@zeke-02/tinfoil 0.0.5 → 0.0.7

package/dist/esm/verifier.mjs

@@ -2,33 +2,50 @@
  * VERIFIER COMPONENT OVERVIEW
  * ==========================
  *
- * This implementation performs three security checks entirely on the client using
- * a Go WebAssembly module, and exposes a small TypeScript API around it.
+ * This implementation performs end-to-end enclave and code verification entirely on the
+ * client using a Go WebAssembly module, and exposes a small TypeScript API around it.
  *
- * 1) REMOTE ATTESTATION (Enclave Verification)
- *    - Invokes Go WASM `verifyEnclave(host)` against the target enclave hostname
- *    - Verifies vendor certificate chains inside WASM (AMD SEV-SNP / Intel TDX)
- *    - Returns the enclave's runtime measurement and at least one public key (TLS fingerprint and/or HPKE)
- *    - Falls back to TLS-only verification if only TLS key is available (Node.js only)
+ * UNIFIED VERIFICATION FLOW
+ * The primary API is `verify()`, which invokes the Go WASM `verify(enclaveHost, repo)`
+ * function that performs all verification steps atomically:
+ *
+ * 1) DIGEST FETCH
+ *    - Fetches the latest release digest from GitHub
+ *    - Uses Tinfoil GitHub proxy (https://api-github-proxy.tinfoil.sh) to avoid rate limits
  *
  * 2) CODE INTEGRITY (Release Verification)
- *    - Fetches the latest release notes via the Tinfoil GitHub proxy and extracts a digest
- *      (endpoint: https://api-github-proxy.tinfoil.sh)
- *    - Invokes Go WASM `verifyCode(configRepo, digest)` to obtain the expected code measurement
- *    - The Go implementation verifies provenance using Sigstore/Rekor for GitHub Actions builds
+ *    - Verifies code provenance using Sigstore/Rekor for GitHub Actions builds
+ *    - Returns the expected code measurement for the release
+ *
+ * 3) REMOTE ATTESTATION (Enclave Verification)
+ *    - Performs runtime attestation against the target enclave hostname
+ *    - Verifies vendor certificate chains inside WASM (AMD SEV-SNP / Intel TDX)
+ *    - Returns the enclave's runtime measurement and cryptographic keys (TLS fingerprint and HPKE)
  *
- * 3) CODE CONSISTENCY (Measurement Comparison)
- *    - Compares the runtime measurement with the expected code measurement using
- *      platform-aware rules implemented in `compareMeasurements()`
+ * 4) HARDWARE VERIFICATION (for TDX platforms)
+ *    - Fetches and verifies TDX platform measurements if required
+ *    - Validates hardware attestation against expected measurements
+ *
+ * 5) CODE CONSISTENCY (Measurement Comparison)
+ *    - Compares the runtime measurement with the expected code measurement
+ *    - Uses platform-aware comparison rules for different TEE types
+ *
+ * ERROR HANDLING
+ * When verification fails, errors are prefixed with the failing step:
+ * - `fetchDigest:` - Failed to fetch GitHub release digest
+ * - `verifyCode:` - Failed to verify code provenance
+ * - `verifyEnclave:` - Failed runtime attestation
+ * - `verifyHardware:` - Failed TDX hardware verification
+ * - `validateTLS:` - TLS public key validation failed
+ * - `measurements:` - Measurement comparison failed
  *
  * RUNTIME AND DELIVERY
  * - All verification executes locally via WebAssembly (Go → WASM)
  * - WASM loader: `wasm-exec.js`
- * - WASM module URL: https://tinfoilsh.github.io/verifier-js/tinfoil-verifier.wasm
+ * - WASM module URL: https://tinfoilsh.github.io/verifier/tinfoil-verifier.wasm
  * - Works in Node 20+ and modern browsers with lightweight polyfills for
  *   `performance`, `TextEncoder`/`TextDecoder`, and `crypto.getRandomValues`
  * - Go stdout/stderr is suppressed by default; toggle via `suppressWasmLogs()`
- * - Module auto-initializes the WASM runtime on import
  *
  * PROXIES AND TRUST
  * - GitHub proxy is used only to avoid rate limits; the WASM logic independently
@@ -36,19 +53,16 @@
  * - AMD KDS access may be proxied within the WASM for availability; AMD roots are
  *   embedded and the full chain is verified in Go to prevent forgery
  *
- * SUPPORTED PLATFORMS AND PREDICATES
- * - Predicate types supported by this client: SNP/TDX multi-platform v1,
- *   TDX guest v1, SEV-SNP guest v1
- * - See `compareMeasurements()` for exact register mapping rules
+ * SUPPORTED PLATFORMS
+ * - AMD SEV-SNP
+ * - Intel TDX (with hardware platform verification)
+ * - Predicate types: SNP/TDX multi-platform v1, TDX guest v1/v2, SEV-SNP guest v1
  *
  * PUBLIC API (this module)
- * - `new Verifier({ serverURL?, configRepo? })`
- * - `verify()` → full end-to-end verification and attestation response
- * - `verifyEnclave(host?)` → runtime attestation only
- * - `verifyCode(configRepo, digest)` → expected measurement for a specific release
- * - `compareMeasurements(code, runtime)` → predicate-based comparison
- * - `fetchLatestDigest(configRepo?)` → release digest via proxy
- * - `suppressWasmLogs(suppress?)` → control WASM log output
+ * - `new Verifier({ serverURL, configRepo? })`
+ * - `verify()` → Promise<AttestationResponse> - full end-to-end verification returning cryptographic keys and measurement
+ * - `getVerificationDocument()` → VerificationDocument | undefined - detailed step-by-step verification results
+ * - `suppressWasmLogs(suppress?)` → void - control WASM log output
  */
 import { TINFOIL_CONFIG } from "./config.mjs";
 import { getFetch } from "./fetch-adapter.mjs";
@@ -74,114 +88,19 @@ function getTextDecoder() {
 }
 const nodeRequire = createNodeRequire();
 let wasmExecLoader = null;
-// Platform type constants
-// See https://github.com/tinfoilsh/verifier/
-const PLATFORM_TYPES = {
-    SNP_TDX_MULTI_PLATFORM_V1: "https://tinfoil.sh/predicate/snp-tdx-multiplatform/v1",
-    TDX_GUEST_V1: "https://tinfoil.sh/predicate/tdx-guest/v1",
-    TDX_GUEST_V2: "https://tinfoil.sh/predicate/tdx-guest/v2",
-    SEV_GUEST_V1: "https://tinfoil.sh/predicate/sev-snp-guest/v1",
-    SEV_GUEST_V2: "https://tinfoil.sh/predicate/sev-snp-guest/v2",
-    HARDWARE_MEASUREMENTS_V1: "https://tinfoil.sh/predicate/hardware-measurements/v1",
-};
-const MEASUREMENT_ERROR_MESSAGES = {
-    FORMAT_MISMATCH: "attestation format mismatch",
-    MEASUREMENT_MISMATCH: "measurement mismatch",
-    RTMR1_MISMATCH: "RTMR1 mismatch",
-    RTMR2_MISMATCH: "RTMR2 mismatch",
-    FEW_REGISTERS: "fewer registers than expected",
-    MULTI_PLATFORM_MISMATCH: "multi-platform measurement mismatch",
-    MULTI_PLATFORM_SEV_SNP_MISMATCH: "multi-platform SEV-SNP measurement mismatch",
-};
-function registersEqual(a, b) {
-    if (a.length !== b.length) {
-        return false;
-    }
-    return a.every((value, index) => value === b[index]);
-}
-function compareMeasurementsError(codeMeasurement, runtimeMeasurement) {
-    if (codeMeasurement.type === PLATFORM_TYPES.SNP_TDX_MULTI_PLATFORM_V1 &&
-        runtimeMeasurement.type === PLATFORM_TYPES.SNP_TDX_MULTI_PLATFORM_V1) {
-        if (!registersEqual(codeMeasurement.registers, runtimeMeasurement.registers)) {
-            return new Error(MEASUREMENT_ERROR_MESSAGES.MULTI_PLATFORM_MISMATCH);
-        }
-        return null;
-    }
-    if (runtimeMeasurement.type === PLATFORM_TYPES.SNP_TDX_MULTI_PLATFORM_V1) {
-        return compareMeasurementsError(runtimeMeasurement, codeMeasurement);
-    }
-    if (codeMeasurement.type === PLATFORM_TYPES.SNP_TDX_MULTI_PLATFORM_V1) {
-        switch (runtimeMeasurement.type) {
-            case PLATFORM_TYPES.TDX_GUEST_V1:
-            case PLATFORM_TYPES.TDX_GUEST_V2: {
-                if (codeMeasurement.registers.length < 3 ||
-                    runtimeMeasurement.registers.length < 4) {
-                    return new Error(MEASUREMENT_ERROR_MESSAGES.FEW_REGISTERS);
-                }
-                const expectedRtmr1 = codeMeasurement.registers[1];
-                const expectedRtmr2 = codeMeasurement.registers[2];
-                const actualRtmr1 = runtimeMeasurement.registers[2];
-                const actualRtmr2 = runtimeMeasurement.registers[3];
-                if (expectedRtmr1 !== actualRtmr1) {
-                    return new Error(MEASUREMENT_ERROR_MESSAGES.RTMR1_MISMATCH);
-                }
-                if (expectedRtmr2 !== actualRtmr2) {
-                    return new Error(MEASUREMENT_ERROR_MESSAGES.RTMR2_MISMATCH);
-                }
-                return null;
-            }
-            case PLATFORM_TYPES.SEV_GUEST_V1:
-            case PLATFORM_TYPES.SEV_GUEST_V2: {
-                if (codeMeasurement.registers.length < 1 ||
-                    runtimeMeasurement.registers.length < 1) {
-                    return new Error(MEASUREMENT_ERROR_MESSAGES.FEW_REGISTERS);
-                }
-                const expectedSevSnp = codeMeasurement.registers[0];
-                const actualSevSnp = runtimeMeasurement.registers[0];
-                if (expectedSevSnp !== actualSevSnp) {
-                    return new Error(MEASUREMENT_ERROR_MESSAGES.MULTI_PLATFORM_SEV_SNP_MISMATCH);
-                }
-                return null;
-            }
-            default:
-                return new Error(`unsupported enclave platform for multi-platform code measurements: ${runtimeMeasurement.type}`);
-        }
-    }
-    if (codeMeasurement.type !== runtimeMeasurement.type) {
-        return new Error(MEASUREMENT_ERROR_MESSAGES.FORMAT_MISMATCH);
-    }
-    if (!registersEqual(codeMeasurement.registers, runtimeMeasurement.registers)) {
-        return new Error(MEASUREMENT_ERROR_MESSAGES.MEASUREMENT_MISMATCH);
-    }
-    return null;
-}
-export function compareMeasurementsDetailed(codeMeasurement, runtimeMeasurement) {
-    const error = compareMeasurementsError(codeMeasurement, runtimeMeasurement);
-    if (error) {
-        return { match: false, error };
-    }
-    return { match: true };
-}
-/**
- * Compare two measurements according to platform-specific rules
- * This is predicate function for comparing attestation measurements
- * taken from https://github.com/tinfoilsh/verifier/blob/main/attestation/attestation.go
- *
- * @param codeMeasurement - Expected measurement from code attestation
- * @param runtimeMeasurement - Actual measurement from runtime attestation
- * @returns true if measurements match according to platform rules
- */
-export function compareMeasurements(codeMeasurement, runtimeMeasurement) {
-    return compareMeasurementsError(codeMeasurement, runtimeMeasurement) === null;
-}
 /**
  * Verifier performs attestation verification for Tinfoil enclaves
  *
- * The verifier loads a WebAssembly module that:
+ * The verifier loads a WebAssembly module (compiled from Go) that performs
+ * end-to-end attestation verification:
  * 1. Fetches the latest code release digest from GitHub
- * 2. Performs runtime attestation against the enclave
- * 3. Performs code attestation using the digest
- * 4. Compares measurements using platform-specific logic
+ * 2. Verifies code provenance using Sigstore/Rekor
+ * 3. Performs runtime attestation against the enclave
+ * 4. Verifies hardware measurements (for TDX platforms)
+ * 5. Compares code and runtime measurements using platform-specific logic
+ *
+ * Primary method: verify() - Returns AttestationResponse with cryptographic keys
+ * Verification details: getVerificationDocument() - Returns step-by-step results
  */
 export class Verifier {
     constructor(options) {
@@ -250,173 +169,46 @@ export class Verifier {
         }
     }
     /**
-     * Fetch the latest release digest from GitHub
-     * @param configRepo - Repository name (e.g., "tinfoilsh/confidential-model-router")
-     * @returns The digest hash
-     */
-    async fetchLatestDigest(configRepo) {
-        // GitHub Proxy Note:
-        // We use api-github-proxy.tinfoil.sh instead of the direct GitHub API to avoid
-        // rate limiting that could degrade UX. The proxy caches responses while the
-        // integrity of the data is independently verified in `verifyCode` via
-        // Sigstore transparency logs (Rekor). Using the proxy therefore does not
-        // weaken security.
-        const targetRepo = configRepo || this.configRepo;
-        const fetchFn = getFetch();
-        const releaseResponse = await fetchFn(`https://api-github-proxy.tinfoil.sh/repos/${targetRepo}/releases/latest`, {
-            headers: {
-                Accept: "application/vnd.github.v3+json",
-                "User-Agent": "tinfoil-node-client",
-            },
-        });
-        if (!releaseResponse.ok) {
-            throw new Error(`GitHub API request failed: ${releaseResponse.status} ${releaseResponse.statusText}`);
-        }
-        const releaseData = (await releaseResponse.json());
-        // Extract digest from release notes
-        const digestRegex = /Digest: `([a-f0-9]{64})`/;
-        const digestMatch = releaseData.body?.match(digestRegex);
-        if (!digestMatch) {
-            throw new Error("Could not find digest in release notes");
-        }
-        const digest = digestMatch[1];
-        return digest;
-    }
-    /**
-     * Perform runtime attestation on the enclave
-     * @param enclaveHost - The enclave hostname
-     * @returns Attestation response with measurement and keys
-     */
-    async verifyEnclave(enclaveHost) {
-        // Expose errors via explicit Promise rejection and add a timeout
-        return new Promise(async (resolve, reject) => {
-            try {
-                const targetHost = enclaveHost || this.serverURL;
-                if (typeof globalThis.verifyEnclave !== "function") {
-                    reject(new Error("WASM verifyEnclave function not available"));
-                    return;
-                }
-                let attestationResponse;
-                let timeoutHandle;
-                try {
-                    const timeoutPromise = new Promise((_, timeoutReject) => {
-                        timeoutHandle = setTimeout(() => timeoutReject(new Error("WASM verifyEnclave timed out after 10 seconds")), 10000);
-                    });
-                    attestationResponse = await Promise.race([
-                        globalThis.verifyEnclave(targetHost),
-                        timeoutPromise,
-                    ]);
-                    // Clear timeout on success
-                    if (timeoutHandle !== undefined) {
-                        clearTimeout(timeoutHandle);
-                    }
-                }
-                catch (error) {
-                    // Clear timeout on error
-                    if (timeoutHandle !== undefined) {
-                        clearTimeout(timeoutHandle);
-                    }
-                    reject(new Error(`WASM verifyEnclave failed: ${error}`));
-                    return;
-                }
-                // Validate required fields - fail fast with explicit rejection
-                // At least one key must be present (TLS or HPKE)
-                if (!attestationResponse?.tls_public_key &&
-                    !attestationResponse?.hpke_public_key) {
-                    reject(new Error("Missing both tls_public_key and hpke_public_key in attestation response"));
-                    return;
-                }
-                // Parse runtime measurement
-                let parsedRuntimeMeasurement;
-                try {
-                    if (attestationResponse.measurement &&
-                        typeof attestationResponse.measurement === "string") {
-                        parsedRuntimeMeasurement = JSON.parse(attestationResponse.measurement);
-                    }
-                    else if (attestationResponse.measurement &&
-                        typeof attestationResponse.measurement === "object") {
-                        parsedRuntimeMeasurement = attestationResponse.measurement;
-                    }
-                    else {
-                        reject(new Error("Invalid runtime measurement format"));
-                        return;
-                    }
-                }
-                catch (parseError) {
-                    reject(new Error(`Failed to parse runtime measurement: ${parseError}`));
-                    return;
-                }
-                const result = {
-                    measurement: parsedRuntimeMeasurement,
-                };
-                // Include keys if available
-                if (attestationResponse.tls_public_key) {
-                    result.tlsPublicKeyFingerprint = attestationResponse.tls_public_key;
-                }
-                if (attestationResponse.hpke_public_key) {
-                    result.hpkePublicKey = attestationResponse.hpke_public_key;
-                }
-                resolve(result);
-            }
-            catch (outerError) {
-                reject(outerError);
-            }
-        });
-    }
-    /**
-     * Perform code attestation
-     * @param configRepo - Repository name
-     * @param digest - Code digest hash
-     * @returns Code measurement
-     */
-    async verifyCode(configRepo, digest) {
-        if (typeof globalThis.verifyCode !== "function") {
-            throw new Error("WASM verifyCode function not available");
-        }
-        const rawMeasurement = await globalThis.verifyCode(configRepo, digest);
-        const normalizedMeasurement = typeof rawMeasurement === "string"
-            ? (() => {
-                try {
-                    return JSON.parse(rawMeasurement);
-                }
-                catch (error) {
-                    throw new Error(`Invalid code measurement format: ${error.message}`);
-                }
-            })()
-            : rawMeasurement;
-        if (!normalizedMeasurement || typeof normalizedMeasurement !== "object") {
-            throw new Error("Invalid code measurement format");
-        }
-        const measurementObject = normalizedMeasurement;
-        if (typeof measurementObject.type !== "string" ||
-            !Array.isArray(measurementObject.registers)) {
-            throw new Error("Invalid code measurement format");
-        }
-        const parsedCodeMeasurement = {
-            type: measurementObject.type,
-            registers: measurementObject.registers.map((value) => String(value)),
-        };
-        return { measurement: parsedCodeMeasurement };
-    }
-    /**
-     * Perform attestation verification
+     * Perform end-to-end attestation verification
      *
-     * This method:
+     * This method performs all verification steps atomically via the Go WASM verify() function:
      * 1. Fetches the latest code digest from GitHub releases
-     * 2. Calls verifyCode to get the expected measurement for the code
-     * 3. Calls verifyEnclave to get the actual runtime measurement
-     * 4. Compares measurements using platform-specific logic (see `compareMeasurements()`)
-     * 5. Returns the attestation response if verification succeeds
+     * 2. Verifies code provenance using Sigstore/Rekor
+     * 3. Performs runtime attestation against the enclave
+     * 4. Verifies hardware measurements (for TDX platforms)
+     * 5. Compares code and runtime measurements using platform-specific logic
      *
      * The WASM runtime is automatically initialized and cleaned up within this method.
+     * A detailed verification document is saved and can be accessed via getVerificationDocument().
      *
-     * @throws Error if measurements don't match or verification fails
+     * @returns AttestationResponse containing cryptographic keys (TLS/HPKE) and enclave measurement
+     * @throws Error if measurements don't match or verification fails at any step
      */
     async verify() {
         return Verifier.executeWithWasm(async () => {
             return this.verifyInternal();
         });
     }
+    /**
+     * Save a failed verification document
+     */
+    saveFailedVerificationDocument(steps) {
+        this.lastVerificationDocument = {
+            configRepo: this.configRepo,
+            enclaveHost: this.serverURL,
+            releaseDigest: "",
+            codeMeasurement: { type: "", registers: [] },
+            enclaveMeasurement: { measurement: { type: "", registers: [] } },
+            tlsPublicKey: "",
+            hpkePublicKey: "",
+            hardwareMeasurement: undefined,
+            codeFingerprint: "",
+            enclaveFingerprint: "",
+            selectedRouterEndpoint: this.serverURL,
+            securityVerified: false,
+            steps,
+        };
+    }
     /**
      * Internal verification logic that runs within WASM context
      */
@@ -427,96 +219,90 @@ export class Verifier {
             verifyEnclave: { status: "pending" },
             compareMeasurements: { status: "pending" },
         };
-        let releaseDigest;
-        let codeMeasurement;
-        let attestation;
-        try {
-            releaseDigest = await this.fetchLatestDigest(this.configRepo);
-            steps.fetchDigest = { status: "success" };
-        }
-        catch (error) {
-            steps.fetchDigest = { status: "failed", error: error.message };
-            this.lastVerificationDocument = {
-                configRepo: this.configRepo,
-                enclaveHost: this.serverURL,
-                releaseDigest: "",
-                codeMeasurement: { type: "", registers: [] },
-                enclaveMeasurement: { measurement: { type: "", registers: [] } },
-                securityVerified: false,
-                steps,
+        if (typeof globalThis.verify !== "function") {
+            steps.fetchDigest = {
+                status: "failed",
+                error: "WASM verify function not available",
             };
-            throw error;
+            this.saveFailedVerificationDocument(steps);
+            throw new Error("WASM verify function not available");
         }
+        let groundTruth;
         try {
-            const results = await Promise.all([
-                this.verifyCode(this.configRepo, releaseDigest).then((result) => {
-                    steps.verifyCode = { status: "success" };
-                    return result;
-                }, (error) => {
-                    steps.verifyCode = {
-                        status: "failed",
-                        error: error.message,
-                    };
-                    throw error;
-                }),
-                this.verifyEnclave(this.serverURL).then((result) => {
-                    steps.verifyEnclave = { status: "success" };
-                    return result;
-                }, (error) => {
-                    steps.verifyEnclave = {
-                        status: "failed",
-                        error: error.message,
-                    };
-                    throw error;
-                }),
-            ]);
-            codeMeasurement = results[0].measurement;
-            attestation = results[1];
+            const groundTruthJSON = await globalThis.verify(this.serverURL, this.configRepo);
+            groundTruth = JSON.parse(groundTruthJSON);
+            // Mark all steps as successful since WASM verify() succeeded
+            steps.fetchDigest = { status: "success" };
+            steps.verifyCode = { status: "success" };
+            steps.verifyEnclave = { status: "success" };
+            steps.compareMeasurements = { status: "success" };
         }
         catch (error) {
-            this.lastVerificationDocument = {
-                configRepo: this.configRepo,
-                enclaveHost: this.serverURL,
-                releaseDigest: releaseDigest,
-                codeMeasurement: codeMeasurement,
-                enclaveMeasurement: attestation,
-                securityVerified: false,
-                steps,
-            };
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            if (errorMessage.startsWith("fetchDigest:")) {
+                steps.fetchDigest = { status: "failed", error: errorMessage };
+            }
+            else if (errorMessage.startsWith("verifyCode:")) {
+                steps.fetchDigest = { status: "success" };
+                steps.verifyCode = { status: "failed", error: errorMessage };
+            }
+            else if (errorMessage.startsWith("verifyEnclave:")) {
+                steps.fetchDigest = { status: "success" };
+                steps.verifyCode = { status: "success" };
+                steps.verifyEnclave = { status: "failed", error: errorMessage };
+            }
+            else if (errorMessage.startsWith("measurements:")) {
+                steps.fetchDigest = { status: "success" };
+                steps.verifyCode = { status: "success" };
+                steps.verifyEnclave = { status: "success" };
+                steps.compareMeasurements = { status: "failed", error: errorMessage };
+            }
+            else if (errorMessage.startsWith("verifyHardware:") ||
+                errorMessage.startsWith("validateTLS:")) {
+                steps.fetchDigest = { status: "success" };
+                steps.verifyCode = { status: "success" };
+                steps.verifyEnclave = { status: "success" };
+                steps.otherError = { status: "failed", error: errorMessage };
+            }
+            else {
+                steps.otherError = { status: "failed", error: errorMessage };
+            }
+            this.saveFailedVerificationDocument(steps);
             throw error;
         }
-        const measurementsMatchError = compareMeasurementsError(codeMeasurement, attestation.measurement);
-        if (measurementsMatchError) {
-            steps.compareMeasurements = {
-                status: "failed",
-                error: measurementsMatchError.message,
-            };
-            this.lastVerificationDocument = {
-                configRepo: this.configRepo,
-                enclaveHost: this.serverURL,
-                releaseDigest: releaseDigest,
-                codeMeasurement,
-                enclaveMeasurement: attestation,
-                securityVerified: false,
-                steps,
-            };
-            throw new Error(`Verification failed: measurements did not match.\nCode measurement (${codeMeasurement.type}: ${codeMeasurement.registers})\n` +
-                `Runtime measurement (${attestation.measurement.type}: ${attestation.measurement.registers}:)\n ${measurementsMatchError.message}`);
-        }
-        steps.compareMeasurements = { status: "success" };
+        const attestation = {
+            tlsPublicKeyFingerprint: groundTruth.tls_public_key,
+            hpkePublicKey: groundTruth.hpke_public_key,
+            measurement: groundTruth.enclave_measurement,
+        };
         this.lastVerificationDocument = {
             configRepo: this.configRepo,
             enclaveHost: this.serverURL,
-            releaseDigest: releaseDigest,
-            codeMeasurement,
+            releaseDigest: groundTruth.digest,
+            codeMeasurement: groundTruth.code_measurement,
             enclaveMeasurement: attestation,
+            tlsPublicKey: groundTruth.tls_public_key,
+            hpkePublicKey: groundTruth.hpke_public_key,
+            hardwareMeasurement: groundTruth.hardware_measurement,
+            codeFingerprint: groundTruth.code_fingerprint,
+            enclaveFingerprint: groundTruth.enclave_fingerprint,
+            selectedRouterEndpoint: this.serverURL,
             securityVerified: true,
             steps,
         };
         return attestation;
     }
     /**
-     * Returns the full verification document from the last successful verify() call
+     * Returns the verification document from the last verify() call
+     *
+     * The document contains detailed step-by-step verification results including:
+     * - Step status (pending/success/failed) for each verification phase
+     * - Measurements, fingerprints, and cryptographic keys
+     * - Error messages for any failed steps
+     *
+     * Available even if verification failed, allowing inspection of which step failed.
+     *
+     * @returns VerificationDocument with complete verification details, or undefined if verify() hasn't been called
      */
     getVerificationDocument() {
         return this.lastVerificationDocument;
@@ -524,7 +310,7 @@ export class Verifier {
 }
 Verifier.goInstance = null;
 Verifier.initializationPromise = null;
-Verifier.defaultWasmUrl = "https://tinfoilsh.github.io/verifier-js/tinfoil-verifier.wasm";
+Verifier.defaultWasmUrl = "https://tinfoilsh.github.io/verifier/tinfoil-verifier.wasm";
 Verifier.originalFsWriteSync = null;
 Verifier.wasmLogsSuppressed = true;
 Verifier.globalsInitialized = false;
@@ -553,10 +339,12 @@ function shouldAutoInitializeWasm() {
 /**
  * Control WASM log output
  *
- * The Go WASM runtime outputs logs through a polyfilled fs.writeSync.
+ * The Go WASM runtime outputs logs (stdout/stderr) through a polyfilled fs.writeSync.
  * This function allows suppressing those logs without affecting other console output.
+ * By default, WASM logs are suppressed to reduce noise.
  *
  * @param suppress - Whether to suppress WASM logs (default: true)
+ * @returns void
  */
 export function suppressWasmLogs(suppress = true) {
     globalThis.__tinfoilSuppressWasmLogs = suppress;

package/dist/secure-client.js

@@ -85,12 +85,20 @@ class SecureClient {
                     releaseDigest: "",
                     codeMeasurement: { type: "", registers: [] },
                     enclaveMeasurement: { measurement: { type: "", registers: [] } },
+                    tlsPublicKey: "",
+                    hpkePublicKey: "",
+                    hardwareMeasurement: undefined,
+                    codeFingerprint: "",
+                    enclaveFingerprint: "",
+                    selectedRouterEndpoint: new URL(this.enclaveURL).hostname,
                     securityVerified: false,
                     steps: {
                         fetchDigest: { status: "pending" },
                         verifyCode: { status: "pending" },
                         verifyEnclave: { status: "pending" },
                         compareMeasurements: { status: "pending" },
+                        createTransport: undefined,
+                        verifyHPKEKey: undefined,
                         otherError: { status: "failed", error: error.message },
                     },
                 };
@@ -119,6 +127,7 @@ class SecureClient {
             }
             catch (error) {
                 if (this.verificationDocument) {
+                    console.log("secure-client error", error);
                     const errorMessage = error.message;
                     if (errorMessage.includes("HPKE public key mismatch")) {
                         this.verificationDocument.steps.verifyHPKEKey = {