Merge branch 'develop' into feat/kill-containers-feature

Author: standujar

evidence/tee/full-stack-local-2026-05-20.json

@@ -8,6 +8,7 @@ import type { TeeEvidence } from "../src/services/tee-evidence.ts";
 import {
   HttpTeeKeyReleaseClient,
   LocalTeeKeyReleaseClient,
+  wrapTeeReleaseKey,
 } from "../src/services/tee-key-release.ts";
 import { evaluateTeeEvidencePolicy } from "../src/services/tee-policy.ts";
 
@@ -191,6 +192,7 @@ async function handleKeyReleaseRequest(
     keyId: string;
     context?: string;
     nonce: string;
+    ephemeralPublicKey: string;
     policy: Parameters<typeof evaluateTeeEvidencePolicy>[1];
     evidence: TeeEvidence;
   };
@@ -207,11 +209,18 @@ async function handleKeyReleaseRequest(
     .update(payload.evidence.measurements?.agent ?? "", "utf8")
     .update(payload.evidence.measurements?.policy ?? "", "utf8")
     .digest("hex");
+  // Wrap the released key to the agent's ephemeral public key so the client's
+  // X25519/HKDF/AES-256-GCM unwrap succeeds (plan §3.2 step 5).
+  const wrappedKey = wrapTeeReleaseKey({
+    keyMaterialHex,
+    agentEphemeralPublicKeyDerBase64: payload.ephemeralPublicKey,
+    nonceHex: payload.nonce,
+  });
   response.writeHead(200, { "content-type": "application/json" });
   response.end(
     JSON.stringify({
       keyId: payload.keyId,
-      keyMaterialHex,
+      wrappedKey,
       // Echo the client-issued nonce for the replay-binding check.
       nonce: payload.nonce,
       decision,

packages/agent/scripts/tee-full-stack-local.ts

@@ -1552,9 +1552,9 @@ async function handleRequest(
     pathname === "/api/onboarding/status" &&
     isCloudProvisioned;
   const isWhatsAppWebhookEndpoint = pathname === "/api/whatsapp/webhook";
-  const isBlueBubblesWebhookEndpoint =
-    pathname ===
-    resolveBlueBubblesWebhookPath({
+  const blueBubblesWebhookPath =
+    typeof resolveBlueBubblesWebhookPath === "function"
+      ? resolveBlueBubblesWebhookPath({
       runtime: state.runtime
         ? {
             getService: (type: string) =>
@@ -1563,7 +1563,10 @@ async function handleRequest(
               ).getService(type),
           }
         : undefined,
-    });
+        })
+      : null;
+  const isBlueBubblesWebhookEndpoint =
+    blueBubblesWebhookPath != null && pathname === blueBubblesWebhookPath;
   const isAuthProtectedPath = isAuthProtectedRoute(pathname);
 
   const canonicalizeRestartReason = (reason: string): string => {
@@ -1700,8 +1703,12 @@ async function handleRequest(
   }
 
   const localInferenceServerApi = await getLocalInferenceServerApi();
-  if (await localInferenceServerApi.handleLocalInferenceRoutes(req, res))
+  if (
+    typeof localInferenceServerApi.handleLocalInferenceRoutes === "function" &&
+    (await localInferenceServerApi.handleLocalInferenceRoutes(req, res))
+  ) {
     return;
+  }
   if (
     localInferenceServerApi.handleLocalInferenceTtsRoute &&
     (await localInferenceServerApi.handleLocalInferenceTtsRoute(req, res, {
@@ -4422,6 +4429,12 @@ export async function startApiServer(opts?: {
         agentId,
       },
     );
+    if (!result || typeof result !== "object") {
+      logger.warn(
+        "[x402] startup validator returned no result; skipping x402 route validation",
+      );
+      return;
+    }
     if (!result.valid) {
       throw new Error(
         `x402 configuration invalid:\n${result.errors.map((e) => `  • ${e}`).join("\n")}`,

packages/agent/scripts/tee-local-smoke.ts

@@ -0,0 +1,101 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { createTestVault, type TestVault } from "@elizaos/vault";
+import type { TeeBootGate } from "../services/tee-boot-gate.ts";
+import {
+  clearTeeBootGateState,
+  setTeeBootGateState,
+} from "../services/tee-boot-gate-state.ts";
+import {
+  bridgeAgentWalletsToProcessEnv,
+  ensureAgentWallets,
+  revealAgentWalletPrivateKey,
+} from "./agent-wallets.ts";
+
+const blockingGate: TeeBootGate = {
+  policy: undefined,
+  teeConfigured: true,
+  required: true,
+  productionProfile: false,
+  secretsEnabled: false,
+};
+
+const AGENT_ID = "tee-gate-agent";
+
+describe("agent-wallets TEE boot-gate enforcement", () => {
+  let test: TestVault;
+
+  beforeEach(async () => {
+    clearTeeBootGateState();
+    test = await createTestVault();
+    await ensureAgentWallets(test.vault, AGENT_ID, "test");
+  });
+
+  afterEach(async () => {
+    clearTeeBootGateState();
+    delete process.env.ELIZA_AGENT_WALLET_AS_USER;
+    delete process.env.EVM_PRIVATE_KEY;
+    delete process.env.SOLANA_PRIVATE_KEY;
+    await test.dispose();
+  });
+
+  describe("revealAgentWalletPrivateKey", () => {
+    it("reveals normally when no gate is set (inert default)", async () => {
+      const pk = await revealAgentWalletPrivateKey(
+        test.vault,
+        AGENT_ID,
+        "evm",
+        "test",
+      );
+      expect(typeof pk).toBe("string");
+      expect(pk.length).toBeGreaterThan(0);
+    });
+
+    it("refuses with a [TeeBootGate] error when the gate blocks", async () => {
+      setTeeBootGateState(blockingGate);
+      await expect(
+        revealAgentWalletPrivateKey(test.vault, AGENT_ID, "evm", "test"),
+      ).rejects.toThrow(/\[TeeBootGate\].*reveal blocked/);
+    });
+  });
+
+  describe("bridgeAgentWalletsToProcessEnv", () => {
+    it("bridges to process.env when opted in and no gate is set", async () => {
+      process.env.ELIZA_AGENT_WALLET_AS_USER = "1";
+      const descriptors = [
+        {
+          agentId: AGENT_ID,
+          chain: "evm" as const,
+          address: "0xabc",
+          lastModified: Date.now(),
+        },
+      ];
+      await bridgeAgentWalletsToProcessEnv(
+        test.vault,
+        AGENT_ID,
+        descriptors,
+        "test",
+      );
+      expect(process.env.EVM_PRIVATE_KEY?.length ?? 0).toBeGreaterThan(0);
+    });
+
+    it("skips the bridge (no env write) when the gate blocks", async () => {
+      process.env.ELIZA_AGENT_WALLET_AS_USER = "1";
+      setTeeBootGateState(blockingGate);
+      const descriptors = [
+        {
+          agentId: AGENT_ID,
+          chain: "evm" as const,
+          address: "0xabc",
+          lastModified: Date.now(),
+        },
+      ];
+      await bridgeAgentWalletsToProcessEnv(
+        test.vault,
+        AGENT_ID,
+        descriptors,
+        "test",
+      );
+      expect(process.env.EVM_PRIVATE_KEY).toBeUndefined();
+    });
+  });
+});

packages/agent/src/api/server.ts

@@ -18,9 +18,11 @@
  * up — see `runtime/eliza.ts`.
  */
 
+import { logger } from "@elizaos/core";
 import type { WalletChain } from "@elizaos/shared";
 import { removeEntryMeta, setEntryMeta, type Vault } from "@elizaos/vault";
 import { deriveEvmAddress, generateWalletForChain } from "../api/wallet.ts";
+import { teeBootGateBlocksSecrets } from "../services/tee-boot-gate-state.ts";
 
 const PREFIX = "agent";
 const SEGMENT = "wallet";
@@ -146,6 +148,15 @@ export async function revealAgentWalletPrivateKey(
   chain: WalletChain,
   caller?: string,
 ): Promise<string> {
+  // Fail-closed under a blocking TEE boot gate: a signing private key is a
+  // high-value secret and must not be revealed when TEE evidence is not
+  // trusted. Inert when no TEE policy is configured (the gate is unset/not
+  // required), so normal/local-only boots are unaffected.
+  if (teeBootGateBlocksSecrets()) {
+    throw new Error(
+      `[TeeBootGate] agent-wallet private-key reveal blocked: TEE evidence is not trusted (agentId=${agentId}, chain=${chain}).`,
+    );
+  }
   const key = walletKey(agentId, chain);
   const raw = await vault.reveal(key, caller);
   return parseStored(raw).privateKey;
@@ -342,6 +353,16 @@ export async function bridgeAgentWalletsToProcessEnv(
 ): Promise<void> {
   // Default off. Skipping bridge unless explicitly opted in.
   if (process.env.ELIZA_AGENT_WALLET_AS_USER !== "1") return;
+  // Fail-closed under a blocking TEE boot gate: do not write private keys into
+  // process.env when TEE evidence is not trusted. Skip-with-warn so the boot
+  // continues secret-less. Inert when no TEE policy is configured.
+  if (teeBootGateBlocksSecrets()) {
+    logger.warn(
+      { agentId },
+      "[TeeBootGate] Skipping agent-wallet → process.env bridge: TEE evidence is not trusted.",
+    );
+    return;
+  }
   for (const d of descriptors) {
     const envKey = CHAIN_TO_ENV_KEY[d.chain];
     if (process.env[envKey]?.trim()) continue; // user-set wins

packages/agent/src/runtime/agent-wallets-tee-gate.test.ts

@@ -221,6 +221,15 @@ import {
   SandboxManager,
   type SandboxMode,
 } from "../services/sandbox-manager.ts";
+import { createDstackTeeProvider } from "../services/dstack-tee-provider.ts";
+import {
+  evaluateTeeBootGate,
+  type TeeBootGate,
+} from "../services/tee-boot-gate.ts";
+import {
+  setTeeBootGateState,
+  teeBootGateBlocksSecrets,
+} from "../services/tee-boot-gate-state.ts";
 import {
   resolveDefaultAgentWorkspaceDir,
   shouldBootstrapWorkspaceInitFiles,
@@ -3995,7 +4004,47 @@ export async function startEliza(
     );
   };
 
+  // One-time TEE boot gate (plan §4.1 / agent A4). Inert when no TEE policy is
+  // configured: `evaluateTeeBootGate` returns secretsEnabled:true and normal/
+  // local-only boots are unaffected. When ELIZA_TEE_REQUIRED (or a production
+  // profile) resolves a required policy and the evidence is not trusted, the
+  // gate fails closed and high-value capabilities (remote plugin sync; future
+  // model-key/signing consumers) are withheld. Boot still proceeds in a
+  // degraded, secret-less mode — it never silently continues with secrets.
+  const runTeeBootGate = async (): Promise<void> => {
+    let teeBootGate: TeeBootGate;
+    try {
+      teeBootGate = await evaluateTeeBootGate({
+        env: process.env,
+        evidenceProvider: createDstackTeeProvider({ env: process.env }),
+      });
+    } catch (err) {
+      // A TEE policy was configured but evidence could not be collected or
+      // evaluated. Fail closed rather than crash the boot.
+      teeBootGate = {
+        policy: undefined,
+        teeConfigured: true,
+        required: true,
+        productionProfile: process.env.ELIZA_TEE_PRODUCTION_PROFILE === "true",
+        secretsEnabled: false,
+      };
+      logger.error(
+        `[TeeBootGate] TEE evidence evaluation failed; secrets disabled (fail-closed): ${formatError(err)}`,
+      );
+    }
+    // Publish the one-time decision so secret-path modules (agent-wallet key
+    // reveal/bridge, remote plugin sync) can consult it via the shared
+    // singleton. Inert when no TEE: the gate's `required` is false.
+    setTeeBootGateState(teeBootGate);
+  };
+
   const syncRemoteCapabilityPluginsIfAvailable = async (): Promise<void> => {
+    if (teeBootGateBlocksSecrets()) {
+      logger.warn(
+        "[TeeBootGate] Skipping remote capability plugin sync: TEE evidence is not trusted.",
+      );
+      return;
+    }
     try {
       const result = await bootstrapRemoteCapabilityPlugins(runtime, {
         unloadMissing: true,
@@ -4136,6 +4185,7 @@ export async function startEliza(
     await registerConnectorSetupService();
     await registerRemoteCodingRunner();
     await initializeCoreRuntime();
+    await runTeeBootGate();
     await syncRemoteCapabilityPluginsIfAvailable();
     await applyPluginRoleGatingIfAvailable();
     await registerConversationProximityProvider();

packages/agent/src/runtime/agent-wallets.ts

@@ -0,0 +1,81 @@
+import { afterEach, describe, expect, it } from "vitest";
+import type { TeeBootGate } from "./tee-boot-gate.ts";
+import {
+  clearTeeBootGateState,
+  getTeeBootGateState,
+  setTeeBootGateState,
+  teeBootGateBlocksSecrets,
+} from "./tee-boot-gate-state.ts";
+
+const blockingGate: TeeBootGate = {
+  policy: undefined,
+  teeConfigured: true,
+  required: true,
+  productionProfile: false,
+  secretsEnabled: false,
+};
+
+const trustedRequiredGate: TeeBootGate = {
+  policy: undefined,
+  teeConfigured: true,
+  required: true,
+  productionProfile: false,
+  secretsEnabled: true,
+};
+
+const localOnlyGate: TeeBootGate = {
+  policy: undefined,
+  teeConfigured: false,
+  required: false,
+  productionProfile: false,
+  secretsEnabled: true,
+};
+
+describe("tee-boot-gate-state", () => {
+  afterEach(() => {
+    clearTeeBootGateState();
+  });
+
+  it("is inert by default (no gate set)", () => {
+    expect(getTeeBootGateState()).toBeUndefined();
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+
+  it("set/get round-trips the published decision", () => {
+    setTeeBootGateState(blockingGate);
+    expect(getTeeBootGateState()).toBe(blockingGate);
+  });
+
+  it("clear resets to the inert default", () => {
+    setTeeBootGateState(blockingGate);
+    clearTeeBootGateState();
+    expect(getTeeBootGateState()).toBeUndefined();
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+
+  it("blocks only when required AND secrets disabled", () => {
+    setTeeBootGateState(blockingGate);
+    expect(teeBootGateBlocksSecrets()).toBe(true);
+  });
+
+  it("does not block when TEE is required but evidence is trusted", () => {
+    setTeeBootGateState(trustedRequiredGate);
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+
+  it("does not block for a local-only (not required) gate", () => {
+    setTeeBootGateState(localOnlyGate);
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+
+  it("does not block when secrets are disabled but policy is not required", () => {
+    setTeeBootGateState({
+      policy: undefined,
+      teeConfigured: true,
+      required: false,
+      productionProfile: false,
+      secretsEnabled: false,
+    });
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+});