@dooor-ai/trust
TEE Attestation and Confidential Computing utilities for Dooor OS
# @dooor-ai/trust
[npm](https://www.npmjs.com/package/@dooor-ai/trust)
[License](https://github.com/Dooor-AI/dooor-js-sdk/blob/main/LICENSE)
Part of **Dooor OS**, the `@dooor-ai/trust` library provides utilities for Trusted Execution Environment (TEE) attestation and confidential computing in Node.js applications. It lets you expose TEE-specific endpoints for health checks and attestation tokens, so that a caller can obtain evidence that your workload is running inside an attested TEE rather than taking that on trust.
This package is designed to be lightweight and easy to integrate, with a focus on providing a seamless developer experience for both NestJS and other Node.js frameworks.
## Features
- **TEE Attestation Endpoints**: Quickly expose `/health` and `/token` endpoints for TEE verification.
- **Framework Agnostic Core**: Core logic is framework-independent, allowing for use in any Node.js project.
- **Simple NestJS Integration**: A one-line `attachToNest` function to integrate with any NestJS application.
- **Loopback Security**: Enforces that attestation requests come from the local machine by default, a common security practice for TEEs.
- **Zero Dependencies**: The core logic has zero external dependencies, keeping your application lean.
## Installation
```bash
npm install @dooor-ai/trust
```
## Quick Start: NestJS Integration
The easiest way to use `@dooor-ai/trust` in a NestJS project is with the `attachToNest` helper function. It automatically detects your HTTP adapter (Express or Fastify) and registers the necessary routes.
**1. Update your `main.ts`**
In your main application file (`src/main.ts`), import and call `attachToNest` right after you create your Nest app instance.
```typescript
// src/main.ts
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
import { attachToNest } from '@dooor-ai/trust'; // 1. Import the helper

async function bootstrap() {
  const app = await NestFactory.create(AppModule);

  // 2. Attach the TEE routes before the app starts listening
  attachToNest(app, {
    prefix: '/__attestation', // Optional: the base path for the TEE routes
    audience: 'my-workload-id', // Required: a unique identifier for your workload (becomes the JWT `aud` claim)
    requireLoopback: true, // Optional (default: true): only accept requests from 127.0.0.1 / ::1
  });

  await app.listen(process.env.PORT || 8080);
}
bootstrap();
```
**2. That's it!**
Your application will now expose the following endpoints:
- `GET /__attestation/tee/health`: A simple health check endpoint.
- `POST /__attestation/tee/token`: The main attestation endpoint.
### How it Works
The `attachToNest` function registers a few raw routes on the underlying HTTP adapter (Express or Fastify) *before* the application starts listening for requests. This is a lightweight way to add the endpoints without creating a full NestJS module.
Because these routes are not NestJS controllers, they **do not** participate in the standard NestJS request lifecycle: global guards, pipes, interceptors and exception filters are not applied to them. This is intentional, as these endpoints are meant for internal, infrastructure-level communication. It also means the `requireLoopback` check is the only access control these routes get, so think twice before setting `requireLoopback: false`; if you must, restrict reachability at the network layer instead. Note that a reverse proxy on the same host that forwards outside traffic to the application makes every forwarded request arrive from a loopback address, so the check only helps if nothing local is proxying external traffic to these routes.
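Since these routes sit outside the Nest guard pipeline, it is worth being precise about what a loopback check has to look at. The block below is an added example, not code from `@dooor-ai/trust`: a framework-agnostic gate of the kind the `requireLoopback` option describes. The `MinimalRequest` shape and the `gateAttestationRequest` and `isLoopbackAddress` names are assumptions for the example. It decides purely on the address the TCP socket reports, accepts the IPv4-mapped form `::ffff:127.0.0.1` that Node reports when a dual-stack listener receives an IPv4 connection, and deliberately ignores `X-Forwarded-For`, which any client can set.

```typescript
// Added example (not part of @dooor-ai/trust): a loopback-only gate for
// attestation routes, driven by the socket's remote address, never by headers.
import { isIP } from 'node:net';

/** True for 127.0.0.0/8, ::1 and the IPv4-mapped loopback ::ffff:127.x.x.x. */
export function isLoopbackAddress(remoteAddress: string | undefined): boolean {
  if (!remoteAddress) return false;
  // Node reports IPv4 peers on a dual-stack listener as ::ffff:a.b.c.d.
  const addr = remoteAddress.toLowerCase().startsWith('::ffff:')
    ? remoteAddress.slice('::ffff:'.length)
    : remoteAddress;
  switch (isIP(addr)) {
    case 4:
      return addr.startsWith('127.'); // the whole 127/8 block is loopback
    case 6:
      return addr === '::1';
    default:
      return false; // hostnames such as "localhost" are not addresses
  }
}

/** Hypothetical minimal request shape shared by Express and Fastify. */
export interface MinimalRequest {
  socket: { remoteAddress?: string };
  headers: Record<string, string | string[] | undefined>;
}

export interface GateResult {
  allowed: boolean;
  status: number;
  reason?: string;
}

/** Gate an attestation route. X-Forwarded-For / X-Real-IP are ignored on
 *  purpose: a remote client can send them, so only the socket address counts. */
export function gateAttestationRequest(req: MinimalRequest, requireLoopback = true): GateResult {
  if (!requireLoopback) return { allowed: true, status: 200 };
  if (isLoopbackAddress(req.socket.remoteAddress)) return { allowed: true, status: 200 };
  return { allowed: false, status: 403, reason: 'attestation endpoints accept loopback connections only' };
}

// Constructed sample requests (no real traffic): a local caller, the same caller
// seen through a dual-stack socket, a remote caller, and a remote caller trying
// to pass as local with a spoofed header.
export const sampleRequests: Record<string, MinimalRequest> = {
  local: { socket: { remoteAddress: '127.0.0.1' }, headers: {} },
  localMapped: { socket: { remoteAddress: '::ffff:127.0.0.1' }, headers: {} },
  remote: { socket: { remoteAddress: '10.0.0.5' }, headers: {} },
  spoofed: { socket: { remoteAddress: '10.0.0.5' }, headers: { 'x-forwarded-for': '127.0.0.1' } },
};

/** Run the gate over every sample with the default requireLoopback = true. */
export function runSamples(): Record<string, GateResult> {
  const out: Record<string, GateResult> = {};
  for (const [name, req] of Object.entries(sampleRequests)) {
    out[name] = gateAttestationRequest(req);
  }
  return out;
}

console.log(runSamples());
```

Only `local` and `localMapped` are allowed; `remote` and `spoofed` both get a 403, because the spoofed header never enters the decision. If your deployment does need a non-loopback verifier to reach these routes, the right fix is a network-layer rule that admits exactly that verifier, not trusting a forwarding header.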
## Configuration
The `attachToNest` function accepts the following options:
| Option | Type | Default | Description |
| ----------------- | --------- | ------------------- | ------------------------------------------------------------------------------------------------------- |
| `audience` | `string` | **Required** | A unique identifier for your application workload. This is used as the `aud` claim in the attestation JWT. |
| `prefix` | `string` | `"/__attestation"` | The base path under which the TEE routes (`/tee/health`, `/tee/token`) will be registered. |
| `requireLoopback` | `boolean` | `true` | If `true`, rejects any request that does not originate from a loopback IP address (`127.0.0.1` or `::1`). |
| `tokenType` | `'PKI' \| 'OIDC'` | `'PKI'` | The type of attestation token to request from the TEE environment. |
## License
This project is licensed under the Apache-2.0 License.