npm - @dynamic-labs-wallet/forward-mpc-client - Versions diffs - 0.3.0 → 0.5.0 - Mend

@dynamic-labs-wallet/forward-mpc-client 0.3.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -1,8 +1,20 @@
-import { EventEmitter } from 'eventemitter3';
-import { TraceContext, HashAlgorithm, BaseWebSocketMessage } from '@dynamic-labs-wallet/forward-mpc-shared';
+import EventEmitter$1, { EventEmitter } from 'eventemitter3';
+import { TraceContext, HashAlgorithm, BaseWebSocketMessage, encryptKeyshare, WebSocketError } from '@dynamic-labs-wallet/forward-mpc-shared';
 export { BaseWebSocketMessage, ErrorResponse, HandshakeV1RequestMessage, HandshakeV1ResponseMessage, SignMessageV1RequestMessage, SignMessageV1ResponseMessage, WebSocketError, WebSocketErrorType } from '@dynamic-labs-wallet/forward-mpc-shared';
 import { SigningAlgorithm } from '@dynamic-labs-wallet/core';
+export { SigningAlgorithm } from '@dynamic-labs-wallet/core';
+/**
+ * Result of attestation document verification
+ */
+interface AttestationVerificationResult {
+    /** Whether the attestation document is valid */
+    valid: boolean;
+    /** Any verification errors */
+    errors: string[];
+    /** Timestamp when verification was performed */
+    timestamp: number;
+}
 /**
  * Configuration for attestation verification
  */
@@ -14,6 +26,12 @@ interface AttestationVerificationConfig {
     /** Maximum age of attestation document in milliseconds */
     maxAge?: number;
 }
+/**
+ * Verifies a Nitro attestation document received during handshake.
+ */
+interface AttestationVerifier {
+    verify(attestationDocBase64: string, expectedChallenge: string, nonce: Uint8Array): Promise<AttestationVerificationResult>;
+}
 interface ForwardMPCClientOptions {
     reconnectAttempts?: number;
@@ -129,4 +147,254 @@ declare class ForwardMPCClient extends EventEmitter {
     private verifyAttestationDocument;
 }
-export { type ClientEvents, ForwardMPCClient, type ForwardMPCClientOptions };
+/**
+ * When an ExternalLogger is provided, the library routes all log calls through
+ * it. The signature matches the Datadog Browser SDK logger so that the same
+ * instance can be passed directly.
+ *
+ * Compatible with the Datadog Browser SDK logger interface (@datadog/browser-logs).
+ */
+interface ExternalLogger {
+    debug(message: string, messageContext?: object, error?: Error): void;
+    info(message: string, messageContext?: object, error?: Error): void;
+    warn(message: string, messageContext?: object, error?: Error): void;
+    error(message: string, messageContext?: object, error?: Error): void;
+}
+interface BaseMessageParams {
+    traceContext?: TraceContext;
+    userId?: string;
+    environmentId?: string;
+}
+interface BaseMPCMessageParams {
+    relayDomain: string;
+    roomUuid: string;
+    signingAlgo: SigningAlgorithm;
+}
+interface SignMessageParams extends BaseMessageParams, BaseMPCMessageParams {
+    keyshare: Parameters<typeof encryptKeyshare>[0];
+    message: Uint8Array | string;
+    hashAlgo?: HashAlgorithm;
+    derivationPath?: Uint32Array;
+    tweak?: Uint8Array;
+}
+interface KeygenParams extends BaseMessageParams, BaseMPCMessageParams {
+    keygenInit: {
+        keygenId: string;
+        keygenSecret: string;
+    };
+    numParties: number;
+    threshold: number;
+    keygenIds: string[];
+}
+type ReceiveKeyParams = Omit<KeygenParams, 'signingAlgo'>;
+interface SignMessageResult {
+    signature: Uint8Array;
+}
+interface KeygenResult {
+    pubkey: Uint8Array;
+    secretShare: string;
+}
+interface ReceiveKeyResult {
+    pubkey: Uint8Array;
+    secretShare: string;
+}
+interface ForwardMPCClientV2Options {
+    reconnectAttempts?: number;
+    reconnectInterval?: number;
+    connectionTimeout?: number;
+    requestTimeout?: number;
+    attestationConfig?: AttestationVerificationConfig;
+    attestationVerifier?: AttestationVerifier;
+    /**
+     * Disables attestation verification. DO NOT use in production.
+     * @deprecated Use only for local development and testing.
+     */
+    dangerouslyBypassAttestation?: boolean;
+    logger?: ExternalLogger;
+}
+interface ClientV2Events {
+    connected: () => void;
+    disconnected: () => void;
+    error: (error: Error) => void;
+}
+declare class ForwardMPCClientV2 extends EventEmitter$1<ClientV2Events> {
+    protected readonly url: string;
+    protected readonly options: ForwardMPCClientV2Options;
+    private readonly transport;
+    private readonly sessionOptions;
+    private readonly logger;
+    private session;
+    private _connectPromise;
+    private _handshaking;
+    private _disconnectedIntentionally;
+    constructor(url: string, options?: ForwardMPCClientV2Options);
+    get connected(): boolean;
+    /**
+     * Opens the WebSocket connection and performs the ML-KEM-768 handshake.
+     * Resolves once the session is fully established (and attested, if configured).
+     * Concurrent calls coalesce on a single in-flight promise.
+     */
+    connect(traceContext?: TraceContext): Promise<void>;
+    /**
+     * Disposes the current session (zeroing crypto material) and closes the transport.
+     */
+    disconnect(): void;
+    signMessage(params: SignMessageParams): Promise<SignMessageResult>;
+    /**
+     * MPC key generation for ECDSA and BIP340.
+     * ED25519 is not supported here — use receiveKey() instead.
+     */
+    keygen(params: KeygenParams): Promise<KeygenResult>;
+    /**
+     * Receives an ED25519 key generated by another party (ExportableEd25519).
+     */
+    receiveKey(params: ReceiveKeyParams): Promise<ReceiveKeyResult>;
+    /**
+     * Ensures an active session exists, auto-connecting if needed.
+     */
+    private ensureSession;
+    private _runHandshake;
+    private _doConnect;
+    /**
+     * Called when the transport connects (both initial and after auto-reconnect).
+     * The `_handshaking` flag is set synchronously at the top of `_doConnect`
+     * before any await, so it reliably indicates when we already own the handshake.
+     *
+     * For transport-initiated reconnects, `_connectPromise` is set so that
+     * concurrent `connect()` or `ensureSession()` callers coalesce on the
+     * in-flight handshake rather than initiating a second one.
+     */
+    private onTransportConnected;
+    private onTransportDisconnected;
+}
+/**
+ * @deprecated Use {@link ForwardMPCClientV2} directly and manage the instance
+ * lifecycle yourself. This class will be removed in a future version.
+ */
+declare class ForwardMPCClientSingleton extends ForwardMPCClientV2 {
+}
+declare const ErrorCode: {
+    readonly CONNECTION_FAILED: "CONNECTION_FAILED";
+    readonly CONNECTION_TIMEOUT: "CONNECTION_TIMEOUT";
+    readonly NOT_CONNECTED: "NOT_CONNECTED";
+    readonly HANDSHAKE_FAILED: "HANDSHAKE_FAILED";
+    readonly HANDSHAKE_INVALID_RESPONSE: "HANDSHAKE_INVALID_RESPONSE";
+    readonly ATTESTATION_FAILED: "ATTESTATION_FAILED";
+    readonly ATTESTATION_NONCE_MISSING: "ATTESTATION_NONCE_MISSING";
+    readonly REQUEST_TIMEOUT: "REQUEST_TIMEOUT";
+    readonly SESSION_DISPOSED: "SESSION_DISPOSED";
+    readonly SERVER_ERROR: "SERVER_ERROR";
+    readonly MESSAGE_PARSE_FAILED: "MESSAGE_PARSE_FAILED";
+    readonly SESSION_ESTABLISH_FAILED: "SESSION_ESTABLISH_FAILED";
+    readonly UNSUPPORTED_ALGORITHM: "UNSUPPORTED_ALGORITHM";
+};
+type ErrorCode = (typeof ErrorCode)[keyof typeof ErrorCode];
+declare const ForwardMPCErrorType: {
+    readonly TRANSPORT: "transport";
+    readonly SESSION: "session";
+    readonly CLIENT: "client";
+};
+type ForwardMPCErrorType = (typeof ForwardMPCErrorType)[keyof typeof ForwardMPCErrorType];
+/**
+ * Abstract root for all Forward MPC errors.
+ * `instanceof ForwardMPCError` is true for every error thrown by this library.
+ */
+declare abstract class ForwardMPCError extends Error {
+    readonly code: ErrorCode;
+    readonly type: ForwardMPCErrorType;
+    readonly context?: Record<string, unknown>;
+    constructor(message: string, code: ErrorCode, type: ForwardMPCErrorType, context?: Record<string, unknown>);
+    toJSON(): Record<string, unknown>;
+}
+/** Abstract base for errors originating from the WebSocket / transport layer. */
+declare abstract class TransportError extends ForwardMPCError {
+    constructor(message: string, code: ErrorCode, context?: Record<string, unknown>);
+}
+/** Abstract base for errors originating from the session / crypto / protocol layer. */
+declare abstract class SessionError extends ForwardMPCError {
+    constructor(message: string, code: ErrorCode, context?: Record<string, unknown>);
+}
+/** Abstract base for errors originating from the client / application layer. */
+declare abstract class ClientError extends ForwardMPCError {
+    constructor(message: string, code: ErrorCode, context?: Record<string, unknown>);
+}
+declare class TransportConnectionError extends TransportError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class TransportConnectionTimeoutError extends TransportError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class TransportNotConnectedError extends TransportError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionHandshakeError extends SessionError {
+    constructor(reason: string, context?: Record<string, unknown>);
+}
+declare class SessionHandshakeInvalidResponseError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionAttestationError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionAttestationNonceMissingError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionRequestTimeoutError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionDisposedError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionServerError extends SessionError {
+    constructor(reason: string, context?: Record<string, unknown>);
+}
+declare class SessionMessageParseError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+/**
+ * The remote server returned an explicit error response.
+ * Carries the full WebSocketError payload so callers can inspect
+ * `serverError.type` and `serverError.details`.
+ */
+declare class SessionRemoteError extends SessionError {
+    readonly serverError: WebSocketError;
+    constructor(serverError: WebSocketError, context?: Record<string, unknown>);
+}
+declare class ClientUnsupportedAlgorithmError extends ClientError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class ClientSessionEstablishFailedError extends ClientError {
+    constructor(context?: Record<string, unknown>);
+}
+/**
+ * Nitro Enclave Attestation Document Verifier
+ * Uses Evervault's official WASM attestation bindings
+ * Optimized for client-side usage with hex string input
+ */
+declare class NitroAttestationVerifier implements AttestationVerifier {
+    private readonly config;
+    private wasmInitPromise;
+    constructor(config: AttestationVerificationConfig);
+    /**
+     * Initialises the WASM module exactly once. Concurrent callers share the
+     * same in-flight promise, preventing duplicate initialisation.
+     * On failure the promise is cleared so the next call may retry.
+     */
+    private ensureWasmInitialized;
+    /**
+     * Verify an attestation document using Evervault WASM bindings
+     * Accepts base64-encoded attestation document directly
+     *
+     * @param attestationDocBase64 - Base64-encoded attestation document
+     * @param expectedChallenge - Expected challenge (ciphertext hash)
+     * @param nonce - Expected nonce (REQUIRED for security)
+     */
+    verify(attestationDocBase64: string, expectedChallenge: string, nonce: Uint8Array): Promise<AttestationVerificationResult>;
+}
+export { type AttestationVerificationConfig, type AttestationVerificationResult, type AttestationVerifier, ClientError, type ClientEvents, ClientSessionEstablishFailedError, ClientUnsupportedAlgorithmError, type ClientV2Events, ErrorCode, type ExternalLogger, ForwardMPCClient, type ForwardMPCClientOptions, ForwardMPCClientSingleton, ForwardMPCClientV2, type ForwardMPCClientV2Options, ForwardMPCError, ForwardMPCErrorType, type KeygenParams, type KeygenResult, NitroAttestationVerifier, type ReceiveKeyParams, type ReceiveKeyResult, SessionAttestationError, SessionAttestationNonceMissingError, SessionDisposedError, SessionError, SessionHandshakeError, SessionHandshakeInvalidResponseError, SessionMessageParseError, SessionRemoteError, SessionRequestTimeoutError, SessionServerError, type SignMessageParams, type SignMessageResult, TransportConnectionError, TransportConnectionTimeoutError, TransportError, TransportNotConnectedError };

package/dist/index.d.ts CHANGED Viewed

@@ -1,8 +1,20 @@
-import { EventEmitter } from 'eventemitter3';
-import { TraceContext, HashAlgorithm, BaseWebSocketMessage } from '@dynamic-labs-wallet/forward-mpc-shared';
+import EventEmitter$1, { EventEmitter } from 'eventemitter3';
+import { TraceContext, HashAlgorithm, BaseWebSocketMessage, encryptKeyshare, WebSocketError } from '@dynamic-labs-wallet/forward-mpc-shared';
 export { BaseWebSocketMessage, ErrorResponse, HandshakeV1RequestMessage, HandshakeV1ResponseMessage, SignMessageV1RequestMessage, SignMessageV1ResponseMessage, WebSocketError, WebSocketErrorType } from '@dynamic-labs-wallet/forward-mpc-shared';
 import { SigningAlgorithm } from '@dynamic-labs-wallet/core';
+export { SigningAlgorithm } from '@dynamic-labs-wallet/core';
+/**
+ * Result of attestation document verification
+ */
+interface AttestationVerificationResult {
+    /** Whether the attestation document is valid */
+    valid: boolean;
+    /** Any verification errors */
+    errors: string[];
+    /** Timestamp when verification was performed */
+    timestamp: number;
+}
 /**
  * Configuration for attestation verification
  */
@@ -14,6 +26,12 @@ interface AttestationVerificationConfig {
     /** Maximum age of attestation document in milliseconds */
     maxAge?: number;
 }
+/**
+ * Verifies a Nitro attestation document received during handshake.
+ */
+interface AttestationVerifier {
+    verify(attestationDocBase64: string, expectedChallenge: string, nonce: Uint8Array): Promise<AttestationVerificationResult>;
+}
 interface ForwardMPCClientOptions {
     reconnectAttempts?: number;
@@ -129,4 +147,254 @@ declare class ForwardMPCClient extends EventEmitter {
     private verifyAttestationDocument;
 }
-export { type ClientEvents, ForwardMPCClient, type ForwardMPCClientOptions };
+/**
+ * When an ExternalLogger is provided, the library routes all log calls through
+ * it. The signature matches the Datadog Browser SDK logger so that the same
+ * instance can be passed directly.
+ *
+ * Compatible with the Datadog Browser SDK logger interface (@datadog/browser-logs).
+ */
+interface ExternalLogger {
+    debug(message: string, messageContext?: object, error?: Error): void;
+    info(message: string, messageContext?: object, error?: Error): void;
+    warn(message: string, messageContext?: object, error?: Error): void;
+    error(message: string, messageContext?: object, error?: Error): void;
+}
+interface BaseMessageParams {
+    traceContext?: TraceContext;
+    userId?: string;
+    environmentId?: string;
+}
+interface BaseMPCMessageParams {
+    relayDomain: string;
+    roomUuid: string;
+    signingAlgo: SigningAlgorithm;
+}
+interface SignMessageParams extends BaseMessageParams, BaseMPCMessageParams {
+    keyshare: Parameters<typeof encryptKeyshare>[0];
+    message: Uint8Array | string;
+    hashAlgo?: HashAlgorithm;
+    derivationPath?: Uint32Array;
+    tweak?: Uint8Array;
+}
+interface KeygenParams extends BaseMessageParams, BaseMPCMessageParams {
+    keygenInit: {
+        keygenId: string;
+        keygenSecret: string;
+    };
+    numParties: number;
+    threshold: number;
+    keygenIds: string[];
+}
+type ReceiveKeyParams = Omit<KeygenParams, 'signingAlgo'>;
+interface SignMessageResult {
+    signature: Uint8Array;
+}
+interface KeygenResult {
+    pubkey: Uint8Array;
+    secretShare: string;
+}
+interface ReceiveKeyResult {
+    pubkey: Uint8Array;
+    secretShare: string;
+}
+interface ForwardMPCClientV2Options {
+    reconnectAttempts?: number;
+    reconnectInterval?: number;
+    connectionTimeout?: number;
+    requestTimeout?: number;
+    attestationConfig?: AttestationVerificationConfig;
+    attestationVerifier?: AttestationVerifier;
+    /**
+     * Disables attestation verification. DO NOT use in production.
+     * @deprecated Use only for local development and testing.
+     */
+    dangerouslyBypassAttestation?: boolean;
+    logger?: ExternalLogger;
+}
+interface ClientV2Events {
+    connected: () => void;
+    disconnected: () => void;
+    error: (error: Error) => void;
+}
+declare class ForwardMPCClientV2 extends EventEmitter$1<ClientV2Events> {
+    protected readonly url: string;
+    protected readonly options: ForwardMPCClientV2Options;
+    private readonly transport;
+    private readonly sessionOptions;
+    private readonly logger;
+    private session;
+    private _connectPromise;
+    private _handshaking;
+    private _disconnectedIntentionally;
+    constructor(url: string, options?: ForwardMPCClientV2Options);
+    get connected(): boolean;
+    /**
+     * Opens the WebSocket connection and performs the ML-KEM-768 handshake.
+     * Resolves once the session is fully established (and attested, if configured).
+     * Concurrent calls coalesce on a single in-flight promise.
+     */
+    connect(traceContext?: TraceContext): Promise<void>;
+    /**
+     * Disposes the current session (zeroing crypto material) and closes the transport.
+     */
+    disconnect(): void;
+    signMessage(params: SignMessageParams): Promise<SignMessageResult>;
+    /**
+     * MPC key generation for ECDSA and BIP340.
+     * ED25519 is not supported here — use receiveKey() instead.
+     */
+    keygen(params: KeygenParams): Promise<KeygenResult>;
+    /**
+     * Receives an ED25519 key generated by another party (ExportableEd25519).
+     */
+    receiveKey(params: ReceiveKeyParams): Promise<ReceiveKeyResult>;
+    /**
+     * Ensures an active session exists, auto-connecting if needed.
+     */
+    private ensureSession;
+    private _runHandshake;
+    private _doConnect;
+    /**
+     * Called when the transport connects (both initial and after auto-reconnect).
+     * The `_handshaking` flag is set synchronously at the top of `_doConnect`
+     * before any await, so it reliably indicates when we already own the handshake.
+     *
+     * For transport-initiated reconnects, `_connectPromise` is set so that
+     * concurrent `connect()` or `ensureSession()` callers coalesce on the
+     * in-flight handshake rather than initiating a second one.
+     */
+    private onTransportConnected;
+    private onTransportDisconnected;
+}
+/**
+ * @deprecated Use {@link ForwardMPCClientV2} directly and manage the instance
+ * lifecycle yourself. This class will be removed in a future version.
+ */
+declare class ForwardMPCClientSingleton extends ForwardMPCClientV2 {
+}
+declare const ErrorCode: {
+    readonly CONNECTION_FAILED: "CONNECTION_FAILED";
+    readonly CONNECTION_TIMEOUT: "CONNECTION_TIMEOUT";
+    readonly NOT_CONNECTED: "NOT_CONNECTED";
+    readonly HANDSHAKE_FAILED: "HANDSHAKE_FAILED";
+    readonly HANDSHAKE_INVALID_RESPONSE: "HANDSHAKE_INVALID_RESPONSE";
+    readonly ATTESTATION_FAILED: "ATTESTATION_FAILED";
+    readonly ATTESTATION_NONCE_MISSING: "ATTESTATION_NONCE_MISSING";
+    readonly REQUEST_TIMEOUT: "REQUEST_TIMEOUT";
+    readonly SESSION_DISPOSED: "SESSION_DISPOSED";
+    readonly SERVER_ERROR: "SERVER_ERROR";
+    readonly MESSAGE_PARSE_FAILED: "MESSAGE_PARSE_FAILED";
+    readonly SESSION_ESTABLISH_FAILED: "SESSION_ESTABLISH_FAILED";
+    readonly UNSUPPORTED_ALGORITHM: "UNSUPPORTED_ALGORITHM";
+};
+type ErrorCode = (typeof ErrorCode)[keyof typeof ErrorCode];
+declare const ForwardMPCErrorType: {
+    readonly TRANSPORT: "transport";
+    readonly SESSION: "session";
+    readonly CLIENT: "client";
+};
+type ForwardMPCErrorType = (typeof ForwardMPCErrorType)[keyof typeof ForwardMPCErrorType];
+/**
+ * Abstract root for all Forward MPC errors.
+ * `instanceof ForwardMPCError` is true for every error thrown by this library.
+ */
+declare abstract class ForwardMPCError extends Error {
+    readonly code: ErrorCode;
+    readonly type: ForwardMPCErrorType;
+    readonly context?: Record<string, unknown>;
+    constructor(message: string, code: ErrorCode, type: ForwardMPCErrorType, context?: Record<string, unknown>);
+    toJSON(): Record<string, unknown>;
+}
+/** Abstract base for errors originating from the WebSocket / transport layer. */
+declare abstract class TransportError extends ForwardMPCError {
+    constructor(message: string, code: ErrorCode, context?: Record<string, unknown>);
+}
+/** Abstract base for errors originating from the session / crypto / protocol layer. */
+declare abstract class SessionError extends ForwardMPCError {
+    constructor(message: string, code: ErrorCode, context?: Record<string, unknown>);
+}
+/** Abstract base for errors originating from the client / application layer. */
+declare abstract class ClientError extends ForwardMPCError {
+    constructor(message: string, code: ErrorCode, context?: Record<string, unknown>);
+}
+declare class TransportConnectionError extends TransportError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class TransportConnectionTimeoutError extends TransportError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class TransportNotConnectedError extends TransportError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionHandshakeError extends SessionError {
+    constructor(reason: string, context?: Record<string, unknown>);
+}
+declare class SessionHandshakeInvalidResponseError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionAttestationError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionAttestationNonceMissingError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionRequestTimeoutError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionDisposedError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class SessionServerError extends SessionError {
+    constructor(reason: string, context?: Record<string, unknown>);
+}
+declare class SessionMessageParseError extends SessionError {
+    constructor(context?: Record<string, unknown>);
+}
+/**
+ * The remote server returned an explicit error response.
+ * Carries the full WebSocketError payload so callers can inspect
+ * `serverError.type` and `serverError.details`.
+ */
+declare class SessionRemoteError extends SessionError {
+    readonly serverError: WebSocketError;
+    constructor(serverError: WebSocketError, context?: Record<string, unknown>);
+}
+declare class ClientUnsupportedAlgorithmError extends ClientError {
+    constructor(context?: Record<string, unknown>);
+}
+declare class ClientSessionEstablishFailedError extends ClientError {
+    constructor(context?: Record<string, unknown>);
+}
+/**
+ * Nitro Enclave Attestation Document Verifier
+ * Uses Evervault's official WASM attestation bindings
+ * Optimized for client-side usage with hex string input
+ */
+declare class NitroAttestationVerifier implements AttestationVerifier {
+    private readonly config;
+    private wasmInitPromise;
+    constructor(config: AttestationVerificationConfig);
+    /**
+     * Initialises the WASM module exactly once. Concurrent callers share the
+     * same in-flight promise, preventing duplicate initialisation.
+     * On failure the promise is cleared so the next call may retry.
+     */
+    private ensureWasmInitialized;
+    /**
+     * Verify an attestation document using Evervault WASM bindings
+     * Accepts base64-encoded attestation document directly
+     *
+     * @param attestationDocBase64 - Base64-encoded attestation document
+     * @param expectedChallenge - Expected challenge (ciphertext hash)
+     * @param nonce - Expected nonce (REQUIRED for security)
+     */
+    verify(attestationDocBase64: string, expectedChallenge: string, nonce: Uint8Array): Promise<AttestationVerificationResult>;
+}
+export { type AttestationVerificationConfig, type AttestationVerificationResult, type AttestationVerifier, ClientError, type ClientEvents, ClientSessionEstablishFailedError, ClientUnsupportedAlgorithmError, type ClientV2Events, ErrorCode, type ExternalLogger, ForwardMPCClient, type ForwardMPCClientOptions, ForwardMPCClientSingleton, ForwardMPCClientV2, type ForwardMPCClientV2Options, ForwardMPCError, ForwardMPCErrorType, type KeygenParams, type KeygenResult, NitroAttestationVerifier, type ReceiveKeyParams, type ReceiveKeyResult, SessionAttestationError, SessionAttestationNonceMissingError, SessionDisposedError, SessionError, SessionHandshakeError, SessionHandshakeInvalidResponseError, SessionMessageParseError, SessionRemoteError, SessionRequestTimeoutError, SessionServerError, type SignMessageParams, type SignMessageResult, TransportConnectionError, TransportConnectionTimeoutError, TransportError, TransportNotConnectedError };