npm - @reclaimprotocol/attestor-core - Versions diffs - 5.0.1-beta.13 → 5.0.1-beta.16 - Mend

@reclaimprotocol/attestor-core 5.0.1-beta.13 → 5.0.1-beta.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (134) hide show

package/lib/external-rpc/index.js +17321 -3
package/lib/index.d.ts +1 -0
package/lib/index.js +15391 -11
package/lib/scripts/build-browser-debug.d.ts +1 -0
package/package.json +1 -1
package/lib/avs/abis/avsDirectoryABI.js +0 -343
package/lib/avs/abis/delegationABI.js +0 -4
package/lib/avs/abis/registryABI.js +0 -728
package/lib/avs/client/create-claim-on-avs.js +0 -168
package/lib/avs/config.js +0 -26
package/lib/avs/contracts/ReclaimServiceManager.js +0 -0
package/lib/avs/contracts/common.js +0 -0
package/lib/avs/contracts/factories/ReclaimServiceManager__factory.js +0 -1183
package/lib/avs/contracts/factories/index.js +0 -4
package/lib/avs/contracts/index.js +0 -6
package/lib/avs/types/index.js +0 -0
package/lib/avs/utils/contracts.js +0 -53
package/lib/avs/utils/register.js +0 -74
package/lib/avs/utils/tasks.js +0 -48
package/lib/client/create-claim.js +0 -461
package/lib/client/index.js +0 -3
package/lib/client/tunnels/make-rpc-tcp-tunnel.js +0 -53
package/lib/client/tunnels/make-rpc-tls-tunnel.js +0 -127
package/lib/client/utils/attestor-pool.js +0 -24
package/lib/client/utils/client-socket.js +0 -120
package/lib/client/utils/message-handler.js +0 -97
package/lib/config/index.js +0 -62
package/lib/external-rpc/benchmark.js +0 -82
package/lib/external-rpc/event-bus.js +0 -17
package/lib/external-rpc/handle-incoming-msg.js +0 -241
package/lib/external-rpc/jsc-polyfills/1.js +0 -80
package/lib/external-rpc/jsc-polyfills/2.js +0 -15
package/lib/external-rpc/jsc-polyfills/event.js +0 -19
package/lib/external-rpc/jsc-polyfills/index.js +0 -2
package/lib/external-rpc/jsc-polyfills/ws.js +0 -83
package/lib/external-rpc/setup-browser.js +0 -33
package/lib/external-rpc/setup-jsc.js +0 -22
package/lib/external-rpc/types.js +0 -0
package/lib/external-rpc/utils.js +0 -100
package/lib/external-rpc/zk.js +0 -58
package/lib/mechain/abis/governanceABI.js +0 -461
package/lib/mechain/abis/taskABI.js +0 -512
package/lib/mechain/client/create-claim-on-mechain.js +0 -33
package/lib/mechain/client/index.js +0 -1
package/lib/mechain/constants/index.js +0 -8
package/lib/mechain/index.js +0 -2
package/lib/mechain/types/index.js +0 -0
package/lib/proto/api.js +0 -4250
package/lib/proto/tee-bundle.js +0 -1296
package/lib/providers/http/index.js +0 -640
package/lib/providers/http/patch-parse5-tree.js +0 -34
package/lib/providers/http/utils.js +0 -283
package/lib/providers/index.js +0 -7
package/lib/scripts/build-browser.js +0 -38
package/lib/scripts/build-jsc.js +0 -47
package/lib/scripts/build-lib.js +0 -47
package/lib/scripts/check-avs-registration.js +0 -28
package/lib/scripts/fallbacks/crypto.js +0 -4
package/lib/scripts/fallbacks/empty.js +0 -4
package/lib/scripts/fallbacks/re2.js +0 -7
package/lib/scripts/fallbacks/snarkjs.js +0 -10
package/lib/scripts/fallbacks/stwo.js +0 -159
package/lib/scripts/generate-provider-types.js +0 -101
package/lib/scripts/generate-receipt.js +0 -101
package/lib/scripts/generate-toprf-keys.js +0 -24
package/lib/scripts/jsc-cli-rpc.js +0 -35
package/lib/scripts/register-avs-operator.js +0 -3
package/lib/scripts/start-server.js +0 -11
package/lib/scripts/update-avs-metadata.js +0 -20
package/lib/scripts/utils.js +0 -10
package/lib/scripts/whitelist-operator.js +0 -16
package/lib/server/create-server.js +0 -105
package/lib/server/handlers/claimTeeBundle.js +0 -232
package/lib/server/handlers/claimTunnel.js +0 -80
package/lib/server/handlers/completeClaimOnChain.js +0 -29
package/lib/server/handlers/createClaimOnChain.js +0 -32
package/lib/server/handlers/createTaskOnMechain.js +0 -57
package/lib/server/handlers/createTunnel.js +0 -98
package/lib/server/handlers/disconnectTunnel.js +0 -8
package/lib/server/handlers/fetchCertificateBytes.js +0 -57
package/lib/server/handlers/index.js +0 -25
package/lib/server/handlers/init.js +0 -33
package/lib/server/handlers/toprf.js +0 -19
package/lib/server/index.js +0 -4
package/lib/server/socket.js +0 -112
package/lib/server/tunnels/make-tcp-tunnel.js +0 -202
package/lib/server/utils/apm.js +0 -29
package/lib/server/utils/assert-valid-claim-request.js +0 -354
package/lib/server/utils/config-env.js +0 -4
package/lib/server/utils/dns.js +0 -24
package/lib/server/utils/gcp-attestation.js +0 -237
package/lib/server/utils/generics.js +0 -45
package/lib/server/utils/iso.js +0 -259
package/lib/server/utils/keep-alive.js +0 -38
package/lib/server/utils/nitro-attestation.js +0 -249
package/lib/server/utils/oprf-raw.js +0 -61
package/lib/server/utils/process-handshake.js +0 -233
package/lib/server/utils/proxy-session.js +0 -6
package/lib/server/utils/tee-oprf-mpc-verification.js +0 -86
package/lib/server/utils/tee-oprf-verification.js +0 -151
package/lib/server/utils/tee-transcript-reconstruction.js +0 -140
package/lib/server/utils/tee-verification.js +0 -358
package/lib/server/utils/validation.js +0 -45
package/lib/types/bgp.js +0 -0
package/lib/types/claims.js +0 -0
package/lib/types/client.js +0 -0
package/lib/types/general.js +0 -0
package/lib/types/handlers.js +0 -0
package/lib/types/index.js +0 -10
package/lib/types/providers.gen.js +0 -16
package/lib/types/providers.js +0 -0
package/lib/types/rpc.js +0 -0
package/lib/types/signatures.js +0 -0
package/lib/types/tunnel.js +0 -0
package/lib/types/zk.js +0 -0
package/lib/utils/auth.js +0 -71
package/lib/utils/b64-json.js +0 -17
package/lib/utils/bgp-listener.js +0 -123
package/lib/utils/claims.js +0 -89
package/lib/utils/env.js +0 -19
package/lib/utils/error.js +0 -54
package/lib/utils/generics.js +0 -268
package/lib/utils/http-parser.js +0 -201
package/lib/utils/index.js +0 -13
package/lib/utils/logger.js +0 -82
package/lib/utils/prepare-packets.js +0 -69
package/lib/utils/redactions.js +0 -135
package/lib/utils/retries.js +0 -26
package/lib/utils/signatures/eth.js +0 -31
package/lib/utils/signatures/index.js +0 -12
package/lib/utils/socket-base.js +0 -96
package/lib/utils/tls.js +0 -58
package/lib/utils/ws.js +0 -22
package/lib/utils/zk.js +0 -625

package/lib/scripts/generate-provider-types.js DELETED Viewed

@@ -1,101 +0,0 @@
-import { readdir, readFile, writeFile } from "fs/promises";
-import { compile } from "json-schema-to-typescript";
-import { parse } from "yaml";
-const PROVIDER_SCHEMAS_PATH = "./provider-schemas";
-const GEN_TS_FILENAME = "./src/types/providers.gen.js";
-const BinaryDataType = "BinaryData";
-async function main() {
-  const folders = await findAllProviderFolders();
-  console.log(`Generating for ${folders.length} provider folders`);
-  let ts = "/* eslint-disable */\n/* Generated file. Do not edit */";
-  ts += `
-type ${BinaryDataType} = Uint8Array | string
-`;
-  let providerTypeMap = "\nexport interface ProvidersConfig {\n";
-  let providerSchemaMap = "\nexport const PROVIDER_SCHEMAS = {\n";
-  for (const folder of folders) {
-    const {
-      schemaTitle: paramsSchemaTitle,
-      ts: paramsSchemaTs,
-      jsonTitle: paramsJsonTitle
-    } = await generateTsFromYamlSchema(folder, "parameters");
-    const {
-      schemaTitle: secretParamsSchemaTitle,
-      ts: secretParamsSchemaTs,
-      jsonTitle: secretParamsJsonTitle
-    } = await generateTsFromYamlSchema(
-      folder,
-      "secret-parameters"
-    );
-    ts += `
-${paramsSchemaTs}
-${secretParamsSchemaTs}`;
-    providerTypeMap += `	${folder}: {
-`;
-    providerTypeMap += `		parameters: ${paramsSchemaTitle}
-`;
-    providerTypeMap += `		secretParameters: ${secretParamsSchemaTitle}
-`;
-    providerTypeMap += "	}\n";
-    providerSchemaMap += `	${folder}: {
-`;
-    providerSchemaMap += `		parameters: ${paramsJsonTitle},
-`;
-    providerSchemaMap += `		secretParameters: ${secretParamsJsonTitle}
-`;
-    providerSchemaMap += "	},\n";
-  }
-  providerTypeMap += "}\n";
-  providerSchemaMap += "}\n";
-  ts += providerTypeMap;
-  ts += providerSchemaMap;
-  await writeFile(GEN_TS_FILENAME, ts);
-  console.log(`Wrote to ${GEN_TS_FILENAME}`);
-}
-async function getJsonSchemaForProvider(name, type) {
-  const paramsYaml = await readFile(
-    `${PROVIDER_SCHEMAS_PATH}/${name}/${type}.yaml`,
-    { encoding: "utf-8" }
-  );
-  const paramsJson = parse(paramsYaml);
-  return paramsJson;
-}
-async function generateTsFromYamlSchema(name, type) {
-  const paramsJson = await getJsonSchemaForProvider(name, type);
-  let paramsSchemaTs = await compile(
-    paramsJson,
-    "",
-    {
-      additionalProperties: false,
-      bannerComment: "",
-      ignoreMinAndMaxItems: true,
-      declareExternallyReferenced: false,
-      customName({ type: type2, format }) {
-        if (type2 === "string" && format === "binary") {
-          return BinaryDataType;
-        }
-        return void 0;
-      }
-    }
-  );
-  const jsonTitle = `${paramsJson.title}Json`;
-  paramsSchemaTs += `
-export const ${jsonTitle} = ${JSON.stringify(paramsJson)}`;
-  return {
-    ts: paramsSchemaTs,
-    schemaTitle: paramsJson.title,
-    jsonTitle
-  };
-}
-async function findAllProviderFolders() {
-  const providerFolders = await readdir(
-    PROVIDER_SCHEMAS_PATH,
-    { withFileTypes: true }
-  );
-  return providerFolders.filter((p) => p.isDirectory()).map((p) => p.name);
-}
-void main();
-export {
-  generateTsFromYamlSchema
-};

package/lib/scripts/generate-receipt.js DELETED Viewed

@@ -1,101 +0,0 @@
-import "#src/server/utils/config-env.js";
-import { setCryptoImplementation } from "@reclaimprotocol/tls";
-import { webcryptoCrypto } from "@reclaimprotocol/tls/webcrypto";
-import { readFile } from "fs/promises";
-import {
-  API_SERVER_PORT,
-  createClaimOnAttestor,
-  getAttestorClientFromPool,
-  getTranscriptString,
-  logger,
-  providers,
-  WS_PATHNAME
-} from "#src/index.js";
-import { getCliArgument } from "#src/scripts/utils.js";
-import { createServer, decryptTranscript } from "#src/server/index.js";
-import { assertValidateProviderParams } from "#src/server/utils/validation.js";
-import { getEnvVariable } from "#src/utils/env.js";
-setCryptoImplementation(webcryptoCrypto);
-const DEFAULT_ATTESTOR_HOST_PORT = "wss://eu.attestor.reclaimprotocol.org/ws";
-const PRIVATE_KEY_HEX = getEnvVariable("PRIVATE_KEY_HEX") || "0x0123788edad59d7c013cdc85e4372f350f828e2cec62d9a2de4560e69aec7f89";
-let server;
-async function main(receiptParams) {
-  const paramsJson = receiptParams ?? await getInputParameters();
-  if (!(paramsJson.name in providers)) {
-    throw new Error(`Unknown provider "${paramsJson.name}"`);
-  }
-  assertValidateProviderParams(paramsJson.name, paramsJson.params);
-  let attestorHostPort = getCliArgument("attestor") || DEFAULT_ATTESTOR_HOST_PORT;
-  if (attestorHostPort === "local") {
-    console.log("starting local attestor server...");
-    server = await createServer();
-    attestorHostPort = `ws://localhost:${API_SERVER_PORT}${WS_PATHNAME}`;
-  }
-  globalThis.ATTESTOR_BASE_URL = attestorHostPort.replace("ws://", "http://").replace("wss://", "https://");
-  const zkEngine = getCliArgument("zk") === "gnark" ? "gnark" : "stwo";
-  const { request, error, claim } = await createClaimOnAttestor({
-    name: paramsJson.name,
-    secretParams: paramsJson.secretParams,
-    params: paramsJson.params,
-    ownerPrivateKey: PRIVATE_KEY_HEX,
-    client: { url: attestorHostPort },
-    logger,
-    zkEngine
-  });
-  if (error) {
-    console.error("claim creation failed:", error);
-  } else {
-    const ctx = claim?.context ? JSON.parse(claim.context) : {};
-    console.log(`receipt is valid for ${paramsJson.name} provider`);
-    if (ctx.extractedParameters) {
-      console.log("extracted params:", ctx.extractedParameters);
-    }
-  }
-  if (!request) {
-    throw new Error("Missing request in claim");
-  }
-  const decTranscript = await decryptTranscript(
-    request?.transcript,
-    logger,
-    zkEngine,
-    request?.fixedServerIV,
-    request?.fixedClientIV
-  );
-  const transcriptStr = getTranscriptString(decTranscript);
-  console.log("receipt:\n", transcriptStr);
-  console.log("claim:\n", claim);
-  const client = getAttestorClientFromPool(attestorHostPort);
-  await client.terminateConnection();
-}
-async function getInputParameters() {
-  const paramsJsonFile = getCliArgument("json");
-  if (!paramsJsonFile) {
-    const name = getCliArgument("name");
-    const paramsStr = getCliArgument("params");
-    const secretParamsStr = getCliArgument("secretParams");
-    if (!name || !paramsStr || !secretParamsStr) {
-      throw new Error("Either provide --json argument for parameters JSON or provide separately with --name, --params & --secretParams");
-    }
-    return {
-      name,
-      params: JSON.parse(paramsStr),
-      secretParams: JSON.parse(secretParamsStr)
-    };
-  }
-  let fileContents = await readFile(paramsJsonFile, "utf8");
-  for (const variable in process.env) {
-    fileContents = fileContents.replace(
-      `{{${variable}}}`,
-      process.env[variable]
-    );
-  }
-  return JSON.parse(fileContents);
-}
-main().catch((err) => {
-  console.error("error in receipt gen", err);
-}).finally(() => {
-  server?.close();
-});
-export {
-  main
-};

package/lib/scripts/generate-toprf-keys.js DELETED Viewed

@@ -1,24 +0,0 @@
-import { hexlify } from "ethers";
-import { logger, makeDefaultOPRFOperator } from "#src/utils/index.js";
-const ENGINE = "gnark";
-const TOTAL_KEYS = 10;
-const THRESHOLD = 1;
-async function main() {
-  const op = makeDefaultOPRFOperator("chacha20", ENGINE, logger);
-  const {
-    publicKey,
-    privateKey,
-    shares
-  } = await op.generateThresholdKeys(TOTAL_KEYS, THRESHOLD);
-  logEnvValue("TOPRF_PUBLIC_KEY", publicKey);
-  logEnvValue("TOPRF_PRIVATE_KEY", privateKey);
-  for (const [i, share] of shares.entries()) {
-    console.log(`# Share ${i}`);
-    logEnvValue("TOPRF_SHARE_PUBLIC_KEY", share.publicKey);
-    logEnvValue("TOPRF_SHARE_PRIVATE_KEY", share.privateKey);
-  }
-}
-function logEnvValue(name, value) {
-  console.log(`${name}=${hexlify(value)}`);
-}
-void main();

package/lib/scripts/jsc-cli-rpc.js DELETED Viewed

@@ -1,35 +0,0 @@
-import "#src/external-rpc/jsc-polyfills/index.js";
-import { setCryptoImplementation } from "@reclaimprotocol/tls";
-import { pureJsCrypto } from "@reclaimprotocol/tls/purejs-crypto";
-import { handleIncomingMessage } from "#src/external-rpc/index.js";
-import { B64_JSON_REVIVER } from "#src/utils/b64-json.js";
-function readIncomingMsg() {
-  const cmd2 = readline();
-  return JSON.parse(cmd2, B64_JSON_REVIVER);
-}
-setCryptoImplementation(pureJsCrypto);
-print("Input base URL for attestor");
-const initCmd = readIncomingMsg();
-if (initCmd.type !== "init") {
-  throw new Error("Expected init command");
-}
-globalThis.RPC_CHANNEL_NAME = "cli";
-globalThis.ATTESTOR_BASE_URL = initCmd.attestorBaseUrl;
-const channel = {
-  postMessage(message) {
-    print(message);
-  }
-};
-globalThis[RPC_CHANNEL_NAME] = channel;
-print("reading RPC messages...");
-let cmd;
-while (cmd = readIncomingMsg(), cmd.type !== "quit") {
-  if (cmd.type === "init") {
-    continue;
-  }
-  handleIncomingMessage(cmd);
-  await new Promise((resolve) => {
-    setTimeout(resolve, 500);
-  });
-}
-print("done");

package/lib/scripts/register-avs-operator.js DELETED Viewed

@@ -1,3 +0,0 @@
-import "src/server/utils/config-env";
-import { registerOperator } from "#src/avs/utils/register.js";
-void registerOperator();

package/lib/scripts/start-server.js DELETED Viewed

@@ -1,11 +0,0 @@
-import "#src/server/utils/config-env.js";
-import { setCryptoImplementation } from "@reclaimprotocol/tls";
-import { webcryptoCrypto } from "@reclaimprotocol/tls/webcrypto";
-import { getApm } from "#src/server/utils/apm.js";
-getApm();
-setCryptoImplementation(webcryptoCrypto);
-async function main() {
-  const { createServer } = await import("#src/server/index.js");
-  return createServer();
-}
-main();

package/lib/scripts/update-avs-metadata.js DELETED Viewed

@@ -1,20 +0,0 @@
-import "src/server/utils/config-env";
-import { getContracts } from "#src/avs/utils/contracts.js";
-import { getCliArgument } from "#src/scripts/utils.js";
-async function main() {
-  const { contract } = getContracts();
-  const minSignaturesPerTask = getCliArgument("minSignaturesPerTask");
-  if (!minSignaturesPerTask) {
-    throw new Error(
-      "Provide operator address via --minSignaturesPerTask <num>"
-    );
-  }
-  const tx = await contract.updateTaskCreationMetadata({
-    minSignaturesPerTask: +(minSignaturesPerTask || 0),
-    maxTaskCreationDelayS: 0,
-    maxTaskLifetimeS: 0
-  });
-  await tx.wait();
-  console.log("Updated task creation metadata");
-}
-void main();

package/lib/scripts/utils.js DELETED Viewed

@@ -1,10 +0,0 @@
-function getCliArgument(arg) {
-  const index = process.argv.indexOf(`--${arg}`);
-  if (index === -1) {
-    return void 0;
-  }
-  return process.argv[index + 1];
-}
-export {
-  getCliArgument
-};

package/lib/scripts/whitelist-operator.js DELETED Viewed

@@ -1,16 +0,0 @@
-import "src/server/utils/config-env";
-import { getContracts } from "#src/avs/utils/contracts.js";
-import { getCliArgument } from "#src/scripts/utils.js";
-async function main() {
-  const { contract } = getContracts();
-  const address = getCliArgument("address");
-  if (!address) {
-    throw new Error(
-      "Provide operator address via --address <addr>"
-    );
-  }
-  const tx = await contract.whitelistAddressAsOperator(address, true);
-  await tx.wait();
-  console.log("Whitelisted address:", address);
-}
-void main();

package/lib/server/create-server.js DELETED Viewed

@@ -1,105 +0,0 @@
-import { createServer as createHttpServer } from "http";
-import serveStatic from "serve-static";
-import { WebSocketServer } from "ws";
-import { API_SERVER_PORT, ATTESTOR_ADDRESS_PATHNAME, BROWSER_RPC_PATHNAME, WS_PATHNAME } from "#src/config/index.js";
-import { AttestorServerSocket } from "#src/server/socket.js";
-import { getAttestorAddress } from "#src/server/utils/generics.js";
-import { addKeepAlive } from "#src/server/utils/keep-alive.js";
-import { createBgpListener } from "#src/utils/bgp-listener.js";
-import { getEnvVariable } from "#src/utils/env.js";
-import { logger as LOGGER } from "#src/utils/index.js";
-import { SelectedServiceSignatureType } from "#src/utils/signatures/index.js";
-import { promisifySend } from "#src/utils/ws.js";
-const PORT = +(getEnvVariable("PORT") || API_SERVER_PORT);
-const DISABLE_BGP_CHECKS = getEnvVariable("DISABLE_BGP_CHECKS") === "1";
-const ATTESTOR_ADDRESS_JSON_RES = JSON.stringify({
-  address: getAttestorAddress(SelectedServiceSignatureType),
-  signatureType: SelectedServiceSignatureType
-});
-async function createServer(port = PORT) {
-  const http = createHttpServer();
-  const serveBrowserRpc = serveStatic(
-    "browser",
-    {
-      index: ["index.html"],
-      setHeaders(res) {
-        res.setHeader("Access-Control-Allow-Origin", "*");
-      }
-    }
-  );
-  const bgpListener = !DISABLE_BGP_CHECKS ? createBgpListener(LOGGER.child({ service: "bgp-listener" })) : void 0;
-  const wss = new WebSocketServer({ noServer: true });
-  http.on("upgrade", handleUpgrade.bind(wss));
-  http.on("request", (req, res) => {
-    const url = URL.parse(req.url || "", "http://localhost");
-    if (!url) {
-      res.statusCode = 422;
-      res.end("Invalid URL");
-      return;
-    }
-    if (url.pathname === ATTESTOR_ADDRESS_PATHNAME) {
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(ATTESTOR_ADDRESS_JSON_RES);
-      return;
-    }
-    if (!url.pathname?.startsWith(BROWSER_RPC_PATHNAME)) {
-      res.statusCode = 404;
-      res.end("Not found");
-      return;
-    }
-    req.url = req.url.slice(BROWSER_RPC_PATHNAME.length) || "/";
-    serveBrowserRpc(req, res, (err) => {
-      if (err) {
-        LOGGER.error({ err, url: req.url }, "Failed to serve file");
-      }
-      res.statusCode = err?.statusCode ?? 404;
-      res.end(err?.message ?? "Not found");
-    });
-  });
-  http.listen(port);
-  await new Promise((resolve, reject) => {
-    http.once("listening", () => resolve());
-    http.once("error", reject);
-  });
-  wss.on("connection", (ws, req) => handleNewClient(ws, req, bgpListener));
-  LOGGER.info(
-    {
-      port,
-      apiPath: WS_PATHNAME,
-      browserRpcPath: BROWSER_RPC_PATHNAME,
-      signerAddress: getAttestorAddress(SelectedServiceSignatureType)
-    },
-    "WS server listening"
-  );
-  const wssClose = wss.close.bind(wss);
-  wss.close = (cb) => {
-    wssClose(() => http.close(cb));
-    bgpListener?.close();
-  };
-  return wss;
-}
-async function handleNewClient(ws, req, bgpListener) {
-  promisifySend(ws);
-  const client = await AttestorServerSocket.acceptConnection(
-    ws,
-    { req, bgpListener, logger: LOGGER }
-  );
-  if (!client) {
-    return;
-  }
-  ws.serverSocket = client;
-  addKeepAlive(ws, LOGGER.child({ sessionId: client.sessionId }));
-}
-function handleUpgrade(request, socket, head) {
-  const { pathname } = new URL(request.url, "wss://base.url");
-  if (pathname === WS_PATHNAME) {
-    this.handleUpgrade(request, socket, head, (ws) => {
-      this.emit("connection", ws, request);
-    });
-    return;
-  }
-  socket.destroy();
-}
-export {
-  createServer
-};

package/lib/server/handlers/claimTeeBundle.js DELETED Viewed

@@ -1,232 +0,0 @@
-import { ClaimTeeBundleResponse } from "#src/proto/api.js";
-import { VerificationBundle } from "#src/proto/tee-bundle.js";
-import { substituteParamValues } from "#src/providers/http/index.js";
-import { assertValidProviderTranscript } from "#src/server/utils/assert-valid-claim-request.js";
-import { getAttestorAddress, niceParseJsonObject, signAsAttestor } from "#src/server/utils/generics.js";
-import { verifyOprfMpcOutputs } from "#src/server/utils/tee-oprf-mpc-verification.js";
-import { verifyOprfProofs } from "#src/server/utils/tee-oprf-verification.js";
-import { reconstructTlsTranscript } from "#src/server/utils/tee-transcript-reconstruction.js";
-import { verifyTeeBundle } from "#src/server/utils/tee-verification.js";
-import { AttestorError } from "#src/utils/error.js";
-import { createSignDataForClaim, getIdentifierFromClaimInfo } from "#src/utils/index.js";
-const claimTeeBundle = async (teeBundleRequest, { logger, client }) => {
-  const {
-    verificationBundle,
-    data
-  } = teeBundleRequest;
-  const res = ClaimTeeBundleResponse.create({ request: teeBundleRequest });
-  logger.info("Starting TEE bundle verification");
-  const teeData = await verifyTeeBundle(verificationBundle, logger);
-  const timestampS = Math.floor(teeData.kOutputPayload.timestampMs / 1e3);
-  logger.info("Verifying OPRF proofs");
-  const bundle = VerificationBundle.decode(verificationBundle);
-  const zkOprfResults = await verifyOprfProofs(
-    { ...teeData, oprfVerifications: bundle.oprfVerifications },
-    logger
-  );
-  logger.info("Verifying OPRF MPC outputs");
-  const oprfMpcResults = verifyOprfMpcOutputs(
-    teeData.kOutputPayload,
-    teeData.tOutputPayload,
-    logger
-  );
-  const allOprfResults = validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger);
-  logger.info("Starting TLS transcript reconstruction with OPRF replacements");
-  const transcriptData = await reconstructTlsTranscript(teeData, logger, allOprfResults);
-  logger.info("Creating plaintext transcript from TEE data");
-  const plaintextTranscript = createPlaintextTranscriptFromTeeData(transcriptData, logger);
-  logger.info("Running direct provider validation on TEE reconstructed data");
-  if (!data) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "No claim data provided in TEE bundle request");
-  }
-  const validatedClaim = await validateTeeProviderReceipt(
-    plaintextTranscript,
-    data,
-    logger,
-    { version: client.metadata.clientVersion },
-    transcriptData.certificateInfo
-  );
-  const ctx = niceParseJsonObject(validatedClaim.context, "context");
-  ctx.pcr0_k = teeData.teekPcr0;
-  ctx.pcr0_t = teeData.teetPcr0;
-  ctx.tee_session_id = teeData.teeSessionId;
-  validatedClaim.context = JSON.stringify(ctx);
-  res.claim = {
-    ...validatedClaim,
-    identifier: getIdentifierFromClaimInfo(validatedClaim),
-    // Use timestampS from TEE_K bundle for claim signing
-    timestampS,
-    // hardcode for compatibility with V1 claims
-    epoch: 1
-  };
-  logger.info({ claim: res.claim }, "TEE bundle claim validation successful");
-  res.signatures = {
-    attestorAddress: getAttestorAddress(
-      client.metadata.signatureType
-    ),
-    claimSignature: res.claim ? await signAsAttestor(
-      createSignDataForClaim(res.claim),
-      client.metadata.signatureType
-    ) : new Uint8Array(),
-    resultSignature: await signAsAttestor(
-      ClaimTeeBundleResponse.encode(res).finish(),
-      client.metadata.signatureType
-    )
-  };
-  logger.info("TEE bundle claim processing completed");
-  return res;
-};
-function createPlaintextTranscriptFromTeeData(transcriptData, logger) {
-  const transcript = [];
-  if (transcriptData.revealedRequest && transcriptData.revealedRequest.length > 0) {
-    transcript.push({
-      sender: "client",
-      message: transcriptData.revealedRequest
-    });
-    logger.debug("Added TEE revealed request to plaintext transcript", {
-      length: transcriptData.revealedRequest.length
-    });
-  }
-  if (transcriptData.reconstructedResponse && transcriptData.reconstructedResponse.length > 0) {
-    transcript.push({
-      sender: "server",
-      message: transcriptData.reconstructedResponse
-    });
-    logger.debug("Added TEE consolidated response to plaintext transcript", {
-      length: transcriptData.reconstructedResponse.length
-    });
-  }
-  if (transcriptData.certificateInfo) {
-    logger.info("Certificate information available for validation", {
-      commonName: transcriptData.certificateInfo.commonName,
-      issuerCommonName: transcriptData.certificateInfo.issuerCommonName,
-      dnsNames: transcriptData.certificateInfo.dnsNames,
-      notBefore: new Date(transcriptData.certificateInfo.notBeforeUnix * 1e3).toISOString(),
-      notAfter: new Date(transcriptData.certificateInfo.notAfterUnix * 1e3).toISOString()
-    });
-  }
-  logger.info("Created plaintext transcript from TEE data", {
-    totalMessages: transcript.length,
-    hasRequest: !!transcriptData.revealedRequest?.length,
-    hasResponse: !!transcriptData.reconstructedResponse?.length,
-    hasCertificateInfo: !!transcriptData.certificateInfo
-  });
-  return transcript;
-}
-async function validateTeeProviderReceipt(plaintextTranscript, claimInfo, logger, providerCtx, certificateInfo) {
-  logger.info("Starting direct TEE provider validation", {
-    provider: claimInfo.provider,
-    transcriptMessages: plaintextTranscript.length,
-    hasCertificateInfo: !!certificateInfo
-  });
-  if (certificateInfo) {
-    validateTlsCertificate(claimInfo, certificateInfo, logger);
-  }
-  const validatedClaim = await assertValidProviderTranscript(
-    plaintextTranscript,
-    claimInfo,
-    logger,
-    providerCtx
-  );
-  logger.info("TEE provider validation completed successfully", {
-    provider: validatedClaim.provider,
-    owner: validatedClaim.owner || "unknown"
-  });
-  return validatedClaim;
-}
-function isHostnameValidForCertificate(hostname, certName) {
-  if (hostname === certName) {
-    return true;
-  }
-  if (certName.startsWith("*.")) {
-    const wildcardDomain = certName.slice(2);
-    if (hostname.endsWith(wildcardDomain)) {
-      const subdomainPart = hostname.slice(0, -wildcardDomain.length);
-      if (subdomainPart.endsWith(".")) {
-        const subdomain = subdomainPart.slice(0, -1);
-        return !subdomain.includes(".");
-      }
-    }
-  }
-  return false;
-}
-function validateTlsCertificate(claimInfo, certificateInfo, logger) {
-  let claimedHostname;
-  const paramsWithTemplates = niceParseJsonObject(claimInfo.parameters, "params");
-  const params = substituteParamValues(paramsWithTemplates, void 0, true).newParams;
-  if ("url" in params && typeof params.url === "string") {
-    claimedHostname = new URL(params.url).hostname;
-  }
-  if (!claimedHostname) {
-    logger.warn("Could not extract hostname from claim for certificate validation", {
-      provider: claimInfo.provider
-    });
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "Certificate validation failed: hostname not found"
-    );
-  }
-  logger.info("Validating TLS certificate for claimed hostname", {
-    claimedHostname,
-    certificateCommonName: certificateInfo.commonName,
-    certificateDnsNames: certificateInfo.dnsNames
-  });
-  const isValidForHostname = isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) || certificateInfo.dnsNames.some((name) => isHostnameValidForCertificate(claimedHostname, name));
-  if (!isValidForHostname) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `Certificate validation failed: hostname '${claimedHostname}' not valid for certificate (CN: ${certificateInfo.commonName}, SANs: ${certificateInfo.dnsNames.join(", ")})`
-    );
-  }
-  const now = Date.now() / 1e3;
-  if (now < certificateInfo.notBeforeUnix || now > certificateInfo.notAfterUnix) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `Certificate validation failed: certificate not valid at current time (valid from ${new Date(certificateInfo.notBeforeUnix * 1e3).toISOString()} to ${new Date(certificateInfo.notAfterUnix * 1e3).toISOString()})`
-    );
-  }
-  logger.info("TLS certificate validation passed", {
-    claimedHostname,
-    validatedAgainst: isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) ? `CommonName: ${certificateInfo.commonName}` : `SAN: ${certificateInfo.dnsNames.find((name) => isHostnameValidForCertificate(claimedHostname, name))}`
-  });
-}
-function validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger) {
-  const allOprfResults = [...zkOprfResults, ...oprfMpcResults];
-  if (allOprfResults.length === 0) {
-    return allOprfResults;
-  }
-  logger.info(`Combined ${zkOprfResults.length} ZK OPRF + ${oprfMpcResults.length} OPRF MPC results`);
-  const seen = {};
-  for (const result of zkOprfResults) {
-    seen[result.position] = { length: result.length, source: "zk" };
-  }
-  for (const result of oprfMpcResults) {
-    const existing = seen[result.position];
-    if (existing) {
-      if (existing.length !== result.length) {
-        throw new AttestorError(
-          "ERROR_INVALID_CLAIM",
-          `OPRF range conflict at position ${result.position}: ZK length ${existing.length} vs MPC length ${result.length}`
-        );
-      }
-      logger.warn(`Duplicate OPRF range at position ${result.position} from both ZK and MPC - using MPC result`);
-    }
-    for (const [pos, data] of Object.entries(seen)) {
-      const position = Number(pos);
-      const existingEnd = position + data.length;
-      const newEnd = result.position + result.length;
-      const overlaps = result.position < existingEnd && newEnd > position && result.position !== position;
-      if (overlaps) {
-        throw new AttestorError(
-          "ERROR_INVALID_CLAIM",
-          `Overlapping OPRF ranges: [${position}:${existingEnd}] (${data.source}) and [${result.position}:${newEnd}] (mpc)`
-        );
-      }
-    }
-    seen[result.position] = { length: result.length, source: "mpc" };
-  }
-  return allOprfResults;
-}
-export {
-  claimTeeBundle
-};