@zeke-02/tinfoil 0.0.2

package/dist/verifier.d.ts

@@ -0,0 +1,141 @@
+/**
+ * Attestation measurement containing platform type and register values
+ */
+export interface AttestationMeasurement {
+    type: string;
+    registers: string[];
+}
+/**
+ * Attestation response containing cryptographic keys and measurements
+ * At least one of tlsPublicKeyFingerprint or hpkePublicKey must be present
+ */
+export interface AttestationResponse {
+    tlsPublicKeyFingerprint?: string;
+    hpkePublicKey?: string;
+    measurement: AttestationMeasurement;
+}
+/**
+ * State of an intermediate verification step
+ */
+export interface VerificationStepState {
+    status: "pending" | "success" | "failed";
+    error?: string;
+}
+/**
+ * Full verification document produced by a verify() call
+ * Includes state tracking for all intermediate steps
+ */
+export interface VerificationDocument {
+    configRepo: string;
+    enclaveHost: string;
+    releaseDigest: string;
+    codeMeasurement: AttestationMeasurement;
+    enclaveMeasurement: AttestationResponse;
+    securityVerified: boolean;
+    steps: {
+        fetchDigest: VerificationStepState;
+        verifyCode: VerificationStepState;
+        verifyEnclave: VerificationStepState;
+        compareMeasurements: VerificationStepState;
+        createTransport?: VerificationStepState;
+        verifyHPKEKey?: VerificationStepState;
+        otherError?: VerificationStepState;
+    };
+}
+export interface MeasurementComparisonResult {
+    match: boolean;
+    error?: Error;
+}
+export declare function compareMeasurementsDetailed(codeMeasurement: AttestationMeasurement, runtimeMeasurement: AttestationMeasurement): MeasurementComparisonResult;
+/**
+ * Compare two measurements according to platform-specific rules
+ * This is predicate function for comparing attestation measurements
+ * taken from https://github.com/tinfoilsh/verifier/blob/main/attestation/attestation.go
+ *
+ * @param codeMeasurement - Expected measurement from code attestation
+ * @param runtimeMeasurement - Actual measurement from runtime attestation
+ * @returns true if measurements match according to platform rules
+ */
+export declare function compareMeasurements(codeMeasurement: AttestationMeasurement, runtimeMeasurement: AttestationMeasurement): boolean;
+/**
+ * Verifier performs attestation verification for Tinfoil enclaves
+ *
+ * The verifier loads a WebAssembly module that:
+ * 1. Fetches the latest code release digest from GitHub
+ * 2. Performs runtime attestation against the enclave
+ * 3. Performs code attestation using the digest
+ * 4. Compares measurements using platform-specific logic
+ */
+export declare class Verifier {
+    private static goInstance;
+    private static initializationPromise;
+    private static readonly defaultWasmUrl;
+    static originalFsWriteSync: ((fd: number, buf: Uint8Array) => number) | null;
+    static wasmLogsSuppressed: boolean;
+    static globalsInitialized: boolean;
+    private lastVerificationDocument?;
+    protected readonly serverURL: string;
+    protected readonly configRepo: string;
+    constructor(options?: {
+        serverURL?: string;
+        configRepo?: string;
+    });
+    /**
+     * Execute a function with a fresh WASM instance that auto-cleans up
+     * This ensures Go runtime doesn't keep the process alive
+     */
+    private static executeWithWasm;
+    /**
+     * Fetch the latest release digest from GitHub
+     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-inference-proxy")
+     * @returns The digest hash
+     */
+    fetchLatestDigest(configRepo?: string): Promise<string>;
+    /**
+     * Perform runtime attestation on the enclave
+     * @param enclaveHost - The enclave hostname
+     * @returns Attestation response with measurement and keys
+     */
+    verifyEnclave(enclaveHost?: string): Promise<AttestationResponse>;
+    /**
+     * Perform code attestation
+     * @param configRepo - Repository name
+     * @param digest - Code digest hash
+     * @returns Code measurement
+     */
+    verifyCode(configRepo: string, digest: string): Promise<{
+        measurement: AttestationMeasurement;
+    }>;
+    /**
+     * Perform attestation verification
+     *
+     * This method:
+     * 1. Fetches the latest code digest from GitHub releases
+     * 2. Calls verifyCode to get the expected measurement for the code
+     * 3. Calls verifyEnclave to get the actual runtime measurement
+     * 4. Compares measurements using platform-specific logic (see `compareMeasurements()`)
+     * 5. Returns the attestation response if verification succeeds
+     *
+     * The WASM runtime is automatically initialized and cleaned up within this method.
+     *
+     * @throws Error if measurements don't match or verification fails
+     */
+    verify(): Promise<AttestationResponse>;
+    /**
+     * Internal verification logic that runs within WASM context
+     */
+    private verifyInternal;
+    /**
+     * Returns the full verification document from the last successful verify() call
+     */
+    getVerificationDocument(): VerificationDocument | undefined;
+}
+/**
+ * Control WASM log output
+ *
+ * The Go WASM runtime outputs logs through a polyfilled fs.writeSync.
+ * This function allows suppressing those logs without affecting other console output.
+ *
+ * @param suppress - Whether to suppress WASM logs (default: true)
+ */
+export declare function suppressWasmLogs(suppress?: boolean): void;