@reclaimprotocol/attestor-core 5.0.5 → 5.0.6

package/lib/server/utils/tee-oprf-mpc-verification.d.ts

@@ -6,9 +6,9 @@
  * are already trusted because they are included in TEE-signed payloads.
  * This module verifies that both TEEs computed identical outputs.
  */
-import type { KOutputPayload, TOutputPayload } from '#src/proto/tee-bundle.ts';
-import type { OprfVerificationResult } from '#src/server/utils/tee-oprf-verification.ts';
-import type { Logger } from '#src/types/general.ts';
+import type { KOutputPayload, TOutputPayload } from '../../proto/tee-bundle.ts';
+import type { OprfVerificationResult } from '../../server/utils/tee-oprf-verification.ts';
+import type { Logger } from '../../types/general.ts';
 /**
  * Verifies OPRF MPC outputs from TEE_K and TEE_T match
  * Returns verified outputs for transcript replacement (same format as ZK OPRF)

package/lib/server/utils/tee-oprf-verification.d.ts

@@ -2,9 +2,9 @@
  * TEE OPRF Verification and Replacement
  * Verifies OPRF proofs and replaces ranges in reconstructed plaintext
  */
-import type { OPRFVerificationData } from '#src/proto/tee-bundle.ts';
-import type { TeeBundleData } from '#src/server/utils/tee-verification.ts';
-import type { Logger } from '#src/types/general.ts';
+import type { OPRFVerificationData } from '../../proto/tee-bundle.ts';
+import type { TeeBundleData } from '../../server/utils/tee-verification.ts';
+import type { Logger } from '../../types/general.ts';
 export interface OprfVerificationResult {
     position: number;
     length: number;

package/lib/server/utils/tee-transcript-reconstruction.d.ts

@@ -1,9 +1,9 @@
 /**
  * TLS Transcript Reconstruction from TEE data
  */
-import type { CertificateInfo } from '#src/proto/tee-bundle.ts';
-import type { TeeBundleData } from '#src/server/utils/tee-verification.ts';
-import type { Logger } from '#src/types/general.ts';
+import type { CertificateInfo } from '../../proto/tee-bundle.ts';
+import type { TeeBundleData } from '../../server/utils/tee-verification.ts';
+import type { Logger } from '../../types/general.ts';
 export interface TeeTranscriptData {
     revealedRequest: Uint8Array;
     reconstructedResponse: Uint8Array;

package/lib/server/utils/tee-verification.d.ts

@@ -2,9 +2,9 @@
  * TEE Bundle verification utilities
  * Handles validation of TEE verification bundles including attestations and signatures
  */
-import type { SignedMessage } from '#src/proto/tee-bundle.ts';
-import { KOutputPayload, TOutputPayload } from '#src/proto/tee-bundle.ts';
-import type { Logger } from '#src/types/general.ts';
+import type { SignedMessage } from '../../proto/tee-bundle.ts';
+import { KOutputPayload, TOutputPayload } from '../../proto/tee-bundle.ts';
+import type { Logger } from '../../types/general.ts';
 export interface TeeBundleData {
     teekSigned: SignedMessage;
     teetSigned: SignedMessage;

package/lib/server/utils/validation.d.ts

@@ -1,2 +1,2 @@
-import type { ProviderName, ProviderParams } from '#src/types/index.ts';
+import type { ProviderName, ProviderParams } from '../../types/index.ts';
 export declare function assertValidateProviderParams<T extends ProviderName>(name: T, params: unknown): asserts params is ProviderParams<T>;

package/lib/types/claims.d.ts

@@ -1,9 +1,9 @@
-import type { ProviderClaimData } from '#src/proto/api.ts';
-import type { IAttestorClient, IAttestorClientInitParams } from '#src/types/client.ts';
-import type { CompleteTLSPacket, Logger } from '#src/types/general.ts';
-import type { ProofGenerationStep, ProviderName, ProviderParams, ProviderSecretParams } from '#src/types/providers.ts';
-import type { Transcript } from '#src/types/tunnel.ts';
-import type { PrepareZKProofsBaseOpts } from '#src/types/zk.ts';
+import type { ProviderClaimData } from '../proto/api.ts';
+import type { IAttestorClient, IAttestorClientInitParams } from '../types/client.ts';
+import type { CompleteTLSPacket, Logger } from '../types/general.ts';
+import type { ProofGenerationStep, ProviderName, ProviderParams, ProviderSecretParams } from '../types/providers.ts';
+import type { Transcript } from '../types/tunnel.ts';
+import type { PrepareZKProofsBaseOpts } from '../types/zk.ts';
 /**
  * Uniquely identifies a claim.
  * Hash of claim info.

package/lib/types/client.d.ts

@@ -1,10 +1,10 @@
 import type { IncomingMessage } from 'http';
 import type { WebSocket as WSWebSocket } from 'ws';
-import type { AuthenticationRequest, InitRequest, InitResponse, RPCMessage, RPCMessages, ServiceSignatureType, TunnelMessage } from '#src/proto/api.ts';
-import type { BGPListener } from '#src/types/bgp.ts';
-import type { Logger } from '#src/types/general.ts';
-import type { RPCEvent, RPCEventMap, RPCEventType, RPCRequestData, RPCResponseData, RPCType } from '#src/types/rpc.ts';
-import type { TCPSocketProperties, Tunnel } from '#src/types/tunnel.ts';
+import type { AuthenticationRequest, InitRequest, InitResponse, RPCMessage, RPCMessages, ServiceSignatureType, TunnelMessage } from '../proto/api.ts';
+import type { BGPListener } from '../types/bgp.ts';
+import type { Logger } from '../types/general.ts';
+import type { RPCEvent, RPCEventMap, RPCEventType, RPCRequestData, RPCResponseData, RPCType } from '../types/rpc.ts';
+import type { TCPSocketProperties, Tunnel } from '../types/tunnel.ts';
 /**
  * Any WebSocket implementation -- either the native
  * WebSocket or the WebSocket from the `ws` package.

package/lib/types/general.d.ts

@@ -1,5 +1,5 @@
 import type { Logger as TLSLogger, TLSPacketContext, TLSProtocolVersion } from '@reclaimprotocol/tls';
-import type { OPRFRawMarker, TOPRFProofParams } from '#src/types/zk.ts';
+import type { OPRFRawMarker, TOPRFProofParams } from '../types/zk.ts';
 /**
  * Represents a slice of any array or string
  */

package/lib/types/handlers.d.ts

@@ -1,7 +1,7 @@
 import type { Transaction } from 'elastic-apm-node';
-import type { IAttestorServerSocket } from '#src/types/client.ts';
-import type { Logger } from '#src/types/general.ts';
-import type { RPCRequestData, RPCResponseData, RPCType } from '#src/types/rpc.ts';
+import type { IAttestorServerSocket } from '../types/client.ts';
+import type { Logger } from '../types/general.ts';
+import type { RPCRequestData, RPCResponseData, RPCType } from '../types/rpc.ts';
 export type RPCHandlerMetadata = {
     logger: Logger;
     tx?: Transaction;

package/lib/types/providers.d.ts

@@ -1,9 +1,9 @@
 import type { TLSConnectionOptions } from '@reclaimprotocol/tls';
-import type { AttestorVersion, ProviderClaimData } from '#src/proto/api.ts';
-import type { ArraySlice, Logger, RedactedOrHashedArraySlice } from '#src/types/general.ts';
-import type { ProvidersConfig } from '#src/types/providers.gen.ts';
-import type { Awaitable } from '#src/types/signatures.ts';
-import type { Transcript } from '#src/types/tunnel.ts';
+import type { AttestorVersion, ProviderClaimData } from '../proto/api.ts';
+import type { ArraySlice, Logger, RedactedOrHashedArraySlice } from '../types/general.ts';
+import type { ProvidersConfig } from '../types/providers.gen.ts';
+import type { Awaitable } from '../types/signatures.ts';
+import type { Transcript } from '../types/tunnel.ts';
 export type AttestorData = {
     id: string;
     url: string;

package/lib/types/rpc.d.ts

@@ -1,5 +1,5 @@
-import type { RPCMessage, TunnelDisconnectEvent, TunnelMessage } from '#src/proto/api.ts';
-import type { AttestorError } from '#src/utils/error.ts';
+import type { RPCMessage, TunnelDisconnectEvent, TunnelMessage } from '../proto/api.ts';
+import type { AttestorError } from '../utils/error.ts';
 type ExtractPrefix<T, S extends string> = T extends `${infer _}${S}` ? _ : never;
 export type RPCType = ExtractPrefix<keyof RPCMessage, 'Request'>;
 type RPCRequestType<T extends RPCType> = `${T}Request`;

package/lib/types/tunnel.d.ts

@@ -1,4 +1,4 @@
-import type { CreateTunnelRequest } from '#src/proto/api.ts';
+import type { CreateTunnelRequest } from '../proto/api.ts';
 export type MakeTunnelBaseOpts<O> = O & {
     onClose?(err?: Error): void;
     onMessage?(data: Uint8Array): void;

package/lib/types/zk.d.ts

@@ -1,5 +1,5 @@
 import type { EncryptionAlgorithm, OPRFOperator, ZKEngine, ZKOperator } from '@reclaimprotocol/zk-symmetric-crypto';
-import type { TOPRFPayload } from '#src/proto/api.ts';
+import type { TOPRFPayload } from '../proto/api.ts';
 export type ZKOperators = {
     [E in EncryptionAlgorithm]?: ZKOperator;
 };

package/lib/utils/auth.d.ts

@@ -1,5 +1,5 @@
-import type { AuthenticationRequest, ServiceSignatureType } from '#src/proto/api.ts';
-import { AuthenticatedUserData } from '#src/proto/api.ts';
+import type { AuthenticationRequest, ServiceSignatureType } from '../proto/api.ts';
+import { AuthenticatedUserData } from '../proto/api.ts';
 export declare function assertValidAuthRequest(request: AuthenticationRequest | undefined, signatureType: ServiceSignatureType): Promise<void>;
 /**
  * Create an authentication request with the given data and private key,

package/lib/utils/bgp-listener.d.ts

@@ -1,5 +1,5 @@
 import type { Logger } from 'pino';
-import type { BGPListener } from '#src/types/index.ts';
+import type { BGPListener } from '../types/index.ts';
 /**
  * Listens for BGP announcements and emits events whenever
  * an announcement overlaps with a target IP.

package/lib/utils/claims.d.ts

@@ -1,5 +1,5 @@
-import { ClaimTunnelResponse } from '#src/proto/api.ts';
-import type { ClaimID, ClaimInfo, CompleteClaimData, ProviderParams } from '#src/types/index.ts';
+import { ClaimTunnelResponse } from '../proto/api.ts';
+import type { ClaimID, ClaimInfo, CompleteClaimData, ProviderParams } from '../types/index.ts';
 /**
  * Creates the standard string to sign for a claim.
  * This data is what the attestor will sign when it successfully
@@ -16,7 +16,7 @@ export declare function createSignDataForClaim(data: CompleteClaimData): string;
  * The successful run of this function means that the claim
  * is valid, and the attestor that signed the claim is valid.
  */
-export declare function assertValidClaimSignatures({ signatures, ...res }: Partial<ClaimTunnelResponse>, metadata?: import("#src/proto/api.ts").InitRequest): Promise<void>;
+export declare function assertValidClaimSignatures({ signatures, ...res }: Partial<ClaimTunnelResponse>, metadata?: import("../proto/api.ts").InitRequest): Promise<void>;
 /**
  * Generates a unique identifier for given claim info
  * @param info

package/lib/utils/error.d.ts

@@ -1,4 +1,4 @@
-import { ErrorCode, ErrorData } from '#src/proto/api.ts';
+import { ErrorCode, ErrorData } from '../proto/api.ts';
 /**
  * Represents an error that can be thrown by the Attestor Core
  * or server. Provides a code, and optional data

package/lib/utils/generics.d.ts

@@ -1,7 +1,7 @@
 import type { CipherSuite, TLSProtocolVersion } from '@reclaimprotocol/tls';
 import { uint8ArrayToBinaryStr } from '@reclaimprotocol/tls';
-import { RPCMessage, RPCMessages } from '#src/proto/api.ts';
-import type { CompleteTLSPacket, IDecryptedTranscript, IDecryptedTranscriptMessage, ProviderField, RPCEvent, RPCEventMap, RPCEventType, RPCType, Transcript } from '#src/types/index.ts';
+import { RPCMessage, RPCMessages } from '../proto/api.ts';
+import type { CompleteTLSPacket, IDecryptedTranscript, IDecryptedTranscriptMessage, ProviderField, RPCEvent, RPCEventMap, RPCEventType, RPCType, Transcript } from '../types/index.ts';
 export { uint8ArrayToBinaryStr };
 /**
  * Decodes a Uint8Array to a UTF-8 string.

package/lib/utils/http-parser.d.ts

@@ -1,5 +1,5 @@
 import type { IncomingHttpHeaders } from 'http';
-import type { ArraySlice, Transcript } from '#src/types/index.ts';
+import type { ArraySlice, Transcript } from '../types/index.ts';
 export type HttpRequest = {
     method: string;
     url: string;

package/lib/utils/logger.d.ts

@@ -1,4 +1,4 @@
-import type { LogLevel } from '#src/types/index.ts';
+import type { LogLevel } from '../types/index.ts';
 export declare let logger: import("pino").Logger<never, boolean>;
 /**
  * Creates a logger instance with optional redaction of PII.

package/lib/utils/prepare-packets.d.ts

@@ -1,6 +1,6 @@
 import type { CipherSuite, TLSPacketContext } from '@reclaimprotocol/tls';
-import type { ClaimTunnelRequest_TranscriptMessage as TranscriptMessage } from '#src/proto/api.ts';
-import type { CompleteTLSPacket, Logger, MessageRevealInfo, PrepareZKProofsBaseOpts, Transcript } from '#src/types/index.ts';
+import type { ClaimTunnelRequest_TranscriptMessage as TranscriptMessage } from '../proto/api.ts';
+import type { CompleteTLSPacket, Logger, MessageRevealInfo, PrepareZKProofsBaseOpts, Transcript } from '../types/index.ts';
 export type PreparePacketsForRevealOpts = {
     cipherSuite: CipherSuite;
     logger: Logger;

package/lib/utils/redactions.d.ts

@@ -1,4 +1,4 @@
-import type { ArraySlice, OPRFRawMarker, RedactedOrHashedArraySlice, TOPRFProofParams } from '#src/types/index.ts';
+import type { ArraySlice, OPRFRawMarker, RedactedOrHashedArraySlice, TOPRFProofParams } from '../types/index.ts';
 export declare const REDACTION_CHAR = "*";
 export declare const REDACTION_CHAR_CODE: number;
 type SliceWithReveal<T> = {

package/lib/utils/retries.d.ts

@@ -1,4 +1,4 @@
-import type { Logger } from '#src/types/index.ts';
+import type { Logger } from '../types/index.ts';
 type RetryLoopOptions = {
     maxRetries?: number;
     logger: Logger;

package/lib/utils/signatures/eth.d.ts

@@ -1,2 +1,2 @@
-import type { ServiceSignatureProvider } from '#src/types/index.ts';
+import type { ServiceSignatureProvider } from '../../types/index.ts';
 export declare const ETH_SIGNATURE_PROVIDER: ServiceSignatureProvider;

package/lib/utils/signatures/index.d.ts

@@ -1,5 +1,5 @@
-import { ServiceSignatureType } from '#src/proto/api.ts';
-import type { ServiceSignatureProvider } from '#src/types/index.ts';
+import { ServiceSignatureType } from '../../proto/api.ts';
+import type { ServiceSignatureProvider } from '../../types/index.ts';
 export declare const SIGNATURES: { [key in ServiceSignatureType]: ServiceSignatureProvider; };
 export declare const SelectedServiceSignatureType: 1;
 export declare const SelectedServiceSignature: ServiceSignatureProvider;

package/lib/utils/socket-base.d.ts

@@ -1,7 +1,7 @@
 import type { WebSocket as WSWebSocket } from 'ws';
-import type { InitRequest, RPCMessage } from '#src/proto/api.ts';
-import { RPCMessages } from '#src/proto/api.ts';
-import type { IAttestorSocket, Logger, RPCEvent, RPCEventMap } from '#src/types/index.ts';
+import type { InitRequest, RPCMessage } from '../proto/api.ts';
+import { RPCMessages } from '../proto/api.ts';
+import type { IAttestorSocket, Logger, RPCEvent, RPCEventMap } from '../types/index.ts';
 /**
  * Common AttestorSocket class used on the client & server side as the
  * base for their respective socket implementations.

package/lib/utils/zk.d.ts

@@ -1,8 +1,8 @@
 import type { CipherSuite } from '@reclaimprotocol/tls';
 import type { EncryptionAlgorithm, OPRFOperator, PrivateInput, PublicInput, ZKEngine, ZKOperator } from '@reclaimprotocol/zk-symmetric-crypto';
-import type { MessageReveal_MessageRevealZk as ZKReveal, MessageReveal_TOPRFProof as TOPRFProof, MessageReveal_ZKProof as ZKProof } from '#src/proto/api.ts';
-import { ZKProofEngine } from '#src/proto/api.ts';
-import type { CompleteTLSPacket, Logger, OPRFOperators, PrepareZKProofsBaseOpts, TOPRFProofParams, ZKOperators, ZKRevealInfo } from '#src/types/index.ts';
+import type { MessageReveal_MessageRevealZk as ZKReveal, MessageReveal_TOPRFProof as TOPRFProof, MessageReveal_ZKProof as ZKProof } from '../proto/api.ts';
+import { ZKProofEngine } from '../proto/api.ts';
+import type { CompleteTLSPacket, Logger, OPRFOperators, PrepareZKProofsBaseOpts, TOPRFProofParams, ZKOperators, ZKRevealInfo } from '../types/index.ts';
 type PrepareZKProofsOpts = {
     logger?: Logger;
     cipherSuite: CipherSuite;
@@ -62,7 +62,7 @@ export declare function makeZkProofGenerator({ zkOperators, oprfOperators, logge
  */
 export declare function verifyZkPacket({ cipherSuite, ciphertext, zkReveal, zkOperators, oprfOperators, logger, zkEngine, iv, recordNumber, toprfOvershotNullifier, getNextPacket }: ZKVerifyOpts): Promise<{
     redactedPlaintext: Uint8Array<ArrayBuffer>;
-    oprfRawMarkers: import("#src/proto/api.ts").MessageReveal_OPRFRawMarker[];
+    oprfRawMarkers: import("../proto/api.ts").MessageReveal_OPRFRawMarker[];
 }>;
 export declare function makeDefaultZkOperator(algorithm: EncryptionAlgorithm, zkEngine: ZKEngine, logger: Logger): ZKOperator;
 export declare function makeDefaultOPRFOperator(algorithm: EncryptionAlgorithm, zkEngine: ZKEngine, logger: Logger): OPRFOperator;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@reclaimprotocol/attestor-core",
-  "version": "5.0.5",
+  "version": "5.0.6",
   "description": "",
   "type": "module",
   "imports": {
@@ -21,7 +21,7 @@
     }
   },
   "scripts": {
-    "build": "tsc -p tsconfig.build.json && npm run run:tsc -- src/scripts/build-lib.ts",
+    "build": "tsc -p tsconfig.build.json && tsc-alias && npm run run:tsc -- src/scripts/build-lib.ts",
     "build:browser": "sh ./src/scripts/build-browser.sh",
     "run:tsc": "node --experimental-strip-types",
     "start": "npm run run:tsc -- src/scripts/start-server.ts",
@@ -105,7 +105,7 @@
     "parse5": "^8.0.0",
     "parse5-htmlparser2-tree-adapter": "^8.0.0",
     "pino": "^9.14.0",
-    "re2": "^1.23.3",
+    "re2": "^1.24.0",
     "serve-static": "^1.16.3",
     "snarkjs": "^0.7.6",
     "ws": "^8.20.0",
@@ -131,6 +131,7 @@
     "json-schema-to-typescript": "^15.0.4",
     "ts-jest": "^29.4.6",
     "ts-proto": "^2.11.6",
+    "tsc-alias": "^1.8.17",
     "typechain": "^8.3.2",
     "typescript": "^5.9.3",
     "whatwg-url": "^14.2.0",

package/lib/server/tee/acme-http-server.d.ts

@@ -1,13 +0,0 @@
-/**
- * Ephemeral HTTP server that answers ACME HTTP-01 challenges. Started right
- * before an order is placed and stopped as soon as the order is finalized,
- * so the attestor does not keep port 80 bound during normal operation.
- */
-export declare class AcmeChallengeServer {
-    private readonly tokens;
-    private server?;
-    add(token: string, keyAuthorization: string): void;
-    remove(token: string): void;
-    start(port: number): Promise<void>;
-    stop(): Promise<void>;
-}

package/lib/server/tee/attestation-generate.d.ts

@@ -1,29 +0,0 @@
-import type { AttestationReport } from '#src/proto/tee-bundle.ts';
-/**
- * Requests a custom attestation token from the Confidential Space launcher
- * over the unix domain socket. Mirrors reclaim-tee's shared/gcp_attestation.go.
- */
-export declare function generateAttestationJwt(nonces: string[]): Promise<Uint8Array>;
-export interface AttestationContext {
-    attestorAddress: string;
-    tlsCertSha256Hex: () => string | undefined;
-}
-/**
- * Starts the background attestation refresh loop. The first attestation is
- * generated synchronously so getCachedAttestationJwt() is ready by the time
- * the server begins handling claims.
- */
-export declare function startAttestationRefresh(ctx: AttestationContext): Promise<void>;
-export declare function stopAttestationRefresh(): void;
-/**
- * Returns the currently-cached attestation JWT bytes, or undefined if no
- * attestation has been generated yet or the cache has expired without a
- * successful refresh.
- */
-export declare function getCachedAttestationJwt(): Uint8Array | undefined;
-/**
- * Returns an AttestationReport ready to embed in a claim response, or
- * undefined when no attestation is available (i.e. attestor is not running
- * inside a TEE, or the refresh loop has not produced one yet).
- */
-export declare function makeClaimAttestation(): AttestationReport | undefined;

package/lib/server/tee/bootstrap.d.ts

@@ -1,11 +0,0 @@
-/**
- * Brings the attestor up in TEE mode:
- *   1. Pull signing/OPRF secrets from GCP Secret Manager into process.env.
- *   2. Load (or obtain via ACME) the TLS cert and start the renewal loop.
- *   3. Start the attestation refresh loop, with the public key + cert hash
- *      as nonces.
- *
- * Must run before #src/server/index.ts is imported, since modules in that
- * tree read PRIVATE_KEY at module load.
- */
-export declare function bootstrapTee(): Promise<void>;

package/lib/server/tee/cert-manager.d.ts

@@ -1,24 +0,0 @@
-import tls from 'tls';
-export interface CertManagerConfig {
-    projectId: string;
-    domain: string;
-    email: string;
-    directoryUrl: string;
-    httpChallengePort: number;
-}
-export interface ActiveCertificate {
-    certPem: string;
-    keyPem: string;
-    notAfter: Date;
-    sha256Hex: string;
-    secureContext: tls.SecureContext;
-}
-/**
- * Bootstraps the TLS certificate. Tries Secret Manager first; if absent or
- * expiring within the renewal window, runs ACME against the configured
- * directory URL and persists the result.
- */
-export declare function bootstrapCertificate(cfg: CertManagerConfig): Promise<ActiveCertificate>;
-export declare function startRenewalLoop(cfg: CertManagerConfig): void;
-export declare function stopRenewalLoop(): void;
-export declare function getActiveCertificate(): ActiveCertificate | undefined;

package/lib/server/tee/cloud-logging.d.ts

@@ -1,23 +0,0 @@
-import type { LogLevel } from '#src/types/index.ts';
-interface CloudLoggingOptions {
-    projectId: string;
-    logName: string;
-    level?: LogLevel;
-}
-/**
- * Replaces the default pino logger with one that forwards every log line
- * to GCP Cloud Logging under the given log name. Idempotent.
- *
- * Probes the Cloud Logging client first by writing a no-op entry; if
- * authentication or transport fails, leaves the default stdout logger in
- * place rather than crashing the process. On Confidential Space VMs the
- * launcher's `tee-container-log-redirect` ships stdout to Cloud Logging
- * anyway, so the worst case is logs appear under
- * `confidential-space-launcher` rather than the configured `logName`.
- *
- * We also install a process-wide `unhandledRejection` filter that
- * swallows errors originating in `@google-cloud/logging`, since the SDK
- * has internal lazy gRPC init that escapes our local `.catch()`.
- */
-export declare function installCloudLogging(opts: CloudLoggingOptions): void;
-export {};

package/lib/server/tee/secret-loader.d.ts

@@ -1,10 +0,0 @@
-/**
- * Fetches the attestor's signing key and OPRF key material from GCP
- * Secret Manager and writes them into process.env, so that the rest of
- * the server (which reads these via getEnvVariable at module load) sees
- * them as if they had been set in the environment.
- *
- * Must be called before any module that reads PRIVATE_KEY / TOPRF_* is
- * imported, otherwise the reads happen before the values are populated.
- */
-export declare function loadSecretsIntoEnv(projectId: string): Promise<void>;

package/lib/server/tee/secret-manager.d.ts

@@ -1,3 +0,0 @@
-export declare function accessLatestSecret(projectId: string, secretId: string): Promise<Uint8Array>;
-export declare function createSecretIfNotExists(projectId: string, secretId: string): Promise<void>;
-export declare function addSecretVersion(projectId: string, secretId: string, payload: Uint8Array): Promise<void>;

package/lib/utils/gcp-attestation.d.ts

@@ -1,23 +0,0 @@
-/**
- * GCP attestation validation utilities.
- *
- * Validates JWT attestation tokens from GCP Confidential Computing
- * (Confidential Space). Browser-safe: uses `@peculiar/x509` for chain
- * verification and `globalThis.crypto.subtle` for JWT signature
- * verification. Both are available in Node 19+ and modern browsers.
- */
-import type { Logger } from '#src/types/general.ts';
-export interface GcpValidationResult {
-    isValid: boolean;
-    errors: string[];
-    ethAddress?: Uint8Array;
-    userDataType?: string;
-    pcr0?: string;
-    envVars?: Record<string, string>;
-}
-export declare function validateGcpAttestationAndExtractKey(attestation: Uint8Array | string, logger?: Logger): Promise<GcpValidationResult>;
-/**
- * Extracts the container image digest from a previously-validated GCP
- * attestation token. Re-validates the JWT before reading.
- */
-export declare function extractImageDigestFromGCPAttestation(token: Uint8Array | string, logger?: Logger): Promise<string>;