npm - @super-protocol/addons-tee - Versions diffs - 1.0.0 → 2.0.1 - Mend

@super-protocol/addons-tee 1.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

package/bindings/amd-sev-snp-napi-rs/amd-sev-snp-napi-rs.linux-x64-gnu.node +0 -0
package/bindings/nvidia-native/README.md +174 -0
package/bindings/nvidia-native/build/Release/libnvat.so.1.1.0 +0 -0
package/bindings/nvidia-native/build/Release/nvidia_native.node +0 -0
package/bindings/nvidia-native/package.json +26 -0
package/bindings/nvidia-native/postinstall.js +40 -0
package/bindings/sgx-native/build/Release/sgx_native.node +0 -0
package/bindings/usr/lib/node_modules/node-addon-api/node_api.Makefile +6 -0
package/bindings/usr/lib/node_modules/node-addon-api/nothing.target.mk +159 -0
package/bindings/utils/virtee/libsev.so +0 -0
package/bindings/utils/virtee/snpguest +0 -0
package/dist/index.d.ts +1 -0
package/dist/index.js +3 -2
package/dist/nvidia-native-module/nvidia-attestation.d.ts +146 -0
package/dist/nvidia-native-module/nvidia-attestation.js +374 -0
package/dist/nvidia-native-module/nvidia-debug-state-policy.rego +45 -0
package/dist/nvidia-native-module/nvidia-detailed-policy.rego +205 -0
package/package.json +4 -2
package/.editorconfig +0 -15
package/.eslintrc.json +0 -61
package/.prettierignore +0 -3
package/.prettierrc +0 -15
package/bindings/amd-sev-snp-napi-rs/package-lock.json +0 -40
package/bindings/sgx-native/package-lock.json +0 -23
package/bindings/sp-sev/.github/auto_assign-issues.yml +0 -5
package/bindings/sp-sev/.github/auto_assign.yml +0 -21
package/bindings/sp-sev/.github/dependabot.yml +0 -6
package/bindings/sp-sev/.github/workflows/dco.yml +0 -10
package/bindings/sp-sev/.github/workflows/lint.yml +0 -56
package/bindings/sp-sev/.github/workflows/test.yml +0 -215
package/bindings/sp-sev/.rustfmt.toml +0 -2
package/bindings/sp-sev/CODEOWNERS +0 -1
package/bindings/sp-sev/Cargo.lock +0 -2461
package/bindings/sp-sev/Cargo.toml +0 -80
package/bindings/sp-sev/LICENSE +0 -201
package/bindings/sp-sev/README.md +0 -82
package/bindings/sp-sev/build.rs +0 -17
package/bindings/sp-sev/docs/attestation/README.md +0 -239
package/bindings/sp-sev/docs/attestation/certchain.dot +0 -14
package/bindings/sp-sev/docs/attestation/certchain.dot.png +0 -0
package/bindings/sp-sev/docs/attestation/prerequisites.md +0 -6
package/bindings/sp-sev/docs/attestation/process.msc +0 -60
package/bindings/sp-sev/docs/attestation/process.msc.png +0 -0
package/bindings/sp-sev/docs/attestation/protections.md +0 -53
package/bindings/sp-sev/package-version.py +0 -11
package/bindings/sp-sev/tests/api.rs +0 -194
package/bindings/sp-sev/tests/certs.rs +0 -142
package/bindings/sp-sev/tests/certs_data/cert_chain_milan +0 -74
package/bindings/sp-sev/tests/certs_data/cert_chain_turin +0 -74
package/bindings/sp-sev/tests/certs_data/report_milan.hex +0 -1
package/bindings/sp-sev/tests/certs_data/vcek_milan.der +0 -0
package/bindings/sp-sev/tests/certs_data/vcek_turin.der +0 -0
package/bindings/sp-sev/tests/guest.rs +0 -57
package/bindings/sp-sev/tests/id-block.rs +0 -172
package/bindings/sp-sev/tests/measurement/ovmf_AmdSev_suffix.bin +0 -0
package/bindings/sp-sev/tests/measurement/ovmf_OvmfX64_suffix.bin +0 -0
package/bindings/sp-sev/tests/measurement/test_auth_block.bin +0 -0
package/bindings/sp-sev/tests/measurement/test_auth_key.pem +0 -6
package/bindings/sp-sev/tests/measurement/test_auth_sig.bin +0 -0
package/bindings/sp-sev/tests/measurement/test_id_key.pem +0 -6
package/bindings/sp-sev/tests/measurement/test_id_sig.bin +0 -0
package/bindings/sp-sev/tests/measurement.rs +0 -510
package/bindings/sp-sev/tests/naples/ark.cert.bad +0 -0
package/bindings/sp-sev/tests/naples/ark.cert.sig +0 -0
package/bindings/sp-sev/tests/naples/ark.rs +0 -38
package/bindings/sp-sev/tests/naples/ask.rs +0 -29
package/bindings/sp-sev/tests/naples/cek.cert +0 -0
package/bindings/sp-sev/tests/naples/cek.rs +0 -30
package/bindings/sp-sev/tests/naples/mod.rs +0 -20
package/bindings/sp-sev/tests/naples/oca.cert +0 -0
package/bindings/sp-sev/tests/naples/oca.rs +0 -45
package/bindings/sp-sev/tests/naples/pdh.cert +0 -0
package/bindings/sp-sev/tests/naples/pdh.rs +0 -28
package/bindings/sp-sev/tests/naples/pek.cert +0 -0
package/bindings/sp-sev/tests/naples/pek.rs +0 -32
package/bindings/sp-sev/tests/rome/ark.rs +0 -33
package/bindings/sp-sev/tests/rome/ask.rs +0 -29
package/bindings/sp-sev/tests/rome/cek.cert +0 -0
package/bindings/sp-sev/tests/rome/cek.rs +0 -29
package/bindings/sp-sev/tests/rome/mod.rs +0 -16
package/bindings/sp-sev/tests/rome/oca.cert +0 -0
package/bindings/sp-sev/tests/rome/oca.rs +0 -45
package/bindings/sp-sev/tests/rome/pdh.cert +0 -0
package/bindings/sp-sev/tests/rome/pdh.rs +0 -28
package/bindings/sp-sev/tests/rome/pek.cert +0 -0
package/bindings/sp-sev/tests/rome/pek.rs +0 -32
package/bindings/sp-sev/tests/session.rs +0 -39
package/bindings/sp-sev/tests/sev_launch.rs +0 -120
package/bindings/sp-sev/tests/snp_launch.rs +0 -108
package/dto/src/AmdSevSnp.proto +0 -31
package/dto/src/Compression.proto +0 -11
package/dto/src/Hash.proto +0 -6
package/dto/src/OrderReport.proto +0 -21
package/dto/src/TRI.proto +0 -22
package/dto/src/TeeDeviceInfo.proto +0 -46

package/bindings/amd-sev-snp-napi-rs/amd-sev-snp-napi-rs.linux-x64-gnu.node CHANGED Viewed

Binary file

package/bindings/nvidia-native/README.md ADDED Viewed

@@ -0,0 +1,174 @@
+# NVIDIA Native Attestation Module
+Node.js native addon for GPU attestation using NVIDIA Attestation SDK.
+## Features
+- **Remote Attestation via NRAS**: Generate JWT tokens via NVIDIA Remote Attestation Service
+- **Policy Verification**: Verify JWT with Rego policies
+- **Device Topology**: Retrieve GPU and NVSwitch counts with dynamic library loading
+- **Device Information**: Get NVIDIA GPU device information
+- **TypeScript Support**: Full type support
+## Dependencies
+### Runtime (System Libraries)
+```bash
+# Ubuntu/Debian
+sudo apt-get install -y \
+    libcurl4-openssl-dev \
+    libxml2-dev \
+    libssl-dev \
+    libxmlsec1-dev \
+    libxmlsec1-openssl
+```
+### Build Dependencies
+```bash
+sudo apt-get install -y build-essential cmake git python3
+```
+### NVIDIA Attestation SDK
+The SDK is included as a git submodule and is built automatically on first build.
+## Build
+```bash
+# 1. Initialize submodules
+git submodule update --init --recursive
+# 2. Build
+./build.sh
+```
+## Usage
+### TypeScript (Recommended)
+```typescript
+import {
+  NvidiaAttestationService,
+  PERMISSIVE_POLICY
+} from 'tee-addon';
+const service = new NvidiaAttestationService();
+// Attestation via NRAS
+const result = await service.attestGpuWithNRAS({
+  serviceKey: 'your-api-key'
+});
+console.log('Success:', result.success);
+console.log('JWT:', result.jwt);
+console.log('Claims:', result.claims);
+```
+### Native C++
+```javascript
+const { TNvidiaAttestation } = require('./build/Release/nvidia_native.node');
+const attestation = new TNvidiaAttestation();
+const nonce = Buffer.alloc(32);
+const result = attestation.attestGpuWithNRAS(nonce);
+console.log(result.success, result.jwt, result.claims);
+```
+## API Reference
+### generateNonce(nonceLength?)
+Generates a cryptographic nonce via NVIDIA Attestation SDK.
+**Parameters**:
+- `nonceLength?: number` — length in bytes (default `32`)
+**Returns**: `Buffer`
+### attestGpuWithNRAS(nonce?, serviceKey?, nrasUrl?)
+Performs GPU attestation via NRAS.
+**Returns**: `{success: boolean, jwt: string, claims: string}`
+### attestNvSwitchWithNRAS(nonce?, serviceKey?, nrasUrl?)
+Performs NVSwitch attestation via NRAS.
+**Returns**: `{success: boolean, jwt: string, claims: string}`
+### verifyJwt(jwt, serviceKey?, nrasUrl?)
+Verifies detached EAT JWT cryptographically via NRAS and returns decoded claims.
+**Returns**: `{result: boolean, claims: string, msg: string, logs: string}`
+**Behavior**:
+- Returns `{result: true, claims, msg: "Success"}` when cryptographic verification succeeds
+- Returns `{result: false, claims, msg: "Attestation overall result is false"}` when verification reaches decision stage but overall result is false
+- Throws `TypeError` for invalid input argument types/shape
+- Throws `Error` for hard failures (malformed/invalid JWT payload, validate/decode failure, claims extraction/serialization failure, HTTP/JWKS processing failure)
+### evaluatePolicy(claims, regoPolicy)
+Evaluates attestation claims against a Rego policy and returns policy diagnostics.
+**Returns**: `{result: boolean, msg: string, details: string[], logs: string}`
+**Behavior**:
+- Returns `{result: true, msg: "Success", details: []}` when claims match the policy
+- Returns `{result: false, msg, details}` when claims do not match the policy, with failed rule names in `details`
+- Throws `TypeError` for invalid input argument types/shape
+- Throws `Error` for policy evaluation failures
+### getDeviceTopology()
+Retrieves NVIDIA device topology information (GPU and NVSwitch).
+Dynamically loads NVML and NSCQ libraries, gets device counts, and unloads libraries automatically.
+**Parameters**: None
+**Returns**: `{gpuCount: number, nvswitchCount: number}`
+**Throws**: Error if libraries are loaded but data retrieval fails
+**Example**:
+```javascript
+const topology = attestation.getDeviceTopology();
+console.log(`GPUs: ${topology.gpuCount}`);
+console.log(`NVSwitches: ${topology.nvswitchCount}`);
+```
+**Error Handling**:
+```javascript
+try {
+    const topology = attestation.getDeviceTopology();
+    console.log(`Found ${topology.gpuCount} GPUs and ${topology.nvswitchCount} NVSwitches`);
+} catch (error) {
+    console.error('Failed to get topology:', error.message);
+}
+```
+**Notes**:
+- Requires NVIDIA Driver with NVML support
+- NVSwitch requires NSCQ library (optional)
+- Returns 0 if libraries are not installed (graceful degradation)
+- Throws if libraries are loaded but data retrieval fails
+### getDeviceInfo()
+Retrieves device information.
+**Returns**: `{deviceId: string, vendor: string, attestationSupported: boolean}`
+## See also
+See the main project README for full documentation.
+## License
+ISC

package/bindings/nvidia-native/build/Release/libnvat.so.1.1.0 ADDED Viewed

Binary file

package/bindings/nvidia-native/build/Release/nvidia_native.node ADDED Viewed

Binary file

package/bindings/nvidia-native/package.json ADDED Viewed

@@ -0,0 +1,26 @@
+{
+  "name": "nvidia-native",
+  "version": "1.0.0",
+  "description": "Native Node.js addon for NVIDIA attestation",
+  "main": "index.js",
+  "scripts": {
+    "install": "node-gyp rebuild",
+    "build": "node-gyp rebuild",
+    "clean": "node-gyp clean"
+  },
+  "gypfile": true,
+  "dependencies": {
+    "node-addon-api": "^5.0.0"
+  },
+  "devDependencies": {
+    "node-gyp": "^9.0.0"
+  },
+  "keywords": [
+    "nvidia",
+    "attestation",
+    "tee",
+    "native"
+  ],
+  "author": "",
+  "license": "ISC"
+}

package/bindings/nvidia-native/postinstall.js ADDED Viewed

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+const fs = require('fs');
+const path = require('path');
+const releaseDir = path.join(__dirname, 'build', 'Release');
+const libFile = 'libnvat.so.1.1.0';
+const libPath = path.join(releaseDir, libFile);
+if (!fs.existsSync(libPath)) {
+  console.error(`FATAL: Required library not found: ${libPath}`);
+  process.exit(1);
+}
+const symlink1 = path.join(releaseDir, 'libnvat.so.1');
+const symlink2 = path.join(releaseDir, 'libnvat.so');
+// Create symlink libnvat.so.1 -> libnvat.so.1.1.0
+try {
+  if (fs.existsSync(symlink1)) {
+    fs.unlinkSync(symlink1);
+  }
+  fs.symlinkSync(libFile, symlink1);
+  console.log('Created symlink: libnvat.so.1 -> libnvat.so.1.1.0');
+} catch (err) {
+  console.error(`FATAL: Failed to create symlink ${symlink1}: ${err.message}`);
+  process.exit(1);
+}
+// Create symlink libnvat.so -> libnvat.so.1
+try {
+  if (fs.existsSync(symlink2)) {
+    fs.unlinkSync(symlink2);
+  }
+  fs.symlinkSync('libnvat.so.1', symlink2);
+  console.log('Created symlink: libnvat.so -> libnvat.so.1');
+} catch (err) {
+  console.error(`FATAL: Failed to create symlink ${symlink2}: ${err.message}`);
+  process.exit(1);
+}

package/bindings/sgx-native/build/Release/sgx_native.node CHANGED Viewed

Binary file

package/bindings/usr/lib/node_modules/node-addon-api/node_api.Makefile ADDED Viewed

@@ -0,0 +1,6 @@
+# This file is generated by gyp; do not edit.
+export builddir_name ?= ./build/../../usr/lib/node_modules/node-addon-api/.
+.PHONY: all
+all:
+	$(MAKE) -C ../../../../nvidia-native/build nothing

package/bindings/usr/lib/node_modules/node-addon-api/nothing.target.mk ADDED Viewed

@@ -0,0 +1,159 @@
+# This file is generated by gyp; do not edit.
+TOOLSET := target
+TARGET := nothing
+DEFS_Debug := \
+	'-DNODE_GYP_MODULE_NAME=nothing' \
+	'-DUSING_UV_SHARED=1' \
+	'-DUSING_V8_SHARED=1' \
+	'-DV8_DEPRECATION_WARNINGS=1' \
+	'-D_GLIBCXX_USE_CXX11_ABI=1' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-D_LARGEFILE_SOURCE' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DOPENSSL_NO_PINSHARED' \
+	'-DOPENSSL_THREADS' \
+	'-DDEBUG' \
+	'-D_DEBUG'
+# Flags passed to all source files.
+CFLAGS_Debug := \
+	-fPIC \
+	-pthread \
+	-Wall \
+	-Wextra \
+	-Wno-unused-parameter \
+	-m64 \
+	-g \
+	-O0
+# Flags passed to only C files.
+CFLAGS_C_Debug :=
+# Flags passed to only C++ files.
+CFLAGS_CC_Debug := \
+	-fno-rtti \
+	-fno-exceptions \
+	-std=gnu++17
+INCS_Debug := \
+	-I/root/.cache/node-gyp/20.20.0/include/node \
+	-I/root/.cache/node-gyp/20.20.0/src \
+	-I/root/.cache/node-gyp/20.20.0/deps/openssl/config \
+	-I/root/.cache/node-gyp/20.20.0/deps/openssl/openssl/include \
+	-I/root/.cache/node-gyp/20.20.0/deps/uv/include \
+	-I/root/.cache/node-gyp/20.20.0/deps/zlib \
+	-I/root/.cache/node-gyp/20.20.0/deps/v8/include
+DEFS_Release := \
+	'-DNODE_GYP_MODULE_NAME=nothing' \
+	'-DUSING_UV_SHARED=1' \
+	'-DUSING_V8_SHARED=1' \
+	'-DV8_DEPRECATION_WARNINGS=1' \
+	'-D_GLIBCXX_USE_CXX11_ABI=1' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-D_LARGEFILE_SOURCE' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DOPENSSL_NO_PINSHARED' \
+	'-DOPENSSL_THREADS'
+# Flags passed to all source files.
+CFLAGS_Release := \
+	-fPIC \
+	-pthread \
+	-Wall \
+	-Wextra \
+	-Wno-unused-parameter \
+	-m64 \
+	-O3 \
+	-fno-omit-frame-pointer
+# Flags passed to only C files.
+CFLAGS_C_Release :=
+# Flags passed to only C++ files.
+CFLAGS_CC_Release := \
+	-fno-rtti \
+	-fno-exceptions \
+	-std=gnu++17
+INCS_Release := \
+	-I/root/.cache/node-gyp/20.20.0/include/node \
+	-I/root/.cache/node-gyp/20.20.0/src \
+	-I/root/.cache/node-gyp/20.20.0/deps/openssl/config \
+	-I/root/.cache/node-gyp/20.20.0/deps/openssl/openssl/include \
+	-I/root/.cache/node-gyp/20.20.0/deps/uv/include \
+	-I/root/.cache/node-gyp/20.20.0/deps/zlib \
+	-I/root/.cache/node-gyp/20.20.0/deps/v8/include
+OBJS := \
+	$(obj).target/$(TARGET)/../../usr/lib/node_modules/node-addon-api/nothing.o
+# Add to the list of files we specially track dependencies for.
+all_deps += $(OBJS)
+# CFLAGS et al overrides must be target-local.
+# See "Target-specific Variable Values" in the GNU Make manual.
+$(OBJS): TOOLSET := $(TOOLSET)
+$(OBJS): GYP_CFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_C_$(BUILDTYPE))
+$(OBJS): GYP_CXXFLAGS := $(DEFS_$(BUILDTYPE)) $(INCS_$(BUILDTYPE))  $(CFLAGS_$(BUILDTYPE)) $(CFLAGS_CC_$(BUILDTYPE))
+# Suffix rules, putting all outputs into $(obj).
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(srcdir)/%.c FORCE_DO_CMD
+	@$(call do_cmd,cc,1)
+# Try building from generated source, too.
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj).$(TOOLSET)/%.c FORCE_DO_CMD
+	@$(call do_cmd,cc,1)
+$(obj).$(TOOLSET)/$(TARGET)/%.o: $(obj)/%.c FORCE_DO_CMD
+	@$(call do_cmd,cc,1)
+# End of this set of suffix rules
+### Rules for final target.
+LDFLAGS_Debug := \
+	-pthread \
+	-rdynamic \
+	-m64
+LDFLAGS_Release := \
+	-pthread \
+	-rdynamic \
+	-m64
+LIBS :=
+$(obj).target/../../usr/lib/node_modules/node-addon-api/nothing.a: GYP_LDFLAGS := $(LDFLAGS_$(BUILDTYPE))
+$(obj).target/../../usr/lib/node_modules/node-addon-api/nothing.a: LIBS := $(LIBS)
+$(obj).target/../../usr/lib/node_modules/node-addon-api/nothing.a: TOOLSET := $(TOOLSET)
+$(obj).target/../../usr/lib/node_modules/node-addon-api/nothing.a: $(OBJS)
+	$(call create_archive,$@,$^)
+# Add target alias
+.PHONY: nothing
+nothing: $(obj).target/../../usr/lib/node_modules/node-addon-api/nothing.a
+# Add target alias to "all" target.
+.PHONY: all
+all: nothing
+# Add target alias
+.PHONY: nothing
+nothing: $(builddir)/nothing.a
+# Copy this to the static library output path.
+$(builddir)/nothing.a: TOOLSET := $(TOOLSET)
+$(builddir)/nothing.a: $(obj).target/../../usr/lib/node_modules/node-addon-api/nothing.a FORCE_DO_CMD
+	$(call do_cmd,copy)
+all_deps += $(builddir)/nothing.a
+# Short alias for building this static library.
+.PHONY: nothing.a
+nothing.a: $(obj).target/../../usr/lib/node_modules/node-addon-api/nothing.a $(builddir)/nothing.a
+# Add static library to "all" target.
+.PHONY: all
+all: $(builddir)/nothing.a

package/bindings/utils/virtee/libsev.so CHANGED Viewed

Binary file

package/bindings/utils/virtee/snpguest CHANGED Viewed

Binary file

package/dist/index.d.ts CHANGED Viewed

	@@ -1 +1,2 @@
1 1	export * as SgxNative from "./sgx-native-module";
2	+ export * as NvidiaNative from "./nvidia-native-module/nvidia-attestation";

package/dist/index.js CHANGED Viewed

@@ -23,6 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SgxNative = void 0;
+exports.NvidiaNative = exports.SgxNative = void 0;
 exports.SgxNative = __importStar(require("./sgx-native-module"));
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxpRUFBaUQifQ==
+exports.NvidiaNative = __importStar(require("./nvidia-native-module/nvidia-attestation"));
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxpRUFBaUQ7QUFDakQsMEZBQTBFIn0=

package/dist/nvidia-native-module/nvidia-attestation.d.ts ADDED Viewed

@@ -0,0 +1,146 @@
+/// <reference types="node" />
+import { Static } from "@sinclair/typebox";
+export declare const MIN_NONCE_LENGTH = 32;
+export declare const DEFAULT_NRAS_URL = "https://nras.attestation.nvidia.com";
+export declare const NVIDIA_DETAILED_POLICY_RELATIVE_PATH = "nvidia-detailed-policy.rego";
+export declare const NVIDIA_DEBUG_STATE_POLICY_RELATIVE_PATH = "nvidia-debug-state-policy.rego";
+export declare enum NvidiaDeviceType {
+    GPU = 0,
+    NVSWITCH = 1
+}
+declare const NvidiaAttestationResultSchema: import("@sinclair/typebox").TObject<{
+    success: import("@sinclair/typebox").TBoolean;
+    jwt: import("@sinclair/typebox").TString;
+    claims: import("@sinclair/typebox").TString;
+    logs: import("@sinclair/typebox").TString;
+}>;
+export type NvidiaAttestationResult = Static<typeof NvidiaAttestationResultSchema>;
+declare const NvidiaDeviceTopologySchema: import("@sinclair/typebox").TObject<{
+    gpuCount: import("@sinclair/typebox").TInteger;
+    nvswitchCount: import("@sinclair/typebox").TInteger;
+    logs: import("@sinclair/typebox").TString;
+}>;
+export type NvidiaDeviceTopology = Static<typeof NvidiaDeviceTopologySchema>;
+export type NvidiaAttestationOptions = {
+    nonce?: Buffer;
+    serviceKey?: string;
+    nrasUrl?: string;
+};
+export type NvidiaJwtVerificationParams = {
+    jwt: string;
+    serviceKey?: string;
+    nrasUrl?: string;
+};
+export type NvidiaPolicyEvaluationParams = {
+    claims: string;
+    regoPolicy: string;
+};
+declare const NvidiaJwtVerificationResultSchema: import("@sinclair/typebox").TObject<{
+    result: import("@sinclair/typebox").TBoolean;
+    claims: import("@sinclair/typebox").TString;
+    msg: import("@sinclair/typebox").TString;
+    logs: import("@sinclair/typebox").TString;
+}>;
+export type NvidiaJwtVerificationResult = Static<typeof NvidiaJwtVerificationResultSchema>;
+declare const NvidiaPolicyEvaluationResultSchema: import("@sinclair/typebox").TObject<{
+    result: import("@sinclair/typebox").TBoolean;
+    msg: import("@sinclair/typebox").TString;
+    details: import("@sinclair/typebox").TArray<import("@sinclair/typebox").TString>;
+    logs: import("@sinclair/typebox").TString;
+}>;
+export type NvidiaPolicyEvaluationResult = Static<typeof NvidiaPolicyEvaluationResultSchema>;
+declare const NvtrustGPUInfoSchema: import("@sinclair/typebox").TObject<{
+    model: import("@sinclair/typebox").TString;
+    driverVersion: import("@sinclair/typebox").TString;
+    vbios: import("@sinclair/typebox").TString;
+    dbgStat: import("@sinclair/typebox").TBoolean;
+}>;
+export type NvtrustGPUInfo = Static<typeof NvtrustGPUInfoSchema>;
+export declare class NvidiaAttestationError extends Error {
+    constructor(message?: string);
+}
+export declare class NvidiaAttestationErrorWithLogs extends NvidiaAttestationError {
+    readonly logs?: string | undefined;
+    constructor(message: string, logs?: string | undefined);
+}
+/**
+ * Parses a raw claims JSON string (array of JWT payloads) into typed GPU info objects.
+ *
+ * @param claims - JSON string containing an array of NVIDIA JWT payload objects.
+ * @returns Array of parsed and validated GPU info objects.
+ * @throws NvidiaAttestationError when the input is not valid JSON, not an array,
+ *         or any element fails schema validation.
+ */
+export declare function ParseGpuClaim(claims: string): NvtrustGPUInfo[];
+export declare class NvidiaAttestationService {
+    private static readonly policyCache;
+    private readonly native;
+    private getNvidiaDetailedPolicyPath;
+    private getNvidiaDebugStatePolicyPath;
+    /**
+     * Loads bundled detailed NVIDIA Rego policy from package files.
+     *
+     * The policy content is cached after first successful read.
+     *
+     * @returns Rego policy text.
+     */
+    getNvidiaDetailedPolicy(): Promise<string>;
+    /**
+     * Loads bundled debug-state NVIDIA Rego policy from package files.
+     *
+     * Checks device type, secure boot and debug status.
+     * The policy content is cached after first successful read.
+     *
+     * @returns Rego policy text.
+     */
+    getNvidiaDebugStatePolicy(): Promise<string>;
+    /**
+     * Loads a policy file using single-flight caching keyed by absolute path.
+     *
+     * Concurrent callers for the same path share one in-flight read.
+     * On failure the cache entry is removed so the next call retries.
+     */
+    private loadCachedPolicy;
+    /**
+     * Creates NVIDIA attestation service instance and initializes native SDK bindings.
+     *
+     * @throws NvidiaAttestationError when native NVIDIA attestation layer cannot be initialized.
+     */
+    constructor();
+    /**
+     * Generates cryptographically secure nonce via native NVIDIA SDK.
+     *
+     * @param length - Nonce size in bytes (default: 32).
+     * @returns Nonce bytes.
+     */
+    generateNonce(length?: number): Promise<Buffer>;
+    /**
+     * Performs GPU attestation via NVIDIA Remote Attestation Service (NRAS).
+     *
+     * @param options - Attestation options.
+     * @returns Attestation result (`success`, `jwt`, `claims`).
+     */
+    attestGpuWithNRAS(options?: NvidiaAttestationOptions): Promise<NvidiaAttestationResult>;
+    /**
+     * Performs NVSwitch attestation via NVIDIA Remote Attestation Service (NRAS).
+     *
+     * @param options - Attestation options.
+     * @returns Attestation result (`success`, `jwt`, `claims`).
+     */
+    attestNvSwitchWithNRAS(options?: NvidiaAttestationOptions): Promise<NvidiaAttestationResult>;
+    /**
+     * Retrieves NVIDIA device topology (GPU and NVSwitch counts) from native layer.
+     *
+     * @returns Device topology data.
+     */
+    getDeviceTopology(): Promise<NvidiaDeviceTopology>;
+    /**
+     * Verifies detached EAT JWT cryptographically via NRAS and returns decoded claims.
+     */
+    verifyJwt(params: NvidiaJwtVerificationParams): Promise<NvidiaJwtVerificationResult>;
+    /**
+     * Evaluates attestation claims against a Rego policy and returns policy diagnostics.
+     */
+    evaluatePolicy(params: NvidiaPolicyEvaluationParams): Promise<NvidiaPolicyEvaluationResult>;
+}
+export {};