@reclaimprotocol/attestor-core 4.0.3 → 5.0.1-beta.2

package/lib/server/create-server.js

@@ -1,92 +1,105 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createServer = createServer;
-const http_1 = require("http");
-const serve_static_1 = __importDefault(require("serve-static"));
-const config_1 = require("../config");
-const socket_1 = require("../server/socket");
-const generics_1 = require("../server/utils/generics");
-const keep_alive_1 = require("../server/utils/keep-alive");
-const utils_1 = require("../utils");
-const bgp_listener_1 = require("../utils/bgp-listener");
-const env_1 = require("../utils/env");
-const signatures_1 = require("../utils/signatures");
-const ws_1 = require("../utils/ws");
-const ws_2 = require("ws");
-const PORT = +((0, env_1.getEnvVariable)('PORT') || config_1.API_SERVER_PORT);
-const DISABLE_BGP_CHECKS = (0, env_1.getEnvVariable)('DISABLE_BGP_CHECKS') === '1';
-/**
- * Creates the WebSocket API server,
- * creates a fileserver to serve the browser RPC client,
- * and listens on the given port.
- */
+import { createServer as createHttpServer } from "http";
+import serveStatic from "serve-static";
+import { WebSocketServer } from "ws";
+import { API_SERVER_PORT, ATTESTOR_ADDRESS_PATHNAME, BROWSER_RPC_PATHNAME, WS_PATHNAME } from "../config/index.js";
+import { AttestorServerSocket } from "../server/socket.js";
+import { getAttestorAddress } from "../server/utils/generics.js";
+import { addKeepAlive } from "../server/utils/keep-alive.js";
+import { createBgpListener } from "../utils/bgp-listener.js";
+import { getEnvVariable } from "../utils/env.js";
+import { logger as LOGGER } from "../utils/index.js";
+import { SelectedServiceSignatureType } from "../utils/signatures/index.js";
+import { promisifySend } from "../utils/ws.js";
+const PORT = +(getEnvVariable("PORT") || API_SERVER_PORT);
+const DISABLE_BGP_CHECKS = getEnvVariable("DISABLE_BGP_CHECKS") === "1";
+const ATTESTOR_ADDRESS_JSON_RES = JSON.stringify({
+  address: getAttestorAddress(SelectedServiceSignatureType),
+  signatureType: SelectedServiceSignatureType
+});
 async function createServer(port = PORT) {
-    const http = (0, http_1.createServer)();
-    const serveBrowserRpc = (0, serve_static_1.default)('browser', { index: ['index.html'] });
-    const bgpListener = !DISABLE_BGP_CHECKS
-        ? (0, bgp_listener_1.createBgpListener)(utils_1.logger.child({ service: 'bgp-listener' }))
-        : undefined;
-    const wss = new ws_2.WebSocketServer({ noServer: true });
-    http.on('upgrade', handleUpgrade.bind(wss));
-    http.on('request', (req, res) => {
-        var _a;
-        // simple way to serve files at the browser RPC path
-        if (!((_a = req.url) === null || _a === void 0 ? void 0 : _a.startsWith(config_1.BROWSER_RPC_PATHNAME))) {
-            res.statusCode = 404;
-            res.end('Not found');
-            return;
-        }
-        req.url = req.url.slice(config_1.BROWSER_RPC_PATHNAME.length) || '/';
-        serveBrowserRpc(req, res, (err) => {
-            var _a, _b;
-            if (err) {
-                utils_1.logger.error({ err, url: req.url }, 'Failed to serve file');
-            }
-            res.statusCode = (_a = err === null || err === void 0 ? void 0 : err.statusCode) !== null && _a !== void 0 ? _a : 404;
-            res.end((_b = err === null || err === void 0 ? void 0 : err.message) !== null && _b !== void 0 ? _b : 'Not found');
-        });
-    });
-    // wait for us to start listening
-    http.listen(port);
-    await new Promise((resolve, reject) => {
-        http.once('listening', () => resolve());
-        http.once('error', reject);
+  const http = createHttpServer();
+  const serveBrowserRpc = serveStatic(
+    "browser",
+    {
+      index: ["index.html"],
+      setHeaders(res) {
+        res.setHeader("Access-Control-Allow-Origin", "*");
+      }
+    }
+  );
+  const bgpListener = !DISABLE_BGP_CHECKS ? createBgpListener(LOGGER.child({ service: "bgp-listener" })) : void 0;
+  const wss = new WebSocketServer({ noServer: true });
+  http.on("upgrade", handleUpgrade.bind(wss));
+  http.on("request", (req, res) => {
+    const url = URL.parse(req.url || "", "http://localhost");
+    if (!url) {
+      res.statusCode = 422;
+      res.end("Invalid URL");
+      return;
+    }
+    if (url.pathname === ATTESTOR_ADDRESS_PATHNAME) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(ATTESTOR_ADDRESS_JSON_RES);
+      return;
+    }
+    if (!url.pathname?.startsWith(BROWSER_RPC_PATHNAME)) {
+      res.statusCode = 404;
+      res.end("Not found");
+      return;
+    }
+    req.url = req.url.slice(BROWSER_RPC_PATHNAME.length) || "/";
+    serveBrowserRpc(req, res, (err) => {
+      if (err) {
+        LOGGER.error({ err, url: req.url }, "Failed to serve file");
+      }
+      res.statusCode = err?.statusCode ?? 404;
+      res.end(err?.message ?? "Not found");
     });
-    wss.on('connection', (ws, req) => handleNewClient(ws, req, bgpListener));
-    utils_1.logger.info({
-        port,
-        apiPath: config_1.WS_PATHNAME,
-        browserRpcPath: config_1.BROWSER_RPC_PATHNAME,
-        signerAddress: (0, generics_1.getAttestorAddress)(signatures_1.SelectedServiceSignatureType)
-    }, 'WS server listening');
-    const wssClose = wss.close.bind(wss);
-    wss.close = (cb) => {
-        wssClose(() => http.close(cb));
-        bgpListener === null || bgpListener === void 0 ? void 0 : bgpListener.close();
-    };
-    return wss;
+  });
+  http.listen(port);
+  await new Promise((resolve, reject) => {
+    http.once("listening", () => resolve());
+    http.once("error", reject);
+  });
+  wss.on("connection", (ws, req) => handleNewClient(ws, req, bgpListener));
+  LOGGER.info(
+    {
+      port,
+      apiPath: WS_PATHNAME,
+      browserRpcPath: BROWSER_RPC_PATHNAME,
+      signerAddress: getAttestorAddress(SelectedServiceSignatureType)
+    },
+    "WS server listening"
+  );
+  const wssClose = wss.close.bind(wss);
+  wss.close = (cb) => {
+    wssClose(() => http.close(cb));
+    bgpListener?.close();
+  };
+  return wss;
 }
 async function handleNewClient(ws, req, bgpListener) {
-    (0, ws_1.promisifySend)(ws);
-    const client = await socket_1.AttestorServerSocket.acceptConnection(ws, { req, bgpListener, logger: utils_1.logger });
-    // if initialisation fails, don't store the client
-    if (!client) {
-        return;
-    }
-    ws.serverSocket = client;
-    (0, keep_alive_1.addKeepAlive)(ws, utils_1.logger.child({ sessionId: client.sessionId }));
+  promisifySend(ws);
+  const client = await AttestorServerSocket.acceptConnection(
+    ws,
+    { req, bgpListener, logger: LOGGER }
+  );
+  if (!client) {
+    return;
+  }
+  ws.serverSocket = client;
+  addKeepAlive(ws, LOGGER.child({ sessionId: client.sessionId }));
 }
 function handleUpgrade(request, socket, head) {
-    const { pathname } = new URL(request.url, 'wss://base.url');
-    if (pathname === config_1.WS_PATHNAME) {
-        this.handleUpgrade(request, socket, head, (ws) => {
-            this.emit('connection', ws, request);
-        });
-        return;
-    }
-    socket.destroy();
+  const { pathname } = new URL(request.url, "wss://base.url");
+  if (pathname === WS_PATHNAME) {
+    this.handleUpgrade(request, socket, head, (ws) => {
+      this.emit("connection", ws, request);
+    });
+    return;
+  }
+  socket.destroy();
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3JlYXRlLXNlcnZlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9zZXJ2ZXIvY3JlYXRlLXNlcnZlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQXVCQSxvQ0ErREM7QUF0RkQsK0JBQXdFO0FBQ3hFLGdFQUFzQztBQUN0Qyx1Q0FBK0U7QUFDL0UsOENBQXdEO0FBQ3hELHdEQUE4RDtBQUM5RCw0REFBMEQ7QUFFMUQscUNBQTRDO0FBQzVDLHlEQUEwRDtBQUMxRCx1Q0FBOEM7QUFDOUMscURBQW1FO0FBQ25FLHFDQUE0QztBQUU1QywyQkFBK0M7QUFFL0MsTUFBTSxJQUFJLEdBQUcsQ0FBQyxDQUFDLElBQUEsb0JBQWMsRUFBQyxNQUFNLENBQUMsSUFBSSx3QkFBZSxDQUFDLENBQUE7QUFDekQsTUFBTSxrQkFBa0IsR0FBRyxJQUFBLG9CQUFjLEVBQUMsb0JBQW9CLENBQUMsS0FBSyxHQUFHLENBQUE7QUFFdkU7Ozs7R0FJRztBQUNJLEtBQUssVUFBVSxZQUFZLENBQUMsSUFBSSxHQUFHLElBQUk7SUFDN0MsTUFBTSxJQUFJLEdBQUcsSUFBQSxtQkFBZ0IsR0FBRSxDQUFBO0lBQy9CLE1BQU0sZUFBZSxHQUFHLElBQUEsc0JBQVcsRUFDbEMsU0FBUyxFQUNULEVBQUUsS0FBSyxFQUFFLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FDekIsQ0FBQTtJQUNELE1BQU0sV0FBVyxHQUFHLENBQUMsa0JBQWtCO1FBQ3RDLENBQUMsQ0FBQyxJQUFBLGdDQUFpQixFQUFDLGNBQU0sQ0FBQyxLQUFLLENBQUMsRUFBRSxPQUFPLEVBQUUsY0FBYyxFQUFFLENBQUMsQ0FBQztRQUM5RCxDQUFDLENBQUMsU0FBUyxDQUFBO0lBRVosTUFBTSxHQUFHLEdBQUcsSUFBSSxvQkFBZSxDQUFDLEVBQUUsUUFBUSxFQUFFLElBQUksRUFBRSxDQUFDLENBQUE7SUFDbkQsSUFBSSxDQUFDLEVBQUUsQ0FBQyxTQUFTLEVBQUUsYUFBYSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFBO0lBQzNDLElBQUksQ0FBQyxFQUFFLENBQUMsU0FBUyxFQUFFLENBQUMsR0FBRyxFQUFFLEdBQUcsRUFBRSxFQUFFOztRQUMvQixvREFBb0Q7UUFDcEQsSUFBRyxDQUFDLENBQUEsTUFBQSxHQUFHLENBQUMsR0FBRywwQ0FBRSxVQUFVLENBQUMsNkJBQW9CLENBQUMsQ0FBQSxFQUFFLENBQUM7WUFDL0MsR0FBRyxDQUFDLFVBQVUsR0FBRyxHQUFHLENBQUE7WUFDcEIsR0FBRyxDQUFDLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQTtZQUNwQixPQUFNO1FBQ1AsQ0FBQztRQUVELEdBQUcsQ0FBQyxHQUFHLEdBQUcsR0FBRyxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsNkJBQW9CLENBQUMsTUFBTSxDQUFDLElBQUksR0FBRyxDQUFBO1FBRTNELGVBQWUsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLENBQUMsR0FBRyxFQUFFLEVBQUU7O1lBQ2pDLElBQUcsR0FBRyxFQUFFLENBQUM7Z0JBQ1IsY0FBTSxDQUFDLEtBQUssQ0FDWCxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxDQUFDLEdBQUcsRUFBRSxFQUNyQixzQkFBc0IsQ0FDdEIsQ0FBQTtZQUNGLENBQUM7WUFFRCxHQUFHLENBQUMsVUFBVSxHQUFHLE1BQUEsR0FBRyxhQUFILEdBQUcsdUJBQUgsR0FBRyxDQUFFLFVBQVUsbUNBQUksR0FBRyxDQUFBO1lBQ3ZDLEdBQUcsQ0FBQyxHQUFHLENBQUMsTUFBQSxHQUFHLGFBQUgsR0FBRyx1QkFBSCxHQUFHLENBQUUsT0FBTyxtQ0FBSSxXQUFXLENBQUMsQ0FBQTtRQUNyQyxDQUFDLENBQUMsQ0FBQTtJQUNILENBQUMsQ0FBQyxDQUFBO0lBRUYsaUNBQWlDO0lBQ2pDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLENBQUE7SUFDakIsTUFBTSxJQUFJLE9BQU8sQ0FBTyxDQUFDLE9BQU8sRUFBRSxNQUFNLEVBQUUsRUFBRTtRQUMzQyxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxHQUFHLEVBQUUsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFBO1FBQ3ZDLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTyxFQUFFLE1BQU0sQ0FBQyxDQUFBO0lBQzNCLENBQUMsQ0FBQyxDQUFBO0lBRUYsR0FBRyxDQUFDLEVBQUUsQ0FBQyxZQUFZLEVBQUUsQ0FBQyxFQUFFLEVBQUUsR0FBRyxFQUFFLEVBQUUsQ0FBQyxlQUFlLENBQUMsRUFBRSxFQUFFLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFBO0lBRXhFLGNBQU0sQ0FBQyxJQUFJLENBQ1Y7UUFDQyxJQUFJO1FBQ0osT0FBTyxFQUFFLG9CQUFXO1FBQ3BCLGNBQWMsRUFBRSw2QkFBb0I7UUFDcEMsYUFBYSxFQUFFLElBQUEsNkJBQWtCLEVBQ2hDLHlDQUE0QixDQUM1QjtLQUNELEVBQ0QscUJBQXFCLENBQ3JCLENBQUE7SUFFRCxNQUFNLFFBQVEsR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQTtJQUNwQyxHQUFHLENBQUMsS0FBSyxHQUFHLENBQUMsRUFBRSxFQUFFLEVBQUU7UUFDbEIsUUFBUSxDQUFDLEdBQUcsRUFBRSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQTtRQUM5QixXQUFXLGFBQVgsV0FBVyx1QkFBWCxXQUFXLENBQUUsS0FBSyxFQUFFLENBQUE7SUFDckIsQ0FBQyxDQUFBO0lBRUQsT0FBTyxHQUFHLENBQUE7QUFDWCxDQUFDO0FBRUQsS0FBSyxVQUFVLGVBQWUsQ0FDN0IsRUFBYSxFQUNiLEdBQW9CLEVBQ3BCLFdBQW9DO0lBRXBDLElBQUEsa0JBQWEsRUFBQyxFQUFFLENBQUMsQ0FBQTtJQUNqQixNQUFNLE1BQU0sR0FBRyxNQUFNLDZCQUFvQixDQUFDLGdCQUFnQixDQUN6RCxFQUFFLEVBQ0YsRUFBRSxHQUFHLEVBQUUsV0FBVyxFQUFFLE1BQU0sRUFBRSxjQUFNLEVBQUUsQ0FDcEMsQ0FBQTtJQUNELGtEQUFrRDtJQUNsRCxJQUFHLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDWixPQUFNO0lBQ1AsQ0FBQztJQUVELEVBQUUsQ0FBQyxZQUFZLEdBQUcsTUFBTSxDQUFBO0lBQ3hCLElBQUEseUJBQVksRUFBQyxFQUFFLEVBQUUsY0FBTSxDQUFDLEtBQUssQ0FBQyxFQUFFLFNBQVMsRUFBRSxNQUFNLENBQUMsU0FBUyxFQUFFLENBQUMsQ0FBQyxDQUFBO0FBQ2hFLENBQUM7QUFFRCxTQUFTLGFBQWEsQ0FFckIsT0FBd0IsRUFDeEIsTUFBYyxFQUNkLElBQVk7SUFFWixNQUFNLEVBQUUsUUFBUSxFQUFFLEdBQUcsSUFBSSxHQUFHLENBQUMsT0FBTyxDQUFDLEdBQUksRUFBRSxnQkFBZ0IsQ0FBQyxDQUFBO0lBRTVELElBQUcsUUFBUSxLQUFLLG9CQUFXLEVBQUUsQ0FBQztRQUM3QixJQUFJLENBQUMsYUFBYSxDQUFDLE9BQU8sRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLENBQUMsRUFBRSxFQUFFLEVBQUU7WUFDaEQsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsRUFBRSxFQUFFLE9BQU8sQ0FBQyxDQUFBO1FBQ3JDLENBQUMsQ0FBQyxDQUFBO1FBQ0YsT0FBTTtJQUNQLENBQUM7SUFFRCxNQUFNLENBQUMsT0FBTyxFQUFFLENBQUE7QUFDakIsQ0FBQyJ9
+export {
+  createServer
+};

package/lib/server/handlers/claimTeeBundle.d.ts

@@ -0,0 +1,6 @@
+/**
+ * TEE Bundle Claim Handler
+ * Handles ClaimTeeBundleRequest by verifying TEE attestations and reconstructing TLS transcript
+ */
+import type { RPCHandler } from '#src/types/index.ts';
+export declare const claimTeeBundle: RPCHandler<'claimTeeBundle'>;

package/lib/server/handlers/claimTeeBundle.js

@@ -0,0 +1,232 @@
+import { ClaimTeeBundleResponse } from "../../proto/api.js";
+import { VerificationBundle } from "../../proto/tee-bundle.js";
+import { substituteParamValues } from "../../providers/http/index.js";
+import { assertValidProviderTranscript } from "../../server/utils/assert-valid-claim-request.js";
+import { getAttestorAddress, niceParseJsonObject, signAsAttestor } from "../../server/utils/generics.js";
+import { verifyOprfMpcOutputs } from "../../server/utils/tee-oprf-mpc-verification.js";
+import { verifyOprfProofs } from "../../server/utils/tee-oprf-verification.js";
+import { reconstructTlsTranscript } from "../../server/utils/tee-transcript-reconstruction.js";
+import { verifyTeeBundle } from "../../server/utils/tee-verification.js";
+import { AttestorError } from "../../utils/error.js";
+import { createSignDataForClaim, getIdentifierFromClaimInfo } from "../../utils/index.js";
+const claimTeeBundle = async (teeBundleRequest, { logger, client }) => {
+  const {
+    verificationBundle,
+    data
+  } = teeBundleRequest;
+  const res = ClaimTeeBundleResponse.create({ request: teeBundleRequest });
+  logger.info("Starting TEE bundle verification");
+  const teeData = await verifyTeeBundle(verificationBundle, logger);
+  const timestampS = Math.floor(teeData.kOutputPayload.timestampMs / 1e3);
+  logger.info("Verifying OPRF proofs");
+  const bundle = VerificationBundle.decode(verificationBundle);
+  const zkOprfResults = await verifyOprfProofs(
+    { ...teeData, oprfVerifications: bundle.oprfVerifications },
+    logger
+  );
+  logger.info("Verifying OPRF MPC outputs");
+  const oprfMpcResults = verifyOprfMpcOutputs(
+    teeData.kOutputPayload,
+    teeData.tOutputPayload,
+    logger
+  );
+  const allOprfResults = validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger);
+  logger.info("Starting TLS transcript reconstruction with OPRF replacements");
+  const transcriptData = await reconstructTlsTranscript(teeData, logger, allOprfResults);
+  logger.info("Creating plaintext transcript from TEE data");
+  const plaintextTranscript = createPlaintextTranscriptFromTeeData(transcriptData, logger);
+  logger.info("Running direct provider validation on TEE reconstructed data");
+  if (!data) {
+    throw new AttestorError("ERROR_INVALID_CLAIM", "No claim data provided in TEE bundle request");
+  }
+  const validatedClaim = await validateTeeProviderReceipt(
+    plaintextTranscript,
+    data,
+    logger,
+    { version: client.metadata.clientVersion },
+    transcriptData.certificateInfo
+  );
+  const ctx = niceParseJsonObject(validatedClaim.context, "context");
+  ctx.pcr0_k = teeData.teekPcr0;
+  ctx.pcr0_t = teeData.teetPcr0;
+  ctx.tee_session_id = teeData.teeSessionId;
+  validatedClaim.context = JSON.stringify(ctx);
+  res.claim = {
+    ...validatedClaim,
+    identifier: getIdentifierFromClaimInfo(validatedClaim),
+    // Use timestampS from TEE_K bundle for claim signing
+    timestampS,
+    // hardcode for compatibility with V1 claims
+    epoch: 1
+  };
+  logger.info({ claim: res.claim }, "TEE bundle claim validation successful");
+  res.signatures = {
+    attestorAddress: getAttestorAddress(
+      client.metadata.signatureType
+    ),
+    claimSignature: res.claim ? await signAsAttestor(
+      createSignDataForClaim(res.claim),
+      client.metadata.signatureType
+    ) : new Uint8Array(),
+    resultSignature: await signAsAttestor(
+      ClaimTeeBundleResponse.encode(res).finish(),
+      client.metadata.signatureType
+    )
+  };
+  logger.info("TEE bundle claim processing completed");
+  return res;
+};
+function createPlaintextTranscriptFromTeeData(transcriptData, logger) {
+  const transcript = [];
+  if (transcriptData.revealedRequest && transcriptData.revealedRequest.length > 0) {
+    transcript.push({
+      sender: "client",
+      message: transcriptData.revealedRequest
+    });
+    logger.debug("Added TEE revealed request to plaintext transcript", {
+      length: transcriptData.revealedRequest.length
+    });
+  }
+  if (transcriptData.reconstructedResponse && transcriptData.reconstructedResponse.length > 0) {
+    transcript.push({
+      sender: "server",
+      message: transcriptData.reconstructedResponse
+    });
+    logger.debug("Added TEE consolidated response to plaintext transcript", {
+      length: transcriptData.reconstructedResponse.length
+    });
+  }
+  if (transcriptData.certificateInfo) {
+    logger.info("Certificate information available for validation", {
+      commonName: transcriptData.certificateInfo.commonName,
+      issuerCommonName: transcriptData.certificateInfo.issuerCommonName,
+      dnsNames: transcriptData.certificateInfo.dnsNames,
+      notBefore: new Date(transcriptData.certificateInfo.notBeforeUnix * 1e3).toISOString(),
+      notAfter: new Date(transcriptData.certificateInfo.notAfterUnix * 1e3).toISOString()
+    });
+  }
+  logger.info("Created plaintext transcript from TEE data", {
+    totalMessages: transcript.length,
+    hasRequest: !!transcriptData.revealedRequest?.length,
+    hasResponse: !!transcriptData.reconstructedResponse?.length,
+    hasCertificateInfo: !!transcriptData.certificateInfo
+  });
+  return transcript;
+}
+async function validateTeeProviderReceipt(plaintextTranscript, claimInfo, logger, providerCtx, certificateInfo) {
+  logger.info("Starting direct TEE provider validation", {
+    provider: claimInfo.provider,
+    transcriptMessages: plaintextTranscript.length,
+    hasCertificateInfo: !!certificateInfo
+  });
+  if (certificateInfo) {
+    validateTlsCertificate(claimInfo, certificateInfo, logger);
+  }
+  const validatedClaim = await assertValidProviderTranscript(
+    plaintextTranscript,
+    claimInfo,
+    logger,
+    providerCtx
+  );
+  logger.info("TEE provider validation completed successfully", {
+    provider: validatedClaim.provider,
+    owner: validatedClaim.owner || "unknown"
+  });
+  return validatedClaim;
+}
+function isHostnameValidForCertificate(hostname, certName) {
+  if (hostname === certName) {
+    return true;
+  }
+  if (certName.startsWith("*.")) {
+    const wildcardDomain = certName.slice(2);
+    if (hostname.endsWith(wildcardDomain)) {
+      const subdomainPart = hostname.slice(0, -wildcardDomain.length);
+      if (subdomainPart.endsWith(".")) {
+        const subdomain = subdomainPart.slice(0, -1);
+        return !subdomain.includes(".");
+      }
+    }
+  }
+  return false;
+}
+function validateTlsCertificate(claimInfo, certificateInfo, logger) {
+  let claimedHostname;
+  const paramsWithTemplates = niceParseJsonObject(claimInfo.parameters, "params");
+  const params = substituteParamValues(paramsWithTemplates, void 0, true).newParams;
+  if ("url" in params && typeof params.url === "string") {
+    claimedHostname = new URL(params.url).hostname;
+  }
+  if (!claimedHostname) {
+    logger.warn("Could not extract hostname from claim for certificate validation", {
+      provider: claimInfo.provider
+    });
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      "Certificate validation failed: hostname not found"
+    );
+  }
+  logger.info("Validating TLS certificate for claimed hostname", {
+    claimedHostname,
+    certificateCommonName: certificateInfo.commonName,
+    certificateDnsNames: certificateInfo.dnsNames
+  });
+  const isValidForHostname = isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) || certificateInfo.dnsNames.some((name) => isHostnameValidForCertificate(claimedHostname, name));
+  if (!isValidForHostname) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      `Certificate validation failed: hostname '${claimedHostname}' not valid for certificate (CN: ${certificateInfo.commonName}, SANs: ${certificateInfo.dnsNames.join(", ")})`
+    );
+  }
+  const now = Date.now() / 1e3;
+  if (now < certificateInfo.notBeforeUnix || now > certificateInfo.notAfterUnix) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      `Certificate validation failed: certificate not valid at current time (valid from ${new Date(certificateInfo.notBeforeUnix * 1e3).toISOString()} to ${new Date(certificateInfo.notAfterUnix * 1e3).toISOString()})`
+    );
+  }
+  logger.info("TLS certificate validation passed", {
+    claimedHostname,
+    validatedAgainst: isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) ? `CommonName: ${certificateInfo.commonName}` : `SAN: ${certificateInfo.dnsNames.find((name) => isHostnameValidForCertificate(claimedHostname, name))}`
+  });
+}
+function validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger) {
+  const allOprfResults = [...zkOprfResults, ...oprfMpcResults];
+  if (allOprfResults.length === 0) {
+    return allOprfResults;
+  }
+  logger.info(`Combined ${zkOprfResults.length} ZK OPRF + ${oprfMpcResults.length} OPRF MPC results`);
+  const seen = {};
+  for (const result of zkOprfResults) {
+    seen[result.position] = { length: result.length, source: "zk" };
+  }
+  for (const result of oprfMpcResults) {
+    const existing = seen[result.position];
+    if (existing) {
+      if (existing.length !== result.length) {
+        throw new AttestorError(
+          "ERROR_INVALID_CLAIM",
+          `OPRF range conflict at position ${result.position}: ZK length ${existing.length} vs MPC length ${result.length}`
+        );
+      }
+      logger.warn(`Duplicate OPRF range at position ${result.position} from both ZK and MPC - using MPC result`);
+    }
+    for (const [pos, data] of Object.entries(seen)) {
+      const position = Number(pos);
+      const existingEnd = position + data.length;
+      const newEnd = result.position + result.length;
+      const overlaps = result.position < existingEnd && newEnd > position && result.position !== position;
+      if (overlaps) {
+        throw new AttestorError(
+          "ERROR_INVALID_CLAIM",
+          `Overlapping OPRF ranges: [${position}:${existingEnd}] (${data.source}) and [${result.position}:${newEnd}] (mpc)`
+        );
+      }
+    }
+    seen[result.position] = { length: result.length, source: "mpc" };
+  }
+  return allOprfResults;
+}
+export {
+  claimTeeBundle
+};

package/lib/server/handlers/claimTunnel.d.ts

@@ -1,2 +1,2 @@
-import { RPCHandler } from '../../types';
+import type { RPCHandler } from '#src/types/index.ts';
 export declare const claimTunnel: RPCHandler<'claimTunnel'>;

package/lib/server/handlers/claimTunnel.js

@@ -1,78 +1,80 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.claimTunnel = void 0;
-const config_1 = require("../../config");
-const api_1 = require("../../proto/api");
-const apm_1 = require("../../server/utils/apm");
-const assert_valid_claim_request_1 = require("../../server/utils/assert-valid-claim-request");
-const generics_1 = require("../../server/utils/generics");
-const utils_1 = require("../../utils");
+import { MAX_CLAIM_TIMESTAMP_DIFF_S } from "../../config/index.js";
+import { ClaimTunnelResponse } from "../../proto/api.js";
+import { getApm } from "../../server/utils/apm.js";
+import { assertTranscriptsMatch, assertValidClaimRequest } from "../../server/utils/assert-valid-claim-request.js";
+import { getAttestorAddress, signAsAttestor } from "../../server/utils/generics.js";
+import { AttestorError, createSignDataForClaim, getIdentifierFromClaimInfo, unixTimestampSeconds } from "../../utils/index.js";
 const claimTunnel = async (claimRequest, { tx, logger, client }) => {
-    var _a, _b, _c, _d;
-    const { request, data: { timestampS } = {}, } = claimRequest;
-    const tunnel = client.getTunnel(request === null || request === void 0 ? void 0 : request.id);
-    try {
-        await tunnel.close();
-    }
-    catch (err) {
-        logger.debug({ err }, 'error closing tunnel');
-    }
-    if (tx) {
-        const transcriptBytes = tunnel.transcript.reduce((acc, { message }) => acc + message.length, 0);
-        tx === null || tx === void 0 ? void 0 : tx.setLabel('transcriptBytes', transcriptBytes.toString());
+  const {
+    request,
+    data: { timestampS } = {}
+  } = claimRequest;
+  const tunnel = client.getTunnel(request?.id);
+  try {
+    await tunnel.close();
+  } catch (err) {
+    logger.debug({ err }, "error closing tunnel");
+  }
+  if (tx) {
+    const transcriptBytes = tunnel.transcript.reduce(
+      (acc, { message }) => acc + message.length,
+      0
+    );
+    tx?.setLabel("transcriptBytes", transcriptBytes.toString());
+  }
+  if (tunnel.createRequest?.host !== request?.host || tunnel.createRequest?.port !== request?.port || tunnel.createRequest?.geoLocation !== request?.geoLocation || tunnel.createRequest?.proxySessionId !== request?.proxySessionId) {
+    throw AttestorError.badRequest("Tunnel request does not match");
+  }
+  assertTranscriptsMatch(claimRequest.transcript, tunnel.transcript);
+  const res = ClaimTunnelResponse.create({ request: claimRequest });
+  try {
+    const now = unixTimestampSeconds();
+    if (Math.floor(timestampS - now) > MAX_CLAIM_TIMESTAMP_DIFF_S) {
+      throw new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        `Timestamp provided ${timestampS} is too far off. Current time is ${now}`
+      );
     }
-    // we throw an error for cases where the attestor cannot prove
-    // the user's request is faulty. For eg. if the user sends a
-    // "createRequest" that does not match the tunnel's actual
-    // create request -- the attestor cannot prove that the user
-    // is lying. In such cases, we throw a bad request error.
-    // Same goes for matching the transcript.
-    if (((_a = tunnel.createRequest) === null || _a === void 0 ? void 0 : _a.host) !== (request === null || request === void 0 ? void 0 : request.host)
-        || ((_b = tunnel.createRequest) === null || _b === void 0 ? void 0 : _b.port) !== (request === null || request === void 0 ? void 0 : request.port)
-        || ((_c = tunnel.createRequest) === null || _c === void 0 ? void 0 : _c.geoLocation) !== (request === null || request === void 0 ? void 0 : request.geoLocation)) {
-        throw utils_1.AttestorError.badRequest('Tunnel request does not match');
-    }
-    (0, assert_valid_claim_request_1.assertTranscriptsMatch)(claimRequest.transcript, tunnel.transcript);
-    const res = api_1.ClaimTunnelResponse.create({ request: claimRequest });
+    const assertTx = getApm()?.startTransaction("assertValidClaimRequest", { childOf: tx });
     try {
-        const now = (0, utils_1.unixTimestampSeconds)();
-        if (Math.floor(timestampS - now) > config_1.MAX_CLAIM_TIMESTAMP_DIFF_S) {
-            throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', `Timestamp provided ${timestampS} is too far off. Current time is ${now}`);
-        }
-        const assertTx = (_d = (0, apm_1.getApm)()) === null || _d === void 0 ? void 0 : _d.startTransaction('assertValidClaimRequest', { childOf: tx });
-        try {
-            const claim = await (0, assert_valid_claim_request_1.assertValidClaimRequest)(claimRequest, client.metadata, logger);
-            res.claim = {
-                ...claim,
-                identifier: (0, utils_1.getIdentifierFromClaimInfo)(claim),
-                // hardcode for compatibility with V1 claims
-                epoch: 1
-            };
-        }
-        catch (err) {
-            assertTx === null || assertTx === void 0 ? void 0 : assertTx.setOutcome('failure');
-            throw err;
-        }
-        finally {
-            assertTx === null || assertTx === void 0 ? void 0 : assertTx.end();
-        }
-    }
-    catch (err) {
-        logger.error({ err }, 'invalid claim request');
-        const attestorErr = utils_1.AttestorError.fromError(err);
-        attestorErr.code = 'ERROR_INVALID_CLAIM';
-        res.error = attestorErr.toProto();
+      const claim = await assertValidClaimRequest(
+        claimRequest,
+        client.metadata,
+        logger
+      );
+      res.claim = {
+        ...claim,
+        identifier: getIdentifierFromClaimInfo(claim),
+        // hardcode for compatibility with V1 claims
+        epoch: 1
+      };
+    } catch (err) {
+      assertTx?.setOutcome("failure");
+      throw err;
+    } finally {
+      assertTx?.end();
     }
-    res.signatures = {
-        attestorAddress: (0, generics_1.getAttestorAddress)(client.metadata.signatureType),
-        claimSignature: res.claim
-            ? await (0, generics_1.signAsAttestor)((0, utils_1.createSignDataForClaim)(res.claim), client.metadata.signatureType)
-            : new Uint8Array(),
-        resultSignature: await (0, generics_1.signAsAttestor)(api_1.ClaimTunnelResponse.encode(res).finish(), client.metadata.signatureType)
-    };
-    // remove tunnel from client -- to free up our mem
-    client.removeTunnel(request.id);
-    return res;
+  } catch (err) {
+    logger.error({ err }, "invalid claim request");
+    const attestorErr = AttestorError.fromError(err, "ERROR_INVALID_CLAIM");
+    res.error = attestorErr.toProto();
+  }
+  res.signatures = {
+    attestorAddress: getAttestorAddress(
+      client.metadata.signatureType
+    ),
+    claimSignature: res.claim ? await signAsAttestor(
+      createSignDataForClaim(res.claim),
+      client.metadata.signatureType
+    ) : new Uint8Array(),
+    resultSignature: await signAsAttestor(
+      ClaimTunnelResponse.encode(res).finish(),
+      client.metadata.signatureType
+    )
+  };
+  client.removeTunnel(request.id);
+  return res;
+};
+export {
+  claimTunnel
 };
-exports.claimTunnel = claimTunnel;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhaW1UdW5uZWwuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvc2VydmVyL2hhbmRsZXJzL2NsYWltVHVubmVsLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLHVDQUF1RDtBQUN2RCx1Q0FBbUQ7QUFDbkQsOENBQTZDO0FBQzdDLDRGQUE2RztBQUM3Ryx3REFBOEU7QUFFOUUscUNBQW1IO0FBRTVHLE1BQU0sV0FBVyxHQUE4QixLQUFLLEVBQzFELFlBQVksRUFDWixFQUFFLEVBQUUsRUFBRSxNQUFNLEVBQUUsTUFBTSxFQUFFLEVBQ3JCLEVBQUU7O0lBQ0gsTUFBTSxFQUNMLE9BQU8sRUFDUCxJQUFJLEVBQUUsRUFBRSxVQUFVLEVBQUUsR0FBRyxFQUFFLEdBQ3pCLEdBQUcsWUFBWSxDQUFBO0lBQ2hCLE1BQU0sTUFBTSxHQUFHLE1BQU0sQ0FBQyxTQUFTLENBQUMsT0FBTyxhQUFQLE9BQU8sdUJBQVAsT0FBTyxDQUFFLEVBQUcsQ0FBQyxDQUFBO0lBQzdDLElBQUksQ0FBQztRQUNKLE1BQU0sTUFBTSxDQUFDLEtBQUssRUFBRSxDQUFBO0lBQ3JCLENBQUM7SUFBQyxPQUFNLEdBQUcsRUFBRSxDQUFDO1FBQ2IsTUFBTSxDQUFDLEtBQUssQ0FBQyxFQUFFLEdBQUcsRUFBRSxFQUFFLHNCQUFzQixDQUFDLENBQUE7SUFDOUMsQ0FBQztJQUVELElBQUcsRUFBRSxFQUFFLENBQUM7UUFDUCxNQUFNLGVBQWUsR0FBRyxNQUFNLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FDL0MsQ0FBQyxHQUFHLEVBQUUsRUFBRSxPQUFPLEVBQUUsRUFBRSxFQUFFLENBQUMsR0FBRyxHQUFHLE9BQU8sQ0FBQyxNQUFNLEVBQzFDLENBQUMsQ0FDRCxDQUFBO1FBQ0QsRUFBRSxhQUFGLEVBQUUsdUJBQUYsRUFBRSxDQUFFLFFBQVEsQ0FBQyxpQkFBaUIsRUFBRSxlQUFlLENBQUMsUUFBUSxFQUFFLENBQUMsQ0FBQTtJQUM1RCxDQUFDO0lBRUQsOERBQThEO0lBQzlELDREQUE0RDtJQUM1RCwwREFBMEQ7SUFDMUQsNERBQTREO0lBQzVELHlEQUF5RDtJQUN6RCx5Q0FBeUM7SUFDekMsSUFDQyxDQUFBLE1BQUEsTUFBTSxDQUFDLGFBQWEsMENBQUUsSUFBSSxPQUFLLE9BQU8sYUFBUCxPQUFPLHVCQUFQLE9BQU8sQ0FBRSxJQUFJLENBQUE7V0FDekMsQ0FBQSxNQUFBLE1BQU0sQ0FBQyxhQUFhLDBDQUFFLElBQUksT0FBSyxPQUFPLGFBQVAsT0FBTyx1QkFBUCxPQUFPLENBQUUsSUFBSSxDQUFBO1dBQzVDLENBQUEsTUFBQSxNQUFNLENBQUMsYUFBYSwwQ0FBRSxXQUFXLE9BQUssT0FBTyxhQUFQLE9BQU8sdUJBQVAsT0FBTyxDQUFFLFdBQVcsQ0FBQSxFQUM1RCxDQUFDO1FBQ0YsTUFBTSxxQkFBYSxDQUFDLFVBQVUsQ0FBQywrQkFBK0IsQ0FBQyxDQUFBO0lBQ2hFLENBQUM7SUFFRCxJQUFBLG1EQUFzQixFQUFDLFlBQVksQ0FBQyxVQUFVLEVBQUUsTUFBTSxDQUFDLFVBQVUsQ0FBQyxDQUFBO0lBRWxFLE1BQU0sR0FBRyxHQUFHLHlCQUFtQixDQUFDLE1BQU0sQ0FBQyxFQUFFLE9BQU8sRUFBRSxZQUFZLEVBQUUsQ0FBQyxDQUFBO0lBQ2pFLElBQUksQ0FBQztRQUNKLE1BQU0sR0FBRyxHQUFHLElBQUEsNEJBQW9CLEdBQUUsQ0FBQTtRQUNsQyxJQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsVUFBVyxHQUFHLEdBQUcsQ0FBQyxHQUFHLG1DQUEwQixFQUFFLENBQUM7WUFDL0QsTUFBTSxJQUFJLHFCQUFhLENBQ3RCLHFCQUFxQixFQUNyQixzQkFBc0IsVUFBVSxvQ0FBb0MsR0FBRyxFQUFFLENBQ3pFLENBQUE7UUFDRixDQUFDO1FBRUQsTUFBTSxRQUFRLEdBQUcsTUFBQSxJQUFBLFlBQU0sR0FBRSwwQ0FDdEIsZ0JBQWdCLENBQUMseUJBQXlCLEVBQUUsRUFBRSxPQUFPLEVBQUUsRUFBRSxFQUFFLENBQUMsQ0FBQTtRQUUvRCxJQUFJLENBQUM7WUFDSixNQUFNLEtBQUssR0FBRyxNQUFNLElBQUEsb0RBQXVCLEVBQzFDLFlBQVksRUFDWixNQUFNLENBQUMsUUFBUSxFQUNmLE1BQU0sQ0FDTixDQUFBO1lBQ0QsR0FBRyxDQUFDLEtBQUssR0FBRztnQkFDWCxHQUFHLEtBQUs7Z0JBQ1IsVUFBVSxFQUFFLElBQUEsa0NBQTBCLEVBQUMsS0FBSyxDQUFDO2dCQUM3Qyw0Q0FBNEM7Z0JBQzVDLEtBQUssRUFBRSxDQUFDO2FBQ1IsQ0FBQTtRQUNGLENBQUM7UUFBQyxPQUFNLEdBQUcsRUFBRSxDQUFDO1lBQ2IsUUFBUSxhQUFSLFFBQVEsdUJBQVIsUUFBUSxDQUFFLFVBQVUsQ0FBQyxTQUFTLENBQUMsQ0FBQTtZQUMvQixNQUFNLEdBQUcsQ0FBQTtRQUNWLENBQUM7Z0JBQVMsQ0FBQztZQUNWLFFBQVEsYUFBUixRQUFRLHVCQUFSLFFBQVEsQ0FBRSxHQUFHLEVBQUUsQ0FBQTtRQUNoQixDQUFDO0lBQ0YsQ0FBQztJQUFDLE9BQU0sR0FBRyxFQUFFLENBQUM7UUFDYixNQUFNLENBQUMsS0FBSyxDQUFDLEVBQUUsR0FBRyxFQUFFLEVBQUUsdUJBQXVCLENBQUMsQ0FBQTtRQUM5QyxNQUFNLFdBQVcsR0FBRyxxQkFBYSxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUMsQ0FBQTtRQUNoRCxXQUFXLENBQUMsSUFBSSxHQUFHLHFCQUFxQixDQUFBO1FBQ3hDLEdBQUcsQ0FBQyxLQUFLLEdBQUcsV0FBVyxDQUFDLE9BQU8sRUFBRSxDQUFBO0lBQ2xDLENBQUM7SUFFRCxHQUFHLENBQUMsVUFBVSxHQUFHO1FBQ2hCLGVBQWUsRUFBRSxJQUFBLDZCQUFrQixFQUNsQyxNQUFNLENBQUMsUUFBUSxDQUFDLGFBQWEsQ0FDN0I7UUFDRCxjQUFjLEVBQUUsR0FBRyxDQUFDLEtBQUs7WUFDeEIsQ0FBQyxDQUFDLE1BQU0sSUFBQSx5QkFBYyxFQUNyQixJQUFBLDhCQUFzQixFQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFDakMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxhQUFhLENBQzdCO1lBQ0QsQ0FBQyxDQUFDLElBQUksVUFBVSxFQUFFO1FBQ25CLGVBQWUsRUFBRSxNQUFNLElBQUEseUJBQWMsRUFDcEMseUJBQW1CLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUN4QyxNQUFNLENBQUMsUUFBUSxDQUFDLGFBQWEsQ0FDN0I7S0FDRCxDQUFBO0lBRUQsa0RBQWtEO0lBQ2xELE1BQU0sQ0FBQyxZQUFZLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQyxDQUFBO0lBRS9CLE9BQU8sR0FBRyxDQUFBO0FBQ1gsQ0FBQyxDQUFBO0FBakdZLFFBQUEsV0FBVyxlQWlHdkIifQ==

package/lib/server/handlers/completeClaimOnChain.d.ts

@@ -1,2 +1,2 @@
-import { RPCHandler } from '../../types';
+import type { RPCHandler } from '#src/types/index.ts';
 export declare const completeClaimOnChain: RPCHandler<'completeClaimOnChain'>;