@layr-labs/ecloud-sdk 0.4.0-dev.1 → 0.4.0-dev.2

package/dist/{helpers-D_AbDeP4.d.ts → helpers-BcoV07Me.d.ts}

@@ -1,4 +1,4 @@
-import { a8 as EnvironmentConfig, ai as SubscriptionStatus, a7 as BillingEnvironmentConfig, ag as ProductID, ak as CreateSubscriptionOptions, am as CreateSubscriptionResponse, al as GetSubscriptionOptions, au as ProductSubscriptionResponse, G as GasEstimate, ad as Logger } from './index-DD7ZLbqD.js';
+import { a8 as EnvironmentConfig, ai as SubscriptionStatus, a7 as BillingEnvironmentConfig, ag as ProductID, ak as CreateSubscriptionOptions, am as CreateSubscriptionResponse, al as GetSubscriptionOptions, au as ProductSubscriptionResponse, G as GasEstimate, ad as Logger } from './index-BEbhrwWl.js';
 import { Address, Hex, WalletClient, PublicClient, SignAuthorizationReturnType, Chain } from 'viem';
 
 /**

package/dist/{helpers-BNeMZYcY.d.cts → helpers-DdtPaQr9.d.cts}

@@ -1,4 +1,4 @@
-import { a8 as EnvironmentConfig, ai as SubscriptionStatus, a7 as BillingEnvironmentConfig, ag as ProductID, ak as CreateSubscriptionOptions, am as CreateSubscriptionResponse, al as GetSubscriptionOptions, au as ProductSubscriptionResponse, G as GasEstimate, ad as Logger } from './index-DD7ZLbqD.cjs';
+import { a8 as EnvironmentConfig, ai as SubscriptionStatus, a7 as BillingEnvironmentConfig, ag as ProductID, ak as CreateSubscriptionOptions, am as CreateSubscriptionResponse, al as GetSubscriptionOptions, au as ProductSubscriptionResponse, G as GasEstimate, ad as Logger } from './index-BEbhrwWl.cjs';
 import { Address, Hex, WalletClient, PublicClient, SignAuthorizationReturnType, Chain } from 'viem';
 
 /**

package/dist/{index-DD7ZLbqD.d.cts → index-BEbhrwWl.d.cts}

@@ -612,6 +612,7 @@ interface EnvironmentConfig {
     kmsServerURL: string;
     userApiServerURL: string;
     defaultRPCURL: string;
+    billingRPCURL?: string;
     usdcCreditsAddress?: Address;
 }
 interface Release {

package/dist/{index-DD7ZLbqD.d.ts → index-BEbhrwWl.d.ts}

@@ -612,6 +612,7 @@ interface EnvironmentConfig {
     kmsServerURL: string;
     userApiServerURL: string;
     defaultRPCURL: string;
+    billingRPCURL?: string;
     usdcCreditsAddress?: Address;
 }
 interface Release {

package/dist/index.cjs

@@ -162,6 +162,7 @@ var init_session = __esm({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  AttestClient: () => AttestClient,
   AuthRequiredError: () => AuthRequiredError,
   BUILD_STATUS: () => BUILD_STATUS,
   BadRequestError: () => BadRequestError,
@@ -171,6 +172,7 @@ __export(index_exports, {
   ConflictError: () => ConflictError,
   ERC20ABI: () => ERC20_default,
   ForbiddenError: () => ForbiddenError,
+  JwtProvider: () => JwtProvider,
   NoopClient: () => NoopClient,
   NotFoundError: () => NotFoundError,
   PRIMARY_LANGUAGES: () => PRIMARY_LANGUAGES,
@@ -691,6 +693,10 @@ setup_tls() {
 # Run TLS setup
 setup_tls
 
+# Export KMS variables for attestation-based JWT auth
+export KMS_SERVER_URL="{{kmsServerURL}}"
+export KMS_PUBLIC_KEY="$(cat /usr/local/bin/kms-signing-public-key.pem)"
+
 echo "compute-source-env.sh: Environment sourced."
 
 # Drop privileges to original user for the application command
@@ -4954,7 +4960,7 @@ var CanViewAppLogsPermission = "0x2fd3f2fe";
 var CanViewSensitiveAppInfoPermission = "0x0e67b22f";
 var CanUpdateAppProfilePermission = "0x036fef61";
 function getDefaultClientId() {
-  const version = true ? "0.4.0-dev.1" : "0.0.0";
+  const version = true ? "0.4.0-dev.2" : "0.0.0";
   return `ecloud-sdk/v${version}`;
 }
 var UserApiClient = class {
@@ -5745,7 +5751,8 @@ var ENVIRONMENTS = {
     erc7702DelegatorAddress: CommonAddresses.ERC7702Delegator,
     kmsServerURL: "http://10.128.15.203:8080",
     userApiServerURL: "https://userapi-compute-sepolia-prod.eigencloud.xyz",
-    defaultRPCURL: "https://ethereum-sepolia-rpc.publicnode.com"
+    defaultRPCURL: "https://ethereum-sepolia-rpc.publicnode.com",
+    billingRPCURL: "https://ethereum-rpc.publicnode.com"
   },
   "mainnet-alpha": {
     name: "mainnet-alpha",
@@ -6285,7 +6292,7 @@ function getPostHogAPIKey() {
   if (process.env.ECLOUD_POSTHOG_KEY) {
     return process.env.ECLOUD_POSTHOG_KEY;
   }
-  return typeof POSTHOG_API_KEY_BUILD_TIME !== "undefined" ? POSTHOG_API_KEY_BUILD_TIME : void 0;
+  return true ? "phc_BiKfywNft5iBI8N7MxmuVCkb4GGZj4mDFXYPmOPUAI8" : void 0;
 }
 function getPostHogEndpoint() {
   return process.env.ECLOUD_POSTHOG_ENDPOINT || "https://us.i.posthog.com";
@@ -8194,9 +8201,101 @@ function createComputeModule(config) {
   };
 }
 
+// src/client/modules/billing/index.ts
+var import_viem7 = require("viem");
+
+// src/client/common/abis/USDCCredits.json
+var USDCCredits_default = [
+  {
+    type: "function",
+    name: "purchaseCreditsFor",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "amount", type: "uint256" },
+      { name: "account", type: "address" }
+    ],
+    outputs: []
+  },
+  {
+    type: "function",
+    name: "purchaseCredits",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "amount", type: "uint256" }
+    ],
+    outputs: []
+  },
+  {
+    type: "function",
+    name: "usdc",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [
+      { name: "", type: "address" }
+    ]
+  },
+  {
+    type: "function",
+    name: "minimumPurchase",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [
+      { name: "", type: "uint256" }
+    ]
+  },
+  {
+    type: "event",
+    name: "CreditsPurchased",
+    inputs: [
+      { name: "purchaser", type: "address", indexed: true },
+      { name: "account", type: "address", indexed: true },
+      { name: "amount", type: "uint256", indexed: false }
+    ]
+  }
+];
+
+// src/client/common/abis/ERC20.json
+var ERC20_default = [
+  {
+    type: "function",
+    name: "approve",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "spender", type: "address" },
+      { name: "amount", type: "uint256" }
+    ],
+    outputs: [
+      { name: "", type: "bool" }
+    ]
+  },
+  {
+    type: "function",
+    name: "balanceOf",
+    stateMutability: "view",
+    inputs: [
+      { name: "account", type: "address" }
+    ],
+    outputs: [
+      { name: "", type: "uint256" }
+    ]
+  },
+  {
+    type: "function",
+    name: "allowance",
+    stateMutability: "view",
+    inputs: [
+      { name: "owner", type: "address" },
+      { name: "spender", type: "address" }
+    ],
+    outputs: [
+      { name: "", type: "uint256" }
+    ]
+  }
+];
+
 // src/client/modules/billing/index.ts
 function createBillingModule(config) {
-  const { verbose = false, skipTelemetry = false, walletClient } = config;
+  const { verbose = false, skipTelemetry = false, walletClient, publicClient, environment } = config;
   if (!walletClient.account) {
     throw new Error("WalletClient must have an account attached");
   }
@@ -8204,8 +8303,85 @@ function createBillingModule(config) {
   const logger = getLogger(verbose);
   const billingEnvConfig = getBillingEnvironmentConfig(getBuildType());
   const billingApi = new BillingApiClient(billingEnvConfig, walletClient);
-  return {
+  const environmentConfig = getEnvironmentConfig(environment);
+  const usdcCreditsAddress = environmentConfig.usdcCreditsAddress;
+  if (!usdcCreditsAddress) {
+    throw new Error(`USDCCredits contract address not configured for environment "${environment}"`);
+  }
+  const module2 = {
     address,
+    async getTopUpInfo() {
+      const usdcAddress = await publicClient.readContract({
+        address: usdcCreditsAddress,
+        abi: USDCCredits_default,
+        functionName: "usdc"
+      });
+      const [minimumPurchase, usdcBalance, currentAllowance] = await Promise.all([
+        publicClient.readContract({
+          address: usdcCreditsAddress,
+          abi: USDCCredits_default,
+          functionName: "minimumPurchase"
+        }),
+        publicClient.readContract({
+          address: usdcAddress,
+          abi: ERC20_default,
+          functionName: "balanceOf",
+          args: [address]
+        }),
+        publicClient.readContract({
+          address: usdcAddress,
+          abi: ERC20_default,
+          functionName: "allowance",
+          args: [address, usdcCreditsAddress]
+        })
+      ]);
+      return { usdcAddress, minimumPurchase, usdcBalance, currentAllowance };
+    },
+    async topUp(opts) {
+      return withSDKTelemetry(
+        {
+          functionName: "topUp",
+          skipTelemetry,
+          properties: { amount: opts.amount.toString() }
+        },
+        async () => {
+          const targetAccount = opts.account ?? address;
+          const { usdcAddress, currentAllowance } = await module2.getTopUpInfo();
+          const executions = [];
+          if (currentAllowance < opts.amount) {
+            executions.push({
+              target: usdcAddress,
+              value: 0n,
+              callData: (0, import_viem7.encodeFunctionData)({
+                abi: ERC20_default,
+                functionName: "approve",
+                args: [usdcCreditsAddress, opts.amount]
+              })
+            });
+          }
+          executions.push({
+            target: usdcCreditsAddress,
+            value: 0n,
+            callData: (0, import_viem7.encodeFunctionData)({
+              abi: USDCCredits_default,
+              functionName: "purchaseCreditsFor",
+              args: [opts.amount, targetAccount]
+            })
+          });
+          const txHash = await executeBatch(
+            {
+              walletClient,
+              publicClient,
+              environmentConfig,
+              executions,
+              pendingMessage: "Submitting credit purchase..."
+            },
+            logger
+          );
+          return { txHash, walletAddress: address };
+        }
+      );
+    },
     async subscribe(opts) {
       return withSDKTelemetry(
         {
@@ -8292,6 +8468,7 @@ function createBillingModule(config) {
       );
     }
   };
+  return module2;
 }
 
 // src/client/common/utils/buildapi.ts
@@ -9054,95 +9231,6 @@ async function getCurrentInstanceType(preflightCtx, appID, logger, clientId) {
   }
 }
 
-// src/client/common/abis/USDCCredits.json
-var USDCCredits_default = [
-  {
-    type: "function",
-    name: "purchaseCreditsFor",
-    stateMutability: "nonpayable",
-    inputs: [
-      { name: "amount", type: "uint256" },
-      { name: "account", type: "address" }
-    ],
-    outputs: []
-  },
-  {
-    type: "function",
-    name: "purchaseCredits",
-    stateMutability: "nonpayable",
-    inputs: [
-      { name: "amount", type: "uint256" }
-    ],
-    outputs: []
-  },
-  {
-    type: "function",
-    name: "usdc",
-    stateMutability: "view",
-    inputs: [],
-    outputs: [
-      { name: "", type: "address" }
-    ]
-  },
-  {
-    type: "function",
-    name: "minimumPurchase",
-    stateMutability: "view",
-    inputs: [],
-    outputs: [
-      { name: "", type: "uint256" }
-    ]
-  },
-  {
-    type: "event",
-    name: "CreditsPurchased",
-    inputs: [
-      { name: "purchaser", type: "address", indexed: true },
-      { name: "account", type: "address", indexed: true },
-      { name: "amount", type: "uint256", indexed: false }
-    ]
-  }
-];
-
-// src/client/common/abis/ERC20.json
-var ERC20_default = [
-  {
-    type: "function",
-    name: "approve",
-    stateMutability: "nonpayable",
-    inputs: [
-      { name: "spender", type: "address" },
-      { name: "amount", type: "uint256" }
-    ],
-    outputs: [
-      { name: "", type: "bool" }
-    ]
-  },
-  {
-    type: "function",
-    name: "balanceOf",
-    stateMutability: "view",
-    inputs: [
-      { name: "account", type: "address" }
-    ],
-    outputs: [
-      { name: "", type: "uint256" }
-    ]
-  },
-  {
-    type: "function",
-    name: "allowance",
-    stateMutability: "view",
-    inputs: [
-      { name: "owner", type: "address" },
-      { name: "spender", type: "address" }
-    ],
-    outputs: [
-      { name: "", type: "uint256" }
-    ]
-  }
-];
-
 // src/client/index.ts
 function createECloudClient(cfg) {
   cfg.privateKey = addHexPrefix(cfg.privateKey);
@@ -9176,12 +9264,158 @@ function createECloudClient(cfg) {
     }),
     billing: createBillingModule({
       verbose: cfg.verbose,
-      walletClient
+      walletClient,
+      publicClient,
+      environment: cfg.environment
     })
   };
 }
+
+// src/client/modules/attest/attest-client.ts
+var import_node_crypto = require("crypto");
+var import_node_http = __toESM(require("http"), 1);
+var import_jose2 = require("jose");
+var DEFAULT_SOCKET_PATH = "/run/container_launcher/teeserver.sock";
+var CHALLENGE_PREFIX = "COMPUTE_APP_JWT_REQUEST_RSA_KEY_V1";
+var SIGNATURE_PREFIX = "COMPUTE_APP_KMS_SIGNATURE_V1";
+var NULL_BYTE = Buffer.from([0]);
+var AttestClient = class {
+  constructor(config) {
+    this.config = config;
+  }
+  async attest() {
+    const { publicKey, privateKey } = (0, import_node_crypto.generateKeyPairSync)("rsa", {
+      modulusLength: 4096,
+      publicKeyEncoding: { type: "spki", format: "pem" },
+      privateKeyEncoding: { type: "pkcs8", format: "pem" }
+    });
+    const challengeHash = (0, import_node_crypto.createHash)("sha256").update(CHALLENGE_PREFIX).update(NULL_BYTE).update(publicKey).digest();
+    const socketPath = this.config.socketPath ?? DEFAULT_SOCKET_PATH;
+    const attestationBytes = await this.getAttestation(socketPath, challengeHash);
+    const attestResponse = await this.postAttest(attestationBytes, publicKey);
+    this.verifySignature(JSON.stringify(attestResponse.data), attestResponse.signature);
+    const rsaPrivateKey = await crypto.subtle.importKey(
+      "pkcs8",
+      pemToBuffer(privateKey),
+      { name: "RSA-OAEP", hash: "SHA-256" },
+      false,
+      ["decrypt"]
+    );
+    const { plaintext } = await (0, import_jose2.compactDecrypt)(
+      attestResponse.data.encryptedToken,
+      rsaPrivateKey
+    );
+    const decrypted = JSON.parse(new TextDecoder().decode(plaintext));
+    return decrypted.token;
+  }
+  verifySignature(dataJson, signature) {
+    const message = Buffer.concat([
+      Buffer.from(SIGNATURE_PREFIX),
+      NULL_BYTE,
+      Buffer.from(dataJson)
+    ]);
+    const valid = (0, import_node_crypto.verify)(
+      "sha256",
+      message,
+      this.config.kmsPublicKey,
+      Buffer.from(signature, "base64")
+    );
+    if (!valid) {
+      throw new Error("KMS response signature verification failed");
+    }
+  }
+  getAttestation(socketPath, challenge) {
+    return new Promise((resolve2, reject) => {
+      const body = JSON.stringify({ challenge: challenge.toString("base64") });
+      const req = import_node_http.default.request(
+        {
+          socketPath,
+          path: "/v1/bound_evidence",
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "Content-Length": Buffer.byteLength(body)
+          }
+        },
+        (res) => {
+          const chunks = [];
+          res.on("data", (chunk) => chunks.push(chunk));
+          res.on("end", () => {
+            if (res.statusCode !== 200) {
+              reject(new Error(`TEE attestation failed (${res.statusCode}): ${Buffer.concat(chunks).toString()}`));
+              return;
+            }
+            resolve2(Buffer.concat(chunks));
+          });
+        }
+      );
+      req.on("error", (err) => reject(new Error(`TEE attestation request failed: ${err.message}`)));
+      req.write(body);
+      req.end();
+    });
+  }
+  async postAttest(attestationBytes, rsaPublicKey) {
+    const url = `${this.config.kmsServerURL}/auth/attest`;
+    const body = JSON.stringify({
+      version: 3,
+      attestation: attestationBytes.toString("base64"),
+      rsaKey: rsaPublicKey,
+      audience: this.config.audience
+    });
+    const response = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`KMS attest failed (${response.status}): ${text}`);
+    }
+    return response.json();
+  }
+};
+function pemToBuffer(pem) {
+  const b64 = pem.replace(/-----[A-Z ]+-----/g, "").replace(/\s/g, "");
+  const buf = Buffer.from(b64, "base64");
+  return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
+}
+
+// src/client/modules/attest/jwt-provider.ts
+var JwtProvider = class {
+  constructor(attestClient, bufferSeconds = 30) {
+    this.attestClient = attestClient;
+    this.bufferSeconds = bufferSeconds;
+  }
+  async getToken() {
+    if (this.cachedToken && !this.isExpiringSoon()) {
+      return this.cachedToken;
+    }
+    if (this.pending) {
+      return this.pending;
+    }
+    this.pending = this.attestClient.attest().then((token) => {
+      this.cachedToken = token;
+      this.expiresAt = this.decodeJwtExp(token);
+      return token;
+    }).finally(() => {
+      this.pending = void 0;
+    });
+    return this.pending;
+  }
+  isExpiringSoon() {
+    if (!this.expiresAt) return true;
+    return Date.now() / 1e3 >= this.expiresAt - this.bufferSeconds;
+  }
+  decodeJwtExp(jwt) {
+    const payload = jwt.split(".")[1];
+    if (!payload) return void 0;
+    const decoded = JSON.parse(Buffer.from(payload, "base64url").toString());
+    return decoded.exp;
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AttestClient,
   AuthRequiredError,
   BUILD_STATUS,
   BadRequestError,
@@ -9191,6 +9425,7 @@ function createECloudClient(cfg) {
   ConflictError,
   ERC20ABI,
   ForbiddenError,
+  JwtProvider,
   NoopClient,
   NotFoundError,
   PRIMARY_LANGUAGES,