Attested Mode (Preview)
Attested mode routes the transformation through a TEE-backed execution path
and emits attestation evidence. If enclave: "auto" is used and a native
enclave runtime is unavailable, the SDK uses a simulator fallback
(no hardware security guarantees).
When to use attested mode
- You need cryptographic evidence that the transformation executed as expected
- You need verification artifacts for compliance and audit trails
- You can accept the overhead of attestation and verification
Recommended settings
const axiom = new Axiom({
  securityTier: "attested",
  enclave: "auto",
  policyVersion: "v1",
  platform: {
    type: "sev-snp",
    verificationMode: "permissive",
  },
});
Required mode
Use enclave: "required" to fail if native enclave execution is unavailable:
const axiom = new Axiom({
  securityTier: "attested",
  enclave: "required",
  policyVersion: "v1",
});
If a native enclave runtime is unavailable, axiom.reason() throws a
ConfigurationError.
Evidence contents
attestationEvidence includes:
- report: raw attestation report bytes
- measurement: enclave code identity
- configHash, sessionId, outputHash, timestamp
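Added example, not part of the SDK or its documentation: relying-party policy checks over the evidence fields listed above. It assumes hex-encoded measurement and hash fields, outputHash as SHA-256 of the UTF-8 output, and timestamp in epoch milliseconds; checkEvidence, the policy object and the sample values are hypothetical.

```javascript
// Relying-party checks over attestationEvidence fields (added example).
// Assumptions: hex-encoded measurement/hashes, outputHash = SHA-256 of the
// UTF-8 output, timestamp = epoch milliseconds. None of this is SDK API.
const { createHash, timingSafeEqual } = require("node:crypto");

const HEX = /^(?:[0-9a-f]{2})+$/i;

// Constant-time comparison of two hex strings; false if either is malformed.
function hexEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (!HEX.test(a) || !HEX.test(b)) return false;
  const x = Buffer.from(a, "hex"), y = Buffer.from(b, "hex");
  return x.length === y.length && timingSafeEqual(x, y);
}

// Returns a list of policy failures; an empty list means every check passed.
function checkEvidence(evidence, output, policy, now = Date.now()) {
  const failures = [];
  if (!policy.allowedMeasurements.some((m) => hexEqual(m, evidence.measurement))) {
    failures.push("measurement not in allow-list");
  }
  if (!hexEqual(evidence.configHash, policy.expectedConfigHash)) {
    failures.push("configHash does not match pinned configuration");
  }
  if (evidence.sessionId !== policy.sessionId) {
    failures.push("sessionId belongs to a different session");
  }
  const recomputed = createHash("sha256").update(output, "utf8").digest("hex");
  if (!hexEqual(evidence.outputHash, recomputed)) {
    failures.push("outputHash does not cover the output received");
  }
  const age = now - evidence.timestamp;
  if (!Number.isFinite(age) || age < 0 || age > policy.maxAgeMs) {
    failures.push("timestamp outside freshness window");
  }
  return failures;
}

// Constructed sample values, not real evidence.
const sampleOutput = '{"result":"ok"}';
const samplePolicy = { allowedMeasurements: ["ab".repeat(48)],
  expectedConfigHash: "cd".repeat(32), sessionId: "sess-123", maxAgeMs: 60_000 };
const sampleEvidence = { measurement: "AB".repeat(48), configHash: "cd".repeat(32),
  sessionId: "sess-123", timestamp: 1_700_000_000_000,
  outputHash: createHash("sha256").update(sampleOutput, "utf8").digest("hex") };
```

These field checks also pass on simulator evidence, which is structurally valid, so they complement verification of the report and do not authenticate it.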
Simulator notes
Simulator mode is for development and testing only. It produces structurally valid evidence without real platform authentication.