npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@super-protocol/attestation-wasm

v0.1.1

Published

Shared Go WASM attestation verifier for browser extensions and Node.js.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

denisbezrukovspdenisbezrukovspagentrxagentrxnukrinukriserega_kserega_kvkspvksp

Keywords

Readme

@super-protocol/attestation-wasm

Shared Go/WASM attestation verifier for browser extensions and Node.js.

The package exposes one TypeScript API backed by shared Go code compiled with GOOS=js GOARCH=wasm.

Entrypoints:

  • @super-protocol/attestation-wasm/browser for Chrome extension and Vite/browser usage.
  • @super-protocol/attestation-wasm/node for Node.js usage on a PC.
  • @super-protocol/attestation-wasm as the default public entrypoint.

The runtime model is an async singleton: WASM initialization happens lazily once per JavaScript runtime, and public APIs return promises.

Usage

import { createAttestationVerifier } from '@super-protocol/attestation-wasm';

const verifier = await createAttestationVerifier();
const result = await verifier.verifyTdxQuote(quoteBytes);

For one-off calls:

import { verifyTdxQuote } from '@super-protocol/attestation-wasm';

const result = await verifyTdxQuote(quoteBytes);

The verifier expects a raw Intel TDX quote as Uint8Array or ArrayBuffer. By default, Intel PCS collateral and CRL checks are enabled. In browser extensions, run verification from an extension context with the required host_permissions, not from a content script.

verifyTdxQuote accepts TDX-only call options directly:

await verifier.verifyTdxQuote(quoteBytes, {
  getCollateral: true,
  checkRevocations: true,
});

verifyTeeEvidence accepts per-evidence options:

await verifier.verifyTeeEvidence(serializedTeeEvidence, {
  tdx: {
    getCollateral: true,
    checkRevocations: true,
  },
  sevSnp: {},
});

Verification results include logs captured from the underlying Go verifier. For APIs that throw, the thrown error also carries logs.

verifyTdxQuote returns separate verification checks so callers can make their own policy decision:

const { result, logs } = await verifier.verifyTdxQuote(quoteBytes);

result.quoteIntegrity; // true when the quote is cryptographically valid
// true when CRL was checked and the cert chain is not revoked;
// false when CRL was requested and the check did not confirm a clean status
// (cert revoked OR CRL fetch/parse failed — these are not distinguished);
// undefined when CRL was not requested or could not be evaluated.
result.certChainRevocationStatusOk;
result.tdxTcbStatus; // e.g. 'UpToDate' or 'OutOfDate'; undefined when not checked
result.qeTcbStatus;
logs; // logs captured from the underlying Go verifier

There is no top-level verdict in the TDX result. Callers decide whether to accept the evidence from the individual checks and TCB statuses. Invalid quotes and unclassified verifier failures throw instead of returning a structured failure state.

To use PCCS instead of Intel PCS, pass the same pccsUrl shape used by sgx_default_qcnl.conf:

await verifier.verifyTdxQuote(quoteBytes, {
  pccsUrl: 'https://pccs.example.com:8081/sgx/certification/v4/',
});

await verifier.verifyTeeEvidence(serializedTeeEvidence, {
  tdx: {
    pccsUrl: 'https://pccs.example.com:8081/sgx/certification/v4/',
  },
});

The value may include /sgx/certification/v4/, matching QCNL config, or just the PCCS server root. Intel PCS URLs keep their original /tdx/certification/v4/... or /sgx/certification/v4/... paths on that PCCS server. Intel Root CA CRL distribution URL is mapped to /sgx/certification/v4/rootcacrl and decoded from PCCS hex response to DER bytes for go-tdx-guest.

If pccsUrl is omitted, Intel PCS URLs are used as provided by go-tdx-guest.

Network retries follow go-tdx-guest defaults unless overridden:

await verifier.verifyTeeEvidence(serializedTeeEvidence, {
  tdx: {
    network: {
      timeoutMs: 120_000,
      initialRetryDelayMs: 2_000,
      maxRetryDelayMs: 30_000,
      retries: true,
    },
  },
});

Dependencies

This package pins github.com/google/go-tdx-guest to a pre-release pseudo-version rather than the latest release tag (v0.3.1). The reason is that v0.3.1 does not expose SupportedTcbLevelsFromCollateral (or an equivalent), so TCB/QE status cannot be read separately from the verdict — any OutOfDate (and similar non-fatal) status causes the whole verification to fail. That is too strict for our use case: we surface tdxTcbStatus and qeTcbStatus in the result and let the caller apply its own policy on which statuses are acceptable.

The pseudo-version will be replaced with the next upstream release tag that contains the required APIs.

Build

npm install
npm run build

The build compiles TypeScript, builds go/cmd/tdx-wasm to dist/tdx_verifier.wasm, and copies wasm_exec.js from the same Go toolchain into dist/.