@zeke-02/tinfoil 0.0.2

package/README.md

@@ -0,0 +1,169 @@
+# Tinfoil Node Client
+
+[![Build Status](https://github.com/tinfoilsh/tinfoil-node/actions/workflows/test.yml/badge.svg)](https://github.com/tinfoilsh/tinfoil-node/actions)
+[![NPM version](https://img.shields.io/npm/v/tinfoil.svg)](https://npmjs.org/package/tinfoil)
+
+This client library provides secure and convenient access to the Tinfoil Priavate Inference endpoints from TypeScript or JavaScript.
+
+It is a wrapper around the OpenAI client that verifies enclave attestation and routes traffic to the Tinfoil Private Inference endpoints through an [EHBP](https://github.com/tinfoilsh/encrypted-http-body-protocol)-secured transport. EHBP encrypts all payloads directly to an attested enclave using [HPKE (RFC 9180)](https://www.rfc-editor.org/rfc/rfc9180.html).
+
+## Installation
+
+```bash
+npm install tinfoil
+```
+
+## Requirements
+
+Node 20+.
+
+## Quick Start
+
+```typescript
+import { TinfoilAI } from "tinfoil";
+
+const client = new TinfoilAI({
+  apiKey: "<YOUR_API_KEY>", // or use TINFOIL_API_KEY env var
+});
+
+// Uses identical method calls as the OpenAI client
+const completion = await client.chat.completions.create({
+  messages: [{ role: "user", content: "Hello!" }],
+  model: "llama3-3-70b",
+});
+```
+
+## Browser Support
+
+The SDK supports browser environments. This allows you to use the secure enclave-backed OpenAI API directly from web applications.
+
+### ⚠️ Security Warning
+
+Using API keys directly in the browser exposes them to anyone who can view your page source.
+For production applications, always use a backend server to handle API keys.
+
+### Browser Usage
+
+```javascript
+import { TinfoilAI } from 'tinfoil';
+
+const client = new TinfoilAI({
+  apiKey: 'your-api-key',
+  dangerouslyAllowBrowser: true // Required for browser usage
+});
+
+// Optional: pre-initialize; you can also call APIs directly
+await client.ready();
+
+const completion = await client.chat.completions.create({
+  model: 'llama3-3-70b',
+  messages: [{ role: 'user', content: 'Hello!' }]
+});
+```
+
+### Browser Requirements
+
+- Modern browsers with ES2020 support
+- WebAssembly support for enclave verification
+
+
+## Verification helpers
+
+This package exposes verification helpers that load the Go-based WebAssembly verifier once per process and provide structured, stepwise attestation results you can use in applications (e.g., to show progress, log transitions, or gate features).
+
+The verification functionality is contained in `verifier.ts`.
+
+
+### Core Verifier API
+
+```typescript
+import { Verifier } from "tinfoil";
+
+const verifier = new Verifier();
+
+// Perform runtime attestation
+const runtime = await verifier.verifyEnclave("enclave.host.com");
+// Returns: { measurement: AttestationMeasurement, tlsPublicKeyFingerprint: string, hpkePublicKey: string }
+
+// Perform code attestation
+const code = await verifier.verifyCode("tinfoilsh/repo", "digest-hash");
+// Returns: { measurement: AttestationMeasurement }
+
+// Fetch latest digest from GitHub releases
+const digest = await verifier.fetchLatestDigest("tinfoilsh/repo");
+```
+
+### Verification Document
+
+The `SecureClient` provides access to a comprehensive verification document that tracks all verification steps, including failures:
+
+```typescript
+import { SecureClient } from "tinfoil";
+
+const client = new SecureClient();
+
+try {
+  await client.ready();
+  const response = await client.fetch('https://api.example.com/data');
+} catch (error) {
+  // Even on error, you can access the verification document
+  const doc = await client.getVerificationDocument();
+
+  // The document contains detailed step information:
+  // - fetchDigest: GitHub release digest retrieval
+  // - verifyCode: Code measurement verification
+  // - verifyEnclave: Runtime attestation verification
+  // - compareMeasurements: Code vs runtime measurement comparison
+  // - createTransport: Transport initialization (optional)
+  // - verifyHPKEKey: HPKE key verification (optional)
+  // - otherError: Catch-all for unexpected errors (optional)
+
+  console.log('Security verified:', doc.securityVerified);
+
+  // Check individual steps
+  if (doc.steps.verifyEnclave.status === 'failed') {
+    console.log('Enclave verification failed:', doc.steps.verifyEnclave.error);
+  }
+}
+```
+
+## Testing
+
+The project includes both unit tests and integration tests:
+
+### Running Unit Tests
+
+```bash
+npm test
+```
+
+### Running Integration Tests
+
+```bash
+RUN_TINFOIL_INTEGRATION=true npm test
+```
+
+This runs the full test suite including integration tests that:
+- Make actual network requests to Tinfoil services
+- Perform real enclave attestation verification
+- Test end-to-end functionality with live services
+
+Integration tests are skipped by default to keep the test suite fast and avoid network dependencies during development.
+
+## Running examples
+
+See [examples/README.md](https://github.com/tinfoilsh/tinfoil-node/blob/main/examples/README.md).
+
+## API Documentation
+
+This library mirrors the official OpenAI Node.js client for common endpoints (e.g., chat, images, embeddings) and types, and is designed to feel familiar. Some less commonly used surfaces may not be fully covered. See the [OpenAI client](https://github.com/openai/openai-node) for complete API usage and documentation.
+
+## Reporting Vulnerabilities
+
+Please report security vulnerabilities by either:
+
+- Emailing [security@tinfoil.sh](mailto:security@tinfoil.sh)
+
+- Opening an issue on GitHub on this repository
+
+We aim to respond to security reports within 24 hours and will keep you updated on our progress.

package/dist/__tests__/test-utils.d.ts

@@ -0,0 +1 @@
+export declare function withMockedModules(mocks: Record<string, unknown>, modulesToReload: string[], run: () => Promise<void>): Promise<void>;

package/dist/__tests__/test-utils.js

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withMockedModules = withMockedModules;
+const module_1 = __importDefault(require("module"));
+const testRequire = module_1.default.createRequire(__filename);
+async function withMockedModules(mocks, modulesToReload, run) {
+    const moduleAny = module_1.default;
+    const originalLoad = moduleAny._load;
+    moduleAny._load = function (request, parent, isMain) {
+        if (Object.prototype.hasOwnProperty.call(mocks, request)) {
+            return mocks[request];
+        }
+        // eslint-disable-next-line prefer-rest-params
+        return originalLoad.apply(this, arguments);
+    };
+    const restoredCache = [];
+    for (const specifier of modulesToReload) {
+        try {
+            const resolved = testRequire.resolve(specifier);
+            restoredCache.push({ path: resolved, cached: require.cache[resolved] });
+            delete require.cache[resolved];
+        }
+        catch {
+            // Module not yet cached; nothing to remove.
+        }
+    }
+    try {
+        await run();
+    }
+    finally {
+        moduleAny._load = originalLoad;
+        for (const entry of restoredCache) {
+            if (entry.cached) {
+                require.cache[entry.path] = entry.cached;
+            }
+            else {
+                delete require.cache[entry.path];
+            }
+        }
+    }
+}

package/dist/ai-sdk-provider.d.ts

@@ -0,0 +1,7 @@
+interface CreateTinfoilAIOptions {
+    baseURL?: string;
+    enclaveURL?: string;
+    configRepo?: string;
+}
+export declare function createTinfoilAI(apiKey: string, options?: CreateTinfoilAIOptions): Promise<import("@ai-sdk/openai-compatible").OpenAICompatibleProvider<string, string, string, string>>;
+export {};

package/dist/ai-sdk-provider.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTinfoilAI = createTinfoilAI;
+const openai_compatible_1 = require("@ai-sdk/openai-compatible");
+const config_1 = require("./config");
+const secure_client_1 = require("./secure-client");
+async function createTinfoilAI(apiKey, options = {}) {
+    const baseURL = options.baseURL || config_1.TINFOIL_CONFIG.INFERENCE_BASE_URL;
+    const enclaveURL = options.enclaveURL || config_1.TINFOIL_CONFIG.ENCLAVE_URL;
+    const configRepo = options.configRepo || config_1.TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
+    const secureClient = new secure_client_1.SecureClient({
+        baseURL,
+        enclaveURL,
+        configRepo,
+    });
+    await secureClient.ready();
+    return (0, openai_compatible_1.createOpenAICompatible)({
+        name: "tinfoil",
+        baseURL: baseURL.replace(/\/$/, ""),
+        apiKey: apiKey,
+        fetch: secureClient.fetch,
+    });
+}

package/dist/config.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Configuration constants for the Tinfoil Node SDK
+ */
+export declare const TINFOIL_CONFIG: {
+    /**
+     * The base URL for the Tinfoil router API
+     */
+    readonly INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/";
+    /**
+     * The URL for enclave key discovery and attestation endpoints
+     */
+    readonly ENCLAVE_URL: "https://router.inf6.tinfoil.sh";
+    /**
+     * The GitHub repository for code attestation verification
+     */
+    readonly INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router";
+};

package/dist/config.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TINFOIL_CONFIG = void 0;
+/**
+ * Configuration constants for the Tinfoil Node SDK
+ */
+exports.TINFOIL_CONFIG = {
+    /**
+     * The base URL for the Tinfoil router API
+     */
+    INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/",
+    /**
+     * The URL for enclave key discovery and attestation endpoints
+     */
+    ENCLAVE_URL: "https://router.inf6.tinfoil.sh",
+    /**
+     * The GitHub repository for code attestation verification
+     */
+    INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router",
+};

package/dist/encrypted-body-fetch.d.ts

@@ -0,0 +1,8 @@
+export declare function getHPKEKey(enclaveURL: string): Promise<CryptoKey>;
+export declare function normalizeEncryptedBodyRequestArgs(input: RequestInfo | URL, init?: RequestInit): {
+    url: string;
+    init?: RequestInit;
+};
+export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string): Promise<Response>;
+export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey?: string, enclaveURL?: string): typeof fetch;
+export declare function resetTransport(): void;

package/dist/encrypted-body-fetch.js

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getHPKEKey = getHPKEKey;
+exports.normalizeEncryptedBodyRequestArgs = normalizeEncryptedBodyRequestArgs;
+exports.encryptedBodyRequest = encryptedBodyRequest;
+exports.createEncryptedBodyFetch = createEncryptedBodyFetch;
+exports.resetTransport = resetTransport;
+const ehbp_1 = require("@zeke-02/ehbp");
+const fetch_adapter_1 = require("./fetch-adapter");
+let transport = null;
+// Public API
+async function getHPKEKey(enclaveURL) {
+    const keysURL = new URL(ehbp_1.PROTOCOL.KEYS_PATH, enclaveURL);
+    if (keysURL.protocol !== "https:") {
+        throw new Error(`HTTPS is required for remote key retrieval. Invalid protocol: ${keysURL.protocol}`);
+    }
+    const fetchFn = (0, fetch_adapter_1.getFetch)();
+    const response = await fetchFn(keysURL.toString());
+    if (!response.ok) {
+        throw new Error(`Failed to get server public key: ${response.status}`);
+    }
+    const contentType = response.headers.get("content-type");
+    if (contentType !== ehbp_1.PROTOCOL.KEYS_MEDIA_TYPE) {
+        throw new Error(`Invalid content type: ${contentType}`);
+    }
+    const keysData = new Uint8Array(await response.arrayBuffer());
+    const serverIdentity = await ehbp_1.Identity.unmarshalPublicConfig(keysData);
+    return serverIdentity.getPublicKey();
+}
+function normalizeEncryptedBodyRequestArgs(input, init) {
+    if (typeof input === "string") {
+        return { url: input, init };
+    }
+    if (input instanceof URL) {
+        return { url: input.toString(), init };
+    }
+    const request = input;
+    const cloned = request.clone();
+    const derivedInit = {
+        method: cloned.method,
+        headers: new Headers(cloned.headers),
+        body: cloned.body ?? undefined,
+        signal: cloned.signal,
+    };
+    return {
+        url: cloned.url,
+        init: { ...derivedInit, ...init },
+    };
+}
+async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL) {
+    const { url: requestUrl, init: requestInit } = normalizeEncryptedBodyRequestArgs(input, init);
+    const u = new URL(requestUrl);
+    const { origin } = u;
+    const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
+    if (!transport) {
+        transport = getTransportForOrigin(origin, keyOrigin);
+    }
+    const transportInstance = await transport;
+    if (hpkePublicKey) {
+        const transportKeyHash = await transportInstance.getServerPublicKeyHex();
+        if (transportKeyHash !== hpkePublicKey) {
+            transport = null;
+            throw new Error(`HPKE public key mismatch. Expected: ${hpkePublicKey}, Got: ${transportKeyHash}`);
+        }
+    }
+    return transportInstance.request(requestUrl, requestInit);
+}
+function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
+    return (async (input, init) => {
+        const normalized = normalizeEncryptedBodyRequestArgs(input, init);
+        const targetUrl = new URL(normalized.url, baseURL);
+        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL);
+    });
+}
+function resetTransport() {
+    transport = null;
+}
+async function getTransportForOrigin(origin, keyOrigin) {
+    if (typeof globalThis !== "undefined") {
+        const isSecure = globalThis.isSecureContext !== false;
+        const hasSubtle = !!(globalThis.crypto && globalThis.crypto.subtle);
+        if (!isSecure || !hasSubtle) {
+            const reason = !isSecure
+                ? "insecure context (use HTTPS or localhost)"
+                : "missing WebCrypto SubtleCrypto";
+            throw new Error(`EHBP requires a secure browser context: ${reason}`);
+        }
+    }
+    const clientIdentity = await ehbp_1.Identity.generate();
+    const serverPublicKey = await getHPKEKey(keyOrigin);
+    const requestHost = new URL(origin).host;
+    return new ehbp_1.Transport(clientIdentity, requestHost, serverPublicKey);
+}

package/dist/env.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Detects if the code is running in a real browser environment.
+ * Returns false for Node.js environments, even with WASM loaded.
+ */
+export declare function isRealBrowser(): boolean;

package/dist/env.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isRealBrowser = isRealBrowser;
+/**
+ * Detects if the code is running in a real browser environment.
+ * Returns false for Node.js environments, even with WASM loaded.
+ */
+function isRealBrowser() {
+    if (typeof process !== "undefined" &&
+        process.versions &&
+        process.versions.node) {
+        return false;
+    }
+    if (typeof window !== "undefined" && typeof window.document !== "undefined") {
+        if (typeof navigator !== "undefined" && navigator.userAgent) {
+            return true;
+        }
+    }
+    return false;
+}

package/dist/esm/__tests__/test-utils.d.ts

@@ -0,0 +1 @@
+export declare function withMockedModules(mocks: Record<string, unknown>, modulesToReload: string[], run: () => Promise<void>): Promise<void>;

package/dist/esm/__tests__/test-utils.js

@@ -0,0 +1,38 @@
+import Module from "module";
+const testRequire = Module.createRequire(__filename);
+export async function withMockedModules(mocks, modulesToReload, run) {
+    const moduleAny = Module;
+    const originalLoad = moduleAny._load;
+    moduleAny._load = function (request, parent, isMain) {
+        if (Object.prototype.hasOwnProperty.call(mocks, request)) {
+            return mocks[request];
+        }
+        // eslint-disable-next-line prefer-rest-params
+        return originalLoad.apply(this, arguments);
+    };
+    const restoredCache = [];
+    for (const specifier of modulesToReload) {
+        try {
+            const resolved = testRequire.resolve(specifier);
+            restoredCache.push({ path: resolved, cached: require.cache[resolved] });
+            delete require.cache[resolved];
+        }
+        catch {
+            // Module not yet cached; nothing to remove.
+        }
+    }
+    try {
+        await run();
+    }
+    finally {
+        moduleAny._load = originalLoad;
+        for (const entry of restoredCache) {
+            if (entry.cached) {
+                require.cache[entry.path] = entry.cached;
+            }
+            else {
+                delete require.cache[entry.path];
+            }
+        }
+    }
+}

package/dist/esm/ai-sdk-provider.d.ts

@@ -0,0 +1,7 @@
+interface CreateTinfoilAIOptions {
+    baseURL?: string;
+    enclaveURL?: string;
+    configRepo?: string;
+}
+export declare function createTinfoilAI(apiKey: string, options?: CreateTinfoilAIOptions): Promise<import("@ai-sdk/openai-compatible").OpenAICompatibleProvider<string, string, string, string>>;
+export {};

package/dist/esm/ai-sdk-provider.js

@@ -0,0 +1,20 @@
+import { createOpenAICompatible } from "@ai-sdk/openai-compatible";
+import { TINFOIL_CONFIG } from "./config";
+import { SecureClient } from "./secure-client";
+export async function createTinfoilAI(apiKey, options = {}) {
+    const baseURL = options.baseURL || TINFOIL_CONFIG.INFERENCE_BASE_URL;
+    const enclaveURL = options.enclaveURL || TINFOIL_CONFIG.ENCLAVE_URL;
+    const configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
+    const secureClient = new SecureClient({
+        baseURL,
+        enclaveURL,
+        configRepo,
+    });
+    await secureClient.ready();
+    return createOpenAICompatible({
+        name: "tinfoil",
+        baseURL: baseURL.replace(/\/$/, ""),
+        apiKey: apiKey,
+        fetch: secureClient.fetch,
+    });
+}

package/dist/esm/config.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Configuration constants for the Tinfoil Node SDK
+ */
+export declare const TINFOIL_CONFIG: {
+    /**
+     * The base URL for the Tinfoil router API
+     */
+    readonly INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/";
+    /**
+     * The URL for enclave key discovery and attestation endpoints
+     */
+    readonly ENCLAVE_URL: "https://router.inf6.tinfoil.sh";
+    /**
+     * The GitHub repository for code attestation verification
+     */
+    readonly INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router";
+};

package/dist/esm/config.js

@@ -0,0 +1,17 @@
+/**
+ * Configuration constants for the Tinfoil Node SDK
+ */
+export const TINFOIL_CONFIG = {
+    /**
+     * The base URL for the Tinfoil router API
+     */
+    INFERENCE_BASE_URL: "https://router.inf6.tinfoil.sh/v1/",
+    /**
+     * The URL for enclave key discovery and attestation endpoints
+     */
+    ENCLAVE_URL: "https://router.inf6.tinfoil.sh",
+    /**
+     * The GitHub repository for code attestation verification
+     */
+    INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router",
+};

package/dist/esm/encrypted-body-fetch.d.ts

@@ -0,0 +1,8 @@
+export declare function getHPKEKey(enclaveURL: string): Promise<CryptoKey>;
+export declare function normalizeEncryptedBodyRequestArgs(input: RequestInfo | URL, init?: RequestInit): {
+    url: string;
+    init?: RequestInit;
+};
+export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string): Promise<Response>;
+export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey?: string, enclaveURL?: string): typeof fetch;
+export declare function resetTransport(): void;

package/dist/esm/encrypted-body-fetch.js

@@ -0,0 +1,86 @@
+import { Identity, Transport, PROTOCOL } from "@zeke-02/ehbp";
+import { getFetch } from "./fetch-adapter";
+let transport = null;
+// Public API
+export async function getHPKEKey(enclaveURL) {
+    const keysURL = new URL(PROTOCOL.KEYS_PATH, enclaveURL);
+    if (keysURL.protocol !== "https:") {
+        throw new Error(`HTTPS is required for remote key retrieval. Invalid protocol: ${keysURL.protocol}`);
+    }
+    const fetchFn = getFetch();
+    const response = await fetchFn(keysURL.toString());
+    if (!response.ok) {
+        throw new Error(`Failed to get server public key: ${response.status}`);
+    }
+    const contentType = response.headers.get("content-type");
+    if (contentType !== PROTOCOL.KEYS_MEDIA_TYPE) {
+        throw new Error(`Invalid content type: ${contentType}`);
+    }
+    const keysData = new Uint8Array(await response.arrayBuffer());
+    const serverIdentity = await Identity.unmarshalPublicConfig(keysData);
+    return serverIdentity.getPublicKey();
+}
+export function normalizeEncryptedBodyRequestArgs(input, init) {
+    if (typeof input === "string") {
+        return { url: input, init };
+    }
+    if (input instanceof URL) {
+        return { url: input.toString(), init };
+    }
+    const request = input;
+    const cloned = request.clone();
+    const derivedInit = {
+        method: cloned.method,
+        headers: new Headers(cloned.headers),
+        body: cloned.body ?? undefined,
+        signal: cloned.signal,
+    };
+    return {
+        url: cloned.url,
+        init: { ...derivedInit, ...init },
+    };
+}
+export async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL) {
+    const { url: requestUrl, init: requestInit } = normalizeEncryptedBodyRequestArgs(input, init);
+    const u = new URL(requestUrl);
+    const { origin } = u;
+    const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
+    if (!transport) {
+        transport = getTransportForOrigin(origin, keyOrigin);
+    }
+    const transportInstance = await transport;
+    if (hpkePublicKey) {
+        const transportKeyHash = await transportInstance.getServerPublicKeyHex();
+        if (transportKeyHash !== hpkePublicKey) {
+            transport = null;
+            throw new Error(`HPKE public key mismatch. Expected: ${hpkePublicKey}, Got: ${transportKeyHash}`);
+        }
+    }
+    return transportInstance.request(requestUrl, requestInit);
+}
+export function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
+    return (async (input, init) => {
+        const normalized = normalizeEncryptedBodyRequestArgs(input, init);
+        const targetUrl = new URL(normalized.url, baseURL);
+        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, normalized.init, enclaveURL);
+    });
+}
+export function resetTransport() {
+    transport = null;
+}
+async function getTransportForOrigin(origin, keyOrigin) {
+    if (typeof globalThis !== "undefined") {
+        const isSecure = globalThis.isSecureContext !== false;
+        const hasSubtle = !!(globalThis.crypto && globalThis.crypto.subtle);
+        if (!isSecure || !hasSubtle) {
+            const reason = !isSecure
+                ? "insecure context (use HTTPS or localhost)"
+                : "missing WebCrypto SubtleCrypto";
+            throw new Error(`EHBP requires a secure browser context: ${reason}`);
+        }
+    }
+    const clientIdentity = await Identity.generate();
+    const serverPublicKey = await getHPKEKey(keyOrigin);
+    const requestHost = new URL(origin).host;
+    return new Transport(clientIdentity, requestHost, serverPublicKey);
+}

package/dist/esm/env.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Detects if the code is running in a real browser environment.
+ * Returns false for Node.js environments, even with WASM loaded.
+ */
+export declare function isRealBrowser(): boolean;

package/dist/esm/env.js

@@ -0,0 +1,17 @@
+/**
+ * Detects if the code is running in a real browser environment.
+ * Returns false for Node.js environments, even with WASM loaded.
+ */
+export function isRealBrowser() {
+    if (typeof process !== "undefined" &&
+        process.versions &&
+        process.versions.node) {
+        return false;
+    }
+    if (typeof window !== "undefined" && typeof window.document !== "undefined") {
+        if (typeof navigator !== "undefined" && navigator.userAgent) {
+            return true;
+        }
+    }
+    return false;
+}

package/dist/esm/fetch-adapter.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Fetch adapter for Tauri v2
+ *
+ * This module provides a centralized fetch implementation for Tauri v2.
+ * For testing purposes, the fetch function can be overridden by setting
+ * the global __TINFOIL_TEST_FETCH__ property.
+ */
+import { fetch as tauriFetch } from "@tauri-apps/plugin-http";
+declare global {
+    var __TINFOIL_TEST_FETCH__: typeof fetch | undefined;
+}
+/**
+ * Get the fetch implementation to use.
+ * In tests, this can be overridden by setting globalThis.__TINFOIL_TEST_FETCH__
+ */
+export declare function getFetch(): typeof tauriFetch;
+/**
+ * The fetch function to use throughout the application.
+ * Uses Tauri's fetch by default, but can be mocked for testing.
+ */
+export declare const fetch: typeof tauriFetch;