Skip to content

Am/example/tvc chainalysis#1

Open
am-hernandez wants to merge 54 commits into
mainfrom
am/example/tvc-chainalysis
Open

Am/example/tvc chainalysis#1
am-hernandez wants to merge 54 commits into
mainfrom
am/example/tvc-chainalysis

Conversation

@am-hernandez

Copy link
Copy Markdown
Contributor

adds TVC-Chainalysis Example

Imports a new Turnkey Verifiable Cloud example application: tvc-chainalysis.

This app mocks calls to Chainalysis for OFAC sanctions screening, demonstrating how to run a verifiable screening service on TVC.

Details

  • Added under tvc-chainalysis/ via git subtree (full history preserved).
  • Contains two apps:
    • apps/tvc-app — Go service (the verifiable workload + proof generation)
    • apps/web — Next.js frontend (screening UI, send-ETH flow, proof badge)
  • The example's README.md is a full walkthrough/guide for building, deploying, and verifying the TVC app
    • guide covers Turnkey dashboard and CLI routes

…af03a90'

git-subtree-dir: tvc-chainalysis
git-subtree-mainline: 55e3e1b
git-subtree-split: f64f4ea
@socket-security

socket-security Bot commented Jun 24, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @esbuild/aix-ppc64 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/drizzle-kit@0.21.4npm/@esbuild/aix-ppc64@0.19.12

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@esbuild/aix-ppc64@0.19.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @internationalized/date is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/@turnkey/react-wallet-kit@1.11.1npm/@internationalized/date@3.12.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@internationalized/date@3.12.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @noble/hashes is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/@turnkey/react-wallet-kit@1.11.1npm/@turnkey/sdk-server@1.7.3npm/@noble/hashes@1.8.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@noble/hashes@1.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @noble/hashes is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/@turnkey/react-wallet-kit@1.11.1npm/@turnkey/sdk-server@1.7.3npm/@noble/hashes@1.8.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@noble/hashes@1.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm better-sqlite3 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/apps/web/package.jsonnpm/better-sqlite3@12.9.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/better-sqlite3@12.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm brace-expansion is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint-config-next@16.2.4npm/brace-expansion@5.0.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/brace-expansion@5.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint-config-next@16.2.4npm/next@16.2.10npm/@turnkey/sdk-server@1.7.3npm/caniuse-lite@1.0.30001788

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001788. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint-config-next@16.2.4npm/next@16.2.10npm/@turnkey/sdk-server@1.7.3npm/caniuse-lite@1.0.30001788

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001788. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm caniuse-lite is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint-config-next@16.2.4npm/next@16.2.10npm/@turnkey/sdk-server@1.7.3npm/caniuse-lite@1.0.30001788

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001788. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm commander is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/drizzle-kit@0.21.4npm/commander@9.5.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/commander@9.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm damerau-levenshtein is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint-config-next@16.2.4npm/damerau-levenshtein@1.0.8

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/damerau-levenshtein@1.0.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm es-abstract is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint-config-next@16.2.4npm/es-abstract@1.24.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Protestware or unwanted behavior: npm es5-ext

Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.

From: tvc-chainalysis/pnpm-lock.yamlnpm/drizzle-kit@0.21.4npm/es5-ext@0.10.64

ℹ Read more on: This package | This alert | What is protestware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm eslint-plugin-react is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint-config-next@16.2.4npm/eslint-plugin-react@7.37.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-plugin-react@7.37.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm jiti is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint@9.39.4npm/@tailwindcss/postcss@4.2.2npm/jiti@2.6.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@2.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm next is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/@turnkey/sdk-server@1.7.3npm/next@15.5.20

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@15.5.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm node-fetch-native is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/@turnkey/react-wallet-kit@1.11.1npm/node-fetch-native@1.6.7

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch-native@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm string.prototype.trimend is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: tvc-chainalysis/pnpm-lock.yamlnpm/eslint-config-next@16.2.4npm/string.prototype.trimend@1.0.9

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/string.prototype.trimend@1.0.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

richardpringle
richardpringle previously approved these changes Jun 29, 2026

@richardpringle richardpringle left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Basically all nits. I do think you should consider my comments, but I think it would be better to apply changes in a follow up

func (c *ChainalysisClient) CheckAddress(ctx context.Context, address string) (*chainalysisResponse, error) {
if mocked, ok := mockedAddresses[strings.ToLower(address)]; ok {
return mocked, nil
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this really matters, but it's a little strange to me that the request either goes to the real Chainalysis OR you get a cached mock-response. I would have a mock-client that gives back 100% mocked responses or a real client, not a combination of the two.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My thinking here was that I can get mocked responses for two addresses, one sanctioned and one not sanctioned. And any other address would actually attempt to call Chainalysis API. The latter case remained so that I can view the error thrown and in case egress became available, but it was more useful during testing than it is right now. I agree it should be 100% mock response now, and I can always update in the future for egress availability.

Comment thread tvc-chainalysis/apps/tvc-app/main.go Outdated
Comment on lines +59 to +63
mux.HandleFunc("GET /health", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
fmt.Fprintln(w, `{"status":"ok"}`)
})

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I'm looking at examples, I often want to look at the meat of the example and ignore the boilerplate. If would be nice if instead of using a closure here that we just had a func healthcheck.

Comment thread tvc-chainalysis/apps/tvc-app/main.go Outdated
Comment on lines +88 to +90
if identifications == nil {
identifications = []Identification{}
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could add this normalization to the chainalysis client. It might also be good to add a comment as to why it's needed

Comment thread tvc-chainalysis/apps/tvc-app/main.go Outdated
})

// Screen an address for sanctions.
mux.HandleFunc("POST /screen", func(w http.ResponseWriter, r *http.Request) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would also be good if we had a named function instead of a closure for this

Comment thread tvc-chainalysis/apps/tvc-app/proof.go Outdated

const ephemeralKeyFile = "/qos.ephemeral.key"

// QOS derive paths — must match qos_p256/src/lib.rs

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should probably be a permalink or a link to the docs:
https://docs.rs/qos_p256/0.10.2/qos_p256/constant.P256_ENCRYPT_DERIVE_PATH.html

Comment thread tvc-chainalysis/README.md Outdated
| `TURNKEY_API_PRIVATE_KEY` | Same (shown once on creation) |
| `TURNKEY_ORG_ID` | Turnkey dashboard → Settings → Organization |
| `NEXT_PUBLIC_TURNKEY_ORG_ID` | Same as above |
| `NEXT_PUBLIC_AUTH_PROXY_CONFIG_ID` | See Step 2 below |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not set up the Auth Proxy before setting the .env file?

Comment thread tvc-chainalysis/README.md Outdated
4. On success `authState` becomes `Authenticated` and the screening tool appears
5. Sign-out calls `logout()` from `useTurnkey()` — no server-side session involved

Authentication is entirely client-side via `@turnkey/react-wallet-kit`. No cookies, no JWTs, no custom session management.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a plug? Do we want to link docs for those interested?

Comment thread tvc-chainalysis/README.md Outdated
| `0x1da5821544e25c636c1417ba96ade4cf6d2f9b5a` | Sanctioned (OFAC SDN — Secondeye Solution) |
| `0xffc93b73e5f9fa038598b675ed394faed168688b` | Clean |

Any other address will attempt the real Chainalysis API call (which will fail inside the enclave until egress is enabled).

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😢

Comment thread tvc-chainalysis/README.md
3. Paste your operator public key (from `tvc login`)
4. Click **Create new TVC App**

### Option B — CLI

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait, we shouldn't push the audience to download and build the cli from source if they use the UI. I think we can just point them to the tvc readme for installation here.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Connected to the earlier comment on the options for installing the tvc CLI, the audience require the CLI to login and obtain the operator key and API public key. I wanted this readme to cover both dashboard and CLI flows originally, but the first step and the approval step require the CLI in either flow.

I am adding a link to the tvc readme in the prerequisites so that the audience is always able to get the current installation instruction.

Comment thread tvc-chainalysis/README.md

---

## Database schema

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to just link to the file here, otherwise it'll be confusing if the file gets updated and this gets out of sync.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants