near · pbeza · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/attestation-cli/Cargo.toml b/crates/attestation-cli/Cargo.toml
@@ -10,10 +10,10 @@ path = "src/main.rs"
 
 [dependencies]
 anyhow = { workspace = true }
-attestation = { workspace = true }
+attestation-types = { workspace = true }
 bs58 = { workspace = true }
 clap = { workspace = true }
-mpc-attestation = { workspace = true }
+mpc-attestation = { workspace = true, features = ["local-verify"] }
 mpc-primitives = { workspace = true }
 node-types = { workspace = true }
 reqwest = { workspace = true }

diff --git a/crates/attestation-cli/src/output.rs b/crates/attestation-cli/src/output.rs
@@ -1,4 +1,4 @@
-use attestation::attestation::VerificationError;
+use attestation_types::verify_post_dcap::VerificationError;
 use node_types::http_server::StaticWebData;
 use time::OffsetDateTime;
 

diff --git a/crates/attestation-cli/src/verify.rs b/crates/attestation-cli/src/verify.rs
@@ -1,10 +1,10 @@
 use std::path::Path;
 
 use anyhow::Context;
-use attestation::{
-    attestation::VerificationError,
+use attestation_types::{
     measurements::{ExpectedMeasurements, Measurements},
     tcb_info::TcbInfo,
+    verify_post_dcap::VerificationError,
 };
 use mpc_attestation::attestation::{ValidatedDstackAttestation, VerifiedAttestation};
 use mpc_primitives::hash::{LauncherDockerComposeHash, NodeImageHash};
@@ -65,8 +65,12 @@ pub fn verify_at_timestamp(
         VerificationError::Custom(format!("failed to load expected measurements: {e}"))
     })?;
 
-    // Single verify call — same verification logic as the contract and node
-    let verified = attestation.verify(
+    // Off-chain local verification: dcap-qvl + post-DCAP in one call.
+    // (The on-chain `mpc-contract` does this in two steps over a
+    // cross-contract Promise; see `mpc-contract`'s
+    // `submit_participant_info` / `on_attestation_verified`.)
+    let verified = mpc_attestation::local_verify::local_verify(
+        attestation,
         report_data.into(),
         timestamp_seconds,
         &cli.allowed_image_hashes,

diff --git a/crates/attestation-types/src/dstack_attestation.rs b/crates/attestation-types/src/dstack_attestation.rs
@@ -15,7 +15,13 @@ use alloc::{format, string::String};
 
 use crate::{collateral::Collateral, quote::QuoteBytes, tcb_info::TcbInfo};
 
+// `BorshSchema` derive expands to `T::declaration().to_string()`, which is
+// only in scope under no_std when `alloc::string::ToString` is imported.
+#[cfg(feature = "borsh-schema")]
+use alloc::string::ToString as _;
+
 #[derive(Clone, Constructor, Serialize, Deserialize, BorshDeserialize, BorshSerialize)]
+#[cfg_attr(feature = "borsh-schema", derive(borsh::BorshSchema))]
 pub struct DstackAttestation {
     pub quote: QuoteBytes,
     pub collateral: Collateral,

diff --git a/crates/attestation-types/src/report_data.rs b/crates/attestation-types/src/report_data.rs
@@ -1,7 +1,15 @@
+use borsh::{BorshDeserialize, BorshSerialize};
+
+// `BorshSchema` derive expands to `T::declaration().to_string()`, which is
+// only in scope under no_std when `alloc::string::ToString` is imported.
+#[cfg(feature = "borsh-schema")]
+use alloc::string::ToString as _;
+
 /// Number of bytes for the report data.
 pub const REPORT_DATA_SIZE: usize = 64;
 
-#[derive(Debug, Clone, derive_more::From)]
+#[derive(Debug, Clone, derive_more::From, BorshSerialize, BorshDeserialize)]
+#[cfg_attr(feature = "borsh-schema", derive(borsh::BorshSchema))]
 pub struct ReportData([u8; REPORT_DATA_SIZE]);
 
 impl ReportData {

diff --git a/crates/attestation-types/src/tcb_info.rs b/crates/attestation-types/src/tcb_info.rs
@@ -6,6 +6,11 @@ use dstack_sdk_types::dstack::{EventLog as DstackEventLog, TcbInfo as DstackTcbI
 use serde::{Deserialize, Serialize};
 use serde_with::{FromInto, hex::Hex, serde_as};
 
+// `BorshSchema` derive expands to `T::declaration().to_string()`, which is
+// only in scope under no_std when `alloc::string::ToString` is imported.
+#[cfg(feature = "borsh-schema")]
+use alloc::string::ToString as _;
+
 #[derive(Clone, Debug, PartialEq, Eq, thiserror::Error)]
 pub enum ParsingError {
     #[error("wrong lenght: {0}")]
@@ -16,6 +21,7 @@ pub enum ParsingError {
 
 #[serde_as]
 #[derive(Debug, Clone, Serialize, Deserialize, BorshSerialize, BorshDeserialize)]
+#[cfg_attr(feature = "borsh-schema", derive(borsh::BorshSchema))]
 pub struct TcbInfo {
     pub mrtd: HexBytes<48>,
     pub rtmr0: HexBytes<48>,
@@ -32,6 +38,7 @@ pub struct TcbInfo {
 
 #[serde_as]
 #[derive(Debug, Clone, Serialize, Deserialize, BorshSerialize, BorshDeserialize)]
+#[cfg_attr(feature = "borsh-schema", derive(borsh::BorshSchema))]
 pub struct EventLog {
     pub imr: u32,
     pub event_type: u32,
@@ -57,6 +64,7 @@ pub struct EventLog {
     derive_more::AsRef,
     derive_more::Deref,
 )]
+#[cfg_attr(feature = "borsh-schema", derive(borsh::BorshSchema))]
 #[serde(transparent)]
 pub struct HexBytes<const N: usize>(#[serde_as(as = "Hex")] [u8; N]);
 

diff --git a/crates/contract/Cargo.toml b/crates/contract/Cargo.toml
@@ -37,13 +37,18 @@ container_build_command = [
 crate-type = ["cdylib", "lib"]
 
 [features]
+default = ["mainnet"]
 test-utils = ["rand", "threshold-signatures", "near-mpc-contract-interface/blstrs"]
 # WASM-compatible benchmark endpoints for sandbox gas testing
 bench-contract-methods = []
 # Exposes constructors for DTO-to-internal type conversion in the node.
 # TODO(#381): Remove once the node no longer depends on the contract crate.
 compat = []
 dev-utils = ["rand", "threshold-signatures", "near-mpc-contract-interface/blstrs"]
+# Selects the verifier account ID baked into `VERIFIER_ACCOUNT_ID`.
+# Default-on so `cargo near build` targets mainnet; sandbox tests
+# disable default features to fall through to the testnet account.
+mainnet = []
 abi = [
     "borsh/unstable__schema",
     "near-mpc-contract-interface/abi",
@@ -58,6 +63,7 @@ __abi-generate = ["abi", "near-sdk/__abi-generate"]
 
 [dependencies]
 assert_matches = { workspace = true }
+attestation-types = { workspace = true }
 blstrs = { workspace = true }
 borsh = { workspace = true }
 curve25519-dalek = { workspace = true }
@@ -86,6 +92,7 @@ rand = { workspace = true, optional = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 serde_with = { workspace = true }
+tee-verifier-interface = { workspace = true }
 thiserror = { workspace = true }
 threshold-signatures = { workspace = true, optional = true }
 
@@ -108,6 +115,7 @@ digest = { workspace = true }
 ecdsa = { workspace = true }
 futures = { workspace = true }
 insta = { workspace = true }
+mpc-attestation = { workspace = true, features = ["local-verify"] }
 mpc-contract = { workspace = true, features = ["compat", "test-utils"] }
 near-abi = { workspace = true }
 near-mpc-sdk = { workspace = true }