node-tpm2 0.0.2 → 0.0.4-beta.0

package/README.md

@@ -1,13 +1,12 @@
 # node-tpm2
 
-Native TPM 2.0 for Node. Zero tooling, no admin.
+Native TPM 2.0 for Node. Zero tooling at install time — prebuilt napi-rs binaries, no tpm2-tss, no tpm2-tools.
 
-- Windows via TBS, Linux via `/dev/tpmrm0`.
-- Direct TBS command marshalling — no tpm2-tss, no tpm2-tools at install or runtime.
-- Ships as prebuilt native binaries via napi-rs platform packages.
-
-> **Status: pre-release.** `Tpm.isAvailable()` and `Tpm.info()` work on Windows and Linux.
-> `Tpm.open()` and attestation methods are not implemented yet.
+| Platform | Backend | Attestation key |
+|----------|---------|-----------------|
+| Linux | `/dev/tpmrm0` | ECDSA P-256 wrapped blob |
+| Windows | TBS + NCrypt PCP | RSA-2048 persisted PCP key |
+| macOS | — | Not supported (returns unavailable) |
 
 ## Install
 
@@ -15,34 +14,61 @@ Native TPM 2.0 for Node. Zero tooling, no admin.
 npm install node-tpm2
 ```
 
-npm resolves exactly one prebuilt native binary from `optionalDependencies` — no build step,
-no tpm2-tools, no Rust. Requires platform packages published for your OS/arch.
+Requires Node 20+. Resolves a prebuilt `.node` binary for your OS/arch via optional platform packages.
+
+## Quick start
+
+```javascript
+import { Tpm } from 'node-tpm2';
+
+if (!(await Tpm.isAvailable())) throw new Error('no TPM');
+
+const { akBlob } = await Tpm.provisionAk();
+const quote = await Tpm.quote({
+  akBlob,
+  pcrSelection: [0, 1, 7],
+  qualifyingData: Buffer.from('challenge-bytes'),
+});
+```
+
+See [docs/getting-started.md](./docs/getting-started.md) for API details and [docs/windows-pcp.md](./docs/windows-pcp.md) for Windows machine-scoped keys (privileged install → unprivileged quote).
+
+## Validate install (clean machine)
 
-## Development
+After `npm install`, run the npm smoke test — **not** the Rust probe:
+
+```bash
+node node_modules/node-tpm2/examples/smoke-test.mjs runtime
+```
+
+Windows fleet path (Admin/SYSTEM provision, then standard user quote):
+
+```bash
+node node_modules/node-tpm2/examples/smoke-test.mjs provision-machine --key-name my-app-device-ak --out ak.blob.json
+node node_modules/node-tpm2/examples/smoke-test.mjs quote --in ak.blob.json
+```
+
+## Development (this repo)
 
 ```bash
 git clone https://github.com/stacks0x/tpm2.git
 cd tpm2
 npm install
 npm run build
-node --input-type=module -e "
-  import { Tpm } from './index.js';
-  console.log('available', await Tpm.isAvailable());
-  console.log('info', await Tpm.info());
-"
+node examples/smoke-test.mjs runtime
 ```
 
-On Linux, your user needs read/write on `/dev/tpmrm0` (typically the `tss` group).
-
-## Windows probe (direct TBS validation)
-
-Non-elevated PowerShell on Windows 11:
+Rust probe (developers, not the npm artifact):
 
 ```powershell
-cargo run --bin tbs-probe -- all
+cargo build --no-default-features --features probe-bin --bin tbs-probe
+.\target\debug\tbs-probe.exe all
+.\target\debug\tbs-probe.exe help
 ```
 
-See [spike/README.md](./spike/README.md) for probe details and RC discipline.
+Linux: user needs access to `/dev/tpmrm0` (typically the `tss` group).
+
+Maintainer-only planning docs (release checklists, specs) go in `docs/dev/` — that folder is gitignored and never published.
 
 ## License
 

package/api.js

@@ -9,6 +9,50 @@ try {
   nativeLoadError = err;
 }
 
+const TPM_UNAVAILABLE = {
+  code: 'TPM_UNAVAILABLE',
+  suggestion: 'Run npm run build, or install a published platform package.',
+};
+
+function parseNativeError(err) {
+  const msg = err?.message ?? String(err);
+  if (msg.startsWith('__tpm2__')) {
+    const rest = msg.slice('__tpm2__'.length);
+    const parts = rest.split('|');
+    const [code, message, suggestion, tpmRcStr] = parts;
+    const tpmRc = tpmRcStr ? Number.parseInt(tpmRcStr, 10) : undefined;
+    return new TpmError(
+      code,
+      message,
+      suggestion || undefined,
+      Number.isFinite(tpmRc) ? tpmRc : undefined,
+    );
+  }
+  return err;
+}
+
+function wrapNative(fn) {
+  return async (...args) => {
+    try {
+      return await fn(...args);
+    } catch (err) {
+      throw parseNativeError(err);
+    }
+  };
+}
+
+function requireNative(method) {
+  if (!native?.[method]) {
+    throw new TpmError(
+      TPM_UNAVAILABLE.code,
+      nativeLoadError
+        ? `Native backend not loaded: ${nativeLoadError.message}`
+        : 'Native backend not built for this platform.',
+      TPM_UNAVAILABLE.suggestion,
+    );
+  }
+}
+
 export class TpmError extends Error {
   constructor(code, message, suggestion, tpmRc) {
     super(message);
@@ -19,6 +63,98 @@ export class TpmError extends Error {
   }
 }
 
+function createAkHandle(akPublicDer, akBlob) {
+  return {
+    /** Wrapped TPM2B_PUBLIC + TPM2B_PRIVATE for persistence (no persistent TPM handle). */
+    export() {
+      return {
+        public: Buffer.from(akBlob.public),
+        private: Buffer.from(akBlob.private),
+      };
+    },
+
+    /** SPKI DER for the AK public area (from provisioning). */
+    get publicKeyDer() {
+      return Buffer.from(akPublicDer);
+    },
+
+    quote: wrapNative(async (opts) => {
+      requireNative('quote');
+      return native.quote({
+        akBlob,
+        pcrSelection: opts.pcrSelection,
+        qualifyingData: opts.qualifyingData,
+        bank: opts.bank,
+      });
+    }),
+
+    activateCredential: wrapNative(async (opts) => {
+      requireNative('activateCredential');
+      return native.activateCredential({
+        akBlob,
+        credentialBlob: opts.credentialBlob,
+        secret: opts.secret,
+      });
+    }),
+  };
+}
+
+function createTpmHandle() {
+  return {
+    async info() {
+      return Tpm.getFixedProperties();
+    },
+
+    pcr: {
+      /** Read SHA-256 PCR digests for the given indices. */
+      read: wrapNative(async (selection, bank = 'sha256') => {
+        requireNative('pcrRead');
+        return native.pcrRead(selection, bank);
+      }),
+    },
+
+    attest: {
+      /** EK certificate from NV index, or null if not provisioned. */
+      ekCertificate: wrapNative(async () => {
+        requireNative('readEkCertificate');
+        return native.readEkCertificate();
+      }),
+
+      /** Provision a transient AK; returns a handle with export/quote/activateCredential. */
+      provisionAk: wrapNative(async (opts) => {
+        requireNative('provisionAk');
+        const result = await native.provisionAk({
+          keyName: opts?.keyName,
+          scope: opts?.scope,
+          overwrite: opts?.overwrite,
+        });
+        return createAkHandle(result.akPublicDer, result.akBlob);
+      }),
+
+      /** Produce a quote from a wrapped AK blob (transient load, no persistent handle). */
+      quote: wrapNative(async (opts) => {
+        requireNative('quote');
+        return native.quote({
+          akBlob: opts.akBlob,
+          pcrSelection: opts.pcrSelection,
+          qualifyingData: opts.qualifyingData,
+          bank: opts.bank,
+        });
+      }),
+    },
+
+    /** Read a TPM object's public area as SPKI DER + name. */
+    readPublic: wrapNative(async (handle) => {
+      requireNative('readPublic');
+      return native.readPublic(handle);
+    }),
+
+    async [Symbol.asyncDispose]() {
+      // Transient handles are flushed inside each native operation.
+    },
+  };
+}
+
 export const Tpm = {
   /** Probe for an accessible TPM. False on darwin / no TPM / no access. */
   async isAvailable() {
@@ -32,38 +168,78 @@ export const Tpm = {
     }
   },
 
-  /** Open a TPM handle. Not implemented in v0.0.x. */
+  /** Open a TPM handle. Auto-detects transport (TBS / /dev/tpmrm0). */
   async open() {
-    if (!native?.isAvailable) {
+    requireNative('isAvailable');
+    const available = await this.isAvailable();
+    if (!available) {
       throw new TpmError(
         'TPM_UNAVAILABLE',
-        nativeLoadError
-          ? `Native backend not loaded: ${nativeLoadError.message}`
-          : 'Native backend not built for this platform.',
-        'Run npm run build, or install a published platform package.',
+        'No accessible TPM on this platform.',
+        'On Linux, ensure /dev/tpmrm0 is readable; on Windows, ensure the TPM is present.',
       );
     }
-    throw new TpmError(
-      'NOT_IMPLEMENTED',
-      'Tpm.open() is not implemented yet; v0.0.x exposes isAvailable() and info() only.',
-      'See https://github.com/stacks0x/tpm2 for release progress.',
-    );
+    return createTpmHandle();
   },
 
   /** Manufacturer, firmware, and virtual-TPM hint from GetCapability. */
-  async getFixedProperties() {
-    if (!native?.getFixedProperties) {
-      throw new TpmError(
-        'TPM_UNAVAILABLE',
-        'Native backend not loaded.',
-        'Run npm run build, or install a published platform package.',
-      );
-    }
-    return native.getFixedProperties();
-  },
+  getFixedProperties: wrapNative(async () => {
+    requireNative('getFixedProperties');
+    const props = await native.getFixedProperties();
+    return {
+      manufacturer: props.manufacturer,
+      firmwareVersion: props.firmwareVersion,
+      isVirtual: props.isVirtual,
+      spec: props.spec,
+    };
+  }),
 
   /** Alias for getFixedProperties. */
   async info() {
     return this.getFixedProperties();
   },
+
+  /** Flat native binding: PCR read. Prefer `tpm.pcr.read` on an open handle. */
+  pcrRead: wrapNative(async (selection, bank) => {
+    requireNative('pcrRead');
+    return native.pcrRead(selection, bank);
+  }),
+
+  /** Flat native binding: ReadPublic. */
+  readPublic: wrapNative(async (handle) => {
+    requireNative('readPublic');
+    return native.readPublic(handle);
+  }),
+
+  /** Flat native binding: EK certificate NV read. */
+  readEkCertificate: wrapNative(async () => {
+    requireNative('readEkCertificate');
+    return native.readEkCertificate();
+  }),
+
+  /** Flat native binding: quote with wrapped AK blob. */
+  quote: wrapNative(async (opts) => {
+    requireNative('quote');
+    return native.quote(opts);
+  }),
+
+  /** Flat native binding: provision AK (returns akPublicDer + akBlob). */
+  provisionAk: wrapNative(async (opts) => {
+    requireNative('provisionAk');
+    const result = await native.provisionAk({
+      keyName: opts?.keyName,
+      scope: opts?.scope,
+      overwrite: opts?.overwrite,
+    });
+    return {
+      akPublicDer: result.akPublicDer,
+      akBlob: result.akBlob,
+    };
+  }),
+
+  /** Flat native binding: activate credential with wrapped AK blob. */
+  activateCredential: wrapNative(async (opts) => {
+    requireNative('activateCredential');
+    return native.activateCredential(opts);
+  }),
 };

package/docs/getting-started.md

@@ -0,0 +1,77 @@
+# Getting started
+
+node-tpm2 talks to the TPM 2.0 through OS-native paths — no tpm2-tools, no tpm2-tss, and no Rust toolchain at install time.
+
+| Platform | Transport | Attestation key (AK) |
+|----------|-----------|----------------------|
+| Linux | `/dev/tpmrm0` | ECDSA P-256 wrapped TPM2B blob |
+| Windows | TBS + NCrypt PCP | RSA-2048 persisted PCP key (`PCP1` / `PCP2` blob) |
+
+## Install
+
+```bash
+npm install node-tpm2
+```
+
+Requires Node 20+. npm pulls a prebuilt native binary for your OS/arch from optional platform packages (`node-tpm2-windows-x64-msvc`, `node-tpm2-linux-x64-gnu`, etc.).
+
+## Quick check
+
+```javascript
+import { Tpm } from 'node-tpm2';
+
+console.log('available', await Tpm.isAvailable());
+console.log('info', await Tpm.info());
+```
+
+## Provision and quote (development)
+
+Works **without admin** on both Linux and Windows (user-scoped AK on Windows):
+
+```javascript
+import { Tpm } from 'node-tpm2';
+
+const { akPublicDer, akBlob } = await Tpm.provisionAk();
+console.log('AK SPKI', akPublicDer.length, 'bytes');
+
+const quote = await Tpm.quote({
+  akBlob,
+  pcrSelection: [0, 1, 7],
+  qualifyingData: Buffer.from('session-nonce-or-challenge'),
+  bank: 'sha256',
+});
+console.log('quote', quote.message.length, quote.signature.length);
+```
+
+## Windows: machine-scoped AK (cross-user)
+
+For apps where a **privileged installer** creates the key and a **standard user** quotes at runtime, use a machine-scoped key with a stable name. See [windows-pcp.md](./windows-pcp.md).
+
+```javascript
+// Run elevated or as SYSTEM (enrollment / install time only)
+const { akBlob } = await Tpm.provisionAk({
+  keyName: 'my-app-device-ak',
+  scope: 'machine',
+  overwrite: true,
+});
+// Persist akBlob (and upload creation attestation to your verifier)
+
+// Runtime — standard user, no admin
+const quote = await Tpm.quote({
+  akBlob,
+  pcrSelection: [0, 1, 7],
+  qualifyingData: Buffer.from('challenge'),
+});
+```
+
+## Linux permissions
+
+Your user needs read/write on `/dev/tpmrm0` (commonly the `tss` group):
+
+```bash
+sudo usermod -aG tss "$USER"
+```
+
+## Errors
+
+Native failures surface as `TpmError` with `code`, `message`, optional `suggestion`, and `tpmRc` when the TPM returned an RC.

package/docs/windows-pcp.md

@@ -0,0 +1,67 @@
+# Windows: Platform Crypto Provider (PCP)
+
+On Windows, node-tpm2 uses the **Microsoft Platform Crypto Provider** for attestation keys — not raw TBS wrapped blobs. Linux continues to use ECDSA TBS-wrapped blobs; AK formats differ by design and verifiers should accept both.
+
+## Operations and privilege
+
+| Operation | Standard user | Elevated admin | SYSTEM |
+|-----------|---------------|----------------|--------|
+| `Tpm.isAvailable()`, PCR read, `readPublic` | Yes | Yes | Yes |
+| `provisionAk()` user scope (`PCP1`) | Yes | Yes | Yes |
+| `quote()` | Yes | Yes | Yes |
+| `provisionAk({ scope: 'machine' })` (`PCP2`) | No | Yes | Yes (production enroll) |
+| `activateCredential()` (PCP) | No | Yes | Yes |
+
+**Runtime apps** typically only need `quote()` with a blob/locator from enrollment. Activation is an enrollment-time proof-of-possession step.
+
+## AK blob formats
+
+| Magic | Scope | Meaning |
+|-------|-------|---------|
+| `PCP1` | User | Dev / same-user flows; random key name if omitted |
+| `PCP2` | Machine | Fleet / cross-user; stable `keyName` required |
+
+Blob layout: magic + key name + PCP creation attestation fields (`public` holds metadata; `private` is empty).
+
+## Machine key provisioning
+
+```javascript
+await Tpm.provisionAk({
+  keyName: 'my-app-device-ak',  // your product prefix, not library-specific
+  scope: 'machine',
+  overwrite: true,              // replaces existing key of same name
+});
+```
+
+Requirements:
+
+- PCP must advertise **Security Descr Support** (probe: `tbs-probe pcp-capabilities`)
+- Machine keys get a DACL granting Built-in Users read/sign so standard users can open and quote
+- PCP ignores `NCRYPT_OVERWRITE_KEY_FLAG`; the library deletes an existing key before recreate when `overwrite: true`
+
+## Quote scheme
+
+PCP identity keys are RSA-2048. Quotes use `TPM_ALG_NULL` (key default RSASSA), matching go-attestation. Linux uses explicit ECDSA+SHA256.
+
+## Validating with `tbs-probe` (Rust, developers only)
+
+The npm module and `tbs-probe` share the same Rust core but are **different artifacts**. Validate Rust with the probe; validate the **npm package** with [examples/smoke-test.mjs](../examples/smoke-test.mjs) on a clean machine.
+
+```powershell
+# Runtime path (standard PowerShell)
+cargo run --no-default-features --features probe-bin --bin tbs-probe -- all
+
+# SYSTEM provision + standard quote — see `tbs-probe help`
+```
+
+## Simulating SYSTEM locally
+
+Intune/SCCM/GPO run enrollment as **SYSTEM**, not interactive admin. On a dev VM, use a one-shot scheduled task (no extra tools):
+
+```powershell
+# Admin PowerShell — see tbs-probe help for full script
+schtasks /Create /TN "my-app-system-provision" /RU SYSTEM ...
+schtasks /Run /TN "my-app-system-provision"
+```
+
+Then quote from standard PowerShell with the saved AK blob.

package/examples/smoke-test.mjs

@@ -0,0 +1,178 @@
+#!/usr/bin/env node
+/**
+ * Validate the published npm native module (not tbs-probe).
+ *
+ * Usage:
+ *   node smoke-test.mjs runtime
+ *   node smoke-test.mjs provision-machine [--key-name NAME] [--out PATH]
+ *   node smoke-test.mjs quote [--in PATH]
+ *
+ * Install on a clean machine:
+ *   npm install node-tpm2@<version>
+ *   node node_modules/node-tpm2/examples/smoke-test.mjs runtime
+ */
+
+import { readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { Tpm } from '../index.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+function usage() {
+  console.error(`Usage:
+  smoke-test.mjs runtime
+  smoke-test.mjs provision-machine [--key-name NAME] [--out PATH]
+  smoke-test.mjs quote [--in PATH]
+
+Windows: provision-machine needs elevation or SYSTEM.
+Runtime quote works unprivileged (user or machine AK blob).`);
+  process.exit(2);
+}
+
+function flagValue(args, name) {
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === name && args[i + 1]) return args[++i];
+    const prefix = `${name}=`;
+    if (args[i]?.startsWith(prefix)) return args[i].slice(prefix.length);
+  }
+  return undefined;
+}
+
+function saveBlob(path, akBlob) {
+  mkdirSync(dirname(resolve(path)), { recursive: true });
+  writeFileSync(
+    path,
+    JSON.stringify(
+      {
+        public: akBlob.public.toString('base64'),
+        private: akBlob.private.toString('base64'),
+      },
+      null,
+      2,
+    ),
+  );
+}
+
+function loadBlob(path) {
+  const raw = JSON.parse(readFileSync(path, 'utf8'));
+  return {
+    public: Buffer.from(raw.public, 'base64'),
+    private: Buffer.from(raw.private, 'base64'),
+  };
+}
+
+function blobScope(akBlob) {
+  const head = akBlob.public.subarray(0, 4).toString('ascii');
+  if (head === 'PCP2') return 'machine';
+  if (head === 'PCP1') return 'user';
+  return 'linux-tpm2b';
+}
+
+async function assertAvailable() {
+  const ok = await Tpm.isAvailable();
+  if (!ok) {
+    console.error('FAIL: Tpm.isAvailable() returned false');
+    process.exit(1);
+  }
+  console.log('PASS  Tpm.isAvailable()');
+}
+
+async function runRuntime() {
+  await assertAvailable();
+  const info = await Tpm.info();
+  console.log('PASS  Tpm.info()', info);
+
+  const { akPublicDer, akBlob } = await Tpm.provisionAk();
+  console.log(`PASS  Tpm.provisionAk() scope=${blobScope(akBlob)} SPKI=${akPublicDer.length}B`);
+
+  const qualifying = Buffer.from('node-tpm2-smoke-test-qualifying-data');
+  const quote = await Tpm.quote({
+    akBlob,
+    pcrSelection: [0, 1, 7],
+    qualifyingData: qualifying,
+    bank: 'sha256',
+  });
+  if (!quote.message.length || !quote.signature.length) {
+    console.error('FAIL: empty quote');
+    process.exit(1);
+  }
+  console.log(
+    `PASS  Tpm.quote() message=${quote.message.length}B signature=${quote.signature.length}B`,
+  );
+  console.log('\nsmoke-test: runtime OK');
+}
+
+async function runProvisionMachine(args) {
+  await assertAvailable();
+  const keyName = flagValue(args, '--key-name') ?? 'my-app-device-ak';
+  const out =
+    flagValue(args, '--out') ??
+    resolve(process.env.PROGRAMDATA ?? 'C:\\ProgramData', 'node-tpm2-spike', 'ak.blob.json');
+
+  if (process.platform !== 'win32') {
+    console.error('FAIL: provision-machine is Windows PCP only');
+    process.exit(1);
+  }
+
+  const { akPublicDer, akBlob } = await Tpm.provisionAk({
+    keyName,
+    scope: 'machine',
+    overwrite: true,
+  });
+  if (blobScope(akBlob) !== 'machine') {
+    console.error(`FAIL: expected PCP2 machine blob, got scope=${blobScope(akBlob)}`);
+    process.exit(1);
+  }
+  saveBlob(out, akBlob);
+  console.log(`PASS  Tpm.provisionAk(machine) keyName=${keyName} SPKI=${akPublicDer.length}B`);
+  console.log(`  wrote ${out}`);
+  console.log('\nNEXT (standard user):');
+  console.log(`  node examples/smoke-test.mjs quote --in ${out}`);
+}
+
+async function runQuote(args) {
+  await assertAvailable();
+  const input =
+    flagValue(args, '--in') ??
+    resolve(process.env.PROGRAMDATA ?? 'C:\\ProgramData', 'node-tpm2-spike', 'ak.blob.json');
+
+  const akBlob = loadBlob(input);
+  console.log(`  loaded blob scope=${blobScope(akBlob)} from ${input}`);
+
+  const qualifying = Buffer.from('node-tpm2-smoke-test-qualifying-data');
+  const quote = await Tpm.quote({
+    akBlob,
+    pcrSelection: [0, 1, 7],
+    qualifyingData: qualifying,
+    bank: 'sha256',
+  });
+  console.log(
+    `PASS  Tpm.quote() message=${quote.message.length}B signature=${quote.signature.length}B`,
+  );
+  console.log('\nsmoke-test: quote OK');
+}
+
+async function main() {
+  const [cmd, ...rest] = process.argv.slice(2);
+  switch (cmd) {
+    case 'runtime':
+      await runRuntime();
+      break;
+    case 'provision-machine':
+      await runProvisionMachine(rest);
+      break;
+    case 'quote':
+      await runQuote(rest);
+      break;
+    default:
+      usage();
+  }
+}
+
+main().catch((err) => {
+  console.error('FAIL:', err.message ?? err);
+  if (err.suggestion) console.error('  suggestion:', err.suggestion);
+  if (err.tpmRc != null) console.error('  tpmRc:', err.tpmRc);
+  process.exit(1);
+});

package/index.d.ts

@@ -5,19 +5,113 @@ export declare class TpmError extends Error {
   constructor(code: string, message: string, suggestion?: string, tpmRc?: number);
 }
 
+export declare type AkBlob = {
+  public: Buffer;
+  private: Buffer;
+};
+
+export declare type QuoteOptions = {
+  akBlob: AkBlob;
+  pcrSelection: number[];
+  qualifyingData: Buffer;
+  bank?: 'sha256';
+};
+
+export declare type QuoteResult = {
+  message: Buffer;
+  signature: Buffer;
+};
+
+export declare type ReadPublicResult = {
+  publicKeyDer: Buffer;
+  name: Buffer;
+};
+
+export declare type ProvisionAkOptions = {
+  /** Persisted PCP key name on Windows. Omitted = random dev name. */
+  keyName?: string;
+  /** Windows only: `user` (default) or `machine` (fleet enrollment). */
+  scope?: 'user' | 'machine';
+  /** Windows only: replace existing persisted key of the same name. */
+  overwrite?: boolean;
+  /** @deprecated Linux-only hint; Windows PCP always uses RSA identity AK. */
+  algorithm?: 'ecc' | 'rsa';
+};
+
+export declare type ProvisionAkResult = {
+  akPublicDer: Buffer;
+  akBlob: AkBlob;
+};
+
+export declare type ActivateCredentialOptions = {
+  credentialBlob: Buffer;
+  secret: Buffer;
+};
+
+export declare type ActivateCredentialFlatOptions = ActivateCredentialOptions & {
+  akBlob: AkBlob;
+};
+
+export declare interface AkHandle {
+  export(): AkBlob;
+  readonly publicKeyDer: Buffer;
+  quote(opts: Omit<QuoteOptions, 'akBlob'>): Promise<QuoteResult>;
+  activateCredential(opts: ActivateCredentialOptions): Promise<Buffer>;
+}
+
+export declare type TpmInfo = {
+  manufacturer: string;
+  firmwareVersion: string;
+  isVirtual: boolean;
+  spec: string;
+};
+
+export declare interface TpmHandle {
+  info(): Promise<TpmInfo>;
+  pcr: {
+    read(selection: number[], bank?: 'sha256'): Promise<Record<number, string>>;
+  };
+  attest: {
+    ekCertificate(): Promise<Buffer | null>;
+    provisionAk(opts?: ProvisionAkOptions): Promise<AkHandle>;
+    quote(opts: QuoteOptions): Promise<QuoteResult>;
+  };
+  readPublic(handle: string): Promise<ReadPublicResult>;
+  [Symbol.asyncDispose](): Promise<void>;
+}
+
 export declare const Tpm: {
   isAvailable(): Promise<boolean>;
-  open(): Promise<never>;
-  getFixedProperties(): Promise<{
-    manufacturer: string;
-    firmwareVersion: string;
-    isVirtual: boolean;
-    spec: string;
-  }>;
-  info(): Promise<{
-    manufacturer: string;
-    firmwareVersion: string;
-    isVirtual: boolean;
-    spec: string;
-  }>;
+  open(): Promise<TpmHandle>;
+  getFixedProperties(): Promise<TpmInfo>;
+  info(): Promise<TpmInfo>;
+  pcrRead(selection: number[], bank?: 'sha256'): Promise<Record<number, string>>;
+  readPublic(handle: string): Promise<ReadPublicResult>;
+  readEkCertificate(): Promise<Buffer | null>;
+  quote(opts: QuoteOptions): Promise<QuoteResult>;
+  provisionAk(opts?: ProvisionAkOptions): Promise<ProvisionAkResult>;
+  activateCredential(opts: ActivateCredentialFlatOptions): Promise<Buffer>;
 };
+
+export declare function pcrRead(
+  selection: number[],
+  bank?: 'sha256',
+): Promise<Record<number, string>>;
+
+export declare function readPublic(handle: string): Promise<ReadPublicResult>;
+
+export declare function readEkCertificate(): Promise<Buffer | null>;
+
+export declare function quote(opts: QuoteOptions): Promise<QuoteResult>;
+
+export declare function provisionAk(
+  opts?: ProvisionAkOptions,
+): Promise<ProvisionAkResult>;
+
+export declare function activateCredential(
+  opts: ActivateCredentialFlatOptions,
+): Promise<Buffer>;
+
+export declare function getFixedProperties(): Promise<TpmInfo>;
+
+export declare function isAvailable(): Promise<boolean>;

package/native.cjs

@@ -77,8 +77,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-android-arm64')
         const bindingPackageVersion = require('node-tpm2-android-arm64/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -93,8 +93,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-android-arm-eabi')
         const bindingPackageVersion = require('node-tpm2-android-arm-eabi/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -114,8 +114,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-win32-x64-gnu')
         const bindingPackageVersion = require('node-tpm2-win32-x64-gnu/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -128,10 +128,10 @@ function requireNative() {
         loadErrors.push(e)
       }
       try {
-        const binding = require('node-tpm2-win32-x64-msvc')
-        const bindingPackageVersion = require('node-tpm2-win32-x64-msvc/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        const binding = require('node-tpm2-windows-x64-msvc')
+        const bindingPackageVersion = require('node-tpm2-windows-x64-msvc/package.json').version
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -147,8 +147,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-win32-ia32-msvc')
         const bindingPackageVersion = require('node-tpm2-win32-ia32-msvc/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -161,10 +161,10 @@ function requireNative() {
         loadErrors.push(e)
       }
       try {
-        const binding = require('node-tpm2-win32-arm64-msvc')
-        const bindingPackageVersion = require('node-tpm2-win32-arm64-msvc/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        const binding = require('node-tpm2-windows-arm64-msvc')
+        const bindingPackageVersion = require('node-tpm2-windows-arm64-msvc/package.json').version
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -182,8 +182,8 @@ function requireNative() {
     try {
       const binding = require('node-tpm2-darwin-universal')
       const bindingPackageVersion = require('node-tpm2-darwin-universal/package.json').version
-      if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-        throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+      if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+        throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
       }
       return binding
     } catch (e) {
@@ -198,8 +198,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-darwin-x64')
         const bindingPackageVersion = require('node-tpm2-darwin-x64/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -214,8 +214,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-darwin-arm64')
         const bindingPackageVersion = require('node-tpm2-darwin-arm64/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -234,8 +234,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-freebsd-x64')
         const bindingPackageVersion = require('node-tpm2-freebsd-x64/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -250,8 +250,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-freebsd-arm64')
         const bindingPackageVersion = require('node-tpm2-freebsd-arm64/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -271,8 +271,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-x64-musl')
           const bindingPackageVersion = require('node-tpm2-linux-x64-musl/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -287,8 +287,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-x64-gnu')
           const bindingPackageVersion = require('node-tpm2-linux-x64-gnu/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -305,8 +305,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-arm64-musl')
           const bindingPackageVersion = require('node-tpm2-linux-arm64-musl/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -321,8 +321,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-arm64-gnu')
           const bindingPackageVersion = require('node-tpm2-linux-arm64-gnu/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -339,8 +339,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-arm-musleabihf')
           const bindingPackageVersion = require('node-tpm2-linux-arm-musleabihf/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -355,8 +355,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-arm-gnueabihf')
           const bindingPackageVersion = require('node-tpm2-linux-arm-gnueabihf/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -373,8 +373,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-loong64-musl')
           const bindingPackageVersion = require('node-tpm2-linux-loong64-musl/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -389,8 +389,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-loong64-gnu')
           const bindingPackageVersion = require('node-tpm2-linux-loong64-gnu/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -407,8 +407,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-riscv64-musl')
           const bindingPackageVersion = require('node-tpm2-linux-riscv64-musl/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -423,8 +423,8 @@ function requireNative() {
         try {
           const binding = require('node-tpm2-linux-riscv64-gnu')
           const bindingPackageVersion = require('node-tpm2-linux-riscv64-gnu/package.json').version
-          if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-            throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+          if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+            throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
           }
           return binding
         } catch (e) {
@@ -440,8 +440,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-linux-ppc64-gnu')
         const bindingPackageVersion = require('node-tpm2-linux-ppc64-gnu/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -456,8 +456,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-linux-s390x-gnu')
         const bindingPackageVersion = require('node-tpm2-linux-s390x-gnu/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -476,8 +476,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-openharmony-arm64')
         const bindingPackageVersion = require('node-tpm2-openharmony-arm64/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -492,8 +492,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-openharmony-x64')
         const bindingPackageVersion = require('node-tpm2-openharmony-x64/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -508,8 +508,8 @@ function requireNative() {
       try {
         const binding = require('node-tpm2-openharmony-arm')
         const bindingPackageVersion = require('node-tpm2-openharmony-arm/package.json').version
-        if (bindingPackageVersion !== '0.0.2' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
-          throw new Error(`Native binding package version mismatch, expected 0.0.2 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
+        if (bindingPackageVersion !== '0.0.4-beta.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {
+          throw new Error(`Native binding package version mismatch, expected 0.0.4-beta.0 but got ${bindingPackageVersion}. You can reinstall dependencies to fix this issue.`)
         }
         return binding
       } catch (e) {
@@ -587,5 +587,11 @@ if (!nativeBinding) {
 }
 
 module.exports = nativeBinding
+module.exports.activateCredential = nativeBinding.activateCredential
 module.exports.getFixedProperties = nativeBinding.getFixedProperties
 module.exports.isAvailable = nativeBinding.isAvailable
+module.exports.pcrRead = nativeBinding.pcrRead
+module.exports.provisionAk = nativeBinding.provisionAk
+module.exports.quote = nativeBinding.quote
+module.exports.readEkCertificate = nativeBinding.readEkCertificate
+module.exports.readPublic = nativeBinding.readPublic

package/native.d.ts

@@ -1,5 +1,18 @@
 /* auto-generated by NAPI-RS */
 /* eslint-disable */
+export declare function activateCredential(opts: ActivateCredentialOptionsJs): Promise<Buffer>
+
+export interface ActivateCredentialOptionsJs {
+  akBlob: AkBlobJs
+  credentialBlob: Buffer
+  secret: Buffer
+}
+
+export interface AkBlobJs {
+  public: Buffer
+  private: Buffer
+}
+
 export interface FixedPropertiesJs {
   manufacturer: string
   firmwareVersion: string
@@ -10,3 +23,43 @@ export interface FixedPropertiesJs {
 export declare function getFixedProperties(): Promise<FixedPropertiesJs>
 
 export declare function isAvailable(): Promise<boolean>
+
+export declare function pcrRead(selection: Array<number>, bank?: string | undefined | null): Promise<Record<string, string>>
+
+export declare function provisionAk(opts?: ProvisionAkOptionsJs | undefined | null): Promise<ProvisionAkJs>
+
+export interface ProvisionAkJs {
+  akPublicDer: Buffer
+  akBlob: AkBlobJs
+}
+
+export interface ProvisionAkOptionsJs {
+  keyName?: string
+  /** Windows only: `"user"` (default) or `"machine"`. */
+  scope?: string
+  /** Windows only: replace existing persisted key of the same name. */
+  overwrite?: boolean
+}
+
+export declare function quote(opts: QuoteOptionsJs): Promise<QuoteJs>
+
+export interface QuoteJs {
+  message: Buffer
+  signature: Buffer
+}
+
+export interface QuoteOptionsJs {
+  akBlob: AkBlobJs
+  pcrSelection: Array<number>
+  qualifyingData: Buffer
+  bank?: string
+}
+
+export declare function readEkCertificate(): Promise<Buffer | null>
+
+export declare function readPublic(handle: string): Promise<ReadPublicJs>
+
+export interface ReadPublicJs {
+  publicKeyDer: Buffer
+  name: Buffer
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-tpm2",
-  "version": "0.0.2",
+  "version": "0.0.4-beta.0",
   "description": "Native TPM 2.0 for Node. Zero tooling, no admin. Windows (TBS) and Linux (/dev/tpmrm0). Pre-release.",
   "type": "module",
   "license": "Apache-2.0",
@@ -38,7 +38,10 @@
     "index.d.ts",
     "api.js",
     "native.cjs",
-    "native.d.ts"
+    "native.d.ts",
+    "docs/getting-started.md",
+    "docs/windows-pcp.md",
+    "examples"
   ],
   "engines": {
     "node": ">=20"
@@ -56,26 +59,32 @@
     "access": "public"
   },
   "scripts": {
-    "build": "napi build --platform --release --js native.cjs --dts native.d.ts",
-    "build:debug": "napi build --platform --js native.cjs --dts native.d.ts",
+    "build": "napi build --platform --release --js native.cjs --dts native.d.ts && node scripts/patch-windows-npm-packages.mjs",
+    "build:debug": "napi build --platform --js native.cjs --dts native.d.ts && node scripts/patch-windows-npm-packages.mjs",
     "build:esapi": "napi build --platform --release --features esapi --js native.cjs --dts native.d.ts",
-    "tbs-probe": "cargo run --bin tbs-probe",
+    "tbs-probe": "cargo run --bin tbs-probe --no-default-features --features probe-bin --",
+    "smoke-test": "node examples/smoke-test.mjs runtime",
+    "smoke-test:runtime": "node examples/smoke-test.mjs runtime",
     "spike": "cargo run --features esapi --bin spike --",
     "spike:all": "cargo run --features esapi --bin spike -- all",
     "artifacts": "napi artifacts",
     "create-npm-dirs": "napi create-npm-dirs",
-    "prepublishOnly": "napi prepublish -t npm --skip-optional-publish"
+    "patch-windows-npm": "node scripts/patch-windows-npm-packages.mjs",
+    "prepublishOnly": "napi prepublish -t npm --skip-optional-publish",
+    "publish:beta": "node scripts/publish-beta.mjs"
   },
   "devDependencies": {
     "@napi-rs/cli": "^3.7.2"
   },
   "optionalDependencies": {
-    "node-tpm2-win32-x64-msvc": "0.0.2",
-    "node-tpm2-win32-arm64-msvc": "0.0.2",
-    "node-tpm2-linux-x64-gnu": "0.0.2",
-    "node-tpm2-linux-arm64-gnu": "0.0.2",
-    "node-tpm2-linux-x64-musl": "0.0.2",
-    "node-tpm2-linux-arm64-musl": "0.0.2",
-    "node-tpm2-darwin-arm64": "0.0.2"
+    "node-tpm2-windows-x64-msvc": "0.0.4-beta.0",
+    "node-tpm2-windows-arm64-msvc": "0.0.4-beta.0",
+    "node-tpm2-linux-x64-gnu": "0.0.4-beta.0",
+    "node-tpm2-linux-arm64-gnu": "0.0.4-beta.0",
+    "node-tpm2-linux-x64-musl": "0.0.4-beta.0",
+    "node-tpm2-linux-arm64-musl": "0.0.4-beta.0",
+    "node-tpm2-darwin-arm64": "0.0.4-beta.0",
+    "node-tpm2-win32-x64-msvc": "0.0.4-beta.0",
+    "node-tpm2-win32-arm64-msvc": "0.0.4-beta.0"
   }
 }