@reclaimprotocol/js-sdk 5.1.0 → 5.3.0-dev.1

package/dist/index.js

@@ -84,7 +84,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@reclaimprotocol/js-sdk",
-      version: "5.1.0",
+      version: "5.3.0-dev.1",
       description: "Designed to request proofs from the Reclaim protocol and manage the flow of claims and witness interactions.",
       main: "dist/index.js",
       types: "dist/index.d.ts",
@@ -220,6 +220,7 @@ __export(index_exports, {
   isHttpProviderClaimParams: () => isHttpProviderClaimParams,
   isMobileDevice: () => isMobileDevice,
   recoverSignersOfSignedClaim: () => recoverSignersOfSignedClaim,
+  runTeeVerification: () => runTeeVerification,
   takePairsWhereValueIsArray: () => takePairsWhereValueIsArray,
   takeTemplateParametersFromProofs: () => takeTemplateParametersFromProofs,
   transformForOnchain: () => transformForOnchain,
@@ -238,7 +239,7 @@ var RECLAIM_EXTENSION_ACTIONS = {
 };
 
 // src/Reclaim.ts
-var import_ethers5 = require("ethers");
+var import_ethers6 = require("ethers");
 var import_canonicalize3 = __toESM(require("canonicalize"));
 
 // src/utils/errors.ts
@@ -560,19 +561,19 @@ function scheduleIntervalEndingTask(sessionId, intervals, onFailureCallback, tim
     }
   }, timeout);
 }
-var createVerifyProofResultSuccess = (proofs, isTeeVerified) => {
+var createVerifyProofResultSuccess = (proofs, isTeeAttestationVerified) => {
   return {
     isVerified: true,
-    isTeeVerified,
+    isTeeAttestationVerified,
     error: void 0,
     data: proofs.map(createTrustedDataFromProofData),
     publicData: getPublicDataFromProofs(proofs)
   };
 };
-var createVerifyProofResultFailure = (error, isTeeVerified) => {
+var createVerifyProofResultFailure = (error, isTeeAttestationVerified) => {
   return {
     isVerified: false,
-    isTeeVerified,
+    isTeeAttestationVerified,
     error,
     data: [],
     publicData: []
@@ -1446,6 +1447,20 @@ function clearDeviceCache() {
   cachedMobileType = null;
 }
 
+// src/utils/attestationNonce.ts
+var import_ethers4 = require("ethers");
+var ATTESTATION_NONCE_DOMAIN = "RECLAIM_TEE_NONCE_V1";
+function generateAttestationNonce(appSecret, applicationId, sessionId, timestamp) {
+  const noncePayload = [
+    ATTESTATION_NONCE_DOMAIN,
+    applicationId,
+    sessionId,
+    timestamp,
+    appSecret
+  ].join(":");
+  return import_ethers4.ethers.keccak256(import_ethers4.ethers.toUtf8Bytes(noncePayload)).replace(/^0x/i, "");
+}
+
 // src/utils/providerUtils.ts
 var logger7 = logger_default.logger;
 function fetchProviderHashRequirementsBy(providerId, exactProviderVersionString, allowedTags, proofs) {
@@ -1673,309 +1688,313 @@ function assertValidateProof(proofs, config) {
 }
 
 // src/utils/verifyTee.ts
-var import_node_forge = __toESM(require("node-forge"));
-var import_ethers4 = require("ethers");
-
-// src/utils/amdCerts.ts
-var AMD_CERTS = {
-  "Milan": `-----BEGIN CERTIFICATE-----
-MIIGjzCCBD6gAwIBAgIDAQEBMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
-BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
-BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
-Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
-Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjIxMTE2MjI0NTI0WhcNNDcxMTE2
-MjI0NTI0WjCBgDEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQw
-EgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFu
-Y2VkIE1pY3JvIERldmljZXMxFzAVBgNVBAMMDlNFVi1WTEVLLU1pbGFuMIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1EUWkz5FTPz+uWT2hCEyisam8FRu
-XZAmS3l+rXgSCeS1Q0+1olcnFSJpiwfssfhoutJqePyicu+OhkX131PMeO/VOtH3
-upK4YNJmq36IJp7ZWIm5nK2fJNkYEHW0m/NXcIA9U2iHl5bAQ5cbGp97/FaOJ4Vm
-GoTMV658Yox/plFmZRFfRcsw2hyNhqUl1gzdpnIIgPkygUovFEgaa0IVSgGLHQhZ
-QiebNLLSVWRVReve0t94zlRIRRdrz84cckP9H9DTAUMyQaxSZbPINKbV6TPmtrwA
-V9UP1Qq418xn9I+C0SsWutP/5S1OiL8OTzQ4CvgbHOfd2F3yVv4xDBza4SelF2ig
-oDf+BF4XI/IIHJL2N5uKy3+gkSB2Xl6prohgVmqRFvBW9OTCEa32WhXu0t1Z1abE
-KDZ3LpZt9/Crg6zyPpXDLR/tLHHpSaPRj7CTzHieKMTz+Q6RrCCQcHGfaAD/ETNY
-56aHvNJRZgbzXDUJvnLr3dYyOvvn/DtKhCSimJynn7Len4ArDVQVwXRPe3hR/asC
-E2CajT7kGC1AOtUzQuIKZS2D0Qk74g297JhLHpEBlQiyjRJ+LCWZNx9uJcixGyza
-v6fiOWx4U8uWhRzHs8nvDAdcS4LW31tPlA9BeOK/BGimQTu7hM5MDFZL0C9dWK5p
-uCUJex6I2vSqvycCAwEAAaOBozCBoDAdBgNVHQ4EFgQUNuJXE6qi45/CgqkKRPtV
-LObC7pEwHwYDVR0jBBgwFoAUhawa0UP3yKxV1MUdQUir1XhK1FMwEgYDVR0TAQH/
-BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0
-cHM6Ly9rZHNpbnRmLmFtZC5jb20vdmxlay92MS9NaWxhbi9jcmwwRgYJKoZIhvcN
-AQEKMDmgDzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQME
-AgIFAKIDAgEwowMCAQEDggIBAI7ayEXDNj1rCVnjQFb6L91NNOmEIOmi6XtopAqr
-8fj7wqXap1MY82Y0AIi1K9R7C7G1sCmY8QyEyX0zqHsoNbU2IMcSdZrIp8neT8af
-v8tPt7qoW3hZ+QQRMtgVkVVrjJZelvlB74xr5ifDcDiBd2vu/C9IqoQS4pVBKNSF
-pofzjtYKvebBBBXxeM2b901UxNgVjCY26TtHEWN9cA6cDVqDDCCL6uOeR9UOvKDS
-SqlM6nXldSj7bgK7Wh9M9587IwRvNZluXc1CDiKMZybLdSKOlyMJH9ss1GPn0eBV
-EhVjf/gttn7HrcQ9xJZVXyDtL3tkGzemrPK14NOYzmph6xr1iiedAzOVpNdPiEXn
-2lvas0P4TD9UgBh0Y7xyf2yENHiSgJT4T8Iktm/TSzuh4vqkQ72A1HdNTGjoZcfz
-KCsQJ/YuFICeaNxw5cIAGBK/o+6Ek32NPv5XtixNOhEx7GsaVRG05bq5oTt14b4h
-KYhqV1CDrX5hiVRpFFDs/sAGfgTzLdiGXLcvYAUz1tCKIT/eQS9c4/yitn4F3mCP
-d4uQB+fggMtK0qPRthpFtc2SqVCTvHnhxyXqo7GpXMsssgLgKNwaFPe2+Ld5OwPR
-6Pokji9h55m05Dxob8XtD4gW6oFLo9Icg7XqdOr9Iip5RBIPxy7rKk/ReqGs9KH7
-0YPk
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
-BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
-BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
-Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
-Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy
-MTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
-BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
-ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG
-9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg
-W41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta
-1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2
-SzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0
-60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05
-gmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg
-bKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs
-+gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi
-Qi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ
-eTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18
-fHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j
-WhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI
-rFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG
-KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG
-SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI
-AWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel
-ETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw
-STjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK
-dHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq
-zT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp
-KGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e
-pmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq
-HnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh
-3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn
-JZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH
-CViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4
-AFZEAwoKCQ==
------END CERTIFICATE-----`,
-  "Genoa": `-----BEGIN CERTIFICATE-----
-MIIGjzCCBD6gAwIBAgIDAgEBMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
-BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
-BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
-Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
-Y2VzMRIwEAYDVQQDDAlBUkstR2Vub2EwHhcNMjIxMTE4MjA0ODM0WhcNNDcxMTE4
-MjA0ODM0WjCBgDEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQw
-EgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFu
-Y2VkIE1pY3JvIERldmljZXMxFzAVBgNVBAMMDlNFVi1WTEVLLUdlbm9hMIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzL2/xihHscEpxS3+OsQZpAuNIJGS
-EQZrkoWPtqKMjjZOyXMMRHAheTm56Ei0Mb8TJZlbGDS5x/AdbowstGmpHqh2zvSv
-jZO7V4v6Ft84p71P6GXfOVEQgCuatiszfIwFrRQk/cmU7HuJadBq6XtYE+qBJMju
-s8C0WwW/IWY9j6pNbEA1SnUvVg6t89zfE+AcB5UDCKq09x7qw+rPt9pTpEch0f1b
-HdRFJlpgWGTq02ohH9bT+6au8kPpvMa3m2p8zdIIqtuuSG6srIimrpt24lsr4tLh
-QG65R/RbVJT9MsK4ULpbAUO5NwdlLwbnpLWHiUwoYrySMD8l3xRDvhPmInlXEFEo
-8lahcYllxiJJR8oqqA6x3jPFKmkfhEgaQefcn4P8nA4SScqAoLihn75iiDtU2+Zl
-kPnKgcNs5U1Le441ypen2n7BOnRyhmwyAUBGk3OcMXHsJ6KGpDJyTVCaC3fWX3ex
-4Iv4LkuKRA6O9yu3zHP23N/ubE8/YykffIjMbtBoOAzdWCn9lE4amo4VZ+8ewIut
-ZAYmC5TIQO+wWUqKYr0iAobccMnZdJjUORjVoqVQ+dLr+/1otk36gfPc0LpmhWZK
-fAXF9sgvYtQjcaR9wlGr8ySRtZ2YJWofuR7zgYFJPEXRwAnbAR/05hBmog7CMt1F
-9YKSmku6JfRecY8CAwEAAaOBozCBoDAdBgNVHQ4EFgQUhEdjn8HQNI9bN2NAKL9z
-gM6VNoowHwYDVR0jBBgwFoAUn135/g3Y81rQMxol74EpT74xqFswEgYDVR0TAQH/
-BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0
-cHM6Ly9rZHNpbnRmLmFtZC5jb20vdmxlay92MS9HZW5vYS9jcmwwRgYJKoZIhvcN
-AQEKMDmgDzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQME
-AgIFAKIDAgEwowMCAQEDggIBALgCTyTS/ppxo42n2LOox42LvNIsn2/ZaMs2NfCj
-4f2+VN5Xs1NNdptn2nq/SKu5aKnLS5XGWCnHfMSKZ7vqHLKMa0Wxfm+4JahOItQ3
-+PzbTa0EwUkq1u6oezhTHywX1PilNRc4EjWgQ6ba/z4BBxO3P10tW/C39VS0Cv8S
-N5G2bfZrPkjy6LBjGiaT4MBcsN+SM2o5QgKRG0qqn+edegHMmTPBDV2qCKbe5CBs
-a122q+F6S9hPEEiGkz/IpShnSGCaFvbEu0Uvh2dYUlrON2peZMDkevKurDXlGxTe
-hAflCiugBsNeJivx0j7B/HazAvxkLPTCkIdmQJccezF5PCgmMW0SeP4cMb5Ewzv/
-yCsTLyh13YsYBww5eW4DBREd/vCAS7F1JQUZ4twQy/jqBAJhcDyGuRnnwrRevGdW
-sb3cXBqeLCub7CKZ1n/zqSRHq8FRgoroPRpfFjSGhDVFbjj7bDzWU6WNmF/7Lpnq
-G+tIMyRc+3Y3yRAYchFNOFHyS6R2C0KTy1nRSYwBUdQtGaQ0rE3e5Mulcidh4qkI
-xpp089vzqV8JTSJsRzTOzkujOuHUYPKswJ1TvQr5S1C0gPN2qAESnCs7Nf2x82DS
-xmEqaiI7xS58pR6vZ8BeXMGPPQqgOm/oBzOypVR3iCG6MFdjsTNA6M8P7GCZe1p7
-2cko
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIGYzCCBBKgAwIBAgIDAgAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
-BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
-BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
-Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
-Y2VzMRIwEAYDVQQDDAlBUkstR2Vub2EwHhcNMjIwMTI2MTUzNDM3WhcNNDcwMTI2
-MTUzNDM3WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
-BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
-ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLUdlbm9hMIICIjANBgkqhkiG
-9w0BAQEFAAOCAg8AMIICCgKCAgEA3Cd95S/uFOuRIskW9vz9VDBF69NDQF79oRhL
-/L2PVQGhK3YdfEBgpF/JiwWFBsT/fXDhzA01p3LkcT/7LdjcRfKXjHl+0Qq/M4dZ
-kh6QDoUeKzNBLDcBKDDGWo3v35NyrxbA1DnkYwUKU5AAk4P94tKXLp80oxt84ahy
-HoLmc/LqsGsp+oq1Bz4PPsYLwTG4iMKVaaT90/oZ4I8oibSru92vJhlqWO27d/Rx
-c3iUMyhNeGToOvgx/iUo4gGpG61NDpkEUvIzuKcaMx8IdTpWg2DF6SwF0IgVMffn
-vtJmA68BwJNWo1E4PLJdaPfBifcJpuBFwNVQIPQEVX3aP89HJSp8YbY9lySS6PlV
-EqTBBtaQmi4ATGmMR+n2K/e+JAhU2Gj7jIpJhOkdH9firQDnmlA2SFfJ/Cc0mGNz
-W9RmIhyOUnNFoclmkRhl3/AQU5Ys9Qsan1jT/EiyT+pCpmnA+y9edvhDCbOG8F2o
-xHGRdTBkylungrkXJGYiwGrR8kaiqv7NN8QhOBMqYjcbrkEr0f8QMKklIS5ruOfq
-lLMCBw8JLB3LkjpWgtD7OpxkzSsohN47Uom86RY6lp72g8eXHP1qYrnvhzaG1S70
-vw6OkbaaC9EjiH/uHgAJQGxon7u0Q7xgoREWA/e7JcBQwLg80Hq/sbRuqesxz7wB
-WSY254cCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSfXfn+Ddjz
-WtAzGiXvgSlPvjGoWzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG
-KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvR2Vub2EvY3JsMEYGCSqG
-SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI
-AWUDBAICBQCiAwIBMKMDAgEBA4ICAQAdIlPBC7DQmvH7kjlOznFx3i21SzOPDs5L
-7SgFjMC9rR07292GQCA7Z7Ulq97JQaWeD2ofGGse5swj4OQfKfVv/zaJUFjvosZO
-nfZ63epu8MjWgBSXJg5QE/Al0zRsZsp53DBTdA+Uv/s33fexdenT1mpKYzhIg/cK
-tz4oMxq8JKWJ8Po1CXLzKcfrTphjlbkh8AVKMXeBd2SpM33B1YP4g1BOdk013kqb
-7bRHZ1iB2JHG5cMKKbwRCSAAGHLTzASgDcXr9Fp7Z3liDhGu/ci1opGmkp12QNiJ
-uBbkTU+xDZHm5X8Jm99BX7NEpzlOwIVR8ClgBDyuBkBC2ljtr3ZSaUIYj2xuyWN9
-5KFY49nWxcz90CFa3Hzmy4zMQmBe9dVyls5eL5p9bkXcgRMDTbgmVZiAf4afe8DL
-dmQcYcMFQbHhgVzMiyZHGJgcCrQmA7MkTwEIds1wx/HzMcwU4qqNBAoZV7oeIIPx
-dqFXfPqHqiRlEbRDfX1TG5NFVaeByX0GyH6jzYVuezETzruaky6fp2bl2bczxPE8
-HdS38ijiJmm9vl50RGUeOAXjSuInGR4bsRufeGPB9peTa9BcBOeTWzstqTUB/F/q
-aZCIZKr4X6TyfUuSDz/1JDAGl+lxdM0P9+lLaP9NahQjHCVf0zf1c1salVuGFk2w
-/wMz1R1BHg==
------END CERTIFICATE-----`
-};
-
-// src/utils/verifyTee.ts
-var crlCache = {};
+var import_ethers5 = require("ethers");
 var logger9 = logger_default.logger;
-function toUint8Array(input) {
-  if (typeof Buffer !== "undefined" && typeof Buffer.isBuffer === "function" && Buffer.isBuffer(input)) {
-    return new Uint8Array(input);
+var EXPECTED_ISSUER = "https://confidentialcomputing.googleapis.com";
+var EXPECTED_HW_MODEL = "GCP_AMD_SEV";
+var EXPECTED_TEE_PROVIDER = "gcp";
+var EXPECTED_TEE_TECHNOLOGY = "amd-sev";
+var SUPPORTED_PROOF_VERSIONS = ["v2", "v3"];
+var TOKEN_CLOCK_SKEW_S = 60;
+var NONCE_TIMESTAMP_MAX_SKEW_MS = 10 * 60 * 1e3;
+var BROWSER_ENVIRONMENT_ERROR = "TEE attestation verification is only supported in non-browser environments. Run verifyTeeAttestation on your server or API route.";
+function assert(condition, message) {
+  if (!condition) {
+    throw new Error(message);
   }
-  if (input instanceof Uint8Array) {
-    return new Uint8Array(input);
+}
+function isBrowserEnvironment() {
+  if (typeof window !== "undefined" || typeof document !== "undefined") {
+    return true;
   }
-  if (typeof ArrayBuffer !== "undefined" && input instanceof ArrayBuffer) {
-    return new Uint8Array(input);
+  if (typeof navigator !== "undefined" && typeof process === "undefined") {
+    return true;
   }
-  throw new Error("Unsupported binary data type");
-}
-function uint8ArrayToBinaryString(bytes) {
-  let result = "";
-  const chunkSize = 32768;
-  for (let i = 0; i < bytes.length; i += chunkSize) {
-    const chunk = bytes.subarray(i, i + chunkSize);
-    result += String.fromCharCode(...chunk);
+  const workerGlobalScope = globalThis.WorkerGlobalScope;
+  if (typeof workerGlobalScope !== "undefined" && typeof self !== "undefined" && self instanceof workerGlobalScope) {
+    return true;
   }
-  return result;
+  return false;
 }
-function binaryStringToUint8Array(binary) {
-  const result = new Uint8Array(binary.length);
-  for (let i = 0; i < binary.length; i++) {
-    result[i] = binary.charCodeAt(i);
+function assertNonBrowserEnvironment() {
+  if (isBrowserEnvironment()) {
+    throw new Error(BROWSER_ENVIRONMENT_ERROR);
   }
-  return result;
 }
-function base64ToUint8Array(base64) {
-  if (typeof atob === "function") {
-    const binary = atob(base64);
-    return binaryStringToUint8Array(binary);
-  }
+function normalizeHex(value) {
+  return (value || "").trim().replace(/^0x/i, "").toLowerCase();
+}
+function isHex(value) {
+  return /^[0-9a-f]+$/i.test(value);
+}
+function decodeBase64Url(input) {
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
   if (typeof Buffer !== "undefined") {
-    return new Uint8Array(Buffer.from(base64, "base64"));
+    return new Uint8Array(Buffer.from(padded, "base64"));
+  }
+  if (typeof atob === "function") {
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i += 1) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
   }
   throw new Error("Base64 decoding is not supported in this environment");
 }
-function arrayBufferToHex(buffer) {
-  const view = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
-  let hex = "";
-  for (let i = 0; i < view.length; i++) {
-    hex += view[i].toString(16).padStart(2, "0");
+function decodeUtf8(bytes) {
+  return new TextDecoder().decode(bytes);
+}
+function decodeJwt(token) {
+  const parts = token.split(".");
+  assert(parts.length === 3, "attestation token is not a JWT");
+  return {
+    header: JSON.parse(decodeUtf8(decodeBase64Url(parts[0]))),
+    payload: JSON.parse(decodeUtf8(decodeBase64Url(parts[1]))),
+    signingInput: `${parts[0]}.${parts[1]}`,
+    signature: decodeBase64Url(parts[2])
+  };
+}
+function getFetch() {
+  const fetchFn = globalThis.fetch;
+  assert(fetchFn, "fetch is not available in this environment");
+  return fetchFn.bind(globalThis);
+}
+function getSubtleCrypto() {
+  var _a, _b, _c;
+  if ((_a = globalThis.crypto) == null ? void 0 : _a.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  const nodeCrypto = typeof process !== "undefined" && ((_b = process.versions) == null ? void 0 : _b.node) ? require("crypto") : void 0;
+  if ((_c = nodeCrypto == null ? void 0 : nodeCrypto.webcrypto) == null ? void 0 : _c.subtle) {
+    return nodeCrypto.webcrypto.subtle;
+  }
+  throw new Error("WebCrypto subtle is not available in this environment");
+}
+function fetchJson(url) {
+  return __async(this, null, function* () {
+    const response = yield getFetch()(url);
+    if (!response.ok) {
+      throw new Error(`GET ${url} returned ${response.status} ${response.statusText}`);
+    }
+    return response.json();
+  });
+}
+function sha256Hex(input) {
+  return __async(this, null, function* () {
+    const digest = yield getSubtleCrypto().digest("SHA-256", new TextEncoder().encode(input));
+    return Array.from(new Uint8Array(digest), (value) => value.toString(16).padStart(2, "0")).join("");
+  });
+}
+var JWKS_CACHE_TTL_MS = 5 * 60 * 1e3;
+var cachedJwksUri = null;
+var cachedJwksKeys = null;
+var cachedJwksAt = 0;
+function verifyJwtSignature(token, issuer) {
+  return __async(this, null, function* () {
+    const { header, payload, signingInput, signature } = decodeJwt(token);
+    assert(header.alg === "RS256", `unexpected attestation signing algorithm: ${header.alg}`);
+    assert(typeof header.kid === "string" && header.kid.length > 0, "attestation token kid is missing");
+    const isCacheFresh = cachedJwksKeys && Date.now() - cachedJwksAt < JWKS_CACHE_TTL_MS;
+    if (!isCacheFresh) {
+      const oidc = yield fetchJson(`${issuer}/.well-known/openid-configuration`);
+      assert(typeof (oidc == null ? void 0 : oidc.jwks_uri) === "string" && oidc.jwks_uri.length > 0, "issuer JWKS URI is missing");
+      cachedJwksUri = oidc.jwks_uri;
+      const jwks = yield fetchJson(cachedJwksUri);
+      cachedJwksKeys = (jwks == null ? void 0 : jwks.keys) || [];
+      cachedJwksAt = Date.now();
+    }
+    const jwk = cachedJwksKeys.find((key) => key.kid === header.kid);
+    assert(jwk, `no JWKS key found for kid ${header.kid}`);
+    const cryptoKey = yield getSubtleCrypto().importKey(
+      "jwk",
+      jwk,
+      { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      false,
+      ["verify"]
+    );
+    const isValid = yield getSubtleCrypto().verify(
+      "RSASSA-PKCS1-v1_5",
+      cryptoKey,
+      signature,
+      new TextEncoder().encode(signingInput)
+    );
+    assert(isValid, "JWT signature verification failed");
+    return payload;
+  });
+}
+function isNonceContextData(obj) {
+  if (!obj || typeof obj !== "object") return false;
+  const o = obj;
+  return typeof o.applicationId === "string" && o.applicationId.length > 0 && typeof o.sessionId === "string" && o.sessionId.length > 0 && typeof o.timestamp === "string" && o.timestamp.length > 0;
+}
+function parseProofContext(proof) {
+  let parsedContext;
+  try {
+    parsedContext = JSON.parse(proof.claimData.context);
+  } catch (e) {
+    throw new Error("Malformed proof: claimData.context is not valid JSON");
+  }
+  if (!parsedContext || typeof parsedContext !== "object") {
+    throw new Error("Malformed proof: claimData.context is not a JSON object");
+  }
+  const ctx = parsedContext;
+  const expectedNonce = ctx.attestationNonce;
+  assert(typeof expectedNonce === "string" && expectedNonce.length > 0, "Proof context is missing attestationNonce");
+  const nonceDataObj = ctx.attestationNonceData;
+  assert(isNonceContextData(nonceDataObj), "Proof context is missing or has invalid attestationNonceData (requires applicationId, sessionId, timestamp)");
+  return { parsedContext: ctx, nonceDataObj, expectedNonce };
+}
+function verifyApplicationAndSessionBinding(proof, parsedContext, nonceDataObj, expectedApplicationId) {
+  var _a;
+  const { applicationId, sessionId, timestamp } = nonceDataObj;
+  if (expectedApplicationId) {
+    assert(
+      applicationId.toLowerCase() === expectedApplicationId.toLowerCase(),
+      `Application ID Mismatch! Expected ${expectedApplicationId}, but proof context contains ${applicationId}`
+    );
+  }
+  let parsedParameters = {};
+  if (proof.claimData.parameters) {
+    try {
+      const parsed = JSON.parse(proof.claimData.parameters);
+      parsedParameters = parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+    } catch (e) {
+      throw new Error("Malformed proof: claimData.parameters is not valid JSON");
+    }
+  }
+  const contextSessionId = parsedContext == null ? void 0 : parsedContext.reclaimSessionId;
+  const parameterSessionId = (_a = parsedParameters == null ? void 0 : parsedParameters.proxySessionId) != null ? _a : parsedParameters == null ? void 0 : parsedParameters.sessionId;
+  if (contextSessionId && contextSessionId.toString() !== sessionId.toString()) {
+    throw new Error(`Session ID Mismatch! Expected ${sessionId}, but proof context contains reclaimSessionId=${contextSessionId}`);
+  }
+  if (parameterSessionId && parameterSessionId.toString() !== sessionId.toString()) {
+    throw new Error(`Session ID Mismatch! Expected ${sessionId}, but proof parameters contain ${parameterSessionId}`);
+  }
+  if (!contextSessionId && !parameterSessionId) {
+    throw new Error("Proof is missing reclaimSessionId and proxySessionId/sessionId for attestation nonce verification");
+  }
+  const claimTimestampMs = proof.claimData.timestampS * 1e3;
+  const nonceTimestampMs = parseInt(timestamp, 10);
+  const diffMs = Math.abs(claimTimestampMs - nonceTimestampMs);
+  if (diffMs > NONCE_TIMESTAMP_MAX_SKEW_MS) {
+    throw new Error(`Timestamp Skew Too Large! claimData.timestampS and attestationNonce timestamp differ by ${Math.round(diffMs / 1e3)}s (limit: 600s)`);
   }
-  return hex;
 }
-function concatUint8Arrays(parts) {
-  const totalLength = parts.reduce((sum, arr) => sum + arr.length, 0);
-  const result = new Uint8Array(totalLength);
-  let offset = 0;
-  for (const arr of parts) {
-    result.set(arr, offset);
-    offset += arr.length;
+function verifyNonceMaterial(expectedNonce, nonceDataObj, expectedAppSecret) {
+  const cleanExpectedNonce = normalizeHex(expectedNonce);
+  const { applicationId, sessionId, timestamp } = nonceDataObj;
+  assert(cleanExpectedNonce.length > 0, "Proof context attestationNonce is empty");
+  assert(isHex(cleanExpectedNonce), "Proof context attestationNonce is not valid hex");
+  if (expectedAppSecret) {
+    const recomputedNonce = generateAttestationNonce(expectedAppSecret, applicationId, sessionId, timestamp);
+    assert(
+      recomputedNonce === cleanExpectedNonce,
+      "Attestation nonce verification failed: app secret, application ID, session ID, or timestamp do not match"
+    );
+    return;
+  }
+  if (cleanExpectedNonce.length > 74) {
+    const legacyNonceData = `${applicationId}:${sessionId}:${timestamp}`;
+    const nonceMsg = import_ethers5.ethers.getBytes(import_ethers5.ethers.keccak256(new TextEncoder().encode(legacyNonceData)));
+    const recoveredAddress = import_ethers5.ethers.verifyMessage(
+      nonceMsg,
+      expectedNonce.startsWith("0x") ? expectedNonce : `0x${expectedNonce}`
+    );
+    assert(
+      recoveredAddress.toLowerCase() === applicationId.toLowerCase(),
+      `Nonce signature verification failed: recovered ${recoveredAddress}, expected ${applicationId}`
+    );
+    return;
   }
-  return result;
+  throw new Error("App secret is required to verify hash-based attestation nonces");
 }
-function reverseBytes(bytes) {
-  const copy = Uint8Array.from(bytes);
-  copy.reverse();
-  return copy;
+function assertTokenFresh(claims) {
+  const now = Math.floor(Date.now() / 1e3);
+  if (typeof claims.nbf === "number" && now + TOKEN_CLOCK_SKEW_S < claims.nbf) {
+    throw new Error(`Attestation token is not valid before ${claims.nbf}`);
+  }
+  if (typeof claims.exp === "number" && now - TOKEN_CLOCK_SKEW_S > claims.exp) {
+    throw new Error(`Attestation token expired at ${claims.exp}`);
+  }
+  if (typeof claims.iat === "number" && claims.iat > now + TOKEN_CLOCK_SKEW_S) {
+    throw new Error(`Attestation token issued-at ${claims.iat} is in the future`);
+  }
 }
-function normalizeSerial(s) {
-  let cleaned = s.toLowerCase().replace(/[^a-f0-9]/g, "");
-  while (cleaned.startsWith("0") && cleaned.length > 1) cleaned = cleaned.substring(1);
-  return cleaned;
+function assertAudienceClaim(aud) {
+  if (typeof aud === "string") {
+    assert(aud.length > 0, "attestation token audience is empty");
+    return;
+  }
+  if (Array.isArray(aud)) {
+    assert(aud.length > 0, "attestation token audience is empty");
+    assert(aud.every((entry) => typeof entry === "string" && entry.length > 0), "attestation token audience contains invalid entries");
+    return;
+  }
+  throw new Error("attestation token audience is missing");
 }
-var isNode = typeof process !== "undefined" && process.versions && process.versions.node;
-var getSubtleCrypto = () => {
+function getProofVersion(teeAttestation) {
   var _a;
-  if (typeof window !== "undefined" && ((_a = window.crypto) == null ? void 0 : _a.subtle)) return window.crypto.subtle;
-  if (isNode) return require("crypto").webcrypto.subtle;
-  throw new Error("No WebCrypto subtle implementation found in this environment");
-};
-function parseCert(buffer) {
-  const bytes = toUint8Array(buffer);
-  const asn1 = import_node_forge.default.asn1.fromDer(uint8ArrayToBinaryString(bytes));
-  const certSeq = asn1.value;
-  const tbsAsn1 = certSeq[0];
-  const sigAlgAsn1 = certSeq[1];
-  const sigValueAsn1 = certSeq[2];
-  const tbsFields = tbsAsn1.value;
-  let idx = 0;
-  if (tbsFields[idx].tagClass === 128) idx++;
-  const serialAsn1 = tbsFields[idx++];
-  const serialNumber = import_node_forge.default.util.bytesToHex(serialAsn1.value);
-  idx++;
-  idx++;
-  const validityAsn1 = tbsFields[idx++];
-  idx++;
-  const spkiAsn1 = tbsFields[idx];
-  if (!validityAsn1 || !Array.isArray(validityAsn1.value) || validityAsn1.value.length < 2) {
-    throw new Error("Certificate validity window is malformed");
-  }
-  const notBeforeNode = validityAsn1.value[0];
-  const notAfterNode = validityAsn1.value[1];
-  const notBefore = notBeforeNode ? parseAsn1Time(notBeforeNode) : void 0;
-  const notAfter = notAfterNode ? parseAsn1Time(notAfterNode) : void 0;
-  const sigRaw = typeof sigValueAsn1.value === "string" ? sigValueAsn1.value : "";
-  const signature = binaryStringToUint8Array(sigRaw.substring(1));
-  const sigAlgOid = import_node_forge.default.asn1.derToOid(sigAlgAsn1.value[0].value);
-  return {
-    serialNumber: normalizeSerial(serialNumber),
-    tbsDer: binaryStringToUint8Array(import_node_forge.default.asn1.toDer(tbsAsn1).getBytes()),
-    signature,
-    sigAlgOid,
-    spkiDer: binaryStringToUint8Array(import_node_forge.default.asn1.toDer(spkiAsn1).getBytes()),
-    notBefore,
-    notAfter
-  };
+  return (_a = teeAttestation.proof_version) != null ? _a : teeAttestation.proofVersion;
+}
+function assertProofShape(teeAttestation) {
+  var _a, _b, _c;
+  if (teeAttestation.error) {
+    throw new Error(`${teeAttestation.error.code}: ${teeAttestation.error.message}`);
+  }
+  const proofVersion = getProofVersion(teeAttestation);
+  assert(typeof proofVersion === "string" && SUPPORTED_PROOF_VERSIONS.includes(proofVersion), `unexpected proof version: ${proofVersion}`);
+  assert(teeAttestation.tee_provider === EXPECTED_TEE_PROVIDER, `unexpected tee provider: ${teeAttestation.tee_provider}`);
+  assert(teeAttestation.tee_technology === EXPECTED_TEE_TECHNOLOGY, `unexpected tee technology: ${teeAttestation.tee_technology}`);
+  assert(typeof teeAttestation.nonce === "string" && teeAttestation.nonce.length > 0, "tee attestation nonce missing");
+  assert(typeof teeAttestation.timestamp === "string" && teeAttestation.timestamp.length > 0, "tee attestation timestamp missing");
+  assert(!Number.isNaN(Date.parse(teeAttestation.timestamp)), "tee attestation timestamp is invalid");
+  assert(typeof ((_a = teeAttestation.workload) == null ? void 0 : _a.image_digest) === "string" && teeAttestation.workload.image_digest.length > 0, "workload image digest missing");
+  assert(typeof ((_b = teeAttestation.verifier) == null ? void 0 : _b.image_digest) === "string" && teeAttestation.verifier.image_digest.length > 0, "verifier image digest missing");
+  assert(typeof ((_c = teeAttestation.attestation) == null ? void 0 : _c.token) === "string" && teeAttestation.attestation.token.length > 0, "attestation token missing");
+}
+function computeDigestBinding(teeAttestation) {
+  return __async(this, null, function* () {
+    const proofVersion = getProofVersion(teeAttestation);
+    if (proofVersion === "v3") {
+      assert(typeof teeAttestation.workload.container_name === "string" && teeAttestation.workload.container_name.length > 0, "workload container name missing");
+      assert(typeof teeAttestation.verifier.container_name === "string" && teeAttestation.verifier.container_name.length > 0, "verifier container name missing");
+      return sha256Hex([
+        "v3",
+        `workload.container_name=${teeAttestation.workload.container_name}`,
+        `workload.image_digest=${teeAttestation.workload.image_digest}`,
+        `verifier.container_name=${teeAttestation.verifier.container_name}`,
+        `verifier.image_digest=${teeAttestation.verifier.image_digest}`
+      ].join("\n"));
+    }
+    return sha256Hex(
+      `${teeAttestation.workload.image_digest}
+${teeAttestation.verifier.image_digest}`
+    );
+  });
 }
-function verifySignature(publicKeyPem, data, signature, sigAlgOid) {
+function verifyGcpClaims(teeAttestation, expectedNonce) {
   return __async(this, null, function* () {
-    const cryptoSubtle = getSubtleCrypto();
-    const forgeCert = import_node_forge.default.pki.certificateFromPem(publicKeyPem);
-    const spkiBuf = binaryStringToUint8Array(import_node_forge.default.asn1.toDer(import_node_forge.default.pki.publicKeyToAsn1(forgeCert.publicKey)).getBytes());
-    let importParams;
-    let verifyParams;
-    if (sigAlgOid === "1.2.840.113549.1.1.10") {
-      importParams = { name: "RSA-PSS", hash: "SHA-384" };
-      verifyParams = { name: "RSA-PSS", saltLength: 48 };
-    } else if (sigAlgOid === "1.2.840.113549.1.1.11" || sigAlgOid === "1.2.840.113549.1.1.12" || sigAlgOid === "1.2.840.113549.1.1.5") {
-      importParams = { name: "RSASSA-PKCS1-v1_5", hash: sigAlgOid === "1.2.840.113549.1.1.12" ? "SHA-384" : "SHA-256" };
-      verifyParams = { name: "RSASSA-PKCS1-v1_5" };
-    } else if (sigAlgOid === "1.2.840.10045.4.3.3") {
-      importParams = { name: "ECDSA", namedCurve: "P-384" };
-      verifyParams = { name: "ECDSA", hash: "SHA-384" };
-    } else {
-      importParams = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
-      verifyParams = { name: "RSASSA-PKCS1-v1_5" };
-    }
-    const key = yield cryptoSubtle.importKey("spki", spkiBuf, importParams, false, ["verify"]);
-    const isValid = yield cryptoSubtle.verify(verifyParams, key, signature, data);
-    if (!isValid) throw new Error(`Signature verification failed (OID: ${sigAlgOid}, ImportParams: ${JSON.stringify(importParams)})`);
+    var _a;
+    const claims = yield verifyJwtSignature(teeAttestation.attestation.token, EXPECTED_ISSUER);
+    assert(claims.iss === EXPECTED_ISSUER, `unexpected issuer: ${claims.iss}`);
+    assertAudienceClaim(claims.aud);
+    assert(Array.isArray(claims.eat_nonce), "eat_nonce claim missing");
+    const digestBinding = yield computeDigestBinding(teeAttestation);
+    assert(claims.eat_nonce.includes(expectedNonce), "request nonce is not present in attestation token");
+    assert(claims.eat_nonce.includes(digestBinding), "digest-binding nonce is not present in attestation token");
+    assert(claims.hwmodel === EXPECTED_HW_MODEL, `unexpected hwmodel: ${claims.hwmodel}`);
+    assert(claims.secboot === true, "secure boot claim is not true");
+    assert((_a = claims.submods) == null ? void 0 : _a.gce, "gce submod claim missing");
+    assertTokenFresh(claims);
   });
 }
-var COSIGN_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjiL30OjPuxa+GC1I7SAcBv2u2pMt
-h9WbP33IvB3eFww+C1hoW0fwdZPiq4FxBtKNiZuFpmYuFngW/nJteBu9kQ==
------END PUBLIC KEY-----
-`;
-function verifyTeeAttestation(proof, expectedApplicationId) {
+function verifyTeeAttestation(proof, appSecret) {
   return __async(this, null, function* () {
+    assertNonBrowserEnvironment();
     try {
+      const appId = new import_ethers5.ethers.Wallet(appSecret).address;
       let teeAttestation = proof.teeAttestation;
       if (!teeAttestation) {
         throw new Error("Missing teeAttestation in proof");
@@ -1983,414 +2002,45 @@ function verifyTeeAttestation(proof, expectedApplicationId) {
       if (typeof teeAttestation === "string") {
         teeAttestation = JSON.parse(teeAttestation);
       }
-      let expectedNonceSignature;
-      let nonceDataObj;
-      try {
-        const context = JSON.parse(proof.claimData.context);
-        expectedNonceSignature = context.attestationNonce;
-        nonceDataObj = context.attestationNonceData;
-      } catch (e) {
-        throw new Error("Failed to parse proof context to extract attestationNonce");
-      }
-      if (!expectedNonceSignature || !nonceDataObj) {
-        throw new Error("Proof context is missing attestationNonce or attestationNonceData");
-      }
-      if (teeAttestation.nonce !== expectedNonceSignature) {
-        throw new Error(`Nonce Mismatch! Expected signature ${expectedNonceSignature}, got ${teeAttestation.nonce}`);
-      }
-      const { applicationId, sessionId, timestamp } = nonceDataObj;
-      if (expectedApplicationId && applicationId.toLowerCase() !== expectedApplicationId.toLowerCase()) {
-        throw new Error(`Application ID Mismatch! Expected ${expectedApplicationId}, but proof context contains ${applicationId}`);
-      }
-      const expectedNonceData = `${applicationId}:${sessionId}:${timestamp}`;
-      const nonceMsg = import_ethers4.ethers.getBytes(import_ethers4.ethers.keccak256(new TextEncoder().encode(expectedNonceData)));
-      const recoveredAddress = import_ethers4.ethers.verifyMessage(nonceMsg, expectedNonceSignature);
-      if (recoveredAddress.toLowerCase() !== applicationId.toLowerCase()) {
-        throw new Error(`Nonce signature verification failed: recovered ${recoveredAddress}, expected ${applicationId}`);
-      }
-      try {
-        const context = JSON.parse(proof.claimData.context);
-        const paramSessionId = context.attestationNonceData.sessionId;
-        if (!paramSessionId) {
-          throw new Error(`Proof parameters are missing proxySessionId or sessionId`);
-        }
-        if (paramSessionId.toString() !== sessionId.toString()) {
-          throw new Error(`Session ID Mismatch! Expected ${sessionId}, but proof parameters contain ${paramSessionId}`);
-        }
-        const claimTimestampMs = proof.claimData.timestampS * 1e3;
-        const nonceTimestampMs = parseInt(timestamp, 10);
-        const diffMs = Math.abs(claimTimestampMs - nonceTimestampMs);
-        const TEN_MINUTES_MS = 10 * 60 * 1e3;
-        if (diffMs > TEN_MINUTES_MS) {
-          throw new Error(`Timestamp Skew Too Large! claimData.timestampS and attestationNonce timestamp differ by ${Math.round(diffMs / 1e3)}s (limit: 600s)`);
-        }
-      } catch (e) {
-        if (e instanceof Error && (e.message.includes("Session ID Mismatch!") || e.message.includes("Timestamp Skew"))) {
-          throw e;
-        }
-        throw new Error(`Failed to cross-verify session ID: ${e.message}`);
-      }
-      const reportBuffer = base64ToUint8Array(teeAttestation.snp_report);
-      const report = parseAttestationReport(reportBuffer);
-      if (report.isDebugEnabled) {
-        throw new Error("POLICY CHECK FAILED: Debug mode is ALLOWED. Environment is compromised.");
-      }
-      const certBuffer = base64ToUint8Array(teeAttestation.vlek_cert);
-      yield verifyAMDChain(certBuffer);
-      verifyTCB(certBuffer, report);
-      yield verifyHardwareSignature(reportBuffer, certBuffer);
-      yield verifyReportData(teeAttestation, proof.claimData.context, report);
-      return true;
+      assertProofShape(teeAttestation);
+      const { parsedContext, nonceDataObj, expectedNonce } = parseProofContext(proof);
+      verifyApplicationAndSessionBinding(proof, parsedContext, nonceDataObj, appId);
+      verifyNonceMaterial(expectedNonce, nonceDataObj, appSecret);
+      const cleanExpectedNonce = normalizeHex(expectedNonce);
+      const cleanTeeNonce = normalizeHex(teeAttestation.nonce);
+      assert(cleanTeeNonce.length > 0, "TEE attestation nonce is empty");
+      assert(isHex(cleanTeeNonce), "TEE attestation nonce is not valid hex");
+      assert(cleanTeeNonce === cleanExpectedNonce, `Nonce Mismatch! Expected ${cleanExpectedNonce}, got ${cleanTeeNonce}`);
+      yield verifyGcpClaims(teeAttestation, cleanExpectedNonce);
+      return { isVerified: true };
     } catch (error) {
       logger9.error("TEE attestation verification failed:", error);
-      return false;
-    }
-  });
-}
-function parseAttestationReport(buffer) {
-  if (buffer.length < 1e3) {
-    throw new Error(`Report buffer is too small: ${buffer.length} bytes`);
-  }
-  const view = new DataView(buffer.buffer, buffer.byteOffset, buffer.byteLength);
-  const policy = view.getBigUint64(8, true);
-  const isDebugEnabled = (policy & BigInt(1) << BigInt(19)) !== BigInt(0);
-  const reported_tcb = {
-    bootloader: buffer[56],
-    tee: buffer[57],
-    snp: buffer[62],
-    microcode: buffer[63]
-  };
-  const reportData = arrayBufferToHex(buffer.subarray(80, 144));
-  return { policy, isDebugEnabled, reported_tcb, reportData };
-}
-function getExtValue(certAsn1, oidString) {
-  const tbsCert = certAsn1.value[0];
-  if (!tbsCert || !tbsCert.value) return null;
-  const extBlockWrapper = tbsCert.value.find((node) => node.tagClass === import_node_forge.default.asn1.Class.CONTEXT_SPECIFIC && node.type === 3);
-  if (!extBlockWrapper || !extBlockWrapper.value || !extBlockWrapper.value.length) return null;
-  const extSequence = extBlockWrapper.value[0];
-  for (const ext of extSequence.value) {
-    const extIdAsn1 = ext.value[0];
-    const extIdStr = import_node_forge.default.asn1.derToOid(extIdAsn1.value);
-    if (extIdStr === oidString) {
-      const extValueAsn1 = ext.value[ext.value.length - 1];
-      const rawOctetStringBytes = extValueAsn1.value;
-      try {
-        const innerAsn1 = import_node_forge.default.asn1.fromDer(import_node_forge.default.util.createBuffer(rawOctetStringBytes));
-        if (innerAsn1.type === 2) {
-          const bytes = innerAsn1.value;
-          if (typeof bytes === "string" && bytes.length > 0) {
-            return bytes.charCodeAt(bytes.length - 1);
-          } else {
-            throw new Error(`Extension ${oidString} INTEGER value is empty or invalid`);
-          }
-        } else {
-          throw new Error(`Extension ${oidString} does not contain an INTEGER, found type ${innerAsn1.type}`);
-        }
-      } catch (e) {
-        throw new Error(`Failed to strictly parse AMD TCB extension ${oidString}: ${e.message}`);
-      }
-    }
-  }
-  return null;
-}
-function verifyTCB(vlekCertBuffer, report) {
-  const certAsn1 = import_node_forge.default.asn1.fromDer(import_node_forge.default.util.createBuffer(uint8ArrayToBinaryString(vlekCertBuffer)));
-  const OID_BOOTLOADER = "1.3.6.1.4.1.3704.1.3.1";
-  const OID_TEE = "1.3.6.1.4.1.3704.1.3.2";
-  const OID_SNP = "1.3.6.1.4.1.3704.1.3.3";
-  const OID_MICROCODE = "1.3.6.1.4.1.3704.1.3.8";
-  const certTcb = {
-    bootloader: getExtValue(certAsn1, OID_BOOTLOADER),
-    tee: getExtValue(certAsn1, OID_TEE),
-    snp: getExtValue(certAsn1, OID_SNP),
-    microcode: getExtValue(certAsn1, OID_MICROCODE)
-  };
-  if (certTcb.bootloader !== null && report.reported_tcb.bootloader < certTcb.bootloader) {
-    throw new Error(`TCB Downgrade! Bootloader reported ${report.reported_tcb.bootloader}, but certificate requires ${certTcb.bootloader}`);
-  }
-  if (certTcb.tee !== null && report.reported_tcb.tee < certTcb.tee) {
-    throw new Error(`TCB Downgrade! TEE reported ${report.reported_tcb.tee}, but certificate requires ${certTcb.tee}`);
-  }
-  if (certTcb.snp !== null && report.reported_tcb.snp < certTcb.snp) {
-    throw new Error(`TCB Downgrade! SNP reported ${report.reported_tcb.snp}, but certificate requires ${certTcb.snp}`);
-  }
-  if (certTcb.microcode !== null && report.reported_tcb.microcode < certTcb.microcode) {
-    throw new Error(`TCB Downgrade! Microcode reported ${report.reported_tcb.microcode}, but certificate requires ${certTcb.microcode}`);
-  }
-}
-function parseAsn1Time(node) {
-  const s = node.value;
-  if (node.type === import_node_forge.default.asn1.Type.UTCTIME) {
-    const yr = parseInt(s.substring(0, 2), 10);
-    return new Date(Date.UTC(
-      yr >= 50 ? 1900 + yr : 2e3 + yr,
-      parseInt(s.substring(2, 4), 10) - 1,
-      parseInt(s.substring(4, 6), 10),
-      parseInt(s.substring(6, 8), 10),
-      parseInt(s.substring(8, 10), 10),
-      parseInt(s.substring(10, 12), 10)
-    ));
-  } else {
-    return new Date(Date.UTC(
-      parseInt(s.substring(0, 4), 10),
-      parseInt(s.substring(4, 6), 10) - 1,
-      parseInt(s.substring(6, 8), 10),
-      parseInt(s.substring(8, 10), 10),
-      parseInt(s.substring(10, 12), 10),
-      parseInt(s.substring(12, 14), 10)
-    ));
-  }
-}
-function verifyCRL(crlBuf, arkPem, vlekSerial) {
-  return __async(this, null, function* () {
-    const crlAsn1 = import_node_forge.default.asn1.fromDer(import_node_forge.default.util.createBuffer(uint8ArrayToBinaryString(crlBuf)));
-    if (!Array.isArray(crlAsn1.value) || crlAsn1.value.length < 3) {
-      throw new Error("CRL ASN.1 structure is invalid: expected SEQUENCE with TBSCertList, AlgorithmIdentifier, BIT STRING");
-    }
-    const tbsAsn1 = crlAsn1.value[0];
-    const sigBitsAsn1 = crlAsn1.value[2];
-    if (!Array.isArray(tbsAsn1.value)) {
-      throw new Error("CRL TBSCertList is not a valid SEQUENCE");
-    }
-    const tbsFields = tbsAsn1.value;
-    let fi = 0;
-    if (fi < tbsFields.length && tbsFields[fi].tagClass === import_node_forge.default.asn1.Class.UNIVERSAL && tbsFields[fi].type === import_node_forge.default.asn1.Type.INTEGER) {
-      fi++;
-    }
-    if (fi < tbsFields.length) fi++;
-    if (fi >= tbsFields.length) throw new Error("CRL TBSCertList missing issuer");
-    const issuerAsn1 = tbsFields[fi++];
-    if (fi >= tbsFields.length) throw new Error("CRL TBSCertList missing thisUpdate");
-    const thisUpdateAsn1 = tbsFields[fi++];
-    let nextUpdateAsn1 = null;
-    if (fi < tbsFields.length && tbsFields[fi].tagClass === import_node_forge.default.asn1.Class.UNIVERSAL && (tbsFields[fi].type === import_node_forge.default.asn1.Type.UTCTIME || tbsFields[fi].type === import_node_forge.default.asn1.Type.GENERALIZEDTIME)) {
-      nextUpdateAsn1 = tbsFields[fi++];
-    }
-    let revokedSeq = null;
-    if (fi < tbsFields.length && tbsFields[fi].tagClass === import_node_forge.default.asn1.Class.UNIVERSAL && tbsFields[fi].type === import_node_forge.default.asn1.Type.SEQUENCE) {
-      revokedSeq = tbsFields[fi];
-    }
-    const now = /* @__PURE__ */ new Date();
-    const thisUpdate = parseAsn1Time(thisUpdateAsn1);
-    if (thisUpdate > now) {
-      throw new Error(`CRL is not yet valid: thisUpdate is ${thisUpdate.toISOString()}`);
-    }
-    if (nextUpdateAsn1) {
-      const nextUpdate = parseAsn1Time(nextUpdateAsn1);
-      if (nextUpdate < now) {
-        throw new Error(`CRL has expired: nextUpdate was ${nextUpdate.toISOString()}`);
-      }
-    }
-    const crlIssuerDer = import_node_forge.default.asn1.toDer(issuerAsn1).getBytes();
-    const arkForgeCert = import_node_forge.default.pki.certificateFromPem(arkPem);
-    const arkCertAsn1 = import_node_forge.default.pki.certificateToAsn1(arkForgeCert);
-    const arkSubjectAsn1 = arkCertAsn1.value[0].value[5];
-    const arkSubjectDer = import_node_forge.default.asn1.toDer(arkSubjectAsn1).getBytes();
-    if (crlIssuerDer !== arkSubjectDer) {
-      throw new Error("CRL issuer does not match AMD ARK certificate subject \u2014 chain mismatch");
-    }
-    const tbsDerBuf = binaryStringToUint8Array(import_node_forge.default.asn1.toDer(tbsAsn1).getBytes());
-    const sigRaw = typeof sigBitsAsn1.value === "string" ? sigBitsAsn1.value : "";
-    const sigBuf = binaryStringToUint8Array(sigRaw.substring(1));
-    const cryptoSubtle = getSubtleCrypto();
-    const spkiBuf = binaryStringToUint8Array(
-      import_node_forge.default.asn1.toDer(import_node_forge.default.pki.publicKeyToAsn1(arkForgeCert.publicKey)).getBytes()
-    );
-    const arkCryptoKey = yield cryptoSubtle.importKey(
-      "spki",
-      spkiBuf,
-      { name: "RSA-PSS", hash: "SHA-384" },
-      false,
-      ["verify"]
-    );
-    const isValid = yield cryptoSubtle.verify(
-      { name: "RSA-PSS", saltLength: 48 },
-      // SHA-384 salt length is 48
-      arkCryptoKey,
-      sigBuf,
-      tbsDerBuf
-    );
-    if (!isValid) {
-      throw new Error("CRL signature is INVALID \u2014 the CRL may be tampered or forged");
-    }
-    const targetSerial = normalizeSerial(vlekSerial);
-    if (revokedSeq && Array.isArray(revokedSeq.value)) {
-      for (const entry of revokedSeq.value) {
-        if (!Array.isArray(entry.value) || entry.value.length < 2) continue;
-        const serialAsn1 = entry.value[0];
-        if (serialAsn1.type !== import_node_forge.default.asn1.Type.INTEGER || typeof serialAsn1.value !== "string") continue;
-        const serialHex = import_node_forge.default.util.bytesToHex(serialAsn1.value);
-        if (normalizeSerial(serialHex) === targetSerial) {
-          throw new Error("\u{1F6A8} VLEK Certificate is REVOKED per AMD CRL! This hardware may be compromised.");
-        }
-      }
+      return {
+        isVerified: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
     }
   });
 }
-function assertCertValidity(label, cert) {
-  const now = Date.now();
-  if (cert.notBefore && now < cert.notBefore.getTime()) {
-    throw new Error(`${label} certificate is not yet valid (notBefore: ${cert.notBefore.toISOString()})`);
-  }
-  if (cert.notAfter && now > cert.notAfter.getTime()) {
-    throw new Error(`${label} certificate expired on ${cert.notAfter.toISOString()}`);
-  }
-}
-function verifyAMDChain(vlekCertBuffer) {
+function runTeeVerification(proofs, config) {
   return __async(this, null, function* () {
-    const processors = ["Milan", "Genoa"];
-    let chainVerified = false;
-    const vlek = parseCert(vlekCertBuffer);
-    assertCertValidity("VLEK", vlek);
-    for (const processor of processors) {
-      let matchedChain = false;
+    const hasTeeData = proofs.every((proof) => {
+      if (proof.teeAttestation) return true;
       try {
-        const chainPem = AMD_CERTS[processor];
-        if (!chainPem) continue;
-        const certs = chainPem.split("-----END CERTIFICATE-----").map((c) => c.trim()).filter((c) => c.length > 0).map((c) => c + "\n-----END CERTIFICATE-----\n");
-        const askCert = import_node_forge.default.pki.certificateFromPem(certs[0]);
-        const arkCert = import_node_forge.default.pki.certificateFromPem(certs[1]);
-        const askDer = import_node_forge.default.asn1.toDer(import_node_forge.default.pki.certificateToAsn1(askCert)).getBytes();
-        const arkDer = import_node_forge.default.asn1.toDer(import_node_forge.default.pki.certificateToAsn1(arkCert)).getBytes();
-        const ask = parseCert(binaryStringToUint8Array(askDer));
-        const ark = parseCert(binaryStringToUint8Array(arkDer));
-        assertCertValidity("ASK", ask);
-        assertCertValidity("ARK", ark);
-        try {
-          yield verifySignature(certs[1], ark.tbsDer, ark.signature, ark.sigAlgOid);
-        } catch (e) {
-          throw new Error(`AMD ARK self-signature verification failed: ${e.message}`);
-        }
-        try {
-          yield verifySignature(certs[1], ask.tbsDer, ask.signature, ask.sigAlgOid);
-        } catch (e) {
-          throw new Error(`AMD ASK-by-ARK signature verification failed: ${e.message}`);
-        }
-        try {
-          yield verifySignature(certs[0], vlek.tbsDer, vlek.signature, vlek.sigAlgOid);
-        } catch (e) {
-          throw new Error(`VLEK-by-ASK signature verification failed: ${e.message}`);
-        }
-        matchedChain = true;
-        let crlBuf;
-        const now = Date.now();
-        if (crlCache[processor] && now - crlCache[processor].fetchedAt < 36e5) {
-          crlBuf = crlCache[processor].buffer;
-        } else {
-          const crlUrl = `https://kdsintf.amd.com/vlek/v1/${processor}/crl`;
-          const controller = new AbortController();
-          const timeoutId = setTimeout(() => controller.abort(), 5e3);
-          const crlResp = yield fetch(crlUrl, { signal: controller.signal });
-          clearTimeout(timeoutId);
-          if (!crlResp.ok) continue;
-          crlBuf = new Uint8Array(yield crlResp.arrayBuffer());
-          crlCache[processor] = { buffer: crlBuf, fetchedAt: now };
-        }
-        if (vlek.serialNumber && crlBuf) {
-          yield verifyCRL(crlBuf, certs[1], vlek.serialNumber);
-        }
-        chainVerified = true;
-        break;
+        const context = JSON.parse(proof.claimData.context);
+        return !!(context == null ? void 0 : context.attestationNonce);
       } catch (e) {
-        if (matchedChain) {
-          throw e;
-        }
-        continue;
+        return false;
       }
+    });
+    if (!hasTeeData) {
+      throw new TeeVerificationError("TEE verification requested but one or more proofs are missing TEE attestation data");
     }
-    if (!chainVerified) {
-      throw new Error("VLEK Certificate failed verification against all known AMD Root of Trust chains!");
-    }
-  });
-}
-function verifyHardwareSignature(reportBytes, certBytes) {
-  return __async(this, null, function* () {
-    const vlek = parseCert(certBytes);
-    const sigOffset = 672;
-    const rLE = reportBytes.subarray(sigOffset, sigOffset + 72);
-    const sLE = reportBytes.subarray(sigOffset + 72, sigOffset + 144);
-    const rBE = reverseBytes(rLE);
-    const sBE = reverseBytes(sLE);
-    const signedData = reportBytes.subarray(0, 672);
-    const cryptoSubtle = getSubtleCrypto();
-    const importedKey = yield cryptoSubtle.importKey(
-      "spki",
-      vlek.spkiDer,
-      { name: "ECDSA", namedCurve: "P-384" },
-      false,
-      ["verify"]
-    );
-    const rPadding = rBE.subarray(0, rBE.length - 48);
-    const sPadding = sBE.subarray(0, sBE.length - 48);
-    if (!rPadding.every((b) => b === 0) || !sPadding.every((b) => b === 0)) {
-      throw new Error("Hardware ECDSA signature is malformed: non-zero padding bytes detected in the structural signature coordinates.");
-    }
-    const r48 = rBE.subarray(rBE.length - 48);
-    const s48 = sBE.subarray(sBE.length - 48);
-    const rawSignature = concatUint8Arrays([r48, s48]);
-    const isValid = yield cryptoSubtle.verify(
-      { name: "ECDSA", hash: { name: "SHA-384" } },
-      importedKey,
-      rawSignature,
-      signedData
-    );
-    if (!isValid) {
-      throw new Error("Hardware ECDSA signature is completely invalid!");
-    }
-  });
-}
-function verifyReportData(teeAttestation, proofContext, report) {
-  return __async(this, null, function* () {
-    if (!teeAttestation.workload_digest || !teeAttestation.verifier_digest) {
-      throw new Error("POLICY CHECK FAILED: Missing workload_digest or verifier_digest in TEE attestation.");
-    }
-    const { attestationNonce: nonce } = JSON.parse(proofContext);
-    const cryptoSubtle = getSubtleCrypto();
-    const extractDigestBytes = (imageRef) => {
-      const marker = "@sha256:";
-      const idx = imageRef.lastIndexOf(marker);
-      if (idx < 0) throw new Error(`Image ref missing @sha256: digest: ${imageRef}`);
-      const hexDigest = imageRef.substring(idx + marker.length);
-      if (hexDigest.length !== 64) throw new Error(`SHA256 digest must be 64 hex chars, got ${hexDigest.length} in: ${imageRef}`);
-      const bytes = new Uint8Array(32);
-      for (let i = 0; i < 32; i++) bytes[i] = parseInt(hexDigest.substring(i * 2, i * 2 + 2), 16);
-      return bytes;
-    };
-    const importedCosignKey = yield cryptoSubtle.importKey(
-      "spki",
-      base64ToUint8Array(
-        COSIGN_PUBLIC_KEY.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "").replace(/\s+/g, "")
-      ),
-      { name: "ECDSA", namedCurve: "P-256" },
-      true,
-      ["verify"]
+    const teeResults = yield Promise.all(
+      proofs.map((proof) => verifyTeeAttestation(proof, config.appSecret))
     );
-    const pubKeySpkiDer = yield cryptoSubtle.exportKey("spki", importedCosignKey);
-    const pubKeyHashBuffer = yield cryptoSubtle.digest("SHA-256", pubKeySpkiDer);
-    const pubKeyHashBytes = new Uint8Array(pubKeyHashBuffer);
-    const nonceHex = (teeAttestation.nonce || nonce).replace(/^0x/i, "");
-    const nonceBytes = new Uint8Array(nonceHex.length / 2);
-    for (let i = 0; i < nonceBytes.length; i++) nonceBytes[i] = parseInt(nonceHex.substring(i * 2, i * 2 + 2), 16);
-    const workloadBytes = extractDigestBytes(teeAttestation.workload_digest);
-    const verifierBytes = extractDigestBytes(teeAttestation.verifier_digest);
-    const domainSep = new TextEncoder().encode("POPCORN_TEE_REPORT_DATA_V1");
-    const version = new Uint8Array([1]);
-    const payload = new Uint8Array(
-      domainSep.length + version.length + workloadBytes.length + verifierBytes.length + pubKeyHashBytes.length + nonceBytes.length
-    );
-    let offset = 0;
-    for (const chunk of [domainSep, version, workloadBytes, verifierBytes, pubKeyHashBytes, nonceBytes]) {
-      payload.set(chunk, offset);
-      offset += chunk.length;
-    }
-    const hashBuffer = yield cryptoSubtle.digest("SHA-256", payload);
-    const hashHex = arrayBufferToHex(hashBuffer);
-    const expected64ByteHex = hashHex + hashHex;
-    if (report.reportData !== expected64ByteHex) {
-      throw new Error(`REPORT_DATA Mismatch! Hardware report is not bound to these image digests or nonce.
-Expected: ${expected64ByteHex}
-Got:      ${report.reportData}`);
+    if (!teeResults.every((r) => r.isVerified)) {
+      throw new TeeVerificationError("TEE attestation verification failed for one or more proofs");
     }
   });
 }
@@ -2398,6 +2048,7 @@ Got:      ${report.reportData}`);
 // src/Reclaim.ts
 var logger10 = logger_default.logger;
 var sdkVersion = require_package().version;
+var SDK_TEE_ATTESTATION_VERSION = "v3";
 function verifyProof(proofOrProofs, config) {
   return __async(this, null, function* () {
     const proofs = Array.isArray(proofOrProofs) ? proofOrProofs : [proofOrProofs];
@@ -2413,29 +2064,15 @@ function verifyProof(proofOrProofs, config) {
         yield assertVerifiedProof(proof, attestors);
       }
       yield assertValidateProof(proofs, config);
-      let isTeeVerified = void 0;
-      if (config.verifyTEE) {
-        const hasTeeData = proofs.every((proof) => proof.teeAttestation || JSON.parse(proof.claimData.context).attestationNonce);
-        if (!hasTeeData) {
-          const teeError = new TeeVerificationError("TEE verification requested but one or more proofs are missing TEE attestation data");
-          logger10.error(teeError.message);
-          return createVerifyProofResultFailure(teeError, false);
-        }
-        try {
-          const teeResults = yield Promise.all(proofs.map((proof) => verifyTeeAttestation(proof)));
-          isTeeVerified = teeResults.every((r) => r === true);
-          if (!isTeeVerified) {
-            const teeError = new TeeVerificationError("TEE attestation verification failed for one or more proofs");
-            logger10.error(teeError.message);
-            return createVerifyProofResultFailure(teeError, false);
-          }
-        } catch (error) {
-          const teeError = new TeeVerificationError("Error verifying TEE attestation", error);
-          logger10.error(teeError.message);
-          return createVerifyProofResultFailure(teeError, false);
-        }
+      let isTeeAttestationVerified;
+      if (config.teeAttestation && "dangerouslyDisableContentValidation" in config && config.dangerouslyDisableContentValidation) {
+        logger10.warn("teeAttestation is enabled but content validation is disabled \u2014 TEE attestation alone does not guarantee proof contents are valid");
       }
-      return createVerifyProofResultSuccess(proofs, isTeeVerified);
+      if (config.teeAttestation) {
+        yield runTeeVerification(proofs, config.teeAttestation);
+        isTeeAttestationVerified = true;
+      }
+      return createVerifyProofResultSuccess(proofs, isTeeAttestationVerified);
     } catch (error) {
       logger10.error("Error in validating proof:", error);
       const _error = error instanceof Error ? error : new Error(String(error));
@@ -2498,7 +2135,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
      * @returns
      */
     this.getTemplateData = () => {
-      var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l;
+      var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n, _o;
       if (!this.signature) {
         throw new SignatureNotFoundError("Signature is not set.");
       }
@@ -2538,7 +2175,9 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
         log: (_h = (_g = this.options) == null ? void 0 : _g.log) != null ? _h : false,
         canAutoSubmit: (_j = (_i = this.options) == null ? void 0 : _i.canAutoSubmit) != null ? _j : true,
         metadata: (_k = this.options) == null ? void 0 : _k.metadata,
-        preferredLocale: (_l = this.options) == null ? void 0 : _l.preferredLocale
+        preferredLocale: (_l = this.options) == null ? void 0 : _l.preferredLocale,
+        acceptTeeAttestation: (_m = this.options) == null ? void 0 : _m.acceptTeeAttestation,
+        teeAttestationVersion: (_o = (_n = this.context.attestationNonceData) == null ? void 0 : _n.attestationVersion) != null ? _o : SDK_TEE_ATTESTATION_VERSION
       };
       return templateData;
     };
@@ -2609,6 +2248,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
    */
   static init(applicationId, appSecret, providerId, options) {
     return __async(this, null, function* () {
+      var _a;
       try {
         validateFunctionParams([
           { paramName: "applicationId", input: applicationId, isString: true },
@@ -2690,22 +2330,28 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
             }, "the constructor");
           }
         }
-        const proofRequestInstance = new _ReclaimProofRequest(applicationId, providerId, options);
+        const proofRequestOptions = __spreadProps(__spreadValues({}, options), {
+          acceptTeeAttestation: (_a = options == null ? void 0 : options.acceptTeeAttestation) != null ? _a : true
+        });
+        const proofRequestInstance = new _ReclaimProofRequest(applicationId, providerId, proofRequestOptions);
         const signature = yield proofRequestInstance.generateSignature(appSecret);
         proofRequestInstance.setSignature(signature);
         const data = yield initSession(providerId, applicationId, proofRequestInstance.timeStamp, signature, options == null ? void 0 : options.providerVersion);
         proofRequestInstance.sessionId = data.sessionId;
         proofRequestInstance.resolvedProviderVersion = data.resolvedProviderVersion;
         proofRequestInstance.context.reclaimSessionId = data.sessionId;
-        if (options == null ? void 0 : options.acceptTeeAttestation) {
-          const wallet = new import_ethers5.ethers.Wallet(appSecret);
-          const nonceData = `${applicationId}:${data.sessionId}:${proofRequestInstance.timeStamp}`;
-          const nonceMsg = import_ethers5.ethers.getBytes(import_ethers5.ethers.keccak256(new TextEncoder().encode(nonceData)));
-          const nonceSignature = yield wallet.signMessage(nonceMsg);
-          proofRequestInstance.setAttestationContext(nonceSignature, {
+        if (proofRequestOptions.acceptTeeAttestation) {
+          const attestationNonce = generateAttestationNonce(
+            appSecret,
+            applicationId,
+            data.sessionId,
+            proofRequestInstance.timeStamp
+          );
+          proofRequestInstance.setAttestationContext(attestationNonce, {
             applicationId,
             sessionId: data.sessionId,
-            timestamp: proofRequestInstance.timeStamp
+            timestamp: proofRequestInstance.timeStamp,
+            attestationVersion: SDK_TEE_ATTESTATION_VERSION
           });
         }
         return proofRequestInstance;
@@ -3223,13 +2869,13 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
   generateSignature(applicationSecret) {
     return __async(this, null, function* () {
       try {
-        const wallet = new import_ethers5.ethers.Wallet(applicationSecret);
+        const wallet = new import_ethers6.ethers.Wallet(applicationSecret);
         const canonicalData = (0, import_canonicalize3.default)({ providerId: this.providerId, timestamp: this.timeStamp });
         if (!canonicalData) {
           throw new SignatureGeneratingError("Failed to canonicalize data for signing.");
         }
-        const messageHash = import_ethers5.ethers.keccak256(new TextEncoder().encode(canonicalData));
-        return yield wallet.signMessage(import_ethers5.ethers.getBytes(messageHash));
+        const messageHash = import_ethers6.ethers.keccak256(new TextEncoder().encode(canonicalData));
+        return yield wallet.signMessage(import_ethers6.ethers.getBytes(messageHash));
       } catch (err) {
         logger10.info(`Error generating proof request for applicationId: ${this.applicationId}, providerId: ${this.providerId}, timeStamp: ${this.timeStamp}`);
         throw new SignatureGeneratingError(`Error generating signature for applicationId: ${this.applicationId}`);
@@ -3917,6 +3563,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
   isHttpProviderClaimParams,
   isMobileDevice,
   recoverSignersOfSignedClaim,
+  runTeeVerification,
   takePairsWhereValueIsArray,
   takeTemplateParametersFromProofs,
   transformForOnchain,