@zeke-02/tinfoil 0.0.10 → 0.11.7

package/dist/esm/router.mjs

@@ -1,33 +0,0 @@
-import { TINFOIL_CONFIG } from "./config.mjs";
-/**
- * Router utilities for fetching available Tinfoil routers
- */
-/**
- * Fetches the list of available routers from the ATC API
- * and returns a randomly selected address.
- *
- * @returns Promise<string> A randomly selected router address
- * @throws Error if no routers are found or if the request fails
- */
-export async function fetchRouter() {
-    const routersUrl = TINFOIL_CONFIG.ATC_API_URL;
-    try {
-        const response = await fetch(routersUrl);
-        if (!response.ok) {
-            throw new Error(`Failed to fetch routers: ${response.status} ${response.statusText}`);
-        }
-        const routers = await response.json();
-        if (!Array.isArray(routers) || routers.length === 0) {
-            throw new Error("No routers found in the response");
-        }
-        // Return a randomly selected router
-        const randomIndex = Math.floor(Math.random() * routers.length);
-        return routers[randomIndex];
-    }
-    catch (error) {
-        if (error instanceof Error) {
-            throw new Error(`Failed to fetch router: ${error.message}`);
-        }
-        throw new Error("Failed to fetch router: Unknown error");
-    }
-}

package/dist/esm/secure-fetch.browser.d.ts

@@ -1 +0,0 @@
-export declare function createSecureFetch(baseURL: string, enclaveURL?: string, hpkePublicKey?: string, tlsPublicKeyFingerprint?: string): typeof fetch;

package/dist/esm/secure-fetch.browser.mjs

@@ -1,10 +0,0 @@
-import { createEncryptedBodyFetch } from "./encrypted-body-fetch.mjs";
-export function createSecureFetch(baseURL, enclaveURL, hpkePublicKey, tlsPublicKeyFingerprint) {
-    if (hpkePublicKey) {
-        return createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL);
-    }
-    else {
-        throw new Error("HPKE public key not available and TLS-only verification is not supported in browsers. " +
-            "Only HPKE-enabled enclaves can be used in browser environments.");
-    }
-}

package/dist/esm/secure-fetch.d.ts

@@ -1 +0,0 @@
-export declare function createSecureFetch(baseURL: string, enclaveURL?: string, hpkePublicKey?: string, tlsPublicKeyFingerprint?: string): typeof fetch;

package/dist/esm/secure-fetch.mjs

@@ -1,12 +0,0 @@
-import { createEncryptedBodyFetch } from "./encrypted-body-fetch.mjs";
-export function createSecureFetch(baseURL, enclaveURL, hpkePublicKey, tlsPublicKeyFingerprint) {
-    let fetchFunction;
-    if (hpkePublicKey) {
-        fetchFunction = createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL);
-    }
-    else {
-        throw new Error("HPKE public key not available and TLS-only verification is not supported in browsers. " +
-            "Only HPKE-enabled enclaves can be used in browser environments.");
-    }
-    return fetchFunction;
-}

package/dist/esm/unverified-client.d.ts

@@ -1,18 +0,0 @@
-interface UnverifiedClientOptions {
-    baseURL?: string;
-    enclaveURL?: string;
-    configRepo?: string;
-}
-export declare class UnverifiedClient {
-    private initPromise;
-    private _fetch;
-    private baseURL?;
-    private enclaveURL?;
-    private readonly configRepo;
-    constructor(options?: UnverifiedClientOptions);
-    ready(): Promise<void>;
-    private initUnverifiedClient;
-    getVerificationDocument(): Promise<void>;
-    get fetch(): typeof fetch;
-}
-export {};

package/dist/esm/unverified-client.mjs

@@ -1,61 +0,0 @@
-import { TINFOIL_CONFIG } from "./config.mjs";
-import { createEncryptedBodyFetch } from "./encrypted-body-fetch.mjs";
-import { fetchRouter } from "./router.mjs";
-export class UnverifiedClient {
-    constructor(options = {}) {
-        this.initPromise = null;
-        this._fetch = null;
-        this.baseURL = options.baseURL;
-        this.enclaveURL = options.enclaveURL;
-        this.configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
-    }
-    async ready() {
-        if (!this.initPromise) {
-            this.initPromise = this.initUnverifiedClient();
-        }
-        return this.initPromise;
-    }
-    async initUnverifiedClient() {
-        // Only fetch router if neither baseURL nor enclaveURL is provided
-        if (!this.baseURL && !this.enclaveURL) {
-            const routerAddress = await fetchRouter();
-            this.enclaveURL = `https://${routerAddress}`;
-            this.baseURL = `https://${routerAddress}/v1/`;
-        }
-        // Ensure both baseURL and enclaveURL are initialized
-        if (!this.baseURL) {
-            if (this.enclaveURL) {
-                // If enclaveURL is provided but baseURL is not, derive baseURL from enclaveURL
-                const enclaveUrl = new URL(this.enclaveURL);
-                this.baseURL = `${enclaveUrl.origin}/v1/`;
-            }
-            else {
-                throw new Error("Unable to determine baseURL: neither baseURL nor enclaveURL provided");
-            }
-        }
-        if (!this.enclaveURL) {
-            if (this.baseURL) {
-                // If baseURL is provided but enclaveURL is not, derive enclaveURL from baseURL
-                const baseUrl = new URL(this.baseURL);
-                this.enclaveURL = baseUrl.origin;
-            }
-            else {
-                throw new Error("Unable to determine enclaveURL: neither baseURL nor enclaveURL provided");
-            }
-        }
-        this._fetch = createEncryptedBodyFetch(this.baseURL, undefined, this.enclaveURL);
-    }
-    async getVerificationDocument() {
-        if (!this.initPromise) {
-            await this.ready();
-        }
-        await this.initPromise;
-        throw new Error("Verification document unavailable: this version of the client is unverified");
-    }
-    get fetch() {
-        return async (input, init) => {
-            await this.ready();
-            return this._fetch(input, init);
-        };
-    }
-}

package/dist/esm/verifier.d.ts

@@ -1,141 +0,0 @@
-/**
- * Attestation measurement containing platform type and register values
- */
-export interface AttestationMeasurement {
-    type: string;
-    registers: string[];
-}
-/**
- * Hardware measurement from TDX platform verification
- */
-export interface HardwareMeasurement {
-    ID: string;
-    MRTD: string;
-    RTMR0: string;
-}
-/**
- * Attestation response containing cryptographic keys and measurements
- * At least one of tlsPublicKeyFingerprint or hpkePublicKey must be present
- */
-export interface AttestationResponse {
-    tlsPublicKeyFingerprint?: string;
-    hpkePublicKey?: string;
-    measurement: AttestationMeasurement;
-}
-/**
- * State of an intermediate verification step
- */
-export interface VerificationStepState {
-    status: "pending" | "success" | "failed";
-    error?: string;
-}
-/**
- * Full verification document produced by a verify() call
- * Includes state tracking for all intermediate steps
- */
-export interface VerificationDocument {
-    configRepo: string;
-    enclaveHost: string;
-    releaseDigest: string;
-    codeMeasurement: AttestationMeasurement;
-    enclaveMeasurement: AttestationResponse;
-    tlsPublicKey: string;
-    hpkePublicKey: string;
-    hardwareMeasurement?: HardwareMeasurement;
-    codeFingerprint: string;
-    enclaveFingerprint: string;
-    selectedRouterEndpoint: string;
-    securityVerified: boolean;
-    steps: {
-        fetchDigest: VerificationStepState;
-        verifyCode: VerificationStepState;
-        verifyEnclave: VerificationStepState;
-        compareMeasurements: VerificationStepState;
-        createTransport?: VerificationStepState;
-        verifyHPKEKey?: VerificationStepState;
-        otherError?: VerificationStepState;
-    };
-}
-/**
- * Verifier performs attestation verification for Tinfoil enclaves
- *
- * The verifier loads a WebAssembly module (compiled from Go) that performs
- * end-to-end attestation verification:
- * 1. Fetches the latest code release digest from GitHub
- * 2. Verifies code provenance using Sigstore/Rekor
- * 3. Performs runtime attestation against the enclave
- * 4. Verifies hardware measurements (for TDX platforms)
- * 5. Compares code and runtime measurements using platform-specific logic
- *
- * Primary method: verify() - Returns AttestationResponse with cryptographic keys
- * Verification details: getVerificationDocument() - Returns step-by-step results
- */
-export declare class Verifier {
-    private static goInstance;
-    private static initializationPromise;
-    private static readonly defaultWasmUrl;
-    static originalFsWriteSync: ((fd: number, buf: Uint8Array) => number) | null;
-    static wasmLogsSuppressed: boolean;
-    static globalsInitialized: boolean;
-    private lastVerificationDocument?;
-    protected readonly serverURL: string;
-    protected readonly configRepo: string;
-    constructor(options?: {
-        serverURL?: string;
-        configRepo?: string;
-    });
-    /**
-     * Execute a function with a fresh WASM instance that auto-cleans up
-     * This ensures Go runtime doesn't keep the process alive
-     */
-    private static executeWithWasm;
-    /**
-     * Perform end-to-end attestation verification
-     *
-     * This method performs all verification steps atomically via the Go WASM verify() function:
-     * 1. Fetches the latest code digest from GitHub releases
-     * 2. Verifies code provenance using Sigstore/Rekor
-     * 3. Performs runtime attestation against the enclave
-     * 4. Verifies hardware measurements (for TDX platforms)
-     * 5. Compares code and runtime measurements using platform-specific logic
-     *
-     * The WASM runtime is automatically initialized and cleaned up within this method.
-     * A detailed verification document is saved and can be accessed via getVerificationDocument().
-     *
-     * @returns AttestationResponse containing cryptographic keys (TLS/HPKE) and enclave measurement
-     * @throws Error if measurements don't match or verification fails at any step
-     */
-    verify(): Promise<AttestationResponse>;
-    /**
-     * Save a failed verification document
-     */
-    private saveFailedVerificationDocument;
-    /**
-     * Internal verification logic that runs within WASM context
-     */
-    private verifyInternal;
-    /**
-     * Returns the verification document from the last verify() call
-     *
-     * The document contains detailed step-by-step verification results including:
-     * - Step status (pending/success/failed) for each verification phase
-     * - Measurements, fingerprints, and cryptographic keys
-     * - Error messages for any failed steps
-     *
-     * Available even if verification failed, allowing inspection of which step failed.
-     *
-     * @returns VerificationDocument with complete verification details, or undefined if verify() hasn't been called
-     */
-    getVerificationDocument(): VerificationDocument | undefined;
-}
-/**
- * Control WASM log output
- *
- * The Go WASM runtime outputs logs (stdout/stderr) through a polyfilled fs.writeSync.
- * This function allows suppressing those logs without affecting other console output.
- * By default, WASM logs are suppressed to reduce noise.
- *
- * @param suppress - Whether to suppress WASM logs (default: true)
- * @returns void
- */
-export declare function suppressWasmLogs(suppress?: boolean): void;