@reclaimprotocol/attestor-core 5.0.1-beta.21 → 5.0.1-beta.23

package/lib/avs/contracts/factories/index.js

@@ -0,0 +1,4 @@
+/* Autogenerated file. Do not edit manually. */
+/* tslint:disable */
+/* eslint-disable */
+export { ReclaimServiceManager__factory } from "./ReclaimServiceManager__factory.js";

package/lib/avs/contracts/index.js

@@ -0,0 +1,2 @@
+export * as factories from "./factories/index.js";
+export { ReclaimServiceManager__factory } from "./factories/ReclaimServiceManager__factory.js";

package/lib/avs/utils/contracts.js

@@ -0,0 +1,33 @@
+import { Contract, JsonRpcProvider, Wallet } from 'ethers';
+import { avsDirectoryABI } from "../abis/avsDirectoryABI.js";
+import { delegationABI } from "../abis/delegationABI.js";
+import { registryABI } from "../abis/registryABI.js";
+import { CHAIN_CONFIGS, PRIVATE_KEY, SELECTED_CHAIN_ID } from "../config.js";
+import { ReclaimServiceManager__factory } from "../contracts/index.js";
+const configs = {};
+/**
+ * get the contracts for the given chain ID
+ */
+export function getContracts(chainId = SELECTED_CHAIN_ID) {
+    const config = CHAIN_CONFIGS[chainId];
+    if (!config) {
+        throw new Error(`No config found for chain ID: ${chainId}`);
+    }
+    configs[chainId] ||= initialiseContracts(config);
+    return configs[chainId];
+}
+export function initialiseContracts({ rpcUrl, stakeRegistryAddress, avsDirectoryAddress, contractAddress, delegationManagerAddress, }, privateKey = PRIVATE_KEY) {
+    const provider = new JsonRpcProvider(rpcUrl);
+    const wallet = privateKey
+        ? new Wallet(privateKey, provider)
+        : undefined;
+    return {
+        provider,
+        wallet,
+        delegationManager: new Contract(delegationManagerAddress, delegationABI, wallet || provider),
+        // eslint-disable-next-line camelcase
+        contract: ReclaimServiceManager__factory.connect(contractAddress, wallet || provider),
+        registryContract: new Contract(stakeRegistryAddress, registryABI, wallet || provider),
+        avsDirectory: new Contract(avsDirectoryAddress, avsDirectoryABI, wallet || provider),
+    };
+}

package/lib/avs/utils/register.js

@@ -0,0 +1,79 @@
+import { hexlify, randomBytes, SigningKey } from 'ethers';
+import { RECLAIM_PUBLIC_URL, SELECTED_CHAIN_ID } from "../config.js";
+import { getContracts } from "./contracts.js";
+import { logger as LOGGER } from "../../utils/index.js";
+/**
+ * Registers the operator on the chain, if required.
+ * If already registered -- will just pass through
+ */
+export async function registerOperator({ logger = LOGGER, chainId = SELECTED_CHAIN_ID, wallet = getContracts(chainId).wallet, reclaimRpcUrl = RECLAIM_PUBLIC_URL } = {}) {
+    const contracts = getContracts(chainId);
+    const delegationManager = contracts.delegationManager
+        .connect(wallet);
+    const avsDirectory = contracts.avsDirectory
+        .connect(wallet);
+    const contract = contracts.contract
+        .connect(wallet);
+    const registryContract = contracts.registryContract
+        .connect(wallet);
+    const addr = wallet.address;
+    try {
+        const tx1 = await delegationManager
+            .registerAsOperator({
+            earningsReceiver: addr,
+            delegationApprover: '0x0000000000000000000000000000000000000000',
+            stakerOptOutWindowBlocks: 0
+        }, '');
+        await tx1.wait();
+        logger.info('operator registered on DM successfully');
+    }
+    catch (err) {
+        if (!err.message.includes('operator has already registered')) {
+            throw err;
+        }
+        logger.info('Operator already registered on EL');
+    }
+    const salt = hexlify(randomBytes(32));
+    // Example expiry, 1 hour from now
+    const expiry = Math.floor(Date.now() / 1000) + 3600;
+    // Define the output structure
+    const operatorSignature = {
+        expiry: expiry,
+        salt: salt,
+        signature: ''
+    };
+    // Calculate the digest hash using the avsDirectory's method
+    const contractAddress = await contract.getAddress();
+    const digestHash = await avsDirectory
+        .calculateOperatorAVSRegistrationDigestHash(addr, contractAddress, salt, expiry);
+    // Sign the digest hash with the operator's private key
+    const signingKey = new SigningKey(wallet.privateKey);
+    const signature = signingKey.sign(digestHash);
+    // Encode the signature in the required format
+    operatorSignature.signature = signature.serialized;
+    logger.info('operator signature generated successfully');
+    if (!(await registryContract.operatorRegistered(addr))) {
+        const tx2 = await registryContract
+            .registerOperatorWithSignature(addr, operatorSignature);
+        await tx2.wait();
+        logger.info('operator registered on AVS successfully');
+    }
+    else {
+        logger.info('Operator already registered on AVS');
+    }
+    const existingMetadata = await contract.getMetadataForOperator(addr)
+        .catch(err => {
+        if (err.message.includes('Operator not found')) {
+            return undefined;
+        }
+        throw err;
+    });
+    const metadata = { addr, url: reclaimRpcUrl };
+    if (existingMetadata?.addr === metadata.addr
+        && existingMetadata?.url === metadata.url) {
+        logger.info('operator metadata already up to date');
+        return;
+    }
+    await contract.updateOperatorMetadata(metadata);
+    logger.info({ metadata }, 'operator metadata updated successfully');
+}

package/lib/avs/utils/tasks.js

@@ -0,0 +1,41 @@
+import { EventLog, getBytes } from 'ethers';
+import { getContracts } from "./contracts.js";
+export async function createNewClaimRequestOnChain({ request, payer, chainId, ...rest }) {
+    const contracts = getContracts(chainId);
+    const contract = contracts.contract.connect(payer);
+    const ownerAddress = typeof rest.owner === 'string'
+        ? rest.owner
+        : rest.owner.address;
+    const fullRequest = {
+        ...request,
+        owner: ownerAddress
+    };
+    const signature = await getSignature();
+    const task = await contract.createNewTask(fullRequest, signature || '0x00');
+    const rslt = await task.wait();
+    const logs = rslt?.logs ?? [];
+    const eventLogs = logs.filter((log) => log instanceof EventLog);
+    // check task created event was emitted
+    const ev = eventLogs[0];
+    const arg = ev?.args;
+    return { task: arg, tx: rslt };
+    function getSignature() {
+        if (ownerAddress.toLowerCase() === payer.address.toLowerCase()) {
+            return;
+        }
+        if ('requestSignature' in rest) {
+            return rest.requestSignature;
+        }
+        if (typeof rest.owner !== 'object') {
+            throw new Error('Owner wallet must be provided or'
+                + ' requestSignature must be provided');
+        }
+        return signClaimRequest(fullRequest, rest.owner, chainId);
+    }
+}
+export async function signClaimRequest(request, owner, chainId) {
+    const contract = getContracts(chainId).contract;
+    const encoded = await contract.encodeClaimRequest(request);
+    const strSig = await owner.signMessage(getBytes(encoded));
+    return getBytes(strSig);
+}

package/lib/client/create-claim.js

@@ -0,0 +1,432 @@
+import { asciiToUint8Array } from '@reclaimprotocol/tls';
+import { makeRpcTlsTunnel } from "./tunnels/make-rpc-tls-tunnel.js";
+import { getAttestorClientFromPool } from "./utils/attestor-pool.js";
+import { DEFAULT_HTTPS_PORT, PROVIDER_CTX, TOPRF_DOMAIN_SEPARATOR } from "../config/index.js";
+import { ClaimTunnelRequest } from "../proto/api.js";
+import { providers } from "../providers/index.js";
+import { AttestorError, binaryHashToStr, canonicalStringify, generateTunnelId, getBlocksToReveal, getEngineProto, getProviderValue, isApplicationData, logger as LOGGER, makeDefaultOPRFOperator, makeHttpResponseParser, preparePacketsForReveal, redactSlices, uint8ArrayToStr, unixTimestampSeconds } from "../utils/index.js";
+import { executeWithRetries } from "../utils/retries.js";
+import { SIGNATURES } from "../utils/signatures/index.js";
+import { getDefaultTlsOptions } from "../utils/tls.js";
+/**
+ * Create a claim on the attestor
+ */
+export function createClaimOnAttestor({ logger: _logger, maxRetries = 3, ...opts }) {
+    const logger = _logger
+        // if the client has already been initialised
+        // and no logger is provided, use the client's logger
+        // otherwise default to the global logger
+        || ('logger' in opts.client ? opts.client.logger : LOGGER);
+    return executeWithRetries(attempt => (_createClaimOnAttestor({
+        ...opts,
+        logger: attempt ? logger.child({ attempt }) : logger
+    })), { maxRetries, logger, shouldRetry });
+}
+function shouldRetry(err) {
+    if (err instanceof TypeError) {
+        return false;
+    }
+    // possibly a network error, or the server
+    // closed the connection before we received the full data
+    if (err?.message?.includes('stream ended before')) {
+        return true;
+    }
+    return err instanceof AttestorError
+        && err.code !== 'ERROR_INVALID_CLAIM'
+        && err.code !== 'ERROR_BAD_REQUEST'
+        && err.code !== 'ERROR_AUTHENTICATION_FAILED'
+        && err.code !== 'ERROR_TOPRF_OUT_OF_BOUNDS';
+}
+async function _createClaimOnAttestor({ name, params, secretParams, context, onStep, ownerPrivateKey, client: clientInit, logger = LOGGER, timestampS, updateProviderParams, updateParametersFromOprfData = true, ...zkOpts }) {
+    const provider = providers[name];
+    const hostPort = getProviderValue(params, provider.hostPort, secretParams);
+    const geoLocation = getProviderValue(params, provider.geoLocation, secretParams);
+    const proxySessionId = getProviderValue(params, provider.proxySessionId, secretParams);
+    const providerTlsOpts = getProviderValue(params, provider.additionalClientOptions);
+    const tlsOpts = {
+        ...getDefaultTlsOptions(),
+        fetchCertificateBytes: fetchCertificateBytesFromAttestor,
+        ...providerTlsOpts
+    };
+    const { zkEngine = 'snarkjs' } = zkOpts;
+    let redactionMode = getProviderValue(params, provider.writeRedactionMode);
+    const [host, port] = hostPort.split(':');
+    const resParser = makeHttpResponseParser();
+    let client;
+    let lastMsgRevealed = false;
+    const revealMap = new Map();
+    onStep?.({ name: 'connecting' });
+    let endedHttpRequest;
+    const createTunnelReq = {
+        host,
+        port: port ? +port : DEFAULT_HTTPS_PORT,
+        geoLocation,
+        proxySessionId,
+        id: generateTunnelId()
+    };
+    logger = logger.child({ tunnelId: createTunnelReq.id });
+    const authRequest = 'authRequest' in clientInit
+        ? (typeof clientInit.authRequest === 'function'
+            ? await clientInit.authRequest()
+            : clientInit.authRequest)
+        : undefined;
+    const tunnel = await makeRpcTlsTunnel({
+        tlsOpts,
+        connect: (connectMsgs) => {
+            let created = false;
+            if ('metadata' in clientInit) {
+                client = clientInit;
+            }
+            else {
+                client = getAttestorClientFromPool(clientInit.url, () => {
+                    created = true;
+                    return {
+                        authRequest: authRequest,
+                        initMessages: connectMsgs,
+                        logger
+                    };
+                });
+            }
+            if (!created) {
+                client
+                    .waitForInit()
+                    .then(() => client.sendMessage(...connectMsgs))
+                    .catch(err => {
+                    logger.error({ err }, 'error in sending init msgs');
+                });
+            }
+            return client;
+        },
+        logger,
+        request: createTunnelReq,
+        onMessage(data) {
+            logger.debug({ bytes: data.length }, 'recv data from server');
+            resParser.onChunk(data);
+            if (resParser.res.complete) {
+                logger?.debug('got complete HTTP response from server');
+                // wait a little bit to make sure the client has
+                // finished writing the response
+                setTimeout(() => {
+                    endedHttpRequest?.();
+                }, 100);
+            }
+        },
+        onClose(err) {
+            const level = err ? 'error' : 'debug';
+            logger?.[level]({ err }, 'tls session ended');
+            endedHttpRequest?.(err);
+            try {
+                resParser.streamEnded();
+            }
+            catch { }
+        },
+    });
+    const { version: tlsVersion, cipherSuite } = tunnel.tls.getMetadata();
+    if (tlsVersion === 'TLS1_2' && redactionMode !== 'zk') {
+        redactionMode = 'zk';
+        logger.info('TLS1.2 detected, defaulting to zk redaction mode');
+    }
+    const { redactions, data: requestStr } = provider.createRequest(
+    // @ts-ignore
+    secretParams, params, logger);
+    const requestData = typeof requestStr === 'string'
+        ? asciiToUint8Array(requestStr)
+        : requestStr;
+    logger.debug({ redactions: redactions.length }, 'generated request');
+    const waitForAllData = new Promise((resolve, reject) => {
+        endedHttpRequest = err => (err ? reject(err) : resolve());
+    });
+    onStep?.({ name: 'sending-request-data' });
+    try {
+        if (redactionMode === 'zk') {
+            await writeRedactedZk();
+        }
+        else {
+            await writeRedactedWithKeyUpdate();
+        }
+        logger.info('wrote request to server');
+    }
+    catch (err) {
+        // wait for complete stream end when the session is closed
+        // mid-write, as this means the server could not process
+        // our request due to some error. Hope the stream end
+        // error will be more descriptive
+        logger.error({ err }, 'session errored during write, waiting for stream end');
+    }
+    onStep?.({ name: 'waiting-for-response' });
+    await waitForAllData;
+    await tunnel.close();
+    logger.info('session closed, processing response');
+    // update the response selections
+    if (updateProviderParams) {
+        const { params: updatedParms, secretParams: updatedSecretParms } = await updateProviderParams(tunnel.transcript, tlsVersion ?? 'TLS1_2');
+        params = { ...params, ...updatedParms };
+        secretParams = { ...secretParams, ...updatedSecretParms };
+    }
+    const signatureAlg = SIGNATURES[client.metadata.signatureType];
+    let serverIV;
+    let clientIV;
+    const [serverBlock] = getLastBlocks('server', 1);
+    if (serverBlock?.message.type === 'ciphertext') {
+        serverIV = serverBlock.message.fixedIv;
+    }
+    const [clientBlock] = getLastBlocks('client', 1);
+    if (clientBlock?.message.type === 'ciphertext') {
+        clientIV = clientBlock.message.fixedIv;
+    }
+    const transcript = await generateTranscript();
+    // now that we have the full transcript, we need
+    // to generate the ZK proofs & send them to the attestor
+    // to verify & sign our claim
+    const claimTunnelReq = ClaimTunnelRequest.create({
+        request: createTunnelReq,
+        data: {
+            provider: name,
+            parameters: canonicalStringify(params),
+            context: canonicalStringify(context),
+            timestampS: timestampS ?? unixTimestampSeconds(),
+            owner: getAddress(),
+        },
+        transcript: transcript,
+        zkEngine: getEngineProto(zkEngine),
+        fixedServerIV: serverIV,
+        fixedClientIV: clientIV,
+    });
+    onStep?.({ name: 'waiting-for-verification' });
+    const claimTunnelBytes = ClaimTunnelRequest
+        .encode(claimTunnelReq).finish();
+    const requestSignature = await signatureAlg
+        .sign(claimTunnelBytes, ownerPrivateKey);
+    claimTunnelReq.signatures = { requestSignature };
+    const result = await client.rpc('claimTunnel', claimTunnelReq);
+    logger.info({ success: !!result.claim }, 'recv claim response');
+    return result;
+    async function fetchCertificateBytesFromAttestor(url) {
+        if (!client) {
+            throw new Error('attestor client not initialized');
+        }
+        const result = await client.rpc('fetchCertificateBytes', { url });
+        return result.bytes;
+    }
+    async function writeRedactedWithKeyUpdate() {
+        let currentIndex = 0;
+        for (const section of redactions) {
+            const block = requestData
+                .slice(currentIndex, section.fromIndex);
+            if (block.length) {
+                await writeWithReveal(block, true);
+            }
+            const redacted = requestData
+                .slice(section.fromIndex, section.toIndex);
+            await writeWithReveal(redacted, false);
+            currentIndex = section.toIndex;
+        }
+        // write if redactions were there
+        const lastBlockStart = redactions?.[redactions.length - 1]
+            ?.toIndex || 0;
+        const block = requestData.slice(lastBlockStart);
+        if (block.length) {
+            await writeWithReveal(block, true);
+        }
+    }
+    async function writeRedactedZk() {
+        let blocksWritten = tunnel.transcript.length;
+        await tunnel.tls.write(requestData);
+        blocksWritten = tunnel.transcript.length - blocksWritten;
+        setRevealOfLastSentBlocks({
+            type: 'zk',
+            redactedPlaintext: redactSlices(requestData, redactions)
+        }, blocksWritten);
+    }
+    /**
+     * Write data to the tunnel, with the option to mark the packet
+     * as revealable to the attestor or not
+     */
+    async function writeWithReveal(data, reveal) {
+        // if the reveal state has changed, update the traffic keys
+        // to not accidentally reveal a packet not meant to be revealed
+        // and vice versa
+        if (reveal !== lastMsgRevealed) {
+            await tunnel.tls.updateTrafficKeys();
+        }
+        let blocksWritten = tunnel.transcript.length;
+        await tunnel.write(data);
+        blocksWritten = tunnel.transcript.length - blocksWritten;
+        // now we mark the packet to be revealed to the attestor
+        setRevealOfLastSentBlocks(reveal ? { type: 'complete' } : undefined, blocksWritten);
+        lastMsgRevealed = reveal;
+    }
+    function setRevealOfLastSentBlocks(reveal, nBlocks = 1) {
+        const lastBlocks = getLastBlocks('client', nBlocks);
+        if (!lastBlocks.length) {
+            return;
+        }
+        for (const block of lastBlocks) {
+            setRevealOfMessage(block.message, reveal);
+        }
+    }
+    function getLastBlocks(sender, nBlocks) {
+        // set the correct index for the server blocks
+        const lastBlocks = [];
+        for (let i = tunnel.transcript.length - 1; i >= 0; i--) {
+            const block = tunnel.transcript[i];
+            if (block.sender === sender) {
+                lastBlocks.push(block);
+                if (lastBlocks.length === nBlocks) {
+                    break;
+                }
+            }
+        }
+        return lastBlocks;
+    }
+    /**
+     * Generate transcript with reveal data for the attestor to verify
+     */
+    async function generateTranscript() {
+        await addServerSideReveals();
+        const startMs = Date.now();
+        const revealedMessages = await preparePacketsForReveal(tunnel.transcript, revealMap, {
+            logger,
+            cipherSuite: cipherSuite,
+            onZkProgress(done, total) {
+                const timeSinceStartMs = Date.now() - startMs;
+                const timePerBlockMs = timeSinceStartMs / done;
+                const timeLeftMs = timePerBlockMs * (total - done);
+                onStep?.({
+                    name: 'generating-zk-proofs',
+                    proofsDone: done,
+                    proofsTotal: total,
+                    approxTimeLeftS: Math.round(timeLeftMs / 1000),
+                });
+            },
+            ...zkOpts,
+        });
+        return revealedMessages;
+    }
+    /**
+     * Add reveals for server side blocks, using
+     * the provider's redaction function if available.
+     * Otherwise, opts to reveal all server side blocks.
+     */
+    async function addServerSideReveals() {
+        const allPackets = tunnel.transcript;
+        let serverPacketsToReveal = 'all';
+        const packets = [];
+        const serverBlocks = [];
+        for (const b of allPackets) {
+            if (b.message.type !== 'ciphertext'
+                || !isApplicationData(b.message, tlsVersion)) {
+                continue;
+            }
+            const plaintext = tlsVersion === 'TLS1_3'
+                ? b.message.plaintext.slice(0, -1)
+                : b.message.plaintext;
+            packets.push({
+                message: plaintext,
+                sender: b.sender
+            });
+            if (b.sender === 'server') {
+                serverBlocks.push({
+                    plaintext: plaintext,
+                    message: b.message
+                });
+            }
+        }
+        if (provider.getResponseRedactions) {
+            serverPacketsToReveal = await getBlocksToReveal(serverBlocks, total => provider.getResponseRedactions({
+                response: total,
+                params,
+                logger,
+                ctx: PROVIDER_CTX
+            }), performOprf);
+        }
+        const revealedPackets = packets
+            .filter(p => p.sender === 'client');
+        if (serverPacketsToReveal === 'all') {
+            // reveal all server side blocks
+            for (const { message, sender } of allPackets) {
+                if (sender === 'server') {
+                    setRevealOfMessage(message, { type: 'complete' });
+                }
+            }
+            revealedPackets.push(...packets.filter(p => p.sender === 'server'));
+        }
+        else {
+            for (const { block, redactedPlaintext, overshotToprfFromPrevBlock, toprfs, oprfRawMarkers } of serverPacketsToReveal) {
+                setRevealOfMessage(block.message, {
+                    type: 'zk',
+                    redactedPlaintext,
+                    toprfs,
+                    oprfRawMarkers,
+                    overshotToprfFromPrevBlock
+                });
+                revealedPackets.push({ sender: 'server', message: redactedPlaintext });
+                if (updateParametersFromOprfData && toprfs) {
+                    let strParams = canonicalStringify(params);
+                    for (const toprf of toprfs) {
+                        const ogText = uint8ArrayToStr(toprf.plaintext);
+                        const hashedText = binaryHashToStr(toprf.nullifier, toprf.dataLocation.length);
+                        strParams = strParams.replaceAll(ogText, hashedText);
+                    }
+                    params = JSON.parse(strParams);
+                }
+            }
+        }
+        await provider.assertValidProviderReceipt({
+            receipt: revealedPackets,
+            params: {
+                ...params,
+                // provide secret params for proper
+                // request body validation
+                secretParams,
+            },
+            logger,
+            ctx: PROVIDER_CTX
+        });
+        // reveal all handshake blocks
+        // so the attestor can verify there was no
+        // hanky-panky
+        for (const p of allPackets) {
+            if (p.message.type !== 'ciphertext') {
+                continue;
+            }
+            // break the moment we hit the first
+            // application data packet
+            if (isApplicationData(p.message, tlsVersion)) {
+                break;
+            }
+            setRevealOfMessage(p.message, { type: 'complete' });
+        }
+    }
+    async function performOprf(plaintext) {
+        logger.info({ length: plaintext.length }, 'generating OPRF...');
+        const oprfOperator = zkOpts.oprfOperators?.['chacha20']
+            || makeDefaultOPRFOperator('chacha20', zkEngine, logger);
+        const reqData = await oprfOperator.generateOPRFRequestData(plaintext, TOPRF_DOMAIN_SEPARATOR, logger);
+        const res = await client.rpc('toprf', {
+            maskedData: reqData.maskedData,
+            engine: getEngineProto(zkEngine)
+        });
+        const nullifier = await oprfOperator.finaliseOPRF(client.initResponse.toprfPublicKey, reqData, [res]);
+        const data = {
+            nullifier,
+            responses: [res],
+            mask: reqData.mask,
+            dataLocation: undefined,
+            plaintext
+        };
+        return data;
+    }
+    function setRevealOfMessage(message, reveal) {
+        if (reveal) {
+            revealMap.set(message, reveal);
+            return;
+        }
+        revealMap.delete(message);
+    }
+    function getAddress() {
+        const { getAddress, getPublicKey } = signatureAlg;
+        const pubKey = getPublicKey(ownerPrivateKey);
+        return getAddress(pubKey);
+    }
+}

package/lib/client/index.js

@@ -0,0 +1,3 @@
+export * from "./create-claim.js";
+export * from "./utils/attestor-pool.js";
+export * from "./utils/client-socket.js";

package/lib/client/tunnels/make-rpc-tcp-tunnel.js

@@ -0,0 +1,51 @@
+import { AttestorError } from "../../utils/index.js";
+/**
+ * Makes a tunnel communication wrapper for a TCP tunnel.
+ *
+ * It listens for messages and disconnect events from the server,
+ * and appropriately calls the `onMessage` and `onClose` callbacks.
+ */
+export const makeRpcTcpTunnel = ({ tunnelId, client, onClose, onMessage, }) => {
+    let closed = false;
+    client.addEventListener('tunnel-message', onMessageListener);
+    client.addEventListener('tunnel-disconnect-event', onDisconnectListener);
+    client.addEventListener('connection-terminated', onConnectionTerminatedListener);
+    return {
+        async write(message) {
+            await client.sendMessage({ tunnelMessage: { tunnelId, message } });
+        },
+        async close(err) {
+            if (closed) {
+                return;
+            }
+            onErrorRecv(err);
+            await client.rpc('disconnectTunnel', { id: tunnelId });
+        }
+    };
+    function onMessageListener({ data }) {
+        if (data.tunnelId !== tunnelId) {
+            return;
+        }
+        onMessage?.(data.message);
+    }
+    function onDisconnectListener({ data }) {
+        if (data.tunnelId !== tunnelId) {
+            return;
+        }
+        onErrorRecv(data.error?.code
+            ? AttestorError.fromProto(data.error)
+            : undefined);
+    }
+    function onConnectionTerminatedListener({ data }) {
+        onErrorRecv(data);
+    }
+    function onErrorRecv(err) {
+        client.logger?.debug({ tunnelId, err }, 'TCP tunnel closed');
+        client.removeEventListener('tunnel-message', onMessageListener);
+        client.removeEventListener('tunnel-disconnect-event', onDisconnectListener);
+        client.removeEventListener('connection-terminated', onConnectionTerminatedListener);
+        onClose?.(err);
+        onClose = undefined;
+        closed = true;
+    }
+};