npm - @reclaimprotocol/js-sdk - Versions diffs - 5.4.0 → 5.4.1 - Mend

@reclaimprotocol/js-sdk 5.4.0 → 5.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -51,6 +51,22 @@ interface ExtensionMessage {
 interface WitnessData {
     id: string;
     url: string;
+    claimAttestation?: AttestorClaimAttestation;
+}
+/**
+ * Attestation produced by an attestor running inside a Trusted Execution
+ * Environment. Binds the attestor's signing key (and its signature over
+ * the claim) to a hardware-backed enclave identity.
+ *
+ * Verified by `runAttestorTeeVerification`.
+ */
+interface AttestorClaimAttestation {
+    /** ETH address of the attestor whose enclave produced the attestation. Matches `WitnessData.id`. */
+    attestor_address: string;
+    /** Attestor signature over the claim. Must equal the corresponding entry in `Proof.signatures`. */
+    claim_signature: string;
+    /** Raw attestation report. For GCP Confidential Space, a JWT (header.payload.signature). */
+    attestation_report: string;
 }
 interface ProviderClaimData {
     provider: string;
@@ -299,6 +315,59 @@ interface ResponseRedactionSpec {
     xPath: string;
 }
+/**
+ * Result of verifying an attestor TEE attestation.
+ */
+type AttestorTeeVerificationResult = {
+    isVerified: boolean;
+    error?: string;
+    /** sha256 image digest of the attestor container, on success. */
+    imageDigest?: string;
+};
+/**
+ * Validates a GCP Confidential Space attestation JWT produced by an
+ * attestor running in a Confidential Space VM, and asserts that the
+ * attestation binds to the given attestor address.
+ *
+ * The attestor (running inside the TEE) calls the Confidential Space
+ * launcher's attestation endpoint with two nonces:
+ *   - `attestor_public_key:<eth-address>` - binds to the signing key.
+ *   - `attestor_cert_hash:<sha256-hex>`   - binds to the live TLS cert.
+ *
+ * This function only verifies the public-key nonce. The TLS cert hash
+ * binding is informational and not checked here. Callers that need to
+ * pin to a specific attestor image should compare the returned
+ * `imageDigest` against a known-good value.
+ *
+ * The JWT signature is verified by walking the x5c certificate chain
+ * to a pinned GCP Confidential Space Root CA. No outbound network
+ * calls are made.
+ *
+ * Node-only (uses node:crypto). Mirrors the environment restriction in
+ * the existing `verifyTeeAttestation` helper.
+ *
+ * @param report - the raw JWT string (header.payload.signature).
+ * @param expectedAttestorAddress - hex ETH address (0x-prefixed or
+ *   unprefixed) that the attestation should be bound to.
+ */
+declare function verifyAttestorTeeAttestation(report: string, expectedAttestorAddress: string): Promise<AttestorTeeVerificationResult>;
+/**
+ * Configuration for verifying the attestor's TEE attestation on each
+ * witness of the proof.
+ */
+type AttestorTeeAttestationConfig = {
+    /**
+     * Optional allowlist of expected attestor container image digests
+     * (e.g. `"sha256:4906340f..."`). When provided, the attestation's
+     * `submods.container.image_digest` must be in this list.
+     *
+     * Leave undefined to skip image pinning and rely solely on the JWT
+     * chain rooting to the GCP Confidential Space Root CA + nonce
+     * binding to the attestor address.
+     */
+    expectedImageDigests?: string[];
+};
 /**
  * Content validation configuration specifying essential required hashes and optional extra proofs.
  * Used to explicitly validate that a generated proof matches the exact request structure expected.
@@ -378,6 +447,20 @@ type VerificationConfig = ValidationConfig & {
      * if TEE attestation data is missing or verification fails.
      */
     teeAttestation?: TeeAttestationConfig;
+    /**
+     * Attestor TEE attestation verification configuration.
+     * When provided, verifies that every witness on every proof has a valid
+     * `claimAttestation` from an attestor running inside a TEE (GCP
+     * Confidential Space).
+     *
+     * Independent of `teeAttestation`, which verifies the verifier-app's
+     * own TEE attestation. Both can be enabled together.
+     *
+     * The result will include `isAttestorTeeAttestationVerified` and
+     * `isVerified` will be false if any witness is missing TEE attestation
+     * data or its verification fails.
+     */
+    attestorTeeAttestation?: AttestorTeeAttestationConfig;
 };
 declare function assertValidProofsByHash(proofs: Proof[], config: ProviderHashRequirementsConfig): void;
 declare function isHttpProviderClaimParams(claimParams: unknown): claimParams is HttpProviderClaimParams;
@@ -703,6 +786,7 @@ type TrustedData = {
 type VerifyProofResultSuccess = {
     isVerified: true;
     isTeeAttestationVerified?: boolean;
+    isAttestorTeeAttestationVerified?: boolean;
     error: undefined;
     data: TrustedData[];
     publicData: any[];
@@ -710,6 +794,7 @@ type VerifyProofResultSuccess = {
 type VerifyProofResultFailure = {
     isVerified: false;
     isTeeAttestationVerified?: boolean;
+    isAttestorTeeAttestationVerified?: boolean;
     error: Error;
     data: [];
     publicData: [];
@@ -1634,4 +1719,4 @@ declare function isDesktopDevice(): boolean;
  */
 declare function clearDeviceCache(): void;
-export { type Beacon, type BeaconState, type BodySniff, ClaimCreationType, type ClaimID, type ClaimInfo, type CompleteClaimData, type Context, type CreateVerificationRequest, DeviceType, type EmbeddedFlowHandle, type ExtensionMessage, type FlowHandle, type HashRequirement, type HashableHttpProviderClaimParams, type HttpFormEntry, type HttpProviderClaimParams, type HttpRedirectionMethod, type HttpRedirectionOptions, type InitSessionResponse, type InjectedRequestSpec, type InterceptorRequestSpec, type ModalOptions, type OnError, type OnSuccess, type Proof, type ProofPropertiesJSON, type ProofRequestOptions, type ProviderClaimData, type ProviderConfigResponse, type ProviderHashRequirementSpec, type ProviderHashRequirementsConfig, type ProviderHashRequirementsResponse, type ProviderVersionConfig, type ProviderVersionInfo, RECLAIM_EXTENSION_ACTIONS, type ReclaimFlowInitOptions, type ReclaimFlowLaunchOptions, ReclaimProofRequest, type ReclaimProviderConfig, type ReclaimProviderConfigWithRequestSpec, type RequestSpec, type ResponseMatchSpec, type ResponseRedactionSpec, SUPPORTED_TEE_ATTESTATION_VERSIONS, type SerializableModalOptions, SessionStatus, type SignedClaim, type StartSessionParams, type StatusUrlResponse, type TeeAttestation, type TeeAttestationConfig, type TeeAttestationVersion, TeeVerificationError, type TeeVerificationResult, type TemplateData, type TrustedData, type UpdateSessionResponse, type ValidationConfig, type ValidationConfigWithDisabledValidation, type ValidationConfigWithHash, type ValidationConfigWithProviderInformation, type VerificationConfig, type VerifyProofResult, type VerifyProofResultFailure, type VerifyProofResultSuccess, type WitnessData, assertValidProofsByHash, assertValidateProof, assertVerifiedProof, clearDeviceCache, createLinkWithTemplateData, createSignDataForClaim, fetchProviderConfigs, fetchProviderHashRequirementsBy, fetchStatusUrl, generateAttestationNonce, generateInitSignature, generateSpecsFromRequestSpecTemplate, getAttestors, getDeviceType, getHttpProviderClaimParamsFromProof, getIdentifierFromClaimInfo, getMobileDeviceType, getProviderHashRequirementSpecFromProviderConfig, getProviderHashRequirementsFromSpec, getProviderParamsAsCanonicalizedString, getShortenedUrl, hashProofClaimParams, hashRequestSpec, initSession, isDesktopDevice, isHttpProviderClaimParams, isMobileDevice, recoverSignersOfSignedClaim, runTeeVerification, takePairsWhereValueIsArray, takeTemplateParametersFromProofs, transformForOnchain, updateSession, verifyProof, verifyTeeAttestation };
+export { type AttestorClaimAttestation, type AttestorTeeVerificationResult, type Beacon, type BeaconState, type BodySniff, ClaimCreationType, type ClaimID, type ClaimInfo, type CompleteClaimData, type Context, type CreateVerificationRequest, DeviceType, type EmbeddedFlowHandle, type ExtensionMessage, type FlowHandle, type HashRequirement, type HashableHttpProviderClaimParams, type HttpFormEntry, type HttpProviderClaimParams, type HttpRedirectionMethod, type HttpRedirectionOptions, type InitSessionResponse, type InjectedRequestSpec, type InterceptorRequestSpec, type ModalOptions, type OnError, type OnSuccess, type Proof, type ProofPropertiesJSON, type ProofRequestOptions, type ProviderClaimData, type ProviderConfigResponse, type ProviderHashRequirementSpec, type ProviderHashRequirementsConfig, type ProviderHashRequirementsResponse, type ProviderVersionConfig, type ProviderVersionInfo, RECLAIM_EXTENSION_ACTIONS, type ReclaimFlowInitOptions, type ReclaimFlowLaunchOptions, ReclaimProofRequest, type ReclaimProviderConfig, type ReclaimProviderConfigWithRequestSpec, type RequestSpec, type ResponseMatchSpec, type ResponseRedactionSpec, SUPPORTED_TEE_ATTESTATION_VERSIONS, type SerializableModalOptions, SessionStatus, type SignedClaim, type StartSessionParams, type StatusUrlResponse, type TeeAttestation, type TeeAttestationConfig, type TeeAttestationVersion, TeeVerificationError, type TeeVerificationResult, type TemplateData, type TrustedData, type UpdateSessionResponse, type ValidationConfig, type ValidationConfigWithDisabledValidation, type ValidationConfigWithHash, type ValidationConfigWithProviderInformation, type VerificationConfig, type VerifyProofResult, type VerifyProofResultFailure, type VerifyProofResultSuccess, type WitnessData, assertValidProofsByHash, assertValidateProof, assertVerifiedProof, clearDeviceCache, createLinkWithTemplateData, createSignDataForClaim, fetchProviderConfigs, fetchProviderHashRequirementsBy, fetchStatusUrl, generateAttestationNonce, generateInitSignature, generateSpecsFromRequestSpecTemplate, getAttestors, getDeviceType, getHttpProviderClaimParamsFromProof, getIdentifierFromClaimInfo, getMobileDeviceType, getProviderHashRequirementSpecFromProviderConfig, getProviderHashRequirementsFromSpec, getProviderParamsAsCanonicalizedString, getShortenedUrl, hashProofClaimParams, hashRequestSpec, initSession, isDesktopDevice, isHttpProviderClaimParams, isMobileDevice, recoverSignersOfSignedClaim, runTeeVerification, takePairsWhereValueIsArray, takeTemplateParametersFromProofs, transformForOnchain, updateSession, verifyAttestorTeeAttestation, verifyProof, verifyTeeAttestation };