npm - @usesigil/kit - Versions diffs - 0.1.0 - Mend

@usesigil/kit 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (631) hide show

package/LICENSE +191 -0
package/README.md +190 -0
package/dist/advanced-analytics.d.ts +118 -0
package/dist/advanced-analytics.d.ts.map +1 -0
package/dist/advanced-analytics.js +341 -0
package/dist/advanced-analytics.js.map +1 -0
package/dist/agent-analytics.d.ts +76 -0
package/dist/agent-analytics.d.ts.map +1 -0
package/dist/agent-analytics.js +179 -0
package/dist/agent-analytics.js.map +1 -0
package/dist/agent-errors.d.ts +151 -0
package/dist/agent-errors.d.ts.map +1 -0
package/dist/agent-errors.js +2001 -0
package/dist/agent-errors.js.map +1 -0
package/dist/alt-config.d.ts +43 -0
package/dist/alt-config.d.ts.map +1 -0
package/dist/alt-config.js +78 -0
package/dist/alt-config.js.map +1 -0
package/dist/alt-loader.d.ts +47 -0
package/dist/alt-loader.d.ts.map +1 -0
package/dist/alt-loader.js +143 -0
package/dist/alt-loader.js.map +1 -0
package/dist/balance-tracker.d.ts +87 -0
package/dist/balance-tracker.d.ts.map +1 -0
package/dist/balance-tracker.js +181 -0
package/dist/balance-tracker.js.map +1 -0
package/dist/composer.d.ts +56 -0
package/dist/composer.d.ts.map +1 -0
package/dist/composer.js +77 -0
package/dist/composer.js.map +1 -0
package/dist/core/engine.d.ts +17 -0
package/dist/core/engine.d.ts.map +1 -0
package/dist/core/engine.js +177 -0
package/dist/core/engine.js.map +1 -0
package/dist/core/errors.d.ts +24 -0
package/dist/core/errors.d.ts.map +1 -0
package/dist/core/errors.js +16 -0
package/dist/core/errors.js.map +1 -0
package/dist/core/index.d.ts +9 -0
package/dist/core/index.d.ts.map +1 -0
package/dist/core/index.js +10 -0
package/dist/core/index.js.map +1 -0
package/dist/core/policies.d.ts +75 -0
package/dist/core/policies.d.ts.map +1 -0
package/dist/core/policies.js +126 -0
package/dist/core/policies.js.map +1 -0
package/dist/core/registry.d.ts +29 -0
package/dist/core/registry.d.ts.map +1 -0
package/dist/core/registry.js +125 -0
package/dist/core/registry.js.map +1 -0
package/dist/core/state.d.ts +71 -0
package/dist/core/state.d.ts.map +1 -0
package/dist/core/state.js +169 -0
package/dist/core/state.js.map +1 -0
package/dist/create-vault.d.ts +58 -0
package/dist/create-vault.d.ts.map +1 -0
package/dist/create-vault.js +90 -0
package/dist/create-vault.js.map +1 -0
package/dist/custody-adapter.d.ts +54 -0
package/dist/custody-adapter.d.ts.map +1 -0
package/dist/custody-adapter.js +45 -0
package/dist/custody-adapter.js.map +1 -0
package/dist/event-analytics.d.ts +45 -0
package/dist/event-analytics.d.ts.map +1 -0
package/dist/event-analytics.js +277 -0
package/dist/event-analytics.js.map +1 -0
package/dist/events.d.ts +56 -0
package/dist/events.d.ts.map +1 -0
package/dist/events.js +151 -0
package/dist/events.js.map +1 -0
package/dist/formatting.d.ts +103 -0
package/dist/formatting.d.ts.map +1 -0
package/dist/formatting.js +244 -0
package/dist/formatting.js.map +1 -0
package/dist/generated/accounts/agentSpendOverlay.d.ts +54 -0
package/dist/generated/accounts/agentSpendOverlay.d.ts.map +1 -0
package/dist/generated/accounts/agentSpendOverlay.js +74 -0
package/dist/generated/accounts/agentSpendOverlay.js.map +1 -0
package/dist/generated/accounts/agentVault.d.ts +95 -0
package/dist/generated/accounts/agentVault.d.ts.map +1 -0
package/dist/generated/accounts/agentVault.js +83 -0
package/dist/generated/accounts/agentVault.js.map +1 -0
package/dist/generated/accounts/escrowDeposit.d.ts +50 -0
package/dist/generated/accounts/escrowDeposit.d.ts.map +1 -0
package/dist/generated/accounts/escrowDeposit.js +76 -0
package/dist/generated/accounts/escrowDeposit.js.map +1 -0
package/dist/generated/accounts/index.d.ts +17 -0
package/dist/generated/accounts/index.d.ts.map +1 -0
package/dist/generated/accounts/index.js +17 -0
package/dist/generated/accounts/index.js.map +1 -0
package/dist/generated/accounts/instructionConstraints.d.ts +37 -0
package/dist/generated/accounts/instructionConstraints.d.ts.map +1 -0
package/dist/generated/accounts/instructionConstraints.js +64 -0
package/dist/generated/accounts/instructionConstraints.js.map +1 -0
package/dist/generated/accounts/pendingConstraintsUpdate.d.ts +53 -0
package/dist/generated/accounts/pendingConstraintsUpdate.d.ts.map +1 -0
package/dist/generated/accounts/pendingConstraintsUpdate.js +68 -0
package/dist/generated/accounts/pendingConstraintsUpdate.js.map +1 -0
package/dist/generated/accounts/pendingPolicyUpdate.d.ts +72 -0
package/dist/generated/accounts/pendingPolicyUpdate.d.ts.map +1 -0
package/dist/generated/accounts/pendingPolicyUpdate.js +97 -0
package/dist/generated/accounts/pendingPolicyUpdate.js.map +1 -0
package/dist/generated/accounts/policyConfig.d.ts +180 -0
package/dist/generated/accounts/policyConfig.d.ts.map +1 -0
package/dist/generated/accounts/policyConfig.js +88 -0
package/dist/generated/accounts/policyConfig.js.map +1 -0
package/dist/generated/accounts/sessionAuthority.d.ts +104 -0
package/dist/generated/accounts/sessionAuthority.d.ts.map +1 -0
package/dist/generated/accounts/sessionAuthority.js +86 -0
package/dist/generated/accounts/sessionAuthority.js.map +1 -0
package/dist/generated/accounts/spendTracker.d.ts +60 -0
package/dist/generated/accounts/spendTracker.d.ts.map +1 -0
package/dist/generated/accounts/spendTracker.js +74 -0
package/dist/generated/accounts/spendTracker.js.map +1 -0
package/dist/generated/errors/index.d.ts +9 -0
package/dist/generated/errors/index.d.ts.map +1 -0
package/dist/generated/errors/index.js +9 -0
package/dist/generated/errors/index.js.map +1 -0
package/dist/generated/errors/sigil.d.ts +162 -0
package/dist/generated/errors/sigil.d.ts.map +1 -0
package/dist/generated/errors/sigil.js +237 -0
package/dist/generated/errors/sigil.js.map +1 -0
package/dist/generated/event-discriminators.d.ts +2 -0
package/dist/generated/event-discriminators.d.ts.map +1 -0
package/dist/generated/event-discriminators.js +39 -0
package/dist/generated/event-discriminators.js.map +1 -0
package/dist/generated/index.d.ts +13 -0
package/dist/generated/index.d.ts.map +1 -0
package/dist/generated/index.js +13 -0
package/dist/generated/index.js.map +1 -0
package/dist/generated/instructions/agentTransfer.d.ts +109 -0
package/dist/generated/instructions/agentTransfer.d.ts.map +1 -0
package/dist/generated/instructions/agentTransfer.js +211 -0
package/dist/generated/instructions/agentTransfer.js.map +1 -0
package/dist/generated/instructions/applyConstraintsUpdate.d.ts +55 -0
package/dist/generated/instructions/applyConstraintsUpdate.d.ts.map +1 -0
package/dist/generated/instructions/applyConstraintsUpdate.js +129 -0
package/dist/generated/instructions/applyConstraintsUpdate.js.map +1 -0
package/dist/generated/instructions/applyPendingPolicy.d.ts +55 -0
package/dist/generated/instructions/applyPendingPolicy.d.ts.map +1 -0
package/dist/generated/instructions/applyPendingPolicy.js +122 -0
package/dist/generated/instructions/applyPendingPolicy.js.map +1 -0
package/dist/generated/instructions/cancelConstraintsUpdate.d.ts +51 -0
package/dist/generated/instructions/cancelConstraintsUpdate.d.ts.map +1 -0
package/dist/generated/instructions/cancelConstraintsUpdate.js +115 -0
package/dist/generated/instructions/cancelConstraintsUpdate.js.map +1 -0
package/dist/generated/instructions/cancelPendingPolicy.d.ts +55 -0
package/dist/generated/instructions/cancelPendingPolicy.d.ts.map +1 -0
package/dist/generated/instructions/cancelPendingPolicy.js +122 -0
package/dist/generated/instructions/cancelPendingPolicy.js.map +1 -0
package/dist/generated/instructions/closeInstructionConstraints.d.ts +55 -0
package/dist/generated/instructions/closeInstructionConstraints.d.ts.map +1 -0
package/dist/generated/instructions/closeInstructionConstraints.js +120 -0
package/dist/generated/instructions/closeInstructionConstraints.js.map +1 -0
package/dist/generated/instructions/closeSettledEscrow.d.ts +72 -0
package/dist/generated/instructions/closeSettledEscrow.d.ts.map +1 -0
package/dist/generated/instructions/closeSettledEscrow.js +127 -0
package/dist/generated/instructions/closeSettledEscrow.js.map +1 -0
package/dist/generated/instructions/closeVault.d.ts +69 -0
package/dist/generated/instructions/closeVault.d.ts.map +1 -0
package/dist/generated/instructions/closeVault.js +142 -0
package/dist/generated/instructions/closeVault.js.map +1 -0
package/dist/generated/instructions/createEscrow.d.ts +131 -0
package/dist/generated/instructions/createEscrow.d.ts.map +1 -0
package/dist/generated/instructions/createEscrow.js +272 -0
package/dist/generated/instructions/createEscrow.js.map +1 -0
package/dist/generated/instructions/createInstructionConstraints.d.ts +69 -0
package/dist/generated/instructions/createInstructionConstraints.d.ts.map +1 -0
package/dist/generated/instructions/createInstructionConstraints.js +145 -0
package/dist/generated/instructions/createInstructionConstraints.js.map +1 -0
package/dist/generated/instructions/depositFunds.d.ts +82 -0
package/dist/generated/instructions/depositFunds.d.ts.map +1 -0
package/dist/generated/instructions/depositFunds.js +198 -0
package/dist/generated/instructions/depositFunds.js.map +1 -0
package/dist/generated/instructions/finalizeSession.d.ts +126 -0
package/dist/generated/instructions/finalizeSession.d.ts.map +1 -0
package/dist/generated/instructions/finalizeSession.js +218 -0
package/dist/generated/instructions/finalizeSession.js.map +1 -0
package/dist/generated/instructions/freezeVault.d.ts +40 -0
package/dist/generated/instructions/freezeVault.d.ts.map +1 -0
package/dist/generated/instructions/freezeVault.js +66 -0
package/dist/generated/instructions/freezeVault.js.map +1 -0
package/dist/generated/instructions/index.d.ts +37 -0
package/dist/generated/instructions/index.d.ts.map +1 -0
package/dist/generated/instructions/index.js +37 -0
package/dist/generated/instructions/index.js.map +1 -0
package/dist/generated/instructions/initializeVault.d.ts +122 -0
package/dist/generated/instructions/initializeVault.d.ts.map +1 -0
package/dist/generated/instructions/initializeVault.js +187 -0
package/dist/generated/instructions/initializeVault.js.map +1 -0
package/dist/generated/instructions/pauseAgent.d.ts +44 -0
package/dist/generated/instructions/pauseAgent.d.ts.map +1 -0
package/dist/generated/instructions/pauseAgent.js +72 -0
package/dist/generated/instructions/pauseAgent.js.map +1 -0
package/dist/generated/instructions/queueConstraintsUpdate.d.ts +73 -0
package/dist/generated/instructions/queueConstraintsUpdate.d.ts.map +1 -0
package/dist/generated/instructions/queueConstraintsUpdate.js +168 -0
package/dist/generated/instructions/queueConstraintsUpdate.js.map +1 -0
package/dist/generated/instructions/queuePolicyUpdate.d.ts +116 -0
package/dist/generated/instructions/queuePolicyUpdate.d.ts.map +1 -0
package/dist/generated/instructions/queuePolicyUpdate.js +173 -0
package/dist/generated/instructions/queuePolicyUpdate.js.map +1 -0
package/dist/generated/instructions/reactivateVault.d.ts +47 -0
package/dist/generated/instructions/reactivateVault.d.ts.map +1 -0
package/dist/generated/instructions/reactivateVault.js +74 -0
package/dist/generated/instructions/reactivateVault.js.map +1 -0
package/dist/generated/instructions/refundEscrow.d.ts +74 -0
package/dist/generated/instructions/refundEscrow.d.ts.map +1 -0
package/dist/generated/instructions/refundEscrow.js +142 -0
package/dist/generated/instructions/refundEscrow.js.map +1 -0
package/dist/generated/instructions/registerAgent.d.ts +55 -0
package/dist/generated/instructions/registerAgent.d.ts.map +1 -0
package/dist/generated/instructions/registerAgent.js +85 -0
package/dist/generated/instructions/registerAgent.js.map +1 -0
package/dist/generated/instructions/revokeAgent.d.ts +49 -0
package/dist/generated/instructions/revokeAgent.d.ts.map +1 -0
package/dist/generated/instructions/revokeAgent.js +81 -0
package/dist/generated/instructions/revokeAgent.js.map +1 -0
package/dist/generated/instructions/settleEscrow.d.ts +80 -0
package/dist/generated/instructions/settleEscrow.d.ts.map +1 -0
package/dist/generated/instructions/settleEscrow.js +173 -0
package/dist/generated/instructions/settleEscrow.js.map +1 -0
package/dist/generated/instructions/syncPositions.d.ts +44 -0
package/dist/generated/instructions/syncPositions.d.ts.map +1 -0
package/dist/generated/instructions/syncPositions.js +72 -0
package/dist/generated/instructions/syncPositions.js.map +1 -0
package/dist/generated/instructions/unpauseAgent.d.ts +44 -0
package/dist/generated/instructions/unpauseAgent.d.ts.map +1 -0
package/dist/generated/instructions/unpauseAgent.js +72 -0
package/dist/generated/instructions/unpauseAgent.js.map +1 -0
package/dist/generated/instructions/updateAgentPermissions.d.ts +68 -0
package/dist/generated/instructions/updateAgentPermissions.d.ts.map +1 -0
package/dist/generated/instructions/updateAgentPermissions.js +139 -0
package/dist/generated/instructions/updateAgentPermissions.js.map +1 -0
package/dist/generated/instructions/updateInstructionConstraints.d.ts +65 -0
package/dist/generated/instructions/updateInstructionConstraints.d.ts.map +1 -0
package/dist/generated/instructions/updateInstructionConstraints.js +131 -0
package/dist/generated/instructions/updateInstructionConstraints.js.map +1 -0
package/dist/generated/instructions/updatePolicy.d.ts +108 -0
package/dist/generated/instructions/updatePolicy.d.ts.map +1 -0
package/dist/generated/instructions/updatePolicy.js +143 -0
package/dist/generated/instructions/updatePolicy.js.map +1 -0
package/dist/generated/instructions/validateAndAuthorize.d.ts +171 -0
package/dist/generated/instructions/validateAndAuthorize.d.ts.map +1 -0
package/dist/generated/instructions/validateAndAuthorize.js +271 -0
package/dist/generated/instructions/validateAndAuthorize.js.map +1 -0
package/dist/generated/instructions/withdrawFunds.d.ts +74 -0
package/dist/generated/instructions/withdrawFunds.d.ts.map +1 -0
package/dist/generated/instructions/withdrawFunds.js +166 -0
package/dist/generated/instructions/withdrawFunds.js.map +1 -0
package/dist/generated/programs/index.d.ts +9 -0
package/dist/generated/programs/index.d.ts.map +1 -0
package/dist/generated/programs/index.js +9 -0
package/dist/generated/programs/index.js.map +1 -0
package/dist/generated/programs/sigil.d.ts +173 -0
package/dist/generated/programs/sigil.d.ts.map +1 -0
package/dist/generated/programs/sigil.js +443 -0
package/dist/generated/programs/sigil.js.map +1 -0
package/dist/generated/types/accountConstraint.d.ts +18 -0
package/dist/generated/types/accountConstraint.d.ts.map +1 -0
package/dist/generated/types/accountConstraint.js +24 -0
package/dist/generated/types/accountConstraint.js.map +1 -0
package/dist/generated/types/actionAuthorized.d.ts +39 -0
package/dist/generated/types/actionAuthorized.d.ts.map +1 -0
package/dist/generated/types/actionAuthorized.js +43 -0
package/dist/generated/types/actionAuthorized.js.map +1 -0
package/dist/generated/types/actionType.d.ts +37 -0
package/dist/generated/types/actionType.d.ts.map +1 -0
package/dist/generated/types/actionType.js +43 -0
package/dist/generated/types/actionType.js.map +1 -0
package/dist/generated/types/agentContributionEntry.d.ts +49 -0
package/dist/generated/types/agentContributionEntry.d.ts.map +1 -0
package/dist/generated/types/agentContributionEntry.js +26 -0
package/dist/generated/types/agentContributionEntry.js.map +1 -0
package/dist/generated/types/agentEntry.d.ts +24 -0
package/dist/generated/types/agentEntry.d.ts.map +1 -0
package/dist/generated/types/agentEntry.js +28 -0
package/dist/generated/types/agentEntry.js.map +1 -0
package/dist/generated/types/agentPausedEvent.d.ts +22 -0
package/dist/generated/types/agentPausedEvent.d.ts.map +1 -0
package/dist/generated/types/agentPausedEvent.js +26 -0
package/dist/generated/types/agentPausedEvent.js.map +1 -0
package/dist/generated/types/agentPermissionsUpdated.d.ts +24 -0
package/dist/generated/types/agentPermissionsUpdated.d.ts.map +1 -0
package/dist/generated/types/agentPermissionsUpdated.js +28 -0
package/dist/generated/types/agentPermissionsUpdated.js.map +1 -0
package/dist/generated/types/agentRegistered.d.ts +26 -0
package/dist/generated/types/agentRegistered.d.ts.map +1 -0
package/dist/generated/types/agentRegistered.js +30 -0
package/dist/generated/types/agentRegistered.js.map +1 -0
package/dist/generated/types/agentRevoked.d.ts +24 -0
package/dist/generated/types/agentRevoked.d.ts.map +1 -0
package/dist/generated/types/agentRevoked.js +28 -0
package/dist/generated/types/agentRevoked.js.map +1 -0
package/dist/generated/types/agentSpendLimitChecked.d.ts +28 -0
package/dist/generated/types/agentSpendLimitChecked.d.ts.map +1 -0
package/dist/generated/types/agentSpendLimitChecked.js +32 -0
package/dist/generated/types/agentSpendLimitChecked.js.map +1 -0
package/dist/generated/types/agentTransferExecuted.d.ts +24 -0
package/dist/generated/types/agentTransferExecuted.d.ts.map +1 -0
package/dist/generated/types/agentTransferExecuted.js +28 -0
package/dist/generated/types/agentTransferExecuted.js.map +1 -0
package/dist/generated/types/agentUnpausedEvent.d.ts +22 -0
package/dist/generated/types/agentUnpausedEvent.d.ts.map +1 -0
package/dist/generated/types/agentUnpausedEvent.js +26 -0
package/dist/generated/types/agentUnpausedEvent.js.map +1 -0
package/dist/generated/types/constraintEntry.d.ts +23 -0
package/dist/generated/types/constraintEntry.d.ts.map +1 -0
package/dist/generated/types/constraintEntry.js +27 -0
package/dist/generated/types/constraintEntry.js.map +1 -0
package/dist/generated/types/constraintOperator.d.ts +22 -0
package/dist/generated/types/constraintOperator.d.ts.map +1 -0
package/dist/generated/types/constraintOperator.js +28 -0
package/dist/generated/types/constraintOperator.js.map +1 -0
package/dist/generated/types/constraintsChangeApplied.d.ts +20 -0
package/dist/generated/types/constraintsChangeApplied.d.ts.map +1 -0
package/dist/generated/types/constraintsChangeApplied.js +24 -0
package/dist/generated/types/constraintsChangeApplied.js.map +1 -0
package/dist/generated/types/constraintsChangeCancelled.d.ts +16 -0
package/dist/generated/types/constraintsChangeCancelled.d.ts.map +1 -0
package/dist/generated/types/constraintsChangeCancelled.js +18 -0
package/dist/generated/types/constraintsChangeCancelled.js.map +1 -0
package/dist/generated/types/constraintsChangeQueued.d.ts +20 -0
package/dist/generated/types/constraintsChangeQueued.d.ts.map +1 -0
package/dist/generated/types/constraintsChangeQueued.js +24 -0
package/dist/generated/types/constraintsChangeQueued.js.map +1 -0
package/dist/generated/types/dataConstraint.d.ts +23 -0
package/dist/generated/types/dataConstraint.d.ts.map +1 -0
package/dist/generated/types/dataConstraint.js +27 -0
package/dist/generated/types/dataConstraint.js.map +1 -0
package/dist/generated/types/delegationRevoked.d.ts +22 -0
package/dist/generated/types/delegationRevoked.d.ts.map +1 -0
package/dist/generated/types/delegationRevoked.js +26 -0
package/dist/generated/types/delegationRevoked.js.map +1 -0
package/dist/generated/types/epochBucket.d.ts +28 -0
package/dist/generated/types/epochBucket.d.ts.map +1 -0
package/dist/generated/types/epochBucket.js +24 -0
package/dist/generated/types/epochBucket.js.map +1 -0
package/dist/generated/types/escrowCreated.d.ts +30 -0
package/dist/generated/types/escrowCreated.d.ts.map +1 -0
package/dist/generated/types/escrowCreated.js +34 -0
package/dist/generated/types/escrowCreated.js.map +1 -0
package/dist/generated/types/escrowRefunded.d.ts +26 -0
package/dist/generated/types/escrowRefunded.d.ts.map +1 -0
package/dist/generated/types/escrowRefunded.js +30 -0
package/dist/generated/types/escrowRefunded.js.map +1 -0
package/dist/generated/types/escrowSettled.d.ts +26 -0
package/dist/generated/types/escrowSettled.d.ts.map +1 -0
package/dist/generated/types/escrowSettled.js +30 -0
package/dist/generated/types/escrowSettled.js.map +1 -0
package/dist/generated/types/escrowStatus.d.ts +18 -0
package/dist/generated/types/escrowStatus.d.ts.map +1 -0
package/dist/generated/types/escrowStatus.js +24 -0
package/dist/generated/types/escrowStatus.js.map +1 -0
package/dist/generated/types/feesCollected.d.ts +38 -0
package/dist/generated/types/feesCollected.d.ts.map +1 -0
package/dist/generated/types/feesCollected.js +42 -0
package/dist/generated/types/feesCollected.js.map +1 -0
package/dist/generated/types/fundsDeposited.d.ts +24 -0
package/dist/generated/types/fundsDeposited.d.ts.map +1 -0
package/dist/generated/types/fundsDeposited.js +28 -0
package/dist/generated/types/fundsDeposited.js.map +1 -0
package/dist/generated/types/fundsWithdrawn.d.ts +26 -0
package/dist/generated/types/fundsWithdrawn.d.ts.map +1 -0
package/dist/generated/types/fundsWithdrawn.js +30 -0
package/dist/generated/types/fundsWithdrawn.js.map +1 -0
package/dist/generated/types/index.d.ts +50 -0
package/dist/generated/types/index.d.ts.map +1 -0
package/dist/generated/types/index.js +50 -0
package/dist/generated/types/index.js.map +1 -0
package/dist/generated/types/instructionConstraintsClosed.d.ts +20 -0
package/dist/generated/types/instructionConstraintsClosed.d.ts.map +1 -0
package/dist/generated/types/instructionConstraintsClosed.js +24 -0
package/dist/generated/types/instructionConstraintsClosed.js.map +1 -0
package/dist/generated/types/instructionConstraintsCreated.d.ts +24 -0
package/dist/generated/types/instructionConstraintsCreated.d.ts.map +1 -0
package/dist/generated/types/instructionConstraintsCreated.js +28 -0
package/dist/generated/types/instructionConstraintsCreated.js.map +1 -0
package/dist/generated/types/instructionConstraintsUpdated.d.ts +24 -0
package/dist/generated/types/instructionConstraintsUpdated.d.ts.map +1 -0
package/dist/generated/types/instructionConstraintsUpdated.js +28 -0
package/dist/generated/types/instructionConstraintsUpdated.js.map +1 -0
package/dist/generated/types/policyChangeApplied.d.ts +20 -0
package/dist/generated/types/policyChangeApplied.d.ts.map +1 -0
package/dist/generated/types/policyChangeApplied.js +24 -0
package/dist/generated/types/policyChangeApplied.js.map +1 -0
package/dist/generated/types/policyChangeCancelled.d.ts +16 -0
package/dist/generated/types/policyChangeCancelled.d.ts.map +1 -0
package/dist/generated/types/policyChangeCancelled.js +18 -0
package/dist/generated/types/policyChangeCancelled.js.map +1 -0
package/dist/generated/types/policyChangeQueued.d.ts +20 -0
package/dist/generated/types/policyChangeQueued.d.ts.map +1 -0
package/dist/generated/types/policyChangeQueued.js +24 -0
package/dist/generated/types/policyChangeQueued.js.map +1 -0
package/dist/generated/types/policyUpdated.d.ts +34 -0
package/dist/generated/types/policyUpdated.d.ts.map +1 -0
package/dist/generated/types/policyUpdated.js +38 -0
package/dist/generated/types/policyUpdated.js.map +1 -0
package/dist/generated/types/positionsSynced.d.ts +24 -0
package/dist/generated/types/positionsSynced.d.ts.map +1 -0
package/dist/generated/types/positionsSynced.js +28 -0
package/dist/generated/types/positionsSynced.js.map +1 -0
package/dist/generated/types/protocolSpendCounter.d.ts +33 -0
package/dist/generated/types/protocolSpendCounter.d.ts.map +1 -0
package/dist/generated/types/protocolSpendCounter.js +26 -0
package/dist/generated/types/protocolSpendCounter.js.map +1 -0
package/dist/generated/types/sessionFinalized.d.ts +32 -0
package/dist/generated/types/sessionFinalized.d.ts.map +1 -0
package/dist/generated/types/sessionFinalized.js +36 -0
package/dist/generated/types/sessionFinalized.js.map +1 -0
package/dist/generated/types/vaultClosed.d.ts +22 -0
package/dist/generated/types/vaultClosed.d.ts.map +1 -0
package/dist/generated/types/vaultClosed.js +26 -0
package/dist/generated/types/vaultClosed.js.map +1 -0
package/dist/generated/types/vaultCreated.d.ts +24 -0
package/dist/generated/types/vaultCreated.d.ts.map +1 -0
package/dist/generated/types/vaultCreated.js +28 -0
package/dist/generated/types/vaultCreated.js.map +1 -0
package/dist/generated/types/vaultFrozen.d.ts +24 -0
package/dist/generated/types/vaultFrozen.d.ts.map +1 -0
package/dist/generated/types/vaultFrozen.js +28 -0
package/dist/generated/types/vaultFrozen.js.map +1 -0
package/dist/generated/types/vaultReactivated.d.ts +24 -0
package/dist/generated/types/vaultReactivated.d.ts.map +1 -0
package/dist/generated/types/vaultReactivated.js +28 -0
package/dist/generated/types/vaultReactivated.js.map +1 -0
package/dist/generated/types/vaultStatus.d.ts +19 -0
package/dist/generated/types/vaultStatus.d.ts.map +1 -0
package/dist/generated/types/vaultStatus.js +25 -0
package/dist/generated/types/vaultStatus.js.map +1 -0
package/dist/index.d.ts +74 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +113 -0
package/dist/index.js.map +1 -0
package/dist/inscribe.d.ts +134 -0
package/dist/inscribe.d.ts.map +1 -0
package/dist/inscribe.js +149 -0
package/dist/inscribe.js.map +1 -0
package/dist/inspector.d.ts +85 -0
package/dist/inspector.d.ts.map +1 -0
package/dist/inspector.js +188 -0
package/dist/inspector.js.map +1 -0
package/dist/math-utils.d.ts +15 -0
package/dist/math-utils.d.ts.map +1 -0
package/dist/math-utils.js +29 -0
package/dist/math-utils.js.map +1 -0
package/dist/owner-transaction.d.ts +42 -0
package/dist/owner-transaction.d.ts.map +1 -0
package/dist/owner-transaction.js +71 -0
package/dist/owner-transaction.js.map +1 -0
package/dist/policies.d.ts +70 -0
package/dist/policies.d.ts.map +1 -0
package/dist/policies.js +87 -0
package/dist/policies.js.map +1 -0
package/dist/portfolio-analytics.d.ts +82 -0
package/dist/portfolio-analytics.d.ts.map +1 -0
package/dist/portfolio-analytics.js +232 -0
package/dist/portfolio-analytics.js.map +1 -0
package/dist/presets.d.ts +108 -0
package/dist/presets.d.ts.map +1 -0
package/dist/presets.js +110 -0
package/dist/presets.js.map +1 -0
package/dist/priority-fees.d.ts +49 -0
package/dist/priority-fees.d.ts.map +1 -0
package/dist/priority-fees.js +175 -0
package/dist/priority-fees.js.map +1 -0
package/dist/protocol-analytics.d.ts +35 -0
package/dist/protocol-analytics.d.ts.map +1 -0
package/dist/protocol-analytics.js +64 -0
package/dist/protocol-analytics.js.map +1 -0
package/dist/protocol-names.d.ts +9 -0
package/dist/protocol-names.d.ts.map +1 -0
package/dist/protocol-names.js +18 -0
package/dist/protocol-names.js.map +1 -0
package/dist/protocol-resolver.d.ts +54 -0
package/dist/protocol-resolver.d.ts.map +1 -0
package/dist/protocol-resolver.js +123 -0
package/dist/protocol-resolver.js.map +1 -0
package/dist/resolve-accounts.d.ts +38 -0
package/dist/resolve-accounts.d.ts.map +1 -0
package/dist/resolve-accounts.js +120 -0
package/dist/resolve-accounts.js.map +1 -0
package/dist/rpc-helpers.d.ts +50 -0
package/dist/rpc-helpers.d.ts.map +1 -0
package/dist/rpc-helpers.js +119 -0
package/dist/rpc-helpers.js.map +1 -0
package/dist/seal.d.ts +211 -0
package/dist/seal.d.ts.map +1 -0
package/dist/seal.js +569 -0
package/dist/seal.js.map +1 -0
package/dist/security-analytics.d.ts +85 -0
package/dist/security-analytics.d.ts.map +1 -0
package/dist/security-analytics.js +510 -0
package/dist/security-analytics.js.map +1 -0
package/dist/shield.d.ts +235 -0
package/dist/shield.d.ts.map +1 -0
package/dist/shield.js +701 -0
package/dist/shield.js.map +1 -0
package/dist/simulation.d.ts +111 -0
package/dist/simulation.d.ts.map +1 -0
package/dist/simulation.js +514 -0
package/dist/simulation.js.map +1 -0
package/dist/spending-analytics.d.ts +91 -0
package/dist/spending-analytics.d.ts.map +1 -0
package/dist/spending-analytics.js +217 -0
package/dist/spending-analytics.js.map +1 -0
package/dist/state-resolver.d.ts +173 -0
package/dist/state-resolver.d.ts.map +1 -0
package/dist/state-resolver.js +660 -0
package/dist/state-resolver.js.map +1 -0
package/dist/tee/cache.d.ts +28 -0
package/dist/tee/cache.d.ts.map +1 -0
package/dist/tee/cache.js +75 -0
package/dist/tee/cache.js.map +1 -0
package/dist/tee/index.d.ts +9 -0
package/dist/tee/index.d.ts.map +1 -0
package/dist/tee/index.js +9 -0
package/dist/tee/index.js.map +1 -0
package/dist/tee/nitro-root.d.ts +11 -0
package/dist/tee/nitro-root.d.ts.map +1 -0
package/dist/tee/nitro-root.js +24 -0
package/dist/tee/nitro-root.js.map +1 -0
package/dist/tee/providers/crossmint.d.ts +12 -0
package/dist/tee/providers/crossmint.d.ts.map +1 -0
package/dist/tee/providers/crossmint.js +73 -0
package/dist/tee/providers/crossmint.js.map +1 -0
package/dist/tee/providers/privy.d.ts +12 -0
package/dist/tee/providers/privy.d.ts.map +1 -0
package/dist/tee/providers/privy.js +73 -0
package/dist/tee/providers/privy.js.map +1 -0
package/dist/tee/providers/turnkey.d.ts +34 -0
package/dist/tee/providers/turnkey.d.ts.map +1 -0
package/dist/tee/providers/turnkey.js +401 -0
package/dist/tee/providers/turnkey.js.map +1 -0
package/dist/tee/types.d.ts +124 -0
package/dist/tee/types.d.ts.map +1 -0
package/dist/tee/types.js +51 -0
package/dist/tee/types.js.map +1 -0
package/dist/tee/verify.d.ts +34 -0
package/dist/tee/verify.d.ts.map +1 -0
package/dist/tee/verify.js +177 -0
package/dist/tee/verify.js.map +1 -0
package/dist/tee/wallet-types.d.ts +61 -0
package/dist/tee/wallet-types.d.ts.map +1 -0
package/dist/tee/wallet-types.js +42 -0
package/dist/tee/wallet-types.js.map +1 -0
package/dist/testing/devnet.d.ts +64 -0
package/dist/testing/devnet.d.ts.map +1 -0
package/dist/testing/devnet.js +222 -0
package/dist/testing/devnet.js.map +1 -0
package/dist/testing/index.d.ts +3 -0
package/dist/testing/index.d.ts.map +1 -0
package/dist/testing/index.js +9 -0
package/dist/testing/index.js.map +1 -0
package/dist/testing/mock-rpc.d.ts +31 -0
package/dist/testing/mock-rpc.d.ts.map +1 -0
package/dist/testing/mock-rpc.js +50 -0
package/dist/testing/mock-rpc.js.map +1 -0
package/dist/testing/mock-state.d.ts +35 -0
package/dist/testing/mock-state.d.ts.map +1 -0
package/dist/testing/mock-state.js +86 -0
package/dist/testing/mock-state.js.map +1 -0
package/dist/tokens.d.ts +35 -0
package/dist/tokens.d.ts.map +1 -0
package/dist/tokens.js +157 -0
package/dist/tokens.js.map +1 -0
package/dist/transaction-executor.d.ts +116 -0
package/dist/transaction-executor.d.ts.map +1 -0
package/dist/transaction-executor.js +165 -0
package/dist/transaction-executor.js.map +1 -0
package/dist/types.d.ts +102 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +216 -0
package/dist/types.js.map +1 -0
package/dist/vault-analytics.d.ts +83 -0
package/dist/vault-analytics.d.ts.map +1 -0
package/dist/vault-analytics.js +175 -0
package/dist/vault-analytics.js.map +1 -0
package/dist/velocity-tracker.d.ts +79 -0
package/dist/velocity-tracker.d.ts.map +1 -0
package/dist/velocity-tracker.js +183 -0
package/dist/velocity-tracker.js.map +1 -0
package/dist/x402/amount-guard.d.ts +26 -0
package/dist/x402/amount-guard.d.ts.map +1 -0
package/dist/x402/amount-guard.js +80 -0
package/dist/x402/amount-guard.js.map +1 -0
package/dist/x402/audit-trail.d.ts +26 -0
package/dist/x402/audit-trail.d.ts.map +1 -0
package/dist/x402/audit-trail.js +32 -0
package/dist/x402/audit-trail.js.map +1 -0
package/dist/x402/codec.d.ts +26 -0
package/dist/x402/codec.d.ts.map +1 -0
package/dist/x402/codec.js +95 -0
package/dist/x402/codec.js.map +1 -0
package/dist/x402/errors.d.ts +34 -0
package/dist/x402/errors.d.ts.map +1 -0
package/dist/x402/errors.js +53 -0
package/dist/x402/errors.js.map +1 -0
package/dist/x402/facilitator-verify.d.ts +24 -0
package/dist/x402/facilitator-verify.d.ts.map +1 -0
package/dist/x402/facilitator-verify.js +74 -0
package/dist/x402/facilitator-verify.js.map +1 -0
package/dist/x402/index.d.ts +14 -0
package/dist/x402/index.d.ts.map +1 -0
package/dist/x402/index.js +23 -0
package/dist/x402/index.js.map +1 -0
package/dist/x402/nonce-tracker.d.ts +65 -0
package/dist/x402/nonce-tracker.d.ts.map +1 -0
package/dist/x402/nonce-tracker.js +123 -0
package/dist/x402/nonce-tracker.js.map +1 -0
package/dist/x402/payment-selector.d.ts +20 -0
package/dist/x402/payment-selector.d.ts.map +1 -0
package/dist/x402/payment-selector.js +49 -0
package/dist/x402/payment-selector.js.map +1 -0
package/dist/x402/policy-bridge.d.ts +23 -0
package/dist/x402/policy-bridge.d.ts.map +1 -0
package/dist/x402/policy-bridge.js +67 -0
package/dist/x402/policy-bridge.js.map +1 -0
package/dist/x402/shielded-fetch.d.ts +46 -0
package/dist/x402/shielded-fetch.d.ts.map +1 -0
package/dist/x402/shielded-fetch.js +342 -0
package/dist/x402/shielded-fetch.js.map +1 -0
package/dist/x402/transfer-builder.d.ts +43 -0
package/dist/x402/transfer-builder.d.ts.map +1 -0
package/dist/x402/transfer-builder.js +126 -0
package/dist/x402/transfer-builder.js.map +1 -0
package/dist/x402/types.d.ts +109 -0
package/dist/x402/types.d.ts.map +1 -0
package/dist/x402/types.js +8 -0
package/dist/x402/types.js.map +1 -0
package/package.json +98 -0

package/dist/tee/providers/turnkey.js ADDED Viewed

@@ -0,0 +1,401 @@
+/**
+ * Turnkey TEE Attestation Provider
+ *
+ * Two-layer verification:
+ * 1. Boot Proof — COSE_Sign1 (P-384 ECDSA) with AWS Nitro cert chain + PCR3
+ * 2. App Proof — P-256 ECDSA signature binding the app public key to the boot attestation
+ *
+ * COSE_Sign1 structure (CBOR tag 18):
+ *   [protected_headers, unprotected_headers, payload, signature]
+ *
+ * Sig_structure for verification:
+ *   CBOR(["Signature1", protected_bytes, b'', payload_bytes])
+ *
+ * The cert chain is extracted from unprotected headers key 33 (x5chain).
+ * Each cert in the chain must chain to the embedded AWS Nitro Root CA.
+ *
+ * PCR3 is the SHA-384 hash of the IAM role ARN — used to bind the enclave
+ * identity to a specific AWS IAM role (Turnkey's production enclave).
+ */
+import * as crypto from "node:crypto";
+import { getAddressEncoder } from "@solana/kit";
+import { AttestationStatus, } from "../types.js";
+import { AWS_NITRO_ROOT_CA_PEM } from "../nitro-root.js";
+import { TeeAttestationError, AttestationCertChainError, AttestationPcrMismatchError, } from "../wallet-types.js";
+// Allow overriding the root CA for testing
+let rootCaPem = AWS_NITRO_ROOT_CA_PEM;
+/** Override the root CA PEM for testing. Only available in test environments. */
+export function setTestRootCa(pem) {
+    if (typeof process === "undefined" || process.env.NODE_ENV !== "test") {
+        throw new Error("setTestRootCa() is only available in test environments (NODE_ENV=test)");
+    }
+    rootCaPem = pem;
+}
+/** Restore the production root CA PEM. */
+export function restoreProductionRootCa() {
+    rootCaPem = AWS_NITRO_ROOT_CA_PEM;
+}
+/**
+ * Convert a raw ECDSA signature (r || s concatenation) to DER format
+ * for Node.js crypto.verify().
+ */
+function rawSigToDer(rawSig, curveByteLen) {
+    if (rawSig.length !== curveByteLen * 2) {
+        throw new TeeAttestationError(`Invalid raw ECDSA signature: expected ${curveByteLen * 2} bytes, got ${rawSig.length}`);
+    }
+    const r = rawSig.subarray(0, curveByteLen);
+    const s = rawSig.subarray(curveByteLen, curveByteLen * 2);
+    // Encode each integer, adding leading zero if high bit set
+    function encodeInt(val) {
+        // Strip leading zeros but keep at least one byte
+        let start = 0;
+        while (start < val.length - 1 && val[start] === 0)
+            start++;
+        val = val.subarray(start);
+        const needsPad = val[0] >= 0x80;
+        const len = val.length + (needsPad ? 1 : 0);
+        const out = Buffer.alloc(2 + len);
+        out[0] = 0x02; // INTEGER tag
+        out[1] = len;
+        if (needsPad) {
+            out[2] = 0x00;
+            val.copy(out, 3);
+        }
+        else {
+            val.copy(out, 2);
+        }
+        return out;
+    }
+    const rDer = encodeInt(r);
+    const sDer = encodeInt(s);
+    const seqLen = rDer.length + sDer.length;
+    // SEQUENCE header
+    const header = seqLen < 128
+        ? Buffer.from([0x30, seqLen])
+        : Buffer.from([0x30, 0x81, seqLen]);
+    return Buffer.concat([header, rDer, sDer]);
+}
+/**
+ * Decode a CBOR-encoded COSE_Sign1 structure.
+ * Uses cbor-x for CBOR decoding.
+ */
+async function decodeCoseSign1(cborBytes) {
+    // Dynamic import to handle optional dependency gracefully
+    const cbor = await import("cbor-x");
+    const decoded = cbor.decode(cborBytes);
+    // COSE_Sign1 is a CBOR array of 4 elements
+    // May be wrapped in a CBOR tag (tag 18 for COSE_Sign1)
+    let arr;
+    if (Array.isArray(decoded)) {
+        arr = decoded;
+    }
+    else if (decoded &&
+        typeof decoded === "object" &&
+        "value" in decoded &&
+        Array.isArray(decoded.value)) {
+        // M2: Validate COSE_Sign1 tag (18) when present
+        if ("tag" in decoded && decoded.tag !== 18) {
+            throw new TeeAttestationError(`Invalid COSE tag: expected 18 (COSE_Sign1), got ${decoded.tag}`);
+        }
+        arr = decoded.value;
+    }
+    else {
+        throw new TeeAttestationError("Invalid COSE_Sign1: expected 4-element array");
+    }
+    if (arr.length !== 4) {
+        throw new TeeAttestationError(`Invalid COSE_Sign1: expected 4 elements, got ${arr.length}`);
+    }
+    // M3: Type-guard COSE_Sign1 byte-string elements
+    function assertByteString(val, name) {
+        if (val instanceof Uint8Array || Buffer.isBuffer(val))
+            return val;
+        throw new TeeAttestationError(`Invalid COSE_Sign1: ${name} must be a byte string`);
+    }
+    const protectedHeaders = Buffer.from(assertByteString(arr[0], "protected_headers"));
+    // Unprotected headers: may be a Map or plain object
+    let unprotectedHeaders;
+    if (arr[1] instanceof Map) {
+        unprotectedHeaders = arr[1];
+    }
+    else if (arr[1] && typeof arr[1] === "object") {
+        unprotectedHeaders = new Map(Object.entries(arr[1]).map(([k, v]) => [
+            parseInt(k, 10),
+            v,
+        ]));
+    }
+    else {
+        unprotectedHeaders = new Map();
+    }
+    const payload = Buffer.from(assertByteString(arr[2], "payload"));
+    const signature = Buffer.from(assertByteString(arr[3], "signature"));
+    return { protectedHeaders, unprotectedHeaders, payload, signature };
+}
+/**
+ * Build the Sig_structure for COSE_Sign1 verification:
+ *   CBOR(["Signature1", protected_bytes, b'', payload_bytes])
+ */
+async function buildSigStructure(protectedHeaders, payload) {
+    const cbor = await import("cbor-x");
+    return Buffer.from(cbor.encode([
+        "Signature1",
+        protectedHeaders,
+        Buffer.alloc(0), // external_aad = empty
+        payload,
+    ]));
+}
+/**
+ * Validate a certificate chain against the root CA.
+ * Each certificate must be signed by the next certificate in the chain,
+ * and the last certificate must chain to the root CA.
+ */
+function validateCertChain(certs) {
+    if (certs.length === 0) {
+        throw new AttestationCertChainError("Empty certificate chain");
+    }
+    // Build X509Certificate objects
+    const x509Certs = certs.map((certDer) => {
+        const pem = "-----BEGIN CERTIFICATE-----\n" +
+            certDer
+                .toString("base64")
+                .match(/.{1,64}/g)
+                .join("\n") +
+            "\n-----END CERTIFICATE-----";
+        return new crypto.X509Certificate(pem);
+    });
+    const rootCert = new crypto.X509Certificate(rootCaPem);
+    // Verify chain from leaf to root
+    // certs[0] = leaf (signing cert), certs[N-1] = closest to root
+    for (let i = 0; i < x509Certs.length; i++) {
+        const cert = x509Certs[i];
+        const issuer = i + 1 < x509Certs.length ? x509Certs[i + 1] : rootCert;
+        if (!cert.checkIssued(issuer)) {
+            throw new AttestationCertChainError(`Certificate at index ${i} was not issued by certificate at index ${i + 1}`);
+        }
+        // Verify the signature
+        const issuerPublicKey = issuer.publicKey;
+        if (!cert.verify(issuerPublicKey)) {
+            throw new AttestationCertChainError(`Certificate signature verification failed at chain index ${i}`);
+        }
+        // F1: Verify certificate is within its validity period
+        const now = new Date();
+        if (now < new Date(cert.validFrom) || now > new Date(cert.validTo)) {
+            throw new AttestationCertChainError(`Certificate at index ${i} is outside its validity period ` +
+                `(${cert.validFrom} to ${cert.validTo})`);
+        }
+    }
+    // Verify the last cert chains to root
+    if (x509Certs.length > 0) {
+        const lastCert = x509Certs[x509Certs.length - 1];
+        if (!lastCert.checkIssued(rootCert) ||
+            !lastCert.verify(rootCert.publicKey)) {
+            throw new AttestationCertChainError("Certificate chain does not terminate at the AWS Nitro Root CA");
+        }
+    }
+    // Return the leaf certificate (signing cert)
+    return x509Certs[0];
+}
+/**
+ * Extract PCR values from a decoded Nitro attestation document payload.
+ */
+function extractPcrValues(attestationDoc) {
+    const pcrs = attestationDoc.pcrs;
+    if (!pcrs)
+        return {};
+    const getHex = (index) => {
+        const val = pcrs instanceof Map
+            ? pcrs.get(index)
+            : pcrs[index];
+        return val ? Buffer.from(val).toString("hex") : undefined;
+    };
+    return {
+        pcr0: getHex(0),
+        pcr1: getHex(1),
+        pcr2: getHex(2),
+        pcr3: getHex(3),
+    };
+}
+/**
+ * Verify a Turnkey wallet's TEE attestation.
+ *
+ * Expects the wallet to have a `getAttestation()` method that returns
+ * a TurnkeyAttestationBundle. If the method doesn't exist or returns null,
+ * falls back to ProviderTrusted.
+ */
+export async function verifyTurnkey(wallet, config) {
+    // Kit Address is already base58 — no conversion needed
+    const publicKey = wallet.publicKey;
+    // Check if wallet provides attestation data
+    const walletRecord = wallet;
+    const getAttestation = typeof walletRecord.getAttestation === "function"
+        ? walletRecord.getAttestation
+        : undefined;
+    // H2: Turnkey wallets without getAttestation() cannot be cryptographically
+    // verified. Return Unavailable instead of ProviderTrusted to prevent
+    // spoofed wallets from passing requireAttestation.
+    if (!getAttestation) {
+        return {
+            status: AttestationStatus.Unavailable,
+            provider: "turnkey",
+            publicKey,
+            metadata: {
+                provider: "turnkey",
+                enclaveType: "nitro",
+                verifiedAt: Date.now(),
+            },
+            message: "Turnkey wallet does not expose getAttestation() — " +
+                "cannot verify enclave identity. Pass a wallet with getAttestation() " +
+                "for cryptographic verification.",
+        };
+    }
+    const ATTESTATION_TIMEOUT_MS = 30_000;
+    let bundle;
+    try {
+        let timer;
+        bundle = await Promise.race([
+            getAttestation.call(wallet).finally(() => clearTimeout(timer)),
+            new Promise((_, reject) => {
+                timer = setTimeout(() => reject(new TeeAttestationError("Turnkey getAttestation() timed out after 30s")), ATTESTATION_TIMEOUT_MS);
+            }),
+        ]);
+    }
+    catch (err) {
+        if (err instanceof TeeAttestationError)
+            throw err;
+        return {
+            status: AttestationStatus.Failed,
+            provider: "turnkey",
+            publicKey,
+            metadata: { provider: "turnkey", verifiedAt: Date.now() },
+            message: `Failed to fetch attestation bundle: ${err.message ?? err}`,
+        };
+    }
+    if (!bundle) {
+        return {
+            status: AttestationStatus.Unavailable,
+            provider: "turnkey",
+            publicKey,
+            metadata: {
+                provider: "turnkey",
+                enclaveType: "nitro",
+                verifiedAt: Date.now(),
+            },
+            message: "Turnkey getAttestation() returned null — cannot verify enclave identity.",
+        };
+    }
+    // === Boot Proof Verification (COSE_Sign1 + P-384) ===
+    try {
+        // F9: Validate bundle field types before processing
+        if (typeof bundle.bootProof !== "string" || bundle.bootProof.length === 0) {
+            throw new TeeAttestationError("Invalid attestation bundle: bootProof must be a non-empty base64 string");
+        }
+        // F2: Enforce size limit to prevent OOM from malicious payloads
+        const MAX_ATTESTATION_BYTES = 64 * 1024; // 64KB — Nitro docs are ~3-5KB
+        const bootBytes = Buffer.from(bundle.bootProof, "base64");
+        if (bootBytes.length > MAX_ATTESTATION_BYTES) {
+            throw new TeeAttestationError(`Boot proof exceeds maximum size (${bootBytes.length} > ${MAX_ATTESTATION_BYTES} bytes)`);
+        }
+        const { protectedHeaders, unprotectedHeaders, payload, signature } = await decodeCoseSign1(bootBytes);
+        // Extract certificate chain from unprotected headers key 33 (x5chain)
+        const x5chain = unprotectedHeaders.get(33);
+        if (!x5chain || !Array.isArray(x5chain)) {
+            throw new AttestationCertChainError("No x5chain (key 33) in COSE_Sign1 unprotected headers");
+        }
+        const certBuffers = x5chain.map((c, i) => {
+            if (!(c instanceof Uint8Array) && !Buffer.isBuffer(c)) {
+                throw new AttestationCertChainError(`x5chain entry at index ${i} is not a byte string`);
+            }
+            return Buffer.from(c);
+        });
+        const signingCert = validateCertChain(certBuffers);
+        // Build Sig_structure and verify ECDSA P-384 signature
+        const sigStructure = await buildSigStructure(protectedHeaders, payload);
+        const derSig = rawSigToDer(signature, 48); // P-384 = 48 bytes per component
+        const verified = crypto.verify("SHA384", sigStructure, {
+            key: signingCert.publicKey,
+            dsaEncoding: "der",
+        }, derSig);
+        if (!verified) {
+            throw new TeeAttestationError("COSE_Sign1 signature verification failed");
+        }
+        // Decode the attestation document payload
+        const cbor = await import("cbor-x");
+        const attestationDoc = cbor.decode(payload);
+        // Extract and check PCR values
+        const pcrValues = extractPcrValues(attestationDoc);
+        // C4: Check PCR3 if expected value is provided — require it to be present
+        if (config?.expectedPcr3) {
+            if (!pcrValues.pcr3) {
+                throw new AttestationPcrMismatchError(3, config.expectedPcr3, "<absent>");
+            }
+            if (pcrValues.pcr3.toLowerCase() !== config.expectedPcr3.toLowerCase()) {
+                throw new AttestationPcrMismatchError(3, config.expectedPcr3, pcrValues.pcr3);
+            }
+        }
+        // Extract the boot public key from the attestation document
+        const bootPublicKeyBytes = attestationDoc.public_key;
+        // === App Proof Verification (P-256 ECDSA) ===
+        // F3: Use explicit undefined/null checks — empty strings must not silently skip verification
+        const hasAppProof = bundle.appSignature !== undefined && bundle.appPublicKey !== undefined;
+        if (hasAppProof) {
+            // C2: If app proof is provided, bootPublicKeyBytes MUST be present in the
+            // attestation document — otherwise there is no enclave binding.
+            if (!bootPublicKeyBytes || Buffer.from(bootPublicKeyBytes).length === 0) {
+                throw new TeeAttestationError("App proof provided but attestation document lacks public_key — cannot bind enclave to wallet");
+            }
+            if (!bundle.appSignature || !bundle.appPublicKey) {
+                throw new TeeAttestationError("App proof fields present but empty — possible attestation tampering");
+            }
+            // Validate app proof field types
+            if (typeof bundle.appSignature !== "string" ||
+                typeof bundle.appPublicKey !== "string") {
+                throw new TeeAttestationError("Invalid attestation bundle: appSignature and appPublicKey must be strings");
+            }
+            const appPubKeyBytes = Buffer.from(bundle.appPublicKey, "hex");
+            // F5: Reject invalid P-256 key format immediately
+            if (appPubKeyBytes.length !== 65) {
+                throw new TeeAttestationError(`Invalid app public key: expected 65 bytes (uncompressed P-256), got ${appPubKeyBytes.length}`);
+            }
+            // C1: Always verify the P-256 signature binding the wallet key to the enclave.
+            // The app signature proves the wallet's Ed25519 public key was generated inside
+            // the attested enclave. This MUST be checked regardless of whether the app key
+            // matches the boot key — the signature is the binding proof, not key equality.
+            const appSig = Buffer.from(bundle.appSignature, "hex");
+            // Kit Address → 32-byte Ed25519 public key via encoder
+            const walletPubKeyBytes = Buffer.from(getAddressEncoder().encode(wallet.publicKey));
+            const keyObj = crypto.createPublicKey({
+                key: Buffer.concat([
+                    // SubjectPublicKeyInfo header for P-256 uncompressed point
+                    Buffer.from("3059301306072a8648ce3d020106082a8648ce3d030107034200", "hex"),
+                    appPubKeyBytes,
+                ]),
+                format: "der",
+                type: "spki",
+            });
+            const appVerified = crypto.verify("SHA256", walletPubKeyBytes, { key: keyObj, dsaEncoding: "der" }, appSig);
+            if (!appVerified) {
+                throw new TeeAttestationError("App proof P-256 signature verification failed");
+            }
+        }
+        return {
+            status: AttestationStatus.CryptographicallyVerified,
+            provider: "turnkey",
+            publicKey,
+            metadata: {
+                provider: "turnkey",
+                enclaveType: "nitro",
+                pcrValues,
+                certChainLength: certBuffers.length,
+                verifiedAt: Date.now(),
+            },
+            message: "Turnkey attestation cryptographically verified: " +
+                "COSE_Sign1 P-384 signature valid, cert chain trusted, PCR values checked.",
+        };
+    }
+    catch (err) {
+        // F8: Only base class check needed — subclasses extend TeeAttestationError
+        if (err instanceof TeeAttestationError)
+            throw err;
+        throw new TeeAttestationError(`Turnkey attestation verification failed: ${err.message ?? err}`);
+    }
+}
+//# sourceMappingURL=turnkey.js.map

package/dist/tee/providers/turnkey.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"turnkey.js","sourceRoot":"","sources":["../../../src/tee/providers/turnkey.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,iBAAiB,GAMlB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,2BAA2B,GAC5B,MAAM,oBAAoB,CAAC;AAG5B,2CAA2C;AAC3C,IAAI,SAAS,GAAG,qBAAqB,CAAC;AAEtC,iFAAiF;AACjF,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CACb,wEAAwE,CACzE,CAAC;IACJ,CAAC;IACD,SAAS,GAAG,GAAG,CAAC;AAClB,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,uBAAuB;IACrC,SAAS,GAAG,qBAAqB,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,MAAc,EAAE,YAAoB;IACvD,IAAI,MAAM,CAAC,MAAM,KAAK,YAAY,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,mBAAmB,CAC3B,yCAAyC,YAAY,GAAG,CAAC,eAAe,MAAM,CAAC,MAAM,EAAE,CACxF,CAAC;IACJ,CAAC;IACD,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,YAAY,GAAG,CAAC,CAAC,CAAC;IAE1D,2DAA2D;IAC3D,SAAS,SAAS,CAAC,GAAW;QAC5B,iDAAiD;QACjD,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,OAAO,KAAK,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC;YAAE,KAAK,EAAE,CAAC;QAC3D,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1B,MAAM,QAAQ,GAAG,GAAG,CAAC,CAAC,CAAE,IAAI,IAAI,CAAC;QACjC,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;QAClC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,cAAc;QAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC;QACb,IAAI,QAAQ,EAAE,CAAC;YACb,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;YACd,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACnB,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAEzC,kBAAkB;IAClB,MAAM,MAAM,GACV,MAAM,GAAG,GAAG;QACV,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAExC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,eAAe,CAAC,SAAiB;IAM9C,0DAA0D;IAC1D,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEvC,2CAA2C;IAC3C,uDAAuD;IACvD,IAAI,GAAc,CAAC;IACnB,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,GAAG,GAAG,OAAO,CAAC;IAChB,CAAC;SAAM,IACL,OAAO;QACP,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,IAAI,OAAO;QAClB,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAC5B,CAAC;QACD,gDAAgD;QAChD,IAAI,KAAK,IAAI,OAAO,IAAK,OAA2B,CAAC,GAAG,KAAK,EAAE,EAAE,CAAC;YAChE,MAAM,IAAI,mBAAmB,CAC3B,mDAAoD,OAA2B,CAAC,GAAG,EAAE,CACtF,CAAC;QACJ,CAAC;QACD,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC;IACtB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,mBAAmB,CAC3B,8CAA8C,CAC/C,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,mBAAmB,CAC3B,gDAAgD,GAAG,CAAC,MAAM,EAAE,CAC7D,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,SAAS,gBAAgB,CAAC,GAAY,EAAE,IAAY;QAClD,IAAI,GAAG,YAAY,UAAU,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;YACnD,OAAO,GAAiB,CAAC;QAC3B,MAAM,IAAI,mBAAmB,CAC3B,uBAAuB,IAAI,wBAAwB,CACpD,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,mBAAmB,CAAC,CAC9C,CAAC;IAEF,oDAAoD;IACpD,IAAI,kBAAwC,CAAC;IAC7C,IAAI,GAAG,CAAC,CAAC,CAAC,YAAY,GAAG,EAAE,CAAC;QAC1B,kBAAkB,GAAG,GAAG,CAAC,CAAC,CAAyB,CAAC;IACtD,CAAC;SAAM,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;QAChD,kBAAkB,GAAG,IAAI,GAAG,CAC1B,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAA4B,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC;YAChE,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC;YACf,CAAC;SACF,CAAC,CACH,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,kBAAkB,GAAG,IAAI,GAAG,EAAE,CAAC;IACjC,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC;IAErE,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AACtE,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,iBAAiB,CAC9B,gBAAwB,EACxB,OAAe;IAEf,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,IAAI,CAChB,IAAI,CAAC,MAAM,CAAC;QACV,YAAY;QACZ,gBAAgB;QAChB,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,uBAAuB;QACxC,OAAO;KACR,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,KAAe;IACxC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,yBAAyB,CAAC,yBAAyB,CAAC,CAAC;IACjE,CAAC;IAED,gCAAgC;IAChC,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QACtC,MAAM,GAAG,GACP,+BAA+B;YAC/B,OAAO;iBACJ,QAAQ,CAAC,QAAQ,CAAC;iBAClB,KAAK,CAAC,UAAU,CAAE;iBAClB,IAAI,CAAC,IAAI,CAAC;YACb,6BAA6B,CAAC;QAChC,OAAO,IAAI,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IAEvD,iCAAiC;IACjC,+DAA+D;IAC/D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;QAEvE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,yBAAyB,CACjC,wBAAwB,CAAC,2CAA2C,CAAC,GAAG,CAAC,EAAE,CAC5E,CAAC;QACJ,CAAC;QAED,uBAAuB;QACvB,MAAM,eAAe,GAAG,MAAM,CAAC,SAAS,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,yBAAyB,CACjC,4DAA4D,CAAC,EAAE,CAChE,CAAC;QACJ,CAAC;QAED,uDAAuD;QACvD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,yBAAyB,CACjC,wBAAwB,CAAC,kCAAkC;gBACzD,IAAI,IAAI,CAAC,SAAS,OAAO,IAAI,CAAC,OAAO,GAAG,CAC3C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC;QAClD,IACE,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC;YAC/B,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EACpC,CAAC;YACD,MAAM,IAAI,yBAAyB,CACjC,+DAA+D,CAChE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,OAAO,SAAS,CAAC,CAAC,CAAE,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,cAAuC;IAEvC,MAAM,IAAI,GAAG,cAAc,CAAC,IAGf,CAAC;IACd,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IAErB,MAAM,MAAM,GAAG,CAAC,KAAa,EAAsB,EAAE;QACnD,MAAM,GAAG,GACP,IAAI,YAAY,GAAG;YACjB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;YACjB,CAAC,CAAE,IAA+B,CAAC,KAAK,CAAC,CAAC;QAC9C,OAAO,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5D,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;QACf,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;QACf,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;QACf,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;KAChB,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAiB,EACjB,MAA0B;IAE1B,uDAAuD;IACvD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;IAEnC,4CAA4C;IAC5C,MAAM,YAAY,GAAG,MAA4C,CAAC;IAClE,MAAM,cAAc,GAClB,OAAO,YAAY,CAAC,cAAc,KAAK,UAAU;QAC/C,CAAC,CAAE,YAAY,CAAC,cAAiE;QACjF,CAAC,CAAC,SAAS,CAAC;IAChB,2EAA2E;IAC3E,qEAAqE;IACrE,mDAAmD;IACnD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;YACL,MAAM,EAAE,iBAAiB,CAAC,WAAW;YACrC,QAAQ,EAAE,SAAS;YACnB,SAAS;YACT,QAAQ,EAAE;gBACR,QAAQ,EAAE,SAAS;gBACnB,WAAW,EAAE,OAAO;gBACpB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;aACvB;YACD,OAAO,EACL,oDAAoD;gBACpD,sEAAsE;gBACtE,iCAAiC;SACpC,CAAC;IACJ,CAAC;IAED,MAAM,sBAAsB,GAAG,MAAM,CAAC;IACtC,IAAI,MAAuC,CAAC;IAC5C,IAAI,CAAC;QACH,IAAI,KAAoC,CAAC;QACzC,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAC1B,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;gBAC/B,KAAK,GAAG,UAAU,CAChB,GAAG,EAAE,CACH,MAAM,CACJ,IAAI,mBAAmB,CACrB,8CAA8C,CAC/C,CACF,EACH,sBAAsB,CACvB,CAAC;YACJ,CAAC,CAAC;SACH,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,mBAAmB;YAAE,MAAM,GAAG,CAAC;QAClD,OAAO;YACL,MAAM,EAAE,iBAAiB,CAAC,MAAM;YAChC,QAAQ,EAAE,SAAS;YACnB,SAAS;YACT,QAAQ,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE;YACzD,OAAO,EAAE,uCAAwC,GAAa,CAAC,OAAO,IAAI,GAAG,EAAE;SAChF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,MAAM,EAAE,iBAAiB,CAAC,WAAW;YACrC,QAAQ,EAAE,SAAS;YACnB,SAAS;YACT,QAAQ,EAAE;gBACR,QAAQ,EAAE,SAAS;gBACnB,WAAW,EAAE,OAAO;gBACpB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;aACvB;YACD,OAAO,EACL,0EAA0E;SAC7E,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,IAAI,CAAC;QACH,oDAAoD;QACpD,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1E,MAAM,IAAI,mBAAmB,CAC3B,yEAAyE,CAC1E,CAAC;QACJ,CAAC;QAED,gEAAgE;QAChE,MAAM,qBAAqB,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,+BAA+B;QACxE,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC1D,IAAI,SAAS,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;YAC7C,MAAM,IAAI,mBAAmB,CAC3B,oCAAoC,SAAS,CAAC,MAAM,MAAM,qBAAqB,SAAS,CACzF,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,OAAO,EAAE,SAAS,EAAE,GAChE,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;QAEnC,sEAAsE;QACtE,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,yBAAyB,CACjC,uDAAuD,CACxD,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAI,OAAqB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YACtD,IAAI,CAAC,CAAC,CAAC,YAAY,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,yBAAyB,CACjC,0BAA0B,CAAC,uBAAuB,CACnD,CAAC;YACJ,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;QAEnD,uDAAuD;QACvD,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QACxE,MAAM,MAAM,GAAG,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,iCAAiC;QAE5E,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAC5B,QAAQ,EACR,YAAY,EACZ;YACE,GAAG,EAAE,WAAW,CAAC,SAAS;YAC1B,WAAW,EAAE,KAAK;SACnB,EACD,MAAM,CACP,CAAC;QAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,mBAAmB,CAAC,0CAA0C,CAAC,CAAC;QAC5E,CAAC;QAED,0CAA0C;QAC1C,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpC,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAA4B,CAAC;QAEvE,+BAA+B;QAC/B,MAAM,SAAS,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;QAEnD,0EAA0E;QAC1E,IAAI,MAAM,EAAE,YAAY,EAAE,CAAC;YACzB,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBACpB,MAAM,IAAI,2BAA2B,CACnC,CAAC,EACD,MAAM,CAAC,YAAY,EACnB,UAAU,CACX,CAAC;YACJ,CAAC;YACD,IAAI,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC;gBACvE,MAAM,IAAI,2BAA2B,CACnC,CAAC,EACD,MAAM,CAAC,YAAY,EACnB,SAAS,CAAC,IAAI,CACf,CAAC;YACJ,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,MAAM,kBAAkB,GAAG,cAAc,CAAC,UAG7B,CAAC;QAEd,+CAA+C;QAC/C,6FAA6F;QAC7F,MAAM,WAAW,GACf,MAAM,CAAC,YAAY,KAAK,SAAS,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC;QACzE,IAAI,WAAW,EAAE,CAAC;YAChB,0EAA0E;YAC1E,gEAAgE;YAChE,IAAI,CAAC,kBAAkB,IAAI,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxE,MAAM,IAAI,mBAAmB,CAC3B,8FAA8F,CAC/F,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBACjD,MAAM,IAAI,mBAAmB,CAC3B,qEAAqE,CACtE,CAAC;YACJ,CAAC;YAED,iCAAiC;YACjC,IACE,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ;gBACvC,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,EACvC,CAAC;gBACD,MAAM,IAAI,mBAAmB,CAC3B,2EAA2E,CAC5E,CAAC;YACJ,CAAC;YAED,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;YAE/D,kDAAkD;YAClD,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;gBACjC,MAAM,IAAI,mBAAmB,CAC3B,uEAAuE,cAAc,CAAC,MAAM,EAAE,CAC/F,CAAC;YACJ,CAAC;YAED,+EAA+E;YAC/E,gFAAgF;YAChF,+EAA+E;YAC/E,+EAA+E;YAC/E,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;YACvD,uDAAuD;YACvD,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CACnC,iBAAiB,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAC7C,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,CAAC,eAAe,CAAC;gBACpC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC;oBACjB,2DAA2D;oBAC3D,MAAM,CAAC,IAAI,CACT,sDAAsD,EACtD,KAAK,CACN;oBACD,cAAc;iBACf,CAAC;gBACF,MAAM,EAAE,KAAK;gBACb,IAAI,EAAE,MAAM;aACb,CAAC,CAAC;YAEH,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAC/B,QAAQ,EACR,iBAAiB,EACjB,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,EACnC,MAAM,CACP,CAAC;YAEF,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,IAAI,mBAAmB,CAC3B,+CAA+C,CAChD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,iBAAiB,CAAC,yBAAyB;YACnD,QAAQ,EAAE,SAAS;YACnB,SAAS;YACT,QAAQ,EAAE;gBACR,QAAQ,EAAE,SAAS;gBACnB,WAAW,EAAE,OAAO;gBACpB,SAAS;gBACT,eAAe,EAAE,WAAW,CAAC,MAAM;gBACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;aACvB;YACD,OAAO,EACL,kDAAkD;gBAClD,2EAA2E;SAC9E,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,2EAA2E;QAC3E,IAAI,GAAG,YAAY,mBAAmB;YAAE,MAAM,GAAG,CAAC;QAClD,MAAM,IAAI,mBAAmB,CAC3B,4CAA6C,GAAa,CAAC,OAAO,IAAI,GAAG,EAAE,CAC5E,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/tee/types.d.ts ADDED Viewed

@@ -0,0 +1,124 @@
+/**
+ * TEE Remote Attestation — Core Types
+ *
+ * Defines the provider enum, attestation result/config interfaces,
+ * and provider-specific metadata types.
+ */
+/** Supported TEE custody providers. */
+export type TeeProvider = "crossmint" | "turnkey" | "privy";
+/** Attestation verification result status. */
+export declare enum AttestationStatus {
+    /**
+     * Full cryptographic verification passed — COSE_Sign1 signature validated,
+     * certificate chain verified against AWS Nitro root, and PCR values checked.
+     * This is the strongest guarantee: mathematical proof that the key lives in
+     * a specific enclave image. Currently only Turnkey provides this level.
+     */
+    CryptographicallyVerified = "cryptographically_verified",
+    /**
+     * Provider API confirmed custody of the wallet key. The SDK called the
+     * provider's API (e.g. Crossmint getWallet, Privy wallets.get) and verified
+     * the returned address matches this wallet's public key.
+     *
+     * **What this proves:** The provider's API server acknowledges that this
+     * address exists in their custody system and is managed by their TEE
+     * infrastructure. An attacker cannot spoof this without access to valid
+     * API credentials for the correct app/account.
+     *
+     * **What this does NOT prove:** There is no cryptographic chain from the
+     * enclave hardware to this verification. You are trusting the provider's
+     * API server to report custody truthfully. A compromised provider API or
+     * a man-in-the-middle could theoretically return false confirmations.
+     *
+     * Use `minAttestationLevel: "cryptographic"` if you require hardware-rooted proof.
+     */
+    ProviderVerified = "provider_verified",
+    /**
+     * The wallet declares a known TEE provider but no custody verification was
+     * performed. This happens when: (1) the wallet does not implement
+     * `verifyProviderCustody()`, or (2) the custody API call failed and this
+     * is a fallback result.
+     *
+     * **Security implication:** Any object with `{ provider: "crossmint" }` can
+     * reach this status. Use `minAttestationLevel: "provider_verified"` to require
+     * at least API-confirmed custody.
+     */
+    ProviderTrusted = "provider_trusted",
+    /** Attestation verification failed. */
+    Failed = "failed",
+    /** No attestation data available (provider doesn't support it). */
+    Unavailable = "unavailable"
+}
+/** AWS Nitro Enclave PCR values (SHA-384 hashes). */
+export interface NitroPcrValues {
+    /** PCR0: Enclave image hash */
+    pcr0?: string;
+    /** PCR1: Linux kernel hash */
+    pcr1?: string;
+    /** PCR2: Application hash */
+    pcr2?: string;
+    /** PCR3: IAM role ARN hash (used by Turnkey for identity binding) */
+    pcr3?: string;
+}
+/** Turnkey-specific attestation bundle containing boot + app proofs. */
+export interface TurnkeyAttestationBundle {
+    /** COSE_Sign1 encoded boot attestation document (base64) */
+    bootProof: string;
+    /** P-256 ECDSA signature over the app public key (hex). Optional — omit when no app proof is available. */
+    appSignature?: string;
+    /** App public key derived from boot attestation (hex). Optional — omit when no app proof is available. */
+    appPublicKey?: string;
+}
+/** Metadata attached to an attestation result. */
+export interface AttestationMetadata {
+    /** TEE provider name */
+    provider: TeeProvider;
+    /** Enclave type (e.g. "nitro", "tdx", "sgx") */
+    enclaveType?: string;
+    /** PCR values (AWS Nitro specific) */
+    pcrValues?: NitroPcrValues;
+    /** Certificate chain used for verification */
+    certChainLength?: number;
+    /** When the attestation was verified */
+    verifiedAt: number;
+    /** Raw attestation data for advanced consumers */
+    rawAttestation?: unknown;
+}
+/** Result of a TEE attestation verification. */
+export interface AttestationResult {
+    /** Verification status */
+    status: AttestationStatus;
+    /** Provider that was verified */
+    provider: TeeProvider;
+    /** Base58-encoded public key of the attested wallet */
+    publicKey: string;
+    /** Detailed metadata about the attestation */
+    metadata: AttestationMetadata;
+    /** Human-readable message */
+    message: string;
+}
+/** Minimum attestation level required. Ordered from weakest to strongest. */
+export type AttestationLevel = "provider_trusted" | "provider_verified" | "cryptographic";
+/** Configuration for TEE attestation verification. */
+export interface AttestationConfig {
+    /** Require attestation to pass — throws on failure. Default: false */
+    requireAttestation?: boolean;
+    /** Cache TTL in milliseconds. Default: 3_600_000 (1 hour). Set to 0 to disable caching. */
+    cacheTtlMs?: number;
+    /** Callback fired after successful verification. */
+    onVerified?: (result: AttestationResult) => void;
+    /** Expected PCR3 value for Turnkey (SHA-384 hash of IAM role ARN). */
+    expectedPcr3?: string;
+    /** Minimum acceptable verification level. Default: "provider_trusted" (backward-compatible). */
+    minAttestationLevel?: AttestationLevel;
+}
+/** A wallet that has passed TEE attestation verification. */
+export interface VerifiedTeeWallet {
+    /** The attestation result */
+    attestation: AttestationResult;
+    /** Base58 public key */
+    publicKey: string;
+    /** The provider that was verified */
+    provider: TeeProvider;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/tee/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/tee/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,uCAAuC;AACvC,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,SAAS,GAAG,OAAO,CAAC;AAE5D,8CAA8C;AAC9C,oBAAY,iBAAiB;IAC3B;;;;;OAKG;IACH,yBAAyB,+BAA+B;IACxD;;;;;;;;;;;;;;;;OAgBG;IACH,gBAAgB,sBAAsB;IACtC;;;;;;;;;OASG;IACH,eAAe,qBAAqB;IACpC,uCAAuC;IACvC,MAAM,WAAW;IACjB,mEAAmE;IACnE,WAAW,gBAAgB;CAC5B;AAED,qDAAqD;AACrD,MAAM,WAAW,cAAc;IAC7B,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8BAA8B;IAC9B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6BAA6B;IAC7B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,wEAAwE;AACxE,MAAM,WAAW,wBAAwB;IACvC,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,2GAA2G;IAC3G,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0GAA0G;IAC1G,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,kDAAkD;AAClD,MAAM,WAAW,mBAAmB;IAClC,wBAAwB;IACxB,QAAQ,EAAE,WAAW,CAAC;IACtB,gDAAgD;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sCAAsC;IACtC,SAAS,CAAC,EAAE,cAAc,CAAC;IAC3B,8CAA8C;IAC9C,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,wCAAwC;IACxC,UAAU,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,gDAAgD;AAChD,MAAM,WAAW,iBAAiB;IAChC,0BAA0B;IAC1B,MAAM,EAAE,iBAAiB,CAAC;IAC1B,iCAAiC;IACjC,QAAQ,EAAE,WAAW,CAAC;IACtB,uDAAuD;IACvD,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,6EAA6E;AAC7E,MAAM,MAAM,gBAAgB,GACxB,kBAAkB,GAClB,mBAAmB,GACnB,eAAe,CAAC;AAEpB,sDAAsD;AACtD,MAAM,WAAW,iBAAiB;IAChC,sEAAsE;IACtE,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,2FAA2F;IAC3F,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,iBAAiB,KAAK,IAAI,CAAC;IACjD,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gGAAgG;IAChG,mBAAmB,CAAC,EAAE,gBAAgB,CAAC;CACxC;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,6BAA6B;IAC7B,WAAW,EAAE,iBAAiB,CAAC;IAC/B,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,QAAQ,EAAE,WAAW,CAAC;CACvB"}

package/dist/tee/types.js ADDED Viewed

@@ -0,0 +1,51 @@
+/**
+ * TEE Remote Attestation — Core Types
+ *
+ * Defines the provider enum, attestation result/config interfaces,
+ * and provider-specific metadata types.
+ */
+/** Attestation verification result status. */
+export var AttestationStatus;
+(function (AttestationStatus) {
+    /**
+     * Full cryptographic verification passed — COSE_Sign1 signature validated,
+     * certificate chain verified against AWS Nitro root, and PCR values checked.
+     * This is the strongest guarantee: mathematical proof that the key lives in
+     * a specific enclave image. Currently only Turnkey provides this level.
+     */
+    AttestationStatus["CryptographicallyVerified"] = "cryptographically_verified";
+    /**
+     * Provider API confirmed custody of the wallet key. The SDK called the
+     * provider's API (e.g. Crossmint getWallet, Privy wallets.get) and verified
+     * the returned address matches this wallet's public key.
+     *
+     * **What this proves:** The provider's API server acknowledges that this
+     * address exists in their custody system and is managed by their TEE
+     * infrastructure. An attacker cannot spoof this without access to valid
+     * API credentials for the correct app/account.
+     *
+     * **What this does NOT prove:** There is no cryptographic chain from the
+     * enclave hardware to this verification. You are trusting the provider's
+     * API server to report custody truthfully. A compromised provider API or
+     * a man-in-the-middle could theoretically return false confirmations.
+     *
+     * Use `minAttestationLevel: "cryptographic"` if you require hardware-rooted proof.
+     */
+    AttestationStatus["ProviderVerified"] = "provider_verified";
+    /**
+     * The wallet declares a known TEE provider but no custody verification was
+     * performed. This happens when: (1) the wallet does not implement
+     * `verifyProviderCustody()`, or (2) the custody API call failed and this
+     * is a fallback result.
+     *
+     * **Security implication:** Any object with `{ provider: "crossmint" }` can
+     * reach this status. Use `minAttestationLevel: "provider_verified"` to require
+     * at least API-confirmed custody.
+     */
+    AttestationStatus["ProviderTrusted"] = "provider_trusted";
+    /** Attestation verification failed. */
+    AttestationStatus["Failed"] = "failed";
+    /** No attestation data available (provider doesn't support it). */
+    AttestationStatus["Unavailable"] = "unavailable";
+})(AttestationStatus || (AttestationStatus = {}));
+//# sourceMappingURL=types.js.map

package/dist/tee/types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/tee/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,8CAA8C;AAC9C,MAAM,CAAN,IAAY,iBAyCX;AAzCD,WAAY,iBAAiB;IAC3B;;;;;OAKG;IACH,6EAAwD,CAAA;IACxD;;;;;;;;;;;;;;;;OAgBG;IACH,2DAAsC,CAAA;IACtC;;;;;;;;;OASG;IACH,yDAAoC,CAAA;IACpC,uCAAuC;IACvC,sCAAiB,CAAA;IACjB,mEAAmE;IACnE,gDAA2B,CAAA;AAC7B,CAAC,EAzCW,iBAAiB,KAAjB,iBAAiB,QAyC5B"}

package/dist/tee/verify.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * TEE Attestation Dispatcher
+ *
+ * Main entry point for TEE attestation verification.
+ * Detects the provider from the wallet, routes to the appropriate verifier,
+ * manages caching, and enforces requireAttestation + minAttestationLevel.
+ */
+import type { WalletLike } from "./wallet-types.js";
+import { AttestationCache } from "./cache.js";
+import { type AttestationResult, type AttestationConfig } from "./types.js";
+/**
+ * Verify TEE attestation for a wallet.
+ *
+ * Flow:
+ * 1. Check cache (unless cacheTtlMs === 0)
+ * 2. Detect provider from wallet
+ * 3. Route to provider-specific verifier
+ * 4. Cache result
+ * 5. Fire onVerified callback on success
+ * 6. If requireAttestation is true and verification failed, throw
+ * 7. If minAttestationLevel is set and not met, throw
+ */
+export declare function verifyTeeAttestation(wallet: WalletLike, config?: AttestationConfig): Promise<AttestationResult>;
+/** Clear the global attestation cache (useful for testing). */
+export declare function clearAttestationCache(): void;
+/** Delete a single entry from the global cache. */
+/** Delete all cache entries for a wallet (including PCR3-suffixed variants). */
+export declare function deleteFromAttestationCache(publicKey: string): boolean;
+/**
+ * Get the global attestation cache instance (for testing/inspection only).
+ * @internal
+ */
+export declare function getGlobalCache(): AttestationCache;
+//# sourceMappingURL=verify.d.ts.map

package/dist/tee/verify.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/tee/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAa,MAAM,mBAAmB,CAAC;AAG/D,OAAO,EAAE,gBAAgB,EAAwB,MAAM,YAAY,CAAC;AACpE,OAAO,EAEL,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EAGvB,MAAM,YAAY,CAAC;AA0CpB;;;;;;;;;;;GAWG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,CAAC,EAAE,iBAAiB,GACzB,OAAO,CAAC,iBAAiB,CAAC,CAuH5B;AAED,+DAA+D;AAC/D,wBAAgB,qBAAqB,IAAI,IAAI,CAE5C;AAED,mDAAmD;AACnD,gFAAgF;AAChF,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAIrE;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,gBAAgB,CAEjD"}