secretvm-verify 0.1.0

package/dist/workload.d.ts

@@ -0,0 +1,62 @@
+export type WorkloadStatus = "authentic_match" | "authentic_mismatch" | "not_authentic";
+export interface WorkloadResult {
+    status: WorkloadStatus;
+    /** Only set when status !== "not_authentic" */
+    template_name?: string;
+    vm_type?: string;
+    artifacts_ver?: string;
+    env?: string;
+}
+/**
+ * Given a TDX quote (hex string), look up the matching SecretVM version and
+ * template.  Returns null when the quote is not from a known SecretVM.
+ */
+export declare function resolveSecretVmVersion(quoteHex: string): {
+    template_name: string;
+    artifacts_ver: string;
+} | null;
+/**
+ * Given an AMD SEV-SNP attestation report (base64), look up the matching
+ * SecretVM registry entry.  Returns null when not found.
+ */
+export declare function resolveAmdSevVersion(quoteBase64: string): {
+    template_name: string;
+    vm_type: string;
+    artifacts_ver: string;
+} | null;
+/**
+ * Verify that a TDX quote (hex) was produced by a known SecretVM running the
+ * given docker-compose YAML.
+ *
+ * Steps:
+ *  1. Parse mrtd + rtmr0..3 from the quote.
+ *  2. Find all registry rows matching mrtd+rtmr0..2.
+ *  3. If none → not_authentic.
+ *  4. For each candidate row: calculate expected RTMR3 from the compose YAML
+ *     and the row's rootfs_data, then compare to the quote's rtmr3.
+ *  5. If any row matches → authentic_match.
+ *  6. Otherwise → authentic_mismatch.
+ */
+export declare function verifyTdxWorkload(quoteHex: string, dockerComposeYaml: string): WorkloadResult;
+export declare function formatWorkloadResult(r: WorkloadResult): string;
+/**
+ * Verify an AMD SEV-SNP workload against a docker-compose.yaml.
+ *
+ * Recomputes the SEV-SNP GCTX launch digest from the registry entry matching
+ * the quote's `family_id` / `image_id` and the provided compose content, then
+ * compares it against the measurement in the report.
+ *
+ * @param quoteBase64      Base64-encoded AMD SEV-SNP attestation report.
+ * @param dockerComposeYaml  Contents of the docker-compose.yaml file.
+ */
+export declare function verifySevWorkload(quoteBase64: string, dockerComposeYaml: string): WorkloadResult;
+/**
+ * Verify that a CPU quote was produced by a known SecretVM running the given
+ * docker-compose YAML.  Automatically detects whether the quote is an Intel
+ * TDX (hex) or AMD SEV-SNP (base64) quote and delegates to the appropriate
+ * lower-level function.
+ *
+ * @param quoteData       Hex-encoded TDX quote **or** base64-encoded SEV-SNP report.
+ * @param dockerComposeYaml  Contents of the docker-compose.yaml file.
+ */
+export declare function verifyWorkload(quoteData: string, dockerComposeYaml: string): WorkloadResult;

package/dist/workload.js

@@ -0,0 +1,253 @@
+import { parseTdxQuoteFields } from "./tdx.js";
+import { detectCpuQuoteType } from "./cpu.js";
+import { findMatchingArtifacts, pickNewestVersion, loadSevRegistry, } from "./artifacts.js";
+import { calculateRtmr3 } from "./rtmr.js";
+import { calcSevMeasurement, parseSevFamilyId } from "./sevGctx.js";
+import { createHash } from "node:crypto";
+// ---------------------------------------------------------------------------
+// Version resolution (no workload check)
+// ---------------------------------------------------------------------------
+/**
+ * Given a TDX quote (hex string), look up the matching SecretVM version and
+ * template.  Returns null when the quote is not from a known SecretVM.
+ */
+export function resolveSecretVmVersion(quoteHex) {
+    const { mrtd, rtmr0, rtmr1, rtmr2 } = parseTdxQuoteFields(quoteHex);
+    const matches = findMatchingArtifacts(mrtd, rtmr0, rtmr1, rtmr2);
+    const newest = pickNewestVersion(matches);
+    if (!newest)
+        return null;
+    return {
+        template_name: newest.template_name,
+        artifacts_ver: newest.artifacts_ver,
+    };
+}
+/**
+ * Given an AMD SEV-SNP attestation report (base64), look up the matching
+ * SecretVM registry entry.  Returns null when not found.
+ */
+export function resolveAmdSevVersion(quoteBase64) {
+    let raw;
+    try {
+        raw = Buffer.from(quoteBase64.trim(), "base64");
+    }
+    catch {
+        return null;
+    }
+    if (raw.length < 0x030)
+        return null;
+    const family = parseSevFamilyId(raw.subarray(0x010, 0x020));
+    if (!family)
+        return null;
+    const imageId = raw.subarray(0x020, 0x030).toString("utf8").replace(/[\x00#]+$/, "");
+    if (!imageId)
+        return null;
+    let registry;
+    try {
+        registry = loadSevRegistry();
+    }
+    catch {
+        return null;
+    }
+    const entry = registry.find((e) => e.vm_type === family.vmType && e.artifacts_ver === imageId);
+    if (!entry)
+        return null;
+    return {
+        template_name: family.templateName,
+        vm_type: family.vmType,
+        artifacts_ver: imageId,
+    };
+}
+// ---------------------------------------------------------------------------
+// Workload verification
+// ---------------------------------------------------------------------------
+/**
+ * Verify that a TDX quote (hex) was produced by a known SecretVM running the
+ * given docker-compose YAML.
+ *
+ * Steps:
+ *  1. Parse mrtd + rtmr0..3 from the quote.
+ *  2. Find all registry rows matching mrtd+rtmr0..2.
+ *  3. If none → not_authentic.
+ *  4. For each candidate row: calculate expected RTMR3 from the compose YAML
+ *     and the row's rootfs_data, then compare to the quote's rtmr3.
+ *  5. If any row matches → authentic_match.
+ *  6. Otherwise → authentic_mismatch.
+ */
+export function verifyTdxWorkload(quoteHex, dockerComposeYaml) {
+    let mrtd, rtmr0, rtmr1, rtmr2, quoteRtmr3;
+    try {
+        const fields = parseTdxQuoteFields(quoteHex);
+        mrtd = fields.mrtd;
+        rtmr0 = fields.rtmr0;
+        rtmr1 = fields.rtmr1;
+        rtmr2 = fields.rtmr2;
+        quoteRtmr3 = fields.rtmr3;
+    }
+    catch {
+        return { status: "not_authentic" };
+    }
+    const candidates = findMatchingArtifacts(mrtd, rtmr0, rtmr1, rtmr2);
+    if (candidates.length === 0) {
+        return { status: "not_authentic" };
+    }
+    // Pick "best" entry for reporting (newest version)
+    const best = pickNewestVersion(candidates);
+    const template_name = best.template_name;
+    // vm_type column in CSV stores the environment (prod/dev)
+    const env = best.vm_type;
+    const artifacts_ver = best.artifacts_ver;
+    // Check compose against every candidate entry (different rootfs_data or envs)
+    for (const entry of candidates) {
+        const expected = calculateRtmr3(dockerComposeYaml, entry.rootfs_data);
+        if (expected === quoteRtmr3) {
+            return {
+                status: "authentic_match",
+                template_name: entry.template_name,
+                vm_type: entry.vm_type,
+                artifacts_ver: entry.artifacts_ver,
+                env: entry.vm_type,
+            };
+        }
+    }
+    return {
+        status: "authentic_mismatch",
+        template_name,
+        vm_type: best.vm_type,
+        artifacts_ver,
+        env,
+    };
+}
+// ---------------------------------------------------------------------------
+// Human-readable output
+// ---------------------------------------------------------------------------
+export function formatWorkloadResult(r) {
+    if (r.status === "not_authentic") {
+        return "🚫 Attestation doesn't belong to an authentic SecretVM";
+    }
+    const vmLine = `✅ Confirmed an authentic SecretVM, vm_type ${r.template_name}, artifacts ${r.artifacts_ver}, environment ${r.env}`;
+    if (r.status === "authentic_match") {
+        return (vmLine +
+            "\n✅ Confirmed that the VM is running the specified docker-compose.yaml");
+    }
+    // authentic_mismatch
+    return (vmLine +
+        "\n🚫 Attestation does not match the specified docker-compose.yaml");
+}
+// ---------------------------------------------------------------------------
+// SEV-SNP workload verification
+// ---------------------------------------------------------------------------
+/**
+ * Verify an AMD SEV-SNP workload against a docker-compose.yaml.
+ *
+ * Recomputes the SEV-SNP GCTX launch digest from the registry entry matching
+ * the quote's `family_id` / `image_id` and the provided compose content, then
+ * compares it against the measurement in the report.
+ *
+ * @param quoteBase64      Base64-encoded AMD SEV-SNP attestation report.
+ * @param dockerComposeYaml  Contents of the docker-compose.yaml file.
+ */
+export function verifySevWorkload(quoteBase64, dockerComposeYaml) {
+    let raw;
+    try {
+        raw = Buffer.from(quoteBase64.trim(), "base64");
+    }
+    catch {
+        return { status: "not_authentic" };
+    }
+    if (raw.length < 0x090 + 48)
+        return { status: "not_authentic" };
+    let quoteMeasurement;
+    let family;
+    let imageId;
+    try {
+        quoteMeasurement = raw.subarray(0x090, 0x090 + 48).toString("hex");
+        family = parseSevFamilyId(raw.subarray(0x010, 0x020));
+        if (!family)
+            return { status: "not_authentic" };
+        imageId = raw.subarray(0x020, 0x030).toString("utf8").replace(/[\x00#]+$/, "");
+    }
+    catch {
+        return { status: "not_authentic" };
+    }
+    let registry;
+    try {
+        registry = loadSevRegistry();
+    }
+    catch {
+        return { status: "not_authentic" };
+    }
+    const { vmType, templateName, vcpus } = family;
+    // raw SHA256 — matches jeeves compute_file_hash() (no YAML normalization)
+    const composeHash = createHash("sha256").update(dockerComposeYaml, "utf8").digest("hex");
+    const candidates = registry.filter((e) => e.vm_type === vmType);
+    const versionEntries = imageId ? candidates.filter((e) => e.artifacts_ver === imageId) : [];
+    function tryEntry(entry) {
+        const cmdline = `console=ttyS0 loglevel=7 docker_compose_hash=${composeHash} rootfs_hash=${entry.rootfs_hash}`;
+        try {
+            return calcSevMeasurement(entry, vcpus, cmdline) === quoteMeasurement;
+        }
+        catch {
+            return false;
+        }
+    }
+    // Try version-specific entries first
+    for (const entry of versionEntries) {
+        if (tryEntry(entry)) {
+            return {
+                status: "authentic_match",
+                template_name: templateName,
+                vm_type: templateName,
+                artifacts_ver: entry.artifacts_ver,
+                env: vmType,
+            };
+        }
+    }
+    // Fallback: other entries for this vm_type
+    for (const entry of candidates) {
+        if (imageId && entry.artifacts_ver === imageId)
+            continue; // already tried above
+        if (tryEntry(entry)) {
+            return {
+                status: "authentic_match",
+                template_name: templateName,
+                vm_type: templateName,
+                artifacts_ver: entry.artifacts_ver,
+                env: vmType,
+            };
+        }
+    }
+    // No compose match. If the version is in the registry the VM is authentic
+    // but the provided compose doesn't match the measurement.
+    if (versionEntries.length > 0) {
+        return {
+            status: "authentic_mismatch",
+            template_name: templateName,
+            vm_type: templateName,
+            artifacts_ver: imageId,
+            env: vmType,
+        };
+    }
+    return { status: "not_authentic" };
+}
+// ---------------------------------------------------------------------------
+// Generic workload verifier (auto-detects TDX vs SEV-SNP)
+// ---------------------------------------------------------------------------
+/**
+ * Verify that a CPU quote was produced by a known SecretVM running the given
+ * docker-compose YAML.  Automatically detects whether the quote is an Intel
+ * TDX (hex) or AMD SEV-SNP (base64) quote and delegates to the appropriate
+ * lower-level function.
+ *
+ * @param quoteData       Hex-encoded TDX quote **or** base64-encoded SEV-SNP report.
+ * @param dockerComposeYaml  Contents of the docker-compose.yaml file.
+ */
+export function verifyWorkload(quoteData, dockerComposeYaml) {
+    const type = detectCpuQuoteType(quoteData);
+    if (type === "TDX")
+        return verifyTdxWorkload(quoteData, dockerComposeYaml);
+    if (type === "SEV-SNP")
+        return verifySevWorkload(quoteData, dockerComposeYaml);
+    return { status: "not_authentic" };
+}
+//# sourceMappingURL=workload.js.map

package/dist/workload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workload.js","sourceRoot":"","sources":["../src/workload.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EACH,qBAAqB,EACrB,iBAAiB,EACjB,eAAe,GAGlB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAoBzC,8EAA8E;AAC9E,yCAAyC;AACzC,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAClC,QAAgB;IAEhB,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACpE,MAAM,OAAO,GAAG,qBAAqB,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IACjE,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,OAAO;QACH,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,aAAa,EAAE,MAAM,CAAC,aAAa;KACtC,CAAC;AACN,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAChC,WAAmB;IAEnB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACD,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,IAAI,CAAC;IAChB,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,KAAK;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;IAC5D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACrF,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,QAA4B,CAAC;IACjC,IAAI,CAAC;QACD,QAAQ,GAAG,eAAe,EAAE,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,IAAI,CAAC;IAChB,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CACvB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC,aAAa,KAAK,OAAO,CACpE,CAAC;IACF,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO;QACH,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,OAAO,EAAE,MAAM,CAAC,MAAM;QACtB,aAAa,EAAE,OAAO;KACzB,CAAC;AACN,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB,CAC7B,QAAgB,EAChB,iBAAyB;IAEzB,IAAI,IAAY,EAAE,KAAa,EAAE,KAAa,EAAE,KAAa,EAAE,UAAkB,CAAC;IAClF,IAAI,CAAC;QACD,MAAM,MAAM,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACnB,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QACrB,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QACrB,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QACrB,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACvC,CAAC;IAED,MAAM,UAAU,GAAG,qBAAqB,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;IAEpE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACvC,CAAC;IAED,mDAAmD;IACnD,MAAM,IAAI,GAAqB,iBAAiB,CAAC,UAAU,CAAE,CAAC;IAC9D,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;IACzC,0DAA0D;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC;IACzB,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;IAEzC,8EAA8E;IAC9E,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,cAAc,CAAC,iBAAiB,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QACtE,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC1B,OAAO;gBACH,MAAM,EAAE,iBAAiB;gBACzB,aAAa,EAAE,KAAK,CAAC,aAAa;gBAClC,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,aAAa,EAAE,KAAK,CAAC,aAAa;gBAClC,GAAG,EAAE,KAAK,CAAC,OAAO;aACrB,CAAC;QACN,CAAC;IACL,CAAC;IAED,OAAO;QACH,MAAM,EAAE,oBAAoB;QAC5B,aAAa;QACb,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,aAAa;QACb,GAAG;KACN,CAAC;AACN,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E,MAAM,UAAU,oBAAoB,CAAC,CAAiB;IAClD,IAAI,CAAC,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;QAC/B,OAAO,wDAAwD,CAAC;IACpE,CAAC;IAED,MAAM,MAAM,GAAG,8CAA8C,CAAC,CAAC,aAAa,eAAe,CAAC,CAAC,aAAa,iBAAiB,CAAC,CAAC,GAAG,EAAE,CAAC;IAEnI,IAAI,CAAC,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;QACjC,OAAO,CACH,MAAM;YACN,wEAAwE,CAC3E,CAAC;IACN,CAAC;IAED,qBAAqB;IACrB,OAAO,CACH,MAAM;QACN,mEAAmE,CACtE,CAAC;AACN,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAC7B,WAAmB,EACnB,iBAAyB;IAEzB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACD,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACvC,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,GAAG,KAAK,GAAG,EAAE;QAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAEhE,IAAI,gBAAwB,CAAC;IAC7B,IAAI,MAA2C,CAAC;IAChD,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACD,gBAAgB,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnE,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QAChD,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACnF,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACvC,CAAC;IAED,IAAI,QAA4B,CAAC;IACjC,IAAI,CAAC;QACD,QAAQ,GAAG,eAAe,EAAE,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACvC,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC;IAE/C,0EAA0E;IAC1E,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEzF,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC;IAChE,MAAM,cAAc,GAAG,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAE5F,SAAS,QAAQ,CAAC,KAAuB;QACrC,MAAM,OAAO,GAAG,gDAAgD,WAAW,gBAAgB,KAAK,CAAC,WAAW,EAAE,CAAC;QAC/G,IAAI,CAAC;YACD,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,gBAAgB,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,qCAAqC;IACrC,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;QACjC,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAClB,OAAO;gBACH,MAAM,EAAE,iBAAiB;gBACzB,aAAa,EAAE,YAAY;gBAC3B,OAAO,EAAE,YAAY;gBACrB,aAAa,EAAE,KAAK,CAAC,aAAa;gBAClC,GAAG,EAAE,MAAM;aACd,CAAC;QACN,CAAC;IACL,CAAC;IAED,2CAA2C;IAC3C,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,OAAO,IAAI,KAAK,CAAC,aAAa,KAAK,OAAO;YAAE,SAAS,CAAC,sBAAsB;QAChF,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAClB,OAAO;gBACH,MAAM,EAAE,iBAAiB;gBACzB,aAAa,EAAE,YAAY;gBAC3B,OAAO,EAAE,YAAY;gBACrB,aAAa,EAAE,KAAK,CAAC,aAAa;gBAClC,GAAG,EAAE,MAAM;aACd,CAAC;QACN,CAAC;IACL,CAAC;IAED,0EAA0E;IAC1E,0DAA0D;IAC1D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO;YACH,MAAM,EAAE,oBAAoB;YAC5B,aAAa,EAAE,YAAY;YAC3B,OAAO,EAAE,YAAY;YACrB,aAAa,EAAE,OAAO;YACtB,GAAG,EAAE,MAAM;SACd,CAAC;IACN,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,0DAA0D;AAC1D,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAC1B,SAAiB,EACjB,iBAAyB;IAEzB,MAAM,IAAI,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,iBAAiB,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAC3E,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,iBAAiB,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAC/E,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;AACvC,CAAC"}

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "secretvm-verify",
+  "version": "0.1.0",
+  "description": "Attestation verification for Intel TDX, AMD SEV-SNP, and NVIDIA GPU",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "bin": {
+    "secretvm-verify": "dist/cli.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "node --test dist/**/*.test.js",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "attestation",
+    "tdx",
+    "sev-snp",
+    "nvidia",
+    "confidential-computing",
+    "tee"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "ethers": "^6.16.0",
+    "yaml": "^2.4.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.0",
+    "typescript": "^5.3.0"
+  }
+}