npm - @inco/lightning - Versions diffs - 0.2.17 → 0.3.2 - Mend

@inco/lightning 0.2.17 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/manifest.yaml CHANGED Viewed

@@ -139,6 +139,35 @@ incoLightning_devnet_v0_340846814:
     executorAddress: "0x3B22be60Ae699933959CA3cE147C96caa88Ccd3D"
     salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc00b001d6742fded0dd599ede"
   deployments:
+    - name: incoLightningPreview_0_2_1__340846814
+      chainId: "4801"
+      chainName: World Chain Sepolia
+      version:
+        major: 0
+        minor: 2
+        patch: 1
+        shortSalt: "340846814"
+      decryptSigner: "0x138AcbDC1FA02b955949d8Da09E546Ea7748710f"
+      eciesPublicKey: "0x038a582d29083c2f3fefe024bf4dd9ab913ab8973716977da5f01106e0b84095b1"
+      blockNumber: "17365942"
+      deployDate: 2025-08-15T17:35:15.208Z
+      commit: v0.2.17-35-g8cca6b4e-dirty
+      active: true
+    - name: incoLightningPreview_0_2_1__340846814
+      chainId: "9746"
+      chainName: Plasma Testnet
+      version:
+        major: 0
+        minor: 2
+        patch: 1
+        shortSalt: "340846814"
+      decryptSigner: "0x138AcbDC1FA02b955949d8Da09E546Ea7748710f"
+      eciesPublicKey: "0x048a582d29083c2f3fefe024bf4dd9ab913ab8973716977da5f01106e0b8\
+        4095b1e647a9e377175fcb66bda05087c93b05e1fd53a704d0914bb23a0b2a69e9f235"
+      blockNumber: "3339121"
+      deployDate: 2025-08-07T12:14:56.788Z
+      commit: v0.2.17-28-gfd11c1aa-dirty
+      active: true
     - name: incoLightning_0_2_0__340846814
       chainId: "84532"
       chainName: Base Sepolia

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@inco/lightning",
-  "version": "0.2.17",
+  "version": "0.3.2",
   "repository": "https://github.com/Inco-fhevm/inco-monorepo",
   "files": [
     "src/",
@@ -18,8 +18,12 @@
     "@inco/shared": "^0.1.0",
     "@openzeppelin/contracts": "^5.2.0",
     "@openzeppelin/contracts-upgradeable": "^5.2.0",
+    "@safe-global/safe-smart-account": "https://github.com/safe-global/safe-smart-account.git#v1.5.0",
+    "automata-dcap-attestation": "https://github.com/automata-network/automata-dcap-attestation.git#evm-v1.0.0",
+    "automata-on-chain-pccs": "https://github.com/automata-network/automata-on-chain-pccs.git#v1.0.0",
     "ds-test": "https://github.com/dapphub/ds-test",
     "forge-std": "https://github.com/foundry-rs/forge-std",
+    "solady": "https://github.com/Vectorized/solady.git#v0.1.24",
     "tsx": "^4.19.3"
   },
   "devDependencies": {

package/src/DeployTEE.sol ADDED Viewed

@@ -0,0 +1,153 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+import {Script} from "forge-std/Script.sol";
+import {Vm} from "forge-std/Vm.sol";
+import {console} from "forge-std/console.sol";
+import {IQuoteVerifier} from "automata-dcap-attestation/interfaces/IQuoteVerifier.sol";
+import {TEELifecycle} from "./lightning-parts/TEELifecycle.sol";
+import {CA} from "@automata-network/on-chain-pccs/Common.sol";
+import {EnclaveIdentityJsonObj, IdentityObj, EnclaveIdentityHelper} from "@automata-network/on-chain-pccs/helpers/EnclaveIdentityHelper.sol";
+import {TcbInfoJsonObj, FmspcTcbHelper} from "@automata-network/on-chain-pccs/helpers/FmspcTcbHelper.sol";
+import {PCKHelper} from "@automata-network/on-chain-pccs/helpers/PCKHelper.sol";
+import {X509CRLHelper} from "@automata-network/on-chain-pccs/helpers/X509CRLHelper.sol";
+import {AutomataFmspcTcbDao} from "@automata-network/on-chain-pccs/automata_pccs/AutomataFmspcTcbDao.sol";
+import {AutomataEnclaveIdentityDao} from "@automata-network/on-chain-pccs/automata_pccs/AutomataEnclaveIdentityDao.sol";
+import {AutomataPcsDao} from "@automata-network/on-chain-pccs/automata_pccs/AutomataPcsDao.sol";
+import {AutomataPckDao} from "@automata-network/on-chain-pccs/automata_pccs/AutomataPckDao.sol";
+import {AutomataDaoStorage} from "@automata-network/on-chain-pccs/automata_pccs/shared/AutomataDaoStorage.sol";
+import {PCCSRouter} from "@automata-network/dcap-attestation/PCCSRouter.sol";
+import {V4QuoteVerifier} from "@automata-network/dcap-attestation/verifiers/V4QuoteVerifier.sol";
+// For now we don't use deployments for TEELifecycle, as we do for IncoLightning.
+// @todo: Use deployments for TEELifecycle
+// ref: https://github.com/Inco-fhevm/inco-monorepo/issues/875
+string constant EIP712_NAME = "TEELifecycle";
+string constant EIP712_VERSION = "1.0.0";
+// DeployTEE is a script that deplots all TEE-related supporting contracts for IncoLightning.
+contract DeployTEE is Script {
+    // The default address of the P256 Verifier contract that is used to verify the P256 signatures.
+    // It is deployed with this address on Ethereum L1, OP Mainnet, Base, Arbitrum.
+    // @dev From: https://github.com/daimo-eth/p256-verifier?tab=readme-ov-file#usage
+    address public P256_VERIFIER = 0xc2b78104907F722DABAc4C69f826a522B2754De4;
+    // The PCCSRouter contract is used as the entrypoint for the management of collateral used to verify quotes.
+    // It is used by the QuoteVerifier to fetch collateral.
+    PCCSRouter public pccsRouter;
+    // These helpers are used to parse the collateral files and upload them to the PCCSRouter.
+    AutomataFmspcTcbDao fmspcTcbDao;
+    AutomataEnclaveIdentityDao enclaveIdDao;
+    // This function deploys a TEELifecycle contract that is used to manage the TEE lifecycle for the IncoLightning contract.
+    // @dev The TEELifecycle contract is used to manage the TEE lifecycle for the IncoLightning contract.
+    //      It is used to verify quotes, and to manage the TEE lifecycle.
+    //      It is also used to manage the EOA signers for the IncoLightning contract.
+    // @param quoteVerifierAddress The address of the QuoteVerifier contract to be used by the TEELifecycle contract.
+    function deployTEELifecycle(address deployer, address quoteVerifierAddress) internal returns (TEELifecycle) {
+        // TODO: Currently TEELifecycle is not UUPS
+        // ref: https://github.com/Inco-fhevm/inco-monorepo/issues/875
+        TEELifecycle implementation = new TEELifecycle();
+        implementation.initialize(
+            deployer,
+            EIP712_NAME,
+            EIP712_VERSION,
+            quoteVerifierAddress
+        );
+        return implementation;
+    }
+    // This function deploys a QuoteVerifier contract that is used to verify quotes for the IncoLightning contract.
+    // @dev: TDX_HW environment variable is used to determine whether to use the FakeQuoteVerifier or the V4QuoteVerifier.
+    // @dev We deploy two flavors of the QuoteVerifier contract:
+    // - FakeQuoteVerifier: A fake implementation of the QuoteVerifier contract that is used to test the IncoLightning contract.
+    //   This is used for testing purposes, and returns true for all quote verifications.
+    // - V4QuoteVerifier: The real implementation of the QuoteVerifier contract that is used to verify quotes for the IncoLightning contract.
+    //   This is taken from the automata-dcap-attestation package.
+    function deployQuoteVerifier() internal returns (IQuoteVerifier quoteVerifier) {
+        // deploys the QuoteVerifier contract
+        quoteVerifier = new V4QuoteVerifier(
+            P256_VERIFIER,
+            address(pccsRouter)
+        );
+        pccsRouter.setAuthorized(address(quoteVerifier), true);
+    }
+    function deployPCCS(address owner, string memory collateralDir) internal {
+        EnclaveIdentityHelper enclaveIdHelper = new EnclaveIdentityHelper();
+        FmspcTcbHelper tcbHelper = new FmspcTcbHelper();
+        PCKHelper x509 = new PCKHelper();
+        X509CRLHelper x509Crl = new X509CRLHelper();
+        AutomataDaoStorage pccsStorage = new AutomataDaoStorage(owner);
+        AutomataPcsDao pcsDao = new AutomataPcsDao(address(pccsStorage), P256_VERIFIER, address(x509), address(x509Crl));
+        AutomataPckDao pckDao = new AutomataPckDao(address(pccsStorage), P256_VERIFIER, address(pcsDao), address(x509), address(x509Crl));
+        enclaveIdDao = new AutomataEnclaveIdentityDao(
+            address(pccsStorage), P256_VERIFIER, address(pcsDao), address(enclaveIdHelper), address(x509), address(x509Crl)
+        );
+        fmspcTcbDao = new AutomataFmspcTcbDao(address(pccsStorage), P256_VERIFIER, address(pcsDao), address(tcbHelper), address(x509), address(x509Crl));
+        // grants dao permissions to write to the storage
+        pccsStorage.grantDao(address(pcsDao));
+        pccsStorage.grantDao(address(pckDao));
+        pccsStorage.grantDao(address(fmspcTcbDao));
+        pccsStorage.grantDao(address(enclaveIdDao));
+        // grants admin address permission to read collaterals
+        pccsRouter = new PCCSRouter(
+            owner,
+            address(enclaveIdDao),
+            address(fmspcTcbDao),
+            address(pcsDao),
+            address(pckDao),
+            address(x509),
+            address(x509Crl),
+            address(tcbHelper)
+        );
+        // allow PCCS Router to read collaterals from the storage
+        pccsStorage.setCallerAuthorization(address(pccsRouter), true);
+        // Upload Root Certs/CRLs
+        bytes memory rootCaDer = vm.readFileBinary(string.concat(collateralDir, "Intel_SGX_Attestation_RootCA.cer"));
+        pcsDao.upsertPcsCertificates(CA.ROOT, rootCaDer);
+        bytes memory tcbDer = vm.readFileBinary(string.concat(collateralDir, "Intel_SGX_TCB_Signing.cer"));
+        pcsDao.upsertPcsCertificates(CA.SIGNING, tcbDer);
+        bytes memory platformDer = vm.readFileBinary(string.concat(collateralDir, "Intel_SGX_PCK_PlatformCA.cer"));
+        pcsDao.upsertPcsCertificates(CA.PLATFORM, platformDer);
+        bytes memory platformCrlDer = vm.readFileBinary(string.concat(collateralDir, "Intel_SGX_PCK_CRL.crl"));
+        pcsDao.upsertPckCrl(CA.PLATFORM, platformCrlDer);
+        bytes memory rootCrlDer = vm.readFileBinary(string.concat(collateralDir, "AttestationReportSigningCA.crl"));
+        pcsDao.upsertRootCACrl(rootCrlDer);
+    }
+    // This function deploys the P256 Verifier contract that is used to verify P256 signatures.
+    // @dev The code is taken from https://github.com/automata-network/automata-on-chain-pccs/blob/v1.0.0/test/TestSetupBase.t.sol#L91
+    function deployP256() internal {
+        // Known chains that have the P256 Verifier deployed:
+        // Ethereum Mainnet, Optimism Mainnet, Base, Arbitrum
+        // https://github.com/daimo-eth/p256-verifier/tree/master/broadcast/Deploy.s.sol
+        if (block.chainid == 1 || block.chainid == 10 || block.chainid == 8453 || block.chainid == 84531 ) {
+            console.log("P256 Verifier contract is already deployed on this chain, skipping deployment.");
+            return;
+        }
+        require(block.chainid == 31337, "Deploying P256 Verifier is only supported on Anvil chain");
+        bytes memory txdata =
+            hex"00000000000000000000000000000000000000000000000000000000000000006080806040523461001657610dd1908161001c8239f35b600080fdfe60e06040523461001a57610012366100c7565b602081519101f35b600080fd5b6040810190811067ffffffffffffffff82111761003b57604052565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052604160045260246000fd5b60e0810190811067ffffffffffffffff82111761003b57604052565b90601f7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0910116810190811067ffffffffffffffff82111761003b57604052565b60a08103610193578060201161001a57600060409180831161018f578060601161018f578060801161018f5760a01161018c57815182810181811067ffffffffffffffff82111761015f579061013291845260603581526080356020820152833560203584356101ab565b15610156575060ff6001915b5191166020820152602081526101538161001f565b90565b60ff909161013e565b6024837f4e487b710000000000000000000000000000000000000000000000000000000081526041600452fd5b80fd5b5080fd5b5060405160006020820152602081526101538161001f565b909283158015610393575b801561038b575b8015610361575b6103585780519060206101dc818301938451906103bd565b1561034d57604051948186019082825282604088015282606088015260808701527fffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f60a08701527fffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551958660c082015260c081526102588161006a565b600080928192519060055afa903d15610345573d9167ffffffffffffffff831161031857604051926102b1857fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0601f8401160185610086565b83523d828585013e5b156102eb57828280518101031261018c5750015190516102e693929185908181890994099151906104eb565b061490565b807f4e487b7100000000000000000000000000000000000000000000000000000000602492526001600452fd5b6024827f4e487b710000000000000000000000000000000000000000000000000000000081526041600452fd5b6060916102ba565b505050505050600090565b50505050600090565b507fffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325518310156101c4565b5082156101bd565b507fffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc6325518410156101b6565b7fffffffff00000001000000000000000000000000ffffffffffffffffffffffff90818110801590610466575b8015610455575b61044d577f5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b8282818080957fffffffff00000001000000000000000000000000fffffffffffffffffffffffc0991818180090908089180091490565b505050600090565b50801580156103f1575082156103f1565b50818310156103ea565b7f800000000000000000000000000000000000000000000000000000000000000081146104bc577fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0190565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052601160045260246000fd5b909192608052600091600160a05260a05193600092811580610718575b61034d57610516838261073d565b95909460ff60c05260005b600060c05112156106ef575b60a05181036106a1575050507f4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5957f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2969594939291965b600060c05112156105c7575050505050507fffffffff00000001000000000000000000000000ffffffffffffffffffffffff91506105c260a051610ca2565b900990565b956105d9929394959660a05191610a98565b9097929181928960a0528192819a6105f66080518960c051610722565b61060160c051610470565b60c0528061061b5750505050505b96959493929196610583565b969b5061067b96939550919350916001810361068857507f4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5937f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c29693610952565b979297919060a05261060f565b6002036106985786938a93610952565b88938893610952565b600281036106ba57505050829581959493929196610583565b9197917ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd0161060f575095508495849661060f565b506106ff6080518560c051610722565b8061070b60c051610470565b60c052156105215761052d565b5060805115610508565b91906002600192841c831b16921c1681018091116104bc5790565b8015806107ab575b6107635761075f91610756916107b3565b92919091610c42565b9091565b50507f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296907f4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f590565b508115610745565b919082158061094a575b1561080f57507f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c29691507f4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5906001908190565b7fb01cbd1c01e58065711814b583f061e9d431cca994cea1313449bf97c840ae0a917fffffffff00000001000000000000000000000000ffffffffffffffffffffffff808481600186090894817f94e82e0c1ed3bdb90743191a9c5bbf0d88fc827fd214cc5f0b5ec6ba27673d6981600184090893841561091b575050808084800993840994818460010994828088600109957f6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c29609918784038481116104bc5784908180867fffffffff00000001000000000000000000000000fffffffffffffffffffffffd0991818580090808978885038581116104bc578580949281930994080908935b93929190565b9350935050921560001461093b5761093291610b6d565b91939092610915565b50506000806000926000610915565b5080156107bd565b91949592939095811580610a90575b15610991575050831580610989575b61097a5793929190565b50600093508392508291508190565b508215610970565b85919294951580610a88575b610a78577fffffffff00000001000000000000000000000000ffffffffffffffffffffffff968703918783116104bc5787838189850908938689038981116104bc5789908184840908928315610a5d575050818880959493928180848196099b8c9485099b8c920999099609918784038481116104bc5784908180867fffffffff00000001000000000000000000000000fffffffffffffffffffffffd0991818580090808978885038581116104bc578580949281930994080908929190565b965096505050509093501560001461093b5761093291610b6d565b9550509150915091906001908190565b50851561099d565b508015610961565b939092821580610b65575b61097a577fffffffff00000001000000000000000000000000ffffffffffffffffffffffff908185600209948280878009809709948380888a0998818080808680097fffffffff00000001000000000000000000000000fffffffffffffffffffffffc099280096003090884808a7fffffffff00000001000000000000000000000000fffffffffffffffffffffffd09818380090898898603918683116104bc57888703908782116104bc578780969481809681950994089009089609930990565b508015610aa3565b919091801580610c3a575b610c2d577fffffffff00000001000000000000000000000000ffffffffffffffffffffffff90818460020991808084800980940991817fffffffff00000001000000000000000000000000fffffffffffffffffffffffc81808088860994800960030908958280837fffffffff00000001000000000000000000000000fffffffffffffffffffffffd09818980090896878403918483116104bc57858503928584116104bc5785809492819309940890090892565b5060009150819081908190565b508215610b78565b909392821580610c9a575b610c8d57610c5a90610ca2565b9182917fffffffff00000001000000000000000000000000ffffffffffffffffffffffff80809581940980099009930990565b5050509050600090600090565b508015610c4d565b604051906020918281019183835283604083015283606083015260808201527fffffffff00000001000000000000000000000000fffffffffffffffffffffffd60a08201527fffffffff00000001000000000000000000000000ffffffffffffffffffffffff60c082015260c08152610d1a8161006a565b600080928192519060055afa903d15610d93573d9167ffffffffffffffff83116103185760405192610d73857fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0601f8401160185610086565b83523d828585013e5b156102eb57828280518101031261018c5750015190565b606091610d7c56fea2646970667358221220fa55558b04ced380e93d0a46be01bb895ff30f015c50c516e898c341cd0a230264736f6c63430008150033";
+        // deploys the P256 Verifier contract using the default CREATE2 deterministic deployment contract available of EVM chains including on Anvil
+        // https://github.com/Arachnid/deterministic-deployment-proxy?tab=readme-ov-file#latest-outputs
+        // https://getfoundry.sh/guides/deterministic-deployments-using-create2
+        (bool succ,) = address(0x4e59b44847b379578588920cA78FbF26c0B4956C).call(txdata);
+        require(succ, "Failed to deploy P256");
+        // check code
+        uint256 codesize = P256_VERIFIER.code.length;
+        require(codesize > 0, "P256 deployed to the wrong address");
+    }
+}

package/src/DeployUtils.sol CHANGED Viewed

@@ -9,6 +9,7 @@ import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.s
 import {CONTRACT_NAME, MAJOR_VERSION, MINOR_VERSION, PATCH_VERSION} from "../src/version/IncoLightningConfig.sol";
 import {console} from "forge-std/console.sol";
 import {CreateXHelper} from "./CreateXHelper.sol";
+import {IncoLightningPreview} from "@inco/lightning-preview/src/IncoLightningPreview.sol";
 // can be set to 0x01 so the inco address can exist on only one chain, we want the same contract at the same address
 // on all chains
@@ -93,12 +94,16 @@ contract DeployUtils is Script {
     /// @param pepper a value used to avoid address collision on deploying the same contract twice with the same deployer
     /// @param minorVersionForSalt minor version of the contract to use in the salt
     /// @param patchVersionForSalt patch version of the contract to use in the salt
+    /// @param includePreviewFeatures whether to include preview features in the contract
+    /// @param teeLifecycleAddress the address of the TEELifecycle contract to use in the contract
     function deployIncoLightningUsingConfig(
         address deployer,
         string memory pepper,
     // FIXME: on the next major version (new contract address and state) we should remove these from the salt altogether
         uint8 minorVersionForSalt,
-        uint8 patchVersionForSalt
+        uint8 patchVersionForSalt,
+        bool includePreviewFeatures,
+        address teeLifecycleAddress
     ) internal returns (IncoLightning proxy) {
         bytes32 salt = getSalt(
             CONTRACT_NAME,
@@ -114,12 +119,20 @@ contract DeployUtils is Script {
             vm.toString(salt)
         );
         IncoLightning implementation = new IncoLightning(salt);
+        if (includePreviewFeatures) {
+            IncoLightningPreview preview = new IncoLightningPreview(address(implementation));
+            // FIXME: This is hack, we ought to define an interface IIncoLightning here and use that instead
+            implementation = IncoLightning(address(preview));
+        }
         proxy = IncoLightning(
             deployProxy({
-                deployer: deployer,
                 salt: salt,
                 implem: address(implementation),
-                initFunctionSelector: IncoLightning.initialize.selector
+                initCall: abi.encodeWithSelector(
+                    IncoLightning.initialize.selector,
+                    deployer,
+                    teeLifecycleAddress
+                )
             })
         );
     }
@@ -129,17 +142,12 @@ contract DeployUtils is Script {
 ///     the proxy
 /// @dev deployer is made the owner of the contract
     function deployProxy(
-        address deployer,
         bytes32 salt,
         address implem,
-        bytes4 initFunctionSelector
+        bytes memory initCall
     ) internal returns (address proxy) {
         CreateX createX = CreateX(createXAddress);
         CreateX.Values memory msgValues = CreateX.Values(0, 0);
-        bytes memory initCall = abi.encodeWithSelector(
-            initFunctionSelector,
-            deployer
-        );
         bytes memory bytecode = abi.encodePacked(
             type(ERC1967Proxy).creationCode,
             abi.encode(implem, initCall)

package/src/Errors.sol ADDED Viewed

@@ -0,0 +1,4 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+error HandleAlreadyExists();

package/src/IncoLightning.gen.sol CHANGED Viewed

@@ -11,5 +11,5 @@ import { UUPSUpgradeable } from "@openzeppelin/contracts/proxy/utils/UUPSUpgrade
 import { Version } from "./version/Version.sol";
 interface IIncoLightningGen {
-    function initialize(address owner) external;
+    function initialize(address owner, address teeLifecycleAddress) external;
 }

package/src/IncoLightning.sol CHANGED Viewed

@@ -40,8 +40,9 @@ contract IncoLightning is
         require(msg.sender == owner());
     }
-    function initialize(address owner) public initializer {
+    function initialize(address owner, address teeLifecycleAddress) public initializer {
         __Ownable_init(owner);
+        __SignatureVerifier_init(teeLifecycleAddress);
     }
     fallback() external {} // must be included for createX deploy

package/src/Types.sol CHANGED Viewed

@@ -34,7 +34,25 @@ pragma solidity ^0.8;
         RandBounded, // 27
         // These are pseudo-ops part of the decryption/callback system but we need to generate code for them so I am including them
         DecryptionRequested, // 28
-        RequestFulfilled // 29
+        RequestFulfilled, // 29
+        EOP30, EOP31, EOP32, EOP33, EOP34, EOP35, EOP36, EOP37, EOP38, EOP39,
+        EOP40, EOP41, EOP42, EOP43, EOP44, EOP45, EOP46, EOP47, EOP48, EOP49,
+        EOP50, EOP51, EOP52, EOP53, EOP54, EOP55, EOP56, EOP57, EOP58, EOP59,
+        EOP60, EOP61, EOP62, EOP63, EOP64, EOP65, EOP66, EOP67, EOP68, EOP69,
+        EOP70, EOP71, EOP72, EOP73, EOP74, EOP75, EOP76, EOP77, EOP78, EOP79,
+        EOP80, EOP81, EOP82, EOP83, EOP84, EOP85, EOP86, EOP87, EOP88, EOP89,
+        EOP90, EOP91, EOP92, EOP93, EOP94, EOP95, EOP96, EOP97, EOP98, EOP99,
+        NewEList, // 100
+        EListGet, // 101
+        EListGetOr, // 102
+        EListSet, // 103
+        EListInsert, // 104
+        EListAppend, // 105
+        EListConcat, // 106
+        EListSlice, // 107
+        EListRange, // 108
+        EListShuffle, // 109
+        EListReverse // 110
     }
     type ebool is bytes32;
@@ -55,7 +73,24 @@ pragma solidity ^0.8;
         Uint256,
         Bytes64UNSUPPORTED,
         Bytes128UNSUPPORTED,
-        Bytes256UNSUPPORTED
+        Bytes256UNSUPPORTED,
+        EmptyType12, // 12
+        EmptyType13, // 13
+        EmptyType14, // 14
+        EmptyType15, // 15
+        EmptyType16, // 16
+        EmptyType17, // 17
+        EmptyType18, // 18
+        EmptyType19, // 19
+        EmptyType20, EmptyType21, EmptyType22, EmptyType23, EmptyType24, EmptyType25, EmptyType26, EmptyType27, EmptyType28, EmptyType29,
+        EmptyType30, EmptyType31, EmptyType32, EmptyType33, EmptyType34, EmptyType35, EmptyType36, EmptyType37, EmptyType38, EmptyType39,
+        EmptyType40, EmptyType41, EmptyType42, EmptyType43, EmptyType44, EmptyType45, EmptyType46, EmptyType47, EmptyType48, EmptyType49,
+        EmptyType50, EmptyType51, EmptyType52, EmptyType53, EmptyType54, EmptyType55, EmptyType56, EmptyType57, EmptyType58, EmptyType59,
+        EmptyType60, EmptyType61, EmptyType62, EmptyType63, EmptyType64, EmptyType65, EmptyType66, EmptyType67, EmptyType68, EmptyType69,
+        EmptyType70, EmptyType71, EmptyType72, EmptyType73, EmptyType74, EmptyType75, EmptyType76, EmptyType77, EmptyType78, EmptyType79,
+        EmptyType80, EmptyType81, EmptyType82, EmptyType83, EmptyType84, EmptyType85, EmptyType86, EmptyType87, EmptyType88, EmptyType89,
+        EmptyType90, EmptyType91, EmptyType92, EmptyType93, EmptyType94, EmptyType95, EmptyType96, EmptyType97, EmptyType98, EmptyType99,
+        List // 100
     }
 // check correctness of compute
@@ -74,4 +109,11 @@ string constant EVM_HOST_CHAIN_PREFIX = "evm/";
 uint8 constant HANDLE_VERSION = 0;
 // IncoLightning only supports single-valued ciphertexts so this is always 0
-uint256 constant HANDLE_INDEX = 0;
+// NOTE: this must be a uint8 to get hash agreement!
+uint8 constant HANDLE_INDEX = 0;
+/// Util function to convert an ETypes to a bit mask
+/// @param t the type to convert to a bit mask
+function typeToBitMask(ETypes t) pure returns (bytes32) {
+    return bytes32(1 << uint256(t));
+}

package/src/lightning-parts/EncryptedInput.gen.sol CHANGED Viewed

@@ -5,6 +5,7 @@ import { BaseAccessControlList } from "./AccessControl/BaseAccessControlList.sol
 import { EventCounter } from "./primitives/EventCounter.sol";
 import { HandleGeneration } from "./primitives/HandleGeneration.sol";
 import { euint256, ebool, eaddress, ETypes, EVM_HOST_CHAIN_PREFIX, HANDLE_VERSION, HANDLE_INDEX } from "../Types.sol";
+import { HandleAlreadyExists } from "../Errors.sol";
 interface IEncryptedInputGen {
     function newEuint256(bytes memory ciphertext, address user) external returns (euint256 newValue);

package/src/lightning-parts/EncryptedInput.sol CHANGED Viewed

@@ -6,6 +6,7 @@ import {EventCounter} from "./primitives/EventCounter.sol";
 import {HandleGeneration} from "./primitives/HandleGeneration.sol";
 import {euint256, ebool, eaddress, ETypes, EVM_HOST_CHAIN_PREFIX, HANDLE_VERSION, HANDLE_INDEX} from "../Types.sol";
 import {IEncryptedInputGen} from "./EncryptedInput.gen.sol";
+import {HandleAlreadyExists} from "../Errors.sol";
 abstract contract EncryptedInput is
     IEncryptedInputGen,
@@ -13,7 +14,6 @@ abstract contract EncryptedInput is
     EventCounter,
     HandleGeneration
 {
-    error HandleAlreadyExists();
     event NewInput(
         bytes32 indexed result,

package/src/lightning-parts/EncryptedOperations.gen.sol CHANGED Viewed

@@ -1,7 +1,7 @@
 /// SPDX-License-Identifier: No License
 pragma solidity ^0.8;
-import { euint256, ebool, EOps, SenderNotAllowedForHandle, ETypes, isTypeSupported } from "../Types.sol";
+import { euint256, ebool, EOps, SenderNotAllowedForHandle, ETypes, isTypeSupported, typeToBitMask } from "../Types.sol";
 import { BaseAccessControlList } from "./AccessControl/BaseAccessControlList.sol";
 import { EventCounter } from "./primitives/EventCounter.sol";
 import { HandleGeneration } from "./primitives/HandleGeneration.sol";

package/src/lightning-parts/EncryptedOperations.sol CHANGED Viewed

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: No License
 pragma solidity ^0.8;
-import {euint256, ebool, EOps, SenderNotAllowedForHandle, ETypes, isTypeSupported} from "../Types.sol";
+import {euint256, ebool, EOps, SenderNotAllowedForHandle, ETypes, isTypeSupported, typeToBitMask} from "../Types.sol";
 import {BaseAccessControlList} from "./AccessControl/BaseAccessControlList.sol";
 import {EventCounter} from "./primitives/EventCounter.sol";
 import {HandleGeneration} from "./primitives/HandleGeneration.sol";
@@ -16,7 +16,7 @@ abstract contract EncryptedOperations is
     error UnexpectedType(ETypes actual, bytes32 expectedTypes);
     error UnsupportedType(ETypes actual);
-    uint256 private randCounter;
+    uint256 internal randCounter;
     bytes32 constant EBOOL = bytes32(1 << uint256(ETypes.Bool));
     bytes32 constant EUINT160 = bytes32(1 << uint256(ETypes.AddressOrUint160OrBytes20));
@@ -175,10 +175,6 @@ abstract contract EncryptedOperations is
         uint256 eventId
     );
-    function typeToBitMask(ETypes t) internal pure returns (bytes32) {
-        return bytes32(1 << uint256(t));
-    }
     modifier checked(euint256 lhs, euint256 rhs) {
         checkInput(euint256.unwrap(lhs), typeToBitMask(ETypes.Uint256));
         checkInput(euint256.unwrap(rhs), typeToBitMask(ETypes.Uint256));
@@ -569,6 +565,9 @@ abstract contract EncryptedOperations is
             bytes32(randCounter++),
             bytes32(uint256(randType))
         );
+        //NOTE: We pass the incremented randCounter which is incremented using postfix increment above.
+        // Due to postfix returning the value before incrementing, the emitted randCounter will be larger by one than the number used to build the handle.
+        // So for security and replayability reasons, we always use the incremented randCounter when seeding on the covalidator side, which is fine for as long as we're consistent.
         emit ERand(randCounter, randType, result, getNewEventId());
     }
@@ -586,6 +585,9 @@ abstract contract EncryptedOperations is
             upperBound,
             bytes32(uint256(randType))
         );
+        //NOTE: We pass the incremented randCounter which is incremented using postfix increment above.
+        // Due to postfix returning the value before incrementing, the emitted randCounter will be larger by one than the number used to build the handle.
+        // So for security and replayability reasons, we always use the incremented randCounter when seeding on the covalidator side, which is fine for as long as we're consistent.
         emit ERandBounded(randCounter, randType, upperBound, result, getNewEventId());
     }

package/src/lightning-parts/TEELifecycle.gen.sol ADDED Viewed

@@ -0,0 +1,58 @@
+/// SPDX-License-Identifier: No License
+pragma solidity ^0.8.19;
+import "./TEELifecycle.types.sol";
+import { ECDSA } from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
+import { EIP712 } from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
+import { OwnableUpgradeable } from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
+import { IQuoteVerifier } from "automata-dcap-attestation/interfaces/IQuoteVerifier.sol";
+import { BELE } from "automata-dcap-attestation/utils/BELE.sol";
+import { HEADER_LENGTH } from "automata-dcap-attestation/types/Constants.sol";
+import { TD10ReportBody, Header } from "automata-dcap-attestation/types/V4Structs.sol";
+import { EIP712Upgradeable } from "@openzeppelin/contracts-upgradeable/utils/cryptography/EIP712Upgradeable.sol";
+import { EnclaveIdentityJsonObj, IdentityObj } from "@automata-network/on-chain-pccs/helpers/EnclaveIdentityHelper.sol";
+import { TcbInfoJsonObj } from "@automata-network/on-chain-pccs/helpers/FmspcTcbHelper.sol";
+import { AutomataFmspcTcbDao } from "@automata-network/on-chain-pccs/automata_pccs/AutomataFmspcTcbDao.sol";
+import { AutomataEnclaveIdentityDao } from "@automata-network/on-chain-pccs/automata_pccs/AutomataEnclaveIdentityDao.sol";
+interface ITEELifecycleGen {
+    function initialize(address owner, string memory eip712Name, string memory eip712Version, address quoteVerifierAddress) external;
+    ///  @notice Uploads the collateral to the contract
+    ///  @param tcbInfo - The TCB info to upload
+    ///  @param identity - The identity to upload
+    function uploadCollateral(TcbInfoJsonObj memory tcbInfo, EnclaveIdentityJsonObj memory identity) external;
+    ///  @notice Verifies the bootstrap data against the provided quote and signature
+    ///  @param bootstrapResult - The bootstrap data to verify
+    ///  @param quote - The quote to verify against
+    ///  @param signature - The signature to verify against
+    function verifyBootstrapResult(BootstrapResult calldata bootstrapResult, bytes calldata quote, bytes calldata signature) external;
+    ///  @notice Approves a new TEE version and updates the TEEVersionHistory
+    ///  @param newMRTD - The MRTD bytes of the new TEE version
+    ///  @dev This function increments the version number automatically based on the current history
+    function approveNewTEEVersion(bytes calldata newMRTD) external;
+    ///  @notice Adds a new covalidator to the contract state
+    ///  @param quote - The quote from the new covalidator that contains the current MRTD and the eoa address of the new party in the report data
+    function addNewCovalidator(bytes calldata quote) external;
+    ///  @notice Checks if the bootstrap is complete, meaning that there is an active TEE version.
+    ///  @return true if the bootstrap is complete, false otherwise
+    function isBootstrapComplete() external view returns (bool);
+    ///  @notice From https://github.com/automata-network/automata-dcap-attestation/blob/evm-v1.0.0/evm/contracts/verifiers/V4QuoteVerifier.sol#L309
+    ///  @notice Parses the TD10 report body from the raw quote
+    ///  @param rawQuote - The raw quote bytes
+    ///  @return report - The parsed TD10 report body
+    function parseTD10ReportBody(bytes calldata rawQuote) external pure returns (TD10ReportBody memory report);
+    ///  @notice Parses the TD10 report to extract the report data and MRTD
+    ///  @param tdReport - The TD10 report body
+    ///  @return reportDataSigner - The signing address of the report data signer
+    ///  @return reportMRTD - The MRTD bytes from the report
+    function parseReport(TD10ReportBody memory tdReport) external pure returns (address, bytes memory);
+    function bootstrapResultDigest(BootstrapResult memory bootstrapResult) external view returns (bytes32);
+}