw new Error("Missing CRL for revocation check");
+      }
+      await validateCRL(crl, rootCertificate);
+      for (const entry of crl.entries) {
+        if (entry.serialNumber === signingCertificate.serialNumber) {
+          throw new Error(
+            `Signing certificate was revoked at ${entry.revocationDate}`
+          );
+        }
+      }
+    } else {
+      throw new Error("Revocation check is enabled, but GetCollateral is false");
+    }
+  }
+}
+async function validateCertificate(cert, parent, expectedPhrase) {
+  if (!cert) throw new Error("certificate is nil");
+  if (!parent) throw new Error("parent certificate is nil");
+  const cnList = cert.subjectName.getField("CN");
+  const subjectCN = cnList.length > 0 ? cnList[0] : null;
+  if (subjectCN !== expectedPhrase) {
+    throw new Error(
+      `"${subjectCN}" is not expected in certificate's subject name. Expected "${expectedPhrase}"`
+    );
+  }
+  const issuerName = cert.issuerName.toString();
+  const parentSubject = parent.subjectName.toString();
+  if (issuerName !== parentSubject) {
+    throw new Error(
+      `Certificate issuer name ("${issuerName}") does not match parent certificate subject name ("${parentSubject}")`
+    );
+  }
+  const verified = await cert.verify({ publicKey: parent });
+  if (!verified) {
+    throw new Error(
+      "Certificate signature verification using parent certificate failed"
+    );
+  }
+}
+async function validateCRL(crl, trustedCertificate) {
+  if (!crl) {
+    throw ErrCrlEmpty;
+  }
+  if (!trustedCertificate) {
+    throw ErrTrustedCertEmpty;
+  }
+  if (crl.issuer.toString() !== trustedCertificate.subject.toString()) {
+    throw new Error(
+      `CRL issuer's name "${crl.issuer.toString()}" does not match expected name "${trustedCertificate.subject.toString()}"`
+    );
+  }
+  try {
+    await crl.verify(trustedCertificate);
+  } catch (err) {
+    throw new Error(
+      `CRL signature verification failed using trusted certificate: ${err}`
+    );
+  }
+}
+async function verifyTdQuoteBody(tdQuoteBody, options) {
+  const { tcbInfo, pckCertExtensions } = options;
+  if (pckCertExtensions.fmspc !== tcbInfo.fmspc) {
+    throw new Error(
+      `FMSPC mismatch: PCK Certificate(${pckCertExtensions.fmspc}) vs Intel PCS(${tcbInfo.fmspc})`
+    );
+  }
+  if (pckCertExtensions.pceid !== tcbInfo.pceID) {
+    throw new Error(
+      `PCEID mismatch: PCK Certificate(${pckCertExtensions.pceid}) vs Intel PCS(${tcbInfo.pceID})`
+    );
+  }
+  const reportedMrSigner = tdQuoteBody.mrSignerSeam;
+  const expectedMrSigner = tcbInfo.tdxModule.mrsigner.bytes;
+  if (!equalBytes(reportedMrSigner, expectedMrSigner)) {
+    throw new Error(
+      `MRSIGNERSEAM mismatch: quote(${toHex(reportedMrSigner)}) vs PCS(${toHex(expectedMrSigner)})`
+    );
+  }
+  const mask = tcbInfo.tdxModule.attributesMask.bytes;
+  const seamAttrs = tdQuoteBody.seamAttributes;
+  if (mask.length !== seamAttrs.length) {
+    throw new Error(
+      `SeamAttributes length mismatch: quote(${seamAttrs.length}) vs PCS mask(${mask.length})`
+    );
+  }
+  const maskedAttrs = applyMask(mask, seamAttrs);
+  const expectedAttrs = tcbInfo.tdxModule.attributes.bytes;
+  if (!equalBytes(maskedAttrs, expectedAttrs)) {
+    throw new Error(
+      `AttributesMask mismatch: quote(${toHex(maskedAttrs)}) vs PCS(${toHex(expectedAttrs)})`
+    );
+  }
+  checkTcbInfoTcbStatus(tcbInfo, tdQuoteBody, pckCertExtensions);
+}
+async function checkTcbInfoTcbStatus(tcbInfo, tdQuoteBody, pckCertExtensions) {
+  const tcbLevels = tcbInfo.tcbLevels;
+  const matchingTcbLevel = getMatchingTcbLevel(
+    tcbLevels,
+    tdQuoteBody,
+    pckCertExtensions.tcb.pceSvn,
+    pckCertExtensions.tcb.cpuSvnComponents
+  );
+  if (!matchingTcbLevel) {
+    throw new Error("Failed to find matching TCB Level");
+  }
+  if (tdQuoteBody.teeTcbSvn[1] > 0) {
+    const matchingTdxModuleTcbLevel = await getMatchingTdxModuleTcbLevel(
+      tcbInfo.tdxModuleIdentities,
+      tdQuoteBody.teeTcbSvn
+    );
+    if (!matchingTdxModuleTcbLevel) {
+      throw new Error("Failed to find matching TDX Module TCB Level");
+    }
+    if (matchingTdxModuleTcbLevel.tcbStatus !== TcbComponentStatusUpToDate) {
+      throw new Error(
+        `TDX Module TCB Status is not "${TcbComponentStatusUpToDate}", found "${matchingTdxModuleTcbLevel.tcbStatus}"`
+      );
+    }
+    return;
+  }
+  if (matchingTcbLevel.tcbStatus !== TcbComponentStatusUpToDate) {
+    throw new Error(
+      `TCB Status is not "${TcbComponentStatusUpToDate}", found "${matchingTcbLevel.tcbStatus}"`
+    );
+  }
+}
+async function getMatchingTdxModuleTcbLevel(tcbInfoTdxModuleIdentities, teeTcbSvn) {
+  const tdxModuleVersion = teeTcbSvn.slice(1, 2);
+  const tdxModuleIdentityID = tcbInfoTdxModuleIDPrefix + toHex(tdxModuleVersion);
+  const tdxModuleIsvSvn = teeTcbSvn[0];
+  for (const tdxModuleIdentity of tcbInfoTdxModuleIdentities) {
+    if (tdxModuleIdentityID === tdxModuleIdentity.id) {
+      for (const tcbLevel of tdxModuleIdentity.tcbLevels) {
+        if (tdxModuleIsvSvn >= tcbLevel.tcb.isvsvn) {
+          return tcbLevel;
+        }
+      }
+      throw new Error(
+        `could not find a TDX Module Identity TCB Level matching the TDX Module's ISVSVN (${tdxModuleIsvSvn})`
+      );
+    }
+  }
+  throw new Error(
+    `could not find a TDX Module Identity (${tdxModuleIdentityID}) matching the given TEE TDX version (${toHex(tdxModuleVersion)})`
+  );
+}
+function checkQeTcbStatus(tcbLevels, isvSvn) {
+  for (const level of tcbLevels) {
+    if (level.tcb.isvsvn <= isvSvn) {
+      if (level.tcbStatus !== "UpToDate") {
+        throw new Error(
+          `TCB Status is not "UpToDate", found "${level.tcbStatus}"`
+        );
+      }
+      return;
+    }
+  }
+  throw ErrTcbStatus;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function applyMask(a, b) {
+  if (a.length !== b.length) {
+    throw new Error(
+      `applyMask: input lengths differ (a: ${a.length}, b: ${b.length})`
+    );
+  }
+  const result = new Uint8Array(a.length);
+  for (let i = 0; i < a.length; i++) {
+    result[i] = a[i] & b[i];
+  }
+  return result;
+}
+function getMatchingTcbLevel(tcbLevels, tdReport, pckCertPceSvn, pckCertCPUSvnComponents) {
+  for (const tcbLevel of tcbLevels) {
+    if (isCPUSvnHigherOrEqual(
+      pckCertCPUSvnComponents,
+      tcbLevel.tcb.sgxTcbcomponents
+    ) && pckCertPceSvn >= tcbLevel.tcb.pcesvn && isTdxTcbSvnHigherOrEqual(
+      tdReport.teeTcbSvn,
+      tcbLevel.tcb.tdxTcbcomponents
+    )) {
+      return tcbLevel;
+    }
+  }
+  throw new Error("no matching TCB level found");
+}
+function isCPUSvnHigherOrEqual(pckCertCPUSvnComponents, sgxTcbcomponents) {
+  if (pckCertCPUSvnComponents.length !== sgxTcbcomponents.length) {
+    return false;
+  }
+  for (let i = 0; i < pckCertCPUSvnComponents.length; i++) {
+    if (pckCertCPUSvnComponents[i] < sgxTcbcomponents[i].svn) {
+      return false;
+    }
+  }
+  return true;
+}
+function isTdxTcbSvnHigherOrEqual(teeTcbSvn, tdxTcbcomponents) {
+  if (teeTcbSvn.length !== tdxTcbcomponents.length) {
+    return false;
+  }
+  let start = 0;
+  if (teeTcbSvn[1] > 0) {
+    start = 2;
+  }
+  for (let i = start; i < teeTcbSvn.length; i++) {
+    if (teeTcbSvn[i] < tdxTcbcomponents[i].svn) {
+      return false;
+    }
+  }
+  return true;
+}
+
+// src/audit/quote/pck.ts
+var pckCertChainCertificationDataTypeStart = 0;
+var pckCertChainCertificationDataTypeEnd = 2;
+var pckCertChainSizeStart = pckCertChainCertificationDataTypeEnd;
+var pckCertChainSizeEnd = 6;
+var pckCertChainDataStart = pckCertChainSizeEnd;
+var pckReportCertificationDataType = 5;
+var pckCertExtensionSize = 6;
+var sgxExtensionMinSize = 4;
+var ppidSize = 16;
+var pceIDSize = 2;
+var fmspcSize = 6;
+var processorIssuerID = "processor";
+var platformIssuerID = "platform";
+var processorIssuer = "Intel SGX PCK Processor CA";
+var pckCertPhrase = "Intel SGX PCK Certificate";
+var platformIssuer = "Intel SGX PCK Platform CA";
+var intermediateCertPhrase = "Intel SGX PCK Platform CA";
+var OidPPID = "1.2.840.113741.1.13.1.1";
+var OidPCEID = "1.2.840.113741.1.13.1.3";
+var OidTCB = "1.2.840.113741.1.13.1.2";
+var OidFMSPC = "1.2.840.113741.1.13.1.4";
+var OidCPUSvn = "1.2.840.113741.1.13.1.2.18";
+var OidPCESvn = "1.2.840.113741.1.13.1.2.17";
+var OidSgxExtension = "1.2.840.113741.1.13.1";
+var sgxTcbComponentOidPrefix = "1.2.840.113741.1.13.1.2";
+var ErrPckCertChainNil = new Error("PCK certificate chain is nil");
+var ErrPCKCertChainInvalid = new Error(
+  "incomplete PCK Certificate chain found, should contain 3 concatenated PEM-formatted 'CERTIFICATE'-type block (PCK Leaf Cert||Intermediate CA Cert||Root CA Cert)"
+);
+var ErrRootCaCertExpired = new Error(
+  "root CA certificate in PCK certificate chain has expired"
+);
+var ErrIntermediateCertNil = new Error(
+  "intermediate certificate is empty"
+);
+var ErrPCKCertNil = new Error("PCK certificate is empty");
+var ErrRevocationCheckFailed = new Error(
+  "unable to check for certificate revocation as GetCollateral parameter in the options is set to false"
+);
+var ErrIntermediateCaCertExpired = new Error(
+  "intermediate CA certificate in PCK certificate chain has expired"
+);
+var ErrPckLeafCertExpired = new Error(
+  "PCK leaf certificate in PCK certificate chain has expired"
+);
+var ErrPckCertCANil = new Error(
+  "could not find CA from PCK certificate"
+);
+var trustedRootCertificate;
+function unwrapSingleSet(n) {
+  if (n instanceof asn1js3.Set) {
+    if (n.valueBlock.value.length !== 1) {
+      throw new Error("SET wrapper should contain exactly one element");
+    }
+    return n.valueBlock.value[0];
+  }
+  return n;
+}
+function pckCertificateChainToProto(b) {
+  const data = b.slice();
+  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
+  const certificateDataType = view.getUint16(
+    pckCertChainCertificationDataTypeStart,
+    true
+  );
+  const size = view.getUint32(pckCertChainSizeStart, true);
+  const pckCertChain = data.slice(pckCertChainDataStart);
+  const pckCertificateChain = {
+    certificateDataType,
+    size,
+    pckCertChain
+  };
+  checkPCKCertificateChain(pckCertificateChain);
+  return pckCertificateChain;
+}
+function checkPCKCertificateChain(chain) {
+  if (!chain) {
+    throw ErrPckCertChainNil;
+  }
+  const { certificateDataType, size, pckCertChain } = chain;
+  if (certificateDataType >= 1 << 16) {
+    throw new Error(
+      `certification data type expected to be 2 bytes, got ${certificateDataType}`
+    );
+  }
+  if (certificateDataType !== pckReportCertificationDataType) {
+    throw new Error(
+      `PCK certificate chain data type invalid, got ${certificateDataType}, expected ${pckReportCertificationDataType}`
+    );
+  }
+  if (size !== pckCertChain.length) {
+    throw new Error(
+      `PCK certificate chain size is ${pckCertChain.length}. Expected size ${size}`
+    );
+  }
+}
+function findMatchingExtension(extns, oid) {
+  const match = extns.find((ext) => ext.type === oid);
+  if (!match) {
+    throw new Error(
+      `Unable to find extension with OID ${oid} in PCK certificate`
+    );
+  }
+  return match;
+}
+async function pckCertificateExtensions(cert) {
+  if (cert.extensions.length !== pckCertExtensionSize) {
+    throw new Error(
+      `PCK certificate extensions length found ${cert.extensions.length}. Expected ${pckCertExtensionSize}`
+    );
+  }
+  const sgxExt = findMatchingExtension(cert.extensions, OidSgxExtension);
+  if (!sgxExt) {
+    throw new Error(
+      "Could not find SGX extension present in the PCK certificate"
+    );
+  }
+  const { result: inner, offset } = asn1js3.fromBER(sgxExt.value);
+  if (offset === -1 || !(inner instanceof asn1js3.Sequence)) {
+    throw new Error("Expected SGX extension to be a SEQUENCE");
+  }
+  const remaining = sgxExt.value.slice(offset);
+  if (remaining.byteLength !== 0) {
+    throw new Error("SGX extension has trailing bytes");
+  }
+  return extractSgxExtensions(inner.valueBlock.value);
+}
+function extractCaFromPckCert(pckCert) {
+  const cnList = pckCert.issuerName.getField("CN");
+  const pckIssuer = cnList.length > 0 ? cnList[0] : null;
+  if (pckIssuer === platformIssuer) {
+    return platformIssuerID;
+  }
+  if (pckIssuer === processorIssuer) {
+    return processorIssuerID;
+  }
+  throw ErrPckCertCANil;
+}
+function extractSgxExtensions(extensions) {
+  if (extensions.length < sgxExtensionMinSize) {
+    throw new Error(
+      `SGX Extension has length ${extensions.length}. It should have a minimum length of ${sgxExtensionMinSize}`
+    );
+  }
+  let ppid;
+  let tcb;
+  let pceid;
+  let fmspc;
+  for (const ext of extensions) {
+    if (!(ext instanceof asn1js3.Sequence)) {
+      throw new Error("Expected each SGX extension to be a SEQUENCE");
+    }
+    const bytes = ext.toBER(false);
+    const { result: parsed, offset } = asn1js3.fromBER(bytes);
+    if (offset === -1 || !(parsed instanceof asn1js3.Sequence)) {
+      throw new Error("Could not parse SGX extension entry");
+    }
+    const typeOidBlock = parsed.valueBlock.value[0];
+    if (!(typeOidBlock instanceof asn1js3.ObjectIdentifier)) {
+      throw new Error("Missing Object Identifier in SGX extension entry");
+    }
+    const oid = typeOidBlock.valueBlock.toString();
+    if (oid === OidPPID) {
+      ppid = extractAsn1OctetStringExtension(
+        "PPID",
+        ext,
+        ppidSize
+      );
+    } else if (oid === OidTCB) {
+      tcb = extractAsn1SequenceTcbExtension(ext);
+    } else if (oid === OidPCEID) {
+      pceid = extractAsn1OctetStringExtension(
+        "PCEID",
+        ext,
+        pceIDSize
+      );
+    } else if (oid === OidFMSPC) {
+      fmspc = extractAsn1OctetStringExtension(
+        "FMSPC",
+        ext,
+        fmspcSize
+      );
+    }
+  }
+  if (!ppid || !tcb || !pceid || !fmspc) {
+    throw new Error(
+      "Missing one or more required SGX extensions in PCK certificate"
+    );
+  }
+  return { ppid, tcb, pceid, fmspc };
+}
+function extractAsn1OctetStringExtension(name, seq, expectedSize) {
+  if (seq.valueBlock.value.length !== 2) {
+    throw new Error(`${name} extension should have 2 elements`);
+  }
+  const valueNode = unwrapSingleSet(seq.valueBlock.value[1]);
+  if (!(valueNode instanceof asn1js3.OctetString)) {
+    throw new Error(`${name} extension expected OCTET STRING`);
+  }
+  const bytes = new Uint8Array(valueNode.valueBlock.valueHex);
+  if (bytes.length !== expectedSize) {
+    throw new Error(
+      `${name} has length ${bytes.length}, expected ${expectedSize}`
+    );
+  }
+  return Buffer.from(bytes).toString("hex");
+}
+function extractAsn1SequenceTcbExtension(ext) {
+  const raw = ext.toBER(false);
+  const { result: outerSeq, offset } = asn1js3.fromBER(raw);
+  if (offset === -1 || !(outerSeq instanceof asn1js3.Sequence)) {
+    throw new Error("Could not parse TCB extension inside SGX extension");
+  }
+  const values = outerSeq.valueBlock.value;
+  if (values.length !== 2) {
+    throw new Error(
+      `TCB extension sequence has ${values.length} elements, expected 2`
+    );
+  }
+  const inner = values[1];
+  const innerRaw = inner.toBER(false);
+  const { result: innerSeq, offset: innerOffset } = asn1js3.fromBER(innerRaw);
+  if (innerOffset === -1 || !(innerSeq instanceof asn1js3.Sequence)) {
+    throw new Error("Could not parse TCB components inside TCB extension");
+  }
+  const components = innerSeq.valueBlock.value;
+  if (components.length !== tcbExtensionSize) {
+    throw new Error(
+      `TCB components length is ${components.length}, expected ${tcbExtensionSize}`
+    );
+  }
+  const tcbv = {};
+  extractTcbExtension(components, tcbv);
+  return tcbv;
+}
+async function verifyPCKCertificationChain(options) {
+  const { chain, collateral } = options;
+  if (!chain?.rootCert) throw ErrRootCertNil;
+  if (!chain.intermediateCerts) throw ErrIntermediateCertNil;
+  if (!chain.pckCertificate) throw ErrPCKCertNil;
+  const rootCert = chain.rootCert;
+  const intermediateCert = chain.intermediateCerts;
+  const pckCert = chain.pckCertificate;
+  await validateCertificate2(rootCert, rootCert, rootCertPhrase);
+  await validateCertificate2(intermediateCert, rootCert, intermediateCertPhrase);
+  await validateCertificate2(pckCert, intermediateCert, pckCertPhrase);
+  const opts = x509Options(options.trustedRoots, intermediateCert, options.now);
+  const ok = await pckCert.verify(opts);
+  if (!ok) {
+    throw new Error("error verifying PCK Certificate");
+  }
+  if (options.checkRevocations) {
+    if (!options.getCollateral) throw ErrRevocationCheckFailed;
+    await validateCRL(collateral?.rootCaCrl, rootCert);
+    await validateCRL(collateral?.pckCrl, intermediateCert);
+    if (collateral?.pckCrl?.issuer !== pckCert.issuer) {
+      throw new Error(
+        `issuer "${collateral.pckCrl.issuer}" of PCK CRL does not match PCK Certificate issuer "${pckCert.issuer}"`
+      );
+    }
+    for (const entry of collateral.rootCaCrl?.entries ?? []) {
+      if (intermediateCert.serialNumber === entry.serialNumber) {
+        throw new Error(
+          `Intermediate certificate was revoked at ${entry.revocationDate}`
+        );
+      }
+    }
+    for (const entry of collateral.pckCrl?.entries ?? []) {
+      if (pckCert.serialNumber === entry.serialNumber) {
+        throw new Error(
+          `PCK Leaf certificate was revoked at ${entry.revocationDate}`
+        );
+      }
+    }
+  }
+  await checkCertificateExpiration(chain, options);
+}
+async function checkCertificateExpiration(chain, options) {
+  const currentTime = options.now;
+  if (currentTime > chain.rootCert.notAfter) {
+    throw ErrRootCaCertExpired;
+  }
+  if (currentTime > chain.intermediateCerts.notAfter) {
+    throw ErrIntermediateCaCertExpired;
+  }
+  if (currentTime > chain.pckCertificate.notAfter) {
+    throw ErrPckLeafCertExpired;
+  }
+}
+async function validateCertificate2(cert, parent, expectedPhrase) {
+  if (!cert) throw new Error("certificate is nil");
+  if (!parent) throw new Error("parent certificate is nil");
+  const cnList = cert.subjectName.getField("CN");
+  const subjectCN = cnList.length > 0 ? cnList[0] : null;
+  if (subjectCN !== expectedPhrase) {
+    throw new Error(
+      `"${subjectCN}" is not expected in certificate's subject name. Expected "${expectedPhrase}"`
+    );
+  }
+  const issuerName = cert.issuerName.toString();
+  const parentSubject = parent.subjectName.toString();
+  if (issuerName !== parentSubject) {
+    throw new Error(
+      `Certificate issuer name ("${issuerName}") does not match parent certificate subject name ("${parentSubject}")`
+    );
+  }
+  const verified = await cert.verify({ publicKey: parent });
+  if (!verified) {
+    throw new Error(
+      "Certificate signature verification using parent certificate failed"
+    );
+  }
+}
+function x509Options(trustedRoots, intermediateCert, now) {
+  let publicKeySource;
+  if (intermediateCert) {
+    publicKeySource = intermediateCert;
+  } else if (trustedRoots && trustedRoots.length > 0) {
+    publicKeySource = trustedRoots[0];
+  } else {
+    publicKeySource = trustedRootCertificate;
+  }
+  return {
+    date: now,
+    publicKey: publicKeySource
+  };
+}
+
+// src/audit/quote/collateral.ts
+import * as x5093 from "@peculiar/x509";
+import * as asn1js4 from "asn1js";
+var ErrMissingTcbInfoBody = new Error(
+  "missing tcbInfo body in the collaterals obtained"
+);
+var ErrMissingEnclaveIdentityBody = new Error(
+  "missing enclaveIdentity body in the collaterals obtained"
+);
+var ErrTcbInfoNil = new Error("tcbInfo is empty in collaterals");
+var ErrQeIdentityNil = new Error("QeIdentity is empty in collaterals");
+var ErrMissingTcbInfoSigningCert = new Error(
+  "missing signing certificate in the issuer chain of tcbInfo"
+);
+var ErrMissingTcbInfoRootCert = new Error(
+  "missing root certificate in the issuer chain of tcbInfo"
+);
+var ErrMissingQeIdentitySigningCert = new Error(
+  "missing signing certificate in the issuer chain of QeIdentity"
+);
+var ErrMissingQeIdentityRootCert = new Error(
+  "missing root certificate in the issuer chain of QeIdentity"
+);
+var ErrMissingPckCrl = new Error(
+  "missing PCK CRL in the collaterals obtained"
+);
+var ErrMissingRootCaCrl = new Error(
+  "missing ROOT CA CRL in the collaterals obtained"
+);
+var ErrMissingPCKCrlSigningCert = new Error(
+  "missing signing certificate in the issuer chain of PCK CRL"
+);
+var ErrMissingPCKCrlRootCert = new Error(
+  "missing root certificate in the issuer chain of PCK CRL"
+);
+var ErrTcbInfoExpired = new Error("tcbInfo has expired");
+var ErrQeIdentityExpired = new Error("QeIdentity has expired");
+var ErrTcbInfoSigningCertExpired = new Error(
+  "tcbInfo signing certificate has expired"
+);
+var ErrTcbInfoRootCertExpired = new Error(
+  "tcbInfo root certificate has expired"
+);
+var ErrQeIdentityRootCertExpired = new Error(
+  "QeIdentity root certificate has expired"
+);
+var ErrQeIdentitySigningCertExpired = new Error(
+  "QeIdentity signing certificate has expired"
+);
+var ErrRootCaCrlExpired = new Error("root CA CRL has expired");
+var ErrPCKCrlExpired = new Error("PCK CRL has expired");
+var ErrPCKCrlSigningCertExpired = new Error(
+  "PCK CRL signing certificate has expired"
+);
+var ErrPCKCrlRootCertExpired = new Error(
+  "PCK CRL root certificate has expired"
+);
+var ErrEmptyRootCRLUrl = new Error(
+  "empty url found in QeIdentity issuer's chain which is required to receive ROOT CA CRL"
+);
+var sgxPckCrlIssuerChainPhrase = "Sgx-Pck-Crl-Issuer-Chain";
+var sgxQeIdentityIssuerChainPhrase = "Sgx-Enclave-Identity-Issuer-Chain";
+var enclaveIdentityPhrase = "enclaveIdentity";
+var tcbInfoIssuerChainPhrase = "Tcb-Info-Issuer-Chain";
+var tcbInfoPhrase = "tcbInfo";
+var OID_CRL_DISTRIBUTION_POINTS = "2.5.29.31";
+var pcsTdxBaseURL = "https://api.trustedservices.intel.com/tdx/certification/v4";
+var pcsSgxBaseURL = "https://api.trustedservices.intel.com/sgx/certification/v4";
+var RetryHTTPSGetter = class {
+  constructor(underlying = new SimpleHTTPSGetter(), timeoutMs = 12e4, maxRetryDelayMs = 3e4) {
+    this.underlying = underlying;
+    this.timeoutMs = timeoutMs;
+    this.maxRetryDelayMs = maxRetryDelayMs;
+  }
+  async get(url) {
+    const deadline = Date.now() + this.timeoutMs;
+    let delay = 2e3;
+    for (; ; ) {
+      try {
+        return await this.underlying.get(url);
+      } catch (err) {
+        if (Date.now() + delay > deadline) {
+          throw err;
+        }
+        await new Promise((r) => setTimeout(r, delay));
+        delay = Math.min(delay * 2, this.maxRetryDelayMs);
+      }
+    }
+  }
+};
+var SimpleHTTPSGetter = class {
+  async get(url) {
+    const resp = await fetch(url);
+    if (!resp.ok) {
+      throw new Error(`failed to retrieve ${url}, status code ${resp.status}`);
+    }
+    const headers = {};
+    resp.headers.forEach((value, key) => {
+      if (!headers[key]) headers[key] = [];
+      headers[key].push(value);
+    });
+    const body = new Uint8Array(await resp.arrayBuffer());
+    return [headers, body];
+  }
+};
+var CRLUnavailableError = class extends Error {
+  constructor(causes) {
+    super("CRL is unavailable");
+    this.name = "CRLUnavailableError";
+    this.causes = causes;
+  }
+};
+var AttestationRecreationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "AttestationRecreationError";
+  }
+};
+function defaultHTTPSGetter() {
+  return new RetryHTTPSGetter();
+}
+async function verifyCollateral(options) {
+  const collateral = options.collateral;
+  if (!collateral) throw ErrCollateralNil;
+  if (!collateral.tcbInfoBody) throw ErrMissingTcbInfoBody;
+  if (!collateral.enclaveIdentityBody) throw ErrMissingEnclaveIdentityBody;
+  if (Object.keys(collateral.tdxTcbInfo || {}).length === 0) throw ErrTcbInfoNil;
+  if (Object.keys(collateral.qeIdentity || {}).length === 0)
+    throw ErrQeIdentityNil;
+  if (!collateral.tcbInfoIssuerIntermediateCertificate)
+    throw ErrMissingTcbInfoSigningCert;
+  if (!collateral.tcbInfoIssuerRootCertificate) throw ErrMissingTcbInfoRootCert;
+  if (!collateral.qeIdentityIssuerIntermediateCertificate)
+    throw ErrMissingQeIdentitySigningCert;
+  if (!collateral.qeIdentityIssuerRootCertificate)
+    throw ErrMissingQeIdentityRootCert;
+  if (options.checkRevocations) {
+    if (!collateral.pckCrl) throw ErrMissingPckCrl;
+    if (!collateral.rootCaCrl) throw ErrMissingRootCaCrl;
+    if (!collateral.pckCrlIssuerIntermediateCertificate)
+      throw ErrMissingPCKCrlSigningCert;
+    if (!collateral.pckCrlIssuerRootCertificate) throw ErrMissingPCKCrlRootCert;
+  }
+  await checkCollateralExpiration(collateral, options);
+}
+async function checkCollateralExpiration(collateral, options) {
+  const currentTime = options.now;
+  const tcbInfo = collateral.tdxTcbInfo.tcbInfo;
+  const qeIdentity = collateral.qeIdentity.enclaveIdentity;
+  if (currentTime > tcbInfo.nextUpdate) {
+    throw ErrTcbInfoExpired;
+  }
+  if (currentTime > qeIdentity.nextUpdate) {
+    throw ErrQeIdentityExpired;
+  }
+  if (currentTime > collateral.tcbInfoIssuerIntermediateCertificate.notAfter) {
+    throw ErrTcbInfoSigningCertExpired;
+  }
+  if (currentTime > collateral.tcbInfoIssuerRootCertificate.notAfter) {
+    throw ErrTcbInfoRootCertExpired;
+  }
+  if (currentTime > collateral.qeIdentityIssuerRootCertificate.notAfter) {
+    throw ErrQeIdentityRootCertExpired;
+  }
+  if (currentTime > collateral.qeIdentityIssuerIntermediateCertificate.notAfter) {
+    throw ErrQeIdentitySigningCertExpired;
+  }
+  if (options.checkRevocations) {
+    if (currentTime > collateral.rootCaCrl.nextUpdate) {
+      throw ErrRootCaCrlExpired;
+    }
+    if (currentTime > collateral.pckCrl.nextUpdate) {
+      throw ErrPCKCrlExpired;
+    }
+    if (currentTime > collateral.pckCrlIssuerIntermediateCertificate.notAfter) {
+      throw ErrPCKCrlSigningCertExpired;
+    }
+    if (currentTime > collateral.pckCrlIssuerRootCertificate.notAfter) {
+      throw ErrPCKCrlRootCertExpired;
+    }
+  }
+}
+async function obtainCollateral(fmspc, ca, options) {
+  const getter = options.getter ?? defaultHTTPSGetter();
+  const collateral = {};
+  await getTcbInfo(fmspc, getter, collateral);
+  await getQeIdentity(getter, collateral);
+  if (options.checkRevocations) {
+    await getPckCrl(ca, getter, collateral);
+    await getRootCrl(getter, collateral);
+  }
+  return collateral;
+}
+function pckCrlURL(ca) {
+  return `${pcsSgxBaseURL}/pckcrl?ca=${encodeURIComponent(ca)}&encoding=der`;
+}
+async function getPckCrl(ca, getter, collateral) {
+  const pckCrlURLStr = pckCrlURL(ca);
+  let headers;
+  let body;
+  try {
+    ;
+    [headers, body] = await getter.get(pckCrlURLStr);
+  } catch (err) {
+    const error = err instanceof Error ? err : new Error(String(err));
+    throw new CRLUnavailableError([error, new Error("could not fetch PCK CRL")]);
+  }
+  let intermediateCert;
+  let rootCert;
+  try {
+    ;
+    [intermediateCert, rootCert] = headerToIssuerChain(
+      headers,
+      sgxPckCrlIssuerChainPhrase
+    );
+  } catch (err) {
+    const error = err instanceof Error ? err : new Error(String(err));
+    throw error;
+  }
+  collateral.pckCrlIssuerIntermediateCertificate = intermediateCert;
+  collateral.pckCrlIssuerRootCertificate = rootCert;
+  try {
+    collateral.pckCrl = bodyToCrl(body);
+  } catch (err) {
+    const error = err instanceof Error ? err : new Error(String(err));
+    throw new CRLUnavailableError([error, new Error("could not fetch PCK CRL")]);
+  }
+}
+function headerToIssuerChain(headers, phrase) {
+  const values = headers[phrase];
+  if (!values || values.length !== 1) {
+    throw new Error(
+      `issuer chain is expected to be of size 1, found ${values?.length ?? 0}`
+    );
+  }
+  const encodedChain = values[0];
+  if (!encodedChain) {
+    throw new Error(`issuer chain certificates missing in "${phrase}"`);
+  }
+  let certChain;
+  try {
+    certChain = decodeURIComponent(encodedChain);
+  } catch (err) {
+    throw new Error(`unable to decode issuer chain in "${phrase}": ${err}`);
+  }
+  const pemBlocks = x5093.PemConverter.decode(certChain);
+  if (pemBlocks.length !== 2) {
+    throw new Error(
+      `expected 2 PEM blocks (intermediate + root), found ${pemBlocks.length}`
+    );
+  }
+  const intermediate = new x5093.X509Certificate(pemBlocks[0]);
+  const root = new x5093.X509Certificate(pemBlocks[1]);
+  return [intermediate, root];
+}
+async function getQeIdentity(getter, collateral) {
+  const QeIdentityURL = qeIdentityURL();
+  let headers;
+  let body;
+  try {
+    ;
+    [headers, body] = await getter.get(QeIdentityURL);
+  } catch (err) {
+    throw new AttestationRecreationError(
+      `could not receive QeIdentity response: ${err}`
+    );
+  }
+  let intermediateCert;
+  let rootCert;
+  try {
+    ;
+    [intermediateCert, rootCert] = headerToIssuerChain(
+      headers,
+      sgxQeIdentityIssuerChainPhrase
+    );
+  } catch (err) {
+    throw new AttestationRecreationError(err.message);
+  }
+  collateral.qeIdentityIssuerIntermediateCertificate = intermediateCert;
+  collateral.qeIdentityIssuerRootCertificate = rootCert;
+  try {
+    collateral.qeIdentity = JSON.parse(
+      new TextDecoder().decode(body)
+    );
+  } catch (err) {
+    throw new AttestationRecreationError(
+      `unable to unmarshal QeIdentity response: ${err}`
+    );
+  }
+  try {
+    collateral.enclaveIdentityBody = bodyToRawMessage(
+      enclaveIdentityPhrase,
+      body
+    );
+  } catch (err) {
+    throw new AttestationRecreationError(err.message);
+  }
+}
+function bodyToRawMessage(name, body) {
+  if (body.length === 0) {
+    throw new Error(`"${name}" is empty`);
+  }
+  const decoded = new TextDecoder().decode(body);
+  let rawBody;
+  try {
+    rawBody = JSON.parse(decoded);
+  } catch (err) {
+    throw new Error(`could not convert "${name}" body to raw message: ${err}`);
+  }
+  const val = rawBody[name];
+  if (val === void 0) {
+    throw new Error(`"${name}" field is missing in the response received`);
+  }
+  const json = JSON.stringify(val);
+  return new TextEncoder().encode(json);
+}
+function qeIdentityURL() {
+  return `${pcsTdxBaseURL}/qe/identity`;
+}
+function TcbInfoURL(fmspc) {
+  return `${pcsTdxBaseURL}/tcb?fmspc=${fmspc}`;
+}
+async function getTcbInfo(fmspc, getter, collateral) {
+  const tcbInfoURL = TcbInfoURL(fmspc);
+  let header;
+  let body;
+  try {
+    ;
+    [header, body] = await getter.get(tcbInfoURL);
+  } catch (err) {
+    throw new AttestationRecreationError(
+      `could not receive tcbInfo response: ${err}`
+    );
+  }
+  let intermediateCert, rootCert;
+  try {
+    ;
+    [intermediateCert, rootCert] = headerToIssuerChain(
+      header,
+      tcbInfoIssuerChainPhrase
+    );
+  } catch (err) {
+    throw new AttestationRecreationError(err.message);
+  }
+  collateral.tcbInfoIssuerIntermediateCertificate = intermediateCert;
+  collateral.tcbInfoIssuerRootCertificate = rootCert;
+  try {
+    collateral.tdxTcbInfo = JSON.parse(
+      new TextDecoder().decode(body)
+    );
+  } catch (err) {
+    throw new AttestationRecreationError(
+      `unable to unmarshal tcbInfo response: ${err}`
+    );
+  }
+  try {
+    collateral.tcbInfoBody = bodyToRawMessage(tcbInfoPhrase, body);
+  } catch (err) {
+    throw new AttestationRecreationError(err.message);
+  }
+}
+function getCrlDistributionPoints(cert) {
+  const ext = cert.extensions.find(
+    (e) => e.type === OID_CRL_DISTRIBUTION_POINTS
+  );
+  if (!ext) return [];
+  const outer = asn1js4.fromBER(ext.value);
+  if (outer.offset === -1 || !(outer.result instanceof asn1js4.OctetString))
+    return [];
+  const inner = asn1js4.fromBER(outer.result.valueBlock.valueHex);
+  if (inner.offset === -1 || !(inner.result instanceof asn1js4.Sequence))
+    return [];
+  const seq = inner.result;
+  if (seq.valueBlock.value.length === 0) return [];
+  const dp = seq.valueBlock.value[0];
+  if (!(dp instanceof asn1js4.Constructed) || dp.valueBlock.value.length === 0)
+    return [];
+  const dpn = dp.valueBlock.value[0];
+  if (!(dpn instanceof asn1js4.Constructed)) return [];
+  const names = new GeneralNames({ schema: dpn });
+  return names.names.filter((n) => n.type === 6).map((n) => n.value);
+}
+var GeneralName = class {
+  constructor(type, value) {
+    this.type = type;
+    this.value = value;
+  }
+};
+var GeneralNames = class {
+  constructor(params) {
+    this.names = [];
+    const items = params.schema.valueBlock.value;
+    for (const el of items) {
+      if (el.idBlock.tagClass === 3) {
+        const tag = el.idBlock.tagNumber;
+        if (tag === 6 && el instanceof asn1js4.Primitive) {
+          const uri = new asn1js4.IA5String({ valueHex: el.valueBlock.valueHex });
+          this.names.push(new GeneralName(tag, uri.valueBlock.value));
+        }
+      }
+    }
+  }
+};
+async function getRootCrl(getter, collateral) {
+  const rootCrlURLs = getCrlDistributionPoints(
+    collateral.qeIdentityIssuerRootCertificate
+  );
+  if (rootCrlURLs.length === 0) {
+    throw ErrEmptyRootCRLUrl;
+  }
+  const errors = [];
+  for (const url of rootCrlURLs) {
+    try {
+      const [, body] = await getter.get(url);
+      collateral.rootCaCrl = bodyToCrl(body);
+      return;
+    } catch (err) {
+      errors.push(err instanceof Error ? err : new Error(String(err)));
+    }
+  }
+  throw new CRLUnavailableError([
+    ...errors,
+    new Error("could not fetch root CRL")
+  ]);
+}
+function bodyToCrl(body) {
+  try {
+    return new x5093.X509Crl(body);
+  } catch (err) {
+    throw new Error(`unable to parse DER bytes of CRL: ${err}`);
+  }
+}
+
+// src/audit/quote/verify.ts
+var ErrOptionsNil = new Error("options parameter is empty");
+var ErrRootCaCertExpired2 = new Error(
+  "root CA certificate in PCK certificate chain has expired"
+);
+var ErrHashVerificationFail = new Error(
+  "unable to verify message digest using quote's signature and ecdsa attestation key"
+);
+var ErrSHA256VerificationFail = new Error(
+  "QE Report Data does not match with value of SHA 256 calculated over the concatenation of ECDSA Attestation Key and QE Authenticated Data"
+);
+async function extractChainFromQuoteV4(quote) {
+  const certChainBytes = quote.signedData?.certificationData?.qeReportCertificationData?.pckCertificateChainData?.pckCertChain;
+  if (!certChainBytes) throw ErrPckCertChainNil;
+  const pemString = new TextDecoder().decode(certChainBytes);
+  const pemBlocks = x5094.PemConverter.decode(pemString);
+  if (pemBlocks.length < 3) {
+    throw ErrPCKCertChainInvalid;
+  }
+  const pckCert = new x5094.X509Certificate(pemBlocks[0]);
+  const intermediateCert = new x5094.X509Certificate(pemBlocks[1]);
+  const rootCert = new x5094.X509Certificate(pemBlocks[2]);
+  return {
+    pckCertificate: pckCert,
+    rootCert,
+    intermediateCerts: intermediateCert
+  };
+}
+async function localVerifyTdxQuote(aquote, opts) {
+  if (!opts) throw ErrOptionsNil;
+  checkQuoteV4(aquote);
+  const chain = await extractChainFromQuoteV4(aquote);
+  const exts = await pckCertificateExtensions(chain.pckCertificate);
+  let acollateral;
+  if (opts.getCollateral) {
+    const ca = extractCaFromPckCert(chain.pckCertificate);
+    acollateral = await obtainCollateral(exts.fmspc, ca, opts);
+  }
+  opts.collateral = acollateral;
+  opts.pckCertExtensions = exts;
+  opts.chain = chain;
+  if (!opts.now) opts.now = /* @__PURE__ */ new Date();
+  await verifyEvidenceV4(aquote, opts);
+  return exts;
+}
+function equalBytes(a, b) {
+  if (a.length !== b.length) return false;
+  for (let i = 0; i < a.length; i++) {
+    if (a[i] !== b[i]) return false;
+  }
+  return true;
+}
+function getHeaderAndTdQuoteBodyInAbiBytes(aquote) {
+  const header = HeaderToAbiBytes(aquote.header);
+  if (!header) {
+    throw new Error("could not convert header to ABI bytes");
+  }
+  const tdQuoteBody = TdQuoteBodyToAbiBytes(aquote.tdQuoteBody);
+  if (!tdQuoteBody) {
+    throw new Error("could not convert TD Quote Body to ABI bytes");
+  }
+  const combined = new Uint8Array(header.length + tdQuoteBody.length);
+  combined.set(header, 0);
+  combined.set(tdQuoteBody, header.length);
+  return combined;
+}
+async function verifyEvidenceV4(aquote, options) {
+  if (aquote.header.teeType !== TeeTDX) {
+    throw new Error("Invalid TEE type in quote (expected TDX)");
+  }
+  await verifyPCKCertificationChain(options);
+  if (options.getCollateral) {
+    await verifyCollateral(options);
+    await verifyTCBinfo(options);
+    await verifyQeIdentity(options);
+  }
+  await verifyQuote(aquote, options);
+}
+async function verifyQuote(aquote, options) {
+  const chain = options.chain;
+  const collateral = options.collateral;
+  const pckCertExtensions = options.pckCertExtensions;
+  const attestKey = aquote.signedData?.ecdsaAttestationKey;
+  if (!attestKey) {
+    throw new Error("Missing attestation key in quote");
+  }
+  const signature = aquote.signedData?.signature;
+  if (!signature) {
+    throw new Error("Missing signature in quote");
+  }
+  const message = getHeaderAndTdQuoteBodyInAbiBytes(aquote);
+  const isValid = await verifyEcdsaSignature(attestKey, message, signature);
+  if (!isValid) {
+    throw ErrHashVerificationFail;
+  }
+  const qeReportCertificationData = aquote.signedData?.certificationData?.qeReportCertificationData;
+  if (!qeReportCertificationData)
+    throw new Error("Missing QE report certification data");
+  await tdxProtoQeReportSignature(
+    qeReportCertificationData,
+    chain.pckCertificate
+  );
+  await verifyHash256(aquote);
+  if (collateral) {
+    await verifyTdQuoteBody(aquote.tdQuoteBody, {
+      tcbInfo: collateral.tdxTcbInfo.tcbInfo,
+      pckCertExtensions
+    });
+    await verifyQeReport(qeReportCertificationData.qeReport, {
+      qeIdentity: collateral.qeIdentity.enclaveIdentity
+    });
+  }
+}
+async function verifyQeReport(qeReport, options) {
+  const { qeIdentity } = options;
+  const miscSelectMaskBytes = qeIdentity.miscselectMask.bytes;
+  const miscSelectBytes = qeIdentity.miscselect.bytes;
+  if (miscSelectMaskBytes.length !== 4) {
+    throw new Error(
+      `MISCSELECTMask field size (${miscSelectMaskBytes.length}) is not 4`
+    );
+  }
+  if (miscSelectBytes.length !== 4) {
+    throw new Error(
+      `MISCSELECT field size (${miscSelectBytes.length}) is not 4`
+    );
+  }
+  const viewMask = new DataView(
+    miscSelectMaskBytes.buffer,
+    miscSelectMaskBytes.byteOffset,
+    4
+  );
+  const viewSelect = new DataView(
+    miscSelectBytes.buffer,
+    miscSelectBytes.byteOffset,
+    4
+  );
+  const miscSelectMask = qeReport.miscSelect & viewMask.getUint32(0, true);
+  const miscSelect = viewSelect.getUint32(0, true);
+  if (miscSelectMask !== miscSelect) {
+    throw new Error(
+      `MISCSELECT mismatch: expected ${miscSelect}, got masked ${miscSelectMask}`
+    );
+  }
+  const attrsMask = qeIdentity.attributesMask.bytes;
+  const reportAttrs = qeReport.attributes;
+  if (attrsMask.length !== reportAttrs.length) {
+    throw new Error(
+      `AttributesMask size (${attrsMask.length}) does not match report attributes size (${reportAttrs.length})`
+    );
+  }
+  const maskedAttrs = applyMask(attrsMask, reportAttrs);
+  const expectedAttrs = qeIdentity.attributes.bytes;
+  if (!equalBytes(maskedAttrs, expectedAttrs)) {
+    throw new Error(
+      `Attributes mismatch: masked=${toHex(maskedAttrs)} expected=${toHex(expectedAttrs)}`
+    );
+  }
+  const mrSignerReport = qeReport.mrSigner;
+  const mrSignerExpected = qeIdentity.mrsigner.bytes;
+  if (!equalBytes(mrSignerReport, mrSignerExpected)) {
+    throw new Error(
+      `MRSIGNER mismatch: report=${toHex(mrSignerReport)} expected=${toHex(mrSignerExpected)}`
+    );
+  }
+  if (qeReport.isvProdId !== qeIdentity.isvProdID) {
+    throw new Error(
+      `ISV PRODID mismatch: report=${qeReport.isvProdId} expected=${qeIdentity.isvProdID}`
+    );
+  }
+  checkQeTcbStatus(qeIdentity.tcbLevels, qeReport.isvSvn);
+}
+async function verifyHash256(aquote) {
+  const qeReportCertData = aquote.signedData?.certificationData?.qeReportCertificationData;
+  if (!qeReportCertData) throw new Error("missing QE Report certification data");
+  const qeReportData = qeReportCertData.qeReport?.reportData;
+  const qeAuthData = qeReportCertData.qeAuthData?.data;
+  const attestKey = aquote.signedData?.ecdsaAttestationKey;
+  if (!qeReportData || !qeAuthData || !attestKey) {
+    throw new Error("missing fields for QE report SHA-256 verification");
+  }
+  const concat = new Uint8Array(attestKey.length + qeAuthData.length);
+  concat.set(attestKey, 0);
+  concat.set(qeAuthData, attestKey.length);
+  const hashBuffer = await x5094.cryptoProvider.get().subtle.digest("SHA-256", concat);
+  let hashedMessage = new Uint8Array(hashBuffer);
+  if (hashedMessage.length < qeReportData.length) {
+    const padded = new Uint8Array(qeReportData.length);
+    padded.set(hashedMessage, 0);
+    hashedMessage = padded;
+  }
+  if (!equalBytes(hashedMessage, qeReportData)) {
+    throw ErrSHA256VerificationFail;
+  }
+}
+async function tdxProtoQeReportSignature(qeReportCertificationData, pckCertX509) {
+  const rawReport = enclaveReportToAbiBytes(
+    qeReportCertificationData.qeReport
+  );
+  if (!rawReport) {
+    throw new Error("could not parse QE report");
+  }
+  await tdxQeReportSignature(
+    rawReport,
+    qeReportCertificationData.qeReportSignature,
+    pckCertX509
+  );
+}
+async function tdxQeReportSignature(qeReport, signature, pckCert) {
+  const cryptoKey = await x5094.cryptoProvider.get().subtle.importKey(
+    "spki",
+    pckCert.publicKey.rawData,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["verify"]
+  );
+  const isValid = await x5094.cryptoProvider.get().subtle.verify(
+    { name: "ECDSA", hash: "SHA-256" },
+    cryptoKey,
+    signature,
+    qeReport
+  );
+  if (!isValid) {
+    throw new Error(
+      "QE report's signature verification using PCK Leaf Certificate failed"
+    );
+  }
+}
+
+// src/audit/quote/validateTdxQuote.ts
+var CA_ROOT_PEM = `
+-----BEGIN CERTIFICATE-----
+MIICjzCCAjSgAwIBAgIUImUM1lqdNInzg7SVUr9QGzknBqwwCgYIKoZIzj0EAwIw
+aDEaMBgGA1UEAwwRSW50ZWwgU0dYIFJvb3QgQ0ExGjAYBgNVBAoMEUludGVsIENv
+cnBvcmF0aW9uMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJ
+BgNVBAYTAlVTMB4XDTE4MDUyMTEwNDUxMFoXDTQ5MTIzMTIzNTk1OVowaDEaMBgG
+A1UEAwwRSW50ZWwgU0dYIFJvb3QgQ0ExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0
+aW9uMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJBgNVBAYT
+AlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC6nEwMDIYZOj/iPWsCzaEKi7
+1OiOSLRFhWGjbnBVJfVnkY4u3IjkDYYL0MxO4mqsyYjlBalTVYxFP2sJBK5zlKOB
+uzCBuDAfBgNVHSMEGDAWgBQiZQzWWp00ifODtJVSv1AbOScGrDBSBgNVHR8ESzBJ
+MEegRaBDhkFodHRwczovL2NlcnRpZmljYXRlcy50cnVzdGVkc2VydmljZXMuaW50
+ZWwuY29tL0ludGVsU0dYUm9vdENBLmRlcjAdBgNVHQ4EFgQUImUM1lqdNInzg7SV
+Ur9QGzknBqwwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwCgYI
+KoZIzj0EAwIDSQAwRgIhAOW/5QkR+S9CiSDcNoowLuPRLsWGf/Yi7GSX94BgwTwg
+AiEA4J0lrHoMs+Xo5o/sX6O9QWxHRAvZUGOdRQ7cvqRXaqI=
+-----END CERTIFICATE-----
+`;
+var ErrCertificationDataNil = new Error("certification data is nil");
+var ErrQeReportCertificationDataNil = new Error(
+  "QE Report certification data is nil"
+);
+var ErrQeAuthDataNil = new Error("QE AuthData is nil");
+var ErrCertNil = new Error("certificate is nil");
+var ErrParentCertNil = new Error("parent certificate is nil");
+var ErrCertPubKeyType = new Error(
+  "certificate public key is not of type ecdsa public key"
+);
+var ErrRootCaCertExpired3 = new Error(
+  "root CA certificate in PCK certificate chain has expired"
+);
+var ErrPublicKeySize = new Error("public key is of unexpected size");
+var ErrPckExtInvalid = new Error(
+  "unexpected leftover bytes for PCK certificate's extension"
+);
+var ErrSgxExtInvalid = new Error(
+  "unexpected leftover bytes when parsing SGX extensions"
+);
+var ErrTcbExtInvalid = new Error(
+  "unexpected leftover bytes for TCB extension inside SGX extension field"
+);
+var ErrTcbCompInvalid = new Error(
+  "unexpected leftover bytes for TCB components in TCB Extension inside SGX extension field"
+);
+var signedDataSignatureStart = 0;
+var signedDataSignatureEnd = 64;
+var signedDataAttestationKeyStart = signedDataSignatureEnd;
+var signedDataAttestationKeyEnd = 128;
+var signedDataCertificationDataStart = signedDataAttestationKeyEnd;
+var certificateDataTypeStart = 0;
+var certificateDataTypeEnd = 2;
+var certificateSizeStart = certificateDataTypeEnd;
+var certificateSizeEnd = 6;
+var certificateDataStart = certificateSizeEnd;
+var qeReportCertificationDataType = 6;
+var signatureSize = 64;
+var enclaveReportStart = 0;
+var enclaveReportEnd = 384;
+var qeReportCertificationDataSignatureStart = enclaveReportEnd;
+var qeReportCertificationDataSignatureEnd = 448;
+var qeReportCertificationDataAuthDataStart = qeReportCertificationDataSignatureEnd;
+var authDataParsedDataSizeStart = 0;
+var authDataParsedDataSizeEnd = 2;
+var attestationKeySize = 64;
+async function getTrustedRoots(rot) {
+  const inlines = rot.cabundles ?? [];
+  if (inlines.length === 0) return null;
+  const pool = [];
+  for (const pemString of inlines) {
+    const cert = new x5095.X509Certificate(pemString);
+    pool.push(cert);
+  }
+  return pool;
+}
+async function rootOfTrustToVerifyOptions(rot) {
+  return {
+    checkRevocations: !!rot.checkCrl,
+    getCollateral: !!rot.getCollateral,
+    trustedRoots: await getTrustedRoots(rot) ?? void 0
+  };
+}
+function headerToProto(buf) {
+  if (buf.length !== 48) throw new Error("header must be 48 bytes");
+  return {
+    version: leU16(buf, 0),
+    attestationKeyType: leU16(buf, 2),
+    teeType: leU32(buf, 4),
+    pceSvn: buf.slice(8, 10),
+    qeSvn: buf.slice(10, 12),
+    qeVendorId: buf.slice(12, 28),
+    userData: buf.slice(28, 48)
+  };
+}
+function tdQuoteBodyToProto(buf) {
+  if (buf.length !== 584) throw new Error("TDQuoteBody must be 0x248 bytes");
+  const body = {
+    teeTcbSvn: buf.slice(0, 16),
+    mrSeam: buf.slice(16, 64),
+    mrSignerSeam: buf.slice(64, 112),
+    seamAttributes: buf.slice(112, 120),
+    tdAttributes: buf.slice(120, 128),
+    xfam: buf.slice(128, 136),
+    mrTd: buf.slice(136, 184),
+    mrConfigId: buf.slice(184, 232),
+    mrOwner: buf.slice(232, 280),
+    mrOwnerConfig: buf.slice(280, 328),
+    rtmrs: [
+      buf.slice(328, 376),
+      buf.slice(376, 424),
+      buf.slice(424, 472),
+      buf.slice(472, 520)
+    ],
+    reportData: buf.slice(520, 584)
+  };
+  return body;
+}
+function signedDataToProto(b) {
+  const data = b.slice();
+  const signedData = {
+    signature: data.slice(signedDataSignatureStart, signedDataSignatureEnd),
+    ecdsaAttestationKey: data.slice(
+      signedDataAttestationKeyStart,
+      signedDataAttestationKeyEnd
+    ),
+    certificationData: certificationDataToProto(
+      data.slice(signedDataCertificationDataStart)
+    )
+  };
+  checkEcdsa256BitQuoteV4AuthData(signedData);
+  return signedData;
+}
+function checkEcdsa256BitQuoteV4AuthData(signedData) {
+  if (!signedData) {
+    throw ErrQuoteV4AuthDataNil;
+  }
+  if (signedData.signature.length !== signatureSize) {
+    throw new Error(
+      `signature size is ${signedData.signature.length} bytes. Expected ${signatureSize} bytes`
+    );
+  }
+  if (signedData.ecdsaAttestationKey.length !== attestationKeySize) {
+    throw new Error(
+      `ecdsa attestation key size is ${signedData.ecdsaAttestationKey.length} bytes. Expected ${attestationKeySize} bytes`
+    );
+  }
+  checkCertificationData(signedData.certificationData);
+}
+function checkCertificationData(certification) {
+  if (!certification) {
+    throw ErrCertificationDataNil;
+  }
+  const { certificateDataType } = certification;
+  if (certificateDataType >= 1 << 16) {
+    throw new Error(
+      `certification data type field size must fit in 2 bytes, got ${certificateDataType}`
+    );
+  }
+  if (certificateDataType !== qeReportCertificationDataType) {
+    throw new Error(
+      `certification data type invalid, got ${certificateDataType}, expected ${qeReportCertificationDataType}`
+    );
+  }
+  checkQeReportCertificationData(certification.qeReportCertificationData);
+}
+function checkQeReportCertificationData(qeReport) {
+  if (!qeReport) {
+    throw ErrQeReportCertificationDataNil;
+  }
+  checkQeReport(qeReport.qeReport);
+  if (qeReport.qeReportSignature.length !== signatureSize) {
+    throw new Error(
+      `signature size is ${qeReport.qeReportSignature.length} bytes. Expected ${signatureSize} bytes`
+    );
+  }
+  checkQeAuthData(qeReport.qeAuthData);
+  checkPCKCertificateChain(qeReport.pckCertificateChainData);
+}
+function checkQeAuthData(authData) {
+  if (!authData) {
+    throw ErrQeAuthDataNil;
+  }
+  const { parsedDataSize, data } = authData;
+  if (parsedDataSize >= 1 << 16) {
+    throw new Error(
+      `parsed data size field must fit in 2 bytes, got ${parsedDataSize}`
+    );
+  }
+  if (parsedDataSize !== data.length) {
+    throw new Error(
+      `parsed data size is ${data.length} bytes. Expected ${parsedDataSize} bytes`
+    );
+  }
+}
+function certificationDataToProto(b) {
+  const data = b.slice();
+  const certificateDataType = new DataView(
+    data.buffer,
+    data.byteOffset,
+    data.byteLength
+  ).getUint16(certificateDataTypeStart, true);
+  const size = new DataView(
+    data.buffer,
+    data.byteOffset,
+    data.byteLength
+  ).getUint32(certificateSizeStart, true);
+  const rawCertificateData = data.slice(certificateDataStart);
+  if (rawCertificateData.length !== size) {
+    throw new Error(
+      `size of certificate data is 0x${rawCertificateData.length.toString(16)}. Expected size 0x${size.toString(16)}`
+    );
+  }
+  const qeReportCertificationData = qeReportCertificationDataToProto(rawCertificateData);
+  const certification = {
+    certificateDataType,
+    size,
+    qeReportCertificationData
+  };
+  checkCertificationData(certification);
+  return certification;
+}
+function qeReportCertificationDataToProto(b) {
+  const data = b.slice();
+  const qeReportCertificationData = {};
+  const enclaveReport = enclaveReportToProto(
+    data.slice(enclaveReportStart, enclaveReportEnd)
+  );
+  qeReportCertificationData.qeReport = enclaveReport;
+  qeReportCertificationData.qeReportSignature = data.slice(
+    qeReportCertificationDataSignatureStart,
+    qeReportCertificationDataSignatureEnd
+  );
+  const { authData, authDataSize } = qeAuthDataToProto(
+    data.slice(qeReportCertificationDataAuthDataStart)
+  );
+  qeReportCertificationData.qeAuthData = authData;
+  const pckCertStart = qeReportCertificationDataAuthDataStart + authDataSize;
+  const pckCertChain = pckCertificateChainToProto(data.slice(pckCertStart));
+  qeReportCertificationData.pckCertificateChainData = pckCertChain;
+  checkQeReportCertificationData(qeReportCertificationData);
+  return qeReportCertificationData;
+}
+function qeAuthDataToProto(b) {
+  const data = b.slice();
+  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
+  const parsedDataSize = view.getUint16(authDataParsedDataSizeStart, true);
+  const authDataStart = authDataParsedDataSizeEnd;
+  const authDataEnd = authDataStart + parsedDataSize;
+  const authData = {
+    parsedDataSize,
+    data: data.slice(authDataStart, authDataEnd)
+  };
+  checkQeAuthData(authData);
+  return {
+    authData,
+    authDataSize: authDataEnd
+  };
+}
+function quoteToProtoV4(buf) {
+  if (buf.length < 1020) {
+    throw new Error("quote too small - min 0x3fc");
+  }
+  const header = headerToProto(buf.slice(0, 48));
+  const body = tdQuoteBodyToProto(buf.slice(48, 632));
+  const signedDataSize = leU32(buf, 632);
+  const signedDataStart = 636;
+  if (buf.length < signedDataStart + signedDataSize)
+    throw new Error("signedDataSize exceeds buffer");
+  const signedData = signedDataToProto(
+    buf.slice(signedDataStart, signedDataStart + signedDataSize)
+  );
+  const extra = buf.slice(signedDataStart + signedDataSize);
+  return {
+    header,
+    tdQuoteBody: body,
+    signedDataSize,
+    signedData,
+    extraBytes: extra.length ? extra : void 0
+  };
+}
+function determineQuoteFormat(buf) {
+  if (buf.length < 2) throw new Error("buffer too small to detect format");
+  return leU16(buf);
+}
+function localValidateTdxQuote(quote, opts) {
+  if (!opts) {
+    throw ErrOptionsNil;
+  }
+  if (!quote || quote.tdQuoteBody === void 0) {
+    throw new Error("unsupported quote type");
+  }
+  validateTdxQuoteV4(quote, opts);
+}
+
+// src/audit/registry.ts
+import { ethers } from "ethers";
+var REGISTRY_ABI = [
+  "function isMeasurementRegistered(bytes32 measurement) view returns (bool)"
+];
+async function isMeasurementRegistered(provider, contractAddress, measurement) {
+  const contract = new ethers.Contract(contractAddress, REGISTRY_ABI, provider);
+  const measurementHex = ethers.hexlify(measurement);
+  return contract.isMeasurementRegistered(measurementHex);
+}
+async function verifyQuoteRegistered(hashAggregates, ethereumEndpoint, contractAddress) {
+  const provider = new ethers.JsonRpcProvider(ethereumEndpoint);
+  for (const variant of hashAggregates) {
+    try {
+      if (await isMeasurementRegistered(provider, contractAddress, variant)) {
+        return true;
+      }
+    } catch (err) {
+      throw new Error(
+        `Registry lookup failed for measurement ${ethers.hexlify(variant)}: ${err.message}`
+      );
+    }
+  }
+  return false;
+}
+function toU8Arr(str) {
+  return Uint8Array.from(Buffer.from(str, "hex"));
+}
+function aggregateAllMeasurementsPCS(m) {
+  const body = m.body;
+  const exts = m.pckExt;
+  return concatUint8Arrays([
+    body.mrConfigId,
+    body.mrOwner,
+    body.mrOwnerConfig,
+    body.mrSeam,
+    body.mrSignerSeam,
+    body.mrTd,
+    //measurements.ReportData, # differs between quotes
+    body.seamAttributes,
+    body.tdAttributes,
+    //measurements.TeeTcbSvn, # differs between machines and needs to be greater than some value
+    body.xfam,
+    body.rtmrs[0],
+    body.rtmrs[1],
+    body.rtmrs[2],
+    body.rtmrs[3],
+    toU8Arr(exts.fmspc),
+    // Family-Model-Stepping-Platform-Custom SKU
+    toU8Arr(exts.ppid)
+    // specific machine
+  ]);
+}
+function aggregateCodeMeasurementsAllPCS(m) {
+  const body = m.body;
+  const exts = m.pckExt;
+  return concatUint8Arrays([
+    body.mrConfigId,
+    body.mrOwner,
+    body.mrOwnerConfig,
+    body.mrSeam,
+    body.mrSignerSeam,
+    body.mrTd,
+    body.rtmrs[0],
+    body.rtmrs[1],
+    body.rtmrs[2],
+    body.rtmrs[3],
+    toU8Arr(exts.fmspc)
+    // Family-Model-Stepping-Platform-Custom SKU
+  ]);
+}
+function aggregateCodeMeasurementsTD(m) {
+  const body = m.body;
+  return concatUint8Arrays([
+    body.mrTd,
+    body.rtmrs[0],
+    body.rtmrs[1],
+    body.rtmrs[2],
+    body.rtmrs[3]
+  ]);
+}
+function aggregateCodeMeasurementsAll(m) {
+  const body = m.body;
+  return concatUint8Arrays([
+    body.mrConfigId,
+    body.mrOwner,
+    body.mrOwnerConfig,
+    body.mrSeam,
+    body.mrSignerSeam,
+    body.mrTd,
+    ...body.rtmrs
+  ]);
+}
+function aggregateAllMeasurements(m) {
+  const body = m.body;
+  return concatUint8Arrays([
+    body.mrConfigId,
+    body.mrOwner,
+    body.mrOwnerConfig,
+    body.mrSeam,
+    body.mrSignerSeam,
+    body.mrTd,
+    body.seamAttributes,
+    body.tdAttributes,
+    body.teeTcbSvn,
+    body.xfam,
+    ...body.rtmrs
+  ]);
+}
+function concatUint8Arrays(arrays) {
+  const totalLength = arrays.reduce((sum, a) => sum + a.length, 0);
+  const result = new Uint8Array(totalLength);
+  let offset = 0;
+  for (const arr of arrays) {
+    result.set(arr, offset);
+    offset += arr.length;
+  }
+  return result;
+}
+async function hashMeasurements(input) {
+  const first = await sha256(input);
+  const second = await sha256(first);
+  return second;
+}
+
+// src/audit/quoteToHash.ts
+var CHALLENGE_DOMAIN_SEPARATOR = "CUSTOM-RPC ATTEST:";
+async function parseVerifyRawQuote(raw, rootPem) {
+  const quote = await quoteToProto(raw);
+  if (!quote) {
+    throw new Error("Failed to parse quote");
+  }
+  const rot = {
+    cabundles: [rootPem]
+  };
+  const verifyOptions = await rootOfTrustToVerifyOptions(rot);
+  const exts = await localVerifyTdxQuote(quote, verifyOptions);
+  const val_opts = {
+    // defaults are reasonable
+    headerOptions: {},
+    tdQuoteBodyOptions: {}
+  };
+  localValidateTdxQuote(quote, val_opts);
+  return { body: quote.tdQuoteBody, pckExt: exts };
+}
+async function quoteToProto(b) {
+  const quoteFormat = determineQuoteFormat(b);
+  if (!quoteFormat) {
+    throw new Error("Failed to determine quote format");
+  }
+  switch (quoteFormat) {
+    case intelQuoteV4Version:
+      return quoteToProtoV4(b);
+    default:
+      throw new Error("Quote format not supported");
+  }
+}
+async function quoteToHash(rawQuote, rootPem) {
+  const tdQuoteBody = await parseVerifyRawQuote(rawQuote, rootPem);
+  if (!tdQuoteBody) {
+    throw new Error("error parsing and verifying TDX quote");
+  }
+  const reportData = tdQuoteBody.body.reportData;
+  const domainSeparator = reportData.slice(0, CHALLENGE_DOMAIN_SEPARATOR.length);
+  const expectedDomain = new TextEncoder().encode(CHALLENGE_DOMAIN_SEPARATOR);
+  if (!equalBytes(domainSeparator, expectedDomain)) {
+    throw new Error("quote constructed for alternate purpose");
+  }
+  return {
+    challenge: reportData.slice(CHALLENGE_DOMAIN_SEPARATOR.length),
+    hashVariants: [
+      await hashMeasurements(
+        aggregateCodeMeasurementsTD(tdQuoteBody)
+      ),
+      await hashMeasurements(
+        aggregateCodeMeasurementsAll(tdQuoteBody)
+      ),
+      await hashMeasurements(
+        aggregateAllMeasurements(tdQuoteBody)
+      ),
+      await hashMeasurements(
+        aggregateAllMeasurementsPCS(tdQuoteBody)
+      ),
+      await hashMeasurements(
+        aggregateCodeMeasurementsAllPCS(tdQuoteBody)
+      )
+    ]
+  };
+}
+async function sha256(input) {
+  const hashBuffer = await crypto.subtle.digest("SHA-256", input);
+  return new Uint8Array(hashBuffer);
+}
+
+// src/audit/challenge.ts
+function compressUncompressedSecp256k1(pubUncompressed) {
+  if (pubUncompressed.length !== 65 || pubUncompressed[0] !== 4) {
+    throw new Error(
+      `Unexpected pubkey format/length: ${pubUncompressed.length}`
+    );
+  }
+  const x = pubUncompressed.slice(1, 33);
+  const y = pubUncompressed.slice(33, 65);
+  const prefix = (y[31] & 1) === 0 ? 2 : 3;
+  return Buffer.concat([Buffer.from([prefix]), Buffer.from(x)]);
+}
+var DomainSeparatorSign = "CUSTOM-RPC SIGN:";
+function stringToBytes(str) {
+  let rawQuote;
+  try {
+    rawQuote = ethers2.getBytes("0x" + str);
+  } catch (e) {
+    throw new Error(`Invalid hex: ${e?.message ?? e}`);
+  }
+  return rawQuote;
+}
+async function validateTdxAttestation(attestBody, exporterKey, l1RpcUrl, registryContractAddress) {
+  const text = attestBody.toString("utf8").trim();
+  let json;
+  try {
+    json = JSON.parse(text);
+  } catch (e) {
+    throw new Error(`Invalid TDX attestation body JSON: ${e?.message ?? e}`);
+  }
+  const rawQuote = stringToBytes(json.quote);
+  const { challenge, hashVariants } = await quoteToHash(rawQuote, CA_ROOT_PEM);
+  const registered = await verifyQuoteRegistered(
+    hashVariants,
+    l1RpcUrl,
+    registryContractAddress
+  );
+  if (!registered) {
+    throw new Error("TDX measurement not registered in verification registry");
+  }
+  const challengeBuffer = Buffer.from(challenge);
+  if (challengeBuffer.length < 32) {
+    throw new Error(`Report data too short: ${challengeBuffer.length}`);
+  }
+  const pubHashFromQuote = challengeBuffer.subarray(challengeBuffer.length - 32);
+  const pubCompressed = await recoverSignaturePubkey(
+    exporterKey,
+    json.signature
+  );
+  const pubHash = await sha256(pubCompressed);
+  return bytesEqual(pubHashFromQuote, pubHash);
+}
+async function recoverSignaturePubkey(message, signatureHex) {
+  const digest = await sha256(
+    Buffer.concat([
+      Buffer.from(DomainSeparatorSign, "utf8"),
+      Buffer.from(message)
+    ])
+  );
+  const sigBytes = stringToBytes(signatureHex);
+  if (sigBytes.length !== 65) {
+    throw new Error(
+      `Invalid signature length: ${sigBytes.length} (expected 65)`
+    );
+  }
+  const sig = Buffer.from(sigBytes);
+  if (sig[64] === 0 || sig[64] === 1) {
+    sig[64] += 27;
+  }
+  let pubUncompressed;
+  try {
+    const pubHex = ethers2.SigningKey.recoverPublicKey(
+      ethers2.hexlify(digest),
+      ethers2.hexlify(sig)
+    );
+    pubUncompressed = ethers2.getBytes(pubHex);
+  } catch (e) {
+    throw new Error(
+      `Failed to recover public key from signature: ${e?.message ?? e}`
+    );
+  }
+  const pubCompressed = compressUncompressedSecp256k1(pubUncompressed);
+  return pubCompressed;
+}
+function bytesEqual(a, b) {
+  if (a.length !== b.length) return false;
+  for (let i = 0; i < a.length; i++) {
+    if (a[i] !== b[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+
+export {
+  SIGN_RPC_METHODS,
+  eip721Domain,
+  delegateEIP721Types,
+  DEBUG_NAMESPACE,
+  DEBUG_NAMESPACE_SILENTDATA_INTERCEPTOR,
+  HEADER_SIGNATURE,
+  HEADER_TIMESTAMP,
+  HEADER_SIGNATURE_TYPE,
+  HEADER_EIP712_SIGNATURE,
+  HEADER_DELEGATE,
+  HEADER_DELEGATE_SIGNATURE,
+  HEADER_EIP712_DELEGATE_SIGNATURE,
+  HEADER_SIGNER_SWC,
+  HEADER_FROM_BLOCK,
+  ENTRYPOINT_ADDRESS,
+  DEFAULT_USER_OPERATION_RECEIPT_LOOKUP_RANGE,
+  USER_OPERATION_EVENT_SIGNATURE,
+  USER_OPERATION_EVENT_HASH,
+  DEFAULT_DELEGATE_EXPIRES,
+  DELEGATE_EXPIRATION_THRESHOLD_BUFFER,
+  WHITELISTED_METHODS,
+  PRIVATE_EVENT_SIGNATURE,
+  PRIVATE_EVENT_SIGNATURE_HASH,
+  calculateEventTypeHash,
+  ChainId,
+  NetworkName,
+  SignatureType,
+  getAuthEIP721Types,
+  getAuthHeaders,
+  isSignableContractCall,
+  defaultGetDelegate,
+  prepareTypedDataPayload,
+  SilentDataRollupBase,
+  SilentDataRollupContract,
+  validateTdxAttestation
+};