TEE Attestation and Confidential Computing utilities for Dooor OS

Part of the Dooor OS, the @dooor-ai/trust library provides essential utilities for Trusted Execution Environment (TEE) attestation and confidential computing within Node.js applications. It allows you to easily expose TEE-specific endpoints for health checks and token attestation, ensuring that your workloads are running in a verified, secure environment.
This package is designed to be lightweight and easy to integrate, with a focus on providing a seamless developer experience for both NestJS and other Node.js frameworks.
- TEE Attestation Endpoints: Quickly expose /health and /token endpoints for TEE verification.
- Framework Agnostic Core: Core logic is framework-independent, allowing for use in any Node.js project.
- Simple NestJS Integration: A one-line attachToNest function to integrate with any NestJS application.
- Loopback Security: Enforces that attestation requests come from the local machine by default, a common security practice for TEEs.
- Zero Dependencies: The core logic has zero external dependencies, keeping your application lean.
```bash
npm install @dooor-ai/trust
```
The easiest way to use @dooor-ai/trust in a NestJS project is with the attachToNest helper function. It automatically detects your HTTP adapter (Express or Fastify) and registers the necessary routes.
1. Update your main.ts
In your main application file (src/main.ts), import and call attachToNest right after you create your Nest app instance.
```typescript
// src/main.ts
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
import { attachToNest } from '@dooor-ai/trust'; // 1. Import the helper

async function bootstrap() {
  const app = await NestFactory.create(AppModule);

  // 2. Attach the TEE routes before listening
  attachToNest(app, {
    prefix: '/__attestation', // Optional: The base path for TEE routes
    audience: 'my-workload-id', // Required: A unique identifier for your workload
    requireLoopback: true, // Optional (default: true): Enforce requests come from 127.0.0.1
  });

  await app.listen(process.env.PORT || 8080);
}

bootstrap();
```
2. That's it!
Your application will now expose the following endpoints:
- GET /__attestation/tee/health: A simple health check endpoint.
- POST /__attestation/tee/token: The main attestation endpoint.
The attachToNest function adds a few raw routes to the underlying HTTP adapter (Express or Fastify) before the application starts listening for requests. This is a lightweight way to add functionality without creating a full NestJS module.
Because these routes are not full NestJS controllers, they do not participate in the standard NestJS lifecycle (e.g., they will not trigger global guards, pipes, or interceptors). This is intentional, as these endpoints are typically meant for internal, infrastructure-level communication.
The attachToNest function accepts the following options:
| Option | Type | Default | Description |
| ----------------- | --------- | ------------------- | ------------------------------------------------------------------------------------------------------- |
| audience | string | Required | A unique identifier for your application workload. This is used as the aud claim in the attestation JWT. |
| prefix | string | "/__attestation" | The base path under which the TEE routes (/tee/health, /tee/token) will be registered. |
| requireLoopback | boolean | true | If true, rejects any request that does not originate from a loopback IP address (127.0.0.1 or ::1). |
| tokenType | 'PKI', 'OIDC' | 'PKI' | The type of token to request from the TEE environment. |
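
The loopback rule that requireLoopback describes, written out as an added example; this is not the @dooor-ai/trust implementation, and the function names, the PeerInfo shape and the rejection of proxied requests are assumptions. It goes slightly beyond the two addresses in the table by also accepting the IPv4-mapped form ::ffff:127.0.0.1 that Node.js reports on dual-stack listeners.

```typescript
// Added example: not code from @dooor-ai/trust. All names here are hypothetical.

// Minimal shape of the request fields the check needs (constructed for this example).
interface PeerInfo {
  remoteAddress: string | undefined;            // e.g. req.socket.remoteAddress in Node.js
  headers: Record<string, string | undefined>;  // lower-cased header names
}

// Headers that indicate the request passed through a proxy before reaching this process.
const FORWARDING_HEADERS = ['x-forwarded-for', 'forwarded', 'x-real-ip'];

// True only for 127.0.0.1, ::1, and the IPv4-mapped form ::ffff:127.0.0.1.
function isLoopbackAddress(addr: string | undefined): boolean {
  if (!addr) return false;                        // no peer address: fail closed
  const a = addr.trim().toLowerCase();
  if (a === '127.0.0.1' || a === '::1') return true;
  if (a.startsWith('::ffff:')) return a.slice(7) === '127.0.0.1';
  return false;
}

// Decide from the TCP peer address, never from client-supplied headers.
// A forwarding header means a local reverse proxy relayed the request, so the
// loopback peer address says nothing about where the caller really is.
function allowAttestationRequest(req: PeerInfo): { allowed: boolean; reason: string } {
  if (!isLoopbackAddress(req.remoteAddress)) {
    return { allowed: false, reason: 'peer is not loopback' };
  }
  const proxied = FORWARDING_HEADERS.find((h) => req.headers[h] !== undefined);
  if (proxied) {
    return { allowed: false, reason: `proxied request (${proxied})` };
  }
  return { allowed: true, reason: 'loopback peer' };
}

// Constructed sample requests.
const samples: PeerInfo[] = [
  { remoteAddress: '127.0.0.1', headers: {} },
  { remoteAddress: '::ffff:127.0.0.1', headers: {} },
  { remoteAddress: '10.0.0.7', headers: { 'x-forwarded-for': '127.0.0.1' } },
  { remoteAddress: '127.0.0.1', headers: { 'x-forwarded-for': '203.0.113.9' } },
];
for (const s of samples) {
  console.log(s.remoteAddress, JSON.stringify(allowAttestationRequest(s)));
}
```

Because the attached routes skip global guards, a check of this kind is the only gate in front of the token endpoint, so it matters that it reads the socket peer rather than a header.
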
This project is licensed under the Apache-2.0 License.