@aamp/protocol 1.1.5 → 1.1.6

package/dist/agent.d.ts

@@ -1,7 +1,7 @@
 /**
  * Layer 2: Agent SDK
  */
-import { AccessPurpose, SignedAccessRequest, FeedbackSignal, QualityFlag, AgentIdentityManifest } from './types';
+import { AccessPurpose, SignedAccessRequest, FeedbackSignal, QualityFlag, AgentIdentityManifest } from './types.js';
 export interface AccessOptions {
     adsDisplayed?: boolean;
 }

package/dist/agent.js

@@ -1,9 +1,6 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMPAgent = void 0;
-const crypto_1 = require("./crypto");
-const constants_1 = require("./constants");
-class AAMPAgent {
+import { generateKeyPair, signData, exportPublicKey } from './crypto.js';
+import { AAMP_VERSION } from './constants.js';
+export class AAMPAgent {
     constructor() {
         this.keyPair = null;
         this.agentId = "pending";
@@ -13,7 +10,7 @@ class AAMPAgent {
      * @param customAgentId For PRODUCTION, this should be your domain (e.g., "bot.openai.com")
      */
     async initialize(customAgentId) {
-        this.keyPair = await (0, crypto_1.generateKeyPair)();
+        this.keyPair = await generateKeyPair();
         // Use the provided ID (authentic) or generate a session ID (ephemeral)
         this.agentId = customAgentId || "agent_" + Math.random().toString(36).substring(7);
     }
@@ -21,7 +18,7 @@ class AAMPAgent {
         if (!this.keyPair)
             throw new Error("Agent not initialized. Call initialize() first.");
         const header = {
-            v: constants_1.AAMP_VERSION,
+            v: AAMP_VERSION,
             ts: new Date().toISOString(),
             agent_id: this.agentId,
             resource,
@@ -30,8 +27,8 @@ class AAMPAgent {
                 ads_displayed: options.adsDisplayed || false
             }
         };
-        const signature = await (0, crypto_1.signData)(this.keyPair.privateKey, JSON.stringify(header));
-        const publicKeyExport = await (0, crypto_1.exportPublicKey)(this.keyPair.publicKey);
+        const signature = await signData(this.keyPair.privateKey, JSON.stringify(header));
+        const publicKeyExport = await exportPublicKey(this.keyPair.publicKey);
         return { header, signature, publicKey: publicKeyExport };
     }
     /**
@@ -41,7 +38,7 @@ class AAMPAgent {
     async getIdentityManifest(contactEmail) {
         if (!this.keyPair)
             throw new Error("Agent not initialized.");
-        const publicKey = await (0, crypto_1.exportPublicKey)(this.keyPair.publicKey);
+        const publicKey = await exportPublicKey(this.keyPair.publicKey);
         return {
             agent_id: this.agentId,
             public_key: publicKey,
@@ -62,8 +59,7 @@ class AAMPAgent {
             flags,
             timestamp: new Date().toISOString()
         };
-        const signature = await (0, crypto_1.signData)(this.keyPair.privateKey, JSON.stringify(signal));
+        const signature = await signData(this.keyPair.privateKey, JSON.stringify(signal));
         return { signal, signature };
     }
 }
-exports.AAMPAgent = AAMPAgent;

package/dist/constants.d.ts

@@ -13,6 +13,9 @@ export declare const HEADERS: {
     readonly ALGORITHM: "x-aamp-alg";
     readonly CONTENT_ORIGIN: "x-aamp-content-origin";
     readonly PROVENANCE_SIG: "x-aamp-provenance-sig";
+    readonly PROOF_TOKEN: "x-aamp-proof";
+    readonly PAYMENT_CREDENTIAL: "x-aamp-credential";
+    readonly FEEDBACK: "x-aamp-feedback";
 };
 export declare const CRYPTO_CONFIG: {
     readonly ALGORITHM_NAME: "ECDSA";

package/dist/constants.js

@@ -1,16 +1,13 @@
-"use strict";
 /**
  * Layer 1: Protocol Constants
  * These values are immutable and defined by the AAMP Specification.
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.MAX_CLOCK_SKEW_MS = exports.CRYPTO_CONFIG = exports.HEADERS = exports.WELL_KNOWN_AGENT_PATH = exports.AAMP_VERSION = void 0;
-exports.AAMP_VERSION = '1.1';
+export const AAMP_VERSION = '1.1';
 // The path where Agents MUST host their public key to prove identity.
 // Example: https://bot.openai.com/.well-known/aamp-agent.json
-exports.WELL_KNOWN_AGENT_PATH = '/.well-known/aamp-agent.json';
+export const WELL_KNOWN_AGENT_PATH = '/.well-known/aamp-agent.json';
 // HTTP Headers used for the handshake
-exports.HEADERS = {
+export const HEADERS = {
     // Transport: The signed payload (Base64 encoded JSON of ProtocolHeader)
     PAYLOAD: 'x-aamp-payload',
     // Transport: The cryptographic signature (Hex)
@@ -23,13 +20,19 @@ exports.HEADERS = {
     ALGORITHM: 'x-aamp-alg',
     // v1.1 Addition: Provenance (Server to Agent)
     CONTENT_ORIGIN: 'x-aamp-content-origin',
-    PROVENANCE_SIG: 'x-aamp-provenance-sig'
+    PROVENANCE_SIG: 'x-aamp-provenance-sig',
+    // v1.2 Proof of Value
+    PROOF_TOKEN: 'x-aamp-proof',
+    // v1.2 Payment Credential (The "Digital Receipt")
+    PAYMENT_CREDENTIAL: 'x-aamp-credential',
+    // v1.2 Quality Feedback (The "Dispute Token")
+    FEEDBACK: 'x-aamp-feedback'
 };
 // Cryptographic Settings
-exports.CRYPTO_CONFIG = {
+export const CRYPTO_CONFIG = {
     ALGORITHM_NAME: 'ECDSA',
     CURVE: 'P-256',
     HASH: 'SHA-256',
 };
 // Tolerance
-exports.MAX_CLOCK_SKEW_MS = 5 * 60 * 1000; // 5 minutes
+export const MAX_CLOCK_SKEW_MS = 5 * 60 * 1000; // 5 minutes

package/dist/crypto.js

@@ -1,25 +1,18 @@
-"use strict";
 /**
  * Layer 1: Cryptographic Primitives
  * Implementation of ECDSA P-256 signing/verification.
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateKeyPair = generateKeyPair;
-exports.signData = signData;
-exports.verifySignature = verifySignature;
-exports.exportPublicKey = exportPublicKey;
-exports.importPublicKey = importPublicKey;
-async function generateKeyPair() {
+export async function generateKeyPair() {
     // Uses standard Web Crypto API (Node 19+ compatible)
     return await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
 }
-async function signData(privateKey, data) {
+export async function signData(privateKey, data) {
     const encoder = new TextEncoder();
     const encoded = encoder.encode(data);
     const signature = await crypto.subtle.sign({ name: "ECDSA", hash: { name: "SHA-256" } }, privateKey, encoded);
     return bufToHex(signature);
 }
-async function verifySignature(publicKey, data, signatureHex) {
+export async function verifySignature(publicKey, data, signatureHex) {
     const encoder = new TextEncoder();
     const encodedData = encoder.encode(data);
     const signatureBytes = hexToBuf(signatureHex);
@@ -28,11 +21,11 @@ async function verifySignature(publicKey, data, signatureHex) {
     console.log(`   ${isValid ? "✅" : "❌"} [AAMP Crypto] Signature Result: ${isValid ? "VALID" : "INVALID"}`);
     return isValid;
 }
-async function exportPublicKey(key) {
+export async function exportPublicKey(key) {
     const exported = await crypto.subtle.exportKey("spki", key);
     return btoa(String.fromCharCode(...new Uint8Array(exported)));
 }
-async function importPublicKey(keyData) {
+export async function importPublicKey(keyData) {
     const binaryString = atob(keyData);
     const bytes = new Uint8Array(binaryString.length);
     for (let i = 0; i < binaryString.length; i++) {

package/dist/express.d.ts

@@ -1,4 +1,4 @@
-import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types';
+import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types.js';
 export interface AAMPConfig {
     policy: Omit<AccessPolicy, 'version'>;
     meta: {

package/dist/express.js

@@ -1,18 +1,15 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMP = void 0;
 /**
  * Layer 3: Framework Adapters
  * Zero-friction integration for Express/Node.js.
  */
-const publisher_1 = require("./publisher");
-const types_1 = require("./types");
-const crypto_1 = require("./crypto");
-class AAMP {
+import { AAMPPublisher } from './publisher.js';
+import { ContentOrigin } from './types.js';
+import { generateKeyPair } from './crypto.js';
+export class AAMP {
     constructor(config) {
-        this.publisher = new publisher_1.AAMPPublisher({ version: '1.1', ...config.policy }, config.strategy || 'PASSIVE', config.cache);
-        this.origin = types_1.ContentOrigin[config.meta.origin];
-        this.ready = (0, crypto_1.generateKeyPair)().then(keys => {
+        this.publisher = new AAMPPublisher({ version: '1.1', ...config.policy }, config.strategy || 'PASSIVE', config.cache);
+        this.origin = ContentOrigin[config.meta.origin];
+        this.ready = generateKeyPair().then(keys => {
             return this.publisher.initialize(keys);
         });
     }
@@ -39,7 +36,8 @@ class AAMP {
             if (!result.allowed) {
                 res.status(result.status).json({
                     error: result.reason,
-                    visitor_type: result.visitorType
+                    visitor_type: result.visitorType,
+                    proof_used: result.proofUsed
                 });
                 return;
             }
@@ -64,4 +62,3 @@ class AAMP {
         };
     }
 }
-exports.AAMP = AAMP;

package/dist/index.d.ts

@@ -3,10 +3,10 @@
  *
  * This is the main entry point for the library.
  */
-export * from './types';
-export * from './constants';
-export * from './agent';
-export * from './publisher';
-export * from './crypto';
-export * from './express';
-export { AAMPNext } from './nextjs';
+export * from './types.js';
+export * from './constants.js';
+export * from './agent.js';
+export * from './publisher.js';
+export * from './crypto.js';
+export * from './express.js';
+export { AAMPNext } from './nextjs.js';

package/dist/index.js

@@ -1,30 +1,12 @@
-"use strict";
 /**
  * AAMP SDK Public API
  *
  * This is the main entry point for the library.
  */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMPNext = void 0;
-__exportStar(require("./types"), exports);
-__exportStar(require("./constants"), exports);
-__exportStar(require("./agent"), exports);
-__exportStar(require("./publisher"), exports);
-__exportStar(require("./crypto"), exports);
-__exportStar(require("./express"), exports); // Node.js / Express Adapter
-var nextjs_1 = require("./nextjs"); // Serverless / Next.js Adapter
-Object.defineProperty(exports, "AAMPNext", { enumerable: true, get: function () { return nextjs_1.AAMPNext; } });
+export * from './types.js';
+export * from './constants.js';
+export * from './agent.js';
+export * from './publisher.js';
+export * from './crypto.js';
+export * from './express.js'; // Node.js / Express Adapter
+export { AAMPNext } from './nextjs.js'; // Serverless / Next.js Adapter

package/dist/nextjs.d.ts

@@ -1,4 +1,4 @@
-import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types';
+import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types.js';
 type NextRequest = any;
 type NextResponse = any;
 export interface AAMPConfig {

package/dist/nextjs.js

@@ -1,24 +1,21 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMPNext = void 0;
 /**
  * Layer 3: Framework Adapters
  * Serverless integration for Next.js (App Router & API Routes).
  */
-const publisher_1 = require("./publisher");
-const types_1 = require("./types");
-const crypto_1 = require("./crypto");
+import { AAMPPublisher } from './publisher.js';
+import { ContentOrigin } from './types.js';
+import { generateKeyPair } from './crypto.js';
 const createJsonResponse = (body, status = 200) => {
     return new Response(JSON.stringify(body), {
         status,
         headers: { 'Content-Type': 'application/json' }
     });
 };
-class AAMPNext {
+export class AAMPNext {
     constructor(config) {
-        this.publisher = new publisher_1.AAMPPublisher({ version: '1.1', ...config.policy }, config.strategy || 'PASSIVE', config.cache);
-        this.origin = types_1.ContentOrigin[config.meta.origin];
-        this.ready = (0, crypto_1.generateKeyPair)().then(keys => this.publisher.initialize(keys));
+        this.publisher = new AAMPPublisher({ version: '1.1', ...config.policy }, config.strategy || 'PASSIVE', config.cache);
+        this.origin = ContentOrigin[config.meta.origin];
+        this.ready = generateKeyPair().then(keys => this.publisher.initialize(keys));
     }
     static init(config) {
         return new AAMPNext(config);
@@ -39,7 +36,8 @@ class AAMPNext {
             if (!result.allowed) {
                 return createJsonResponse({
                     error: result.reason,
-                    visitor_type: result.visitorType
+                    visitor_type: result.visitorType,
+                    proof_used: result.proofUsed
                 }, result.status);
             }
             // Execute Handler
@@ -60,4 +58,3 @@ class AAMPNext {
         };
     }
 }
-exports.AAMPNext = AAMPNext;

package/dist/proof.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Verifies a JWT (Proof Token or Payment Credential) using JWKS.
+ *
+ * @param token The JWT string
+ * @param jwksUrl The URL to fetch Public Keys
+ * @param issuer The expected issuer
+ * @param audience The expected audience range
+ */
+export declare function verifyJwt(token: string, jwksUrl: string, issuer: string, audience?: string): Promise<boolean>;

package/dist/proof.js

@@ -0,0 +1,27 @@
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+// In-memory cache for JWKS to avoid repeated fetches
+// Jose's createRemoteJWKSet handles caching/cooldowns internally.
+/**
+ * Verifies a JWT (Proof Token or Payment Credential) using JWKS.
+ *
+ * @param token The JWT string
+ * @param jwksUrl The URL to fetch Public Keys
+ * @param issuer The expected issuer
+ * @param audience The expected audience range
+ */
+export async function verifyJwt(token, jwksUrl, issuer, audience) {
+    try {
+        const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+        const { payload } = await jwtVerify(token, JWKS, {
+            issuer: issuer,
+            audience: audience // specific audience check if provided
+        });
+        // Check specific AAMP claims if we standardize them
+        // if (payload.type !== 'AD_IMPRESSION') return false;
+        return true;
+    }
+    catch (error) {
+        // console.error("Ad Proof Verification Failed:", error);
+        return false;
+    }
+}

package/dist/publisher.d.ts

@@ -1,4 +1,4 @@
-import { AccessPolicy, ContentOrigin, EvaluationResult, IdentityCache, UnauthenticatedStrategy } from './types';
+import { AccessPolicy, ContentOrigin, EvaluationResult, IdentityCache, UnauthenticatedStrategy } from './types.js';
 export declare class AAMPPublisher {
     private policy;
     private keyPair;
@@ -27,4 +27,9 @@ export declare class AAMPPublisher {
     private verifyDnsBinding;
     private isDomain;
     generateResponseHeaders(origin: ContentOrigin): Promise<Record<string, string>>;
+    /**
+     * Handling Quality Feedback (The "Dispute" Layer)
+     * This runs when an Agent sends 'x-aamp-feedback'.
+     */
+    private handleFeedback;
 }

package/dist/publisher.js

@@ -1,13 +1,11 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMPPublisher = void 0;
 /**
  * Layer 2: Publisher Middleware
  * Used by content owners to enforce policy, log access, and filter bots.
  */
-const constants_1 = require("./constants");
-const crypto_1 = require("./crypto");
-const types_1 = require("./types");
+import { HEADERS, MAX_CLOCK_SKEW_MS, WELL_KNOWN_AGENT_PATH } from './constants.js';
+import { exportPublicKey, signData, verifySignature } from './crypto.js';
+import { AccessPurpose } from './types.js';
+import { verifyJwt } from './proof.js';
 /**
  * Default In-Memory Cache (Fallback only)
  * NOT recommended for high-traffic Serverless production.
@@ -33,7 +31,7 @@ class MemoryCache {
         });
     }
 }
-class AAMPPublisher {
+export class AAMPPublisher {
     constructor(policy, strategy = 'PASSIVE', cacheImpl) {
         this.keyPair = null;
         // Default TTL: 1 Hour
@@ -53,7 +51,11 @@ class AAMPPublisher {
      */
     async evaluateVisitor(reqHeaders, rawPayload) {
         // 1. Check for AAMP Headers
-        const hasAamp = reqHeaders[constants_1.HEADERS.PAYLOAD] && reqHeaders[constants_1.HEADERS.SIGNATURE] && reqHeaders[constants_1.HEADERS.PUBLIC_KEY];
+        const hasAamp = reqHeaders[HEADERS.PAYLOAD] && reqHeaders[HEADERS.SIGNATURE] && reqHeaders[HEADERS.PUBLIC_KEY];
+        const feedbackToken = reqHeaders[HEADERS.FEEDBACK];
+        if (feedbackToken) {
+            await this.handleFeedback(feedbackToken, reqHeaders);
+        }
         if (hasAamp) {
             console.log("\n🔎 [AAMP Middleware] Detected Agent Headers. Starting Verification...");
             // It claims to be an Agent. Verify it.
@@ -129,9 +131,9 @@ class AAMPPublisher {
      */
     async handleAgent(reqHeaders, rawPayload) {
         try {
-            const payloadHeader = reqHeaders[constants_1.HEADERS.PAYLOAD];
-            const sigHeader = reqHeaders[constants_1.HEADERS.SIGNATURE];
-            const keyHeader = reqHeaders[constants_1.HEADERS.PUBLIC_KEY];
+            const payloadHeader = reqHeaders[HEADERS.PAYLOAD];
+            const sigHeader = reqHeaders[HEADERS.SIGNATURE];
+            const keyHeader = reqHeaders[HEADERS.PUBLIC_KEY];
             const headerJson = atob(payloadHeader);
             const requestHeader = JSON.parse(headerJson);
             const signedRequest = {
@@ -140,10 +142,17 @@ class AAMPPublisher {
                 publicKey: keyHeader
             };
             const agentKey = await crypto.subtle.importKey("spki", new Uint8Array(atob(keyHeader).split('').map(c => c.charCodeAt(0))), { name: "ECDSA", namedCurve: "P-256" }, true, ["verify"]);
+            const proofToken = reqHeaders[HEADERS.PROOF_TOKEN];
+            const paymentCredential = reqHeaders[HEADERS.PAYMENT_CREDENTIAL];
             // Verify Core Logic
-            const result = await this.verifyRequestLogic(signedRequest, agentKey, headerJson);
+            const result = await this.verifyRequestLogic(signedRequest, agentKey, proofToken, paymentCredential, headerJson);
             if (!result.allowed) {
-                console.log(`⛔ [AAMP Deny] Reason: ${result.reason}`);
+                console.log(`⛔ [AAMP BLOCK] 
+        Agent: ${requestHeader.agent_id}
+        Reason: ${result.reason}
+        VisitorType: ${result.visitorType}
+        Proof: ${result.proofUsed || 'None'}
+        Identity Verified: ${result.identityVerified}`);
                 return {
                     allowed: false,
                     status: 403,
@@ -151,7 +160,11 @@ class AAMPPublisher {
                     visitorType: 'VERIFIED_AGENT'
                 };
             }
-            console.log(`✅ [AAMP Allow] Verified Agent: ${requestHeader.agent_id}`);
+            console.log(`✅ [AAMP ALLOW] 
+      Agent: ${requestHeader.agent_id}
+      Reason: AAMP_VERIFIED
+      Payment Method: ${result.proofUsed}
+      Identity Verified: ${result.identityVerified}`);
             return {
                 allowed: true,
                 status: 200,
@@ -165,21 +178,21 @@ class AAMPPublisher {
             return { allowed: false, status: 400, reason: "INVALID_SIGNATURE", visitorType: 'UNIDENTIFIED_BOT' };
         }
     }
-    async verifyRequestLogic(request, requestPublicKey, rawPayload) {
+    async verifyRequestLogic(request, requestPublicKey, proofToken, paymentCredential, rawPayload) {
         // 1. Replay Attack Prevention
         const requestTime = new Date(request.header.ts).getTime();
-        if (Math.abs(Date.now() - requestTime) > constants_1.MAX_CLOCK_SKEW_MS) {
+        if (Math.abs(Date.now() - requestTime) > MAX_CLOCK_SKEW_MS) {
             return { allowed: false, reason: 'TIMESTAMP_INVALID', identityVerified: false };
         }
         // 2. Crypto Verification
         const signableString = rawPayload || JSON.stringify(request.header);
-        const isCryptoValid = await (0, crypto_1.verifySignature)(requestPublicKey, signableString, request.signature);
+        const isCryptoValid = await verifySignature(requestPublicKey, signableString, request.signature);
         if (!isCryptoValid)
             return { allowed: false, reason: 'CRYPTO_FAIL', identityVerified: false };
         // 3. Identity Verification (DNS Binding) with Cache
         let identityVerified = false;
         const claimedDomain = request.header.agent_id;
-        const pubKeyString = await (0, crypto_1.exportPublicKey)(requestPublicKey);
+        const pubKeyString = await exportPublicKey(requestPublicKey);
         console.log(`   🆔 [AAMP Identity] Verifying DNS Binding for: ${claimedDomain}`);
         // Check Cache First
         const cachedKey = await this.cache.get(claimedDomain);
@@ -198,17 +211,56 @@ class AAMPPublisher {
             return { allowed: false, reason: 'IDENTITY_FAIL: DNS Binding could not be verified.', identityVerified: false };
         }
         // 4. Policy Check: Purpose
-        if (request.header.purpose === types_1.AccessPurpose.CRAWL_TRAINING && !this.policy.allowTraining) {
+        if (request.header.purpose === AccessPurpose.CRAWL_TRAINING && !this.policy.allowTraining) {
             return { allowed: false, reason: 'POLICY_DENIED: Training not allowed.', identityVerified };
         }
-        if (request.header.purpose === types_1.AccessPurpose.RAG_RETRIEVAL && !this.policy.allowRAG) {
+        if (request.header.purpose === AccessPurpose.RAG_RETRIEVAL && !this.policy.allowRAG) {
             return { allowed: false, reason: 'POLICY_DENIED: RAG not allowed.', identityVerified };
         }
-        // 5. Policy Check: Economics
+        // 5. Policy Check: Economics (v1.2)
         if (this.policy.requiresPayment) {
-            const isAdExempt = this.policy.allowAdSupportedAccess && request.header.context.ads_displayed;
-            if (!isAdExempt) {
-                return { allowed: false, reason: 'PAYMENT_REQUIRED: Content requires payment or ads.', identityVerified };
+            let paymentSatisfied = false;
+            // Method A: Flexible Payment Callback (DB / Custom Logic)
+            if (this.policy.monetization?.checkPayment) {
+                const isPaid = await this.policy.monetization.checkPayment(request.header.agent_id, request.header.purpose);
+                if (isPaid) {
+                    console.log(`   💰 [AAMP Audit] Whitelist Check Passed via Callback.`);
+                    return { allowed: true, reason: 'OK', identityVerified, proofUsed: 'WHITELIST_CALLBACK' };
+                }
+            }
+            // Method B: Payment Credentials (Unified JWT)
+            if (!paymentSatisfied && this.policy.monetization?.paymentConfig && paymentCredential) {
+                const { jwksUrl, issuer } = this.policy.monetization.paymentConfig;
+                console.log(`   🔐 [AAMP Audit] Verifying Payment Credential (Issuer: ${issuer})...`);
+                const isValidCredential = await verifyJwt(paymentCredential, jwksUrl, issuer);
+                if (isValidCredential) {
+                    console.log(`   ✅ [AAMP Audit] Credential Signature VALID.`);
+                    return { allowed: true, reason: 'OK', identityVerified, proofUsed: 'PAYMENT_CREDENTIAL_JWT' };
+                }
+                else {
+                    console.log(`   ❌ [AAMP Audit] Credential Signature INVALID.`);
+                }
+            }
+            // Method C: Ad-Supported (Proof Verification)
+            if (!paymentSatisfied && this.policy.allowAdSupportedAccess && request.header.context.ads_displayed) {
+                if (proofToken && this.policy.monetization?.adNetwork) {
+                    const { jwksUrl, issuer } = this.policy.monetization.adNetwork;
+                    console.log(`   📺 [AAMP Audit] Verifying Ad Proof (Issuer: ${issuer})...`);
+                    const isValidProof = await verifyJwt(proofToken, jwksUrl, issuer);
+                    if (isValidProof) {
+                        console.log(`   ✅ [AAMP Audit] Ad Proof Signature VALID.`);
+                        return { allowed: true, reason: 'OK', identityVerified, proofUsed: 'AD_PROOF_JWT' };
+                    }
+                    else {
+                        console.log(`   ❌ [AAMP Audit] Ad Proof Signature INVALID.`);
+                    }
+                }
+                else {
+                    console.log(`   ⚠️ [AAMP Audit] Ad Proof MISSING.`);
+                }
+            }
+            if (!paymentSatisfied) {
+                return { allowed: false, reason: 'PAYMENT_REQUIRED: Whitelist, Credential, and Ad Proof checks ALL failed.', identityVerified, proofUsed: 'NONE', visitorType: 'VERIFIED_AGENT' };
             }
         }
         return { allowed: true, reason: 'OK', identityVerified };
@@ -217,7 +269,7 @@ class AAMPPublisher {
         try {
             // Allow HTTP for localhost testing
             const protocol = (domain.includes('localhost') || domain.match(/:\d+$/)) ? 'http' : 'https';
-            const url = `${protocol}://${domain}${constants_1.WELL_KNOWN_AGENT_PATH}`;
+            const url = `${protocol}://${domain}${WELL_KNOWN_AGENT_PATH}`;
             console.log(`   🌍 [AAMP DNS] Fetching Manifest: ${url} ...`);
             // In production, we need a short timeout to prevent hanging
             const controller = new AbortController();
@@ -256,11 +308,31 @@ class AAMPPublisher {
         if (!this.keyPair)
             throw new Error("Publisher keys not initialized");
         const payload = JSON.stringify({ origin, ts: Date.now() });
-        const signature = await (0, crypto_1.signData)(this.keyPair.privateKey, payload);
+        const signature = await signData(this.keyPair.privateKey, payload);
         return {
-            [constants_1.HEADERS.CONTENT_ORIGIN]: origin,
-            [constants_1.HEADERS.PROVENANCE_SIG]: signature
+            [HEADERS.CONTENT_ORIGIN]: origin,
+            [HEADERS.PROVENANCE_SIG]: signature
         };
     }
+    /**
+     * Handling Quality Feedback (The "Dispute" Layer)
+     * This runs when an Agent sends 'x-aamp-feedback'.
+     */
+    async handleFeedback(token, headers) {
+        // NOTE: In production, you would fetch the Agent's specific key. 
+        // For now, we assume standard Discovery or a centralized Key Set (like adNetwork).
+        // Ideally, the SDK config should have a 'qualityOracle' key set.
+        // 1. We just Decode it to Log it (Verification is optional but recommended)
+        try {
+            const parts = token.split('.');
+            const payload = JSON.parse(atob(parts[1]));
+            console.log(`\n📢 [AAMP QUALITY ALERT] Feedback Received from ${payload.agent_id}`);
+            console.log(`   Reason: ${payload.reason} | Score: ${payload.quality_score}`);
+            console.log(`   Resource: ${payload.url}`);
+            console.log(`   (Signature available for dispute evidence)`);
+        }
+        catch (e) {
+            console.log(`   ⚠️ [AAMP Warning] Malformed Feedback Token.`);
+        }
+    }
 }
-exports.AAMPPublisher = AAMPPublisher;

package/dist/types.d.ts

@@ -37,12 +37,22 @@ export interface IdentityCache {
     get(key: string): Promise<string | null>;
     set(key: string, value: string, ttlSeconds: number): Promise<void>;
 }
+/**
+ * Optional Monetization (The Settlement Layer)
+ */
 /**
  * Optional Monetization (The Settlement Layer)
  */
 export interface MonetizationConfig {
-    method: 'BROKER' | 'CRYPTO' | 'PRIVATE_TREATY';
-    location: string;
+    checkPayment?: (agentId: string, purpose: string) => boolean | Promise<boolean>;
+    adNetwork?: {
+        jwksUrl: string;
+        issuer: string;
+    };
+    paymentConfig?: {
+        jwksUrl: string;
+        issuer: string;
+    };
 }
 /**
  * Handling Non-AAMP Visitors
@@ -91,4 +101,13 @@ export interface EvaluationResult {
     reason: string;
     visitorType: 'VERIFIED_AGENT' | 'LIKELY_HUMAN' | 'UNIDENTIFIED_BOT';
     metadata?: any;
+    payment_status?: 'PAID_SUBSCRIBER' | 'AD_FUNDED' | 'UNPAID';
+    proofUsed?: string;
+}
+export interface FeedbackSignalToken {
+    url: string;
+    agent_id: string;
+    quality_score: number;
+    reason: string;
+    timestamp: number;
 }