npm - @reclaimprotocol/js-sdk - Versions diffs - 5.0.0-dev.1 → 5.0.0-dev.3 - Mend

@reclaimprotocol/js-sdk 5.0.0-dev.1 → 5.0.0-dev.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,3 +1,11 @@
+interface TeeAttestation {
+    workload_digest: string;
+    verifier_digest: string;
+    nonce: string;
+    snp_report: string;
+    vlek_cert: string;
+    timestamp: string;
+}
 interface Proof {
     identifier: string;
     claimData: ProviderClaimData;
@@ -8,6 +16,7 @@ interface Proof {
         [key: string]: string;
     };
     taskId?: number;
+    teeAttestation?: TeeAttestation;
 }
 declare const RECLAIM_EXTENSION_ACTIONS: {
     CHECK_EXTENSION: string;
@@ -38,6 +47,14 @@ interface Context {
     contextAddress: string;
     contextMessage: string;
     reclaimSessionId: string;
+    extractedParameters?: Record<string, string>;
+    providerHash?: string;
+    attestationNonce?: string;
+    attestationNonceData?: {
+        applicationId: string;
+        sessionId: string;
+        timestamp: string;
+    };
 }
 interface Beacon {
     getState(epoch?: number): Promise<BeaconState>;
@@ -49,7 +66,73 @@ type BeaconState = {
     witnessesRequiredForClaim: number;
     nextEpochTimestampS: number;
 };
+/**
+ * Information of the exact provider and its version used in the verification session.
+ *
+ * See also:
+ *
+ * * `ReclaimProofRequest.getProviderVersion()` - With a ReclaimProofRequest object, you can get the provider id & exact version of provider used in verification session.
+ */
+interface ProviderVersionInfo {
+    /**
+     * The identifier of provider used in verifications that resulted in a proof
+     *
+     * See also:
+     *
+     * * `ReclaimProofRequest.getProviderVersion()` - With a ReclaimProofRequest object, you can get the provider id & exact version of provider used in verification session.
+     */
+    providerId: string;
+    /**
+     * The exact version of provider used in verifications that resulted in a proof.
+     *
+     * This cannot be a version constaint or version expression.
+     *
+     * See also:
+     *
+     * * `ReclaimProofRequest.getProviderVersion()` - With a ReclaimProofRequest object, you can get the provider id & exact version of provider used in verification session.
+     */
+    providerVersion: string;
+    /**
+     * List of allowed pre-release tags.
+     * For example, if you are using AI, provide `['ai']` to allow AI patch versions of the provider.
+     */
+    allowedTags: string[];
+}
+/**
+ * Fetches the provider configuration by the providerId and its version; and constructs the robust hash requirements needed for proof validation.
+ * It resolves both explicitly required HTTP requests and allowed injected requests based on the provider version.
+ *
+ * See also:
+ *
+ * * `ReclaimProofRequest.getProviderHashRequirements()` - An alternative of this function to get the expected hashes for a proof request. The result can be provided in verifyProof function's `config` parameter for proof validation.
+ * * `getProviderHashRequirementsFromSpec()` - An alternative of this function to get the expected hashes from a provider spec. The result can be provided in verifyProof function's `config` parameter for proof validation.
+ *
+ * @param providerId - The unique identifier of the selected provider.
+ * @param exactProviderVersionString - The specific version string of the provider configuration to ensure deterministic validation.
+ * @returns A promise that resolves to `ProviderHashRequirementsConfig` representing the expected hashes for proof validation.
+ */
+declare function fetchProviderHashRequirementsBy(providerId: string, exactProviderVersionString: string | null | undefined, allowedTags: string[] | null | undefined, proofs?: Proof[]): Promise<ProviderHashRequirementsConfig[]>;
+/**
+ * Generates an array of `RequestSpec` objects by replacing template parameters with their corresponding values.
+ *
+ * If the input template includes `templateParams` (e.g., `['param1', 'param2']`), this function will
+ * cartesian-map (or pairwise-map) the provided `templateParameters` record (e.g., `{ param1: ['v1', 'v2'], param2: ['a1', 'a2'] }`)
+ * to generate multiple unique `RequestSpec` configurations.
+ *
+ * The function ensures that:
+ * 1. Parameters strictly specified in `template.templateParams` are found.
+ * 2. All specified template parameters arrays have the exact same length (pairwise mapping).
+ * 3. String replacements are fully applied (all occurrences) to `responseMatches` (value) and `responseRedactions` (jsonPath, xPath, regex).
+ *
+ * @param requestSpecTemplates - The base template `RequestSpec` containing parameter placeholders.
+ * @param templateParameters - A record mapping parameter names to arrays of strings representing the extracted values.
+ * @returns An array of fully constructed `RequestSpec` objects with templates replaced.
+ * @throws {InvalidRequestSpecError} If required parameters are missing or parameter value arrays have mismatched lengths.
+ */
+declare function generateSpecsFromRequestSpecTemplate(requestSpecTemplates: RequestSpec[], templateParameters: Record<string, string[]>): RequestSpec[];
+declare function takeTemplateParametersFromProofs(proofs?: Proof[]): Record<string, string[]>;
+declare function takePairsWhereValueIsArray(o: Record<string, string> | undefined): Record<string, string[]>;
 /**
  * Transforms a raw provider hash requirement specification into a structured configuration for proof validation.
  * It computes the proof hashes for both required and allowed extra requests to correctly match uploaded proofs.
@@ -91,9 +174,9 @@ type ProviderHashRequirementsConfig = {
  */
 type HashRequirement = {
     /**
-     * The hash value to match
+     * The hash value(s) to match. An array represents multiple valid hashes for optional configurations.
      */
-    value: string;
+    value: string | string[];
     /**
      * Whether the hash is required to be present in the proof.
      * Defaults to true
@@ -138,9 +221,14 @@ interface RequestSpec {
     required?: boolean;
     /**
      * Whether request matching this spec is allowed to appear multiple times in list of proofs.
-     * Defaults to false.
+     * Defaults to true.
      */
     multiple?: boolean;
+    /**
+     * Template parameter variables for the request spec that should be replaced with real values
+     * during dynamic request spec construction.
+     */
+    templateParams?: string[];
 }
 /**
  * Defines the configuration for identifying/sniffing the request body.
@@ -182,12 +270,19 @@ type ClaimID = ProviderClaimData['identifier'];
 type ClaimInfo = Pick<ProviderClaimData, 'context' | 'provider' | 'parameters'>;
 type CompleteClaimData = Pick<ProviderClaimData, 'owner' | 'timestampS' | 'epoch'> & ClaimInfo;
 interface HttpProviderClaimParams {
-    body: string;
+    body?: string | null;
     method: RequestSpec['method'];
     responseMatches: ResponseMatchSpec[];
     responseRedactions: ResponseRedactionSpec[];
     url: string;
 }
+interface HashableHttpProviderClaimParams {
+    body: string;
+    method: RequestSpec['method'];
+    responseMatches: (Omit<ResponseMatchSpec, 'isOptional'>)[];
+    responseRedactions: ResponseRedactionSpec[];
+    url: string;
+}
 type SignedClaim = {
     claim: CompleteClaimData;
     signatures: Uint8Array[];
@@ -217,7 +312,16 @@ type ProofRequestOptions = {
     useBrowserExtension?: boolean;
     extensionID?: string;
     providerVersion?: string;
+    /**
+     * @deprecated Use `portalUrl` instead.
+     */
     customSharePageUrl?: string;
+    /**
+     * URL of the portal/share page for the verification flow.
+     *
+     * @default 'https://portal.reclaimprotocol.org'
+     */
+    portalUrl?: string;
     customAppClipUrl?: string;
     launchOptions?: ReclaimFlowLaunchOptions;
     /**
@@ -253,6 +357,10 @@ type ProofRequestOptions = {
      * @since 4.7.0
      */
     metadata?: Record<string, string>;
+    /**
+     * If true, generates a TEE attestation nonce during session initialization and expects a TEE attestation in the proof.
+     */
+    acceptTeeAttestation?: boolean;
 };
 type ReclaimFlowLaunchOptions = {
     /**
@@ -268,7 +376,40 @@ type ReclaimFlowLaunchOptions = {
      * once fully released. See: https://blog.reclaimprotocol.org/posts/moving-beyond-google-play-instant
      */
     canUseDeferredDeepLinksFlow?: boolean;
+    /**
+     * Verification mode for the flow.
+     *
+     * - `'portal'`: Opens the portal URL in the browser (remote browser verification).
+     * - `'app'`: Verifier app flow via the share page. If `useAppClip` is `true`, uses App Clip on iOS.
+     *
+     * Can be set at call time via `triggerReclaimFlow({ verificationMode })` or `getRequestUrl({ verificationMode })`,
+     * or at init time via `launchOptions: { verificationMode }`.
+     *
+     * @default 'portal'
+     */
+    verificationMode?: 'app' | 'portal';
+    /**
+     * Target DOM element to embed the verification flow in an iframe.
+     * When provided, the portal opens inside the element instead of a new tab.
+     * Use `closeEmbeddedFlow()` to remove the iframe programmatically.
+     *
+     * Only applies to portal mode.
+     */
+    target?: HTMLElement;
+};
+/**
+ * Handle returned by `triggerReclaimFlow` to control the launched flow.
+ */
+type FlowHandle = {
+    /** Closes the flow (removes iframe, closes tab, stops polling) */
+    close: () => void;
+    /** The iframe element when using embedded mode, `undefined` otherwise */
+    iframe?: HTMLIFrameElement;
+    /** The tab/window reference when using new tab mode, `undefined` otherwise */
+    tab?: Window | null;
 };
+/** Alias for `FlowHandle` */
+type EmbeddedFlowHandle = FlowHandle;
 type ModalOptions = {
     title?: string;
     description?: string;
@@ -338,6 +479,7 @@ type ProofPropertiesJSON = {
     jsonProofResponse?: boolean;
     resolvedProviderVersion: string;
     modalOptions?: SerializableModalOptions;
+    teeAttestation?: TeeAttestation | string;
 };
 type HttpFormEntry = {
     name: string;
@@ -347,7 +489,7 @@ type HttpRedirectionMethod = 'GET' | 'POST';
 /**
  * Options for HTTP redirection.
  *
- * Only supported by In-Browser SDK.
+ * Only supported by Portal flow.
  * On other SDKs, this will be ignored and a GET redirection will be performed with the URL.
  *
  * @since 4.11.0
@@ -400,6 +542,16 @@ type TemplateData = {
     metadata?: Record<string, string>;
     preferredLocale?: ProofRequestOptions['preferredLocale'];
 };
+type TrustedData = {
+    context: Record<string, unknown>;
+    extractedParameters: Record<string, string>;
+};
+type VerifyProofResult = {
+    isVerified: boolean;
+    isTeeVerified?: boolean;
+    data: TrustedData[];
+    error?: Error;
+};
 type ProviderVersionConfig = {
     major?: number;
     minor?: number;
@@ -418,12 +570,16 @@ type StatusUrlResponse = {
         sessionId: string;
         proofs?: Proof[];
         statusV2: string;
+        error?: {
+            type: string;
+            message: string;
+        };
     };
     providerId?: string;
 };
 type ProviderConfigResponse = {
     message: string;
-    providers?: ReclaimProviderConfig;
+    providers?: ReclaimProviderConfig[];
     providerId?: string;
     providerVersionString?: string;
 };
@@ -437,6 +593,12 @@ interface ReclaimProviderConfig {
     requestData: InterceptorRequestSpec[];
     allowedInjectedRequestData: InjectedRequestSpec[];
 }
+type ProviderHashRequirementsResponse = {
+    message?: string;
+    hashRequirements?: ProviderHashRequirementsConfig;
+    providerId?: string;
+    providerVersionString?: string;
+};
 /**
  * Content validation configuration specifying essential required hashes and optional extra proofs.
@@ -451,6 +613,40 @@ type ValidationConfigWithHash = {
      */
     hashes: (string | HashRequirement)[];
 };
+/**
+ * Content validation configuration specifying the provider id and version used in the verification session that generated the proofs.
+ * Used to explicitly validate that a generated proof matches the exact request structure expected.
+ *
+ * See also:
+ *
+ * * `ReclaimProofRequest.getProviderVersion()` - With a ReclaimProofRequest object, you can get the provider id & exact version of provider used in verification session.
+ */
+interface ValidationConfigWithProviderInformation {
+    /**
+     * The identifier of provider used in verifications that resulted in a proof
+     *
+     * See also:
+     *
+     * * `ReclaimProofRequest.getProviderVersion()` - With a ReclaimProofRequest object, you can get the provider id & exact version of provider used in verification session.
+     **/
+    providerId: string;
+    /**
+     * The exact version of provider used in verifications that resulted in a proof.
+     *
+     * This cannot be a version constaint or version expression. It can be undefined or left blank if proof must be validated with latest version of provider.
+     * Patches for the next provider version are also fetched and hashes from that spec is also be used to compare the hashes from proof.
+     *
+     * See also:
+     *
+     * * `ReclaimProofRequest.getProviderVersion()` - With a ReclaimProofRequest object, you can get the provider id & exact version of provider used in verification session.
+     **/
+    providerVersion?: string;
+    /**
+     * List of allowed pre-release tags.
+     * For example, if you are using AI, provide `['ai']` to allow AI patch versions of the provider.
+     */
+    allowedTags?: string[];
+}
 /**
  * Legacy configuration to completely bypass content validation during verification.
  * Warning: Using this poses a risk as it avoids strictly matching proof parameters to expected hashes.
@@ -462,12 +658,19 @@ interface ValidationConfigWithDisabledValidation {
  * Represents the configuration options applied when validating proof contents, allowing
  * strict hash checking or intentionally skipping validation if flagged.
  */
-type ValidationConfig = ValidationConfigWithHash | ValidationConfigWithDisabledValidation;
+type ValidationConfig = ValidationConfigWithHash | ValidationConfigWithProviderInformation | ValidationConfigWithDisabledValidation;
 /**
  * Describes the comprehensive configuration required to initialize the proof verification process.
  * Aligns with `ValidationConfig` options for verifying signatures alongside proof contents.
  */
-type VerificationConfig = ValidationConfig;
+type VerificationConfig = ValidationConfig & {
+    /**
+     * If true, verifies TEE (Trusted Execution Environment) attestation included in the proof.
+     * When enabled, the result will include `isTeeVerified` and `isVerified` will be false
+     * if TEE data is missing or TEE verification fails.
+     */
+    verifyTEE?: boolean;
+};
 declare function assertValidProofsByHash(proofs: Proof[], config: ProviderHashRequirementsConfig): void;
 declare function isHttpProviderClaimParams(claimParams: unknown): claimParams is HttpProviderClaimParams;
 declare function getHttpProviderClaimParamsFromProof(proof: Proof): HttpProviderClaimParams;
@@ -477,7 +680,7 @@ declare function getHttpProviderClaimParamsFromProof(proof: Proof): HttpProvider
  * @param config - The validation config
  * @throws {ProofNotValidatedError} When the proof is not validated
  */
-declare function assertValidateProof(proofs: Proof[], config: VerificationConfig): void;
+declare function assertValidateProof(proofs: Proof[], config: VerificationConfig): Promise<void>;
 /**
  * Verifies one or more Reclaim proofs by validating signatures, verifying witness information,
@@ -491,28 +694,54 @@ declare function assertValidateProof(proofs: Proof[], config: VerificationConfig
  * * All 3 functions above are alternatives of each other and result from these functions can be directly used as `config` parameter in this function for proof validation.
  *
  * @param proofOrProofs - A single proof object or an array of proof objects to be verified.
- * @param config - Verification configuration that specifies required hashes, allowed extra hashes, or disables content validation.
- * @returns Promise<boolean> - Returns `true` if all proofs are successfully verified and validated, `false` otherwise.
- * @throws {ProofNotVerifiedError} When signature validation or identifier mismatch occurs.
- * @throws {ProofNotValidatedError} When no proofs are provided, when the configuration is missing, or when proof content does not match the expectations set in the config.
+ * @param config - Verification configuration that specifies required hashes, allowed extra hashes, or disables content validation. Optionally includes `verifyTEE` to require TEE attestation verification.
+ * @returns Verification result with `isVerified`, extracted `data` from each proof, optional `error` on failure, and `isTeeVerified` when `verifyTEE` is enabled.
  *
  * @example
  * ```typescript
+ * // Fast and simple automatically fetched verification
+ * const { isVerified, data } = await verifyProof(proof, request.getProviderVersion());
+ *
+ * // With TEE attestation verification (fails if TEE data is missing or invalid)
+ * const { isVerified, isTeeVerified, data } = await verifyProof(proof, { ...request.getProviderVersion(), verifyTEE: true });
+ *
+ * // Or, by manually providing the details:
+ *
+ * const { isVerified, data } = await verifyProof(proof, {
+ *   providerId: "YOUR_PROVIDER_ID",
+ *   // The exact provider version used in the session.
+ *   providerVersion: "1.0.0",
+ *   // Optionally provide tags. For example, this can be `['ai']` when you want to allow patches from ai.
+ *   allowedTags: ["ai"]
+ * });
+ *
  * // Validate a single proof against expected hash
- * const isValid = await verifyProof(proof, { hashes: ['0xAbC...'] });
+ * const { isVerified, data } = await verifyProof(proof, { hashes: ['0xAbC...'] });
+ * if (isVerified) {
+ *   console.log(data[0].context);
+ *   console.log(data[0].extractedParameters);
+ * }
  *
  * // Validate multiple proofs
- * const areAllValid = await verifyProof([proof1, proof2], {
+ * const { isVerified, data } = await verifyProof([proof1, proof2], {
  *   hashes: ['0xAbC...', '0xF22..'],
  * });
  *
- * // Validate 1 required proofs, any number of multiple with same hash, and one optional
- * const areAllValid = await verifyProof([proof1, proof2, sameAsProof2], {
- *   hashes: ['0xAbC...', { value: '0xF22..', multiple: true }, { value: '0xE33..', required: false }],
+ * // Validate multiple proofs and handle optional matches or repeated proofs
+ * const { isVerified, data } = await verifyProof([proof1, proof2, sameAsProof2], {
+ *   hashes: [
+ *     // A string hash is perfectly equivalent to { value: '...', required: true, multiple: true }
+ *     '0xStrict1...',
+ *     // An array 'value' means 1 proof can have any 1 matching hash from this list.
+ *     // 'multiple: true' (the default) means any proof matching this hash is allowed to appear multiple times in the list of proofs.
+ *     { value: ['0xOpt1..', '0xOpt2..'], multiple: true },
+ *     // 'required: false' means there can be 0 proofs matching this hash. Such proofs may be optionally present. (Defaults to true).
+ *     { value: '0xE33..', required: false }
+ *   ],
  * });
  * ```
  */
-declare function verifyProof(proofOrProofs: Proof | Proof[], config: VerificationConfig): Promise<boolean>;
+declare function verifyProof(proofOrProofs: Proof | Proof[], config: VerificationConfig): Promise<VerifyProofResult>;
 /**
  * Transforms a Reclaim proof into a format suitable for on-chain verification
  *
@@ -536,6 +765,8 @@ declare class ReclaimProofRequest {
     private sessionId;
     private options?;
     private context;
+    private attestationNonce?;
+    private attestationNonceData?;
     private claimCreationType?;
     private providerId;
     private resolvedProviderVersion?;
@@ -553,19 +784,22 @@ declare class ReclaimProofRequest {
     private templateData;
     private extensionID;
     private customSharePageUrl?;
+    private appSharePageUrl;
     private customAppClipUrl?;
+    private portalTab?;
+    private portalIframe?;
     private modalOptions?;
     private modal?;
     private readonly FAILURE_TIMEOUT;
     private constructor();
     /**
-     * Initializes a new Reclaim proof request instance with automatic signature generation and session creation
+     * Initializes a new Reclaim proof request instance with automatic signature generation and session creation.
      *
      * @param applicationId - Your Reclaim application ID
      * @param appSecret - Your application secret key for signing requests
      * @param providerId - The ID of the provider to use for proof generation
      * @param options - Optional configuration options for the proof request
-     * @returns Promise<ReclaimProofRequest> - A fully initialized proof request instance
+     * @returns A fully initialized proof request instance
      * @throws {InitError} When initialization fails due to invalid parameters or session creation errors
      *
      * @example
@@ -574,7 +808,7 @@ declare class ReclaimProofRequest {
      *   'your-app-id',
      *   'your-app-secret',
      *   'provider-id',
-     *   { log: true, acceptAiProviders: true }
+     *   { portalUrl: 'https://portal.reclaimprotocol.org', log: true }
      * );
      * ```
      */
@@ -629,11 +863,11 @@ declare class ReclaimProofRequest {
      *
      * @param url - The URL where users should be redirected after successful proof generation
      * @param method - The redirection method that should be used for redirection. Allowed options: `GET`, and `POST`.
-     * `POST` form redirection is only supported in In-Browser SDK.
+     * `POST` form redirection is only supported in Portal flow.
      * @param body - List of name-value pairs to be sent as the body of the form request.
      * `When `method` is set to `POST`, `body` will be sent with 'application/x-www-form-urlencoded' content type.
      * When `method` is set to `GET`, if `body` is set then `body` will be sent as query parameters.
-     * Sending `body` on redirection is only supported in In-Browser SDK.
+     * Sending `body` on redirection is only supported in Portal flow.
      *
      * @throws {InvalidParamError} When URL is invalid
      *
@@ -686,11 +920,11 @@ declare class ReclaimProofRequest {
      *
      * @param url - The URL where users should be redirected after an error which aborts the verification process
      * @param method - The redirection method that should be used for redirection. Allowed options: `GET`, and `POST`.
-     * `POST` form redirection is only supported in In-Browser SDK.
+     * `POST` form redirection is only supported in Portal flow.
      * @param body - List of name-value pairs to be sent as the body of the form request.
      * When `method` is set to `POST`, `body` will be sent with 'application/x-www-form-urlencoded' content type.
      * When `method` is set to `GET`, if `body` is set then `body` will be sent as query parameters.
-     * Sending `body` on redirection is only supported in In-Browser SDK.
+     * Sending `body` on redirection is only supported in Portal flow.
      * @throws {InvalidParamError} When URL is invalid
      *
      * @example
@@ -861,7 +1095,26 @@ declare class ReclaimProofRequest {
     private setSignature;
     private generateSignature;
     private clearInterval;
+    private setAttestationContext;
+    private applyAttestationContext;
+    private encodeTemplateData;
     private buildSharePageUrl;
+    private openPortalTab;
+    private closePortalTab;
+    private embedPortalIframe;
+    /**
+     * Closes the embedded portal iframe and stops the session polling.
+     *
+     * Call this to programmatically cancel the embedded verification flow
+     * that was started with `triggerReclaimFlow({ target: element })`.
+     * Also called automatically when verification succeeds or fails.
+     *
+     * @example
+     * ```typescript
+     * proofRequest.closeEmbeddedFlow();
+     * ```
+     */
+    closeEmbeddedFlow(): void;
     /**
      * Exports the Reclaim proof verification request as a JSON string
      *
@@ -885,13 +1138,15 @@ declare class ReclaimProofRequest {
      */
     private getTemplateData;
     /**
-     * Generates and returns the request URL for proof verification
+     * Generates and returns the request URL for proof verification.
+     *
+     * Defaults to portal mode. Pass `{ verificationMode: 'app' }` for native app flow URLs.
      *
-     * This URL can be shared with users to initiate the proof generation process.
-     * The URL format varies based on device type:
-     * - Mobile iOS: Returns App Clip URL (if useAppClip is enabled)
-     * - Mobile Android: Returns Instant App URL (if useAppClip is enabled)
-     * - Desktop/Other: Returns standard verification URL
+     * - Portal mode (default): returns portal URL on all platforms
+     * - App mode: returns share page URL on all platforms
+     * - App mode + `useAppClip: true` on iOS: returns App Clip URL instead
+     *
+     * Falls back to `launchOptions` set at init time if not passed at call time.
      *
      * @param launchOptions - Optional launch configuration to override default behavior
      * @returns Promise<string> - The generated request URL
@@ -899,31 +1154,58 @@ declare class ReclaimProofRequest {
      *
      * @example
      * ```typescript
-     * const requestUrl = await proofRequest.getRequestUrl();
-     * // Share this URL with users or display as QR code
+     * // Portal URL (default)
+     * const url = await proofRequest.getRequestUrl();
+     *
+     * // Verifier app flow URL
+     * const url = await proofRequest.getRequestUrl({ verificationMode: 'app' });
      * ```
      */
     getRequestUrl(launchOptions?: ReclaimFlowLaunchOptions): Promise<string>;
     /**
-     * Triggers the appropriate Reclaim verification flow based on device type and configuration
+     * Triggers the appropriate Reclaim verification flow based on device type and configuration.
      *
-     * This method automatically detects the device type and initiates the optimal verification flow:
-     * - Desktop with browser extension: Triggers extension flow
-     * - Desktop without extension: Shows QR code modal
-     * - Mobile Android: Redirects to Instant App
-     * - Mobile iOS: Redirects to App Clip
+     * Defaults to portal mode (remote browser verification). Pass `{ verificationMode: 'app' }`
+     * for verifier app flow via the share page.
+     *
+     * - **Embedded iframe**: Pass `{ target: element }` to embed the portal inside a DOM element instead of a new tab
+     * - Desktop: browser extension takes priority in both modes
+     * - Desktop portal mode (no extension): opens portal in new tab
+     * - Desktop app mode (no extension): shows QR code modal with share page URL
+     * - Mobile portal mode: opens portal in new tab
+     * - Mobile app mode: opens share page (or App Clip on iOS if `useAppClip` is `true`)
      *
      * @param launchOptions - Optional launch configuration to override default behavior
-     * @returns Promise<void>
+     * @returns Promise<FlowHandle> - Handle to control the flow (close, access iframe)
      * @throws {SignatureNotFoundError} When signature is not set
      *
      * @example
      * ```typescript
-     * await proofRequest.triggerReclaimFlow();
-     * // The appropriate verification method will be triggered automatically
+     * // Portal flow (default) — opens in new tab
+     * const handle = await proofRequest.triggerReclaimFlow();
+     * handle.tab;   // Window reference to the opened tab
+     * handle.close(); // close tab and stop polling
+     *
+     * // Embed portal in an iframe inside a DOM element
+     * const handle = await proofRequest.triggerReclaimFlow({ target: document.getElementById('reclaim-container') });
+     * handle.iframe; // HTMLIFrameElement reference
+     * handle.close(); // remove iframe and stop polling
+     *
+     * // Verifier app flow
+     * await proofRequest.triggerReclaimFlow({ verificationMode: 'app' });
+     *
+     * // App Clip on iOS (requires useAppClip: true at init)
+     * const request = await ReclaimProofRequest.init(APP_ID, SECRET, PROVIDER, { useAppClip: true });
+     * await request.triggerReclaimFlow({ verificationMode: 'app' });
+     *
+     * // Can also set verificationMode at init time via launchOptions
+     * const request = await ReclaimProofRequest.init(APP_ID, SECRET, PROVIDER, {
+     *   launchOptions: { verificationMode: 'app' }
+     * });
+     * await request.triggerReclaimFlow(); // uses 'app' mode from init
      * ```
      */
-    triggerReclaimFlow(launchOptions?: ReclaimFlowLaunchOptions): Promise<void>;
+    triggerReclaimFlow(launchOptions?: ReclaimFlowLaunchOptions): Promise<FlowHandle>;
     /**
      * Checks if the Reclaim browser extension is installed and available
      *
@@ -946,16 +1228,28 @@ declare class ReclaimProofRequest {
     private showQRCodeModal;
     private redirectToInstantApp;
     private redirectToAppClip;
+    /**
+     * Returns the provider id and exact version of the provider that was used in the verification session of this request.
+     *
+     * This can be provided as a config parameter to the `verifyProof` function to verify the proof.
+     *
+     * See also:
+     * * `verifyProof()` - Verifies a proof against the expected provider configuration.
+     * * `getProviderHashRequirements()` - An alternative of this function to get the expected hashes for a provider version by providing providerId and exactProviderVersionString. The result can be provided in verifyProof function's `config` parameter for proof validation.
+     * * `getProviderHashRequirementsFromSpec()` - An alternative of this function to get the expected hashes from a provider spec. The result can be provided in verifyProof function's `config` parameter for proof validation.
+     */
+    getProviderVersion(): ProviderVersionInfo;
     /**
      * Fetches the provider config that was used for this session and returns the hash requirements
      *
      * See also:
+     * * `verifyProof()` - Verifies a proof against the expected provider configuration.
      * * `fetchProviderHashRequirementsBy()` - An alternative of this function to get the expected hashes for a provider version by providing providerId and exactProviderVersionString. The result can be provided in verifyProof function's `config` parameter for proof validation.
      * * `getProviderHashRequirementsFromSpec()` - An alternative of this function to get the expected hashes from a provider spec. The result can be provided in verifyProof function's `config` parameter for proof validation.
      *
-     * @returns A promise that resolves to a ProviderHashRequirementsConfig
+     * @returns A promise that resolves to a `ProviderHashRequirementsConfig` or `ProviderHashRequirementsConfig[]`
      */
-    getProviderHashRequirements(): Promise<ProviderHashRequirementsConfig>;
+    getProviderHashRequirements(proofs: Proof[], allowedTags: string[] | null | undefined): Promise<ProviderHashRequirementsConfig[]>;
     /**
      * Starts the proof request session and monitors for proof submission
      *
@@ -1080,21 +1374,27 @@ declare function updateSession(sessionId: string, status: SessionStatus): Promis
  * @throws StatusUrlError if the status URL fetch fails
  */
 declare function fetchStatusUrl(sessionId: string): Promise<StatusUrlResponse>;
-declare function fetchProviderConfig(providerId: string, exactProviderVersionString: string): Promise<ProviderConfigResponse>;
+declare function fetchProviderConfigs(providerId: string, exactProviderVersionString: string | null | undefined, allowedTags: string[] | null | undefined): Promise<ProviderConfigResponse>;
 /**
- * Fetches the provider configuration by the providerId and its version; and constructs the robust hash requirements needed for proof validation.
- * It resolves both explicitly required HTTP requests and allowed injected requests based on the provider version.
- *
- * See also:
- *
- * * `ReclaimProofRequest.getProviderHashRequirements()` - An alternative of this function to get the expected hashes for a proof request. The result can be provided in verifyProof function's `config` parameter for proof validation.
- * * `getProviderHashRequirementsFromSpec()` - An alternative of this function to get the expected hashes from a provider spec. The result can be provided in verifyProof function's `config` parameter for proof validation.
- *
- * @param providerId - The unique identifier of the selected provider.
- * @param exactProviderVersion - The specific version string of the provider configuration to ensure deterministic validation.
- * @returns A promise that resolves to `ProviderHashRequirementsConfig` representing the expected hashes for proof validation.
+ * Validates the hardware TEE attestation included in the proof.
+ * Throws an error if the attestation is invalid or compromised.
  */
-declare function fetchProviderHashRequirementsBy(providerId: string, exactProviderVersion: string): Promise<ProviderHashRequirementsConfig>;
+declare function verifyTeeAttestation(proof: Proof, expectedApplicationId?: string): Promise<boolean>;
+declare const TeeVerificationError: {
+    new (message?: string, innerError?: unknown | undefined): {
+        innerError?: unknown | undefined;
+        name: string;
+        message: string;
+        stack?: string;
+        cause?: unknown;
+    };
+    isError(error: unknown): error is Error;
+    captureStackTrace(targetObject: object, constructorOpt?: Function): void;
+    prepareStackTrace?: ((err: Error, stackTraces: NodeJS.CallSite[]) => any) | undefined;
+    stackTraceLimit: number;
+};
 /**
  * Highly accurate device type detection - returns only 'desktop' or 'mobile'
@@ -1123,4 +1423,4 @@ declare function isDesktopDevice(): boolean;
  */
 declare function clearDeviceCache(): void;
-export { type Beacon, type BeaconState, type BodySniff, ClaimCreationType, type ClaimID, type ClaimInfo, type CompleteClaimData, type Context, type CreateVerificationRequest, DeviceType, type ExtensionMessage, type HashRequirement, type HttpFormEntry, type HttpProviderClaimParams, type HttpRedirectionMethod, type HttpRedirectionOptions, type InitSessionResponse, type InjectedRequestSpec, type InterceptorRequestSpec, type ModalOptions, type OnError, type OnSuccess, type Proof, type ProofPropertiesJSON, type ProofRequestOptions, type ProviderClaimData, type ProviderConfigResponse, type ProviderHashRequirementSpec, type ProviderHashRequirementsConfig, type ProviderVersionConfig, RECLAIM_EXTENSION_ACTIONS, type ReclaimFlowLaunchOptions, ReclaimProofRequest, type ReclaimProviderConfig, type RequestSpec, type ResponseMatchSpec, type ResponseRedactionSpec, type SerializableModalOptions, SessionStatus, type SignedClaim, type StartSessionParams, type StatusUrlResponse, type TemplateData, type UpdateSessionResponse, type ValidationConfig, type ValidationConfigWithDisabledValidation, type ValidationConfigWithHash, type VerificationConfig, type WitnessData, assertValidProofsByHash, assertValidateProof, assertVerifiedProof, clearDeviceCache, createLinkWithTemplateData, fetchProviderConfig, fetchProviderHashRequirementsBy, fetchStatusUrl, getAttestors, getDeviceType, getHttpProviderClaimParamsFromProof, getMobileDeviceType, getProviderHashRequirementsFromSpec, getShortenedUrl, hashRequestSpec, initSession, isDesktopDevice, isHttpProviderClaimParams, isMobileDevice, recoverSignersOfSignedClaim, transformForOnchain, updateSession, verifyProof };
+export { type Beacon, type BeaconState, type BodySniff, ClaimCreationType, type ClaimID, type ClaimInfo, type CompleteClaimData, type Context, type CreateVerificationRequest, DeviceType, type EmbeddedFlowHandle, type ExtensionMessage, type FlowHandle, type HashRequirement, type HashableHttpProviderClaimParams, type HttpFormEntry, type HttpProviderClaimParams, type HttpRedirectionMethod, type HttpRedirectionOptions, type InitSessionResponse, type InjectedRequestSpec, type InterceptorRequestSpec, type ModalOptions, type OnError, type OnSuccess, type Proof, type ProofPropertiesJSON, type ProofRequestOptions, type ProviderClaimData, type ProviderConfigResponse, type ProviderHashRequirementSpec, type ProviderHashRequirementsConfig, type ProviderHashRequirementsResponse, type ProviderVersionConfig, type ProviderVersionInfo, RECLAIM_EXTENSION_ACTIONS, type ReclaimFlowLaunchOptions, ReclaimProofRequest, type ReclaimProviderConfig, type RequestSpec, type ResponseMatchSpec, type ResponseRedactionSpec, type SerializableModalOptions, SessionStatus, type SignedClaim, type StartSessionParams, type StatusUrlResponse, type TeeAttestation, TeeVerificationError, type TemplateData, type TrustedData, type UpdateSessionResponse, type ValidationConfig, type ValidationConfigWithDisabledValidation, type ValidationConfigWithHash, type ValidationConfigWithProviderInformation, type VerificationConfig, type VerifyProofResult, type WitnessData, assertValidProofsByHash, assertValidateProof, assertVerifiedProof, clearDeviceCache, createLinkWithTemplateData, fetchProviderConfigs, fetchProviderHashRequirementsBy, fetchStatusUrl, generateSpecsFromRequestSpecTemplate, getAttestors, getDeviceType, getHttpProviderClaimParamsFromProof, getMobileDeviceType, getProviderHashRequirementsFromSpec, getShortenedUrl, hashRequestSpec, initSession, isDesktopDevice, isHttpProviderClaimParams, isMobileDevice, recoverSignersOfSignedClaim, takePairsWhereValueIsArray, takeTemplateParametersFromProofs, transformForOnchain, updateSession, verifyProof, verifyTeeAttestation };