pi-privacy 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "pi-privacy",
3
- "version": "0.1.0",
3
+ "version": "0.1.1",
4
4
  "description": "Privacy posture + TEE attestation for Pi providers: cryptographically verified confidential-enclave (TEE) inference, enforced/labeled zero-data-retention (ZDR), and on-device detection — honestly graded so a verified guarantee never reads like a claimed one.",
5
5
  "type": "module",
6
6
  "license": "MIT",
@@ -168,11 +168,19 @@ export const httpsTransport: TinfoilTransport = (host) =>
168
168
  path: url.pathname,
169
169
  method: "GET",
170
170
  timeout: TIMEOUT_MS,
171
+ // Force a fresh connection + full TLS handshake every time. A pooled/
172
+ // resumed TLS session skips re-sending the server cert, so
173
+ // getPeerCertificate() returns {} on the abbreviated handshake and the
174
+ // key binding silently fails (posture flips green→yellow on re-verify).
175
+ // Attestation must observe a real handshake anyway, so no session reuse.
176
+ agent: false,
171
177
  },
172
178
  (res) => {
173
179
  let liveTlsKeyFp: string | undefined;
174
180
  try {
175
- const peer = (res.socket as TLSSocket).getPeerCertificate();
181
+ // getPeerCertificate(true) include the full chain / raw DER even when
182
+ // the default view would omit it.
183
+ const peer = (res.socket as TLSSocket).getPeerCertificate(true);
176
184
  if (peer?.raw) {
177
185
  const spki = new X509Certificate(peer.raw).publicKey.export({ type: "spki", format: "der" });
178
186
  liveTlsKeyFp = createHash("sha256").update(spki).digest("hex");