@zeke-02/tinfoil 0.0.2 → 0.0.3

package/dist/ai-sdk-provider.js

@@ -5,8 +5,8 @@ const openai_compatible_1 = require("@ai-sdk/openai-compatible");
 const config_1 = require("./config");
 const secure_client_1 = require("./secure-client");
 async function createTinfoilAI(apiKey, options = {}) {
-    const baseURL = options.baseURL || config_1.TINFOIL_CONFIG.INFERENCE_BASE_URL;
-    const enclaveURL = options.enclaveURL || config_1.TINFOIL_CONFIG.ENCLAVE_URL;
+    const baseURL = options.baseURL;
+    const enclaveURL = options.enclaveURL;
     const configRepo = options.configRepo || config_1.TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     const secureClient = new secure_client_1.SecureClient({
         baseURL,
@@ -14,9 +14,14 @@ async function createTinfoilAI(apiKey, options = {}) {
         configRepo,
     });
     await secureClient.ready();
+    // Get the baseURL from SecureClient after initialization
+    const finalBaseURL = baseURL || secureClient.getBaseURL();
+    if (!finalBaseURL) {
+        throw new Error("Unable to determine baseURL for AI SDK provider");
+    }
     return (0, openai_compatible_1.createOpenAICompatible)({
         name: "tinfoil",
-        baseURL: baseURL.replace(/\/$/, ""),
+        baseURL: finalBaseURL,
         apiKey: apiKey,
         fetch: secureClient.fetch,
     });

package/dist/config.d.ts

@@ -2,16 +2,12 @@
  * Configuration constants for the Tinfoil Node SDK
  */
 export declare const TINFOIL_CONFIG: {
-    /**
-     * The base URL for the Tinfoil router API
-     */
-    readonly INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/";
-    /**
-     * The URL for enclave key discovery and attestation endpoints
-     */
-    readonly ENCLAVE_URL: "https://router.inf6.tinfoil.sh";
     /**
      * The GitHub repository for code attestation verification
      */
     readonly INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router";
+    /**
+     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     */
+    readonly ATC_API_URL: "https://atc.tinfoil.sh/routers";
 };

package/dist/config.js

@@ -5,16 +5,12 @@ exports.TINFOIL_CONFIG = void 0;
  * Configuration constants for the Tinfoil Node SDK
  */
 exports.TINFOIL_CONFIG = {
-    /**
-     * The base URL for the Tinfoil router API
-     */
-    INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/",
-    /**
-     * The URL for enclave key discovery and attestation endpoints
-     */
-    ENCLAVE_URL: "https://router.inf6.tinfoil.sh",
     /**
      * The GitHub repository for code attestation verification
      */
     INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router",
+    /**
+     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     */
+    ATC_API_URL: "https://atc.tinfoil.sh/routers",
 };

package/dist/encrypted-body-fetch.d.ts

@@ -1,8 +1,9 @@
+import type { Transport as EhbpTransport } from "@zeke-02/ehbp";
 export declare function getHPKEKey(enclaveURL: string): Promise<CryptoKey>;
 export declare function normalizeEncryptedBodyRequestArgs(input: RequestInfo | URL, init?: RequestInit): {
     url: string;
     init?: RequestInit;
 };
-export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string): Promise<Response>;
+export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string, transportInstance?: EhbpTransport): Promise<Response>;
 export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey?: string, enclaveURL?: string): typeof fetch;
-export declare function resetTransport(): void;
+export declare function getTransportForOrigin(origin: string, keyOrigin: string): Promise<EhbpTransport>;

package/dist/encrypted-body-fetch.js

@@ -4,12 +4,12 @@ exports.getHPKEKey = getHPKEKey;
 exports.normalizeEncryptedBodyRequestArgs = normalizeEncryptedBodyRequestArgs;
 exports.encryptedBodyRequest = encryptedBodyRequest;
 exports.createEncryptedBodyFetch = createEncryptedBodyFetch;
-exports.resetTransport = resetTransport;
+exports.getTransportForOrigin = getTransportForOrigin;
 const ehbp_1 = require("@zeke-02/ehbp");
 const fetch_adapter_1 = require("./fetch-adapter");
-let transport = null;
 // Public API
 async function getHPKEKey(enclaveURL) {
+    const url = new URL(enclaveURL);
     const keysURL = new URL(ehbp_1.PROTOCOL.KEYS_PATH, enclaveURL);
     if (keysURL.protocol !== "https:") {
         throw new Error(`HTTPS is required for remote key retrieval. Invalid protocol: ${keysURL.protocol}`);
@@ -47,34 +47,49 @@ function normalizeEncryptedBodyRequestArgs(input, init) {
         init: { ...derivedInit, ...init },
     };
 }
-async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL) {
+async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL, transportInstance) {
     const { url: requestUrl, init: requestInit } = normalizeEncryptedBodyRequestArgs(input, init);
-    const u = new URL(requestUrl);
-    const { origin } = u;
-    const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
-    if (!transport) {
-        transport = getTransportForOrigin(origin, keyOrigin);
+    let actualTransport;
+    if (transportInstance) {
+        // Use provided transport instance
+        actualTransport = transportInstance;
+    }
+    else {
+        // Create a new transport for this request
+        const u = new URL(requestUrl);
+        const { origin } = u;
+        const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
+        actualTransport = await getTransportForOrigin(origin, keyOrigin);
     }
-    const transportInstance = await transport;
     if (hpkePublicKey) {
-        const transportKeyHash = await transportInstance.getServerPublicKeyHex();
+        const transportKeyHash = await actualTransport.getServerPublicKeyHex();
         if (transportKeyHash !== hpkePublicKey) {
-            transport = null;
             throw new Error(`HPKE public key mismatch. Expected: ${hpkePublicKey}, Got: ${transportKeyHash}`);
         }
     }
-    return transportInstance.request(requestUrl, requestInit);
+    return actualTransport.request(requestUrl, requestInit);
 }
 function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
+    // Create a dedicated transport instance for this fetch function
+    let transportPromise = null;
+    const getOrCreateTransport = async () => {
+        if (!transportPromise) {
+            const baseUrl = new URL(baseURL);
+            const keyOrigin = enclaveURL
+                ? new URL(enclaveURL).origin
+                : baseUrl.origin;
+            transportPromise = getTransportForOrigin(baseUrl.origin, keyOrigin);
+        }
+        return transportPromise;
+    };
     return (async (input, init) => {
         const normalized = normalizeEncryptedBodyRequestArgs(input, init);
         const targetUrl = new URL(normalized.url, baseURL);
-        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL);
+        // Get the dedicated transport instance for this fetch function
+        const transportInstance = await getOrCreateTransport();
+        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL, transportInstance);
     });
 }
-function resetTransport() {
-    transport = null;
-}
 async function getTransportForOrigin(origin, keyOrigin) {
     if (typeof globalThis !== "undefined") {
         const isSecure = globalThis.isSecureContext !== false;

package/dist/esm/ai-sdk-provider.js

@@ -2,8 +2,8 @@ import { createOpenAICompatible } from "@ai-sdk/openai-compatible";
 import { TINFOIL_CONFIG } from "./config";
 import { SecureClient } from "./secure-client";
 export async function createTinfoilAI(apiKey, options = {}) {
-    const baseURL = options.baseURL || TINFOIL_CONFIG.INFERENCE_BASE_URL;
-    const enclaveURL = options.enclaveURL || TINFOIL_CONFIG.ENCLAVE_URL;
+    const baseURL = options.baseURL;
+    const enclaveURL = options.enclaveURL;
     const configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     const secureClient = new SecureClient({
         baseURL,
@@ -11,9 +11,14 @@ export async function createTinfoilAI(apiKey, options = {}) {
         configRepo,
     });
     await secureClient.ready();
+    // Get the baseURL from SecureClient after initialization
+    const finalBaseURL = baseURL || secureClient.getBaseURL();
+    if (!finalBaseURL) {
+        throw new Error("Unable to determine baseURL for AI SDK provider");
+    }
     return createOpenAICompatible({
         name: "tinfoil",
-        baseURL: baseURL.replace(/\/$/, ""),
+        baseURL: finalBaseURL,
         apiKey: apiKey,
         fetch: secureClient.fetch,
     });

package/dist/esm/config.d.ts

@@ -2,16 +2,12 @@
  * Configuration constants for the Tinfoil Node SDK
  */
 export declare const TINFOIL_CONFIG: {
-    /**
-     * The base URL for the Tinfoil router API
-     */
-    readonly INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/";
-    /**
-     * The URL for enclave key discovery and attestation endpoints
-     */
-    readonly ENCLAVE_URL: "https://router.inf6.tinfoil.sh";
     /**
      * The GitHub repository for code attestation verification
      */
     readonly INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router";
+    /**
+     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     */
+    readonly ATC_API_URL: "https://atc.tinfoil.sh/routers";
 };

package/dist/esm/config.js

@@ -2,16 +2,12 @@
  * Configuration constants for the Tinfoil Node SDK
  */
 export const TINFOIL_CONFIG = {
-    /**
-     * The base URL for the Tinfoil router API
-     */
-    INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/",
-    /**
-     * The URL for enclave key discovery and attestation endpoints
-     */
-    ENCLAVE_URL: "https://router.inf6.tinfoil.sh",
     /**
      * The GitHub repository for code attestation verification
      */
     INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router",
+    /**
+     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     */
+    ATC_API_URL: "https://atc.tinfoil.sh/routers",
 };

package/dist/esm/encrypted-body-fetch.d.ts

@@ -1,8 +1,9 @@
+import type { Transport as EhbpTransport } from "@zeke-02/ehbp";
 export declare function getHPKEKey(enclaveURL: string): Promise<CryptoKey>;
 export declare function normalizeEncryptedBodyRequestArgs(input: RequestInfo | URL, init?: RequestInit): {
     url: string;
     init?: RequestInit;
 };
-export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string): Promise<Response>;
+export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string, transportInstance?: EhbpTransport): Promise<Response>;
 export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey?: string, enclaveURL?: string): typeof fetch;
-export declare function resetTransport(): void;
+export declare function getTransportForOrigin(origin: string, keyOrigin: string): Promise<EhbpTransport>;

package/dist/esm/encrypted-body-fetch.js

@@ -1,8 +1,8 @@
 import { Identity, Transport, PROTOCOL } from "@zeke-02/ehbp";
 import { getFetch } from "./fetch-adapter";
-let transport = null;
 // Public API
 export async function getHPKEKey(enclaveURL) {
+    const url = new URL(enclaveURL);
     const keysURL = new URL(PROTOCOL.KEYS_PATH, enclaveURL);
     if (keysURL.protocol !== "https:") {
         throw new Error(`HTTPS is required for remote key retrieval. Invalid protocol: ${keysURL.protocol}`);
@@ -40,35 +40,50 @@ export function normalizeEncryptedBodyRequestArgs(input, init) {
         init: { ...derivedInit, ...init },
     };
 }
-export async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL) {
+export async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL, transportInstance) {
     const { url: requestUrl, init: requestInit } = normalizeEncryptedBodyRequestArgs(input, init);
-    const u = new URL(requestUrl);
-    const { origin } = u;
-    const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
-    if (!transport) {
-        transport = getTransportForOrigin(origin, keyOrigin);
+    let actualTransport;
+    if (transportInstance) {
+        // Use provided transport instance
+        actualTransport = transportInstance;
+    }
+    else {
+        // Create a new transport for this request
+        const u = new URL(requestUrl);
+        const { origin } = u;
+        const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
+        actualTransport = await getTransportForOrigin(origin, keyOrigin);
     }
-    const transportInstance = await transport;
     if (hpkePublicKey) {
-        const transportKeyHash = await transportInstance.getServerPublicKeyHex();
+        const transportKeyHash = await actualTransport.getServerPublicKeyHex();
         if (transportKeyHash !== hpkePublicKey) {
-            transport = null;
             throw new Error(`HPKE public key mismatch. Expected: ${hpkePublicKey}, Got: ${transportKeyHash}`);
         }
     }
-    return transportInstance.request(requestUrl, requestInit);
+    return actualTransport.request(requestUrl, requestInit);
 }
 export function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
+    // Create a dedicated transport instance for this fetch function
+    let transportPromise = null;
+    const getOrCreateTransport = async () => {
+        if (!transportPromise) {
+            const baseUrl = new URL(baseURL);
+            const keyOrigin = enclaveURL
+                ? new URL(enclaveURL).origin
+                : baseUrl.origin;
+            transportPromise = getTransportForOrigin(baseUrl.origin, keyOrigin);
+        }
+        return transportPromise;
+    };
     return (async (input, init) => {
         const normalized = normalizeEncryptedBodyRequestArgs(input, init);
         const targetUrl = new URL(normalized.url, baseURL);
-        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL);
+        // Get the dedicated transport instance for this fetch function
+        const transportInstance = await getOrCreateTransport();
+        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL, transportInstance);
     });
 }
-export function resetTransport() {
-    transport = null;
-}
-async function getTransportForOrigin(origin, keyOrigin) {
+export async function getTransportForOrigin(origin, keyOrigin) {
     if (typeof globalThis !== "undefined") {
         const isSecure = globalThis.isSecureContext !== false;
         const hasSubtle = !!(globalThis.crypto && globalThis.crypto.subtle);

package/dist/esm/index.d.ts

@@ -5,4 +5,5 @@ export * from "./ai-sdk-provider";
 export * from "./config";
 export { SecureClient } from "./secure-client";
 export { UnverifiedClient } from "./unverified-client";
+export { fetchRouter } from "./router";
 export { type Uploadable, toFile, APIPromise, PagePromise, OpenAIError, APIError, APIConnectionError, APIConnectionTimeoutError, APIUserAbortError, NotFoundError, ConflictError, RateLimitError, BadRequestError, AuthenticationError, InternalServerError, PermissionDeniedError, UnprocessableEntityError, } from "openai";

package/dist/esm/index.js

@@ -7,6 +7,7 @@ export * from "./ai-sdk-provider";
 export * from "./config";
 export { SecureClient } from "./secure-client";
 export { UnverifiedClient } from "./unverified-client";
+export { fetchRouter } from "./router";
 // Re-export OpenAI utility types and classes that users might need
 // Using public exports from the main OpenAI package instead of deep imports
 export { toFile, APIPromise, PagePromise, OpenAIError, APIError, APIConnectionError, APIConnectionTimeoutError, APIUserAbortError, NotFoundError, ConflictError, RateLimitError, BadRequestError, AuthenticationError, InternalServerError, PermissionDeniedError, UnprocessableEntityError, } from "openai";

package/dist/esm/router.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Router utilities for fetching available Tinfoil routers
+ */
+/**
+ * Fetches the list of available routers from the ATC API
+ * and returns a randomly selected address.
+ *
+ * @returns Promise<string> A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export declare function fetchRouter(): Promise<string>;

package/dist/esm/router.js

@@ -0,0 +1,33 @@
+import { TINFOIL_CONFIG } from "./config";
+/**
+ * Router utilities for fetching available Tinfoil routers
+ */
+/**
+ * Fetches the list of available routers from the ATC API
+ * and returns a randomly selected address.
+ *
+ * @returns Promise<string> A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export async function fetchRouter() {
+    const routersUrl = TINFOIL_CONFIG.ATC_API_URL;
+    try {
+        const response = await fetch(routersUrl);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch routers: ${response.status} ${response.statusText}`);
+        }
+        const routers = await response.json();
+        if (!Array.isArray(routers) || routers.length === 0) {
+            throw new Error("No routers found in the response");
+        }
+        // Return a randomly selected router
+        const randomIndex = Math.floor(Math.random() * routers.length);
+        return routers[randomIndex];
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to fetch router: ${error.message}`);
+        }
+        throw new Error("Failed to fetch router: Unknown error");
+    }
+}

package/dist/esm/secure-client.d.ts

@@ -8,13 +8,14 @@ export declare class SecureClient {
     private initPromise;
     private verificationDocument;
     private _fetch;
-    private readonly baseURL?;
-    private readonly enclaveURL?;
+    private baseURL?;
+    private enclaveURL?;
     private readonly configRepo?;
     constructor(options?: SecureClientOptions);
     ready(): Promise<void>;
     private initSecureClient;
     getVerificationDocument(): Promise<VerificationDocument>;
+    getBaseURL(): string | undefined;
     get fetch(): typeof fetch;
 }
 export {};

package/dist/esm/secure-client.js

@@ -1,13 +1,14 @@
 import { Verifier } from "./verifier";
 import { TINFOIL_CONFIG } from "./config";
 import { createSecureFetch } from "./secure-fetch";
+import { fetchRouter } from "./router";
 export class SecureClient {
     constructor(options = {}) {
         this.initPromise = null;
         this.verificationDocument = null;
         this._fetch = null;
-        this.baseURL = options.baseURL || TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.enclaveURL = options.enclaveURL || TINFOIL_CONFIG.ENCLAVE_URL;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
         this.configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     }
     async ready() {
@@ -17,6 +18,33 @@ export class SecureClient {
         return this.initPromise;
     }
     async initSecureClient() {
+        // Only fetch router if neither baseURL nor enclaveURL is provided
+        if (!this.baseURL && !this.enclaveURL) {
+            const routerAddress = await fetchRouter();
+            this.enclaveURL = `https://${routerAddress}`;
+            this.baseURL = `https://${routerAddress}/v1/`;
+        }
+        // Ensure both baseURL and enclaveURL are initialized
+        if (!this.baseURL) {
+            if (this.enclaveURL) {
+                // If enclaveURL is provided but baseURL is not, derive baseURL from enclaveURL
+                const enclaveUrl = new URL(this.enclaveURL);
+                this.baseURL = `${enclaveUrl.origin}/v1/`;
+            }
+            else {
+                throw new Error("Unable to determine baseURL: neither baseURL nor enclaveURL provided");
+            }
+        }
+        if (!this.enclaveURL) {
+            if (this.baseURL) {
+                // If baseURL is provided but enclaveURL is not, derive enclaveURL from baseURL
+                const baseUrl = new URL(this.baseURL);
+                this.enclaveURL = baseUrl.origin;
+            }
+            else {
+                throw new Error("Unable to determine enclaveURL: neither baseURL nor enclaveURL provided");
+            }
+        }
         const verifier = new Verifier({
             serverURL: this.enclaveURL,
             configRepo: this.configRepo,
@@ -77,6 +105,9 @@ export class SecureClient {
         }
         return this.verificationDocument;
     }
+    getBaseURL() {
+        return this.baseURL;
+    }
     get fetch() {
         return async (input, init) => {
             await this.ready();

package/dist/esm/tinfoilai.js

@@ -36,8 +36,8 @@ export class TinfoilAI {
             openAIOptions.apiKey = process.env.TINFOIL_API_KEY;
         }
         this.apiKey = openAIOptions.apiKey;
-        this.baseURL = options.baseURL || TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.enclaveURL = options.enclaveURL || TINFOIL_CONFIG.ENCLAVE_URL;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
         this.configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
         this.secureClient = new SecureClient({
             baseURL: this.baseURL,
@@ -63,9 +63,11 @@ export class TinfoilAI {
         if (!this.verificationDocument) {
             throw new Error("Verification document not available after successful verification");
         }
+        // Use the provided baseURL, or get it from SecureClient after initialization
+        const baseURL = this.baseURL || this.secureClient.getBaseURL();
         const clientOptions = {
             ...options,
-            baseURL: this.baseURL,
+            baseURL: baseURL,
             fetch: this.secureClient.fetch,
         };
         if (isRealBrowser() || options.dangerouslyAllowBrowser === true) {

package/dist/esm/unverified-client.d.ts

@@ -6,8 +6,8 @@ interface UnverifiedClientOptions {
 export declare class UnverifiedClient {
     private initPromise;
     private _fetch;
-    private readonly baseURL;
-    private readonly enclaveURL;
+    private baseURL?;
+    private enclaveURL?;
     private readonly configRepo;
     constructor(options?: UnverifiedClientOptions);
     ready(): Promise<void>;

package/dist/esm/unverified-client.js

@@ -1,11 +1,12 @@
 import { TINFOIL_CONFIG } from "./config";
 import { createEncryptedBodyFetch } from "./encrypted-body-fetch";
+import { fetchRouter } from "./router";
 export class UnverifiedClient {
     constructor(options = {}) {
         this.initPromise = null;
         this._fetch = null;
-        this.baseURL = options.baseURL || TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.enclaveURL = options.enclaveURL || TINFOIL_CONFIG.ENCLAVE_URL;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
         this.configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     }
     async ready() {
@@ -15,6 +16,33 @@ export class UnverifiedClient {
         return this.initPromise;
     }
     async initUnverifiedClient() {
+        // Only fetch router if neither baseURL nor enclaveURL is provided
+        if (!this.baseURL && !this.enclaveURL) {
+            const routerAddress = await fetchRouter();
+            this.enclaveURL = `https://${routerAddress}`;
+            this.baseURL = `https://${routerAddress}/v1/`;
+        }
+        // Ensure both baseURL and enclaveURL are initialized
+        if (!this.baseURL) {
+            if (this.enclaveURL) {
+                // If enclaveURL is provided but baseURL is not, derive baseURL from enclaveURL
+                const enclaveUrl = new URL(this.enclaveURL);
+                this.baseURL = `${enclaveUrl.origin}/v1/`;
+            }
+            else {
+                throw new Error("Unable to determine baseURL: neither baseURL nor enclaveURL provided");
+            }
+        }
+        if (!this.enclaveURL) {
+            if (this.baseURL) {
+                // If baseURL is provided but enclaveURL is not, derive enclaveURL from baseURL
+                const baseUrl = new URL(this.baseURL);
+                this.enclaveURL = baseUrl.origin;
+            }
+            else {
+                throw new Error("Unable to determine enclaveURL: neither baseURL nor enclaveURL provided");
+            }
+        }
         this._fetch = createEncryptedBodyFetch(this.baseURL, undefined, this.enclaveURL);
     }
     async getVerificationDocument() {

package/dist/esm/verifier.d.ts

@@ -87,7 +87,7 @@ export declare class Verifier {
     private static executeWithWasm;
     /**
      * Fetch the latest release digest from GitHub
-     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-inference-proxy")
+     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-model-router")
      * @returns The digest hash
      */
     fetchLatestDigest(configRepo?: string): Promise<string>;

package/dist/esm/verifier.js

@@ -112,7 +112,8 @@ function compareMeasurementsError(codeMeasurement, runtimeMeasurement) {
     }
     if (codeMeasurement.type === PLATFORM_TYPES.SNP_TDX_MULTI_PLATFORM_V1) {
         switch (runtimeMeasurement.type) {
-            case PLATFORM_TYPES.TDX_GUEST_V1: {
+            case PLATFORM_TYPES.TDX_GUEST_V1:
+            case PLATFORM_TYPES.TDX_GUEST_V2: {
                 if (codeMeasurement.registers.length < 3 ||
                     runtimeMeasurement.registers.length < 4) {
                     return new Error(MEASUREMENT_ERROR_MESSAGES.FEW_REGISTERS);
@@ -184,8 +185,10 @@ export function compareMeasurements(codeMeasurement, runtimeMeasurement) {
  */
 export class Verifier {
     constructor(options) {
-        const serverURL = options?.serverURL ?? TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.serverURL = new URL(serverURL).hostname;
+        if (!options?.serverURL) {
+            throw new Error("serverURL is required for Verifier");
+        }
+        this.serverURL = new URL(options.serverURL).hostname;
         this.configRepo =
             options?.configRepo ?? TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     }
@@ -248,7 +251,7 @@ export class Verifier {
     }
     /**
      * Fetch the latest release digest from GitHub
-     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-inference-proxy")
+     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-model-router")
      * @returns The digest hash
      */
     async fetchLatestDigest(configRepo) {

package/dist/index.d.ts

@@ -5,4 +5,5 @@ export * from "./ai-sdk-provider";
 export * from "./config";
 export { SecureClient } from "./secure-client";
 export { UnverifiedClient } from "./unverified-client";
+export { fetchRouter } from "./router";
 export { type Uploadable, toFile, APIPromise, PagePromise, OpenAIError, APIError, APIConnectionError, APIConnectionTimeoutError, APIUserAbortError, NotFoundError, ConflictError, RateLimitError, BadRequestError, AuthenticationError, InternalServerError, PermissionDeniedError, UnprocessableEntityError, } from "openai";

package/dist/index.js

@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.UnprocessableEntityError = exports.PermissionDeniedError = exports.InternalServerError = exports.AuthenticationError = exports.BadRequestError = exports.RateLimitError = exports.ConflictError = exports.NotFoundError = exports.APIUserAbortError = exports.APIConnectionTimeoutError = exports.APIConnectionError = exports.APIError = exports.OpenAIError = exports.PagePromise = exports.APIPromise = exports.toFile = exports.UnverifiedClient = exports.SecureClient = exports.default = exports.TinfoilAI = void 0;
+exports.UnprocessableEntityError = exports.PermissionDeniedError = exports.InternalServerError = exports.AuthenticationError = exports.BadRequestError = exports.RateLimitError = exports.ConflictError = exports.NotFoundError = exports.APIUserAbortError = exports.APIConnectionTimeoutError = exports.APIConnectionError = exports.APIError = exports.OpenAIError = exports.PagePromise = exports.APIPromise = exports.toFile = exports.fetchRouter = exports.UnverifiedClient = exports.SecureClient = exports.default = exports.TinfoilAI = void 0;
 // Re-export the TinfoilAI class
 var tinfoilai_1 = require("./tinfoilai");
 Object.defineProperty(exports, "TinfoilAI", { enumerable: true, get: function () { return tinfoilai_1.TinfoilAI; } });
@@ -28,6 +28,8 @@ var secure_client_1 = require("./secure-client");
 Object.defineProperty(exports, "SecureClient", { enumerable: true, get: function () { return secure_client_1.SecureClient; } });
 var unverified_client_1 = require("./unverified-client");
 Object.defineProperty(exports, "UnverifiedClient", { enumerable: true, get: function () { return unverified_client_1.UnverifiedClient; } });
+var router_1 = require("./router");
+Object.defineProperty(exports, "fetchRouter", { enumerable: true, get: function () { return router_1.fetchRouter; } });
 // Re-export OpenAI utility types and classes that users might need
 // Using public exports from the main OpenAI package instead of deep imports
 var openai_1 = require("openai");

package/dist/router.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Router utilities for fetching available Tinfoil routers
+ */
+/**
+ * Fetches the list of available routers from the ATC API
+ * and returns a randomly selected address.
+ *
+ * @returns Promise<string> A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export declare function fetchRouter(): Promise<string>;

package/dist/router.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchRouter = fetchRouter;
+const config_1 = require("./config");
+/**
+ * Router utilities for fetching available Tinfoil routers
+ */
+/**
+ * Fetches the list of available routers from the ATC API
+ * and returns a randomly selected address.
+ *
+ * @returns Promise<string> A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+async function fetchRouter() {
+    const routersUrl = config_1.TINFOIL_CONFIG.ATC_API_URL;
+    try {
+        const response = await fetch(routersUrl);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch routers: ${response.status} ${response.statusText}`);
+        }
+        const routers = await response.json();
+        if (!Array.isArray(routers) || routers.length === 0) {
+            throw new Error("No routers found in the response");
+        }
+        // Return a randomly selected router
+        const randomIndex = Math.floor(Math.random() * routers.length);
+        return routers[randomIndex];
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to fetch router: ${error.message}`);
+        }
+        throw new Error("Failed to fetch router: Unknown error");
+    }
+}

package/dist/secure-client.d.ts

@@ -8,13 +8,14 @@ export declare class SecureClient {
     private initPromise;
     private verificationDocument;
     private _fetch;
-    private readonly baseURL?;
-    private readonly enclaveURL?;
+    private baseURL?;
+    private enclaveURL?;
     private readonly configRepo?;
     constructor(options?: SecureClientOptions);
     ready(): Promise<void>;
     private initSecureClient;
     getVerificationDocument(): Promise<VerificationDocument>;
+    getBaseURL(): string | undefined;
     get fetch(): typeof fetch;
 }
 export {};

package/dist/secure-client.js

@@ -4,13 +4,14 @@ exports.SecureClient = void 0;
 const verifier_1 = require("./verifier");
 const config_1 = require("./config");
 const secure_fetch_1 = require("./secure-fetch");
+const router_1 = require("./router");
 class SecureClient {
     constructor(options = {}) {
         this.initPromise = null;
         this.verificationDocument = null;
         this._fetch = null;
-        this.baseURL = options.baseURL || config_1.TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.enclaveURL = options.enclaveURL || config_1.TINFOIL_CONFIG.ENCLAVE_URL;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
         this.configRepo = options.configRepo || config_1.TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     }
     async ready() {
@@ -20,6 +21,33 @@ class SecureClient {
         return this.initPromise;
     }
     async initSecureClient() {
+        // Only fetch router if neither baseURL nor enclaveURL is provided
+        if (!this.baseURL && !this.enclaveURL) {
+            const routerAddress = await (0, router_1.fetchRouter)();
+            this.enclaveURL = `https://${routerAddress}`;
+            this.baseURL = `https://${routerAddress}/v1/`;
+        }
+        // Ensure both baseURL and enclaveURL are initialized
+        if (!this.baseURL) {
+            if (this.enclaveURL) {
+                // If enclaveURL is provided but baseURL is not, derive baseURL from enclaveURL
+                const enclaveUrl = new URL(this.enclaveURL);
+                this.baseURL = `${enclaveUrl.origin}/v1/`;
+            }
+            else {
+                throw new Error("Unable to determine baseURL: neither baseURL nor enclaveURL provided");
+            }
+        }
+        if (!this.enclaveURL) {
+            if (this.baseURL) {
+                // If baseURL is provided but enclaveURL is not, derive enclaveURL from baseURL
+                const baseUrl = new URL(this.baseURL);
+                this.enclaveURL = baseUrl.origin;
+            }
+            else {
+                throw new Error("Unable to determine enclaveURL: neither baseURL nor enclaveURL provided");
+            }
+        }
         const verifier = new verifier_1.Verifier({
             serverURL: this.enclaveURL,
             configRepo: this.configRepo,
@@ -80,6 +108,9 @@ class SecureClient {
         }
         return this.verificationDocument;
     }
+    getBaseURL() {
+        return this.baseURL;
+    }
     get fetch() {
         return async (input, init) => {
             await this.ready();

package/dist/tinfoilai.js

@@ -42,8 +42,8 @@ class TinfoilAI {
             openAIOptions.apiKey = process.env.TINFOIL_API_KEY;
         }
         this.apiKey = openAIOptions.apiKey;
-        this.baseURL = options.baseURL || config_1.TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.enclaveURL = options.enclaveURL || config_1.TINFOIL_CONFIG.ENCLAVE_URL;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
         this.configRepo = options.configRepo || config_1.TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
         this.secureClient = new secure_client_1.SecureClient({
             baseURL: this.baseURL,
@@ -69,9 +69,11 @@ class TinfoilAI {
         if (!this.verificationDocument) {
             throw new Error("Verification document not available after successful verification");
         }
+        // Use the provided baseURL, or get it from SecureClient after initialization
+        const baseURL = this.baseURL || this.secureClient.getBaseURL();
         const clientOptions = {
             ...options,
-            baseURL: this.baseURL,
+            baseURL: baseURL,
             fetch: this.secureClient.fetch,
         };
         if ((0, env_1.isRealBrowser)() || options.dangerouslyAllowBrowser === true) {

package/dist/unverified-client.d.ts

@@ -6,8 +6,8 @@ interface UnverifiedClientOptions {
 export declare class UnverifiedClient {
     private initPromise;
     private _fetch;
-    private readonly baseURL;
-    private readonly enclaveURL;
+    private baseURL?;
+    private enclaveURL?;
     private readonly configRepo;
     constructor(options?: UnverifiedClientOptions);
     ready(): Promise<void>;

package/dist/unverified-client.js

@@ -3,12 +3,13 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.UnverifiedClient = void 0;
 const config_1 = require("./config");
 const encrypted_body_fetch_1 = require("./encrypted-body-fetch");
+const router_1 = require("./router");
 class UnverifiedClient {
     constructor(options = {}) {
         this.initPromise = null;
         this._fetch = null;
-        this.baseURL = options.baseURL || config_1.TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.enclaveURL = options.enclaveURL || config_1.TINFOIL_CONFIG.ENCLAVE_URL;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
         this.configRepo = options.configRepo || config_1.TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     }
     async ready() {
@@ -18,6 +19,33 @@ class UnverifiedClient {
         return this.initPromise;
     }
     async initUnverifiedClient() {
+        // Only fetch router if neither baseURL nor enclaveURL is provided
+        if (!this.baseURL && !this.enclaveURL) {
+            const routerAddress = await (0, router_1.fetchRouter)();
+            this.enclaveURL = `https://${routerAddress}`;
+            this.baseURL = `https://${routerAddress}/v1/`;
+        }
+        // Ensure both baseURL and enclaveURL are initialized
+        if (!this.baseURL) {
+            if (this.enclaveURL) {
+                // If enclaveURL is provided but baseURL is not, derive baseURL from enclaveURL
+                const enclaveUrl = new URL(this.enclaveURL);
+                this.baseURL = `${enclaveUrl.origin}/v1/`;
+            }
+            else {
+                throw new Error("Unable to determine baseURL: neither baseURL nor enclaveURL provided");
+            }
+        }
+        if (!this.enclaveURL) {
+            if (this.baseURL) {
+                // If baseURL is provided but enclaveURL is not, derive enclaveURL from baseURL
+                const baseUrl = new URL(this.baseURL);
+                this.enclaveURL = baseUrl.origin;
+            }
+            else {
+                throw new Error("Unable to determine enclaveURL: neither baseURL nor enclaveURL provided");
+            }
+        }
         this._fetch = (0, encrypted_body_fetch_1.createEncryptedBodyFetch)(this.baseURL, undefined, this.enclaveURL);
     }
     async getVerificationDocument() {

package/dist/verifier.d.ts

@@ -87,7 +87,7 @@ export declare class Verifier {
     private static executeWithWasm;
     /**
      * Fetch the latest release digest from GitHub
-     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-inference-proxy")
+     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-model-router")
      * @returns The digest hash
      */
     fetchLatestDigest(configRepo?: string): Promise<string>;

package/dist/verifier.js

@@ -151,7 +151,8 @@ function compareMeasurementsError(codeMeasurement, runtimeMeasurement) {
     }
     if (codeMeasurement.type === PLATFORM_TYPES.SNP_TDX_MULTI_PLATFORM_V1) {
         switch (runtimeMeasurement.type) {
-            case PLATFORM_TYPES.TDX_GUEST_V1: {
+            case PLATFORM_TYPES.TDX_GUEST_V1:
+            case PLATFORM_TYPES.TDX_GUEST_V2: {
                 if (codeMeasurement.registers.length < 3 ||
                     runtimeMeasurement.registers.length < 4) {
                     return new Error(MEASUREMENT_ERROR_MESSAGES.FEW_REGISTERS);
@@ -223,8 +224,10 @@ function compareMeasurements(codeMeasurement, runtimeMeasurement) {
  */
 class Verifier {
     constructor(options) {
-        const serverURL = options?.serverURL ?? config_1.TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.serverURL = new URL(serverURL).hostname;
+        if (!options?.serverURL) {
+            throw new Error("serverURL is required for Verifier");
+        }
+        this.serverURL = new URL(options.serverURL).hostname;
         this.configRepo =
             options?.configRepo ?? config_1.TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     }
@@ -287,7 +290,7 @@ class Verifier {
     }
     /**
      * Fetch the latest release digest from GitHub
-     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-inference-proxy")
+     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-model-router")
      * @returns The digest hash
      */
     async fetchLatestDigest(configRepo) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zeke-02/tinfoil",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "description": "Tinfoil secure OpenAI client wrapper for Tauri v2",
   "main": "dist/index.js",
   "module": "dist/esm/index.js",