@reclaimprotocol/attestor-core 4.0.3 → 5.0.1-beta.2

package/lib/server/utils/tee-verification.js

@@ -0,0 +1,358 @@
+import { ServiceSignatureType } from "../../proto/api.js";
+import { BodyType, KOutputPayload, TOutputPayload, VerificationBundle } from "../../proto/tee-bundle.js";
+import { validateGcpAttestationAndExtractKey } from "../../server/utils/gcp-attestation.js";
+import { validateNitroAttestationAndExtractKey } from "../../server/utils/nitro-attestation.js";
+import { AttestorError } from "../../utils/error.js";
+import { SIGNATURES } from "../../utils/signatures/index.js";
+async function verifyTeeBundle(bundleBytes, logger) {
+  const bundle = parseVerificationBundle(bundleBytes);
+  validateBundleCompleteness(bundle);
+  const { teekKeyResult, teetKeyResult } = await extractPublicKeys(bundle, logger);
+  await verifyTeeSignatures(bundle, teekKeyResult, teetKeyResult, logger);
+  if (!bundle.teekSigned || !bundle.teetSigned) {
+    throw new AttestorError("ERROR_INVALID_CLAIM", "Missing TEE signed messages");
+  }
+  const kOutputPayload = parseKOutputPayload(bundle.teekSigned);
+  const tOutputPayload = parseTOutputPayload(bundle.teetSigned);
+  validateTimestamps(kOutputPayload, tOutputPayload, logger);
+  const teeSessionId = validateSessionIds(kOutputPayload, tOutputPayload, logger);
+  logger.info("TEE bundle verification successful");
+  return {
+    teekSigned: bundle.teekSigned,
+    teetSigned: bundle.teetSigned,
+    kOutputPayload,
+    tOutputPayload,
+    teekPcr0: teekKeyResult.pcr0,
+    teetPcr0: teetKeyResult.pcr0,
+    teeSessionId
+  };
+}
+function parseVerificationBundle(bundleBytes) {
+  try {
+    return VerificationBundle.decode(bundleBytes);
+  } catch (error) {
+    throw new Error(`Failed to parse verification bundle: ${error.message}`);
+  }
+}
+function validateBundleCompleteness(bundle) {
+  if (!bundle.teekSigned) {
+    throw new Error("SECURITY ERROR: missing TEE_K signed message - verification bundle incomplete");
+  }
+  if (!bundle.teetSigned) {
+    throw new Error("SECURITY ERROR: missing TEE_T signed message - verification bundle incomplete");
+  }
+  const hasAttestations = bundle.teekSigned.attestationReport?.report && bundle.teekSigned.attestationReport.report.length > 0 || bundle.teetSigned.attestationReport?.report && bundle.teetSigned.attestationReport.report.length > 0;
+  const hasPublicKeys = bundle.teekSigned.ethAddress && bundle.teekSigned.ethAddress.length > 0 || bundle.teetSigned.ethAddress && bundle.teetSigned.ethAddress.length > 0;
+  if (!hasAttestations && !hasPublicKeys) {
+    throw new Error("SECURITY ERROR: bundle must have either Nitro attestations (production) or embedded public keys (development)");
+  }
+  if (bundle.teekSigned.bodyType !== BodyType.BODY_TYPE_K_OUTPUT) {
+    throw new Error("Invalid TEE_K signed message: wrong body type");
+  }
+  if (bundle.teetSigned.bodyType !== BodyType.BODY_TYPE_T_OUTPUT) {
+    throw new Error("Invalid TEE_T signed message: wrong body type");
+  }
+  if (!bundle.teekSigned.body || bundle.teekSigned.body.length === 0) {
+    throw new Error("Invalid TEE_K signed message: empty body");
+  }
+  if (!bundle.teetSigned.body || bundle.teetSigned.body.length === 0) {
+    throw new Error("Invalid TEE_T signed message: empty body");
+  }
+  if (!bundle.teekSigned.signature || bundle.teekSigned.signature.length === 0) {
+    throw new Error("Invalid TEE_K signed message: missing signature");
+  }
+  if (!bundle.teetSigned.signature || bundle.teetSigned.signature.length === 0) {
+    throw new Error("Invalid TEE_T signed message: missing signature");
+  }
+}
+async function extractPublicKeys(bundle, logger) {
+  const hasEmbeddedAttestations = bundle.teekSigned.attestationReport?.report && bundle.teekSigned.attestationReport.report.length > 0 && (bundle.teetSigned.attestationReport?.report && bundle.teetSigned.attestationReport.report.length > 0);
+  let teekKeyResult;
+  let teetKeyResult;
+  if (hasEmbeddedAttestations) {
+    logger.info("Using production mode: extracting keys from attestations");
+    if (!bundle.teekSigned?.attestationReport?.report) {
+      throw new Error("TEE_K embedded attestation report missing");
+    }
+    if (!bundle.teetSigned?.attestationReport?.report) {
+      throw new Error("TEE_T embedded attestation report missing");
+    }
+    const teekAttestationType = bundle.teekSigned.attestationReport.type || "nitro";
+    const teetAttestationType = bundle.teetSigned.attestationReport.type || "nitro";
+    logger.info(`TEE_K attestation type: ${teekAttestationType}`);
+    logger.info(`TEE_T attestation type: ${teetAttestationType}`);
+    const teekAttestationBytes = bundle.teekSigned.attestationReport.report;
+    const teetAttestationBytes = bundle.teetSigned.attestationReport.report;
+    if (teekAttestationType === "gcp") {
+      const gcpResult = await validateGcpAttestationAndExtractKey(teekAttestationBytes, logger);
+      if (!gcpResult.isValid) {
+        throw new Error(`TEE_K GCP attestation validation failed: ${gcpResult.errors.join(", ")}`);
+      }
+      if (!gcpResult.ethAddress) {
+        throw new Error("TEE_K GCP attestation validation failed: no address");
+      }
+      if (gcpResult.userDataType !== "tee_k") {
+        throw new Error(`TEE_K GCP attestation validation failed: wrong TEE type, expected tee_k, got ${gcpResult.userDataType}`);
+      }
+      teekKeyResult = {
+        teeType: gcpResult.userDataType,
+        ethAddress: "0x" + Buffer.from(gcpResult.ethAddress).toString("hex"),
+        pcr0: gcpResult.pcr0 || "gcp-no-digest"
+      };
+    } else {
+      const nitroResult = await validateNitroAttestationAndExtractKey(teekAttestationBytes);
+      if (!nitroResult.isValid) {
+        throw new Error(`TEE_K Nitro attestation validation failed: ${nitroResult.errors.join(", ")}`);
+      }
+      if (!nitroResult.ethAddress) {
+        throw new Error("TEE_K Nitro attestation validation failed: no address");
+      }
+      if (nitroResult.userDataType !== "tee_k") {
+        throw new Error(`TEE_K Nitro attestation validation failed: wrong TEE type, expected tee_k, got ${nitroResult.userDataType}`);
+      }
+      teekKeyResult = {
+        teeType: nitroResult.userDataType,
+        ethAddress: nitroResult.ethAddress,
+        pcr0: nitroResult.pcr0
+      };
+    }
+    if (teetAttestationType === "gcp") {
+      const gcpResult = await validateGcpAttestationAndExtractKey(teetAttestationBytes, logger);
+      if (!gcpResult.isValid) {
+        throw new Error(`TEE_T GCP attestation validation failed: ${gcpResult.errors.join(", ")}`);
+      }
+      if (!gcpResult.ethAddress) {
+        throw new Error("TEE_T GCP attestation validation failed: no address");
+      }
+      if (gcpResult.userDataType !== "tee_t") {
+        throw new Error(`TEE_T GCP attestation validation failed: wrong TEE type, expected tee_t, got ${gcpResult.userDataType}`);
+      }
+      teetKeyResult = {
+        teeType: gcpResult.userDataType,
+        ethAddress: "0x" + Buffer.from(gcpResult.ethAddress).toString("hex"),
+        pcr0: gcpResult.pcr0 || "gcp-no-digest"
+      };
+      if (!gcpResult.envVars?.EXPECTED_TEEK_PCR0) {
+        throw new Error("TEE_T GCP attestation missing required EXPECTED_TEEK_PCR0 environment variable");
+      }
+      const expectedPcr0 = gcpResult.envVars.EXPECTED_TEEK_PCR0;
+      const actualPcr0 = teekKeyResult.pcr0;
+      logger.info(`Cross-validating TEE_K PCR0: expected=${expectedPcr0}, actual=${actualPcr0}`);
+      if (expectedPcr0 !== actualPcr0) {
+        throw new Error(`TEE cross-validation failed: TEE_T expects TEE_K PCR0 "${expectedPcr0}" but got "${actualPcr0}"`);
+      }
+      logger.info("TEE cross-validation successful: TEE_K PCR0 matches TEE_T expectation");
+    } else {
+      const nitroResult = await validateNitroAttestationAndExtractKey(teetAttestationBytes);
+      if (!nitroResult.isValid) {
+        throw new Error(`TEE_T Nitro attestation validation failed: ${nitroResult.errors.join(", ")}`);
+      }
+      if (!nitroResult.ethAddress) {
+        throw new Error("TEE_T Nitro attestation validation failed: no address");
+      }
+      if (nitroResult.userDataType !== "tee_t") {
+        throw new Error(`TEE_T Nitro attestation validation failed: wrong TEE type, expected tee_t, got ${nitroResult.userDataType}`);
+      }
+      teetKeyResult = {
+        teeType: nitroResult.userDataType,
+        ethAddress: nitroResult.ethAddress,
+        pcr0: nitroResult.pcr0
+      };
+    }
+    logger.info("Attestations validated successfully");
+  } else {
+    const standaloneEnabled = process.env.TEE_STANDALONE === "true" || process.env.TEE_STANDALONE === "1";
+    if (!standaloneEnabled) {
+      throw new Error("Missing attestation reports and standalone mode is not enabled (set TEE_STANDALONE=true to enable)");
+    }
+    const hasEmbeddedKeys = bundle.teekSigned.ethAddress && bundle.teekSigned.ethAddress.length > 0 && (bundle.teetSigned.ethAddress && bundle.teetSigned.ethAddress.length > 0);
+    if (!hasEmbeddedKeys) {
+      throw new Error("Missing attestation and no embedded ETH addresses for standalone mode");
+    }
+    logger.warn("STANDALONE MODE ENABLED: Using embedded ETH addresses without attestation verification");
+    const teekAddress = Buffer.from(bundle.teekSigned.ethAddress).toString("utf8");
+    teekKeyResult = {
+      teeType: "tee_k",
+      ethAddress: teekAddress,
+      pcr0: "standalone-mode"
+      // No PCR0 in standalone mode
+    };
+    logger.info(`TEE_K standalone address: ${teekAddress}`);
+    const teetAddress = Buffer.from(bundle.teetSigned.ethAddress).toString("utf8");
+    teetKeyResult = {
+      teeType: "tee_t",
+      ethAddress: teetAddress,
+      pcr0: "standalone-mode"
+      // No PCR0 in standalone mode
+    };
+    logger.info(`TEE_T standalone address: ${teetAddress}`);
+    logger.info("Standalone mode key extraction successful");
+  }
+  return {
+    teekKeyResult,
+    teetKeyResult
+  };
+}
+async function verifyTeeSignatures(bundle, teekKeyResult, teetKeyResult, logger) {
+  if (!bundle.teekSigned) {
+    throw new Error("TEE_K signed message is missing");
+  }
+  const teekResult = await verifyTeeSignature(
+    bundle.teekSigned,
+    teekKeyResult,
+    "TEE_K",
+    logger
+  );
+  if (!teekResult.isValid) {
+    throw new Error(`TEE_K signature verification failed: ${teekResult.errors.join(", ")}`);
+  }
+  if (!bundle.teetSigned) {
+    throw new Error("TEE_T signed message is missing");
+  }
+  const teetResult = await verifyTeeSignature(
+    bundle.teetSigned,
+    teetKeyResult,
+    "TEE_T",
+    logger
+  );
+  if (!teetResult.isValid) {
+    throw new Error(`TEE_T signature verification failed: ${teetResult.errors.join(", ")}`);
+  }
+  logger.info("TEE signatures verified successfully");
+}
+async function verifyTeeSignature(signedMessage, extractedKey, teeType, logger) {
+  const errors = [];
+  if (!signedMessage) {
+    return {
+      isValid: false,
+      errors: ["Signed message is null or undefined"]
+    };
+  }
+  try {
+    let ethAddress;
+    if (extractedKey.ethAddress) {
+      ethAddress = extractedKey.ethAddress;
+      logger.debug(`${teeType} using ETH address from attestation: ${ethAddress}`);
+    } else {
+      return {
+        isValid: false,
+        errors: ["eth address is null"]
+      };
+    }
+    const { verify: verifySig } = SIGNATURES[ServiceSignatureType.SERVICE_SIGNATURE_TYPE_ETH];
+    const isValid = await verifySig(
+      signedMessage.body,
+      signedMessage.signature,
+      ethAddress
+    );
+    if (!isValid) {
+      errors.push(`${teeType} signature verification failed for address ${ethAddress}`);
+    }
+    logger.debug(`${teeType} signature verification result: ${isValid} for address ${ethAddress}`);
+    return {
+      isValid: errors.length === 0,
+      errors,
+      address: extractedKey.ethAddress
+    };
+  } catch (error) {
+    errors.push(`${teeType} signature verification error: ${error.message}`);
+    return {
+      isValid: false,
+      errors
+    };
+  }
+}
+function parseKOutputPayload(signedMessage) {
+  const payload = KOutputPayload.decode(signedMessage.body);
+  if (!payload.redactedRequest) {
+    throw new Error("Missing redacted request in TEE_K payload");
+  }
+  if (!payload.consolidatedResponseKeystream || payload.consolidatedResponseKeystream.length === 0) {
+    throw new Error("Missing consolidated response keystream in TEE_K payload");
+  }
+  if (!payload.certificateInfo) {
+    throw new Error("Missing certificate info in TEE_K payload");
+  }
+  return payload;
+}
+function parseTOutputPayload(signedMessage) {
+  const payload = TOutputPayload.decode(signedMessage.body);
+  if (!payload.consolidatedResponseCiphertext || payload.consolidatedResponseCiphertext.length === 0) {
+    throw new Error("Missing consolidated response ciphertext in TEE_T payload");
+  }
+  return payload;
+}
+function validateTimestamps(kPayload, tPayload, logger) {
+  const now = Date.now();
+  const kTimestamp = kPayload.timestampMs;
+  const tTimestamp = tPayload.timestampMs;
+  const kTimestampS = Math.floor(kTimestamp / 1e3);
+  const tTimestampS = Math.floor(tTimestamp / 1e3);
+  const nowS = Math.floor(now / 1e3);
+  logger.info("Validating TEE timestamps", {
+    kTimestampMs: kTimestamp,
+    tTimestampMs: tTimestamp,
+    kTimestampS,
+    tTimestampS,
+    nowS
+  });
+  const maxAgeMs = 10 * 60 * 1e3;
+  const oldestAllowed = now - maxAgeMs;
+  if (kTimestamp < oldestAllowed) {
+    throw new Error(`TEE_K timestamp ${kTimestamp} is too old. Must be within 10 minutes of current time ${now}`);
+  }
+  if (tTimestamp < oldestAllowed) {
+    throw new Error(`TEE_T timestamp ${tTimestamp} is too old. Must be within 10 minutes of current time ${now}`);
+  }
+  const maxFutureMs = 60 * 1e3;
+  const maxAllowed = now + maxFutureMs;
+  if (kTimestamp > maxAllowed) {
+    throw new Error(`TEE_K timestamp ${kTimestamp} is in the future. Current time is ${now}`);
+  }
+  if (tTimestamp > maxAllowed) {
+    throw new Error(`TEE_T timestamp ${tTimestamp} is in the future. Current time is ${now}`);
+  }
+  const timestampDiffMs = Math.abs(kTimestamp - tTimestamp);
+  const maxDiffMs = 60 * 1e3;
+  if (timestampDiffMs > maxDiffMs) {
+    throw new Error(`TEE timestamps differ by ${timestampDiffMs}ms, which exceeds maximum allowed difference of ${maxDiffMs}ms (1 minute)`);
+  }
+  logger.info("TEE timestamp validation successful", {
+    timestampDiffMs,
+    ageKMs: now - kTimestamp,
+    ageTMs: now - tTimestamp
+  });
+}
+function validateSessionIds(kPayload, tPayload, logger) {
+  const kSessionId = kPayload.sessionId;
+  const tSessionId = tPayload.sessionId;
+  logger.info("Validating TEE session IDs", {
+    kSessionId,
+    tSessionId
+  });
+  if (!kSessionId || kSessionId.length === 0) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      "Missing session_id in TEE_K payload - required for cross-TEE binding"
+    );
+  }
+  if (!tSessionId || tSessionId.length === 0) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      "Missing session_id in TEE_T payload - required for cross-TEE binding"
+    );
+  }
+  if (kSessionId !== tSessionId) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      `Session ID mismatch: TEE_K session_id "${kSessionId}" does not match TEE_T session_id "${tSessionId}".`
+    );
+  }
+  logger.info("TEE session ID validation successful", {
+    sessionId: kSessionId
+  });
+  return kSessionId;
+}
+export {
+  verifyTeeBundle
+};

package/lib/{utils → server/utils}/validation.d.ts

@@ -1,2 +1,2 @@
-import { ProviderName, ProviderParams } from '../types';
+import type { ProviderName, ProviderParams } from '#src/types/index.ts';
 export declare function assertValidateProviderParams<T extends ProviderName>(name: T, params: unknown): asserts params is ProviderParams<T>;

package/lib/server/utils/validation.js

@@ -0,0 +1,45 @@
+import { Ajv } from "ajv";
+import { PROVIDER_SCHEMAS } from "../../types/providers.gen.js";
+import { AttestorError } from "../../utils/error.js";
+const PROVIDER_VALIDATOR_MAP = {};
+const AJV = new Ajv({
+  allErrors: true,
+  strict: true,
+  strictRequired: false,
+  formats: {
+    binary(data) {
+      return data instanceof Uint8Array || typeof Buffer !== "undefined" && Buffer.isBuffer(data);
+    },
+    url(data) {
+      try {
+        new URL(data);
+        return true;
+      } catch {
+        return false;
+      }
+    }
+  }
+});
+function assertValidateProviderParams(name, params) {
+  let validate = PROVIDER_VALIDATOR_MAP[name];
+  if (!validate) {
+    const schema = PROVIDER_SCHEMAS[name]?.parameters;
+    if (!schema) {
+      throw new AttestorError(
+        "ERROR_BAD_REQUEST",
+        `Invalid provider name "${String(name)}"`
+      );
+    }
+    validate = AJV.compile(schema);
+  }
+  if (!validate?.(params)) {
+    throw new AttestorError(
+      "ERROR_BAD_REQUEST",
+      "Params validation failed",
+      { errors: JSON.stringify(validate.errors) }
+    );
+  }
+}
+export {
+  assertValidateProviderParams
+};

package/lib/types/bgp.js

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYmdwLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3R5cGVzL2JncC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiIn0=

package/lib/types/claims.d.ts

@@ -1,9 +1,9 @@
-import type { ProviderClaimData } from '../proto/api';
-import type { IAttestorClient, IAttestorClientInitParams } from '../types/client';
-import type { CompleteTLSPacket, Logger } from '../types/general';
-import type { ProofGenerationStep, ProviderName, ProviderParams, ProviderSecretParams } from '../types/providers';
-import type { Transcript } from '../types/tunnel';
-import type { PrepareZKProofsBaseOpts } from '../types/zk';
+import type { ProviderClaimData } from '#src/proto/api.ts';
+import type { IAttestorClient, IAttestorClientInitParams } from '#src/types/client.ts';
+import type { CompleteTLSPacket, Logger } from '#src/types/general.ts';
+import type { ProofGenerationStep, ProviderName, ProviderParams, ProviderSecretParams } from '#src/types/providers.ts';
+import type { Transcript } from '#src/types/tunnel.ts';
+import type { PrepareZKProofsBaseOpts } from '#src/types/zk.ts';
 /**
  * Uniquely identifies a claim.
  * Hash of claim info.
@@ -11,10 +11,7 @@ import type { PrepareZKProofsBaseOpts } from '../types/zk';
  */
 export type ClaimID = ProviderClaimData['identifier'];
 export type ClaimInfo = Pick<ProviderClaimData, 'context' | 'provider' | 'parameters'>;
-export type AnyClaimInfo = ClaimInfo | {
-    identifier: ClaimID;
-};
-export type CompleteClaimData = Pick<ProviderClaimData, 'owner' | 'timestampS' | 'epoch'> & AnyClaimInfo;
+export type CompleteClaimData = Pick<ProviderClaimData, 'owner' | 'timestampS' | 'epoch'> & ClaimInfo;
 export type CreateClaimOnAttestorOpts<N extends ProviderName> = {
     /** name of the provider to generate signed receipt for */
     name: N;

package/lib/types/claims.js

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhaW1zLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3R5cGVzL2NsYWltcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiIn0=

package/lib/types/client.d.ts

@@ -1,10 +1,10 @@
 import type { IncomingMessage } from 'http';
-import type { AuthenticationRequest, InitRequest, InitResponse, RPCMessage, RPCMessages, ServiceSignatureType, TunnelMessage } from '../proto/api';
-import type { BGPListener } from '../types/bgp';
-import type { Logger } from '../types/general';
-import type { RPCEvent, RPCEventMap, RPCEventType, RPCRequestData, RPCResponseData, RPCType } from '../types/rpc';
-import type { TCPSocketProperties, Tunnel } from '../types/tunnel';
 import type { WebSocket as WSWebSocket } from 'ws';
+import type { AuthenticationRequest, InitRequest, InitResponse, RPCMessage, RPCMessages, ServiceSignatureType, TunnelMessage } from '#src/proto/api.ts';
+import type { BGPListener } from '#src/types/bgp.ts';
+import type { Logger } from '#src/types/general.ts';
+import type { RPCEvent, RPCEventMap, RPCEventType, RPCRequestData, RPCResponseData, RPCType } from '#src/types/rpc.ts';
+import type { TCPSocketProperties, Tunnel } from '#src/types/tunnel.ts';
 /**
  * Any WebSocket implementation -- either the native
  * WebSocket or the WebSocket from the `ws` package.

package/lib/types/client.js

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpZW50LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3R5cGVzL2NsaWVudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiIn0=

package/lib/types/general.d.ts

@@ -1,5 +1,5 @@
 import type { Logger as TLSLogger, TLSPacketContext, TLSProtocolVersion } from '@reclaimprotocol/tls';
-import type { TOPRFProofParams } from '../types/zk';
+import type { OPRFRawMarker, TOPRFProofParams } from '#src/types/zk.ts';
 /**
  * Represents a slice of any array or string
  */
@@ -11,11 +11,14 @@ export type RedactedOrHashedArraySlice = {
     fromIndex: number;
     toIndex: number;
     /**
-     * By default, the the data is redacted. Instead if you'd like
-     * a deterministic hash, set this to 'oprf'
+     * By default, the data is redacted. Instead if you'd like
+     * a deterministic hash, set this to:
+     * - 'oprf' for client-side TOPRF with ZK proof
+     * - 'oprf-mpc' for TEE-to-TEE MPC OPRF
+     * - 'oprf-raw' for server-side OPRF (data revealed to attestor)
      * @default undefined
      */
-    hash?: 'oprf';
+    hash?: 'oprf' | 'oprf-mpc' | 'oprf-raw';
 };
 export type Logger = TLSLogger & {
     child: (opts: {
@@ -27,6 +30,17 @@ export type ZKRevealInfo = {
     type: 'zk';
     redactedPlaintext: Uint8Array;
     toprfs?: TOPRFProofParams[];
+    oprfRawMarkers?: OPRFRawMarker[];
+    overshotToprfFromPrevBlock?: {
+        length: number;
+    };
+    /**
+     * If an oprf-raw marker from the previous block overshot into this block.
+     * The server will collect plaintext from this block to complete the OPRF.
+     */
+    overshotOprfRawFromPrevBlock?: {
+        length: number;
+    };
 };
 export type MessageRevealInfo = {
     type: 'complete';
@@ -48,4 +62,15 @@ export type IDecryptedTranscript = {
     transcript: IDecryptedTranscriptMessage[];
     tlsVersion: TLSProtocolVersion;
     hostname: string;
+    /**
+     * oprf-raw replacements: original plaintext -> nullifier mappings
+     * for server-side parameter replacement
+     */
+    oprfRawReplacements?: OPRFRawReplacement[];
+};
+export type OPRFRawReplacement = {
+    /** Original plaintext that was OPRF'd */
+    originalText: string;
+    /** OPRF nullifier string to replace with */
+    nullifierText: string;
 };

package/lib/types/general.js

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhbC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy90eXBlcy9nZW5lcmFsLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiIifQ==

package/lib/types/handlers.d.ts

@@ -1,7 +1,7 @@
 import type { Transaction } from 'elastic-apm-node';
-import type { IAttestorServerSocket } from '../types/client';
-import type { Logger } from '../types/general';
-import type { RPCRequestData, RPCResponseData, RPCType } from '../types/rpc';
+import type { IAttestorServerSocket } from '#src/types/client.ts';
+import type { Logger } from '#src/types/general.ts';
+import type { RPCRequestData, RPCResponseData, RPCType } from '#src/types/rpc.ts';
 export type RPCHandlerMetadata = {
     logger: Logger;
     tx?: Transaction;

package/lib/types/handlers.js

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGFuZGxlcnMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvdHlwZXMvaGFuZGxlcnMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9

package/lib/types/index.d.ts

@@ -1,10 +1,10 @@
-export * from './providers';
-export * from './general';
-export * from './signatures';
-export * from './claims';
-export * from './zk';
-export * from './client';
-export * from './rpc';
-export * from './tunnel';
-export * from './handlers';
-export * from './bgp';
+export * from './providers.ts';
+export * from './general.ts';
+export * from './signatures.ts';
+export * from './claims.ts';
+export * from './zk.ts';
+export * from './client.ts';
+export * from './rpc.ts';
+export * from './tunnel.ts';
+export * from './handlers.ts';
+export * from './bgp.ts';

package/lib/types/index.js

@@ -1,27 +1,10 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./providers"), exports);
-__exportStar(require("./general"), exports);
-__exportStar(require("./signatures"), exports);
-__exportStar(require("./claims"), exports);
-__exportStar(require("./zk"), exports);
-__exportStar(require("./client"), exports);
-__exportStar(require("./rpc"), exports);
-__exportStar(require("./tunnel"), exports);
-__exportStar(require("./handlers"), exports);
-__exportStar(require("./bgp"), exports);
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvdHlwZXMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLDhDQUEyQjtBQUMzQiw0Q0FBeUI7QUFDekIsK0NBQTRCO0FBQzVCLDJDQUF3QjtBQUN4Qix1Q0FBb0I7QUFDcEIsMkNBQXdCO0FBQ3hCLHdDQUFxQjtBQUNyQiwyQ0FBd0I7QUFDeEIsNkNBQTBCO0FBQzFCLHdDQUFxQiJ9
+export * from "./providers.js";
+export * from "./general.js";
+export * from "./signatures.js";
+export * from "./claims.js";
+export * from "./zk.js";
+export * from "./client.js";
+export * from "./rpc.js";
+export * from "./tunnel.js";
+export * from "./handlers.js";
+export * from "./bgp.js";

package/lib/types/providers.d.ts

@@ -1,8 +1,8 @@
 import type { TLSConnectionOptions } from '@reclaimprotocol/tls';
-import type { AttestorVersion, ProviderClaimData } from '../proto/api';
-import type { ArraySlice, Logger, RedactedOrHashedArraySlice } from '../types/general';
-import type { ProvidersConfig } from '../types/providers.gen';
-import type { Transcript } from '../types/tunnel';
+import type { AttestorVersion, ProviderClaimData } from '#src/proto/api.ts';
+import type { ArraySlice, Logger, RedactedOrHashedArraySlice } from '#src/types/general.ts';
+import type { ProvidersConfig } from '#src/types/providers.gen.ts';
+import type { Transcript } from '#src/types/tunnel.ts';
 export type AttestorData = {
     id: string;
     url: string;
@@ -66,6 +66,17 @@ export interface Provider<N extends ProviderName, Params = ProviderParams<N>, Se
      * @example "US", "IN"
      */
     geoLocation?: ProviderField<Params, SecretParams, string | undefined>;
+    /**
+     * Session identifier for proxy IP persistence.
+     *
+     * When provided, ensures all requests within the same session
+     * are routed through the same proxy IP address. Useful for
+     * maintaining IP consistency across multiple requests.
+     *
+     * Can be a smallcase alphanumeric string of length 8-14 characters.
+     * @example "mystring12345", "something1234"
+     */
+    proxySessionId?: ProviderField<Params, SecretParams, string | undefined>;
     /** extra options to pass to the client like root CA certificates */
     additionalClientOptions?: ProviderField<Params, SecretParams, TLSConnectionOptions | undefined>;
     /**