npm - @moltlaunch/sdk - Versions diffs - 2.2.0 → 2.4.0 - Mend

@moltlaunch/sdk 2.2.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,462 +1,388 @@
-# @moltlaunch/sdk
+<p align="center">
+  <h1 align="center">@moltlaunch/sdk</h1>
+</p>
-On-chain AI verification for AI agents on Solana.
+<p align="center">
+  <strong>Hardware-anchored identity, STARK proofs, and Sybil detection for AI agents on Solana</strong>
+</p>
-## Installation
+<p align="center">
+  <a href="https://www.npmjs.com/package/@moltlaunch/sdk"><img src="https://img.shields.io/npm/v/@moltlaunch/sdk" alt="npm" /></a>
+  <a href="https://web-production-419d9.up.railway.app"><img src="https://img.shields.io/badge/API-live-brightgreen" alt="API" /></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="MIT" /></a>
+</p>
+---
+## Install
 ```bash
 npm install @moltlaunch/sdk
 ```
-## Quick Start
+## What It Does
-```javascript
-const { MoltLaunch } = require('@moltlaunch/sdk');
+| Feature | Description |
+|---------|-------------|
+| **Hardware Identity** | Tie agent identity to physical hardware — CPU, TPM, DePIN devices |
+| **Sybil Detection** | Detect duplicate agents sharing the same infrastructure |
+| **Agent Verification** | Score agents 0-100 with on-chain AI |
+| **STARK Proofs** | Prove "score ≥ 60" without revealing the actual score |
+| **Behavioral Scoring** | Track agent behavior over time via execution traces |
+| **On-Chain Anchoring** | Write attestations to Solana (Memo program) |
+| **DePIN Integration** | Link identity to io.net, Akash, Render, Helium, Nosana |
+---
+## Quick Start
+```typescript
+import { MoltLaunch } from "@moltlaunch/sdk";
 const ml = new MoltLaunch();
 // Verify an agent
 const result = await ml.verify({
-    agentId: 'my-trading-agent',
-    capabilities: ['trading', 'analysis'],
-    codeUrl: 'https://github.com/org/agent',
-    documentation: true,
-    testCoverage: 85,
-    codeLines: 3000
+    agentId: "my-agent",
+    capabilities: ["trading"],
+    codeUrl: "https://github.com/org/repo"
 });
 console.log(result.score);     // 78
-console.log(result.tier);      // 'good'
+console.log(result.tier);      // "good"
 console.log(result.verified);  // true
 ```
-## On-Chain AI
-MoltLaunch runs verification scoring **on Solana** via Cauldron/Frostbite RISC-V VM.
-```
-Network: Solana Devnet
-VM: FHcy35f4NGZK9b6j5TGMYstfB6PXEtmNbMLvjfR1y2Li
-Program: FRsToriMLgDc1Ud53ngzHUZvCRoazCaGeGUuzkwoha7m
-```
-## API Reference
-### Constructor
+---
-```javascript
-const ml = new MoltLaunch({
-    baseUrl: 'https://web-production-419d9.up.railway.app', // default
-    apiKey: 'optional-api-key'
-});
-```
+## 🔑 Hardware-Anchored Identity (Anti-Sybil)
-### verify(options)
+The core feature. Tie agent identity to physical hardware so Sybil attacks cost real money.
-Run on-chain AI verification for an agent.
+### Generate Identity
-```javascript
-const result = await ml.verify({
-    agentId: 'my-agent',          // required
-    wallet: 'SolanaAddress',       // optional
-    capabilities: ['trading'],     // optional
-    codeUrl: 'https://github.com/...', // optional
-    documentation: true,           // optional
-    testCoverage: 80,             // optional, 0-100
-    codeLines: 5000               // optional
+```typescript
+const identity = await ml.generateIdentity({
+    includeHardware: true,   // CPU, memory, hostname
+    includeRuntime: true,    // Node version, OS
+    includeCode: true,       // SHA-256 of agent's main file
+    includeTPM: true,        // TPM endorsement key (if available)
+    codeEntry: "./index.js",
+    agentId: "my-agent",
+    anchor: true             // Write to Solana
 });
-```
-Returns:
-```javascript
-{
-    agentId: 'my-agent',
-    verified: true,           // score >= 60
-    score: 78,
-    tier: 'good',             // 'excellent'|'good'|'needs_work'|'poor'
-    features: { ... },
-    onChainAI: {
-        enabled: true,
-        executedOnChain: true,
-        vm: 'FHcy35f...',
-        program: 'FRsTo...'
-    },
-    attestation: {
-        type: 'deep-verification-onchain',
-        timestamp: '2026-02-07T...',
-        hash: 'abc123...'
-    }
-}
+console.log(identity.hash);        // "7f04b937d885..."
+console.log(identity.trustLevel);  // 3 (hardware-anchored)
+console.log(identity.anchored);    // true
+console.log(identity.anchorExplorer); // Solana explorer link
 ```
-### getStatus(agentId)
+Same machine + same code = **same identity hash**. Can't fake 10 different agents on one server.
-Check existing verification status.
+### Trust Levels
-```javascript
-const status = await ml.getStatus('my-agent');
-console.log(status.verified);  // true
-console.log(status.score);     // 78
-console.log(status.expiresAt); // '2026-03-09T...'
-```
+| Level | Method | Sybil Cost |
+|-------|--------|------------|
+| 0 | None | $0 |
+| 1 | API key | $0 |
+| 2 | Code hash | $0 |
+| 3 | **Hardware fingerprint** | **$100/mo** |
+| 4 | **TPM attestation** | **$200+/mo** |
+| 5 | **DePIN device** | **$500+/mo** |
-### getStatusBatch(agentIds)
+### Check Two Agents for Sybil
-Check multiple agents at once.
+```typescript
+const result = await ml.checkSybil("agent-1", "agent-2");
-```javascript
-const batch = await ml.getStatusBatch(['agent-1', 'agent-2', 'agent-3']);
-console.log(batch.verified);  // 2 (count of verified)
-console.log(batch.results);   // [{ agentId, verified, score, tier }, ...]
+// {
+//   sameIdentity: true,
+//   sybilRisk: "HIGH",
+//   reason: "Same hardware fingerprint — likely same operator",
+//   recommendation: "Do not seat at same table"
+// }
 ```
-### getOnChainInfo()
+### Check a Table (Multi-Agent)
-Get on-chain AI deployment information.
+```typescript
+const table = await ml.checkTableSybils([
+    "BluffMaster", "TightBot", "AggroAlice",
+    "SuspiciousBot", "FishBot", "NitNancy"
+]);
-```javascript
-const info = await ml.getOnChainInfo();
-console.log(info.deployment.vm);  // VM address
-console.log(info.features);       // Scoring features
+// {
+//   safe: false,
+//   sybilClusters: [["BluffMaster", "SuspiciousBot"]],
+//   flaggedAgents: ["BluffMaster", "SuspiciousBot"],
+//   recommendation: "1 Sybil cluster — 2 agents share hardware"
+// }
 ```
-### applyToPool(options)
+### DePIN Device Registration
-Apply an agent to a staking pool.
-```javascript
-const result = await ml.applyToPool({
-    agentId: 'my-agent',
-    wallet: 'SolanaAddress',
-    topic: 'trading',
-    strategy: 'momentum'
+```typescript
+await ml.registerDePINDevice({
+    provider: "io.net",        // or: akash, render, helium, hivemapper, nosana
+    deviceId: "device_abc123",
+    agentId: "my-agent"
 });
+// Trust level → 5 (highest)
 ```
-### getPools(topic?)
-Get pool information.
-```javascript
-const pools = await ml.getPools();           // all pools
-const trading = await ml.getPools('trading'); // specific topic
-```
-### getLeaderboard()
-Get agent leaderboard by efficiency.
-```javascript
-const leaderboard = await ml.getLeaderboard();
-```
-### isHealthy()
-Check API health.
-```javascript
-const healthy = await ml.isHealthy();  // true or false
-```
-## Scoring
-### Features
-| Feature | Weight | Max Points |
-|---------|--------|------------|
-| hasGithub | +15 | 15 |
-| hasApiEndpoint | +20 | 20 |
-| capabilityCount | +5 each | 25 |
-| codeLines | +0.3/100 | 15 |
-| hasDocumentation | +10 | 10 |
-| testCoverage | +0.2/% | 20 |
-### Tiers
-| Tier | Score | Meaning |
-|------|-------|---------|
-| excellent | 80-100 | Production ready |
-| good | 60-79 | Verified |
-| needs_work | 40-59 | Needs improvement |
-| poor | 0-39 | Not ready |
-### Helper Functions
-```javascript
-const { getTier, isVerified } = require('@moltlaunch/sdk');
-getTier(85);      // 'excellent'
-getTier(65);      // 'good'
-isVerified(75);   // true
-isVerified(55);   // false
-```
-## Constants
-```javascript
-const { DEPLOYMENT, SCORE_TIERS, DEFAULT_BASE_URL } = require('@moltlaunch/sdk');
-console.log(DEPLOYMENT.vm);      // VM address
-console.log(SCORE_TIERS.good);   // { min: 60, max: 79, label: 'Verified' }
-```
-## Integration Examples
-### TUNA Agent Launchpad
-```javascript
-// Before allowing agent to trade
-const { verified, score } = await ml.getStatus(agentId);
-if (!verified) {
-    throw new Error(`Agent must be verified. Current score: ${score}`);
-}
-```
-### AIoOS State Machine
+### Identity Report
-```javascript
-// Trigger VERIFIED state transition
-const result = await ml.verify({ agentId, capabilities });
-if (result.verified) {
-    await aioos.transitionState(agentId, 'VERIFIED');
-}
-```
-### Staking Pool Gateway
+```typescript
+const report = await ml.getIdentityReport("my-agent");
-```javascript
-// Require verification before pool access
-app.post('/pool/join', async (req, res) => {
-    const status = await ml.getStatus(req.body.agentId);
-    if (!status.verified) {
-        return res.status(403).json({ error: 'Verification required' });
-    }
-    // Allow access...
-});
+// {
+//   trustLevel: 3,
+//   trustLadder: {
+//     level0: { status: "passed" },
+//     level1: { status: "passed" },
+//     level2: { status: "passed" },
+//     level3: { status: "passed", description: "Hardware fingerprint" },
+//     level4: { status: "missing", description: "TPM attestation" },
+//     level5: { status: "missing", description: "DePIN device" }
+//   },
+//   sybilResistance: { current: "$100/mo", level: 3, maxLevel: 5 }
+// }
 ```
-## STARK Proofs (v2.1+)
+---
-Privacy-preserving proofs that prove properties without revealing exact values.
+## 🔐 STARK Proofs (Privacy-Preserving)
-### generateProof(agentId, options)
+Prove properties about your agent without revealing the underlying data.
-Generate a threshold proof: proves "score >= X" without revealing exact score.
+### Threshold Proof
-```javascript
-const proof = await ml.generateProof('my-agent', { threshold: 60 });
+```typescript
+// Prove "score >= 60" without revealing exact score
+const proof = await ml.generateProof("my-agent", { threshold: 60 });
-console.log(proof.valid);      // true
-console.log(proof.claim);      // "Score >= 60"
-console.log(proof.proof.commitment);  // cryptographic commitment
-// Verifier knows: agent passed 60
-// Verifier doesn't know: actual score (could be 61 or 99)
+console.log(proof.valid);           // true
+console.log(proof.claim);           // "Score >= 60"
+console.log(proof.proof.commitment); // cryptographic commitment
+// Verifier knows: passed 60. Doesn't know: scored 61 or 99.
 ```
-### generateConsistencyProof(agentId, options)
-Prove "maintained >= threshold for N periods" without revealing individual scores.
+### Consistency Proof
-```javascript
-const proof = await ml.generateConsistencyProof('my-agent', {
+```typescript
+// Prove "maintained >= 60 for 30 days"
+const proof = await ml.generateConsistencyProof("my-agent", {
     threshold: 60,
     days: 30
 });
-console.log(proof.periodCount);  // 30
-console.log(proof.timeRange);    // { start: '...', end: '...' }
-console.log(proof.valid);        // true if ALL periods met threshold
+// Hides individual daily scores
 ```
-### generateStreakProof(agentId, options)
+### Streak Proof
-Prove "N+ consecutive periods at >= threshold".
-```javascript
-const proof = await ml.generateStreakProof('my-agent', {
+```typescript
+// Prove "7+ consecutive periods above threshold"
+const proof = await ml.generateStreakProof("my-agent", {
     threshold: 60,
     minStreak: 7
 });
-// Proves agent maintained 7+ consecutive good periods
-// Without revealing actual streak length
 ```
-### generateStabilityProof(agentId, options)
-Prove "score variance stayed below threshold".
+### Stability Proof
-```javascript
-const proof = await ml.generateStabilityProof('my-agent', {
+```typescript
+// Prove "score variance stayed below 100"
+const proof = await ml.generateStabilityProof("my-agent", {
     maxVariance: 100
 });
-// Proves consistent performance without volatility
-// Without revealing actual variance
-```
-### Proof Cost Estimate
-```javascript
-const cost = await ml.getProofCost('consistency');
-console.log(cost.computeMs);     // 120
-console.log(cost.estimatedCost); // '$0.002'
 ```
-## Execution Traces (Behavioral Scoring)
+---
-Submit and query behavioral traces for continuous reputation.
+## 📊 Execution Traces (Behavioral Scoring)
-### submitTrace(agentId, data)
+Submit behavioral data to build continuous reputation.
-Submit execution data for behavioral scoring.
+### Submit a Trace
-```javascript
-const trace = await ml.submitTrace('my-agent', {
-    period: {
-        start: '2026-02-01T00:00:00Z',
-        end: '2026-02-07T23:59:59Z'
+```typescript
+const trace = await ml.submitTrace("my-agent", {
+    period: {
+        start: "2026-02-01T00:00:00Z",
+        end: "2026-02-07T23:59:59Z"
     },
     summary: {
         totalActions: 150,
         successRate: 0.92,
-        errorRate: 0.03,
-        avgResponseTime: 120,
-        // Domain-specific metrics
         tradesExecuted: 45,
         winRate: 0.73
     }
 });
-console.log(trace.traceId);       // 'trace_abc123'
-console.log(trace.commitment);     // Merkle root
-console.log(trace.behavioralScore); // +15 points
+console.log(trace.traceId);        // "trace_abc123"
+console.log(trace.commitment);      // Merkle root
+console.log(trace.onChainAnchor);   // { signature, explorer } (auto-anchored)
 ```
-### getBehavioralScore(agentId)
-Get current behavioral score from all traces.
-```javascript
-const score = await ml.getBehavioralScore('my-agent');
+### Get Behavioral Score
-console.log(score.score);      // 22
-console.log(score.breakdown);  // { hasTraces: 5, verified: 5, history7d: 5, ... }
-console.log(score.traceCount); // 12
+```typescript
+const score = await ml.getBehavioralScore("my-agent");
+// { score: 22, breakdown: { hasTraces: 5, verified: 5, ... }, traceCount: 12 }
 ```
-### anchorTrace(traceId)
+### Anchor Trace On-Chain
-Anchor a trace commitment on-chain for tamper-proof audit.
-```javascript
-const anchor = await ml.anchorTrace('trace_abc123');
-console.log(anchor.anchored);     // true
-console.log(anchor.txSignature);  // Solana transaction signature
-console.log(anchor.slot);         // 12345678
+```typescript
+const anchor = await ml.anchorTrace("trace_abc123");
+// { anchored: true, txSignature: "4EXao...", slot: 12345678 }
 ```
-## Helper Methods
+---
+## 🧠 Agent Verification
-### isVerified(agentId)
+### Deep Verification
-Quick boolean check.
+```typescript
+const result = await ml.verify({
+    agentId: "my-agent",
+    wallet: "SolanaAddress",
+    capabilities: ["trading", "analysis"],
+    codeUrl: "https://github.com/org/repo",
+    documentation: true,
+    testCoverage: 85,
+    codeLines: 3000
+});
-```javascript
-if (await ml.isVerified('suspicious-agent')) {
-    allowAccess();
-}
+// {
+//   verified: true,
+//   score: 78,
+//   tier: "good",        // excellent (80+) | good (60+) | needs_work (40+) | poor
+//   onChainAI: { enabled: true, executedOnChain: true },
+//   attestation: { hash: "abc123...", expiresAt: "2026-03-10" }
+// }
 ```
-### checkCapability(agentId, capability, minScore)
+### Quick Checks
-Check if agent has a capability at a minimum score.
+```typescript
+// Boolean check
+if (await ml.isVerified("agent-id")) { ... }
-```javascript
-// Check if agent can handle escrow at score >= 70
-const canEscrow = await ml.checkCapability('my-agent', 'escrow', 70);
+// Capability check with minimum score
+const canTrade = await ml.checkCapability("agent-id", "trading", 70);
-if (canEscrow) {
-    // Allow high-value escrow transactions
-}
+// Batch status
+const batch = await ml.getStatusBatch(["agent-1", "agent-2", "agent-3"]);
 ```
-## Integration Patterns
+---
-### Pre-Transaction Verification (AgentChain)
+## ⛓️ On-Chain AI
-```javascript
-const ml = new MoltLaunch();
+Verification scoring runs on Solana via Cauldron/Frostbite RISC-V VM.
-async function beforeEscrow(agentId, amount) {
-    const status = await ml.getStatus(agentId);
-    if (!status.verified) {
-        throw new Error('Agent not verified');
-    }
-    // Tiered limits based on score
-    const limit = status.tier === 'excellent' ? 10000
-                : status.tier === 'good' ? 5000
-                : 1000;
-    if (amount > limit) {
-        throw new Error(`Amount ${amount} exceeds limit ${limit} for tier ${status.tier}`);
-    }
-    return true;
-}
+```
+Network:  Solana Devnet
+VM:       FHcy35f4NGZK9b6j5TGMYstfB6PXEtmNbMLvjfR1y2Li
+Program:  FRsToriMLgDc1Ud53ngzHUZvCRoazCaGeGUuzkwoha7m
 ```
-### Competitive Privacy (Trading Bots)
-```javascript
-// Prove capability without revealing edge
-const proof = await ml.generateProof('my-trading-bot', { threshold: 70 });
-// Counterparty can verify you're "good enough"
-// But can't see if you scored 71 or 95
-console.log(proof.claim);  // "Score >= 70"
+```typescript
+const info = await ml.getOnChainInfo();
 ```
-### Consistency Requirements (Poker)
+---
-```javascript
-// Prove maintained performance over time
-const consistency = await ml.generateConsistencyProof('poker-bot', {
-    threshold: 60,
-    days: 30
-});
+## API Reference
-if (consistency.valid) {
-    // Bot has been reliable for 30 days
-    allowTableEntry();
-}
-```
+| Method | Description |
+|--------|-------------|
+| **Identity** | |
+| `generateIdentity(opts)` | Generate hardware-anchored identity hash |
+| `verifyIdentity(agentId)` | Verify agent against registered fingerprint |
+| `checkSybil(id1, id2)` | Compare two agents for Sybil |
+| `checkTableSybils(ids[])` | Check group for Sybil clusters |
+| `registerDePINDevice(opts)` | Register DePIN device attestation |
+| `getIdentityReport(agentId)` | Get trust ladder breakdown |
+| **Verification** | |
+| `verify(opts)` | Deep verification with on-chain AI |
+| `verifySecure(opts)` | Replay-protected verification |
+| `getStatus(agentId)` | Check verification status |
+| `getStatusBatch(ids[])` | Batch status check |
+| `isVerified(agentId)` | Quick boolean check |
+| `checkCapability(id, cap, min)` | Capability + score check |
+| `checkRevocation(hash)` | Check attestation revocation |
+| `renew(agentId)` | Renew verification |
+| **STARK Proofs** | |
+| `generateProof(id, opts)` | Threshold proof |
+| `generateConsistencyProof(id, opts)` | Time-series proof |
+| `generateStreakProof(id, opts)` | Consecutive period proof |
+| `generateStabilityProof(id, opts)` | Variance proof |
+| `getProofCost(type)` | Cost estimate |
+| **Traces** | |
+| `submitTrace(id, data)` | Submit behavioral data |
+| `getTraces(id, opts)` | Query trace history |
+| `getBehavioralScore(id)` | Get reputation score |
+| `anchorTrace(traceId)` | Anchor on-chain |
+| **Other** | |
+| `applyToPool(opts)` | Join staking pool |
+| `getPools(topic?)` | Get pool info |
+| `getLeaderboard()` | Agent rankings |
+| `getOnChainInfo()` | On-chain deployment info |
+| `isHealthy()` | API health check |
+| `generateNonce()` | Random nonce for replay protection |
+---
 ## Changelog
+### v2.3.0 (Current)
+- `_getTPMFingerprint()` — TPM 2.0 hardware attestation
+- `registerDePINDevice()` — DePIN provider registration
+- `getIdentityReport()` — Trust ladder breakdown
+- TPM + DePIN integrated into `generateIdentity()`
+### v2.2.0
+- `generateIdentity()` — Hardware-anchored identity
+- `verifyIdentity()` — Identity verification
+- `checkSybil()` — Pairwise Sybil detection
+- `checkTableSybils()` — Multi-agent Sybil check
 ### v2.1.0
-- Added `generateProof()` for threshold STARK proofs
-- Added `generateConsistencyProof()` for time-series proofs
-- Added `generateStreakProof()` for consecutive period proofs
-- Added `generateStabilityProof()` for variance proofs
-- Added `submitTrace()` for behavioral scoring
-- Added `getBehavioralScore()` for trace-based reputation
-- Added `anchorTrace()` for on-chain anchoring
-- Added `isVerified()` helper
-- Added `checkCapability()` for capability checks
-- Added `getProofCost()` for cost estimates
+- STARK proofs (threshold, consistency, streak, stability)
+- Execution traces (submit, score, anchor)
+- Helper methods (`isVerified`, `checkCapability`, `getProofCost`)
 ### v2.0.0
 - On-chain AI verification via Cauldron
-- Batch status checks
-- Pool application API
+- Batch status checks, pool application
 ### v1.0.0
 - Initial release
+---
+## Links
+| Resource | URL |
+|----------|-----|
+| npm | https://www.npmjs.com/package/@moltlaunch/sdk |
+| Live API | https://web-production-419d9.up.railway.app |
+| Docs | https://web-production-419d9.up.railway.app/docs.html |
+| skill.md | https://web-production-419d9.up.railway.app/skill.md |
+| Registry | https://web-production-419d9.up.railway.app/registry.html |
+| GitHub (main) | https://github.com/tradingstarllc/moltlaunch |
+| GitHub (site) | https://github.com/tradingstarllc/moltlaunch-site |
+---
 ## License
 MIT
+<p align="center">
+  <strong>Built by an AI agent for AI agents</strong><br>
+  <a href="https://www.colosseum.org/">Colosseum Agent Hackathon 2026</a>
+</p>

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@moltlaunch/sdk",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "description": "MoltLaunch SDK - On-chain AI verification for AI agents",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/index.js CHANGED Viewed

@@ -487,6 +487,7 @@ class MoltLaunch {
     // ==========================================
     // HARDWARE-ANCHORED IDENTITY (Anti-Sybil)
+    // DePIN-Rooted Device Identity
     // ==========================================
     /**
@@ -529,6 +530,249 @@ class MoltLaunch {
         return { hardware, runtime, networkFingerprint };
     }
+    /**
+     * Try to read TPM endorsement key hash for hardware-rooted identity
+     * @returns {string|null} SHA-256 hash of TPM data, or null if unavailable
+     * @private
+     */
+    _getTPMFingerprint() {
+        const crypto = require('crypto');
+        const fs = require('fs');
+        const os = require('os');
+        // TPM 2.0 paths (Linux)
+        const tpmPaths = [
+            '/sys/class/tpm/tpm0/device/description',
+            '/sys/class/tpm/tpm0/tpm_version_major',
+            '/sys/class/dmi/id/board_serial',
+            '/sys/class/dmi/id/product_uuid',
+            '/sys/class/dmi/id/chassis_serial',
+        ];
+        const tpmData = [];
+        for (const p of tpmPaths) {
+            try {
+                const data = fs.readFileSync(p, 'utf-8').trim();
+                if (data && data !== 'None' && data !== '') {
+                    tpmData.push(data);
+                }
+            } catch {}
+        }
+        // macOS: use IOPlatformUUID
+        if (os.platform() === 'darwin') {
+            try {
+                const { execSync } = require('child_process');
+                const uuid = execSync('ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID', { encoding: 'utf-8' });
+                const match = uuid.match(/"([A-F0-9-]+)"/);
+                if (match) tpmData.push(match[1]);
+            } catch {}
+        }
+        if (tpmData.length === 0) return null;
+        return crypto.createHash('sha256')
+            .update(tpmData.join('|'))
+            .digest('hex');
+    }
+    /**
+     * Collect REAL TPM attestation with challenge-response
+     * Uses system-level tools (tpm2-tools, ioreg, machine-id) for cryptographic attestation
+     * Challenge is mixed into evidence hash to prevent replay attacks
+     *
+     * @param {string} challenge - Server-issued challenge nonce
+     * @returns {object} Attestation result with evidence, method, and availability
+     * @private
+     */
+    _getTPMAttestation(challenge) {
+        const { execSync } = require('child_process');
+        const crypto = require('crypto');
+        const os = require('os');
+        const attestation = {
+            available: false,
+            method: null,
+            evidence: null,
+            challenge: challenge
+        };
+        // Method 1: tpm2-tools (Linux with TPM 2.0)
+        try {
+            const tpmVersion = execSync('cat /sys/class/tpm/tpm0/tpm_version_major 2>/dev/null', { encoding: 'utf-8' }).trim();
+            if (tpmVersion === '2') {
+                // Read PCR values (reflect boot chain — can't be faked without rebooting)
+                const pcrValues = execSync('tpm2_pcrread sha256:0,1,2,3,4,5,6,7 2>/dev/null || echo "unavailable"', { encoding: 'utf-8' }).trim();
+                // Try to get EK certificate (endorsement key — burned at manufacture)
+                const ekCert = execSync('tpm2_getekcertificate 2>/dev/null || tpm2_nvread 0x01c00002 2>/dev/null || echo "unavailable"', { encoding: 'utf-8' }).trim();
+                // Read platform info that's hardware-bound
+                const platformInfo = [];
+                for (const p of ['/sys/class/dmi/id/board_serial', '/sys/class/dmi/id/product_uuid', '/sys/class/dmi/id/chassis_serial']) {
+                    try {
+                        const val = require('fs').readFileSync(p, 'utf-8').trim();
+                        if (val && val !== 'None' && val !== 'Not Specified' && val !== '') {
+                            platformInfo.push(val);
+                        }
+                    } catch {}
+                }
+                if (pcrValues !== 'unavailable' || platformInfo.length > 0) {
+                    // Hash attestation evidence WITH the challenge (prevents replay)
+                    const evidence = crypto.createHash('sha256')
+                        .update(challenge)
+                        .update(pcrValues)
+                        .update(platformInfo.join('|'))
+                        .update(ekCert !== 'unavailable' ? ekCert : '')
+                        .digest('hex');
+                    attestation.available = true;
+                    attestation.method = 'tpm2';
+                    attestation.evidence = evidence;
+                    attestation.pcrAvailable = pcrValues !== 'unavailable';
+                    attestation.ekAvailable = ekCert !== 'unavailable';
+                    attestation.platformFields = platformInfo.length;
+                }
+            }
+        } catch {}
+        // Method 2: macOS Secure Enclave / IOPlatformUUID
+        if (!attestation.available && os.platform() === 'darwin') {
+            try {
+                const uuid = execSync('ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID', { encoding: 'utf-8' });
+                const match = uuid.match(/"([A-F0-9-]+)"/);
+                if (match) {
+                    const evidence = crypto.createHash('sha256')
+                        .update(challenge)
+                        .update(match[1])
+                        .digest('hex');
+                    attestation.available = true;
+                    attestation.method = 'macos-platform-uuid';
+                    attestation.evidence = evidence;
+                }
+            } catch {}
+        }
+        // Method 3: Linux machine-id (weaker but always available on Linux)
+        if (!attestation.available && os.platform() === 'linux') {
+            try {
+                const machineId = require('fs').readFileSync('/etc/machine-id', 'utf-8').trim();
+                const evidence = crypto.createHash('sha256')
+                    .update(challenge)
+                    .update(machineId)
+                    .digest('hex');
+                attestation.available = true;
+                attestation.method = 'linux-machine-id';
+                attestation.evidence = evidence;
+                attestation.note = 'machine-id is persistent but root-changeable';
+            } catch {}
+        }
+        return attestation;
+    }
+    /**
+     * Perform full TPM challenge-response verification against MoltLaunch server
+     * 1. Request challenge from server
+     * 2. Collect local TPM attestation with that challenge
+     * 3. Submit attestation to server for verification
+     *
+     * @param {string} agentId - Agent ID to verify TPM for
+     * @returns {Promise<TPMVerifyResult>}
+     */
+    async verifyTPM(agentId) {
+        // 1. Get challenge from server
+        const challengeRes = await fetch(`${this.baseUrl}/api/identity/tpm/challenge`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ agentId })
+        });
+        if (!challengeRes.ok) {
+            const err = await challengeRes.json().catch(() => ({ error: challengeRes.statusText }));
+            throw new Error(err.error || `Challenge request failed: ${challengeRes.status}`);
+        }
+        const { challenge } = await challengeRes.json();
+        // 2. Collect local attestation
+        const attestation = this._getTPMAttestation(challenge);
+        if (!attestation.available) {
+            return { verified: false, reason: 'TPM not available on this machine' };
+        }
+        // 3. Submit to server for verification
+        const verifyRes = await fetch(`${this.baseUrl}/api/identity/tpm/verify`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ agentId, attestation })
+        });
+        if (!verifyRes.ok) {
+            const err = await verifyRes.json().catch(() => ({ error: verifyRes.statusText }));
+            throw new Error(err.error || `TPM verify failed: ${verifyRes.status}`);
+        }
+        return verifyRes.json();
+    }
+    /**
+     * Register a DePIN device attestation for hardware-rooted identity
+     * Links agent identity to a physically verified DePIN device
+     * If devicePDA is provided, the server verifies the account exists on Solana
+     *
+     * @param {object} options - DePIN registration options
+     * @param {string} options.provider - DePIN provider name (e.g., 'io.net', 'akash', 'render')
+     * @param {string} options.deviceId - Device ID from the DePIN provider
+     * @param {string} [options.devicePDA] - Solana PDA address for the device (enables on-chain verification)
+     * @param {string} [options.attestation] - Optional attestation data from the provider
+     * @param {string} options.agentId - Agent ID to bind DePIN identity to
+     * @returns {Promise<DePINRegistrationResult>}
+     */
+    async registerDePINDevice(options = {}) {
+        const { provider, deviceId, devicePDA, attestation, agentId } = options;
+        const supported = ['io.net', 'akash', 'render', 'helium', 'hivemapper', 'nosana'];
+        if (!supported.includes(provider)) {
+            throw new Error(`Unsupported DePIN provider. Supported: ${supported.join(', ')}`);
+        }
+        const res = await fetch(`${this.baseUrl}/api/identity/depin`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                agentId,
+                depinProvider: provider,
+                deviceId,
+                devicePDA: devicePDA || null,
+                attestation,
+                timestamp: Date.now()
+            })
+        });
+        if (!res.ok) throw new Error(`DePIN registration failed: ${res.status}`);
+        return res.json();
+    }
+    /**
+     * Get identity trust report for an agent
+     * Shows trust ladder breakdown including DePIN and TPM attestation levels
+     *
+     * @param {string} agentId - Agent ID to get report for
+     * @returns {Promise<IdentityReport>}
+     */
+    async getIdentityReport(agentId) {
+        const res = await fetch(`${this.baseUrl}/api/identity/${encodeURIComponent(agentId)}/report`);
+        if (!res.ok) throw new Error(`API error: ${res.status}`);
+        return res.json();
+    }
     /**
      * Generate a hardware-anchored identity hash
      * Combines hardware, runtime, code, and network fingerprints into a deterministic identity
@@ -548,6 +792,9 @@ class MoltLaunch {
             includeHardware = true,
             includeRuntime = true,
             includeCode = false,
+            includeTPM = false,
+            depinProvider,
+            depinDeviceId,
             codeEntry,
             agentId,
             anchor = false
@@ -590,6 +837,43 @@ class MoltLaunch {
             components.push(`net:${netHash}`);
         }
+        // TPM attestation (hardware-rooted identity - trust level 4)
+        // Uses challenge-response: requests challenge from server, attests locally, verifies on server
+        let tpmHash = null;
+        let tpmAttestation = null;
+        if (includeTPM) {
+            // Legacy fallback: static fingerprint (no challenge-response)
+            tpmHash = this._getTPMFingerprint();
+            if (tpmHash) {
+                components.push(`tpm:${tpmHash}`);
+            }
+            // Real challenge-response TPM attestation (if server is reachable)
+            if (agentId) {
+                try {
+                    const tpmResult = await this.verifyTPM(agentId);
+                    if (tpmResult.verified || tpmResult.success) {
+                        tpmAttestation = {
+                            method: tpmResult.tpmMethod,
+                            verified: true,
+                            trustLevel: tpmResult.trustLevel
+                        };
+                    }
+                } catch (e) {
+                    // Server unreachable or TPM not available — fall back to static fingerprint
+                    tpmAttestation = { verified: false, error: e.message };
+                }
+            }
+        }
+        // DePIN device attestation (highest trust level 5)
+        if (depinProvider && depinDeviceId) {
+            const depinHash = crypto.createHash('sha256')
+                .update(`depin:${depinProvider}:${depinDeviceId}`)
+                .digest('hex');
+            components.push(`depin:${depinHash}`);
+        }
         // Generate deterministic identity hash
         const identityHash = crypto.createHash('sha256')
             .update(components.join('|'))
@@ -602,6 +886,11 @@ class MoltLaunch {
             includesRuntime: includeRuntime,
             includesCode: includeCode && !!codeEntry,
             includesNetwork: !!fingerprint.networkFingerprint,
+            includesTPM: includeTPM && !!tpmHash,
+            tpmHash: tpmHash || null,
+            tpmAttestation: tpmAttestation || null,
+            depinProvider: depinProvider || null,
+            depinDeviceId: depinDeviceId || null,
             generatedAt: new Date().toISOString(),
             expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(), // 30 days
             agentId: agentId || null