feat: add verifySignatureNoTimestamp for batch/offline inference

Author: khalifaT

contracts/solidity/TEEInferenceVerifier.sol

@@ -6,25 +6,7 @@ import "./precompiles/tee/ITEEVerifier.sol";
 import "@openzeppelin/contracts/access/AccessControl.sol";
 
 /// @title TEEInferenceVerifier - Verification for TEE-signed inference outputs
-/// @notice Stateless verifier that confirms an AI inference output was produced by a
-///         registered, active TEE within an acceptable time window.
-///
-/// @dev ## How It Works
-///
-///  When a TEE runs an inference, it signs `keccak256(inputHash || outputHash || timestamp)`
-///  with its RSA-PSS private key. Any party (settlement relay, on-chain consumer, etc.) can
-///  then call `verifySignature` to confirm authenticity. The check is three-fold:
-///
-///    1. **TEE status** — the TEE must be active in the `TEERegistry`.
-///    2. **Timestamp bounds** — the signed timestamp must be within
-///       `[block.timestamp - MAX_INFERENCE_AGE, block.timestamp + FUTURE_TOLERANCE]`
-///       to prevent replay of stale results and reject clock-skewed signatures.
-///    3. **Cryptographic proof** — the RSA-PSS signature is verified against the TEE's
-///       on-chain public key via the 0x900 precompile.
-///
-///  The contract is intentionally read-only (no state mutations in `verifySignature`) so
-///  it can be called from view contexts and composed freely by downstream contracts like
-///  `InferenceSettlementRelay`.
+/// @notice Reads TEE public keys from TEERegistry and verifies RSA-PSS signatures with timestamp validation.
 contract TEEInferenceVerifier is AccessControl {
 
     // ============ Constants ============
@@ -82,35 +64,74 @@ contract TEEInferenceVerifier is AccessControl {
         return keccak256(abi.encodePacked(inputHash, outputHash, timestamp));
     }
 
-    /// @notice Verify a TEE signature with timestamp validation
-    /// @dev Returns false for invalid signatures, inactive TEEs, or out-of-bounds timestamps.
+    /// @notice Shared core verification logic (TEE active check + cryptographic verification)
+    /// @dev Does NOT check timestamp bounds — callers are responsible for that.
+    /// @param teeId Registered TEE identifier
+    /// @param inputHash Hash of the inference input
+    /// @param outputHash Hash of the inference output
+    /// @param timestamp Unix timestamp the TEE embedded when signing — still part of the signed hash
+    /// @param signature RSA-PSS signature from the TEE's signing key
+    /// @return True if TEE is active and signature is cryptographically valid
+    function _verifyCore(
+        bytes32 teeId,
+        bytes32 inputHash,
+        bytes32 outputHash,
+        uint256 timestamp,
+        bytes calldata signature
+    ) internal view returns (bool) {
+        // 1. TEE must be active in the registry
+        if (!registry.isActive(teeId)) return false;
+
+        // 2. Cryptographic verification
+        bytes memory pubKey = registry.getPublicKey(teeId);
+        bytes32 msgHash = computeMessageHash(inputHash, outputHash, timestamp);
+        return VERIFIER.verifyRSAPSS(pubKey, msgHash, signature);
+    }
 
+    /// @notice Verify a TEE signature with timestamp validation
+    /// @dev Use this for real-time inference — rejects results older than MAX_INFERENCE_AGE
+    ///      or timestamped more than FUTURE_TOLERANCE into the future (clock drift tolerance).
     /// @param teeId Registered TEE identifier
     /// @param inputHash Hash of the inference input
     /// @param outputHash Hash of the inference output
     /// @param timestamp Unix timestamp the TEE embedded when signing (seconds)
     /// @param signature RSA-PSS signature from the TEE's signing key
-    /// @return True if TEE is active, timestamp is valid, and signature is correct
+    /// @return True if TEE is active, timestamp is within bounds, and signature is correct
     function verifySignature(
         bytes32 teeId,
         bytes32 inputHash,
         bytes32 outputHash,
         uint256 timestamp,
         bytes calldata signature
     ) public view returns (bool) {
-        // 1. TEE must be enabled in the registry
-        if (!registry.isTEEEnabled(teeId)) return false;
-
-        // 2. Timestamp bounds
-        uint256 minTs = block.timestamp > MAX_INFERENCE_AGE 
-            ? block.timestamp - MAX_INFERENCE_AGE 
+        // Timestamp bounds — inference must be recent and not too far in the future
+        uint256 minTs = block.timestamp > MAX_INFERENCE_AGE
+            ? block.timestamp - MAX_INFERENCE_AGE
             : 0;
         uint256 maxTs = block.timestamp + FUTURE_TOLERANCE;
         if (timestamp < minTs || timestamp > maxTs) return false;
 
-        // 3. Cryptographic verification
-        bytes memory pubKey = registry.getTEEPublicKey(teeId);
-        bytes32 msgHash = computeMessageHash(inputHash, outputHash, timestamp);
-        return VERIFIER.verifyRSAPSS(pubKey, msgHash, signature);
+        return _verifyCore(teeId, inputHash, outputHash, timestamp, signature);
+    }
+
+    /// @notice Verify a TEE signature without timestamp bounds check
+    /// @dev Use this for batch inference, offline jobs, historical audits, or testing
+    ///      where the inference may have been produced outside the MAX_INFERENCE_AGE window.
+    ///      The timestamp is still part of the signed message and must match what the TEE signed —
+    ///      only the recency window check is skipped.
+    /// @param teeId Registered TEE identifier
+    /// @param inputHash Hash of the inference input
+    /// @param outputHash Hash of the inference output
+    /// @param timestamp Unix timestamp the TEE embedded when signing (seconds)
+    /// @param signature RSA-PSS signature from the TEE's signing key
+    /// @return True if TEE is active and signature is cryptographically valid
+    function verifySignatureNoTimestamp(
+        bytes32 teeId,
+        bytes32 inputHash,
+        bytes32 outputHash,
+        uint256 timestamp,
+        bytes calldata signature
+    ) public view returns (bool) {
+        return _verifyCore(teeId, inputHash, outputHash, timestamp, signature);
     }
 }