ContextQMD
Back to Eliza

@elizaos/plugin-tee

plugins/plugin-tee/README.md

2.0.14.2 KB
Original Source

@elizaos/plugin-tee

Trusted Execution Environment (TEE) integration plugin for elizaOS, providing secure key management and remote attestation capabilities.

Features

  • šŸ” Remote Attestation - Generate verifiable proofs that your agent is running in a secure TEE
  • šŸ”‘ Key Derivation - Securely derive Ed25519 (Solana) and ECDSA (EVM) keypairs within the TEE
  • šŸ›”ļø Vendor Support - Extensible vendor system (currently supports Phala Network)
  • āš” Type Safe - Strong typing with TypeScript

Quick Start

TypeScript

typescript
import { teePlugin, TEEService } from "@elizaos/plugin-tee";
import { AgentRuntime } from "@elizaos/core";

// Register the plugin
const runtime = new AgentRuntime({
  plugins: [teePlugin],
});

// Or use the service directly
const service = await TEEService.start(runtime);
const solanaKeys = await service.deriveEd25519Keypair(
  "salt",
  "solana",
  agentId,
);
const evmKeys = await service.deriveEcdsaKeypair("salt", "evm", agentId);

Configuration

Environment Variables

VariableDescriptionRequiredDefault
TEE_MODEOperation mode: LOCAL, DOCKER, PRODUCTIONYes-
WALLET_SECRET_SALTSecret salt for deterministic key derivationYes-
TEE_VENDORTEE vendor to useNophala

TEE Modes

  • LOCAL: Development mode using simulator at localhost:8090
  • DOCKER: Docker development mode using simulator at host.docker.internal:8090
  • PRODUCTION: Production mode connecting to real TEE infrastructure

Components

Actions

ActionDescription
REMOTE_ATTESTATIONGenerate and upload a remote attestation quote to prove TEE execution

Providers

ProviderDescription
phala-derive-keyDerive Solana and EVM keypairs with attestation
phala-remote-attestationGenerate remote attestation quotes

Services

ServiceDescription
TEEServiceMain service for key derivation and management

API Reference

TEEService

typescript
class TEEService {
  // Derive Ed25519 keypair for Solana
  async deriveEd25519Keypair(
    path: string,
    subject: string,
    agentId: UUID,
  ): Promise<{ keypair: Keypair; attestation: RemoteAttestationQuote }>;

  // Derive ECDSA keypair for EVM
  async deriveEcdsaKeypair(
    path: string,
    subject: string,
    agentId: UUID,
  ): Promise<{
    keypair: PrivateKeyAccount;
    attestation: RemoteAttestationQuote;
  }>;

  // Derive raw key for custom use cases
  async rawDeriveKey(path: string, subject: string): Promise<DeriveKeyResponse>;
}

Remote Attestation

typescript
class PhalaRemoteAttestationProvider {
  // Generate attestation quote
  async generateAttestation(
    reportData: string,
    hashAlgorithm?: TdxQuoteHashAlgorithm,
  ): Promise<RemoteAttestationQuote>;
}

Directory Structure

plugins/plugin-tee/
ā”œā”€ā”€ typescript/           # TypeScript implementation
ā”‚   ā”œā”€ā”€ src/
ā”‚   ā”‚   ā”œā”€ā”€ actions/      # Remote attestation action
ā”‚   ā”‚   ā”œā”€ā”€ providers/    # Key derivation & attestation providers
ā”‚   ā”‚   ā”œā”€ā”€ services/     # TEE service
ā”‚   ā”‚   ā”œā”€ā”€ types/        # Type definitions
ā”‚   ā”‚   ā”œā”€ā”€ vendors/      # Vendor implementations
ā”‚   ā”‚   ā””ā”€ā”€ index.ts      # Main entry point
ā”‚   ā””ā”€ā”€ __tests__/        # Unit tests
ā”œā”€ā”€ package.json          # NPM manifest
ā””ā”€ā”€ README.md             # This file

Development

Building

bash
bun run build
bun run test

Linting

bash
# TypeScript
bun run format:check