elizaOS
diff --git a/‎evidence/tee/full-stack-local-2026-05-20.json‎
Lines changed: 591 additions & 153 deletions b/‎evidence/tee/full-stack-local-2026-05-20.json‎
Lines changed: 591 additions & 153 deletions
diff --git a/‎packages/agent/scripts/tee-full-stack-local.ts‎
Lines changed: 692 additions & 259 deletions b/‎packages/agent/scripts/tee-full-stack-local.ts‎
Lines changed: 692 additions & 259 deletions
diff --git a/‎packages/agent/src/api/server.ts‎
Lines changed: 18 additions & 5 deletions b/‎packages/agent/src/api/server.ts‎
Lines changed: 18 additions & 5 deletions
diff --git a/‎packages/agent/src/runtime/agent-wallets-tee-gate.test.ts‎
Lines changed: 101 additions & 0 deletions b/‎packages/agent/src/runtime/agent-wallets-tee-gate.test.ts‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎packages/agent/src/runtime/agent-wallets.ts‎
Lines changed: 21 additions & 0 deletions b/‎packages/agent/src/runtime/agent-wallets.ts‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎packages/agent/src/runtime/eliza.ts‎
Lines changed: 9 additions & 5 deletions b/‎packages/agent/src/runtime/eliza.ts‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎packages/agent/src/services/tee-boot-gate-state.test.ts‎
Lines changed: 81 additions & 0 deletions b/‎packages/agent/src/services/tee-boot-gate-state.test.ts‎
Lines changed: 81 additions & 0 deletions
diff --git a/‎packages/agent/src/services/tee-boot-gate-state.ts‎
Lines changed: 47 additions & 0 deletions b/‎packages/agent/src/services/tee-boot-gate-state.ts‎
Lines changed: 47 additions & 0 deletions
@@ -1552,9 +1552,9 @@ async function handleRequest(
     pathname === "/api/onboarding/status" &&
     isCloudProvisioned;
   const isWhatsAppWebhookEndpoint = pathname === "/api/whatsapp/webhook";
-  const isBlueBubblesWebhookEndpoint =
-    pathname ===
-    resolveBlueBubblesWebhookPath({
+  const blueBubblesWebhookPath =
+    typeof resolveBlueBubblesWebhookPath === "function"
+      ? resolveBlueBubblesWebhookPath({
       runtime: state.runtime
         ? {
             getService: (type: string) =>
@@ -1563,7 +1563,10 @@ async function handleRequest(
               ).getService(type),
           }
         : undefined,
-    });
+        })
+      : null;
+  const isBlueBubblesWebhookEndpoint =
+    blueBubblesWebhookPath != null && pathname === blueBubblesWebhookPath;
   const isAuthProtectedPath = isAuthProtectedRoute(pathname);
 
   const canonicalizeRestartReason = (reason: string): string => {
@@ -1700,8 +1703,12 @@ async function handleRequest(
   }
 
   const localInferenceServerApi = await getLocalInferenceServerApi();
-  if (await localInferenceServerApi.handleLocalInferenceRoutes(req, res))
+  if (
+    typeof localInferenceServerApi.handleLocalInferenceRoutes === "function" &&
+    (await localInferenceServerApi.handleLocalInferenceRoutes(req, res))
+  ) {
     return;
+  }
   if (
     localInferenceServerApi.handleLocalInferenceTtsRoute &&
     (await localInferenceServerApi.handleLocalInferenceTtsRoute(req, res, {
@@ -4422,6 +4429,12 @@ export async function startApiServer(opts?: {
         agentId,
       },
     );
+    if (!result || typeof result !== "object") {
+      logger.warn(
+        "[x402] startup validator returned no result; skipping x402 route validation",
+      );
+      return;
+    }
     if (!result.valid) {
       throw new Error(
         `x402 configuration invalid:\n${result.errors.map((e) => `  • ${e}`).join("\n")}`,
 
@@ -0,0 +1,101 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { createTestVault, type TestVault } from "@elizaos/vault";
+import type { TeeBootGate } from "../services/tee-boot-gate.ts";
+import {
+  clearTeeBootGateState,
+  setTeeBootGateState,
+} from "../services/tee-boot-gate-state.ts";
+import {
+  bridgeAgentWalletsToProcessEnv,
+  ensureAgentWallets,
+  revealAgentWalletPrivateKey,
+} from "./agent-wallets.ts";
+
+const blockingGate: TeeBootGate = {
+  policy: undefined,
+  teeConfigured: true,
+  required: true,
+  productionProfile: false,
+  secretsEnabled: false,
+};
+
+const AGENT_ID = "tee-gate-agent";
+
+describe("agent-wallets TEE boot-gate enforcement", () => {
+  let test: TestVault;
+
+  beforeEach(async () => {
+    clearTeeBootGateState();
+    test = await createTestVault();
+    await ensureAgentWallets(test.vault, AGENT_ID, "test");
+  });
+
+  afterEach(async () => {
+    clearTeeBootGateState();
+    delete process.env.ELIZA_AGENT_WALLET_AS_USER;
+    delete process.env.EVM_PRIVATE_KEY;
+    delete process.env.SOLANA_PRIVATE_KEY;
+    await test.dispose();
+  });
+
+  describe("revealAgentWalletPrivateKey", () => {
+    it("reveals normally when no gate is set (inert default)", async () => {
+      const pk = await revealAgentWalletPrivateKey(
+        test.vault,
+        AGENT_ID,
+        "evm",
+        "test",
+      );
+      expect(typeof pk).toBe("string");
+      expect(pk.length).toBeGreaterThan(0);
+    });
+
+    it("refuses with a [TeeBootGate] error when the gate blocks", async () => {
+      setTeeBootGateState(blockingGate);
+      await expect(
+        revealAgentWalletPrivateKey(test.vault, AGENT_ID, "evm", "test"),
+      ).rejects.toThrow(/\[TeeBootGate\].*reveal blocked/);
+    });
+  });
+
+  describe("bridgeAgentWalletsToProcessEnv", () => {
+    it("bridges to process.env when opted in and no gate is set", async () => {
+      process.env.ELIZA_AGENT_WALLET_AS_USER = "1";
+      const descriptors = [
+        {
+          agentId: AGENT_ID,
+          chain: "evm" as const,
+          address: "0xabc",
+          lastModified: Date.now(),
+        },
+      ];
+      await bridgeAgentWalletsToProcessEnv(
+        test.vault,
+        AGENT_ID,
+        descriptors,
+        "test",
+      );
+      expect(process.env.EVM_PRIVATE_KEY?.length ?? 0).toBeGreaterThan(0);
+    });
+
+    it("skips the bridge (no env write) when the gate blocks", async () => {
+      process.env.ELIZA_AGENT_WALLET_AS_USER = "1";
+      setTeeBootGateState(blockingGate);
+      const descriptors = [
+        {
+          agentId: AGENT_ID,
+          chain: "evm" as const,
+          address: "0xabc",
+          lastModified: Date.now(),
+        },
+      ];
+      await bridgeAgentWalletsToProcessEnv(
+        test.vault,
+        AGENT_ID,
+        descriptors,
+        "test",
+      );
+      expect(process.env.EVM_PRIVATE_KEY).toBeUndefined();
+    });
+  });
+});
@@ -18,9 +18,11 @@
  * up — see `runtime/eliza.ts`.
  */
 
+import { logger } from "@elizaos/core";
 import type { WalletChain } from "@elizaos/shared";
 import { removeEntryMeta, setEntryMeta, type Vault } from "@elizaos/vault";
 import { deriveEvmAddress, generateWalletForChain } from "../api/wallet.ts";
+import { teeBootGateBlocksSecrets } from "../services/tee-boot-gate-state.ts";
 
 const PREFIX = "agent";
 const SEGMENT = "wallet";
@@ -146,6 +148,15 @@ export async function revealAgentWalletPrivateKey(
   chain: WalletChain,
   caller?: string,
 ): Promise<string> {
+  // Fail-closed under a blocking TEE boot gate: a signing private key is a
+  // high-value secret and must not be revealed when TEE evidence is not
+  // trusted. Inert when no TEE policy is configured (the gate is unset/not
+  // required), so normal/local-only boots are unaffected.
+  if (teeBootGateBlocksSecrets()) {
+    throw new Error(
+      `[TeeBootGate] agent-wallet private-key reveal blocked: TEE evidence is not trusted (agentId=${agentId}, chain=${chain}).`,
+    );
+  }
   const key = walletKey(agentId, chain);
   const raw = await vault.reveal(key, caller);
   return parseStored(raw).privateKey;
@@ -342,6 +353,16 @@ export async function bridgeAgentWalletsToProcessEnv(
 ): Promise<void> {
   // Default off. Skipping bridge unless explicitly opted in.
   if (process.env.ELIZA_AGENT_WALLET_AS_USER !== "1") return;
+  // Fail-closed under a blocking TEE boot gate: do not write private keys into
+  // process.env when TEE evidence is not trusted. Skip-with-warn so the boot
+  // continues secret-less. Inert when no TEE policy is configured.
+  if (teeBootGateBlocksSecrets()) {
+    logger.warn(
+      { agentId },
+      "[TeeBootGate] Skipping agent-wallet → process.env bridge: TEE evidence is not trusted.",
+    );
+    return;
+  }
   for (const d of descriptors) {
     const envKey = CHAIN_TO_ENV_KEY[d.chain];
     if (process.env[envKey]?.trim()) continue; // user-set wins
 
@@ -226,6 +226,10 @@ import {
   evaluateTeeBootGate,
   type TeeBootGate,
 } from "../services/tee-boot-gate.ts";
+import {
+  setTeeBootGateState,
+  teeBootGateBlocksSecrets,
+} from "../services/tee-boot-gate-state.ts";
 import {
   resolveDefaultAgentWorkspaceDir,
   shouldBootstrapWorkspaceInitFiles,
@@ -4007,9 +4011,8 @@ export async function startEliza(
   // gate fails closed and high-value capabilities (remote plugin sync; future
   // model-key/signing consumers) are withheld. Boot still proceeds in a
   // degraded, secret-less mode — it never silently continues with secrets.
-  let teeBootGate: TeeBootGate | undefined;
-
   const runTeeBootGate = async (): Promise<void> => {
+    let teeBootGate: TeeBootGate;
     try {
       teeBootGate = await evaluateTeeBootGate({
         env: process.env,
@@ -4029,11 +4032,12 @@ export async function startEliza(
         `[TeeBootGate] TEE evidence evaluation failed; secrets disabled (fail-closed): ${formatError(err)}`,
       );
     }
+    // Publish the one-time decision so secret-path modules (agent-wallet key
+    // reveal/bridge, remote plugin sync) can consult it via the shared
+    // singleton. Inert when no TEE: the gate's `required` is false.
+    setTeeBootGateState(teeBootGate);
   };
 
-  const teeBootGateBlocksSecrets = (): boolean =>
-    teeBootGate?.required === true && teeBootGate.secretsEnabled === false;
-
   const syncRemoteCapabilityPluginsIfAvailable = async (): Promise<void> => {
     if (teeBootGateBlocksSecrets()) {
       logger.warn(
 
@@ -0,0 +1,81 @@
+import { afterEach, describe, expect, it } from "vitest";
+import type { TeeBootGate } from "./tee-boot-gate.ts";
+import {
+  clearTeeBootGateState,
+  getTeeBootGateState,
+  setTeeBootGateState,
+  teeBootGateBlocksSecrets,
+} from "./tee-boot-gate-state.ts";
+
+const blockingGate: TeeBootGate = {
+  policy: undefined,
+  teeConfigured: true,
+  required: true,
+  productionProfile: false,
+  secretsEnabled: false,
+};
+
+const trustedRequiredGate: TeeBootGate = {
+  policy: undefined,
+  teeConfigured: true,
+  required: true,
+  productionProfile: false,
+  secretsEnabled: true,
+};
+
+const localOnlyGate: TeeBootGate = {
+  policy: undefined,
+  teeConfigured: false,
+  required: false,
+  productionProfile: false,
+  secretsEnabled: true,
+};
+
+describe("tee-boot-gate-state", () => {
+  afterEach(() => {
+    clearTeeBootGateState();
+  });
+
+  it("is inert by default (no gate set)", () => {
+    expect(getTeeBootGateState()).toBeUndefined();
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+
+  it("set/get round-trips the published decision", () => {
+    setTeeBootGateState(blockingGate);
+    expect(getTeeBootGateState()).toBe(blockingGate);
+  });
+
+  it("clear resets to the inert default", () => {
+    setTeeBootGateState(blockingGate);
+    clearTeeBootGateState();
+    expect(getTeeBootGateState()).toBeUndefined();
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+
+  it("blocks only when required AND secrets disabled", () => {
+    setTeeBootGateState(blockingGate);
+    expect(teeBootGateBlocksSecrets()).toBe(true);
+  });
+
+  it("does not block when TEE is required but evidence is trusted", () => {
+    setTeeBootGateState(trustedRequiredGate);
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+
+  it("does not block for a local-only (not required) gate", () => {
+    setTeeBootGateState(localOnlyGate);
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+
+  it("does not block when secrets are disabled but policy is not required", () => {
+    setTeeBootGateState({
+      policy: undefined,
+      teeConfigured: true,
+      required: false,
+      productionProfile: false,
+      secretsEnabled: false,
+    });
+    expect(teeBootGateBlocksSecrets()).toBe(false);
+  });
+});
@@ -0,0 +1,47 @@
+/**
+ * In-process holder for the one-time TEE boot-gate decision (plan §4.1).
+ *
+ * The boot path evaluates the gate exactly once (see
+ * `runtime/eliza.ts` → `runTeeBootGate`). Modules that guard real secret
+ * paths — agent-wallet key reveal/bridge, remote plugin sync — cannot reach
+ * that closure-local decision, so the boot path publishes it here and those
+ * modules consult `teeBootGateBlocksSecrets()`.
+ *
+ * Inert by default: the singleton starts unset. Non-TEE / local-only boots
+ * either never set a gate or set one whose `required === false`, so
+ * `teeBootGateBlocksSecrets()` returns false and gated paths behave exactly as
+ * they did before TEE gating existed.
+ */
+
+import type { TeeBootGate } from "./tee-boot-gate.ts";
+
+let currentGate: TeeBootGate | undefined;
+
+/** Publish the one-time boot-gate decision for cross-module consumption. */
+export function setTeeBootGateState(gate: TeeBootGate): void {
+  currentGate = gate;
+}
+
+/** The published boot-gate decision, or undefined when none has been set. */
+export function getTeeBootGateState(): TeeBootGate | undefined {
+  return currentGate;
+}
+
+/** Reset the singleton. Tests only — production sets the gate exactly once. */
+export function clearTeeBootGateState(): void {
+  currentGate = undefined;
+}
+
+/**
+ * True ONLY when a gate is set, the policy requires trusted TEE evidence, and
+ * that evidence is not trusted (secrets disabled). When no gate is set, or the
+ * policy is not required, or secrets are enabled, this returns false — so the
+ * default (non-TEE) case is fully inert.
+ */
+export function teeBootGateBlocksSecrets(): boolean {
+  return (
+    currentGate !== undefined &&
+    currentGate.required === true &&
+    currentGate.secretsEnabled === false
+  );
+}