@elizaos/plugin-tee 2.0.0-alpha.3 → 2.0.0-alpha.4

package/dist/node/actions/index.d.ts

@@ -0,0 +1,2 @@
+export { remoteAttestationAction } from "./remoteAttestation";
+//# sourceMappingURL=index.d.ts.map

package/dist/node/actions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/actions/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/node/actions/index.js

@@ -0,0 +1 @@
+export { remoteAttestationAction } from "./remoteAttestation";

package/dist/node/actions/remoteAttestation.d.ts

@@ -0,0 +1,3 @@
+import type { Action } from "@elizaos/core";
+export declare const remoteAttestationAction: Action;
+//# sourceMappingURL=remoteAttestation.d.ts.map

package/dist/node/actions/remoteAttestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remoteAttestation.d.ts","sourceRoot":"","sources":["../../../src/actions/remoteAttestation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,MAAM,EAMP,MAAM,eAAe,CAAC;AAMvB,eAAO,MAAM,uBAAuB,EAAE,MAoIrC,CAAC"}

package/dist/node/actions/remoteAttestation.js

@@ -0,0 +1,115 @@
+import { logger } from "@elizaos/core";
+import { PhalaRemoteAttestationProvider } from "../providers/remoteAttestation";
+import { hexToUint8Array, uploadAttestationQuote } from "../utils";
+export const remoteAttestationAction = {
+    name: "REMOTE_ATTESTATION",
+    similes: [
+        "REMOTE_ATTESTATION",
+        "TEE_REMOTE_ATTESTATION",
+        "TEE_ATTESTATION",
+        "TEE_QUOTE",
+        "ATTESTATION",
+        "TEE_ATTESTATION_QUOTE",
+        "PROVE_TEE",
+        "VERIFY_TEE",
+    ],
+    description: "Generate a remote attestation to prove that the agent is running in a TEE (Trusted Execution Environment)",
+    validate: async (runtime) => {
+        const teeMode = runtime.getSetting("TEE_MODE");
+        if (!teeMode) {
+            logger.warn("REMOTE_ATTESTATION: TEE_MODE not configured");
+            return false;
+        }
+        return true;
+    },
+    handler: async (runtime, message, _state, _options, callback) => {
+        try {
+            const teeMode = runtime.getSetting("TEE_MODE");
+            if (!teeMode) {
+                logger.error("TEE_MODE is not configured");
+                callback?.({
+                    text: "TEE_MODE is not configured. Cannot generate attestation.",
+                    actions: ["NONE"],
+                });
+                return { success: false, error: "TEE_MODE is not configured" };
+            }
+            const attestationMessage = {
+                agentId: runtime.agentId,
+                timestamp: Date.now(),
+                message: {
+                    entityId: message.entityId,
+                    roomId: message.roomId,
+                    content: message.content.text ?? "",
+                },
+            };
+            logger.debug(`Generating attestation for: ${JSON.stringify(attestationMessage)}`);
+            const provider = new PhalaRemoteAttestationProvider(String(teeMode));
+            const attestation = await provider.generateAttestation(JSON.stringify(attestationMessage));
+            const attestationData = hexToUint8Array(attestation.quote);
+            const uploadResult = await uploadAttestationQuote(attestationData);
+            const proofUrl = `https://proof.t16z.com/reports/${uploadResult.checksum}`;
+            logger.info(`Attestation uploaded: ${proofUrl}`);
+            callback?.({
+                text: `Remote attestation quote: ${proofUrl}`,
+                actions: ["NONE"],
+            });
+            return { success: true, text: `Attestation generated: ${proofUrl}` };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            logger.error(`Failed to generate remote attestation: ${errorMessage}`);
+            callback?.({
+                text: `Failed to generate attestation: ${errorMessage}`,
+                actions: ["NONE"],
+            });
+            return { success: false, error: errorMessage };
+        }
+    },
+    examples: [
+        [
+            {
+                name: "{{name1}}",
+                content: {
+                    text: "If you are running in a TEE, generate a remote attestation",
+                },
+            },
+            {
+                name: "{{agentName}}",
+                content: {
+                    text: "Of course, one second...",
+                    actions: ["REMOTE_ATTESTATION"],
+                },
+            },
+        ],
+        [
+            {
+                name: "{{name1}}",
+                content: {
+                    text: "Can you prove you're running in a trusted execution environment?",
+                },
+            },
+            {
+                name: "{{agentName}}",
+                content: {
+                    text: "Absolutely! Let me generate a TEE attestation quote for you.",
+                    actions: ["REMOTE_ATTESTATION"],
+                },
+            },
+        ],
+        [
+            {
+                name: "{{name1}}",
+                content: {
+                    text: "I need verification that this conversation is happening in a secure enclave",
+                },
+            },
+            {
+                name: "{{agentName}}",
+                content: {
+                    text: "I'll generate a remote attestation to prove I'm running in a TEE.",
+                    actions: ["REMOTE_ATTESTATION"],
+                },
+            },
+        ],
+    ],
+};

package/dist/node/index.d.ts

@@ -0,0 +1,10 @@
+import { type Plugin } from "@elizaos/core";
+export { remoteAttestationAction } from "./actions";
+export { DeriveKeyProvider, PhalaDeriveKeyProvider, PhalaRemoteAttestationProvider, phalaDeriveKeyProvider, phalaRemoteAttestationProvider, RemoteAttestationProvider, } from "./providers";
+export { TEEService } from "./services";
+export * from "./types";
+export { calculateSHA256, getTeeEndpoint, hexToUint8Array, sha256Bytes, uint8ArrayToHex, uploadAttestationQuote, } from "./utils";
+export { getVendor, PhalaVendor, type TeeVendorInterface, TeeVendorNames, } from "./vendors";
+export declare const teePlugin: Plugin;
+export default teePlugin;
+//# sourceMappingURL=index.d.ts.map

package/dist/node/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8B,KAAK,MAAM,EAAE,MAAM,eAAe,CAAC;AAIxE,OAAO,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,8BAA8B,EAC9B,sBAAsB,EACtB,8BAA8B,EAC9B,yBAAyB,GAC1B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,cAAc,SAAS,CAAC;AACxB,OAAO,EACL,eAAe,EACf,cAAc,EACd,eAAe,EACf,WAAW,EACX,eAAe,EACf,sBAAsB,GACvB,MAAM,SAAS,CAAC;AACjB,OAAO,EACL,SAAS,EACT,WAAW,EACX,KAAK,kBAAkB,EACvB,cAAc,GACf,MAAM,WAAW,CAAC;AAInB,eAAO,MAAM,SAAS,EAAE,MA6BvB,CAAC;AAEF,eAAe,SAAS,CAAC"}

package/dist/node/index.js

@@ -0,0 +1,34 @@
+import { logger } from "@elizaos/core";
+import { TEEService } from "./services/tee";
+import { getVendor, TeeVendorNames } from "./vendors";
+export { remoteAttestationAction } from "./actions";
+export { DeriveKeyProvider, PhalaDeriveKeyProvider, PhalaRemoteAttestationProvider, phalaDeriveKeyProvider, phalaRemoteAttestationProvider, RemoteAttestationProvider, } from "./providers";
+export { TEEService } from "./services";
+export * from "./types";
+export { calculateSHA256, getTeeEndpoint, hexToUint8Array, sha256Bytes, uint8ArrayToHex, uploadAttestationQuote, } from "./utils";
+export { getVendor, PhalaVendor, TeeVendorNames, } from "./vendors";
+const defaultVendor = getVendor(TeeVendorNames.PHALA);
+export const teePlugin = {
+    name: "tee",
+    description: "TEE integration plugin for secure key management and remote attestation",
+    config: {
+        TEE_MODE: process.env.TEE_MODE ?? null,
+        TEE_VENDOR: process.env.TEE_VENDOR ?? null,
+        WALLET_SECRET_SALT: process.env.WALLET_SECRET_SALT ?? null,
+    },
+    async init(config, runtime) {
+        const vendorName = config.TEE_VENDOR ?? runtime.getSetting("TEE_VENDOR") ?? TeeVendorNames.PHALA;
+        const teeModeRaw = config.TEE_MODE ?? runtime.getSetting("TEE_MODE") ?? "LOCAL";
+        const teeMode = typeof teeModeRaw === "string" ? teeModeRaw : String(teeModeRaw);
+        logger.info(`Initializing TEE plugin with vendor: ${vendorName}, mode: ${teeMode}`);
+        if (!["LOCAL", "DOCKER", "PRODUCTION"].includes(teeMode.toUpperCase())) {
+            throw new Error(`Invalid TEE_MODE: ${teeMode}. Must be one of: LOCAL, DOCKER, PRODUCTION`);
+        }
+        logger.info(`TEE plugin initialized successfully`);
+    },
+    actions: defaultVendor.getActions(),
+    providers: defaultVendor.getProviders(),
+    services: [TEEService],
+    evaluators: [],
+};
+export default teePlugin;

package/dist/node/providers/base.d.ts

@@ -0,0 +1,8 @@
+import type { DeriveKeyResult, RemoteAttestationQuote, TdxQuoteHashAlgorithm } from "../types";
+export declare abstract class DeriveKeyProvider {
+    abstract rawDeriveKey(path: string, subject: string): Promise<DeriveKeyResult>;
+}
+export declare abstract class RemoteAttestationProvider {
+    abstract generateAttestation(reportData: string, hashAlgorithm?: TdxQuoteHashAlgorithm): Promise<RemoteAttestationQuote>;
+}
+//# sourceMappingURL=base.d.ts.map

package/dist/node/providers/base.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../../src/providers/base.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AAE/F,8BAAsB,iBAAiB;IACrC,QAAQ,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;CAC/E;AAED,8BAAsB,yBAAyB;IAC7C,QAAQ,CAAC,mBAAmB,CAC1B,UAAU,EAAE,MAAM,EAClB,aAAa,CAAC,EAAE,qBAAqB,GACpC,OAAO,CAAC,sBAAsB,CAAC;CACnC"}

package/dist/node/providers/base.js

@@ -0,0 +1,4 @@
+export class DeriveKeyProvider {
+}
+export class RemoteAttestationProvider {
+}

package/dist/node/providers/deriveKey.d.ts

@@ -0,0 +1,24 @@
+import { type Provider } from "@elizaos/core";
+import { type DeriveKeyResponse } from "@phala/dstack-sdk";
+import { Keypair } from "@solana/web3.js";
+import { type PrivateKeyAccount } from "viem/accounts";
+import type { DeriveKeyResult, RemoteAttestationQuote } from "../types";
+import { DeriveKeyProvider } from "./base";
+export declare class PhalaDeriveKeyProvider extends DeriveKeyProvider {
+    private readonly client;
+    private readonly raProvider;
+    constructor(teeMode: string);
+    private generateDeriveKeyAttestation;
+    rawDeriveKey(path: string, subject: string): Promise<DeriveKeyResult>;
+    rawDeriveKeyResponse(path: string, subject: string): Promise<DeriveKeyResponse>;
+    deriveEd25519Keypair(path: string, subject: string, agentId: string): Promise<{
+        keypair: Keypair;
+        attestation: RemoteAttestationQuote;
+    }>;
+    deriveEcdsaKeypair(path: string, subject: string, agentId: string): Promise<{
+        keypair: PrivateKeyAccount;
+        attestation: RemoteAttestationQuote;
+    }>;
+}
+export declare const phalaDeriveKeyProvider: Provider;
+//# sourceMappingURL=deriveKey.d.ts.map

package/dist/node/providers/deriveKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deriveKey.d.ts","sourceRoot":"","sources":["../../../src/providers/deriveKey.ts"],"names":[],"mappings":"AACA,OAAO,EAA2C,KAAK,QAAQ,EAAE,MAAM,eAAe,CAAC;AACvF,OAAO,EAAE,KAAK,iBAAiB,EAAe,MAAM,mBAAmB,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE1C,OAAO,EAAE,KAAK,iBAAiB,EAAuB,MAAM,eAAe,CAAC;AAC5E,OAAO,KAAK,EAEV,eAAe,EACf,sBAAsB,EAEvB,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAG3C,qBAAa,sBAAuB,SAAQ,iBAAiB;IAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAc;IACrC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAiC;gBAEhD,OAAO,EAAE,MAAM;YAcb,4BAA4B;IAapC,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAkBrE,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAO/E,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,WAAW,EAAE,sBAAsB,CAAA;KAAE,CAAC;IA6B/D,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;QACT,OAAO,EAAE,iBAAiB,CAAC;QAC3B,WAAW,EAAE,sBAAsB,CAAC;KACrC,CAAC;CAuBH;AAED,eAAO,MAAM,sBAAsB,EAAE,QA2DpC,CAAC"}

package/dist/node/providers/deriveKey.js

@@ -0,0 +1,143 @@
+import crypto from "node:crypto";
+import { logger } from "@elizaos/core";
+import { TappdClient } from "@phala/dstack-sdk";
+import { Keypair } from "@solana/web3.js";
+import { keccak256 } from "viem";
+import { privateKeyToAccount } from "viem/accounts";
+import { getTeeEndpoint } from "../utils";
+import { DeriveKeyProvider } from "./base";
+import { PhalaRemoteAttestationProvider } from "./remoteAttestation";
+export class PhalaDeriveKeyProvider extends DeriveKeyProvider {
+    client;
+    raProvider;
+    constructor(teeMode) {
+        super();
+        const endpoint = getTeeEndpoint(teeMode);
+        logger.info(endpoint
+            ? `TEE: Connecting to key derivation service at ${endpoint}`
+            : "TEE: Running key derivation in production mode");
+        this.client = endpoint ? new TappdClient(endpoint) : new TappdClient();
+        this.raProvider = new PhalaRemoteAttestationProvider(teeMode);
+    }
+    async generateDeriveKeyAttestation(agentId, publicKey, subject) {
+        const deriveKeyData = {
+            agentId,
+            publicKey,
+            subject,
+        };
+        return this.raProvider.generateAttestation(JSON.stringify(deriveKeyData));
+    }
+    async rawDeriveKey(path, subject) {
+        if (!path || !subject) {
+            throw new Error("Path and subject are required for key derivation");
+        }
+        try {
+            const response = await this.client.deriveKey(path, subject);
+            return {
+                key: response.asUint8Array(),
+                certificateChain: [],
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.error(`Error deriving raw key: ${message}`);
+            throw error;
+        }
+    }
+    async rawDeriveKeyResponse(path, subject) {
+        if (!path || !subject) {
+            throw new Error("Path and subject are required for key derivation");
+        }
+        return this.client.deriveKey(path, subject);
+    }
+    async deriveEd25519Keypair(path, subject, agentId) {
+        if (!path || !subject) {
+            throw new Error("Path and subject are required for key derivation");
+        }
+        try {
+            const derivedKey = await this.client.deriveKey(path, subject);
+            const uint8ArrayDerivedKey = derivedKey.asUint8Array();
+            const hash = crypto.createHash("sha256");
+            hash.update(uint8ArrayDerivedKey);
+            const seed = new Uint8Array(hash.digest());
+            const keypair = Keypair.fromSeed(seed.slice(0, 32));
+            const attestation = await this.generateDeriveKeyAttestation(agentId, keypair.publicKey.toBase58(), subject);
+            return { keypair, attestation };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.error(`Error deriving Ed25519 key: ${message}`);
+            throw error;
+        }
+    }
+    async deriveEcdsaKeypair(path, subject, agentId) {
+        if (!path || !subject) {
+            throw new Error("Path and subject are required for key derivation");
+        }
+        try {
+            const derivedKey = await this.client.deriveKey(path, subject);
+            const hex = keccak256(derivedKey.asUint8Array());
+            const keypair = privateKeyToAccount(hex);
+            const attestation = await this.generateDeriveKeyAttestation(agentId, keypair.address, subject);
+            return { keypair, attestation };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.error(`Error deriving ECDSA key: ${message}`);
+            throw error;
+        }
+    }
+}
+export const phalaDeriveKeyProvider = {
+    name: "phala-derive-key",
+    get: async (runtime, _message) => {
+        const teeModeRaw = runtime.getSetting("TEE_MODE");
+        if (!teeModeRaw) {
+            return {
+                data: null,
+                values: {},
+                text: "TEE_MODE is not configured",
+            };
+        }
+        const teeMode = typeof teeModeRaw === "string" ? teeModeRaw : String(teeModeRaw);
+        const secretSaltRaw = runtime.getSetting("WALLET_SECRET_SALT");
+        if (!secretSaltRaw) {
+            logger.error("WALLET_SECRET_SALT is not configured");
+            return {
+                data: null,
+                values: {},
+                text: "WALLET_SECRET_SALT is not configured in settings",
+            };
+        }
+        const secretSalt = typeof secretSaltRaw === "string" ? secretSaltRaw : String(secretSaltRaw);
+        const provider = new PhalaDeriveKeyProvider(teeMode);
+        const agentId = runtime.agentId;
+        try {
+            const solanaKeypair = await provider.deriveEd25519Keypair(secretSalt, "solana", agentId);
+            const evmKeypair = await provider.deriveEcdsaKeypair(secretSalt, "evm", agentId);
+            const walletData = {
+                solana: solanaKeypair.keypair.publicKey.toBase58(),
+                evm: evmKeypair.keypair.address,
+            };
+            const values = {
+                solana_public_key: solanaKeypair.keypair.publicKey.toBase58(),
+                evm_address: evmKeypair.keypair.address,
+            };
+            const text = `Solana Public Key: ${values.solana_public_key}\nEVM Address: ${values.evm_address}`;
+            return {
+                data: walletData,
+                values,
+                text,
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.error(`Error in derive key provider: ${message}`);
+            return {
+                data: null,
+                values: {},
+                text: `Failed to derive keys: ${message}`,
+            };
+        }
+    },
+};

package/dist/node/providers/index.d.ts

@@ -0,0 +1,4 @@
+export { DeriveKeyProvider, RemoteAttestationProvider } from "./base";
+export { PhalaDeriveKeyProvider, phalaDeriveKeyProvider } from "./deriveKey";
+export { PhalaRemoteAttestationProvider, phalaRemoteAttestationProvider, } from "./remoteAttestation";
+//# sourceMappingURL=index.d.ts.map

package/dist/node/providers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/providers/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,QAAQ,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC7E,OAAO,EACL,8BAA8B,EAC9B,8BAA8B,GAC/B,MAAM,qBAAqB,CAAC"}

package/dist/node/providers/index.js

@@ -0,0 +1,3 @@
+export { DeriveKeyProvider, RemoteAttestationProvider } from "./base";
+export { PhalaDeriveKeyProvider, phalaDeriveKeyProvider } from "./deriveKey";
+export { PhalaRemoteAttestationProvider, phalaRemoteAttestationProvider, } from "./remoteAttestation";

package/dist/node/providers/remoteAttestation.d.ts

@@ -0,0 +1,10 @@
+import { type Provider } from "@elizaos/core";
+import type { RemoteAttestationQuote, TdxQuoteHashAlgorithm } from "../types";
+import { RemoteAttestationProvider } from "./base";
+export declare class PhalaRemoteAttestationProvider extends RemoteAttestationProvider {
+    private readonly client;
+    constructor(teeMode: string);
+    generateAttestation(reportData: string, hashAlgorithm?: TdxQuoteHashAlgorithm): Promise<RemoteAttestationQuote>;
+}
+export declare const phalaRemoteAttestationProvider: Provider;
+//# sourceMappingURL=remoteAttestation.d.ts.map

package/dist/node/providers/remoteAttestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remoteAttestation.d.ts","sourceRoot":"","sources":["../../../src/providers/remoteAttestation.ts"],"names":[],"mappings":"AAAA,OAAO,EAA2C,KAAK,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEvF,OAAO,KAAK,EAEV,sBAAsB,EACtB,qBAAqB,EAEtB,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,yBAAyB,EAAE,MAAM,QAAQ,CAAC;AAEnD,qBAAa,8BAA+B,SAAQ,yBAAyB;IAC3E,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAc;gBAEzB,OAAO,EAAE,MAAM;IAarB,mBAAmB,CACvB,UAAU,EAAE,MAAM,EAClB,aAAa,CAAC,EAAE,qBAAqB,GACpC,OAAO,CAAC,sBAAsB,CAAC;CAiBnC;AAED,eAAO,MAAM,8BAA8B,EAAE,QA+C5C,CAAC"}

package/dist/node/providers/remoteAttestation.js

@@ -0,0 +1,73 @@
+import { logger } from "@elizaos/core";
+import { TappdClient } from "@phala/dstack-sdk";
+import { getTeeEndpoint } from "../utils";
+import { RemoteAttestationProvider } from "./base";
+export class PhalaRemoteAttestationProvider extends RemoteAttestationProvider {
+    client;
+    constructor(teeMode) {
+        super();
+        const endpoint = getTeeEndpoint(teeMode);
+        logger.info(endpoint
+            ? `TEE: Connecting to simulator at ${endpoint}`
+            : "TEE: Running in production mode without simulator");
+        this.client = endpoint ? new TappdClient(endpoint) : new TappdClient();
+    }
+    async generateAttestation(reportData, hashAlgorithm) {
+        try {
+            const tdxQuote = await this.client.tdxQuote(reportData, hashAlgorithm);
+            return {
+                quote: tdxQuote.quote,
+                timestamp: Date.now(),
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.error(`Error generating remote attestation: ${message}`);
+            throw new Error(`Failed to generate TDX Quote: ${message}`);
+        }
+    }
+}
+export const phalaRemoteAttestationProvider = {
+    name: "phala-remote-attestation",
+    get: async (runtime, message) => {
+        const teeModeRaw = runtime.getSetting("TEE_MODE");
+        if (!teeModeRaw) {
+            return {
+                data: null,
+                values: {},
+                text: "TEE_MODE is not configured",
+            };
+        }
+        const teeMode = typeof teeModeRaw === "string" ? teeModeRaw : String(teeModeRaw);
+        const provider = new PhalaRemoteAttestationProvider(teeMode);
+        const agentId = runtime.agentId;
+        try {
+            const attestationMessage = {
+                agentId,
+                timestamp: Date.now(),
+                message: {
+                    entityId: message.entityId,
+                    roomId: message.roomId,
+                    content: message.content.text ?? "",
+                },
+            };
+            const attestation = await provider.generateAttestation(JSON.stringify(attestationMessage));
+            return {
+                data: {
+                    quote: attestation.quote,
+                    timestamp: attestation.timestamp.toString(),
+                },
+                values: {
+                    quote: attestation.quote,
+                    timestamp: attestation.timestamp.toString(),
+                },
+                text: `Remote attestation: ${attestation.quote.substring(0, 64)}...`,
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            logger.error(`Error in remote attestation provider: ${message}`);
+            throw new Error(`Failed to generate TDX Quote: ${message}`);
+        }
+    },
+};

package/dist/node/services/index.d.ts

@@ -0,0 +1,2 @@
+export { TEEService } from "./tee";
+//# sourceMappingURL=index.d.ts.map

package/dist/node/services/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,OAAO,CAAC"}

package/dist/node/services/index.js

@@ -0,0 +1 @@
+export { TEEService } from "./tee";

package/dist/node/services/tee.d.ts

@@ -0,0 +1,24 @@
+import { type IAgentRuntime, type Metadata, Service, type UUID } from "@elizaos/core";
+import type { DeriveKeyResponse } from "@phala/dstack-sdk";
+import type { Keypair } from "@solana/web3.js";
+import type { PrivateKeyAccount } from "viem";
+import type { RemoteAttestationQuote, TeeServiceConfig } from "../types";
+export declare class TEEService extends Service {
+    private provider;
+    static serviceType: "tee";
+    capabilityDescription: string;
+    config?: Metadata;
+    constructor(runtime: IAgentRuntime, config?: Partial<TeeServiceConfig>);
+    static start(runtime: IAgentRuntime): Promise<TEEService>;
+    stop(): Promise<void>;
+    deriveEcdsaKeypair(path: string, subject: string, agentId: UUID): Promise<{
+        keypair: PrivateKeyAccount;
+        attestation: RemoteAttestationQuote;
+    }>;
+    deriveEd25519Keypair(path: string, subject: string, agentId: UUID): Promise<{
+        keypair: Keypair;
+        attestation: RemoteAttestationQuote;
+    }>;
+    rawDeriveKey(path: string, subject: string): Promise<DeriveKeyResponse>;
+}
+//# sourceMappingURL=tee.d.ts.map

package/dist/node/services/tee.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tee.d.ts","sourceRoot":"","sources":["../../../src/services/tee.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAElB,KAAK,QAAQ,EACb,OAAO,EAEP,KAAK,IAAI,EACV,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAE9C,OAAO,KAAK,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAGzE,qBAAa,UAAW,SAAQ,OAAO;IACrC,OAAO,CAAC,QAAQ,CAAyB;IACzC,MAAM,CAAC,WAAW,QAAmB;IAC9B,qBAAqB,SAA6D;IAC1E,MAAM,CAAC,EAAE,QAAQ,CAAC;gBAErB,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC;WAmBzD,KAAK,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC;IAQzD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAIrB,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,IAAI,GACZ,OAAO,CAAC;QACT,OAAO,EAAE,iBAAiB,CAAC;QAC3B,WAAW,EAAE,sBAAsB,CAAC;KACrC,CAAC;IAII,oBAAoB,CACxB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,IAAI,GACZ,OAAO,CAAC;QACT,OAAO,EAAE,OAAO,CAAC;QACjB,WAAW,EAAE,sBAAsB,CAAC;KACrC,CAAC;IAII,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;CAG9E"}

package/dist/node/services/tee.js

@@ -0,0 +1,42 @@
+import { logger, Service, ServiceType, } from "@elizaos/core";
+import { PhalaDeriveKeyProvider } from "../providers/deriveKey";
+import { TeeMode, TeeVendor } from "../types";
+export class TEEService extends Service {
+    provider;
+    static serviceType = ServiceType.TEE;
+    capabilityDescription = "Trusted Execution Environment for secure key management";
+    constructor(runtime, config) {
+        super(runtime);
+        const teeModeRaw = config?.mode ?? runtime.getSetting("TEE_MODE") ?? TeeMode.LOCAL;
+        const teeMode = typeof teeModeRaw === "string" ? teeModeRaw : TeeMode.LOCAL;
+        const vendor = config?.vendor ?? TeeVendor.PHALA;
+        const secretSaltRaw = config?.secretSalt ?? runtime.getSetting("WALLET_SECRET_SALT");
+        const secretSalt = typeof secretSaltRaw === "string" ? secretSaltRaw : undefined;
+        // Set config as Metadata-compatible object
+        this.config = {
+            mode: teeMode,
+            vendor,
+            ...(secretSalt ? { secretSalt } : {}),
+        };
+        this.provider = new PhalaDeriveKeyProvider(teeMode);
+    }
+    static async start(runtime) {
+        const teeModeRaw = runtime.getSetting("TEE_MODE") ?? TeeMode.LOCAL;
+        const teeMode = typeof teeModeRaw === "string" ? teeModeRaw : TeeMode.LOCAL;
+        logger.info(`Starting TEE service with mode: ${teeMode}`);
+        const service = new TEEService(runtime, { mode: teeMode });
+        return service;
+    }
+    async stop() {
+        logger.info("Stopping TEE service");
+    }
+    async deriveEcdsaKeypair(path, subject, agentId) {
+        return this.provider.deriveEcdsaKeypair(path, subject, agentId);
+    }
+    async deriveEd25519Keypair(path, subject, agentId) {
+        return this.provider.deriveEd25519Keypair(path, subject, agentId);
+    }
+    async rawDeriveKey(path, subject) {
+        return this.provider.rawDeriveKeyResponse(path, subject);
+    }
+}

package/dist/node/types/index.d.ts

@@ -0,0 +1,58 @@
+export declare enum TeeMode {
+    LOCAL = "LOCAL",
+    DOCKER = "DOCKER",
+    PRODUCTION = "PRODUCTION"
+}
+export declare enum TeeVendor {
+    PHALA = "phala"
+}
+export declare enum TeeType {
+    SGX_GRAMINE = "sgx_gramine",
+    TDX_DSTACK = "tdx_dstack"
+}
+export interface RemoteAttestationQuote {
+    readonly quote: string;
+    readonly timestamp: number;
+}
+export interface DeriveKeyAttestationData {
+    readonly agentId: string;
+    readonly publicKey: string;
+    readonly subject?: string;
+}
+export interface RemoteAttestationMessage {
+    readonly agentId: string;
+    readonly timestamp: number;
+    readonly message: {
+        readonly entityId: string;
+        readonly roomId: string;
+        readonly content: string;
+    };
+}
+export interface DeriveKeyResult {
+    readonly key: Uint8Array;
+    readonly certificateChain: string[];
+}
+export interface Ed25519KeypairResult {
+    readonly publicKey: string;
+    readonly secretKey: Uint8Array;
+    readonly attestation: RemoteAttestationQuote;
+}
+export interface EcdsaKeypairResult {
+    readonly address: string;
+    readonly privateKey: Uint8Array;
+    readonly attestation: RemoteAttestationQuote;
+}
+export interface TeeServiceConfig {
+    readonly mode: TeeMode;
+    readonly vendor: TeeVendor;
+    readonly secretSalt?: string;
+}
+export interface TeeProviderResult {
+    readonly data: Record<string, string> | null;
+    readonly values: Record<string, string>;
+    readonly text: string;
+}
+export type TdxQuoteHashAlgorithm = "sha256" | "sha384" | "sha512" | "raw";
+export declare function parseTeeMode(mode: string): TeeMode;
+export declare function parseTeeVendor(vendor: string): TeeVendor;
+//# sourceMappingURL=index.d.ts.map

package/dist/node/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/types/index.ts"],"names":[],"mappings":"AAAA,oBAAY,OAAO;IACjB,KAAK,UAAU;IACf,MAAM,WAAW;IACjB,UAAU,eAAe;CAC1B;AAED,oBAAY,SAAS;IACnB,KAAK,UAAU;CAChB;AAED,oBAAY,OAAO;IACjB,WAAW,gBAAgB;IAC3B,UAAU,eAAe;CAC1B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;QAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;KAC1B,CAAC;CACH;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,GAAG,EAAE,UAAU,CAAC;IACzB,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;CACrC;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC;IAC/B,QAAQ,CAAC,WAAW,EAAE,sBAAsB,CAAC;CAC9C;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,WAAW,EAAE,sBAAsB,CAAC;CAC9C;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC;IAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;IAC7C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE3E,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAWlD;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAOxD"}