@aamp/protocol 1.1.5 → 1.1.6

package/dist/types.js

@@ -1,28 +1,25 @@
-"use strict";
 /**
  * Layer 1: Protocol Definitions
  * Shared types used by both Agent and Publisher.
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.QualityFlag = exports.ContentOrigin = exports.AccessPurpose = void 0;
-var AccessPurpose;
+export var AccessPurpose;
 (function (AccessPurpose) {
     AccessPurpose["CRAWL_TRAINING"] = "CRAWL_TRAINING";
     AccessPurpose["RAG_RETRIEVAL"] = "RAG_RETRIEVAL";
     AccessPurpose["SUMMARY"] = "SUMMARY";
     AccessPurpose["QUOTATION"] = "QUOTATION";
     AccessPurpose["EMBEDDING"] = "EMBEDDING";
-})(AccessPurpose || (exports.AccessPurpose = AccessPurpose = {}));
-var ContentOrigin;
+})(AccessPurpose || (AccessPurpose = {}));
+export var ContentOrigin;
 (function (ContentOrigin) {
     ContentOrigin["HUMAN"] = "HUMAN";
     ContentOrigin["SYNTHETIC"] = "SYNTHETIC";
     ContentOrigin["HYBRID"] = "HYBRID"; // Edited by humans, drafted by AI.
-})(ContentOrigin || (exports.ContentOrigin = ContentOrigin = {}));
-var QualityFlag;
+})(ContentOrigin || (ContentOrigin = {}));
+export var QualityFlag;
 (function (QualityFlag) {
     QualityFlag["SEO_SPAM"] = "SEO_SPAM";
     QualityFlag["INACCURATE"] = "INACCURATE";
     QualityFlag["HATE_SPEECH"] = "HATE_SPEECH";
     QualityFlag["HIGH_QUALITY"] = "HIGH_QUALITY";
-})(QualityFlag || (exports.QualityFlag = QualityFlag = {}));
+})(QualityFlag || (QualityFlag = {}));

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@aamp/protocol",
-  "version": "1.1.5",
+  "version": "1.1.6",
   "description": "TypeScript reference implementation of AAMP v1.1",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "type": "module",
   "scripts": {
     "build": "tsc",
-    "test": "ts-node test/handshake.spec.ts",
-    "prepublishOnly": "npm run test && npm run build"
+    "test": "node --loader ts-node/esm test/handshake.spec.ts"
   },
   "repository": {
     "type": "git",
@@ -17,8 +17,13 @@
     "access": "public"
   },
   "devDependencies": {
-    "typescript": "^5.0.0",
+    "@types/node": "^20.0.0",
+    "@types/node-fetch": "^2.6.13",
     "ts-node": "^10.9.0",
-    "@types/node": "^20.0.0"
+    "typescript": "^5.0.0"
+  },
+  "dependencies": {
+    "jose": "^6.1.3",
+    "node-fetch": "^2.7.0"
   }
 }

package/src/agent.ts

@@ -1,9 +1,9 @@
 /**
  * Layer 2: Agent SDK
  */
-import { AccessPurpose, ProtocolHeader, SignedAccessRequest, FeedbackSignal, QualityFlag, AgentIdentityManifest } from './types';
-import { generateKeyPair, signData, exportPublicKey } from './crypto';
-import { AAMP_VERSION } from './constants';
+import { AccessPurpose, ProtocolHeader, SignedAccessRequest, FeedbackSignal, QualityFlag, AgentIdentityManifest } from './types.js';
+import { generateKeyPair, signData, exportPublicKey } from './crypto.js';
+import { AAMP_VERSION } from './constants.js';
 
 export interface AccessOptions {
   adsDisplayed?: boolean;
@@ -24,8 +24,8 @@ export class AAMPAgent {
   }
 
   async createAccessRequest(
-    resource: string, 
-    purpose: AccessPurpose, 
+    resource: string,
+    purpose: AccessPurpose,
     options: AccessOptions = {}
   ): Promise<SignedAccessRequest> {
     if (!this.keyPair) throw new Error("Agent not initialized. Call initialize() first.");
@@ -53,9 +53,9 @@ export class AAMPAgent {
    */
   async getIdentityManifest(contactEmail?: string): Promise<AgentIdentityManifest> {
     if (!this.keyPair) throw new Error("Agent not initialized.");
-    
+
     const publicKey = await exportPublicKey(this.keyPair.publicKey);
-    
+
     return {
       agent_id: this.agentId,
       public_key: publicKey,
@@ -73,7 +73,7 @@ export class AAMPAgent {
     flags: QualityFlag[]
   ): Promise<{ signal: FeedbackSignal, signature: string }> {
     if (!this.keyPair) throw new Error("Agent not initialized.");
-    
+
     const signal: FeedbackSignal = {
       target_resource: resource,
       agent_id: this.agentId,

package/src/constants.ts

@@ -17,15 +17,24 @@ export const HEADERS = {
   SIGNATURE: 'x-aamp-signature',
   // Transport: The Agent's Public Key (Base64 SPKI)
   PUBLIC_KEY: 'x-aamp-public-key',
-  
+
   // Informational / Legacy (Optional if Payload is present)
   AGENT_ID: 'x-aamp-agent-id',
   TIMESTAMP: 'x-aamp-timestamp',
-  ALGORITHM: 'x-aamp-alg', 
-  
+  ALGORITHM: 'x-aamp-alg',
+
   // v1.1 Addition: Provenance (Server to Agent)
   CONTENT_ORIGIN: 'x-aamp-content-origin',
-  PROVENANCE_SIG: 'x-aamp-provenance-sig'
+  PROVENANCE_SIG: 'x-aamp-provenance-sig',
+
+  // v1.2 Proof of Value
+  PROOF_TOKEN: 'x-aamp-proof',
+
+  // v1.2 Payment Credential (The "Digital Receipt")
+  PAYMENT_CREDENTIAL: 'x-aamp-credential',
+
+  // v1.2 Quality Feedback (The "Dispute Token")
+  FEEDBACK: 'x-aamp-feedback'
 } as const;
 
 // Cryptographic Settings

package/src/express.ts

@@ -2,9 +2,9 @@
  * Layer 3: Framework Adapters
  * Zero-friction integration for Express/Node.js.
  */
-import { AAMPPublisher } from './publisher';
-import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types';
-import { generateKeyPair } from './crypto';
+import { AAMPPublisher } from './publisher.js';
+import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types.js';
+import { generateKeyPair } from './crypto.js';
 
 export interface AAMPConfig {
   policy: Omit<AccessPolicy, 'version'>;
@@ -28,9 +28,9 @@ export class AAMP {
       config.strategy || 'PASSIVE',
       config.cache
     );
-    
+
     this.origin = ContentOrigin[config.meta.origin];
-    
+
     this.ready = generateKeyPair().then(keys => {
       return this.publisher.initialize(keys);
     });
@@ -62,9 +62,10 @@ export class AAMP {
 
       // Enforce Decision
       if (!result.allowed) {
-        res.status(result.status).json({ 
+        res.status(result.status).json({
           error: result.reason,
-          visitor_type: result.visitorType
+          visitor_type: result.visitorType,
+          proof_used: result.proofUsed
         });
         return;
       }

package/src/index.ts

@@ -4,10 +4,10 @@
  * This is the main entry point for the library.
  */
 
-export * from './types';
-export * from './constants';
-export * from './agent';
-export * from './publisher';
-export * from './crypto';
-export * from './express'; // Node.js / Express Adapter
-export { AAMPNext } from './nextjs';  // Serverless / Next.js Adapter
+export * from './types.js';
+export * from './constants.js';
+export * from './agent.js';
+export * from './publisher.js';
+export * from './crypto.js';
+export * from './express.js'; // Node.js / Express Adapter
+export { AAMPNext } from './nextjs.js';  // Serverless / Next.js Adapter

package/src/nextjs.ts

@@ -2,12 +2,12 @@
  * Layer 3: Framework Adapters
  * Serverless integration for Next.js (App Router & API Routes).
  */
-import { AAMPPublisher } from './publisher';
-import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types';
-import { generateKeyPair } from './crypto';
+import { AAMPPublisher } from './publisher.js';
+import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types.js';
+import { generateKeyPair } from './crypto.js';
 
-type NextRequest = any; 
-type NextResponse = any; 
+type NextRequest = any;
+type NextResponse = any;
 
 const createJsonResponse = (body: any, status = 200) => {
   return new Response(JSON.stringify(body), {
@@ -63,9 +63,10 @@ export class AAMPNext {
       const result = await this.publisher.evaluateVisitor(headers, headers['x-aamp-payload']);
 
       if (!result.allowed) {
-        return createJsonResponse({ 
+        return createJsonResponse({
           error: result.reason,
-          visitor_type: result.visitorType
+          visitor_type: result.visitorType,
+          proof_used: result.proofUsed
         }, result.status);
       }
 
@@ -75,9 +76,9 @@ export class AAMPNext {
       // Inject Provenance
       const aampHeaders = await this.publisher.generateResponseHeaders(this.origin);
       if (response && response.headers) {
-         Object.entries(aampHeaders).forEach(([k, v]) => {
-           response.headers.set(k, v);
-         });
+        Object.entries(aampHeaders).forEach(([k, v]) => {
+          response.headers.set(k, v);
+        });
       }
 
       return response;

package/src/proof.ts

@@ -0,0 +1,36 @@
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+
+// In-memory cache for JWKS to avoid repeated fetches
+// Jose's createRemoteJWKSet handles caching/cooldowns internally.
+
+/**
+ * Verifies a JWT (Proof Token or Payment Credential) using JWKS.
+ * 
+ * @param token The JWT string 
+ * @param jwksUrl The URL to fetch Public Keys
+ * @param issuer The expected issuer
+ * @param audience The expected audience range
+ */
+export async function verifyJwt(
+    token: string,
+    jwksUrl: string,
+    issuer: string,
+    audience?: string
+): Promise<boolean> {
+    try {
+        const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+
+        const { payload } = await jwtVerify(token, JWKS, {
+            issuer: issuer,
+            audience: audience // specific audience check if provided
+        });
+
+        // Check specific AAMP claims if we standardize them
+        // if (payload.type !== 'AD_IMPRESSION') return false;
+
+        return true;
+    } catch (error) {
+        // console.error("Ad Proof Verification Failed:", error);
+        return false;
+    }
+}

package/src/publisher.ts

@@ -2,14 +2,17 @@
  * Layer 2: Publisher Middleware
  * Used by content owners to enforce policy, log access, and filter bots.
  */
-import { HEADERS, MAX_CLOCK_SKEW_MS, WELL_KNOWN_AGENT_PATH } from './constants';
-import { exportPublicKey, signData, verifySignature } from './crypto';
-import { AccessPolicy, AccessPurpose, AgentIdentityManifest, ContentOrigin, EvaluationResult, IdentityCache, SignedAccessRequest, UnauthenticatedStrategy } from './types';
+import { HEADERS, MAX_CLOCK_SKEW_MS, WELL_KNOWN_AGENT_PATH } from './constants.js';
+import { exportPublicKey, signData, verifySignature } from './crypto.js';
+import { AccessPolicy, AccessPurpose, AgentIdentityManifest, ContentOrigin, EvaluationResult, IdentityCache, SignedAccessRequest, UnauthenticatedStrategy } from './types.js';
+import { verifyJwt } from './proof.js';
 
 interface VerificationResult {
   allowed: boolean;
   reason: string;
   identityVerified: boolean;
+  proofUsed?: string; // "WHITELIST", "CREDENTIAL_JWT", "AD_JWT"
+  visitorType?: string; // For audit logs
 }
 
 /**
@@ -18,7 +21,7 @@ interface VerificationResult {
  */
 class MemoryCache implements IdentityCache {
   private store = new Map<string, { val: string, exp: number }>();
-  
+
   async get(key: string): Promise<string | null> {
     const item = this.store.get(key);
     if (!item) return null;
@@ -28,11 +31,11 @@ class MemoryCache implements IdentityCache {
     }
     return item.val;
   }
-  
+
   async set(key: string, value: string, ttlSeconds: number): Promise<void> {
-    this.store.set(key, { 
-      val: value, 
-      exp: Date.now() + (ttlSeconds * 1000) 
+    this.store.set(key, {
+      val: value,
+      exp: Date.now() + (ttlSeconds * 1000)
     });
   }
 }
@@ -42,14 +45,14 @@ export class AAMPPublisher {
   private keyPair: CryptoKeyPair | null = null;
   private unauthenticatedStrategy: UnauthenticatedStrategy;
   private cache: IdentityCache;
-  
+
   // Default TTL: 1 Hour
-  private readonly CACHE_TTL_SECONDS = 3600; 
+  private readonly CACHE_TTL_SECONDS = 3600;
 
   constructor(
-    policy: AccessPolicy, 
+    policy: AccessPolicy,
     strategy: UnauthenticatedStrategy = 'PASSIVE',
-    cacheImpl?: IdentityCache 
+    cacheImpl?: IdentityCache
   ) {
     this.policy = policy;
     this.unauthenticatedStrategy = strategy;
@@ -68,13 +71,18 @@ export class AAMPPublisher {
    * Main Entry Point: Evaluate ANY visitor (Human, Bot, or Agent)
    */
   async evaluateVisitor(
-    reqHeaders: Record<string, string | undefined>, 
+    reqHeaders: Record<string, string | undefined>,
     rawPayload?: string
   ): Promise<EvaluationResult> {
-    
+
     // 1. Check for AAMP Headers
     const hasAamp = reqHeaders[HEADERS.PAYLOAD] && reqHeaders[HEADERS.SIGNATURE] && reqHeaders[HEADERS.PUBLIC_KEY];
 
+    const feedbackToken = reqHeaders[HEADERS.FEEDBACK];
+    if (feedbackToken) {
+      await this.handleFeedback(feedbackToken, reqHeaders);
+    }
+
     if (hasAamp) {
       console.log("\n🔎 [AAMP Middleware] Detected Agent Headers. Starting Verification...");
       // It claims to be an Agent. Verify it.
@@ -96,13 +104,13 @@ export class AAMPPublisher {
         allowed: true,
         status: 200,
         reason: "PASSIVE_MODE: Allowed without verification.",
-        visitorType: 'LIKELY_HUMAN' 
+        visitorType: 'LIKELY_HUMAN'
       };
     }
 
     // 3. HYBRID MODE: Heuristic Analysis (The "Lazy Bot" Filter)
     const isHuman = this.performBrowserHeuristics(reqHeaders);
-    
+
     if (isHuman) {
       return {
         allowed: true,
@@ -128,11 +136,11 @@ export class AAMPPublisher {
    */
   private performBrowserHeuristics(headers: Record<string, string | undefined>): boolean {
     const userAgent = headers['user-agent'] || '';
-    
+
     // A. The "Obvious Bot" Blocklist (Fast Fail)
     const botSignatures = ['python-requests', 'curl', 'wget', 'scrapy', 'bot', 'crawler', 'spider'];
     if (botSignatures.some(sig => userAgent.toLowerCase().includes(sig))) {
-       return false;
+      return false;
     }
 
     // B. Trusted Infrastructure Signals (The Real World Solution)
@@ -142,7 +150,7 @@ export class AAMPPublisher {
 
     // C. The "Browser Fingerprint" (Fallback for direct connections)
     const hasAcceptLanguage = !!headers['accept-language'];
-    const hasSecFetchDest = !!headers['sec-fetch-dest']; 
+    const hasSecFetchDest = !!headers['sec-fetch-dest'];
     const hasUpgradeInsecure = !!headers['upgrade-insecure-requests'];
 
     if (hasAcceptLanguage && (hasSecFetchDest || hasUpgradeInsecure)) {
@@ -161,9 +169,9 @@ export class AAMPPublisher {
       const sigHeader = reqHeaders[HEADERS.SIGNATURE]!;
       const keyHeader = reqHeaders[HEADERS.PUBLIC_KEY]!;
 
-      const headerJson = atob(payloadHeader); 
+      const headerJson = atob(payloadHeader);
       const requestHeader = JSON.parse(headerJson);
-      
+
       const signedRequest: SignedAccessRequest = {
         header: requestHeader,
         signature: sigHeader,
@@ -178,11 +186,20 @@ export class AAMPPublisher {
         ["verify"]
       );
 
+      const proofToken = reqHeaders[HEADERS.PROOF_TOKEN];
+      const paymentCredential = reqHeaders[HEADERS.PAYMENT_CREDENTIAL];
+
       // Verify Core Logic
-      const result = await this.verifyRequestLogic(signedRequest, agentKey, headerJson);
+      const result = await this.verifyRequestLogic(signedRequest, agentKey, proofToken, paymentCredential, headerJson);
 
       if (!result.allowed) {
-        console.log(`⛔ [AAMP Deny] Reason: ${result.reason}`);
+        console.log(`⛔ [AAMP BLOCK] 
+        Agent: ${requestHeader.agent_id}
+        Reason: ${result.reason}
+        VisitorType: ${result.visitorType}
+        Proof: ${result.proofUsed || 'None'}
+        Identity Verified: ${result.identityVerified}`);
+
         return {
           allowed: false,
           status: 403,
@@ -191,7 +208,12 @@ export class AAMPPublisher {
         };
       }
 
-      console.log(`✅ [AAMP Allow] Verified Agent: ${requestHeader.agent_id}`);
+      console.log(`✅ [AAMP ALLOW] 
+      Agent: ${requestHeader.agent_id}
+      Reason: AAMP_VERIFIED
+      Payment Method: ${result.proofUsed}
+      Identity Verified: ${result.identityVerified}`);
+
       return {
         allowed: true,
         status: 200,
@@ -207,11 +229,13 @@ export class AAMPPublisher {
   }
 
   private async verifyRequestLogic(
-    request: SignedAccessRequest, 
+    request: SignedAccessRequest,
     requestPublicKey: CryptoKey,
+    proofToken?: string,
+    paymentCredential?: string,
     rawPayload?: string
   ): Promise<VerificationResult> {
-    
+
     // 1. Replay Attack Prevention
     const requestTime = new Date(request.header.ts).getTime();
     if (Math.abs(Date.now() - requestTime) > MAX_CLOCK_SKEW_MS) {
@@ -227,12 +251,12 @@ export class AAMPPublisher {
     let identityVerified = false;
     const claimedDomain = request.header.agent_id;
     const pubKeyString = await exportPublicKey(requestPublicKey);
-    
+
     console.log(`   🆔 [AAMP Identity] Verifying DNS Binding for: ${claimedDomain}`);
 
     // Check Cache First
     const cachedKey = await this.cache.get(claimedDomain);
-    
+
     if (cachedKey === pubKeyString) {
       console.log("   ⚡ [AAMP Cache] Identity found in cache.");
       identityVerified = true;
@@ -256,11 +280,53 @@ export class AAMPPublisher {
       return { allowed: false, reason: 'POLICY_DENIED: RAG not allowed.', identityVerified };
     }
 
-    // 5. Policy Check: Economics
+    // 5. Policy Check: Economics (v1.2)
     if (this.policy.requiresPayment) {
-      const isAdExempt = this.policy.allowAdSupportedAccess && request.header.context.ads_displayed;
-      if (!isAdExempt) {
-        return { allowed: false, reason: 'PAYMENT_REQUIRED: Content requires payment or ads.', identityVerified };
+      let paymentSatisfied = false;
+
+      // Method A: Flexible Payment Callback (DB / Custom Logic)
+      if (this.policy.monetization?.checkPayment) {
+        const isPaid = await this.policy.monetization.checkPayment(request.header.agent_id, request.header.purpose);
+        if (isPaid) {
+          console.log(`   💰 [AAMP Audit] Whitelist Check Passed via Callback.`);
+          return { allowed: true, reason: 'OK', identityVerified, proofUsed: 'WHITELIST_CALLBACK' };
+        }
+      }
+
+      // Method B: Payment Credentials (Unified JWT)
+      if (!paymentSatisfied && this.policy.monetization?.paymentConfig && paymentCredential) {
+        const { jwksUrl, issuer } = this.policy.monetization.paymentConfig;
+        console.log(`   🔐 [AAMP Audit] Verifying Payment Credential (Issuer: ${issuer})...`);
+
+        const isValidCredential = await verifyJwt(paymentCredential, jwksUrl, issuer);
+        if (isValidCredential) {
+          console.log(`   ✅ [AAMP Audit] Credential Signature VALID.`);
+          return { allowed: true, reason: 'OK', identityVerified, proofUsed: 'PAYMENT_CREDENTIAL_JWT' };
+        } else {
+          console.log(`   ❌ [AAMP Audit] Credential Signature INVALID.`);
+        }
+      }
+
+      // Method C: Ad-Supported (Proof Verification)
+      if (!paymentSatisfied && this.policy.allowAdSupportedAccess && request.header.context.ads_displayed) {
+        if (proofToken && this.policy.monetization?.adNetwork) {
+          const { jwksUrl, issuer } = this.policy.monetization.adNetwork;
+          console.log(`   📺 [AAMP Audit] Verifying Ad Proof (Issuer: ${issuer})...`);
+
+          const isValidProof = await verifyJwt(proofToken, jwksUrl, issuer);
+          if (isValidProof) {
+            console.log(`   ✅ [AAMP Audit] Ad Proof Signature VALID.`);
+            return { allowed: true, reason: 'OK', identityVerified, proofUsed: 'AD_PROOF_JWT' };
+          } else {
+            console.log(`   ❌ [AAMP Audit] Ad Proof Signature INVALID.`);
+          }
+        } else {
+          console.log(`   ⚠️ [AAMP Audit] Ad Proof MISSING.`);
+        }
+      }
+
+      if (!paymentSatisfied) {
+        return { allowed: false, reason: 'PAYMENT_REQUIRED: Whitelist, Credential, and Ad Proof checks ALL failed.', identityVerified, proofUsed: 'NONE', visitorType: 'VERIFIED_AGENT' };
       }
     }
 
@@ -272,16 +338,16 @@ export class AAMPPublisher {
       // Allow HTTP for localhost testing
       const protocol = (domain.includes('localhost') || domain.match(/:\d+$/)) ? 'http' : 'https';
       const url = `${protocol}://${domain}${WELL_KNOWN_AGENT_PATH}`;
-      
+
       console.log(`   🌍 [AAMP DNS] Fetching Manifest: ${url} ...`);
 
       // In production, we need a short timeout to prevent hanging
       const controller = new AbortController();
       const timeoutId = setTimeout(() => controller.abort(), 1500); // 1.5s max for DNS check
-      
+
       const response = await fetch(url, { signal: controller.signal });
       clearTimeout(timeoutId);
-      
+
       if (!response.ok) {
         console.log(`   ❌ [AAMP DNS] Fetch Failed: ${response.status}`);
         return false;
@@ -298,15 +364,15 @@ export class AAMPPublisher {
 
       // CHECK 2: Does the key match?
       if (manifest.public_key !== requestKeySpki) {
-         console.log(`   ❌ [AAMP DNS] Key Mismatch: DNS Key != Request Key`);
-         return false;
+        console.log(`   ❌ [AAMP DNS] Key Mismatch: DNS Key != Request Key`);
+        return false;
       }
 
       console.log(`   ✅ [AAMP DNS] Identity Confirmed.`);
       return true;
-    } catch (e: any) { 
-        console.log(`   ❌ [AAMP DNS] Error: ${e.message}`);
-        return false; 
+    } catch (e: any) {
+      console.log(`   ❌ [AAMP DNS] Error: ${e.message}`);
+      return false;
     }
   }
 
@@ -324,4 +390,28 @@ export class AAMPPublisher {
       [HEADERS.PROVENANCE_SIG]: signature
     };
   }
+
+  /**
+   * Handling Quality Feedback (The "Dispute" Layer)
+   * This runs when an Agent sends 'x-aamp-feedback'.
+   */
+  private async handleFeedback(token: string, headers: Record<string, string | undefined>) {
+    // NOTE: In production, you would fetch the Agent's specific key. 
+    // For now, we assume standard Discovery or a centralized Key Set (like adNetwork).
+    // Ideally, the SDK config should have a 'qualityOracle' key set.
+
+    // 1. We just Decode it to Log it (Verification is optional but recommended)
+    try {
+      const parts = token.split('.');
+      const payload = JSON.parse(atob(parts[1]));
+
+      console.log(`\n📢 [AAMP QUALITY ALERT] Feedback Received from ${payload.agent_id}`);
+      console.log(`   Reason: ${payload.reason} | Score: ${payload.quality_score}`);
+      console.log(`   Resource: ${payload.url}`);
+      console.log(`   (Signature available for dispute evidence)`);
+
+    } catch (e) {
+      console.log(`   ⚠️ [AAMP Warning] Malformed Feedback Token.`);
+    }
+  }
 }