@reclaimprotocol/attestor-core 4.0.3 → 5.0.1-beta.10

package/lib/scripts/start-server.js

@@ -1,13 +1,11 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const apm_1 = require("../server/utils/apm");
-require("../server/utils/config-env");
-(0, apm_1.getApm)();
-function main() {
-    // importing dynamically to allow APM to inject
-    // into modules before they are used
-    const { createServer } = require('../server/create-server');
-    return createServer();
+import "../server/utils/config-env.js";
+import { setCryptoImplementation } from "@reclaimprotocol/tls";
+import { webcryptoCrypto } from "@reclaimprotocol/tls/webcrypto";
+import { getApm } from "../server/utils/apm.js";
+getApm();
+setCryptoImplementation(webcryptoCrypto);
+async function main() {
+  const { createServer } = await import("../server/index.js");
+  return createServer();
 }
 main();
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3RhcnQtc2VydmVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3NjcmlwdHMvc3RhcnQtc2VydmVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEsOENBQTZDO0FBQzdDLHVDQUFvQztBQUNwQyxJQUFBLFlBQU0sR0FBRSxDQUFBO0FBRVIsU0FBUyxJQUFJO0lBQ1osK0NBQStDO0lBQy9DLG9DQUFvQztJQUNwQyxNQUFNLEVBQUUsWUFBWSxFQUFFLEdBQUcsT0FBTyxDQUFDLHlCQUF5QixDQUFDLENBQUE7SUFDM0QsT0FBTyxZQUFZLEVBQUUsQ0FBQTtBQUN0QixDQUFDO0FBRUQsSUFBSSxFQUFFLENBQUEifQ==

package/lib/scripts/update-avs-metadata.d.ts

@@ -1 +1 @@
-import '../server/utils/config-env';
+import 'src/server/utils/config-env';

package/lib/scripts/update-avs-metadata.js

@@ -1,22 +1,20 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-// eslint-disable-next-line simple-import-sort/imports
-require("../server/utils/config-env");
-const contracts_1 = require("../avs/utils/contracts");
-const utils_1 = require("../scripts/utils");
+import "src/server/utils/config-env";
+import { getContracts } from "../avs/utils/contracts.js";
+import { getCliArgument } from "../scripts/utils.js";
 async function main() {
-    const { contract } = (0, contracts_1.getContracts)();
-    const minSignaturesPerTask = (0, utils_1.getCliArgument)('minSignaturesPerTask');
-    if (!minSignaturesPerTask) {
-        throw new Error('Provide operator address via --minSignaturesPerTask <num>');
-    }
-    const tx = await contract.updateTaskCreationMetadata({
-        minSignaturesPerTask: +(minSignaturesPerTask || 0),
-        maxTaskCreationDelayS: 0,
-        maxTaskLifetimeS: 0,
-    });
-    await tx.wait();
-    console.log('Updated task creation metadata');
+  const { contract } = getContracts();
+  const minSignaturesPerTask = getCliArgument("minSignaturesPerTask");
+  if (!minSignaturesPerTask) {
+    throw new Error(
+      "Provide operator address via --minSignaturesPerTask <num>"
+    );
+  }
+  const tx = await contract.updateTaskCreationMetadata({
+    minSignaturesPerTask: +(minSignaturesPerTask || 0),
+    maxTaskCreationDelayS: 0,
+    maxTaskLifetimeS: 0
+  });
+  await tx.wait();
+  console.log("Updated task creation metadata");
 }
 void main();
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidXBkYXRlLWF2cy1tZXRhZGF0YS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9zY3JpcHRzL3VwZGF0ZS1hdnMtbWV0YWRhdGEudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFBQSxzREFBc0Q7QUFDdEQsdUNBQW9DO0FBQ3BDLHVEQUFzRDtBQUN0RCw2Q0FBa0Q7QUFFbEQsS0FBSyxVQUFVLElBQUk7SUFDbEIsTUFBTSxFQUFFLFFBQVEsRUFBRSxHQUFHLElBQUEsd0JBQVksR0FBRSxDQUFBO0lBRW5DLE1BQU0sb0JBQW9CLEdBQUcsSUFBQSxzQkFBYyxFQUFDLHNCQUFzQixDQUFDLENBQUE7SUFDbkUsSUFBRyxDQUFDLG9CQUFvQixFQUFFLENBQUM7UUFDMUIsTUFBTSxJQUFJLEtBQUssQ0FDZCwyREFBMkQsQ0FDM0QsQ0FBQTtJQUNGLENBQUM7SUFFRCxNQUFNLEVBQUUsR0FBRyxNQUFNLFFBQVEsQ0FBQywwQkFBMEIsQ0FBQztRQUNwRCxvQkFBb0IsRUFBRSxDQUFDLENBQUMsb0JBQW9CLElBQUksQ0FBQyxDQUFDO1FBQ2xELHFCQUFxQixFQUFFLENBQUM7UUFDeEIsZ0JBQWdCLEVBQUUsQ0FBQztLQUNuQixDQUFDLENBQUE7SUFDRixNQUFNLEVBQUUsQ0FBQyxJQUFJLEVBQUUsQ0FBQTtJQUVmLE9BQU8sQ0FBQyxHQUFHLENBQUMsZ0NBQWdDLENBQUMsQ0FBQTtBQUM5QyxDQUFDO0FBRUQsS0FBSyxJQUFJLEVBQUUsQ0FBQSJ9

package/lib/scripts/utils.js

@@ -1,11 +1,10 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getCliArgument = getCliArgument;
 function getCliArgument(arg) {
-    const index = process.argv.indexOf(`--${arg}`);
-    if (index === -1) {
-        return undefined;
-    }
-    return process.argv[index + 1];
+  const index = process.argv.indexOf(`--${arg}`);
+  if (index === -1) {
+    return void 0;
+  }
+  return process.argv[index + 1];
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidXRpbHMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvc2NyaXB0cy91dGlscy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLHdDQU9DO0FBUEQsU0FBZ0IsY0FBYyxDQUFDLEdBQVc7SUFDekMsTUFBTSxLQUFLLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsS0FBSyxHQUFHLEVBQUUsQ0FBQyxDQUFBO0lBQzlDLElBQUcsS0FBSyxLQUFLLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDakIsT0FBTyxTQUFTLENBQUE7SUFDakIsQ0FBQztJQUVELE9BQU8sT0FBTyxDQUFDLElBQUksQ0FBQyxLQUFLLEdBQUcsQ0FBQyxDQUFDLENBQUE7QUFDL0IsQ0FBQyJ9
+export {
+  getCliArgument
+};

package/lib/scripts/whitelist-operator.d.ts

@@ -1 +1 @@
-import '../server/utils/config-env';
+import 'src/server/utils/config-env';

package/lib/scripts/whitelist-operator.js

@@ -1,18 +1,16 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-// eslint-disable-next-line simple-import-sort/imports
-require("../server/utils/config-env");
-const contracts_1 = require("../avs/utils/contracts");
-const utils_1 = require("../scripts/utils");
+import "src/server/utils/config-env";
+import { getContracts } from "../avs/utils/contracts.js";
+import { getCliArgument } from "../scripts/utils.js";
 async function main() {
-    const { contract } = (0, contracts_1.getContracts)();
-    const address = (0, utils_1.getCliArgument)('address');
-    if (!address) {
-        throw new Error('Provide operator address via --address <addr>');
-    }
-    const tx = await contract.whitelistAddressAsOperator(address, true);
-    await tx.wait();
-    console.log('Whitelisted address:', address);
+  const { contract } = getContracts();
+  const address = getCliArgument("address");
+  if (!address) {
+    throw new Error(
+      "Provide operator address via --address <addr>"
+    );
+  }
+  const tx = await contract.whitelistAddressAsOperator(address, true);
+  await tx.wait();
+  console.log("Whitelisted address:", address);
 }
 void main();
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoid2hpdGVsaXN0LW9wZXJhdG9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3NjcmlwdHMvd2hpdGVsaXN0LW9wZXJhdG9yLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEsc0RBQXNEO0FBQ3RELHVDQUFvQztBQUNwQyx1REFBc0Q7QUFDdEQsNkNBQWtEO0FBRWxELEtBQUssVUFBVSxJQUFJO0lBQ2xCLE1BQU0sRUFBRSxRQUFRLEVBQUUsR0FBRyxJQUFBLHdCQUFZLEdBQUUsQ0FBQTtJQUVuQyxNQUFNLE9BQU8sR0FBRyxJQUFBLHNCQUFjLEVBQUMsU0FBUyxDQUFDLENBQUE7SUFDekMsSUFBRyxDQUFDLE9BQU8sRUFBRSxDQUFDO1FBQ2IsTUFBTSxJQUFJLEtBQUssQ0FDZCwrQ0FBK0MsQ0FDL0MsQ0FBQTtJQUNGLENBQUM7SUFFRCxNQUFNLEVBQUUsR0FBRyxNQUFNLFFBQVEsQ0FBQywwQkFBMEIsQ0FBQyxPQUFPLEVBQUUsSUFBSSxDQUFDLENBQUE7SUFDbkUsTUFBTSxFQUFFLENBQUMsSUFBSSxFQUFFLENBQUE7SUFFZixPQUFPLENBQUMsR0FBRyxDQUFDLHNCQUFzQixFQUFFLE9BQU8sQ0FBQyxDQUFBO0FBQzdDLENBQUM7QUFFRCxLQUFLLElBQUksRUFBRSxDQUFBIn0=

package/lib/server/create-server.d.ts

@@ -1,7 +1,8 @@
-import { IncomingMessage } from 'http';
+import type { IncomingMessage } from 'http';
+import type { WebSocket } from 'ws';
 /**
  * Creates the WebSocket API server,
  * creates a fileserver to serve the browser RPC client,
  * and listens on the given port.
  */
-export declare function createServer(port?: number): Promise<import("ws").Server<typeof import("ws"), typeof IncomingMessage>>;
+export declare function createServer(port?: number): Promise<import("ws").Server<typeof WebSocket, typeof IncomingMessage>>;

package/lib/server/create-server.js

@@ -1,92 +1,105 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createServer = createServer;
-const http_1 = require("http");
-const serve_static_1 = __importDefault(require("serve-static"));
-const config_1 = require("../config");
-const socket_1 = require("../server/socket");
-const generics_1 = require("../server/utils/generics");
-const keep_alive_1 = require("../server/utils/keep-alive");
-const utils_1 = require("../utils");
-const bgp_listener_1 = require("../utils/bgp-listener");
-const env_1 = require("../utils/env");
-const signatures_1 = require("../utils/signatures");
-const ws_1 = require("../utils/ws");
-const ws_2 = require("ws");
-const PORT = +((0, env_1.getEnvVariable)('PORT') || config_1.API_SERVER_PORT);
-const DISABLE_BGP_CHECKS = (0, env_1.getEnvVariable)('DISABLE_BGP_CHECKS') === '1';
-/**
- * Creates the WebSocket API server,
- * creates a fileserver to serve the browser RPC client,
- * and listens on the given port.
- */
+import { createServer as createHttpServer } from "http";
+import serveStatic from "serve-static";
+import { WebSocketServer } from "ws";
+import { API_SERVER_PORT, ATTESTOR_ADDRESS_PATHNAME, BROWSER_RPC_PATHNAME, WS_PATHNAME } from "../config/index.js";
+import { AttestorServerSocket } from "../server/socket.js";
+import { getAttestorAddress } from "../server/utils/generics.js";
+import { addKeepAlive } from "../server/utils/keep-alive.js";
+import { createBgpListener } from "../utils/bgp-listener.js";
+import { getEnvVariable } from "../utils/env.js";
+import { logger as LOGGER } from "../utils/index.js";
+import { SelectedServiceSignatureType } from "../utils/signatures/index.js";
+import { promisifySend } from "../utils/ws.js";
+const PORT = +(getEnvVariable("PORT") || API_SERVER_PORT);
+const DISABLE_BGP_CHECKS = getEnvVariable("DISABLE_BGP_CHECKS") === "1";
+const ATTESTOR_ADDRESS_JSON_RES = JSON.stringify({
+  address: getAttestorAddress(SelectedServiceSignatureType),
+  signatureType: SelectedServiceSignatureType
+});
 async function createServer(port = PORT) {
-    const http = (0, http_1.createServer)();
-    const serveBrowserRpc = (0, serve_static_1.default)('browser', { index: ['index.html'] });
-    const bgpListener = !DISABLE_BGP_CHECKS
-        ? (0, bgp_listener_1.createBgpListener)(utils_1.logger.child({ service: 'bgp-listener' }))
-        : undefined;
-    const wss = new ws_2.WebSocketServer({ noServer: true });
-    http.on('upgrade', handleUpgrade.bind(wss));
-    http.on('request', (req, res) => {
-        var _a;
-        // simple way to serve files at the browser RPC path
-        if (!((_a = req.url) === null || _a === void 0 ? void 0 : _a.startsWith(config_1.BROWSER_RPC_PATHNAME))) {
-            res.statusCode = 404;
-            res.end('Not found');
-            return;
-        }
-        req.url = req.url.slice(config_1.BROWSER_RPC_PATHNAME.length) || '/';
-        serveBrowserRpc(req, res, (err) => {
-            var _a, _b;
-            if (err) {
-                utils_1.logger.error({ err, url: req.url }, 'Failed to serve file');
-            }
-            res.statusCode = (_a = err === null || err === void 0 ? void 0 : err.statusCode) !== null && _a !== void 0 ? _a : 404;
-            res.end((_b = err === null || err === void 0 ? void 0 : err.message) !== null && _b !== void 0 ? _b : 'Not found');
-        });
-    });
-    // wait for us to start listening
-    http.listen(port);
-    await new Promise((resolve, reject) => {
-        http.once('listening', () => resolve());
-        http.once('error', reject);
+  const http = createHttpServer();
+  const serveBrowserRpc = serveStatic(
+    "browser",
+    {
+      index: ["index.html"],
+      setHeaders(res) {
+        res.setHeader("Access-Control-Allow-Origin", "*");
+      }
+    }
+  );
+  const bgpListener = !DISABLE_BGP_CHECKS ? createBgpListener(LOGGER.child({ service: "bgp-listener" })) : void 0;
+  const wss = new WebSocketServer({ noServer: true });
+  http.on("upgrade", handleUpgrade.bind(wss));
+  http.on("request", (req, res) => {
+    const url = URL.parse(req.url || "", "http://localhost");
+    if (!url) {
+      res.statusCode = 422;
+      res.end("Invalid URL");
+      return;
+    }
+    if (url.pathname === ATTESTOR_ADDRESS_PATHNAME) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(ATTESTOR_ADDRESS_JSON_RES);
+      return;
+    }
+    if (!url.pathname?.startsWith(BROWSER_RPC_PATHNAME)) {
+      res.statusCode = 404;
+      res.end("Not found");
+      return;
+    }
+    req.url = req.url.slice(BROWSER_RPC_PATHNAME.length) || "/";
+    serveBrowserRpc(req, res, (err) => {
+      if (err) {
+        LOGGER.error({ err, url: req.url }, "Failed to serve file");
+      }
+      res.statusCode = err?.statusCode ?? 404;
+      res.end(err?.message ?? "Not found");
     });
-    wss.on('connection', (ws, req) => handleNewClient(ws, req, bgpListener));
-    utils_1.logger.info({
-        port,
-        apiPath: config_1.WS_PATHNAME,
-        browserRpcPath: config_1.BROWSER_RPC_PATHNAME,
-        signerAddress: (0, generics_1.getAttestorAddress)(signatures_1.SelectedServiceSignatureType)
-    }, 'WS server listening');
-    const wssClose = wss.close.bind(wss);
-    wss.close = (cb) => {
-        wssClose(() => http.close(cb));
-        bgpListener === null || bgpListener === void 0 ? void 0 : bgpListener.close();
-    };
-    return wss;
+  });
+  http.listen(port);
+  await new Promise((resolve, reject) => {
+    http.once("listening", () => resolve());
+    http.once("error", reject);
+  });
+  wss.on("connection", (ws, req) => handleNewClient(ws, req, bgpListener));
+  LOGGER.info(
+    {
+      port,
+      apiPath: WS_PATHNAME,
+      browserRpcPath: BROWSER_RPC_PATHNAME,
+      signerAddress: getAttestorAddress(SelectedServiceSignatureType)
+    },
+    "WS server listening"
+  );
+  const wssClose = wss.close.bind(wss);
+  wss.close = (cb) => {
+    wssClose(() => http.close(cb));
+    bgpListener?.close();
+  };
+  return wss;
 }
 async function handleNewClient(ws, req, bgpListener) {
-    (0, ws_1.promisifySend)(ws);
-    const client = await socket_1.AttestorServerSocket.acceptConnection(ws, { req, bgpListener, logger: utils_1.logger });
-    // if initialisation fails, don't store the client
-    if (!client) {
-        return;
-    }
-    ws.serverSocket = client;
-    (0, keep_alive_1.addKeepAlive)(ws, utils_1.logger.child({ sessionId: client.sessionId }));
+  promisifySend(ws);
+  const client = await AttestorServerSocket.acceptConnection(
+    ws,
+    { req, bgpListener, logger: LOGGER }
+  );
+  if (!client) {
+    return;
+  }
+  ws.serverSocket = client;
+  addKeepAlive(ws, LOGGER.child({ sessionId: client.sessionId }));
 }
 function handleUpgrade(request, socket, head) {
-    const { pathname } = new URL(request.url, 'wss://base.url');
-    if (pathname === config_1.WS_PATHNAME) {
-        this.handleUpgrade(request, socket, head, (ws) => {
-            this.emit('connection', ws, request);
-        });
-        return;
-    }
-    socket.destroy();
+  const { pathname } = new URL(request.url, "wss://base.url");
+  if (pathname === WS_PATHNAME) {
+    this.handleUpgrade(request, socket, head, (ws) => {
+      this.emit("connection", ws, request);
+    });
+    return;
+  }
+  socket.destroy();
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3JlYXRlLXNlcnZlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9zZXJ2ZXIvY3JlYXRlLXNlcnZlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQXVCQSxvQ0ErREM7QUF0RkQsK0JBQXdFO0FBQ3hFLGdFQUFzQztBQUN0Qyx1Q0FBK0U7QUFDL0UsOENBQXdEO0FBQ3hELHdEQUE4RDtBQUM5RCw0REFBMEQ7QUFFMUQscUNBQTRDO0FBQzVDLHlEQUEwRDtBQUMxRCx1Q0FBOEM7QUFDOUMscURBQW1FO0FBQ25FLHFDQUE0QztBQUU1QywyQkFBK0M7QUFFL0MsTUFBTSxJQUFJLEdBQUcsQ0FBQyxDQUFDLElBQUEsb0JBQWMsRUFBQyxNQUFNLENBQUMsSUFBSSx3QkFBZSxDQUFDLENBQUE7QUFDekQsTUFBTSxrQkFBa0IsR0FBRyxJQUFBLG9CQUFjLEVBQUMsb0JBQW9CLENBQUMsS0FBSyxHQUFHLENBQUE7QUFFdkU7Ozs7R0FJRztBQUNJLEtBQUssVUFBVSxZQUFZLENBQUMsSUFBSSxHQUFHLElBQUk7SUFDN0MsTUFBTSxJQUFJLEdBQUcsSUFBQSxtQkFBZ0IsR0FBRSxDQUFBO0lBQy9CLE1BQU0sZUFBZSxHQUFHLElBQUEsc0JBQVcsRUFDbEMsU0FBUyxFQUNULEVBQUUsS0FBSyxFQUFFLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FDekIsQ0FBQTtJQUNELE1BQU0sV0FBVyxHQUFHLENBQUMsa0JBQWtCO1FBQ3RDLENBQUMsQ0FBQyxJQUFBLGdDQUFpQixFQUFDLGNBQU0sQ0FBQyxLQUFLLENBQUMsRUFBRSxPQUFPLEVBQUUsY0FBYyxFQUFFLENBQUMsQ0FBQztRQUM5RCxDQUFDLENBQUMsU0FBUyxDQUFBO0lBRVosTUFBTSxHQUFHLEdBQUcsSUFBSSxvQkFBZSxDQUFDLEVBQUUsUUFBUSxFQUFFLElBQUksRUFBRSxDQUFDLENBQUE7SUFDbkQsSUFBSSxDQUFDLEVBQUUsQ0FBQyxTQUFTLEVBQUUsYUFBYSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFBO0lBQzNDLElBQUksQ0FBQyxFQUFFLENBQUMsU0FBUyxFQUFFLENBQUMsR0FBRyxFQUFFLEdBQUcsRUFBRSxFQUFFOztRQUMvQixvREFBb0Q7UUFDcEQsSUFBRyxDQUFDLENBQUEsTUFBQSxHQUFHLENBQUMsR0FBRywwQ0FBRSxVQUFVLENBQUMsNkJBQW9CLENBQUMsQ0FBQSxFQUFFLENBQUM7WUFDL0MsR0FBRyxDQUFDLFVBQVUsR0FBRyxHQUFHLENBQUE7WUFDcEIsR0FBRyxDQUFDLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQTtZQUNwQixPQUFNO1FBQ1AsQ0FBQztRQUVELEdBQUcsQ0FBQyxHQUFHLEdBQUcsR0FBRyxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsNkJBQW9CLENBQUMsTUFBTSxDQUFDLElBQUksR0FBRyxDQUFBO1FBRTNELGVBQWUsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLENBQUMsR0FBRyxFQUFFLEVBQUU7O1lBQ2pDLElBQUcsR0FBRyxFQUFFLENBQUM7Z0JBQ1IsY0FBTSxDQUFDLEtBQUssQ0FDWCxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxDQUFDLEdBQUcsRUFBRSxFQUNyQixzQkFBc0IsQ0FDdEIsQ0FBQTtZQUNGLENBQUM7WUFFRCxHQUFHLENBQUMsVUFBVSxHQUFHLE1BQUEsR0FBRyxhQUFILEdBQUcsdUJBQUgsR0FBRyxDQUFFLFVBQVUsbUNBQUksR0FBRyxDQUFBO1lBQ3ZDLEdBQUcsQ0FBQyxHQUFHLENBQUMsTUFBQSxHQUFHLGFBQUgsR0FBRyx1QkFBSCxHQUFHLENBQUUsT0FBTyxtQ0FBSSxXQUFXLENBQUMsQ0FBQTtRQUNyQyxDQUFDLENBQUMsQ0FBQTtJQUNILENBQUMsQ0FBQyxDQUFBO0lBRUYsaUNBQWlDO0lBQ2pDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLENBQUE7SUFDakIsTUFBTSxJQUFJLE9BQU8sQ0FBTyxDQUFDLE9BQU8sRUFBRSxNQUFNLEVBQUUsRUFBRTtRQUMzQyxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxHQUFHLEVBQUUsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFBO1FBQ3ZDLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTyxFQUFFLE1BQU0sQ0FBQyxDQUFBO0lBQzNCLENBQUMsQ0FBQyxDQUFBO0lBRUYsR0FBRyxDQUFDLEVBQUUsQ0FBQyxZQUFZLEVBQUUsQ0FBQyxFQUFFLEVBQUUsR0FBRyxFQUFFLEVBQUUsQ0FBQyxlQUFlLENBQUMsRUFBRSxFQUFFLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFBO0lBRXhFLGNBQU0sQ0FBQyxJQUFJLENBQ1Y7UUFDQyxJQUFJO1FBQ0osT0FBTyxFQUFFLG9CQUFXO1FBQ3BCLGNBQWMsRUFBRSw2QkFBb0I7UUFDcEMsYUFBYSxFQUFFLElBQUEsNkJBQWtCLEVBQ2hDLHlDQUE0QixDQUM1QjtLQUNELEVBQ0QscUJBQXFCLENBQ3JCLENBQUE7SUFFRCxNQUFNLFFBQVEsR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQTtJQUNwQyxHQUFHLENBQUMsS0FBSyxHQUFHLENBQUMsRUFBRSxFQUFFLEVBQUU7UUFDbEIsUUFBUSxDQUFDLEdBQUcsRUFBRSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQTtRQUM5QixXQUFXLGFBQVgsV0FBVyx1QkFBWCxXQUFXLENBQUUsS0FBSyxFQUFFLENBQUE7SUFDckIsQ0FBQyxDQUFBO0lBRUQsT0FBTyxHQUFHLENBQUE7QUFDWCxDQUFDO0FBRUQsS0FBSyxVQUFVLGVBQWUsQ0FDN0IsRUFBYSxFQUNiLEdBQW9CLEVBQ3BCLFdBQW9DO0lBRXBDLElBQUEsa0JBQWEsRUFBQyxFQUFFLENBQUMsQ0FBQTtJQUNqQixNQUFNLE1BQU0sR0FBRyxNQUFNLDZCQUFvQixDQUFDLGdCQUFnQixDQUN6RCxFQUFFLEVBQ0YsRUFBRSxHQUFHLEVBQUUsV0FBVyxFQUFFLE1BQU0sRUFBRSxjQUFNLEVBQUUsQ0FDcEMsQ0FBQTtJQUNELGtEQUFrRDtJQUNsRCxJQUFHLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDWixPQUFNO0lBQ1AsQ0FBQztJQUVELEVBQUUsQ0FBQyxZQUFZLEdBQUcsTUFBTSxDQUFBO0lBQ3hCLElBQUEseUJBQVksRUFBQyxFQUFFLEVBQUUsY0FBTSxDQUFDLEtBQUssQ0FBQyxFQUFFLFNBQVMsRUFBRSxNQUFNLENBQUMsU0FBUyxFQUFFLENBQUMsQ0FBQyxDQUFBO0FBQ2hFLENBQUM7QUFFRCxTQUFTLGFBQWEsQ0FFckIsT0FBd0IsRUFDeEIsTUFBYyxFQUNkLElBQVk7SUFFWixNQUFNLEVBQUUsUUFBUSxFQUFFLEdBQUcsSUFBSSxHQUFHLENBQUMsT0FBTyxDQUFDLEdBQUksRUFBRSxnQkFBZ0IsQ0FBQyxDQUFBO0lBRTVELElBQUcsUUFBUSxLQUFLLG9CQUFXLEVBQUUsQ0FBQztRQUM3QixJQUFJLENBQUMsYUFBYSxDQUFDLE9BQU8sRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLENBQUMsRUFBRSxFQUFFLEVBQUU7WUFDaEQsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsRUFBRSxFQUFFLE9BQU8sQ0FBQyxDQUFBO1FBQ3JDLENBQUMsQ0FBQyxDQUFBO1FBQ0YsT0FBTTtJQUNQLENBQUM7SUFFRCxNQUFNLENBQUMsT0FBTyxFQUFFLENBQUE7QUFDakIsQ0FBQyJ9
+export {
+  createServer
+};

package/lib/server/handlers/claimTeeBundle.d.ts

@@ -0,0 +1,6 @@
+/**
+ * TEE Bundle Claim Handler
+ * Handles ClaimTeeBundleRequest by verifying TEE attestations and reconstructing TLS transcript
+ */
+import type { RPCHandler } from '#src/types/index.ts';
+export declare const claimTeeBundle: RPCHandler<'claimTeeBundle'>;

package/lib/server/handlers/claimTeeBundle.js

@@ -0,0 +1,232 @@
+import { ClaimTeeBundleResponse } from "../../proto/api.js";
+import { VerificationBundle } from "../../proto/tee-bundle.js";
+import { substituteParamValues } from "../../providers/http/index.js";
+import { assertValidProviderTranscript } from "../../server/utils/assert-valid-claim-request.js";
+import { getAttestorAddress, niceParseJsonObject, signAsAttestor } from "../../server/utils/generics.js";
+import { verifyOprfMpcOutputs } from "../../server/utils/tee-oprf-mpc-verification.js";
+import { verifyOprfProofs } from "../../server/utils/tee-oprf-verification.js";
+import { reconstructTlsTranscript } from "../../server/utils/tee-transcript-reconstruction.js";
+import { verifyTeeBundle } from "../../server/utils/tee-verification.js";
+import { AttestorError } from "../../utils/error.js";
+import { createSignDataForClaim, getIdentifierFromClaimInfo } from "../../utils/index.js";
+const claimTeeBundle = async (teeBundleRequest, { logger, client }) => {
+  const {
+    verificationBundle,
+    data
+  } = teeBundleRequest;
+  const res = ClaimTeeBundleResponse.create({ request: teeBundleRequest });
+  logger.info("Starting TEE bundle verification");
+  const teeData = await verifyTeeBundle(verificationBundle, logger);
+  const timestampS = Math.floor(teeData.kOutputPayload.timestampMs / 1e3);
+  logger.info("Verifying OPRF proofs");
+  const bundle = VerificationBundle.decode(verificationBundle);
+  const zkOprfResults = await verifyOprfProofs(
+    { ...teeData, oprfVerifications: bundle.oprfVerifications },
+    logger
+  );
+  logger.info("Verifying OPRF MPC outputs");
+  const oprfMpcResults = verifyOprfMpcOutputs(
+    teeData.kOutputPayload,
+    teeData.tOutputPayload,
+    logger
+  );
+  const allOprfResults = validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger);
+  logger.info("Starting TLS transcript reconstruction with OPRF replacements");
+  const transcriptData = await reconstructTlsTranscript(teeData, logger, allOprfResults);
+  logger.info("Creating plaintext transcript from TEE data");
+  const plaintextTranscript = createPlaintextTranscriptFromTeeData(transcriptData, logger);
+  logger.info("Running direct provider validation on TEE reconstructed data");
+  if (!data) {
+    throw new AttestorError("ERROR_INVALID_CLAIM", "No claim data provided in TEE bundle request");
+  }
+  const validatedClaim = await validateTeeProviderReceipt(
+    plaintextTranscript,
+    data,
+    logger,
+    { version: client.metadata.clientVersion },
+    transcriptData.certificateInfo
+  );
+  const ctx = niceParseJsonObject(validatedClaim.context, "context");
+  ctx.pcr0_k = teeData.teekPcr0;
+  ctx.pcr0_t = teeData.teetPcr0;
+  ctx.tee_session_id = teeData.teeSessionId;
+  validatedClaim.context = JSON.stringify(ctx);
+  res.claim = {
+    ...validatedClaim,
+    identifier: getIdentifierFromClaimInfo(validatedClaim),
+    // Use timestampS from TEE_K bundle for claim signing
+    timestampS,
+    // hardcode for compatibility with V1 claims
+    epoch: 1
+  };
+  logger.info({ claim: res.claim }, "TEE bundle claim validation successful");
+  res.signatures = {
+    attestorAddress: getAttestorAddress(
+      client.metadata.signatureType
+    ),
+    claimSignature: res.claim ? await signAsAttestor(
+      createSignDataForClaim(res.claim),
+      client.metadata.signatureType
+    ) : new Uint8Array(),
+    resultSignature: await signAsAttestor(
+      ClaimTeeBundleResponse.encode(res).finish(),
+      client.metadata.signatureType
+    )
+  };
+  logger.info("TEE bundle claim processing completed");
+  return res;
+};
+function createPlaintextTranscriptFromTeeData(transcriptData, logger) {
+  const transcript = [];
+  if (transcriptData.revealedRequest && transcriptData.revealedRequest.length > 0) {
+    transcript.push({
+      sender: "client",
+      message: transcriptData.revealedRequest
+    });
+    logger.debug("Added TEE revealed request to plaintext transcript", {
+      length: transcriptData.revealedRequest.length
+    });
+  }
+  if (transcriptData.reconstructedResponse && transcriptData.reconstructedResponse.length > 0) {
+    transcript.push({
+      sender: "server",
+      message: transcriptData.reconstructedResponse
+    });
+    logger.debug("Added TEE consolidated response to plaintext transcript", {
+      length: transcriptData.reconstructedResponse.length
+    });
+  }
+  if (transcriptData.certificateInfo) {
+    logger.info("Certificate information available for validation", {
+      commonName: transcriptData.certificateInfo.commonName,
+      issuerCommonName: transcriptData.certificateInfo.issuerCommonName,
+      dnsNames: transcriptData.certificateInfo.dnsNames,
+      notBefore: new Date(transcriptData.certificateInfo.notBeforeUnix * 1e3).toISOString(),
+      notAfter: new Date(transcriptData.certificateInfo.notAfterUnix * 1e3).toISOString()
+    });
+  }
+  logger.info("Created plaintext transcript from TEE data", {
+    totalMessages: transcript.length,
+    hasRequest: !!transcriptData.revealedRequest?.length,
+    hasResponse: !!transcriptData.reconstructedResponse?.length,
+    hasCertificateInfo: !!transcriptData.certificateInfo
+  });
+  return transcript;
+}
+async function validateTeeProviderReceipt(plaintextTranscript, claimInfo, logger, providerCtx, certificateInfo) {
+  logger.info("Starting direct TEE provider validation", {
+    provider: claimInfo.provider,
+    transcriptMessages: plaintextTranscript.length,
+    hasCertificateInfo: !!certificateInfo
+  });
+  if (certificateInfo) {
+    validateTlsCertificate(claimInfo, certificateInfo, logger);
+  }
+  const validatedClaim = await assertValidProviderTranscript(
+    plaintextTranscript,
+    claimInfo,
+    logger,
+    providerCtx
+  );
+  logger.info("TEE provider validation completed successfully", {
+    provider: validatedClaim.provider,
+    owner: validatedClaim.owner || "unknown"
+  });
+  return validatedClaim;
+}
+function isHostnameValidForCertificate(hostname, certName) {
+  if (hostname === certName) {
+    return true;
+  }
+  if (certName.startsWith("*.")) {
+    const wildcardDomain = certName.slice(2);
+    if (hostname.endsWith(wildcardDomain)) {
+      const subdomainPart = hostname.slice(0, -wildcardDomain.length);
+      if (subdomainPart.endsWith(".")) {
+        const subdomain = subdomainPart.slice(0, -1);
+        return !subdomain.includes(".");
+      }
+    }
+  }
+  return false;
+}
+function validateTlsCertificate(claimInfo, certificateInfo, logger) {
+  let claimedHostname;
+  const paramsWithTemplates = niceParseJsonObject(claimInfo.parameters, "params");
+  const params = substituteParamValues(paramsWithTemplates, void 0, true).newParams;
+  if ("url" in params && typeof params.url === "string") {
+    claimedHostname = new URL(params.url).hostname;
+  }
+  if (!claimedHostname) {
+    logger.warn("Could not extract hostname from claim for certificate validation", {
+      provider: claimInfo.provider
+    });
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      "Certificate validation failed: hostname not found"
+    );
+  }
+  logger.info("Validating TLS certificate for claimed hostname", {
+    claimedHostname,
+    certificateCommonName: certificateInfo.commonName,
+    certificateDnsNames: certificateInfo.dnsNames
+  });
+  const isValidForHostname = isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) || certificateInfo.dnsNames.some((name) => isHostnameValidForCertificate(claimedHostname, name));
+  if (!isValidForHostname) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      `Certificate validation failed: hostname '${claimedHostname}' not valid for certificate (CN: ${certificateInfo.commonName}, SANs: ${certificateInfo.dnsNames.join(", ")})`
+    );
+  }
+  const now = Date.now() / 1e3;
+  if (now < certificateInfo.notBeforeUnix || now > certificateInfo.notAfterUnix) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      `Certificate validation failed: certificate not valid at current time (valid from ${new Date(certificateInfo.notBeforeUnix * 1e3).toISOString()} to ${new Date(certificateInfo.notAfterUnix * 1e3).toISOString()})`
+    );
+  }
+  logger.info("TLS certificate validation passed", {
+    claimedHostname,
+    validatedAgainst: isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) ? `CommonName: ${certificateInfo.commonName}` : `SAN: ${certificateInfo.dnsNames.find((name) => isHostnameValidForCertificate(claimedHostname, name))}`
+  });
+}
+function validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger) {
+  const allOprfResults = [...zkOprfResults, ...oprfMpcResults];
+  if (allOprfResults.length === 0) {
+    return allOprfResults;
+  }
+  logger.info(`Combined ${zkOprfResults.length} ZK OPRF + ${oprfMpcResults.length} OPRF MPC results`);
+  const seen = {};
+  for (const result of zkOprfResults) {
+    seen[result.position] = { length: result.length, source: "zk" };
+  }
+  for (const result of oprfMpcResults) {
+    const existing = seen[result.position];
+    if (existing) {
+      if (existing.length !== result.length) {
+        throw new AttestorError(
+          "ERROR_INVALID_CLAIM",
+          `OPRF range conflict at position ${result.position}: ZK length ${existing.length} vs MPC length ${result.length}`
+        );
+      }
+      logger.warn(`Duplicate OPRF range at position ${result.position} from both ZK and MPC - using MPC result`);
+    }
+    for (const [pos, data] of Object.entries(seen)) {
+      const position = Number(pos);
+      const existingEnd = position + data.length;
+      const newEnd = result.position + result.length;
+      const overlaps = result.position < existingEnd && newEnd > position && result.position !== position;
+      if (overlaps) {
+        throw new AttestorError(
+          "ERROR_INVALID_CLAIM",
+          `Overlapping OPRF ranges: [${position}:${existingEnd}] (${data.source}) and [${result.position}:${newEnd}] (mpc)`
+        );
+      }
+    }
+    seen[result.position] = { length: result.length, source: "mpc" };
+  }
+  return allOprfResults;
+}
+export {
+  claimTeeBundle
+};

package/lib/server/handlers/claimTunnel.d.ts

@@ -1,2 +1,2 @@
-import { RPCHandler } from '../../types';
+import type { RPCHandler } from '#src/types/index.ts';
 export declare const claimTunnel: RPCHandler<'claimTunnel'>;