@inco/lightning 0.2.17 → 0.3.2-alpha.3

package/README.md

@@ -60,14 +60,6 @@ With a nod to the future we provide the `make release` target which performs a s
 1. PR to main
 2. Manually grab hash from dockerhub which is also `git describe --tags --always --dirty`
 
-## Update denver multi-chain testnet
-
-1. Copy docker tag into [Pulumi.multichain.yaml](../../infraco/pkg/denver/Pulumi.multichain.yaml)
-2. Consider whether to cobber `requestConter.txt` and `lastBlock.txt` depending on the type of update:
-   - If updating a covalidator to an existing contract use `--no-clobber`
-   - If updating a covalidator to a new contract omit `--no-clobber`
-3. Run `pulumi up`
-
 ## Manifest file
 
 [`manifest.yaml`](./manifest.yaml) is a file that tracks Inco Lightning smart contract releases (versioned instances of the executor contract) and deployments (actual instances of the contract on particular chains). The release names correspond to the names of the [solidity libs](./src/libs) that are libraries that statically link to the correct executor for the corresponding release.

package/manifest.yaml

@@ -139,6 +139,48 @@ incoLightning_devnet_v0_340846814:
     executorAddress: "0x3B22be60Ae699933959CA3cE147C96caa88Ccd3D"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc00b001d6742fded0dd599ede"
   deployments:
+    - name: incoLightningPreview_0_2_1__340846814
+      chainId: "9746"
+      chainName: Plasma Testnet
+      version:
+        major: 0
+        minor: 2
+        patch: 1
+        shortSalt: "340846814"
+      decryptSigner: "0x138AcbDC1FA02b955949d8Da09E546Ea7748710f"
+      eciesPublicKey: "0x038a582d29083c2f3fefe024bf4dd9ab913ab8973716977da5f01106e0b84095b1"
+      blockNumber: "1718868"
+      deployDate: 2025-09-10T15:20:25.654Z
+      commit: v6-7-gf96f358e-dirty
+      active: true
+    - name: incoLightning_0_2_1__340846814
+      chainId: "9746"
+      chainName: Plasma Testnet
+      version:
+        major: 0
+        minor: 2
+        patch: 1
+        shortSalt: "340846814"
+      decryptSigner: "0x138AcbDC1FA02b955949d8Da09E546Ea7748710f"
+      eciesPublicKey: "0x038a582d29083c2f3fefe024bf4dd9ab913ab8973716977da5f01106e0b84095b1"
+      blockNumber: "1717229"
+      deployDate: 2025-09-10T14:53:07.218Z
+      commit: v6-7-gf96f358e-dirty
+      active: true
+    - name: incoLightningPreview_0_2_1__340846814
+      chainId: "4801"
+      chainName: World Chain Sepolia
+      version:
+        major: 0
+        minor: 2
+        patch: 1
+        shortSalt: "340846814"
+      decryptSigner: "0x138AcbDC1FA02b955949d8Da09E546Ea7748710f"
+      eciesPublicKey: "0x038a582d29083c2f3fefe024bf4dd9ab913ab8973716977da5f01106e0b84095b1"
+      blockNumber: "17365942"
+      deployDate: 2025-08-15T17:35:15.208Z
+      commit: v0.2.17-35-g8cca6b4e-dirty
+      active: true
     - name: incoLightning_0_2_0__340846814
       chainId: "84532"
       chainName: Base Sepolia

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inco/lightning",
-  "version": "0.2.17",
+  "version": "0.3.2-alpha.3",
   "repository": "https://github.com/Inco-fhevm/inco-monorepo",
   "files": [
     "src/",
@@ -18,8 +18,12 @@
     "@inco/shared": "^0.1.0",
     "@openzeppelin/contracts": "^5.2.0",
     "@openzeppelin/contracts-upgradeable": "^5.2.0",
+    "@safe-global/safe-smart-account": "https://github.com/safe-global/safe-smart-account.git#v1.5.0",
+    "automata-dcap-attestation": "https://github.com/automata-network/automata-dcap-attestation.git#evm-v1.0.0",
+    "automata-on-chain-pccs": "https://github.com/automata-network/automata-on-chain-pccs.git#v1.0.0",
     "ds-test": "https://github.com/dapphub/ds-test",
     "forge-std": "https://github.com/foundry-rs/forge-std",
+    "solady": "https://github.com/Vectorized/solady.git#v0.1.24",
     "tsx": "^4.19.3"
   },
   "devDependencies": {

package/src/DeployTEE.sol

@@ -0,0 +1,153 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+
+import {Script} from "forge-std/Script.sol";
+import {Vm} from "forge-std/Vm.sol";
+import {console} from "forge-std/console.sol";
+
+import {IQuoteVerifier} from "automata-dcap-attestation/interfaces/IQuoteVerifier.sol";
+import {TEELifecycle} from "./lightning-parts/TEELifecycle.sol";
+
+import {CA} from "@automata-network/on-chain-pccs/Common.sol";
+import {EnclaveIdentityJsonObj, IdentityObj, EnclaveIdentityHelper} from "@automata-network/on-chain-pccs/helpers/EnclaveIdentityHelper.sol";
+import {TcbInfoJsonObj, FmspcTcbHelper} from "@automata-network/on-chain-pccs/helpers/FmspcTcbHelper.sol";
+import {PCKHelper} from "@automata-network/on-chain-pccs/helpers/PCKHelper.sol";
+import {X509CRLHelper} from "@automata-network/on-chain-pccs/helpers/X509CRLHelper.sol";
+import {AutomataFmspcTcbDao} from "@automata-network/on-chain-pccs/automata_pccs/AutomataFmspcTcbDao.sol";
+import {AutomataEnclaveIdentityDao} from "@automata-network/on-chain-pccs/automata_pccs/AutomataEnclaveIdentityDao.sol";
+import {AutomataPcsDao} from "@automata-network/on-chain-pccs/automata_pccs/AutomataPcsDao.sol";
+import {AutomataPckDao} from "@automata-network/on-chain-pccs/automata_pccs/AutomataPckDao.sol";
+import {AutomataDaoStorage} from "@automata-network/on-chain-pccs/automata_pccs/shared/AutomataDaoStorage.sol";
+import {PCCSRouter} from "@automata-network/dcap-attestation/PCCSRouter.sol";
+import {V4QuoteVerifier} from "@automata-network/dcap-attestation/verifiers/V4QuoteVerifier.sol";
+
+// For now we don't use deployments for TEELifecycle, as we do for IncoLightning.
+// @todo: Use deployments for TEELifecycle
+// ref: https://github.com/Inco-fhevm/inco-monorepo/issues/875
+string constant EIP712_NAME = "TEELifecycle";
+string constant EIP712_VERSION = "1.0.0";
+
+// DeployTEE is a script that deplots all TEE-related supporting contracts for IncoLightning.
+contract DeployTEE is Script {
+
+    // The default address of the P256 Verifier contract that is used to verify the P256 signatures.
+    // It is deployed with this address on Ethereum L1, OP Mainnet, Base, Arbitrum.
+    // @dev From: https://github.com/daimo-eth/p256-verifier?tab=readme-ov-file#usage
+    address public P256_VERIFIER = 0xc2b78104907F722DABAc4C69f826a522B2754De4;
+
+    // The PCCSRouter contract is used as the entrypoint for the management of collateral used to verify quotes.
+    // It is used by the QuoteVerifier to fetch collateral.
+    PCCSRouter public pccsRouter;
+    
+    // These helpers are used to parse the collateral files and upload them to the PCCSRouter.
+    AutomataFmspcTcbDao fmspcTcbDao;
+    AutomataEnclaveIdentityDao enclaveIdDao;
+
+    // This function deploys a TEELifecycle contract that is used to manage the TEE lifecycle for the IncoLightning contract.
+    // @dev The TEELifecycle contract is used to manage the TEE lifecycle for the IncoLightning contract.
+    //      It is used to verify quotes, and to manage the TEE lifecycle.
+    //      It is also used to manage the EOA signers for the IncoLightning contract.
+    // @param quoteVerifierAddress The address of the QuoteVerifier contract to be used by the TEELifecycle contract.
+    function deployTEELifecycle(address deployer, address quoteVerifierAddress) internal returns (TEELifecycle) {
+        // TODO: Currently TEELifecycle is not UUPS
+        // ref: https://github.com/Inco-fhevm/inco-monorepo/issues/875
+        TEELifecycle implementation = new TEELifecycle();
+        implementation.initialize(
+            deployer,
+            EIP712_NAME,
+            EIP712_VERSION,
+            quoteVerifierAddress
+        );
+        return implementation;
+    }
+
+    // This function deploys a QuoteVerifier contract that is used to verify quotes for the IncoLightning contract.
+    // @dev: TDX_HW environment variable is used to determine whether to use the FakeQuoteVerifier or the V4QuoteVerifier.
+    // @dev We deploy two flavors of the QuoteVerifier contract:
+    // - FakeQuoteVerifier: A fake implementation of the QuoteVerifier contract that is used to test the IncoLightning contract.
+    //   This is used for testing purposes, and returns true for all quote verifications.
+    // - V4QuoteVerifier: The real implementation of the QuoteVerifier contract that is used to verify quotes for the IncoLightning contract.
+    //   This is taken from the automata-dcap-attestation package.
+    function deployQuoteVerifier() internal returns (IQuoteVerifier quoteVerifier) {
+        // deploys the QuoteVerifier contract
+        quoteVerifier = new V4QuoteVerifier(
+            P256_VERIFIER,
+            address(pccsRouter)
+        );
+
+        pccsRouter.setAuthorized(address(quoteVerifier), true);
+    }
+
+    function deployPCCS(address owner, string memory collateralDir) internal {
+
+        EnclaveIdentityHelper enclaveIdHelper = new EnclaveIdentityHelper();
+        FmspcTcbHelper tcbHelper = new FmspcTcbHelper();
+        PCKHelper x509 = new PCKHelper();
+        X509CRLHelper x509Crl = new X509CRLHelper();
+
+        AutomataDaoStorage pccsStorage = new AutomataDaoStorage(owner);
+        AutomataPcsDao pcsDao = new AutomataPcsDao(address(pccsStorage), P256_VERIFIER, address(x509), address(x509Crl));
+        AutomataPckDao pckDao = new AutomataPckDao(address(pccsStorage), P256_VERIFIER, address(pcsDao), address(x509), address(x509Crl));
+        enclaveIdDao = new AutomataEnclaveIdentityDao(
+            address(pccsStorage), P256_VERIFIER, address(pcsDao), address(enclaveIdHelper), address(x509), address(x509Crl)
+        );
+        fmspcTcbDao = new AutomataFmspcTcbDao(address(pccsStorage), P256_VERIFIER, address(pcsDao), address(tcbHelper), address(x509), address(x509Crl));
+        // grants dao permissions to write to the storage
+        pccsStorage.grantDao(address(pcsDao));
+        pccsStorage.grantDao(address(pckDao));
+        pccsStorage.grantDao(address(fmspcTcbDao));
+        pccsStorage.grantDao(address(enclaveIdDao));
+
+        // grants admin address permission to read collaterals
+        pccsRouter = new PCCSRouter(
+            owner,
+            address(enclaveIdDao),
+            address(fmspcTcbDao),
+            address(pcsDao),
+            address(pckDao),
+            address(x509),
+            address(x509Crl),
+            address(tcbHelper)
+        );
+        // allow PCCS Router to read collaterals from the storage
+        pccsStorage.setCallerAuthorization(address(pccsRouter), true);
+
+        // Upload Root Certs/CRLs
+        bytes memory rootCaDer = vm.readFileBinary(string.concat(collateralDir, "Intel_SGX_Attestation_RootCA.cer"));
+        pcsDao.upsertPcsCertificates(CA.ROOT, rootCaDer);
+        bytes memory tcbDer = vm.readFileBinary(string.concat(collateralDir, "Intel_SGX_TCB_Signing.cer"));
+        pcsDao.upsertPcsCertificates(CA.SIGNING, tcbDer);
+        bytes memory platformDer = vm.readFileBinary(string.concat(collateralDir, "Intel_SGX_PCK_PlatformCA.cer"));
+        pcsDao.upsertPcsCertificates(CA.PLATFORM, platformDer);
+        bytes memory platformCrlDer = vm.readFileBinary(string.concat(collateralDir, "Intel_SGX_PCK_CRL.crl"));
+        pcsDao.upsertPckCrl(CA.PLATFORM, platformCrlDer);
+        bytes memory rootCrlDer = vm.readFileBinary(string.concat(collateralDir, "AttestationReportSigningCA.crl"));
+
+        pcsDao.upsertRootCACrl(rootCrlDer);
+    }
+    
+    // This function deploys the P256 Verifier contract that is used to verify P256 signatures.
+    // @dev The code is taken from https://github.com/automata-network/automata-on-chain-pccs/blob/v1.0.0/test/TestSetupBase.t.sol#L91
+    function deployP256() internal {
+        // Known chains that have the P256 Verifier deployed:
+        // Ethereum Mainnet, Optimism Mainnet, Base, Arbitrum
+        // https://github.com/daimo-eth/p256-verifier/tree/master/broadcast/Deploy.s.sol
+        if (block.chainid == 1 || block.chainid == 10 || block.chainid == 8453 || block.chainid == 84531 ) {
+            console.log("P256 Verifier contract is already deployed on this chain, skipping deployment.");
+            return;
+        }
+        require(block.chainid == 31337, "Deploying P256 Verifier is only supported on Anvil chain");
+        bytes memory txdata =
+            hex"00000000000000000000000000000000000000000000000000000000000000006080806040523461001657610dd1908161001c8239f35b600080fdfe60e06040523461001a57610012366100c7565b602081519101f35b600080fd5b6040810190811067ffffffffffffffff82111761003b57604052565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052604160045260246000fd5b60e0810190811067ffffffffffffffff82111761003b57604052565b90601f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0910116810190811067ffffffffffffffff82111761003b57604052565b60a08103610193578060201161001a57600060409180831161018f578060601161018f578060801161018f5760a01161018c57815182810181811067ffffffffffffffff82111761015f579061013291845260603581526080356020820152833560203584356101ab565b15610156575060ff6001915b5191166020820152602081526101538161001f565b90565b60ff909161013e565b6024837f4e487b710000000000000000000000000000000000000000000000000000000081526041600452fd5b80fd5b5080fd5b5060405160006020820152602081526101538161001f565b909283158015610393575b801561038b575b8015610361575b6103585780519060206101dc818301938451906103bd565b1561034d57604051948186019082825282604088015282606088015260808701527fffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f60a08701527fffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551958660c082015260c081526102588161006a565b600080928192519060055afa903d15610345573d9167ffffffffffffffff831161031857604051926102b1857fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0601f8401160185610086565b83523d828585013e5b156102eb57828280518101031261018c5750015190516102e693929185908181890994099151906104eb565b061490565b807f4e487b7100000000000000000000000000000000000000000000000000000000602492526001600452fd5b6024827f4e487b710000000000000000000000000000000000000000000000000000000081526041600452fd5b6060916102ba565b505050505050600090565b50505050600090565b507fffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325518310156101c4565b5082156101bd565b507fffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325518410156101b6565b7fffffffff00000001000000000000000000000000ffffffffffffffffffffffff90818110801590610466575b8015610455575b61044d577f5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b8282818080957fffffffff00000001000000000000000000000000fffffffffffffffffffffffc0991818180090908089180091490565b505050600090565b50801580156103f1575082156103f1565b50818310156103ea565b7f800000000000000000000000000000000000000000000000000000000000000081146104bc577fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0190565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052601160045260246000fd5b909192608052600091600160a05260a05193600092811580610718575b61034d57610516838261073d565b95909460ff60c05260005b600060c05112156106ef575b60a05181036106a1575050507f4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5957f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2969594939291965b600060c05112156105c7575050505050507fffffffff00000001000000000000000000000000ffffffffffffffffffffffff91506105c260a051610ca2565b900990565b956105d9929394959660a05191610a98565b9097929181928960a0528192819a6105f66080518960c051610722565b61060160c051610470565b60c0528061061b5750505050505b96959493929196610583565b969b5061067b96939550919350916001810361068857507f4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5937f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c29693610952565b979297919060a05261060f565b6002036106985786938a93610952565b88938893610952565b600281036106ba57505050829581959493929196610583565b9197917ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0161060f575095508495849661060f565b506106ff6080518560c051610722565b8061070b60c051610470565b60c052156105215761052d565b5060805115610508565b91906002600192841c831b16921c1681018091116104bc5790565b8015806107ab575b6107635761075f91610756916107b3565b92919091610c42565b9091565b50507f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296907f4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f590565b508115610745565b919082158061094a575b1561080f57507f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c29691507f4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5906001908190565b7fb01cbd1c01e58065711814b583f061e9d431cca994cea1313449bf97c840ae0a917fffffffff00000001000000000000000000000000ffffffffffffffffffffffff808481600186090894817f94e82e0c1ed3bdb90743191a9c5bbf0d88fc827fd214cc5f0b5ec6ba27673d6981600184090893841561091b575050808084800993840994818460010994828088600109957f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c29609918784038481116104bc5784908180867fffffffff00000001000000000000000000000000fffffffffffffffffffffffd0991818580090808978885038581116104bc578580949281930994080908935b93929190565b9350935050921560001461093b5761093291610b6d565b91939092610915565b50506000806000926000610915565b5080156107bd565b91949592939095811580610a90575b15610991575050831580610989575b61097a5793929190565b50600093508392508291508190565b508215610970565b85919294951580610a88575b610a78577fffffffff00000001000000000000000000000000ffffffffffffffffffffffff968703918783116104bc5787838189850908938689038981116104bc5789908184840908928315610a5d575050818880959493928180848196099b8c9485099b8c920999099609918784038481116104bc5784908180867fffffffff00000001000000000000000000000000fffffffffffffffffffffffd0991818580090808978885038581116104bc578580949281930994080908929190565b965096505050509093501560001461093b5761093291610b6d565b9550509150915091906001908190565b50851561099d565b508015610961565b939092821580610b65575b61097a577fffffffff00000001000000000000000000000000ffffffffffffffffffffffff908185600209948280878009809709948380888a0998818080808680097fffffffff00000001000000000000000000000000fffffffffffffffffffffffc099280096003090884808a7fffffffff00000001000000000000000000000000fffffffffffffffffffffffd09818380090898898603918683116104bc57888703908782116104bc578780969481809681950994089009089609930990565b508015610aa3565b919091801580610c3a575b610c2d577fffffffff00000001000000000000000000000000ffffffffffffffffffffffff90818460020991808084800980940991817fffffffff00000001000000000000000000000000fffffffffffffffffffffffc81808088860994800960030908958280837fffffffff00000001000000000000000000000000fffffffffffffffffffffffd09818980090896878403918483116104bc57858503928584116104bc5785809492819309940890090892565b5060009150819081908190565b508215610b78565b909392821580610c9a575b610c8d57610c5a90610ca2565b9182917fffffffff00000001000000000000000000000000ffffffffffffffffffffffff80809581940980099009930990565b5050509050600090600090565b508015610c4d565b604051906020918281019183835283604083015283606083015260808201527fffffffff00000001000000000000000000000000fffffffffffffffffffffffd60a08201527fffffffff00000001000000000000000000000000ffffffffffffffffffffffff60c082015260c08152610d1a8161006a565b600080928192519060055afa903d15610d93573d9167ffffffffffffffff83116103185760405192610d73857fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0601f8401160185610086565b83523d828585013e5b156102eb57828280518101031261018c5750015190565b606091610d7c56fea2646970667358221220fa55558b04ced380e93d0a46be01bb895ff30f015c50c516e898c341cd0a230264736f6c63430008150033";
+        
+        // deploys the P256 Verifier contract using the default CREATE2 deterministic deployment contract available of EVM chains including on Anvil
+        // https://github.com/Arachnid/deterministic-deployment-proxy?tab=readme-ov-file#latest-outputs
+        // https://getfoundry.sh/guides/deterministic-deployments-using-create2
+        (bool succ,) = address(0x4e59b44847b379578588920cA78FbF26c0B4956C).call(txdata);
+        require(succ, "Failed to deploy P256");
+
+        // check code
+        uint256 codesize = P256_VERIFIER.code.length;
+        require(codesize > 0, "P256 deployed to the wrong address");
+    }
+}

package/src/DeployUtils.sol

@@ -9,6 +9,7 @@ import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.s
 import {CONTRACT_NAME, MAJOR_VERSION, MINOR_VERSION, PATCH_VERSION} from "../src/version/IncoLightningConfig.sol";
 import {console} from "forge-std/console.sol";
 import {CreateXHelper} from "./CreateXHelper.sol";
+import {IncoLightningPreview} from "@inco/lightning-preview/src/IncoLightningPreview.sol";
 
 // can be set to 0x01 so the inco address can exist on only one chain, we want the same contract at the same address
 // on all chains
@@ -93,12 +94,16 @@ contract DeployUtils is Script {
     /// @param pepper a value used to avoid address collision on deploying the same contract twice with the same deployer
     /// @param minorVersionForSalt minor version of the contract to use in the salt
     /// @param patchVersionForSalt patch version of the contract to use in the salt
+    /// @param includePreviewFeatures whether to include preview features in the contract
+    /// @param teeLifecycleAddress the address of the TEELifecycle contract to use in the contract
     function deployIncoLightningUsingConfig(
         address deployer,
         string memory pepper,
     // FIXME: on the next major version (new contract address and state) we should remove these from the salt altogether
         uint8 minorVersionForSalt,
-        uint8 patchVersionForSalt
+        uint8 patchVersionForSalt,
+        bool includePreviewFeatures,
+        address teeLifecycleAddress
     ) internal returns (IncoLightning proxy) {
         bytes32 salt = getSalt(
             CONTRACT_NAME,
@@ -114,12 +119,20 @@ contract DeployUtils is Script {
             vm.toString(salt)
         );
         IncoLightning implementation = new IncoLightning(salt);
+        if (includePreviewFeatures) {
+            IncoLightningPreview preview = new IncoLightningPreview(address(implementation));
+            // FIXME: This is hack, we ought to define an interface IIncoLightning here and use that instead
+            implementation = IncoLightning(address(preview));
+        }
         proxy = IncoLightning(
             deployProxy({
-                deployer: deployer,
                 salt: salt,
                 implem: address(implementation),
-                initFunctionSelector: IncoLightning.initialize.selector
+                initCall: abi.encodeWithSelector(
+                    IncoLightning.initialize.selector,
+                    deployer,
+                    teeLifecycleAddress
+                )
             })
         );
     }
@@ -129,17 +142,12 @@ contract DeployUtils is Script {
 ///     the proxy
 /// @dev deployer is made the owner of the contract
     function deployProxy(
-        address deployer,
         bytes32 salt,
         address implem,
-        bytes4 initFunctionSelector
+        bytes memory initCall
     ) internal returns (address proxy) {
         CreateX createX = CreateX(createXAddress);
         CreateX.Values memory msgValues = CreateX.Values(0, 0);
-        bytes memory initCall = abi.encodeWithSelector(
-            initFunctionSelector,
-            deployer
-        );
         bytes memory bytecode = abi.encodePacked(
             type(ERC1967Proxy).creationCode,
             abi.encode(implem, initCall)

package/src/Errors.sol

@@ -0,0 +1,4 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+
+error HandleAlreadyExists();

package/src/IncoLightning.gen.sol

@@ -11,5 +11,5 @@ import { UUPSUpgradeable } from "@openzeppelin/contracts/proxy/utils/UUPSUpgrade
 import { Version } from "./version/Version.sol";
 
 interface IIncoLightningGen {
-    function initialize(address owner) external;
+    function initialize(address owner, address teeLifecycleAddress) external;
 }

package/src/IncoLightning.sol

@@ -40,8 +40,9 @@ contract IncoLightning is
         require(msg.sender == owner());
     }
 
-    function initialize(address owner) public initializer {
+    function initialize(address owner, address teeLifecycleAddress) public initializer {
         __Ownable_init(owner);
+        __SignatureVerifier_init(teeLifecycleAddress);
     }
 
     fallback() external {} // must be included for createX deploy

package/src/Lib.alphanet.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/Lib.demonet.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/Lib.devnet.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/Lib.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/Lib.template.sol

@@ -444,6 +444,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/Lib.testnet.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/Types.sol

@@ -34,7 +34,25 @@ pragma solidity ^0.8;
         RandBounded, // 27
         // These are pseudo-ops part of the decryption/callback system but we need to generate code for them so I am including them
         DecryptionRequested, // 28
-        RequestFulfilled // 29
+        RequestFulfilled, // 29
+        EOP30, EOP31, EOP32, EOP33, EOP34, EOP35, EOP36, EOP37, EOP38, EOP39,
+        EOP40, EOP41, EOP42, EOP43, EOP44, EOP45, EOP46, EOP47, EOP48, EOP49,
+        EOP50, EOP51, EOP52, EOP53, EOP54, EOP55, EOP56, EOP57, EOP58, EOP59,
+        EOP60, EOP61, EOP62, EOP63, EOP64, EOP65, EOP66, EOP67, EOP68, EOP69,
+        EOP70, EOP71, EOP72, EOP73, EOP74, EOP75, EOP76, EOP77, EOP78, EOP79,
+        EOP80, EOP81, EOP82, EOP83, EOP84, EOP85, EOP86, EOP87, EOP88, EOP89,
+        EOP90, EOP91, EOP92, EOP93, EOP94, EOP95, EOP96, EOP97, EOP98, EOP99,
+        NewEList, // 100
+        EListGet, // 101
+        EListGetOr, // 102
+        EListSet, // 103
+        EListInsert, // 104
+        EListAppend, // 105
+        EListConcat, // 106
+        EListSlice, // 107
+        EListRange, // 108
+        EListShuffle, // 109
+        EListReverse // 110
     }
 
     type ebool is bytes32;
@@ -55,7 +73,24 @@ pragma solidity ^0.8;
         Uint256,
         Bytes64UNSUPPORTED,
         Bytes128UNSUPPORTED,
-        Bytes256UNSUPPORTED
+        Bytes256UNSUPPORTED,
+        EmptyType12, // 12
+        EmptyType13, // 13
+        EmptyType14, // 14
+        EmptyType15, // 15
+        EmptyType16, // 16
+        EmptyType17, // 17
+        EmptyType18, // 18
+        EmptyType19, // 19
+        EmptyType20, EmptyType21, EmptyType22, EmptyType23, EmptyType24, EmptyType25, EmptyType26, EmptyType27, EmptyType28, EmptyType29,
+        EmptyType30, EmptyType31, EmptyType32, EmptyType33, EmptyType34, EmptyType35, EmptyType36, EmptyType37, EmptyType38, EmptyType39,
+        EmptyType40, EmptyType41, EmptyType42, EmptyType43, EmptyType44, EmptyType45, EmptyType46, EmptyType47, EmptyType48, EmptyType49,
+        EmptyType50, EmptyType51, EmptyType52, EmptyType53, EmptyType54, EmptyType55, EmptyType56, EmptyType57, EmptyType58, EmptyType59,
+        EmptyType60, EmptyType61, EmptyType62, EmptyType63, EmptyType64, EmptyType65, EmptyType66, EmptyType67, EmptyType68, EmptyType69,
+        EmptyType70, EmptyType71, EmptyType72, EmptyType73, EmptyType74, EmptyType75, EmptyType76, EmptyType77, EmptyType78, EmptyType79,
+        EmptyType80, EmptyType81, EmptyType82, EmptyType83, EmptyType84, EmptyType85, EmptyType86, EmptyType87, EmptyType88, EmptyType89,
+        EmptyType90, EmptyType91, EmptyType92, EmptyType93, EmptyType94, EmptyType95, EmptyType96, EmptyType97, EmptyType98, EmptyType99,
+        List // 100
     }
 
 // check correctness of compute
@@ -74,4 +109,11 @@ string constant EVM_HOST_CHAIN_PREFIX = "evm/";
 uint8 constant HANDLE_VERSION = 0;
 
 // IncoLightning only supports single-valued ciphertexts so this is always 0
-uint256 constant HANDLE_INDEX = 0;
+// NOTE: this must be a uint8 to get hash agreement!
+uint8 constant HANDLE_INDEX = 0;
+
+/// Util function to convert an ETypes to a bit mask
+/// @param t the type to convert to a bit mask
+function typeToBitMask(ETypes t) pure returns (bytes32) {
+    return bytes32(1 << uint256(t));
+}

package/src/libs/incoLightning_alphanet_v0_297966649.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/libs/incoLightning_demonet_v0_863421733.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/libs/incoLightning_devnet_v0_340846814.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/libs/incoLightning_testnet_v0_183408998.sol

@@ -410,6 +410,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }

package/src/lightning-parts/AccessControl/BaseAccessControlList.gen.sol

@@ -7,6 +7,9 @@ interface IBaseAccessControlListGen {
     /// @dev persistent
     function allow(bytes32 handle, address account) external;
 
+    /// @dev Permanently allows public decryption/reencryption access to anyone for the given handle.
+    function reveal(bytes32 handle) external;
+
     function allowTransient(bytes32 handle, address account) external;
 
     function allowedTransient(bytes32 handle, address account) external view returns (bool);
@@ -16,4 +19,6 @@ interface IBaseAccessControlListGen {
     function persistAllowed(bytes32 handle, address account) external view returns (bool);
 
     function isAllowed(bytes32 handle, address account) external view returns (bool);
+
+    function isRevealed(bytes32 handle) external view returns (bool);
 }