Add TLSNotary Support

.beads/.local_version

@@ -1 +1 @@
-0.42.0
+0.43.0

.env.example

@@ -27,3 +27,15 @@ OMNI_MAX_CONNECTIONS_PER_IP=10
 OMNI_MAX_REQUESTS_PER_SECOND_PER_IP=100
 OMNI_MAX_REQUESTS_PER_SECOND_PER_IDENTITY=200
 
+# TLSNotary HTTPS Attestation (optional - disabled by default)
+# Enables MPC-TLS attestation for verifiable HTTPS proofs
+TLSNOTARY_ENABLED=false
+TLSNOTARY_PORT=7047
+# TLSNOTARY_SIGNING_KEY: 32-byte hex secp256k1 private key (required if enabled)
+# Generate with: openssl rand -hex 32
+TLSNOTARY_SIGNING_KEY=
+# WebSocket proxy port for browser TCP tunneling
+TLSNOTARY_PROXY_PORT=55688
+# Optional: Adjust data limits (bytes)
+TLSNOTARY_MAX_SENT_DATA=16384
+TLSNOTARY_MAX_RECV_DATA=65536

.gitignore

@@ -205,3 +205,6 @@ devnet/identities/
 devnet/.env
 devnet/postgres-data/
 ipfs_53550/data_53550/ipfs
+.tlsnotary-key
+src/features/tlsnotary/SDK_INTEGRATION.md
+src/features/tlsnotary/SDK_INTEGRATION.md

.serena/memories/tlsnotary_integration_context.md

@@ -0,0 +1,79 @@
+# TLSNotary Backend Integration Context
+
+## Beads Tracking
+
+- **Epic**: `node-6lo` - TLSNotary Backend Integration
+- **Tasks** (in dependency order):
+  1. `node-3yq` - Copy pre-built .so library (READY)
+  2. `node-ebc` - Create FFI bindings 
+  3. `node-r72` - Create TLSNotaryService
+  4. `node-9kw` - Create Fastify routes
+  5. `node-mwm` - Create feature entry point
+  6. `node-2fw` - Integrate with node startup
+  7. `node-hgf` - Add SDK discovery endpoint
+  8. `node-8sq` - Type check and lint
+
+## Reference Code Locations
+
+### Pre-built Binary
+```
+/home/tcsenpai/tlsn/demos_tlsnotary/node/rust/target/release/libtlsn_notary.so
+```
+Target: `libs/tlsn/libtlsn_notary.so`
+
+### FFI Reference Implementation
+```
+/home/tcsenpai/tlsn/demos_tlsnotary/node/ts/TLSNotary.ts
+```
+Complete working bun:ffi bindings to adapt for `src/features/tlsnotary/ffi.ts`
+
+### Demo App Reference
+```
+/home/tcsenpai/tlsn/demos_tlsnotary/demo/src/app.tsx
+```
+Browser-side attestation flow with tlsn-js WASM
+
+### Integration Documentation
+```
+/home/tcsenpai/tlsn/demos_tlsnotary/BACKEND_INTEGRATION.md
+/home/tcsenpai/tlsn/demos_tlsnotary/INTEGRATION.md
+```
+
+## FFI Symbols (from reference TLSNotary.ts)
+
+```typescript
+const symbols = {
+  tlsn_init: { args: [], returns: FFIType.i32 },
+  tlsn_notary_create: { args: [FFIType.ptr], returns: FFIType.ptr },
+  tlsn_notary_start_server: { args: [FFIType.ptr, FFIType.u16], returns: FFIType.i32 },
+  tlsn_notary_stop_server: { args: [FFIType.ptr], returns: FFIType.i32 },
+  tlsn_verify_attestation: { args: [FFIType.ptr, FFIType.u64], returns: FFIType.ptr },
+  tlsn_notary_get_public_key: { args: [FFIType.ptr, FFIType.ptr, FFIType.u64], returns: FFIType.i32 },
+  tlsn_notary_destroy: { args: [FFIType.ptr], returns: FFIType.void },
+  tlsn_free_verification_result: { args: [FFIType.ptr], returns: FFIType.void },
+  tlsn_free_string: { args: [FFIType.ptr], returns: FFIType.void },
+};
+```
+
+## FFI Struct Layouts
+
+### NotaryConfig (40 bytes)
+- signing_key ptr (8 bytes)
+- signing_key_len (8 bytes) 
+- max_sent_data (8 bytes)
+- max_recv_data (8 bytes)
+- server_port (2 bytes + padding)
+
+### VerificationResultFFI (40 bytes)
+- status (4 bytes + 4 padding)
+- server_name ptr (8 bytes)
+- connection_time (8 bytes)
+- sent_len (4 bytes)
+- recv_len (4 bytes)
+- error_message ptr (8 bytes)
+
+## SDK Integration (Already Complete)
+
+Package `@kynesyslabs/demosdk` v2.7.2 has `tlsnotary/` module with:
+- TLSNotary class: initialize(), attest(), verify(), getTranscript()
+- Located in `/home/tcsenpai/kynesys/sdks/src/tlsnotary/`

devnet/scripts/generate-identity-helper.ts

@@ -35,5 +35,5 @@ const identity = await ucrypto.getIdentity("ed25519")
 // uint8ArrayToHex already includes 0x prefix
 const pubkeyHex = uint8ArrayToHex(identity.publicKey)
 
-console.log('MNEMONIC:' + mnemonic)
-console.log('PUBKEY:' + pubkeyHex)
+console.log("MNEMONIC:" + mnemonic)
+console.log("PUBKEY:" + pubkeyHex)

install-deps.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -e
+set -u
+set -o pipefail
+
+# Verify prerequisites
+command -v bun >/dev/null 2>&1 || { echo "Error: bun is not installed" >&2; exit 1; }
+command -v cargo >/dev/null 2>&1 || { echo "Error: cargo is not installed" >&2; exit 1; }
+
+bun install
+bun pm trust --all || true
+
+# Install wstcp only if not already present
+if ! command -v wstcp >/dev/null 2>&1; then
+  echo "Installing wstcp..."
+  cargo install wstcp
+else
+  echo "wstcp already installed, skipping"
+fi
+
+echo "All dependencies have been installed"
+

package.json

@@ -59,14 +59,13 @@
         "@fastify/cors": "^9.0.1",
         "@fastify/swagger": "^8.15.0",
         "@fastify/swagger-ui": "^4.1.0",
-        "@kynesyslabs/demosdk": "^2.5.13",
+        "@kynesyslabs/demosdk": "^2.7.10",
         "@metaplex-foundation/js": "^0.20.1",
         "@modelcontextprotocol/sdk": "^1.13.3",
         "@noble/ed25519": "^3.0.0",
         "@noble/hashes": "^2.0.1",
         "@octokit/core": "^6.1.5",
         "@scure/bip39": "^2.0.1",
-        "@octokit/core": "^6.1.5",
         "@solana/web3.js": "^1.98.4",
         "@types/express": "^4.17.21",
         "@types/http-proxy": "^1.17.14",
@@ -91,7 +90,7 @@
         "lodash": "^4.17.21",
         "node-disk-info": "^1.3.0",
         "node-fetch": "2",
-        "node-forge": "^1.3.1",
+        "node-forge": "^1.3.3",
         "node-seal": "^5.1.3",
         "npm-check-updates": "^16.14.18",
         "ntp-client": "^0.5.3",

run

@@ -351,6 +351,12 @@ function ctrl_c() {
         docker compose down
         cd ..
     fi
+    # Stop TLSNotary container if running (enabled by default)
+    if [ "$TLSNOTARY_DISABLED" != "true" ] && [ -d "tlsnotary" ]; then
+        (cd tlsnotary && docker compose down --timeout 5 2>/dev/null) || true
+        # Force kill if still running
+        docker rm -f "tlsn-notary-${TLSNOTARY_PORT:-7047}" 2>/dev/null || true
+    fi
 }
 
 # Function to check if we are on the first run with the .RUN file
@@ -746,6 +752,51 @@ if [ "$EXTERNAL_DB" = false ]; then
     fi
 fi
 
+# TLSNotary Docker container management (enabled by default)
+# Set TLSNOTARY_DISABLED=true to disable
+if [ "$TLSNOTARY_DISABLED" != "true" ]; then
+    TLSNOTARY_PORT="${TLSNOTARY_PORT:-7047}"
+    echo "🔐 Starting TLSNotary notary container..."
+
+    if [ -d "tlsnotary" ]; then
+        cd tlsnotary
+
+        # Stop any existing container
+        docker compose down > /dev/null 2>&1 || true
+
+        # Start the TLSNotary container
+        log_verbose "Starting TLSNotary container on port $TLSNOTARY_PORT"
+        if ! TLSNOTARY_PORT=$TLSNOTARY_PORT docker compose up -d; then
+            echo "⚠️  Warning: Failed to start TLSNotary container"
+            echo "💡 TLSNotary attestation features will not be available"
+        else
+            echo "✅ TLSNotary container started on port $TLSNOTARY_PORT"
+
+            # Wait for TLSNotary to be healthy (max 15 seconds)
+            log_verbose "Waiting for TLSNotary to be healthy..."
+            TLSN_TIMEOUT=15
+            TLSN_COUNT=0
+            while ! curl -sf "http://localhost:$TLSNOTARY_PORT/info" > /dev/null 2>&1; do
+                TLSN_COUNT=$((TLSN_COUNT+1))
+                if [ $TLSN_COUNT -gt $TLSN_TIMEOUT ]; then
+                    echo "⚠️  Warning: TLSNotary health check timeout"
+                    break
+                fi
+                sleep 1
+            done
+
+            if [ $TLSN_COUNT -le $TLSN_TIMEOUT ]; then
+                echo "✅ TLSNotary is ready"
+            fi
+        fi
+        cd ..
+    else
+        echo "⚠️  Warning: tlsnotary folder not found, skipping TLSNotary setup"
+    fi
+else
+    log_verbose "TLSNotary disabled (TLSNOTARY_DISABLED=true)"
+fi
+
 # Ensuring the logs folder exists
 mkdir -p logs
 
@@ -809,6 +860,26 @@ if [ "$EXTERNAL_DB" = false ]; then
     cd ..
 fi
 
+# Stop TLSNotary container if it was started (enabled by default)
+if [ "$TLSNOTARY_DISABLED" != "true" ] && [ -d "tlsnotary" ]; then
+    echo "🛑 Stopping TLSNotary container..."
+    TLSN_CONTAINER="tlsn-notary-${TLSNOTARY_PORT:-7047}"
+
+    # Try graceful shutdown first with short timeout
+    cd tlsnotary
+    docker compose down --timeout 5 2>/dev/null || true
+    cd ..
+
+    # Force kill if still running
+    if docker ps -q -f "name=$TLSN_CONTAINER" 2>/dev/null | grep -q .; then
+        echo "   Force stopping TLSNotary container..."
+        docker kill "$TLSN_CONTAINER" 2>/dev/null || true
+        docker rm -f "$TLSN_CONTAINER" 2>/dev/null || true
+    fi
+
+    echo "✅ TLSNotary stopped"
+fi
+
 echo ""
 echo "🏁 Demos Network node session completed"
 echo "💡 Thank you for running a Demos Network node!"