@zeke-02/tinfoil 0.0.11 → 1.1.3

package/dist/ai-sdk-provider.d.ts

@@ -1,7 +1,46 @@
-interface CreateTinfoilAIOptions {
+/**
+ * Options for creating a Tinfoil AI SDK provider.
+ */
+export interface CreateTinfoilAIOptions {
+    /**
+     * Override the base URL for API requests.
+     * Useful for proxying requests through your own backend.
+     */
     baseURL?: string;
-    enclaveURL?: string;
+    /** GitHub repo for code verification. */
     configRepo?: string;
+    /** URL to fetch the attestation bundle from. */
+    attestationBundleURL?: string;
 }
-export declare function createTinfoilAI(apiKey: string, options?: CreateTinfoilAIOptions, headers?: Record<string, string>): Promise<import("@ai-sdk/openai-compatible").OpenAICompatibleProvider<string, string, string, string>>;
-export {};
+/**
+ * Create a Tinfoil provider for the Vercel AI SDK.
+ *
+ * This performs enclave verification and returns an OpenAI-compatible provider
+ * that can be used with Vercel AI SDK functions like `generateText` and `streamText`.
+ *
+ * @param apiKey - Your Tinfoil API key. Falls back to TINFOIL_API_KEY env var if not provided.
+ * @param options - Optional configuration
+ * @returns An AI SDK provider for Tinfoil
+ *
+ * @example
+ * ```typescript
+ * import { createTinfoilAI } from "tinfoil";
+ * import { generateText } from "ai";
+ *
+ * // Uses TINFOIL_API_KEY env var
+ * const tinfoil = await createTinfoilAI();
+ *
+ * // Or pass API key explicitly
+ * const tinfoil = await createTinfoilAI("your-api-key");
+ *
+ * const { text } = await generateText({
+ *   model: tinfoil("llama3-3-70b"),
+ *   prompt: "Hello!",
+ * });
+ * ```
+ *
+ * @see https://docs.tinfoil.sh/sdk/javascript-sdk
+ * @see https://sdk.vercel.ai/ - Vercel AI SDK documentation
+ */
+export declare function createTinfoilAI(apiKey?: string, options?: CreateTinfoilAIOptions): Promise<import("@ai-sdk/openai-compatible").OpenAICompatibleProvider<string, string, string, string>>;
+//# sourceMappingURL=ai-sdk-provider.d.ts.map

package/dist/ai-sdk-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-sdk-provider.d.ts","sourceRoot":"","sources":["../src/ai-sdk-provider.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,yCAAyC;IACzC,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,gDAAgD;IAChD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,GAAE,sBAA2B,yGAwB1F"}

package/dist/ai-sdk-provider.js

@@ -1,29 +1,57 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createTinfoilAI = createTinfoilAI;
-const openai_compatible_1 = require("@ai-sdk/openai-compatible");
-const config_1 = require("./config");
-const secure_client_1 = require("./secure-client");
-async function createTinfoilAI(apiKey, options = {}, headers = {}) {
-    const baseURL = options.baseURL;
-    const enclaveURL = options.enclaveURL;
-    const configRepo = options.configRepo || config_1.TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
-    const secureClient = new secure_client_1.SecureClient({
-        baseURL,
-        enclaveURL,
-        configRepo,
+import { createOpenAICompatible } from "@ai-sdk/openai-compatible";
+import { SecureClient } from "./secure-client.js";
+import { isRealBrowser } from "./env.js";
+import { ConfigurationError } from "./verifier.js";
+/**
+ * Create a Tinfoil provider for the Vercel AI SDK.
+ *
+ * This performs enclave verification and returns an OpenAI-compatible provider
+ * that can be used with Vercel AI SDK functions like `generateText` and `streamText`.
+ *
+ * @param apiKey - Your Tinfoil API key. Falls back to TINFOIL_API_KEY env var if not provided.
+ * @param options - Optional configuration
+ * @returns An AI SDK provider for Tinfoil
+ *
+ * @example
+ * ```typescript
+ * import { createTinfoilAI } from "tinfoil";
+ * import { generateText } from "ai";
+ *
+ * // Uses TINFOIL_API_KEY env var
+ * const tinfoil = await createTinfoilAI();
+ *
+ * // Or pass API key explicitly
+ * const tinfoil = await createTinfoilAI("your-api-key");
+ *
+ * const { text } = await generateText({
+ *   model: tinfoil("llama3-3-70b"),
+ *   prompt: "Hello!",
+ * });
+ * ```
+ *
+ * @see https://docs.tinfoil.sh/sdk/javascript-sdk
+ * @see https://sdk.vercel.ai/ - Vercel AI SDK documentation
+ */
+export async function createTinfoilAI(apiKey, options = {}) {
+    // Resolve API key: use provided value, or fall back to env var (non-browser only)
+    let resolvedApiKey = apiKey;
+    if (!resolvedApiKey && !isRealBrowser() && typeof process !== 'undefined' && process.env.TINFOIL_API_KEY) {
+        resolvedApiKey = process.env.TINFOIL_API_KEY;
+    }
+    if (!resolvedApiKey) {
+        throw new ConfigurationError("API key is required. Provide apiKey parameter or set TINFOIL_API_KEY environment variable.");
+    }
+    const secureClient = new SecureClient({
+        baseURL: options.baseURL,
+        configRepo: options.configRepo,
+        attestationBundleURL: options.attestationBundleURL,
     });
     await secureClient.ready();
-    // Get the baseURL from SecureClient after initialization
-    const finalBaseURL = baseURL || secureClient.getBaseURL();
-    if (!finalBaseURL) {
-        throw new Error("Unable to determine baseURL for AI SDK provider");
-    }
-    return (0, openai_compatible_1.createOpenAICompatible)({
+    return createOpenAICompatible({
         name: "tinfoil",
-        baseURL: finalBaseURL,
-        apiKey: apiKey,
+        baseURL: secureClient.getBaseURL(),
+        apiKey: resolvedApiKey,
         fetch: secureClient.fetch,
-        headers,
     });
 }
+//# sourceMappingURL=ai-sdk-provider.js.map

package/dist/ai-sdk-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-sdk-provider.js","sourceRoot":"","sources":["../src/ai-sdk-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAmBnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAe,EAAE,UAAkC,EAAE;IACzF,kFAAkF;IAClF,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa,EAAE,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QACzG,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC/C,CAAC;IACD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,kBAAkB,CAAC,4FAA4F,CAAC,CAAC;IAC7H,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC;QACpC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;KACnD,CAAC,CAAC;IAEH,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC;IAE3B,OAAO,sBAAsB,CAAC;QAC5B,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,YAAY,CAAC,UAAU,EAAG;QACnC,MAAM,EAAE,cAAc;QACtB,KAAK,EAAE,YAAY,CAAC,KAAK;KAC1B,CAAC,CAAC;AACL,CAAC"}

package/dist/atc.d.ts

@@ -0,0 +1,23 @@
+import type { AttestationBundle } from "./verifier.js";
+export interface FetchAttestationBundleOptions {
+    atcBaseUrl?: string;
+    enclaveURL?: string;
+    configRepo?: string;
+}
+/**
+ * Fetches a complete attestation bundle from ATC.
+ *
+ * When enclaveURL or configRepo are provided, issues a POST so ATC builds a
+ * bundle for the specified enclave/repo. Otherwise issues a GET for the
+ * default router behaviour.
+ */
+export declare function fetchAttestationBundle(options?: FetchAttestationBundleOptions): Promise<AttestationBundle>;
+/**
+ * Fetches the list of available routers and returns a randomly selected address.
+ *
+ * @param atcBaseUrl - Base URL for the attestation endpoint (defaults to TINFOIL_CONFIG.ATC_BASE_URL)
+ * @returns A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export declare function fetchRouter(atcBaseUrl?: string): Promise<string>;
+//# sourceMappingURL=atc.d.ts.map

package/dist/atc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atc.d.ts","sourceRoot":"","sources":["../src/atc.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvD,MAAM,WAAW,6BAA6B;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAAC,OAAO,GAAE,6BAAkC,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAkCpH;AAED;;;;;;GAMG;AACH,wBAAsB,WAAW,CAAC,UAAU,GAAE,MAAoC,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBnG"}

package/dist/atc.js

@@ -0,0 +1,59 @@
+import { TINFOIL_CONFIG } from "./config.js";
+import { FetchError } from "./verifier.js";
+/**
+ * Fetches a complete attestation bundle from ATC.
+ *
+ * When enclaveURL or configRepo are provided, issues a POST so ATC builds a
+ * bundle for the specified enclave/repo. Otherwise issues a GET for the
+ * default router behaviour.
+ */
+export async function fetchAttestationBundle(options = {}) {
+    const baseUrl = options.atcBaseUrl ?? TINFOIL_CONFIG.ATC_BASE_URL;
+    const url = `${baseUrl}/attestation`;
+    const usePost = !!(options.enclaveURL || options.configRepo);
+    const response = usePost
+        ? await fetch(url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                enclaveUrl: options.enclaveURL,
+                repo: options.configRepo,
+            }),
+        })
+        : await fetch(url);
+    if (!response.ok) {
+        throw new FetchError(`Failed to fetch attestation bundle from ${baseUrl}: HTTP ${response.status} ${response.statusText}`);
+    }
+    const bundle = await response.json();
+    return {
+        domain: bundle.domain,
+        enclaveAttestationReport: {
+            format: bundle.enclaveAttestationReport.format,
+            body: bundle.enclaveAttestationReport.body,
+        },
+        digest: bundle.digest,
+        sigstoreBundle: bundle.sigstoreBundle,
+        vcek: bundle.vcek,
+        enclaveCert: bundle.enclaveCert,
+    };
+}
+/**
+ * Fetches the list of available routers and returns a randomly selected address.
+ *
+ * @param atcBaseUrl - Base URL for the attestation endpoint (defaults to TINFOIL_CONFIG.ATC_BASE_URL)
+ * @returns A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export async function fetchRouter(atcBaseUrl = TINFOIL_CONFIG.ATC_BASE_URL) {
+    const routersUrl = `${atcBaseUrl}/routers?platform=snp`;
+    const response = await fetch(routersUrl);
+    if (!response.ok) {
+        throw new FetchError(`Failed to fetch router list from ${atcBaseUrl}: HTTP ${response.status} ${response.statusText}`);
+    }
+    const routers = await response.json();
+    if (!Array.isArray(routers) || routers.length === 0) {
+        throw new FetchError("No available routers found in the response");
+    }
+    return routers[Math.floor(Math.random() * routers.length)];
+}
+//# sourceMappingURL=atc.js.map

package/dist/atc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atc.js","sourceRoot":"","sources":["../src/atc.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAQ3C;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,UAAyC,EAAE;IACtF,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,IAAI,cAAc,CAAC,YAAY,CAAC;IAClE,MAAM,GAAG,GAAG,GAAG,OAAO,cAAc,CAAC;IAErC,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IAE7D,MAAM,QAAQ,GAAG,OAAO;QACtB,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,EAAE;YACf,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,IAAI,EAAE,OAAO,CAAC,UAAU;aACzB,CAAC;SACH,CAAC;QACJ,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAErB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,2CAA2C,OAAO,UAAU,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAC7H,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAErC,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,wBAAwB,EAAE;YACxB,MAAM,EAAE,MAAM,CAAC,wBAAwB,CAAC,MAAM;YAC9C,IAAI,EAAE,MAAM,CAAC,wBAAwB,CAAC,IAAI;SAC3C;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,aAAqB,cAAc,CAAC,YAAY;IAChF,MAAM,UAAU,GAAG,GAAG,UAAU,uBAAuB,CAAC;IAExD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;IAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,oCAAoC,UAAU,UAAU,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IACzH,CAAC;IAED,MAAM,OAAO,GAAa,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAEhD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,UAAU,CAAC,4CAA4C,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;AAC7D,CAAC"}

package/dist/config.d.ts

@@ -3,11 +3,12 @@
  */
 export declare const TINFOIL_CONFIG: {
     /**
-     * The GitHub repository for code attestation verification
+     * Base URL for the attestation endpoint
      */
-    readonly INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router";
+    readonly ATC_BASE_URL: "https://atc.tinfoil.sh";
     /**
-     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     * The GitHub repository for the router code attestation
      */
-    readonly ATC_API_URL: "https://atc.tinfoil.sh/routers";
+    readonly DEFAULT_ROUTER_REPO: "tinfoilsh/confidential-model-router";
 };
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,eAAO,MAAM,cAAc;IACzB;;OAEG;;IAGH;;OAEG;;CAEK,CAAC"}

package/dist/config.js

@@ -1,16 +1,14 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.TINFOIL_CONFIG = void 0;
 /**
  * Configuration constants for the Tinfoil Node SDK
  */
-exports.TINFOIL_CONFIG = {
+export const TINFOIL_CONFIG = {
     /**
-     * The GitHub repository for code attestation verification
+     * Base URL for the attestation endpoint
      */
-    INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router",
+    ATC_BASE_URL: "https://atc.tinfoil.sh",
     /**
-     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     * The GitHub repository for the router code attestation
      */
-    ATC_API_URL: "https://atc.tinfoil.sh/routers",
+    DEFAULT_ROUTER_REPO: "tinfoilsh/confidential-model-router",
 };
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B;;OAEG;IACH,YAAY,EAAE,wBAAwB;IAEtC;;OAEG;IACH,mBAAmB,EAAE,qCAAqC;CAClD,CAAC"}

package/dist/encrypted-body-fetch.d.ts

@@ -1,13 +1,34 @@
-import type { Transport as EhbpTransport } from "@zeke-02/ehbp";
-export declare function getHPKEKey(enclaveURL: string): Promise<CryptoKey>;
+import { Identity, Transport, type SessionRecoveryToken } from "ehbp";
+export type { SessionRecoveryToken } from "ehbp";
+export { decryptResponseWithToken } from "ehbp";
+export interface SecureTransport {
+    fetch: typeof fetch;
+    getSessionRecoveryToken(): Promise<SessionRecoveryToken>;
+}
+/**
+ * Fetch and parse server identity from the HPKE keys endpoint.
+ * Returns the server Identity which can be used to create a Transport.
+ */
+export declare function getServerIdentity(enclaveURL: string): Promise<Identity>;
 export declare function normalizeEncryptedBodyRequestArgs(input: RequestInfo | URL, init?: RequestInit): {
     url: string;
     init?: RequestInit;
 };
-export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string, transportInstance?: EhbpTransport): Promise<Response>;
-type FetchWithResponse = typeof fetch & {
-    Response: typeof Response;
-};
-export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey?: string, enclaveURL?: string): FetchWithResponse;
-export declare function getTransportForOrigin(origin: string, keyOrigin: string): Promise<EhbpTransport>;
-export {};
+export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey: string, init?: RequestInit, transportInstance?: Transport): Promise<Response>;
+export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey: string, enclaveURL?: string): SecureTransport;
+/**
+ * WARNING: THIS FUNCTION IS INSECURE.
+ *
+ * Creates an encrypted body fetch that fetches the HPKE key from the server without
+ * attestation verification. This is vulnerable to man-in-the-middle attacks where
+ * a malicious server could provide its own key.
+ *
+ * This function is useful for testing the EHBP protocol against a local development
+ * server that doesn't have attestation set up. For production, use createEncryptedBodyFetch
+ * with a key obtained through attestation verification.
+ *
+ * @param baseURL - Base URL for API requests
+ * @param keyOrigin - Origin URL for fetching the HPKE public key. If not provided, derived from baseURL.
+ */
+export declare function createUnverifiedEncryptedBodyFetch(baseURL: string, keyOrigin?: string): SecureTransport;
+//# sourceMappingURL=encrypted-body-fetch.d.ts.map

package/dist/encrypted-body-fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-body-fetch.d.ts","sourceRoot":"","sources":["../src/encrypted-body-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAY,KAAK,oBAAoB,EAAE,MAAM,MAAM,CAAC;AAGhF,YAAY,EAAE,oBAAoB,EAAE,MAAM,MAAM,CAAC;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,MAAM,CAAC;AAEhD,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,OAAO,KAAK,CAAC;IACpB,uBAAuB,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAC1D;AAUD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAoB7E;AAED,wBAAgB,iCAAiC,CAC/C,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,WAAW,CAAA;CAAE,CAuBrC;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,aAAa,EAAE,MAAM,EACrB,IAAI,CAAC,EAAE,WAAW,EAClB,iBAAiB,CAAC,EAAE,SAAS,GAC5B,OAAO,CAAC,QAAQ,CAAC,CAgBnB;AAID,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,CAoCrH;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kCAAkC,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CA2CvG"}

package/dist/encrypted-body-fetch.js

@@ -1,33 +1,34 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getHPKEKey = getHPKEKey;
-exports.normalizeEncryptedBodyRequestArgs = normalizeEncryptedBodyRequestArgs;
-exports.encryptedBodyRequest = encryptedBodyRequest;
-exports.createEncryptedBodyFetch = createEncryptedBodyFetch;
-exports.getTransportForOrigin = getTransportForOrigin;
-const ehbp_1 = require("@zeke-02/ehbp");
-const fetch_adapter_1 = require("./fetch-adapter");
-// Public API
-async function getHPKEKey(enclaveURL) {
-    const url = new URL(enclaveURL);
-    const keysURL = new URL(ehbp_1.PROTOCOL.KEYS_PATH, enclaveURL);
-    if (keysURL.protocol !== "https:") {
-        throw new Error(`HTTPS is required for remote key retrieval. Invalid protocol: ${keysURL.protocol}`);
+import { Identity, Transport, PROTOCOL } from "ehbp";
+import { ConfigurationError, FetchError } from "./verifier.js";
+export { decryptResponseWithToken } from "ehbp";
+/**
+ * Create an Identity from a raw public key hex string.
+ * This avoids fetching from the server when the key is already known.
+ */
+async function createIdentityFromPublicKeyHex(publicKeyHex) {
+    return Identity.fromPublicKeyHex(publicKeyHex);
+}
+/**
+ * Fetch and parse server identity from the HPKE keys endpoint.
+ * Returns the server Identity which can be used to create a Transport.
+ */
+export async function getServerIdentity(enclaveURL) {
+    const keysURL = new URL(PROTOCOL.KEYS_PATH, enclaveURL);
+    if (keysURL.protocol !== 'https:') {
+        throw new ConfigurationError(`HTTPS is required for key retrieval. Got ${keysURL.protocol}`);
     }
-    const fetchFn = (0, fetch_adapter_1.getFetch)();
-    const response = await fetchFn(keysURL.toString());
+    const response = await fetch(keysURL.toString());
     if (!response.ok) {
-        throw new Error(`Failed to get server public key: ${response.status}`);
+        throw new FetchError(`Failed to fetch HPKE public key from enclave: HTTP ${response.status}`);
     }
-    const contentType = response.headers.get("content-type");
-    if (contentType !== ehbp_1.PROTOCOL.KEYS_MEDIA_TYPE) {
-        throw new Error(`Invalid content type: ${contentType}`);
+    const contentType = response.headers.get('content-type');
+    if (contentType !== PROTOCOL.KEYS_MEDIA_TYPE) {
+        throw new FetchError(`Invalid response from HPKE key endpoint: Expected content-type "${PROTOCOL.KEYS_MEDIA_TYPE}", got "${contentType}"`);
     }
     const keysData = new Uint8Array(await response.arrayBuffer());
-    const serverIdentity = await ehbp_1.Identity.unmarshalPublicConfig(keysData);
-    return serverIdentity.getPublicKey();
+    return await Identity.unmarshalPublicConfig(keysData);
 }
-function normalizeEncryptedBodyRequestArgs(input, init) {
+export function normalizeEncryptedBodyRequestArgs(input, init) {
     if (typeof input === "string") {
         return { url: input, init };
     }
@@ -47,66 +48,107 @@ function normalizeEncryptedBodyRequestArgs(input, init) {
         init: { ...derivedInit, ...init },
     };
 }
-async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL, transportInstance) {
+export async function encryptedBodyRequest(input, hpkePublicKey, init, transportInstance) {
     const { url: requestUrl, init: requestInit } = normalizeEncryptedBodyRequestArgs(input, init);
     let actualTransport;
     if (transportInstance) {
-        // Use provided transport instance
         actualTransport = transportInstance;
     }
     else {
-        // Create a new transport for this request
         const u = new URL(requestUrl);
-        const { origin } = u;
-        const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
-        actualTransport = await getTransportForOrigin(origin, keyOrigin);
-    }
-    if (hpkePublicKey) {
-        const transportKeyHash = await actualTransport.getServerPublicKeyHex();
-        if (transportKeyHash !== hpkePublicKey) {
-            throw new Error(`HPKE public key mismatch. Expected: ${hpkePublicKey}, Got: ${transportKeyHash}`);
-        }
+        actualTransport = await getTransportForOrigin(u.origin, hpkePublicKey);
     }
     return actualTransport.request(requestUrl, requestInit);
 }
-function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
-    // Create a dedicated transport instance for this fetch function
+const ENCLAVE_URL_HEADER = 'X-Tinfoil-Enclave-Url';
+export function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
+    const baseOrigin = new URL(baseURL).origin;
+    const needsEnclaveHeader = !!enclaveURL && new URL(enclaveURL).origin !== baseOrigin;
     let transportPromise = null;
-    const getOrCreateTransport = async () => {
+    const getOrCreateTransport = () => {
         if (!transportPromise) {
-            const baseUrl = new URL(baseURL);
-            const keyOrigin = enclaveURL
-                ? new URL(enclaveURL).origin
-                : baseUrl.origin;
-            transportPromise = getTransportForOrigin(baseUrl.origin, keyOrigin);
+            transportPromise = getTransportForOrigin(baseOrigin, hpkePublicKey);
         }
         return transportPromise;
     };
-    const secureFetch = (async (input, init) => {
-        const normalized = normalizeEncryptedBodyRequestArgs(input, init);
-        const targetUrl = new URL(normalized.url, baseURL);
-        // Get the dedicated transport instance for this fetch function
-        const transportInstance = await getOrCreateTransport();
-        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL, transportInstance);
-    });
-    // Expose Response constructor for OpenAI SDK's FormData support detection
-    // This prevents the SDK from making a test request to 'data:,' which would fail through EHBP
-    secureFetch.Response = Response;
-    return secureFetch;
+    return {
+        fetch: async (input, init) => {
+            const normalized = normalizeEncryptedBodyRequestArgs(input, init);
+            const targetUrl = new URL(normalized.url, baseURL);
+            const headers = new Headers(normalized.init?.headers);
+            if (needsEnclaveHeader) {
+                headers.set(ENCLAVE_URL_HEADER, enclaveURL);
+            }
+            const initWithHeader = { ...normalized.init, headers };
+            const transportInstance = await getOrCreateTransport();
+            return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, initWithHeader, transportInstance);
+        },
+        async getSessionRecoveryToken() {
+            if (!transportPromise) {
+                throw new Error('No session recovery token available — no request has been made yet');
+            }
+            const transport = await transportPromise;
+            return transport.getSessionRecoveryToken();
+        },
+    };
 }
-async function getTransportForOrigin(origin, keyOrigin) {
-    if (typeof globalThis !== "undefined") {
-        const isSecure = globalThis.isSecureContext !== false;
-        const hasSubtle = !!(globalThis.crypto && globalThis.crypto.subtle);
-        if (!isSecure || !hasSubtle) {
-            const reason = !isSecure
-                ? "insecure context (use HTTPS or localhost)"
-                : "missing WebCrypto SubtleCrypto";
-            throw new Error(`EHBP requires a secure browser context: ${reason}`);
+/**
+ * WARNING: THIS FUNCTION IS INSECURE.
+ *
+ * Creates an encrypted body fetch that fetches the HPKE key from the server without
+ * attestation verification. This is vulnerable to man-in-the-middle attacks where
+ * a malicious server could provide its own key.
+ *
+ * This function is useful for testing the EHBP protocol against a local development
+ * server that doesn't have attestation set up. For production, use createEncryptedBodyFetch
+ * with a key obtained through attestation verification.
+ *
+ * @param baseURL - Base URL for API requests
+ * @param keyOrigin - Origin URL for fetching the HPKE public key. If not provided, derived from baseURL.
+ */
+export function createUnverifiedEncryptedBodyFetch(baseURL, keyOrigin) {
+    console.warn("[tinfoil] WARNING: createUnverifiedEncryptedBodyFetch is insecure. " +
+        "The HPKE key is fetched from the server without attestation verification. " +
+        "Only use for local development and testing of the EHBP protocol.");
+    const baseOrigin = new URL(baseURL).origin;
+    const resolvedKeyOrigin = keyOrigin ? new URL(keyOrigin).origin : baseOrigin;
+    const needsEnclaveHeader = !!keyOrigin && resolvedKeyOrigin !== baseOrigin;
+    let transportPromise = null;
+    const getOrCreateTransport = async () => {
+        if (!transportPromise) {
+            transportPromise = getUnverifiedTransportForOrigin(baseOrigin, resolvedKeyOrigin);
         }
-    }
-    const clientIdentity = await ehbp_1.Identity.generate();
-    const serverPublicKey = await getHPKEKey(keyOrigin);
+        return transportPromise;
+    };
+    return {
+        fetch: async (input, init) => {
+            const normalized = normalizeEncryptedBodyRequestArgs(input, init);
+            const targetUrl = new URL(normalized.url, baseURL);
+            const headers = new Headers(normalized.init?.headers);
+            if (needsEnclaveHeader) {
+                headers.set(ENCLAVE_URL_HEADER, keyOrigin);
+            }
+            const initWithEnclaveHeader = { ...normalized.init, headers };
+            const transportInstance = await getOrCreateTransport();
+            return transportInstance.request(targetUrl.toString(), initWithEnclaveHeader);
+        },
+        async getSessionRecoveryToken() {
+            if (!transportPromise) {
+                throw new Error('No session recovery token available — no request has been made yet');
+            }
+            const transport = await transportPromise;
+            return transport.getSessionRecoveryToken();
+        },
+    };
+}
+async function getUnverifiedTransportForOrigin(origin, keyOrigin) {
+    const serverIdentity = await getServerIdentity(keyOrigin);
+    const requestHost = new URL(origin).host;
+    return new Transport(serverIdentity, requestHost);
+}
+async function getTransportForOrigin(origin, hpkePublicKeyHex) {
+    const serverIdentity = await createIdentityFromPublicKeyHex(hpkePublicKeyHex);
     const requestHost = new URL(origin).host;
-    return new ehbp_1.Transport(clientIdentity, requestHost, serverPublicKey);
+    return new Transport(serverIdentity, requestHost);
 }
+//# sourceMappingURL=encrypted-body-fetch.js.map

package/dist/encrypted-body-fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypted-body-fetch.js","sourceRoot":"","sources":["../src/encrypted-body-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAA6B,MAAM,MAAM,CAAC;AAChF,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAG/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,MAAM,CAAC;AAOhD;;;GAGG;AACH,KAAK,UAAU,8BAA8B,CAAC,YAAoB;IAChE,OAAO,QAAQ,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACjD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,UAAkB;IACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAExD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,kBAAkB,CAAC,4CAA4C,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEjD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,sDAAsD,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACzD,IAAI,WAAW,KAAK,QAAQ,CAAC,eAAe,EAAE,CAAC;QAC7C,MAAM,IAAI,UAAU,CAAC,mEAAmE,QAAQ,CAAC,eAAe,WAAW,WAAW,GAAG,CAAC,CAAC;IAC7I,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9D,OAAO,MAAM,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,KAAwB,EACxB,IAAkB;IAElB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;QACzB,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,OAAO,GAAG,KAAgB,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAE/B,MAAM,WAAW,GAAgB;QAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,IAAI,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC;QACpC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,SAAS;QAC9B,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IAEF,OAAO;QACL,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,IAAI,EAAE,EAAE,GAAG,WAAW,EAAE,GAAG,IAAI,EAAE;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,KAAwB,EACxB,aAAqB,EACrB,IAAkB,EAClB,iBAA6B;IAE7B,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,iCAAiC,CAC9E,KAAK,EACL,IAAI,CACL,CAAC;IAEF,IAAI,eAA0B,CAAC;IAE/B,IAAI,iBAAiB,EAAE,CAAC;QACtB,eAAe,GAAG,iBAAiB,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QAC9B,eAAe,GAAG,MAAM,qBAAqB,CAAC,CAAC,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACzE,CAAC;IAED,OAAO,eAAe,CAAC,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,kBAAkB,GAAG,uBAAuB,CAAC;AAEnD,MAAM,UAAU,wBAAwB,CAAC,OAAe,EAAE,aAAqB,EAAE,UAAmB;IAClG,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,MAAM,kBAAkB,GAAG,CAAC,CAAC,UAAU,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC;IAErF,IAAI,gBAAgB,GAA8B,IAAI,CAAC;IAEvD,MAAM,oBAAoB,GAAG,GAAuB,EAAE;QACpD,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,gBAAgB,GAAG,qBAAqB,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,gBAAgB,CAAC;IAC1B,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,EAAE,KAAK,EAAE,KAAwB,EAAE,IAAkB,EAAE,EAAE;YAC5D,MAAM,UAAU,GAAG,iCAAiC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAClE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAEnD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACtD,IAAI,kBAAkB,EAAE,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,UAAW,CAAC,CAAC;YAC/C,CAAC;YACD,MAAM,cAAc,GAAG,EAAE,GAAG,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;YAEvD,MAAM,iBAAiB,GAAG,MAAM,oBAAoB,EAAE,CAAC;YACvD,OAAO,oBAAoB,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,aAAa,EAAE,cAAc,EAAE,iBAAiB,CAAC,CAAC;QACtG,CAAC;QAED,KAAK,CAAC,uBAAuB;YAC3B,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;YACxF,CAAC;YACD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC;YACzC,OAAO,SAAS,CAAC,uBAAuB,EAAE,CAAC;QAC7C,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,kCAAkC,CAAC,OAAe,EAAE,SAAkB;IACpF,OAAO,CAAC,IAAI,CACV,qEAAqE;QACrE,4EAA4E;QAC5E,kEAAkE,CACnE,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,MAAM,iBAAiB,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;IAC7E,MAAM,kBAAkB,GAAG,CAAC,CAAC,SAAS,IAAI,iBAAiB,KAAK,UAAU,CAAC;IAE3E,IAAI,gBAAgB,GAA8B,IAAI,CAAC;IAEvD,MAAM,oBAAoB,GAAG,KAAK,IAAwB,EAAE;QAC1D,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,gBAAgB,GAAG,+BAA+B,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;QACpF,CAAC;QACD,OAAO,gBAAgB,CAAC;IAC1B,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,EAAE,KAAK,EAAE,KAAwB,EAAE,IAAkB,EAAE,EAAE;YAC5D,MAAM,UAAU,GAAG,iCAAiC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAClE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAEnD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACtD,IAAI,kBAAkB,EAAE,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,SAAU,CAAC,CAAC;YAC9C,CAAC;YACD,MAAM,qBAAqB,GAAG,EAAE,GAAG,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;YAE9D,MAAM,iBAAiB,GAAG,MAAM,oBAAoB,EAAE,CAAC;YACvD,OAAO,iBAAiB,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,qBAAqB,CAAC,CAAC;QAChF,CAAC;QAED,KAAK,CAAC,uBAAuB;YAC3B,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;YACxF,CAAC;YACD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC;YACzC,OAAO,SAAS,CAAC,uBAAuB,EAAE,CAAC;QAC7C,CAAC;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,+BAA+B,CAAC,MAAc,EAAE,SAAiB;IAC9E,MAAM,cAAc,GAAG,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;IACzC,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AACpD,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,MAAc,EAAE,gBAAwB;IAC3E,MAAM,cAAc,GAAG,MAAM,8BAA8B,CAAC,gBAAgB,CAAC,CAAC;IAC9E,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;IACzC,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AACpD,CAAC"}

package/dist/env.d.ts

@@ -1,5 +1,8 @@
+export declare function isBun(): boolean;
 /**
  * Detects if the code is running in a real browser environment.
- * Returns false for Node.js environments, even with WASM loaded.
+ * Returns false for server-side runtimes (Node.js, Bun, Deno, edge runtimes).
+ * Only returns true when we can positively identify a browser environment.
  */
 export declare function isRealBrowser(): boolean;
+//# sourceMappingURL=env.d.ts.map

package/dist/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA,wBAAgB,KAAK,IAAI,OAAO,CAI/B;AAED;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAuCvC"}

package/dist/env.js

@@ -1,20 +1,43 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isRealBrowser = isRealBrowser;
+export function isBun() {
+    return typeof process !== "undefined" &&
+        !!process.versions &&
+        !!process.versions.bun;
+}
 /**
  * Detects if the code is running in a real browser environment.
- * Returns false for Node.js environments, even with WASM loaded.
+ * Returns false for server-side runtimes (Node.js, Bun, Deno, edge runtimes).
+ * Only returns true when we can positively identify a browser environment.
  */
-function isRealBrowser() {
+export function isRealBrowser() {
+    // Check for Node.js
     if (typeof process !== "undefined" &&
         process.versions &&
         process.versions.node) {
         return false;
     }
+    // Check for Bun
+    if (isBun()) {
+        return false;
+    }
+    // Check for Deno
+    if (typeof globalThis.Deno !== "undefined") {
+        return false;
+    }
+    // Check for Cloudflare Workers (has 'Cloudflare-Workers' userAgent when global_navigator flag is set)
+    if (typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers") {
+        return false;
+    }
+    // Check for Cloudflare Workers via caches.default (alternative detection)
+    if (typeof caches !== "undefined" && caches.default !== undefined) {
+        return false;
+    }
+    // Check for real browser: must have window, document, and a real userAgent
     if (typeof window !== "undefined" && typeof window.document !== "undefined") {
         if (typeof navigator !== "undefined" && navigator.userAgent) {
             return true;
         }
     }
+    // Unknown runtime - treat as server-side (safer default)
     return false;
 }
+//# sourceMappingURL=env.js.map

package/dist/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,KAAK;IACnB,OAAO,OAAO,OAAO,KAAK,WAAW;QACnC,CAAC,CAAE,OAAe,CAAC,QAAQ;QAC3B,CAAC,CAAE,OAAe,CAAC,QAAQ,CAAC,GAAG,CAAC;AACpC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,oBAAoB;IACpB,IACE,OAAO,OAAO,KAAK,WAAW;QAC7B,OAAe,CAAC,QAAQ;QACxB,OAAe,CAAC,QAAQ,CAAC,IAAI,EAC9B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gBAAgB;IAChB,IAAI,KAAK,EAAE,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAQ,UAAkB,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,sGAAsG;IACtG,IAAI,OAAO,SAAS,KAAK,WAAW,IAAI,SAAS,CAAC,SAAS,KAAK,oBAAoB,EAAE,CAAC;QACrF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,0EAA0E;IAC1E,IAAI,OAAO,MAAM,KAAK,WAAW,IAAK,MAAc,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC3E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2EAA2E;IAC3E,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC5E,IAAI,OAAO,SAAS,KAAK,WAAW,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,OAAO,KAAK,CAAC;AACf,CAAC"}