@zeke-02/tinfoil 0.11.7 → 1.1.3

package/dist/ai-sdk-provider.d.ts

@@ -1,12 +1,46 @@
-import { SecureClient } from "./secure-client.js";
-interface CreateTinfoilAIOptions {
+/**
+ * Options for creating a Tinfoil AI SDK provider.
+ */
+export interface CreateTinfoilAIOptions {
+    /**
+     * Override the base URL for API requests.
+     * Useful for proxying requests through your own backend.
+     */
     baseURL?: string;
-    enclaveURL?: string;
+    /** GitHub repo for code verification. */
     configRepo?: string;
+    /** URL to fetch the attestation bundle from. */
+    attestationBundleURL?: string;
 }
-export declare function createTinfoilAI(apiKey: string, options?: CreateTinfoilAIOptions): Promise<{
-    provider: import("@ai-sdk/openai-compatible").OpenAICompatibleProvider<string, string, string, string>;
-    secureClient: SecureClient;
-}>;
-export {};
+/**
+ * Create a Tinfoil provider for the Vercel AI SDK.
+ *
+ * This performs enclave verification and returns an OpenAI-compatible provider
+ * that can be used with Vercel AI SDK functions like `generateText` and `streamText`.
+ *
+ * @param apiKey - Your Tinfoil API key. Falls back to TINFOIL_API_KEY env var if not provided.
+ * @param options - Optional configuration
+ * @returns An AI SDK provider for Tinfoil
+ *
+ * @example
+ * ```typescript
+ * import { createTinfoilAI } from "tinfoil";
+ * import { generateText } from "ai";
+ *
+ * // Uses TINFOIL_API_KEY env var
+ * const tinfoil = await createTinfoilAI();
+ *
+ * // Or pass API key explicitly
+ * const tinfoil = await createTinfoilAI("your-api-key");
+ *
+ * const { text } = await generateText({
+ *   model: tinfoil("llama3-3-70b"),
+ *   prompt: "Hello!",
+ * });
+ * ```
+ *
+ * @see https://docs.tinfoil.sh/sdk/javascript-sdk
+ * @see https://sdk.vercel.ai/ - Vercel AI SDK documentation
+ */
+export declare function createTinfoilAI(apiKey?: string, options?: CreateTinfoilAIOptions): Promise<import("@ai-sdk/openai-compatible").OpenAICompatibleProvider<string, string, string, string>>;
 //# sourceMappingURL=ai-sdk-provider.d.ts.map

package/dist/ai-sdk-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ai-sdk-provider.d.ts","sourceRoot":"","sources":["../src/ai-sdk-provider.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,UAAU,sBAAsB;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,GAAE,sBAA2B;;;GA8BzF"}
+{"version":3,"file":"ai-sdk-provider.d.ts","sourceRoot":"","sources":["../src/ai-sdk-provider.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,yCAAyC;IACzC,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,gDAAgD;IAChD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,GAAE,sBAA2B,yGAwB1F"}

package/dist/ai-sdk-provider.js

@@ -1,30 +1,57 @@
 import { createOpenAICompatible } from "@ai-sdk/openai-compatible";
-import { TINFOIL_CONFIG } from "./config.js";
 import { SecureClient } from "./secure-client.js";
+import { isRealBrowser } from "./env.js";
+import { ConfigurationError } from "./verifier.js";
+/**
+ * Create a Tinfoil provider for the Vercel AI SDK.
+ *
+ * This performs enclave verification and returns an OpenAI-compatible provider
+ * that can be used with Vercel AI SDK functions like `generateText` and `streamText`.
+ *
+ * @param apiKey - Your Tinfoil API key. Falls back to TINFOIL_API_KEY env var if not provided.
+ * @param options - Optional configuration
+ * @returns An AI SDK provider for Tinfoil
+ *
+ * @example
+ * ```typescript
+ * import { createTinfoilAI } from "tinfoil";
+ * import { generateText } from "ai";
+ *
+ * // Uses TINFOIL_API_KEY env var
+ * const tinfoil = await createTinfoilAI();
+ *
+ * // Or pass API key explicitly
+ * const tinfoil = await createTinfoilAI("your-api-key");
+ *
+ * const { text } = await generateText({
+ *   model: tinfoil("llama3-3-70b"),
+ *   prompt: "Hello!",
+ * });
+ * ```
+ *
+ * @see https://docs.tinfoil.sh/sdk/javascript-sdk
+ * @see https://sdk.vercel.ai/ - Vercel AI SDK documentation
+ */
 export async function createTinfoilAI(apiKey, options = {}) {
-    const baseURL = options.baseURL;
-    const enclaveURL = options.enclaveURL;
-    const configRepo = options.configRepo || TINFOIL_CONFIG.INFERENCE_PROXY_REPO;
+    // Resolve API key: use provided value, or fall back to env var (non-browser only)
+    let resolvedApiKey = apiKey;
+    if (!resolvedApiKey && !isRealBrowser() && typeof process !== 'undefined' && process.env.TINFOIL_API_KEY) {
+        resolvedApiKey = process.env.TINFOIL_API_KEY;
+    }
+    if (!resolvedApiKey) {
+        throw new ConfigurationError("API key is required. Provide apiKey parameter or set TINFOIL_API_KEY environment variable.");
+    }
     const secureClient = new SecureClient({
-        baseURL,
-        enclaveURL,
-        configRepo,
+        baseURL: options.baseURL,
+        configRepo: options.configRepo,
+        attestationBundleURL: options.attestationBundleURL,
     });
     await secureClient.ready();
-    // Get the baseURL from SecureClient after initialization
-    const finalBaseURL = baseURL || secureClient.getBaseURL();
-    if (!finalBaseURL) {
-        throw new Error("Unable to determine baseURL for AI SDK provider");
-    }
-    const provider = createOpenAICompatible({
+    return createOpenAICompatible({
         name: "tinfoil",
-        baseURL: finalBaseURL,
-        apiKey: apiKey,
+        baseURL: secureClient.getBaseURL(),
+        apiKey: resolvedApiKey,
         fetch: secureClient.fetch,
     });
-    return {
-        provider,
-        secureClient,
-    };
 }
 //# sourceMappingURL=ai-sdk-provider.js.map

package/dist/ai-sdk-provider.js.map

@@ -1 +1 @@
-{"version":3,"file":"ai-sdk-provider.js","sourceRoot":"","sources":["../src/ai-sdk-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAQlD,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc,EAAE,UAAkC,EAAE;IACxF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAChC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,cAAc,CAAC,oBAAoB,CAAC;IAE7E,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC;QACpC,OAAO;QACP,UAAU;QACV,UAAU;KACX,CAAC,CAAC;IAEH,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC;IAE3B,yDAAyD;IACzD,MAAM,YAAY,GAAG,OAAO,IAAI,YAAY,CAAC,UAAU,EAAE,CAAC;IAC1D,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,QAAQ,GAAG,sBAAsB,CAAC;QACtC,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,MAAM;QACd,KAAK,EAAE,YAAY,CAAC,KAAK;KAC1B,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,YAAY;KACb,CAAC;AACJ,CAAC"}
+{"version":3,"file":"ai-sdk-provider.js","sourceRoot":"","sources":["../src/ai-sdk-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAmBnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAe,EAAE,UAAkC,EAAE;IACzF,kFAAkF;IAClF,IAAI,cAAc,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa,EAAE,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QACzG,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC/C,CAAC;IACD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,kBAAkB,CAAC,4FAA4F,CAAC,CAAC;IAC7H,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC;QACpC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;KACnD,CAAC,CAAC;IAEH,MAAM,YAAY,CAAC,KAAK,EAAE,CAAC;IAE3B,OAAO,sBAAsB,CAAC;QAC5B,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,YAAY,CAAC,UAAU,EAAG;QACnC,MAAM,EAAE,cAAc;QACtB,KAAK,EAAE,YAAY,CAAC,KAAK;KAC1B,CAAC,CAAC;AACL,CAAC"}

package/dist/atc.d.ts

@@ -0,0 +1,23 @@
+import type { AttestationBundle } from "./verifier.js";
+export interface FetchAttestationBundleOptions {
+    atcBaseUrl?: string;
+    enclaveURL?: string;
+    configRepo?: string;
+}
+/**
+ * Fetches a complete attestation bundle from ATC.
+ *
+ * When enclaveURL or configRepo are provided, issues a POST so ATC builds a
+ * bundle for the specified enclave/repo. Otherwise issues a GET for the
+ * default router behaviour.
+ */
+export declare function fetchAttestationBundle(options?: FetchAttestationBundleOptions): Promise<AttestationBundle>;
+/**
+ * Fetches the list of available routers and returns a randomly selected address.
+ *
+ * @param atcBaseUrl - Base URL for the attestation endpoint (defaults to TINFOIL_CONFIG.ATC_BASE_URL)
+ * @returns A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export declare function fetchRouter(atcBaseUrl?: string): Promise<string>;
+//# sourceMappingURL=atc.d.ts.map

package/dist/atc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atc.d.ts","sourceRoot":"","sources":["../src/atc.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGvD,MAAM,WAAW,6BAA6B;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAAC,OAAO,GAAE,6BAAkC,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAkCpH;AAED;;;;;;GAMG;AACH,wBAAsB,WAAW,CAAC,UAAU,GAAE,MAAoC,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBnG"}

package/dist/atc.js

@@ -0,0 +1,59 @@
+import { TINFOIL_CONFIG } from "./config.js";
+import { FetchError } from "./verifier.js";
+/**
+ * Fetches a complete attestation bundle from ATC.
+ *
+ * When enclaveURL or configRepo are provided, issues a POST so ATC builds a
+ * bundle for the specified enclave/repo. Otherwise issues a GET for the
+ * default router behaviour.
+ */
+export async function fetchAttestationBundle(options = {}) {
+    const baseUrl = options.atcBaseUrl ?? TINFOIL_CONFIG.ATC_BASE_URL;
+    const url = `${baseUrl}/attestation`;
+    const usePost = !!(options.enclaveURL || options.configRepo);
+    const response = usePost
+        ? await fetch(url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                enclaveUrl: options.enclaveURL,
+                repo: options.configRepo,
+            }),
+        })
+        : await fetch(url);
+    if (!response.ok) {
+        throw new FetchError(`Failed to fetch attestation bundle from ${baseUrl}: HTTP ${response.status} ${response.statusText}`);
+    }
+    const bundle = await response.json();
+    return {
+        domain: bundle.domain,
+        enclaveAttestationReport: {
+            format: bundle.enclaveAttestationReport.format,
+            body: bundle.enclaveAttestationReport.body,
+        },
+        digest: bundle.digest,
+        sigstoreBundle: bundle.sigstoreBundle,
+        vcek: bundle.vcek,
+        enclaveCert: bundle.enclaveCert,
+    };
+}
+/**
+ * Fetches the list of available routers and returns a randomly selected address.
+ *
+ * @param atcBaseUrl - Base URL for the attestation endpoint (defaults to TINFOIL_CONFIG.ATC_BASE_URL)
+ * @returns A randomly selected router address
+ * @throws Error if no routers are found or if the request fails
+ */
+export async function fetchRouter(atcBaseUrl = TINFOIL_CONFIG.ATC_BASE_URL) {
+    const routersUrl = `${atcBaseUrl}/routers?platform=snp`;
+    const response = await fetch(routersUrl);
+    if (!response.ok) {
+        throw new FetchError(`Failed to fetch router list from ${atcBaseUrl}: HTTP ${response.status} ${response.statusText}`);
+    }
+    const routers = await response.json();
+    if (!Array.isArray(routers) || routers.length === 0) {
+        throw new FetchError("No available routers found in the response");
+    }
+    return routers[Math.floor(Math.random() * routers.length)];
+}
+//# sourceMappingURL=atc.js.map

package/dist/atc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"atc.js","sourceRoot":"","sources":["../src/atc.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAQ3C;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,UAAyC,EAAE;IACtF,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,IAAI,cAAc,CAAC,YAAY,CAAC;IAClE,MAAM,GAAG,GAAG,GAAG,OAAO,cAAc,CAAC;IAErC,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IAE7D,MAAM,QAAQ,GAAG,OAAO;QACtB,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,EAAE;YACf,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,IAAI,EAAE,OAAO,CAAC,UAAU;aACzB,CAAC;SACH,CAAC;QACJ,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAErB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,2CAA2C,OAAO,UAAU,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAC7H,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAErC,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,wBAAwB,EAAE;YACxB,MAAM,EAAE,MAAM,CAAC,wBAAwB,CAAC,MAAM;YAC9C,IAAI,EAAE,MAAM,CAAC,wBAAwB,CAAC,IAAI;SAC3C;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,WAAW,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,aAAqB,cAAc,CAAC,YAAY;IAChF,MAAM,UAAU,GAAG,GAAG,UAAU,uBAAuB,CAAC;IAExD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;IAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,oCAAoC,UAAU,UAAU,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IACzH,CAAC;IAED,MAAM,OAAO,GAAa,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAEhD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,UAAU,CAAC,4CAA4C,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;AAC7D,CAAC"}

package/dist/config.d.ts

@@ -3,12 +3,12 @@
  */
 export declare const TINFOIL_CONFIG: {
     /**
-     * The GitHub repository for code attestation verification
+     * Base URL for the attestation endpoint
      */
-    readonly INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router";
+    readonly ATC_BASE_URL: "https://atc.tinfoil.sh";
     /**
-     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     * The GitHub repository for the router code attestation
      */
-    readonly ATC_API_URL: "https://atc.tinfoil.sh/routers?platform=snp";
+    readonly DEFAULT_ROUTER_REPO: "tinfoilsh/confidential-model-router";
 };
 //# sourceMappingURL=config.d.ts.map

package/dist/config.js

@@ -3,12 +3,12 @@
  */
 export const TINFOIL_CONFIG = {
     /**
-     * The GitHub repository for code attestation verification
+     * Base URL for the attestation endpoint
      */
-    INFERENCE_PROXY_REPO: "tinfoilsh/confidential-model-router",
+    ATC_BASE_URL: "https://atc.tinfoil.sh",
     /**
-     * The ATC (Attestation and Trust Center) API URL for fetching available routers
+     * The GitHub repository for the router code attestation
      */
-    ATC_API_URL: "https://atc.tinfoil.sh/routers?platform=snp",
+    DEFAULT_ROUTER_REPO: "tinfoilsh/confidential-model-router",
 };
 //# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B;;OAEG;IACH,oBAAoB,EAAE,qCAAqC;IAE3D;;OAEG;IACH,WAAW,EAAE,6CAA6C;CAClD,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B;;OAEG;IACH,YAAY,EAAE,wBAAwB;IAEtC;;OAEG;IACH,mBAAmB,EAAE,qCAAqC;CAClD,CAAC"}

package/dist/encrypted-body-fetch.d.ts

@@ -1,5 +1,10 @@
-import type { Transport as EhbpTransport } from "ehbp";
-import { Identity } from "ehbp";
+import { Identity, Transport, type SessionRecoveryToken } from "ehbp";
+export type { SessionRecoveryToken } from "ehbp";
+export { decryptResponseWithToken } from "ehbp";
+export interface SecureTransport {
+    fetch: typeof fetch;
+    getSessionRecoveryToken(): Promise<SessionRecoveryToken>;
+}
 /**
  * Fetch and parse server identity from the HPKE keys endpoint.
  * Returns the server Identity which can be used to create a Transport.
@@ -9,11 +14,21 @@ export declare function normalizeEncryptedBodyRequestArgs(input: RequestInfo | U
     url: string;
     init?: RequestInit;
 };
-export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey?: string, init?: RequestInit, enclaveURL?: string, transportInstance?: EhbpTransport): Promise<Response>;
-type FetchWithResponse = typeof fetch & {
-    Response: typeof Response;
-};
-export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey?: string, enclaveURL?: string): FetchWithResponse;
-export declare function getTransportForOrigin(origin: string, keyOrigin: string): Promise<EhbpTransport>;
-export {};
+export declare function encryptedBodyRequest(input: RequestInfo | URL, hpkePublicKey: string, init?: RequestInit, transportInstance?: Transport): Promise<Response>;
+export declare function createEncryptedBodyFetch(baseURL: string, hpkePublicKey: string, enclaveURL?: string): SecureTransport;
+/**
+ * WARNING: THIS FUNCTION IS INSECURE.
+ *
+ * Creates an encrypted body fetch that fetches the HPKE key from the server without
+ * attestation verification. This is vulnerable to man-in-the-middle attacks where
+ * a malicious server could provide its own key.
+ *
+ * This function is useful for testing the EHBP protocol against a local development
+ * server that doesn't have attestation set up. For production, use createEncryptedBodyFetch
+ * with a key obtained through attestation verification.
+ *
+ * @param baseURL - Base URL for API requests
+ * @param keyOrigin - Origin URL for fetching the HPKE public key. If not provided, derived from baseURL.
+ */
+export declare function createUnverifiedEncryptedBodyFetch(baseURL: string, keyOrigin?: string): SecureTransport;
 //# sourceMappingURL=encrypted-body-fetch.d.ts.map

package/dist/encrypted-body-fetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypted-body-fetch.d.ts","sourceRoot":"","sources":["../src/encrypted-body-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAuB,MAAM,MAAM,CAAC;AAGrD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAsB7E;AAED,wBAAgB,iCAAiC,CAC/C,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,WAAW,CAAA;CAAE,CAuBrC;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,aAAa,CAAC,EAAE,MAAM,EACtB,IAAI,CAAC,EAAE,WAAW,EAClB,UAAU,CAAC,EAAE,MAAM,EACnB,iBAAiB,CAAC,EAAE,aAAa,GAChC,OAAO,CAAC,QAAQ,CAAC,CA2BnB;AAGD,KAAK,iBAAiB,GAAG,OAAO,KAAK,GAAG;IAAE,QAAQ,EAAE,OAAO,QAAQ,CAAA;CAAE,CAAC;AAItE,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,aAAa,CAAC,EAAE,MAAM,EACtB,UAAU,CAAC,EAAE,MAAM,GAClB,iBAAiB,CA4CnB;AAED,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CAiBxB"}
+{"version":3,"file":"encrypted-body-fetch.d.ts","sourceRoot":"","sources":["../src/encrypted-body-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAY,KAAK,oBAAoB,EAAE,MAAM,MAAM,CAAC;AAGhF,YAAY,EAAE,oBAAoB,EAAE,MAAM,MAAM,CAAC;AACjD,OAAO,EAAE,wBAAwB,EAAE,MAAM,MAAM,CAAC;AAEhD,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,OAAO,KAAK,CAAC;IACpB,uBAAuB,IAAI,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAC1D;AAUD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAoB7E;AAED,wBAAgB,iCAAiC,CAC/C,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,WAAW,CAAA;CAAE,CAuBrC;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,aAAa,EAAE,MAAM,EACrB,IAAI,CAAC,EAAE,WAAW,EAClB,iBAAiB,CAAC,EAAE,SAAS,GAC5B,OAAO,CAAC,QAAQ,CAAC,CAgBnB;AAID,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,eAAe,CAoCrH;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kCAAkC,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,eAAe,CA2CvG"}

package/dist/encrypted-body-fetch.js

@@ -1,21 +1,29 @@
 import { Identity, Transport, PROTOCOL } from "ehbp";
-import { fetch as tauriFetch } from "@tauri-apps/plugin-http";
+import { ConfigurationError, FetchError } from "./verifier.js";
+export { decryptResponseWithToken } from "ehbp";
+/**
+ * Create an Identity from a raw public key hex string.
+ * This avoids fetching from the server when the key is already known.
+ */
+async function createIdentityFromPublicKeyHex(publicKeyHex) {
+    return Identity.fromPublicKeyHex(publicKeyHex);
+}
 /**
  * Fetch and parse server identity from the HPKE keys endpoint.
  * Returns the server Identity which can be used to create a Transport.
  */
 export async function getServerIdentity(enclaveURL) {
     const keysURL = new URL(PROTOCOL.KEYS_PATH, enclaveURL);
-    if (keysURL.protocol !== "https:") {
-        throw new Error(`HTTPS is required for remote key retrieval. Invalid protocol: ${keysURL.protocol}`);
+    if (keysURL.protocol !== 'https:') {
+        throw new ConfigurationError(`HTTPS is required for key retrieval. Got ${keysURL.protocol}`);
     }
-    const response = await tauriFetch(keysURL.toString());
+    const response = await fetch(keysURL.toString());
     if (!response.ok) {
-        throw new Error(`Failed to get server public key: ${response.status}`);
+        throw new FetchError(`Failed to fetch HPKE public key from enclave: HTTP ${response.status}`);
     }
-    const contentType = response.headers.get("content-type");
+    const contentType = response.headers.get('content-type');
     if (contentType !== PROTOCOL.KEYS_MEDIA_TYPE) {
-        throw new Error(`Invalid content type: ${contentType}`);
+        throw new FetchError(`Invalid response from HPKE key endpoint: Expected content-type "${PROTOCOL.KEYS_MEDIA_TYPE}", got "${contentType}"`);
     }
     const keysData = new Uint8Array(await response.arrayBuffer());
     return await Identity.unmarshalPublicConfig(keysData);
@@ -40,74 +48,107 @@ export function normalizeEncryptedBodyRequestArgs(input, init) {
         init: { ...derivedInit, ...init },
     };
 }
-export async function encryptedBodyRequest(input, hpkePublicKey, init, enclaveURL, transportInstance) {
+export async function encryptedBodyRequest(input, hpkePublicKey, init, transportInstance) {
     const { url: requestUrl, init: requestInit } = normalizeEncryptedBodyRequestArgs(input, init);
     let actualTransport;
     if (transportInstance) {
-        // Use provided transport instance
         actualTransport = transportInstance;
     }
     else {
-        // Create a new transport for this request
         const u = new URL(requestUrl);
-        const { origin } = u;
-        const keyOrigin = enclaveURL ? new URL(enclaveURL).origin : origin;
-        actualTransport = await getTransportForOrigin(origin, keyOrigin);
-    }
-    if (hpkePublicKey) {
-        const transportKeyHash = await actualTransport.getServerPublicKeyHex();
-        if (transportKeyHash !== hpkePublicKey) {
-            throw new Error(`HPKE public key mismatch. Expected: ${hpkePublicKey}, Got: ${transportKeyHash}`);
-        }
+        actualTransport = await getTransportForOrigin(u.origin, hpkePublicKey);
     }
     return actualTransport.request(requestUrl, requestInit);
 }
-const ENCLAVE_URL_HEADER = "X-Tinfoil-Enclave-Url";
+const ENCLAVE_URL_HEADER = 'X-Tinfoil-Enclave-Url';
 export function createEncryptedBodyFetch(baseURL, hpkePublicKey, enclaveURL) {
-    // Create a dedicated transport instance for this fetch function
+    const baseOrigin = new URL(baseURL).origin;
+    const needsEnclaveHeader = !!enclaveURL && new URL(enclaveURL).origin !== baseOrigin;
     let transportPromise = null;
-    const getOrCreateTransport = async () => {
+    const getOrCreateTransport = () => {
         if (!transportPromise) {
-            const baseUrl = new URL(baseURL);
-            const keyOrigin = enclaveURL
-                ? new URL(enclaveURL).origin
-                : baseUrl.origin;
-            transportPromise = getTransportForOrigin(baseUrl.origin, keyOrigin);
+            transportPromise = getTransportForOrigin(baseOrigin, hpkePublicKey);
         }
         return transportPromise;
     };
-    const secureFetch = (async (input, init) => {
-        const normalized = normalizeEncryptedBodyRequestArgs(input, init);
-        const targetUrl = new URL(normalized.url, baseURL);
-        // Add the enclave URL header so proxies know where to forward requests
-        // Only set if enclaveURL differs from baseURL (avoids CORS issues when hitting enclave directly)
-        const headers = new Headers(normalized.init?.headers);
-        if (enclaveURL && new URL(enclaveURL).origin !== new URL(baseURL).origin) {
-            headers.set(ENCLAVE_URL_HEADER, enclaveURL);
-        }
-        const initWithEnclaveHeader = { ...normalized.init, headers };
-        // Get the dedicated transport instance for this fetch function
-        const transportInstance = await getOrCreateTransport();
-        return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, initWithEnclaveHeader, enclaveURL, transportInstance);
-    });
-    // Expose Response constructor for OpenAI SDK's FormData support detection
-    // This prevents the SDK from making a test request to 'data:,' which would fail through EHBP
-    secureFetch.Response = Response;
-    return secureFetch;
+    return {
+        fetch: async (input, init) => {
+            const normalized = normalizeEncryptedBodyRequestArgs(input, init);
+            const targetUrl = new URL(normalized.url, baseURL);
+            const headers = new Headers(normalized.init?.headers);
+            if (needsEnclaveHeader) {
+                headers.set(ENCLAVE_URL_HEADER, enclaveURL);
+            }
+            const initWithHeader = { ...normalized.init, headers };
+            const transportInstance = await getOrCreateTransport();
+            return encryptedBodyRequest(targetUrl.toString(), hpkePublicKey, initWithHeader, transportInstance);
+        },
+        async getSessionRecoveryToken() {
+            if (!transportPromise) {
+                throw new Error('No session recovery token available — no request has been made yet');
+            }
+            const transport = await transportPromise;
+            return transport.getSessionRecoveryToken();
+        },
+    };
 }
-export async function getTransportForOrigin(origin, keyOrigin) {
-    if (typeof globalThis !== "undefined") {
-        const isSecure = globalThis.isSecureContext !== false;
-        const hasSubtle = !!(globalThis.crypto && globalThis.crypto.subtle);
-        if (!isSecure || !hasSubtle) {
-            const reason = !isSecure
-                ? "insecure context (use HTTPS or localhost)"
-                : "missing WebCrypto SubtleCrypto";
-            throw new Error(`EHBP requires a secure browser context: ${reason}`);
+/**
+ * WARNING: THIS FUNCTION IS INSECURE.
+ *
+ * Creates an encrypted body fetch that fetches the HPKE key from the server without
+ * attestation verification. This is vulnerable to man-in-the-middle attacks where
+ * a malicious server could provide its own key.
+ *
+ * This function is useful for testing the EHBP protocol against a local development
+ * server that doesn't have attestation set up. For production, use createEncryptedBodyFetch
+ * with a key obtained through attestation verification.
+ *
+ * @param baseURL - Base URL for API requests
+ * @param keyOrigin - Origin URL for fetching the HPKE public key. If not provided, derived from baseURL.
+ */
+export function createUnverifiedEncryptedBodyFetch(baseURL, keyOrigin) {
+    console.warn("[tinfoil] WARNING: createUnverifiedEncryptedBodyFetch is insecure. " +
+        "The HPKE key is fetched from the server without attestation verification. " +
+        "Only use for local development and testing of the EHBP protocol.");
+    const baseOrigin = new URL(baseURL).origin;
+    const resolvedKeyOrigin = keyOrigin ? new URL(keyOrigin).origin : baseOrigin;
+    const needsEnclaveHeader = !!keyOrigin && resolvedKeyOrigin !== baseOrigin;
+    let transportPromise = null;
+    const getOrCreateTransport = async () => {
+        if (!transportPromise) {
+            transportPromise = getUnverifiedTransportForOrigin(baseOrigin, resolvedKeyOrigin);
         }
-    }
+        return transportPromise;
+    };
+    return {
+        fetch: async (input, init) => {
+            const normalized = normalizeEncryptedBodyRequestArgs(input, init);
+            const targetUrl = new URL(normalized.url, baseURL);
+            const headers = new Headers(normalized.init?.headers);
+            if (needsEnclaveHeader) {
+                headers.set(ENCLAVE_URL_HEADER, keyOrigin);
+            }
+            const initWithEnclaveHeader = { ...normalized.init, headers };
+            const transportInstance = await getOrCreateTransport();
+            return transportInstance.request(targetUrl.toString(), initWithEnclaveHeader);
+        },
+        async getSessionRecoveryToken() {
+            if (!transportPromise) {
+                throw new Error('No session recovery token available — no request has been made yet');
+            }
+            const transport = await transportPromise;
+            return transport.getSessionRecoveryToken();
+        },
+    };
+}
+async function getUnverifiedTransportForOrigin(origin, keyOrigin) {
     const serverIdentity = await getServerIdentity(keyOrigin);
     const requestHost = new URL(origin).host;
     return new Transport(serverIdentity, requestHost);
 }
+async function getTransportForOrigin(origin, hpkePublicKeyHex) {
+    const serverIdentity = await createIdentityFromPublicKeyHex(hpkePublicKeyHex);
+    const requestHost = new URL(origin).host;
+    return new Transport(serverIdentity, requestHost);
+}
 //# sourceMappingURL=encrypted-body-fetch.js.map

package/dist/encrypted-body-fetch.js.map

@@ -1 +1 @@
-{"version":3,"file":"encrypted-body-fetch.js","sourceRoot":"","sources":["../src/encrypted-body-fetch.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,MAAM,CAAC;AACrD,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAE9D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,UAAkB;IACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAExD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,iEAAiE,OAAO,CAAC,QAAQ,EAAE,CACpF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEtD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACzD,IAAI,WAAW,KAAK,QAAQ,CAAC,eAAe,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9D,OAAO,MAAM,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,KAAwB,EACxB,IAAkB;IAElB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;QACzB,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,OAAO,GAAG,KAAgB,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAE/B,MAAM,WAAW,GAAgB;QAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,IAAI,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC;QACpC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,SAAS;QAC9B,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IAEF,OAAO;QACL,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,IAAI,EAAE,EAAE,GAAG,WAAW,EAAE,GAAG,IAAI,EAAE;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,KAAwB,EACxB,aAAsB,EACtB,IAAkB,EAClB,UAAmB,EACnB,iBAAiC;IAEjC,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,WAAW,EAAE,GAC1C,iCAAiC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAEjD,IAAI,eAA8B,CAAC;IAEnC,IAAI,iBAAiB,EAAE,CAAC;QACtB,kCAAkC;QAClC,eAAe,GAAG,iBAAiB,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,0CAA0C;QAC1C,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QAC9B,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;QACrB,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;QACnE,eAAe,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC,qBAAqB,EAAE,CAAC;QACvE,IAAI,gBAAgB,KAAK,aAAa,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,uCAAuC,aAAa,UAAU,gBAAgB,EAAE,CACjF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC;AAKD,MAAM,kBAAkB,GAAG,uBAAuB,CAAC;AAEnD,MAAM,UAAU,wBAAwB,CACtC,OAAe,EACf,aAAsB,EACtB,UAAmB;IAEnB,gEAAgE;IAChE,IAAI,gBAAgB,GAAkC,IAAI,CAAC;IAE3D,MAAM,oBAAoB,GAAG,KAAK,IAA4B,EAAE;QAC9D,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;YACjC,MAAM,SAAS,GAAG,UAAU;gBAC1B,CAAC,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM;gBAC5B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;YACnB,gBAAgB,GAAG,qBAAqB,CAAC,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,gBAAgB,CAAC;IAC1B,CAAC,CAAC;IAEF,MAAM,WAAW,GAAG,CAAC,KAAK,EAAE,KAAwB,EAAE,IAAkB,EAAE,EAAE;QAC1E,MAAM,UAAU,GAAG,iCAAiC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAClE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAEnD,uEAAuE;QACvE,iGAAiG;QACjG,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACtD,IAAI,UAAU,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;YACzE,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC;QAC9C,CAAC;QACD,MAAM,qBAAqB,GAAG,EAAE,GAAG,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;QAE9D,+DAA+D;QAC/D,MAAM,iBAAiB,GAAG,MAAM,oBAAoB,EAAE,CAAC;QAEvD,OAAO,oBAAoB,CACzB,SAAS,CAAC,QAAQ,EAAE,EACpB,aAAa,EACb,qBAAqB,EACrB,UAAU,EACV,iBAAiB,CAClB,CAAC;IACJ,CAAC,CAAsB,CAAC;IAExB,0EAA0E;IAC1E,6FAA6F;IAC7F,WAAW,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAEhC,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAc,EACd,SAAiB;IAEjB,IAAI,OAAO,UAAU,KAAK,WAAW,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAI,UAAkB,CAAC,eAAe,KAAK,KAAK,CAAC;QAC/D,MAAM,SAAS,GAAG,CAAC,CAAC,CAClB,UAAU,CAAC,MAAM,IAAK,UAAU,CAAC,MAAiB,CAAC,MAAM,CAC1D,CAAC;QACF,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,CAAC,QAAQ;gBACtB,CAAC,CAAC,2CAA2C;gBAC7C,CAAC,CAAC,gCAAgC,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,2CAA2C,MAAM,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;IACzC,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AACpD,CAAC"}
+{"version":3,"file":"encrypted-body-fetch.js","sourceRoot":"","sources":["../src/encrypted-body-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAA6B,MAAM,MAAM,CAAC;AAChF,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAG/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,MAAM,CAAC;AAOhD;;;GAGG;AACH,KAAK,UAAU,8BAA8B,CAAC,YAAoB;IAChE,OAAO,QAAQ,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACjD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,UAAkB;IACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAExD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,kBAAkB,CAAC,4CAA4C,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEjD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,sDAAsD,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACzD,IAAI,WAAW,KAAK,QAAQ,CAAC,eAAe,EAAE,CAAC;QAC7C,MAAM,IAAI,UAAU,CAAC,mEAAmE,QAAQ,CAAC,eAAe,WAAW,WAAW,GAAG,CAAC,CAAC;IAC7I,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9D,OAAO,MAAM,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,KAAwB,EACxB,IAAkB;IAElB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;QACzB,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,OAAO,GAAG,KAAgB,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAE/B,MAAM,WAAW,GAAgB;QAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,OAAO,EAAE,IAAI,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC;QACpC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,SAAS;QAC9B,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IAEF,OAAO;QACL,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,IAAI,EAAE,EAAE,GAAG,WAAW,EAAE,GAAG,IAAI,EAAE;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,KAAwB,EACxB,aAAqB,EACrB,IAAkB,EAClB,iBAA6B;IAE7B,MAAM,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,iCAAiC,CAC9E,KAAK,EACL,IAAI,CACL,CAAC;IAEF,IAAI,eAA0B,CAAC;IAE/B,IAAI,iBAAiB,EAAE,CAAC;QACtB,eAAe,GAAG,iBAAiB,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QAC9B,eAAe,GAAG,MAAM,qBAAqB,CAAC,CAAC,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACzE,CAAC;IAED,OAAO,eAAe,CAAC,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,kBAAkB,GAAG,uBAAuB,CAAC;AAEnD,MAAM,UAAU,wBAAwB,CAAC,OAAe,EAAE,aAAqB,EAAE,UAAmB;IAClG,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,MAAM,kBAAkB,GAAG,CAAC,CAAC,UAAU,IAAI,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC;IAErF,IAAI,gBAAgB,GAA8B,IAAI,CAAC;IAEvD,MAAM,oBAAoB,GAAG,GAAuB,EAAE;QACpD,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,gBAAgB,GAAG,qBAAqB,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,gBAAgB,CAAC;IAC1B,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,EAAE,KAAK,EAAE,KAAwB,EAAE,IAAkB,EAAE,EAAE;YAC5D,MAAM,UAAU,GAAG,iCAAiC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAClE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAEnD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACtD,IAAI,kBAAkB,EAAE,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,UAAW,CAAC,CAAC;YAC/C,CAAC;YACD,MAAM,cAAc,GAAG,EAAE,GAAG,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;YAEvD,MAAM,iBAAiB,GAAG,MAAM,oBAAoB,EAAE,CAAC;YACvD,OAAO,oBAAoB,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,aAAa,EAAE,cAAc,EAAE,iBAAiB,CAAC,CAAC;QACtG,CAAC;QAED,KAAK,CAAC,uBAAuB;YAC3B,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;YACxF,CAAC;YACD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC;YACzC,OAAO,SAAS,CAAC,uBAAuB,EAAE,CAAC;QAC7C,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,kCAAkC,CAAC,OAAe,EAAE,SAAkB;IACpF,OAAO,CAAC,IAAI,CACV,qEAAqE;QACrE,4EAA4E;QAC5E,kEAAkE,CACnE,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;IAC3C,MAAM,iBAAiB,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;IAC7E,MAAM,kBAAkB,GAAG,CAAC,CAAC,SAAS,IAAI,iBAAiB,KAAK,UAAU,CAAC;IAE3E,IAAI,gBAAgB,GAA8B,IAAI,CAAC;IAEvD,MAAM,oBAAoB,GAAG,KAAK,IAAwB,EAAE;QAC1D,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,gBAAgB,GAAG,+BAA+B,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;QACpF,CAAC;QACD,OAAO,gBAAgB,CAAC;IAC1B,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,EAAE,KAAK,EAAE,KAAwB,EAAE,IAAkB,EAAE,EAAE;YAC5D,MAAM,UAAU,GAAG,iCAAiC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAClE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAEnD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACtD,IAAI,kBAAkB,EAAE,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,SAAU,CAAC,CAAC;YAC9C,CAAC;YACD,MAAM,qBAAqB,GAAG,EAAE,GAAG,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;YAE9D,MAAM,iBAAiB,GAAG,MAAM,oBAAoB,EAAE,CAAC;YACvD,OAAO,iBAAiB,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,qBAAqB,CAAC,CAAC;QAChF,CAAC;QAED,KAAK,CAAC,uBAAuB;YAC3B,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;YACxF,CAAC;YACD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC;YACzC,OAAO,SAAS,CAAC,uBAAuB,EAAE,CAAC;QAC7C,CAAC;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,+BAA+B,CAAC,MAAc,EAAE,SAAiB;IAC9E,MAAM,cAAc,GAAG,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;IACzC,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AACpD,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,MAAc,EAAE,gBAAwB;IAC3E,MAAM,cAAc,GAAG,MAAM,8BAA8B,CAAC,gBAAgB,CAAC,CAAC;IAC9E,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC;IACzC,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AACpD,CAAC"}

package/dist/env.d.ts

@@ -1,6 +1,8 @@
+export declare function isBun(): boolean;
 /**
  * Detects if the code is running in a real browser environment.
- * Returns false for Node.js environments, even with WASM loaded.
+ * Returns false for server-side runtimes (Node.js, Bun, Deno, edge runtimes).
+ * Only returns true when we can positively identify a browser environment.
  */
 export declare function isRealBrowser(): boolean;
 //# sourceMappingURL=env.d.ts.map

package/dist/env.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAgBvC"}
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA,wBAAgB,KAAK,IAAI,OAAO,CAI/B;AAED;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAuCvC"}

package/dist/env.js

@@ -1,18 +1,43 @@
+export function isBun() {
+    return typeof process !== "undefined" &&
+        !!process.versions &&
+        !!process.versions.bun;
+}
 /**
  * Detects if the code is running in a real browser environment.
- * Returns false for Node.js environments, even with WASM loaded.
+ * Returns false for server-side runtimes (Node.js, Bun, Deno, edge runtimes).
+ * Only returns true when we can positively identify a browser environment.
  */
 export function isRealBrowser() {
+    // Check for Node.js
     if (typeof process !== "undefined" &&
         process.versions &&
         process.versions.node) {
         return false;
     }
+    // Check for Bun
+    if (isBun()) {
+        return false;
+    }
+    // Check for Deno
+    if (typeof globalThis.Deno !== "undefined") {
+        return false;
+    }
+    // Check for Cloudflare Workers (has 'Cloudflare-Workers' userAgent when global_navigator flag is set)
+    if (typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers") {
+        return false;
+    }
+    // Check for Cloudflare Workers via caches.default (alternative detection)
+    if (typeof caches !== "undefined" && caches.default !== undefined) {
+        return false;
+    }
+    // Check for real browser: must have window, document, and a real userAgent
     if (typeof window !== "undefined" && typeof window.document !== "undefined") {
         if (typeof navigator !== "undefined" && navigator.userAgent) {
             return true;
         }
     }
+    // Unknown runtime - treat as server-side (safer default)
     return false;
 }
 //# sourceMappingURL=env.js.map