@zeke-02/tinfoil 0.0.2 → 0.0.4

package/dist/ai-sdk-provider.js

@@ -5,8 +5,8 @@ const openai_compatible_1 = require("@ai-sdk/openai-compatible");
 const config_1 = require("./config");
 const secure_client_1 = require("./secure-client");
 async function createTinfoilAI(apiKey, options = {}) {
-    const baseURL = options.baseURL || config_1.TINFOIL_CONFIG.INFERENCE_BASE_URL;
-    const enclaveURL = options.enclaveURL || config_1.TINFOIL_CONFIG.ENCLAVE_URL;
+    const baseURL = options.baseURL;
+    const enclaveURL = options.enclaveURL;
     const configRepo = options.configRepo || config_1.TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     const secureClient = new secure_client_1.SecureClient({
         baseURL,
@@ -14,9 +14,14 @@ async function createTinfoilAI(apiKey, options = {}) {
         configRepo,
     });
     await secureClient.ready();
+    // Get the baseURL from SecureClient after initialization
+    const finalBaseURL = baseURL || secureClient.getBaseURL();
+    if (!finalBaseURL) {
+        throw new Error("Unable to determine baseURL for AI SDK provider");
+    }
     return (0, openai_compatible_1.createOpenAICompatible)({
         name: "tinfoil",
-        baseURL: baseURL.replace(/\/$/, ""),
+        baseURL: finalBaseURL,
         apiKey: apiKey,
         fetch: secureClient.fetch,
     });

package/dist/config.d.ts

@@ -2,16 +2,12 @@
  * Configuration constants for the Tinfoil Node SDK
  */
 export declare const TINFOIL_CONFIG: {
-    /**
-     * The base URL for the Tinfoil router API
-     */
-    readonly INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/";
-    /**
-     * The URL for enclave key discovery and attestation endpoints
-     */
-    readonly ENCLAVE_URL: "https://router.inf6.tinfoil.sh";
     /**
      * The GitHub repository for code attestation verification
      */
     readonly INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router";
+    /**
+     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     */
+    readonly ATC_API_URL: "https://atc.tinfoil.sh/routers";
 };

package/dist/config.js

@@ -5,16 +5,12 @@ exports.TINFOIL_CONFIG = void 0;
  * Configuration constants for the Tinfoil Node SDK
  */
 exports.TINFOIL_CONFIG = {
-    /**
-     * The base URL for the Tinfoil router API
-     */
-    INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/",
-    /**
-     * The URL for enclave key discovery and attestation endpoints
-     */
-    ENCLAVE_URL: "https://router.inf6.tinfoil.sh",
     /**
      * The GitHub repository for code attestation verification
      */
     INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router",
+    /**
+     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     */
+    ATC_API_URL: "https://atc.tinfoil.sh/routers",
 };

package/dist/encrypted-body-fetch.d.ts

@@ -1,8 +1,9 @@
+import type { Transport as EhbpTransport } from "@zeke-02/ehbp";
 export declare function getHPKEKey(enclaveURL: string): Promise<CryptoKey>;
 export declare function normalizeEncryptedBodyRequestArgs(input: RequestInfo | URL, init?: RequestInit): {
     url: string;
     init?: RequestInit;
 };
-export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string): Promise<Response>;
+export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string, transportInstance?: EhbpTransport): Promise<Response>;
 export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey?: string, enclaveURL?: string): typeof fetch;
-export declare function resetTransport(): void;
+export declare function getTransportForOrigin(origin: string, keyOrigin: string): Promise<EhbpTransport>;

package/dist/encrypted-body-fetch.js

@@ -4,12 +4,12 @@ exports.getHPKEKey = getHPKEKey;
 exports.normalizeEncryptedBodyRequestArgs = normalizeEncryptedBodyRequestArgs;
 exports.encryptedBodyRequest = encryptedBodyRequest;
 exports.createEncryptedBodyFetch = createEncryptedBodyFetch;
-exports.resetTransport = resetTransport;
+exports.getTransportForOrigin = getTransportForOrigin;
 const ehbp_1 = require("@zeke-02/ehbp");
 const fetch_adapter_1 = require("./fetch-adapter");
-let transport = null;
 // Public API
 async function getHPKEKey(enclaveURL) {
+    const url = new URL(enclaveURL);
     const keysURL = new URL(ehbp_1.PROTOCOL.KEYS_PATH, enclaveURL);
     if (keysURL.protocol !== "https:") {
         throw new Error(`HTTPS is required for remote key retrieval. Invalid protocol: ${keysURL.protocol}`);
@@ -47,34 +47,49 @@ function normalizeEncryptedBodyRequestArgs(input, init) {
         init: { ...derivedInit, ...init },
     };
 }
-async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL) {
+async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL, transportInstance) {
     const { url: requestUrl, init: requestInit } = normalizeEncryptedBodyRequestArgs(input, init);
-    const u = new URL(requestUrl);
-    const { origin } = u;
-    const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
-    if (!transport) {
-        transport = getTransportForOrigin(origin, keyOrigin);
+    let actualTransport;
+    if (transportInstance) {
+        // Use provided transport instance
+        actualTransport = transportInstance;
+    }
+    else {
+        // Create a new transport for this request
+        const u = new URL(requestUrl);
+        const { origin } = u;
+        const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
+        actualTransport = await getTransportForOrigin(origin, keyOrigin);
     }
-    const transportInstance = await transport;
     if (hpkePublicKey) {
-        const transportKeyHash = await transportInstance.getServerPublicKeyHex();
+        const transportKeyHash = await actualTransport.getServerPublicKeyHex();
         if (transportKeyHash !== hpkePublicKey) {
-            transport = null;
             throw new Error(`HPKE public key mismatch. Expected: ${hpkePublicKey}, Got: ${transportKeyHash}`);
         }
     }
-    return transportInstance.request(requestUrl, requestInit);
+    return actualTransport.request(requestUrl, requestInit);
 }
 function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
+    // Create a dedicated transport instance for this fetch function
+    let transportPromise = null;
+    const getOrCreateTransport = async () => {
+        if (!transportPromise) {
+            const baseUrl = new URL(baseURL);
+            const keyOrigin = enclaveURL
+                ? new URL(enclaveURL).origin
+                : baseUrl.origin;
+            transportPromise = getTransportForOrigin(baseUrl.origin, keyOrigin);
+        }
+        return transportPromise;
+    };
     return (async (input, init) => {
         const normalized = normalizeEncryptedBodyRequestArgs(input, init);
         const targetUrl = new URL(normalized.url, baseURL);
-        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL);
+        // Get the dedicated transport instance for this fetch function
+        const transportInstance = await getOrCreateTransport();
+        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL, transportInstance);
     });
 }
-function resetTransport() {
-    transport = null;
-}
 async function getTransportForOrigin(origin, keyOrigin) {
     if (typeof globalThis !== "undefined") {
         const isSecure = globalThis.isSecureContext !== false;

package/dist/esm/{ai-sdk-provider.js → ai-sdk-provider.mjs}

@@ -1,9 +1,9 @@
 import { createOpenAICompatible } from "@ai-sdk/openai-compatible";
-import { TINFOIL_CONFIG } from "./config";
-import { SecureClient } from "./secure-client";
+import { TINFOIL_CONFIG } from "./config.mjs";
+import { SecureClient } from "./secure-client.mjs";
 export async function createTinfoilAI(apiKey, options = {}) {
-    const baseURL = options.baseURL || TINFOIL_CONFIG.INFERENCE_BASE_URL;
-    const enclaveURL = options.enclaveURL || TINFOIL_CONFIG.ENCLAVE_URL;
+    const baseURL = options.baseURL;
+    const enclaveURL = options.enclaveURL;
     const configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     const secureClient = new SecureClient({
         baseURL,
@@ -11,9 +11,14 @@ export async function createTinfoilAI(apiKey, options = {}) {
         configRepo,
     });
     await secureClient.ready();
+    // Get the baseURL from SecureClient after initialization
+    const finalBaseURL = baseURL || secureClient.getBaseURL();
+    if (!finalBaseURL) {
+        throw new Error("Unable to determine baseURL for AI SDK provider");
+    }
     return createOpenAICompatible({
         name: "tinfoil",
-        baseURL: baseURL.replace(/\/$/, ""),
+        baseURL: finalBaseURL,
         apiKey: apiKey,
         fetch: secureClient.fetch,
     });

package/dist/esm/config.d.ts

@@ -2,16 +2,12 @@
  * Configuration constants for the Tinfoil Node SDK
  */
 export declare const TINFOIL_CONFIG: {
-    /**
-     * The base URL for the Tinfoil router API
-     */
-    readonly INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/";
-    /**
-     * The URL for enclave key discovery and attestation endpoints
-     */
-    readonly ENCLAVE_URL: "https://router.inf6.tinfoil.sh";
     /**
      * The GitHub repository for code attestation verification
      */
     readonly INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router";
+    /**
+     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     */
+    readonly ATC_API_URL: "https://atc.tinfoil.sh/routers";
 };

package/dist/esm/{config.js → config.mjs}

@@ -2,16 +2,12 @@
  * Configuration constants for the Tinfoil Node SDK
  */
 export const TINFOIL_CONFIG = {
-    /**
-     * The base URL for the Tinfoil router API
-     */
-    INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/",
-    /**
-     * The URL for enclave key discovery and attestation endpoints
-     */
-    ENCLAVE_URL: "https://router.inf6.tinfoil.sh",
     /**
      * The GitHub repository for code attestation verification
      */
     INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router",
+    /**
+     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     */
+    ATC_API_URL: "https://atc.tinfoil.sh/routers",
 };

package/dist/esm/encrypted-body-fetch.d.ts

@@ -1,8 +1,9 @@
+import type { Transport as EhbpTransport } from "@zeke-02/ehbp";
 export declare function getHPKEKey(enclaveURL: string): Promise<CryptoKey>;
 export declare function normalizeEncryptedBodyRequestArgs(input: RequestInfo | URL, init?: RequestInit): {
     url: string;
     init?: RequestInit;
 };
-export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string): Promise<Response>;
+export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string, transportInstance?: EhbpTransport): Promise<Response>;
 export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey?: string, enclaveURL?: string): typeof fetch;
-export declare function resetTransport(): void;
+export declare function getTransportForOrigin(origin: string, keyOrigin: string): Promise<EhbpTransport>;

package/dist/esm/{encrypted-body-fetch.js → encrypted-body-fetch.mjs}

@@ -1,8 +1,8 @@
 import { Identity, Transport, PROTOCOL } from "@zeke-02/ehbp";
-import { getFetch } from "./fetch-adapter";
-let transport = null;
+import { getFetch } from "./fetch-adapter.mjs";
 // Public API
 export async function getHPKEKey(enclaveURL) {
+    const url = new URL(enclaveURL);
     const keysURL = new URL(PROTOCOL.KEYS_PATH, enclaveURL);
     if (keysURL.protocol !== "https:") {
         throw new Error(`HTTPS is required for remote key retrieval. Invalid protocol: ${keysURL.protocol}`);
@@ -40,35 +40,50 @@ export function normalizeEncryptedBodyRequestArgs(input, init) {
         init: { ...derivedInit, ...init },
     };
 }
-export async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL) {
+export async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL, transportInstance) {
     const { url: requestUrl, init: requestInit } = normalizeEncryptedBodyRequestArgs(input, init);
-    const u = new URL(requestUrl);
-    const { origin } = u;
-    const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
-    if (!transport) {
-        transport = getTransportForOrigin(origin, keyOrigin);
+    let actualTransport;
+    if (transportInstance) {
+        // Use provided transport instance
+        actualTransport = transportInstance;
+    }
+    else {
+        // Create a new transport for this request
+        const u = new URL(requestUrl);
+        const { origin } = u;
+        const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
+        actualTransport = await getTransportForOrigin(origin, keyOrigin);
     }
-    const transportInstance = await transport;
     if (hpkePublicKey) {
-        const transportKeyHash = await transportInstance.getServerPublicKeyHex();
+        const transportKeyHash = await actualTransport.getServerPublicKeyHex();
         if (transportKeyHash !== hpkePublicKey) {
-            transport = null;
             throw new Error(`HPKE public key mismatch. Expected: ${hpkePublicKey}, Got: ${transportKeyHash}`);
         }
     }
-    return transportInstance.request(requestUrl, requestInit);
+    return actualTransport.request(requestUrl, requestInit);
 }
 export function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
+    // Create a dedicated transport instance for this fetch function
+    let transportPromise = null;
+    const getOrCreateTransport = async () => {
+        if (!transportPromise) {
+            const baseUrl = new URL(baseURL);
+            const keyOrigin = enclaveURL
+                ? new URL(enclaveURL).origin
+                : baseUrl.origin;
+            transportPromise = getTransportForOrigin(baseUrl.origin, keyOrigin);
+        }
+        return transportPromise;
+    };
     return (async (input, init) => {
         const normalized = normalizeEncryptedBodyRequestArgs(input, init);
         const targetUrl = new URL(normalized.url, baseURL);
-        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL);
+        // Get the dedicated transport instance for this fetch function
+        const transportInstance = await getOrCreateTransport();
+        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL, transportInstance);
     });
 }
-export function resetTransport() {
-    transport = null;
-}
-async function getTransportForOrigin(origin, keyOrigin) {
+export async function getTransportForOrigin(origin, keyOrigin) {
     if (typeof globalThis !== "undefined") {
         const isSecure = globalThis.isSecureContext !== false;
         const hasSubtle = !!(globalThis.crypto && globalThis.crypto.subtle);

package/dist/esm/index.browser.mjs

@@ -0,0 +1,8 @@
+// Browser-safe entry point: avoids Node built-ins
+export { TinfoilAI } from "./tinfoilai.mjs";
+export { TinfoilAI as default } from "./tinfoilai.mjs";
+export * from "./verifier.mjs";
+export * from "./ai-sdk-provider.mjs";
+export * from "./config.mjs";
+export { SecureClient } from "./secure-client.mjs";
+export { UnverifiedClient } from "./unverified-client.mjs";

package/dist/esm/index.d.ts

@@ -5,4 +5,5 @@ export * from "./ai-sdk-provider";
 export * from "./config";
 export { SecureClient } from "./secure-client";
 export { UnverifiedClient } from "./unverified-client";
+export { fetchRouter } from "./router";
 export { type Uploadable, toFile, APIPromise, PagePromise, OpenAIError, APIError, APIConnectionError, APIConnectionTimeoutError, APIUserAbortError, NotFoundError, ConflictError, RateLimitError, BadRequestError, AuthenticationError, InternalServerError, PermissionDeniedError, UnprocessableEntityError, } from "openai";

package/dist/esm/{index.js → index.mjs}

@@ -1,12 +1,13 @@
 // Re-export the TinfoilAI class
-export { TinfoilAI } from "./tinfoilai";
-export { TinfoilAI as default } from "./tinfoilai";
+export { TinfoilAI } from "./tinfoilai.mjs";
+export { TinfoilAI as default } from "./tinfoilai.mjs";
 // Export verifier
-export * from "./verifier";
-export * from "./ai-sdk-provider";
-export * from "./config";
-export { SecureClient } from "./secure-client";
-export { UnverifiedClient } from "./unverified-client";
+export * from "./verifier.mjs";
+export * from "./ai-sdk-provider.mjs";
+export * from "./config.mjs";
+export { SecureClient } from "./secure-client.mjs";
+export { UnverifiedClient } from "./unverified-client.mjs";
+export { fetchRouter } from "./router.mjs";
 // Re-export OpenAI utility types and classes that users might need
 // Using public exports from the main OpenAI package instead of deep imports
 export { toFile, APIPromise, PagePromise, OpenAIError, APIError, APIConnectionError, APIConnectionTimeoutError, APIUserAbortError, NotFoundError, ConflictError, RateLimitError, BadRequestError, AuthenticationError, InternalServerError, PermissionDeniedError, UnprocessableEntityError, } from "openai";

package/dist/esm/router.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Router utilities for fetching available Tinfoil routers
+ */
+/**
+ * Fetches the list of available routers from the ATC API
+ * and returns a randomly selected address.
+ *
+ * @returns Promise<string> A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export declare function fetchRouter(): Promise<string>;

package/dist/esm/router.mjs

@@ -0,0 +1,33 @@
+import { TINFOIL_CONFIG } from "./config.mjs";
+/**
+ * Router utilities for fetching available Tinfoil routers
+ */
+/**
+ * Fetches the list of available routers from the ATC API
+ * and returns a randomly selected address.
+ *
+ * @returns Promise<string> A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export async function fetchRouter() {
+    const routersUrl = TINFOIL_CONFIG.ATC_API_URL;
+    try {
+        const response = await fetch(routersUrl);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch routers: ${response.status} ${response.statusText}`);
+        }
+        const routers = await response.json();
+        if (!Array.isArray(routers) || routers.length === 0) {
+            throw new Error("No routers found in the response");
+        }
+        // Return a randomly selected router
+        const randomIndex = Math.floor(Math.random() * routers.length);
+        return routers[randomIndex];
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to fetch router: ${error.message}`);
+        }
+        throw new Error("Failed to fetch router: Unknown error");
+    }
+}

package/dist/esm/secure-client.d.ts

@@ -8,13 +8,14 @@ export declare class SecureClient {
     private initPromise;
     private verificationDocument;
     private _fetch;
-    private readonly baseURL?;
-    private readonly enclaveURL?;
+    private baseURL?;
+    private enclaveURL?;
     private readonly configRepo?;
     constructor(options?: SecureClientOptions);
     ready(): Promise<void>;
     private initSecureClient;
     getVerificationDocument(): Promise<VerificationDocument>;
+    getBaseURL(): string | undefined;
     get fetch(): typeof fetch;
 }
 export {};

package/dist/esm/{secure-client.js → secure-client.mjs}

@@ -1,13 +1,14 @@
-import { Verifier } from "./verifier";
-import { TINFOIL_CONFIG } from "./config";
-import { createSecureFetch } from "./secure-fetch";
+import { Verifier } from "./verifier.mjs";
+import { TINFOIL_CONFIG } from "./config.mjs";
+import { createSecureFetch } from "./secure-fetch.mjs";
+import { fetchRouter } from "./router.mjs";
 export class SecureClient {
     constructor(options = {}) {
         this.initPromise = null;
         this.verificationDocument = null;
         this._fetch = null;
-        this.baseURL = options.baseURL || TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.enclaveURL = options.enclaveURL || TINFOIL_CONFIG.ENCLAVE_URL;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
         this.configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
     }
     async ready() {
@@ -17,6 +18,33 @@ export class SecureClient {
         return this.initPromise;
     }
     async initSecureClient() {
+        // Only fetch router if neither baseURL nor enclaveURL is provided
+        if (!this.baseURL && !this.enclaveURL) {
+            const routerAddress = await fetchRouter();
+            this.enclaveURL = `https://${routerAddress}`;
+            this.baseURL = `https://${routerAddress}/v1/`;
+        }
+        // Ensure both baseURL and enclaveURL are initialized
+        if (!this.baseURL) {
+            if (this.enclaveURL) {
+                // If enclaveURL is provided but baseURL is not, derive baseURL from enclaveURL
+                const enclaveUrl = new URL(this.enclaveURL);
+                this.baseURL = `${enclaveUrl.origin}/v1/`;
+            }
+            else {
+                throw new Error("Unable to determine baseURL: neither baseURL nor enclaveURL provided");
+            }
+        }
+        if (!this.enclaveURL) {
+            if (this.baseURL) {
+                // If baseURL is provided but enclaveURL is not, derive enclaveURL from baseURL
+                const baseUrl = new URL(this.baseURL);
+                this.enclaveURL = baseUrl.origin;
+            }
+            else {
+                throw new Error("Unable to determine enclaveURL: neither baseURL nor enclaveURL provided");
+            }
+        }
         const verifier = new Verifier({
             serverURL: this.enclaveURL,
             configRepo: this.configRepo,
@@ -77,6 +105,9 @@ export class SecureClient {
         }
         return this.verificationDocument;
     }
+    getBaseURL() {
+        return this.baseURL;
+    }
     get fetch() {
         return async (input, init) => {
             await this.ready();

package/dist/esm/{secure-fetch.browser.js → secure-fetch.browser.mjs}

@@ -1,4 +1,4 @@
-import { createEncryptedBodyFetch } from "./encrypted-body-fetch";
+import { createEncryptedBodyFetch } from "./encrypted-body-fetch.mjs";
 export function createSecureFetch(baseURL, enclaveURL, hpkePublicKey, tlsPublicKeyFingerprint) {
     if (hpkePublicKey) {
         return createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL);

package/dist/esm/{secure-fetch.js → secure-fetch.mjs}

@@ -1,6 +1,6 @@
-import { createEncryptedBodyFetch } from "./encrypted-body-fetch";
-import { createPinnedTlsFetch } from "./pinned-tls-fetch";
-import { isRealBrowser } from "./env";
+import { createEncryptedBodyFetch } from "./encrypted-body-fetch.mjs";
+import { createPinnedTlsFetch } from "./pinned-tls-fetch.mjs";
+import { isRealBrowser } from "./env.mjs";
 export function createSecureFetch(baseURL, enclaveURL, hpkePublicKey, tlsPublicKeyFingerprint) {
     let fetchFunction;
     if (hpkePublicKey) {

package/dist/esm/{tinfoilai.js → tinfoilai.mjs}

@@ -1,7 +1,7 @@
 import OpenAI from "openai";
-import { SecureClient } from "./secure-client";
-import { TINFOIL_CONFIG } from "./config";
-import { isRealBrowser } from "./env";
+import { SecureClient } from "./secure-client.mjs";
+import { TINFOIL_CONFIG } from "./config.mjs";
+import { isRealBrowser } from "./env.mjs";
 function createAsyncProxy(promise) {
     return new Proxy({}, {
         get(target, prop) {
@@ -36,8 +36,8 @@ export class TinfoilAI {
             openAIOptions.apiKey = process.env.TINFOIL_API_KEY;
         }
         this.apiKey = openAIOptions.apiKey;
-        this.baseURL = options.baseURL || TINFOIL_CONFIG.INFERENCE_BASE_URL;
-        this.enclaveURL = options.enclaveURL || TINFOIL_CONFIG.ENCLAVE_URL;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
         this.configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
         this.secureClient = new SecureClient({
             baseURL: this.baseURL,
@@ -63,9 +63,11 @@ export class TinfoilAI {
         if (!this.verificationDocument) {
             throw new Error("Verification document not available after successful verification");
         }
+        // Use the provided baseURL, or get it from SecureClient after initialization
+        const baseURL = this.baseURL || this.secureClient.getBaseURL();
         const clientOptions = {
             ...options,
-            baseURL: this.baseURL,
+            baseURL: baseURL,
             fetch: this.secureClient.fetch,
         };
         if (isRealBrowser() || options.dangerouslyAllowBrowser === true) {

package/dist/esm/unverified-client.d.ts

@@ -6,8 +6,8 @@ interface UnverifiedClientOptions {
 export declare class UnverifiedClient {
     private initPromise;
     private _fetch;
-    private readonly baseURL;
-    private readonly enclaveURL;
+    private baseURL?;
+    private enclaveURL?;
     private readonly configRepo;
     constructor(options?: UnverifiedClientOptions);
     ready(): Promise<void>;

package/dist/esm/unverified-client.mjs

@@ -0,0 +1,61 @@
+import { TINFOIL_CONFIG } from "./config.mjs";
+import { createEncryptedBodyFetch } from "./encrypted-body-fetch.mjs";
+import { fetchRouter } from "./router.mjs";
+export class UnverifiedClient {
+    constructor(options = {}) {
+        this.initPromise = null;
+        this._fetch = null;
+        this.baseURL = options.baseURL;
+        this.enclaveURL = options.enclaveURL;
+        this.configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
+    }
+    async ready() {
+        if (!this.initPromise) {
+            this.initPromise = this.initUnverifiedClient();
+        }
+        return this.initPromise;
+    }
+    async initUnverifiedClient() {
+        // Only fetch router if neither baseURL nor enclaveURL is provided
+        if (!this.baseURL && !this.enclaveURL) {
+            const routerAddress = await fetchRouter();
+            this.enclaveURL = `https://${routerAddress}`;
+            this.baseURL = `https://${routerAddress}/v1/`;
+        }
+        // Ensure both baseURL and enclaveURL are initialized
+        if (!this.baseURL) {
+            if (this.enclaveURL) {
+                // If enclaveURL is provided but baseURL is not, derive baseURL from enclaveURL
+                const enclaveUrl = new URL(this.enclaveURL);
+                this.baseURL = `${enclaveUrl.origin}/v1/`;
+            }
+            else {
+                throw new Error("Unable to determine baseURL: neither baseURL nor enclaveURL provided");
+            }
+        }
+        if (!this.enclaveURL) {
+            if (this.baseURL) {
+                // If baseURL is provided but enclaveURL is not, derive enclaveURL from baseURL
+                const baseUrl = new URL(this.baseURL);
+                this.enclaveURL = baseUrl.origin;
+            }
+            else {
+                throw new Error("Unable to determine enclaveURL: neither baseURL nor enclaveURL provided");
+            }
+        }
+        this._fetch = createEncryptedBodyFetch(this.baseURL, undefined, this.enclaveURL);
+    }
+    async getVerificationDocument() {
+        if (!this.initPromise) {
+            await this.ready();
+        }
+        await this.initPromise;
+        throw new Error("Verification document unavailable: this version of the client is unverified");
+    }
+    get fetch() {
+        return async (input, init) => {
+            await this.ready();
+            return this._fetch(input, init);
+        };
+    }
+}

package/dist/esm/verifier.d.ts

@@ -87,7 +87,7 @@ export declare class Verifier {
     private static executeWithWasm;
     /**
      * Fetch the latest release digest from GitHub
-     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-inference-proxy")
+     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-model-router")
      * @returns The digest hash
      */
     fetchLatestDigest(configRepo?: string): Promise<string>;