@aamp/protocol 1.1.5 → 1.1.7

package/dist/agent.d.ts

@@ -1,7 +1,7 @@
 /**
  * Layer 2: Agent SDK
  */
-import { AccessPurpose, SignedAccessRequest, FeedbackSignal, QualityFlag, AgentIdentityManifest } from './types';
+import { AccessPurpose, SignedAccessRequest, FeedbackSignal, QualityFlag, AgentIdentityManifest } from './types.js';
 export interface AccessOptions {
     adsDisplayed?: boolean;
 }

package/dist/agent.js

@@ -1,9 +1,6 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMPAgent = void 0;
-const crypto_1 = require("./crypto");
-const constants_1 = require("./constants");
-class AAMPAgent {
+import { generateKeyPair, signData, exportPublicKey } from './crypto.js';
+import { AAMP_VERSION } from './constants.js';
+export class AAMPAgent {
     constructor() {
         this.keyPair = null;
         this.agentId = "pending";
@@ -13,7 +10,7 @@ class AAMPAgent {
      * @param customAgentId For PRODUCTION, this should be your domain (e.g., "bot.openai.com")
      */
     async initialize(customAgentId) {
-        this.keyPair = await (0, crypto_1.generateKeyPair)();
+        this.keyPair = await generateKeyPair();
         // Use the provided ID (authentic) or generate a session ID (ephemeral)
         this.agentId = customAgentId || "agent_" + Math.random().toString(36).substring(7);
     }
@@ -21,7 +18,7 @@ class AAMPAgent {
         if (!this.keyPair)
             throw new Error("Agent not initialized. Call initialize() first.");
         const header = {
-            v: constants_1.AAMP_VERSION,
+            v: AAMP_VERSION,
             ts: new Date().toISOString(),
             agent_id: this.agentId,
             resource,
@@ -30,8 +27,8 @@ class AAMPAgent {
                 ads_displayed: options.adsDisplayed || false
             }
         };
-        const signature = await (0, crypto_1.signData)(this.keyPair.privateKey, JSON.stringify(header));
-        const publicKeyExport = await (0, crypto_1.exportPublicKey)(this.keyPair.publicKey);
+        const signature = await signData(this.keyPair.privateKey, JSON.stringify(header));
+        const publicKeyExport = await exportPublicKey(this.keyPair.publicKey);
         return { header, signature, publicKey: publicKeyExport };
     }
     /**
@@ -41,7 +38,7 @@ class AAMPAgent {
     async getIdentityManifest(contactEmail) {
         if (!this.keyPair)
             throw new Error("Agent not initialized.");
-        const publicKey = await (0, crypto_1.exportPublicKey)(this.keyPair.publicKey);
+        const publicKey = await exportPublicKey(this.keyPair.publicKey);
         return {
             agent_id: this.agentId,
             public_key: publicKey,
@@ -62,8 +59,7 @@ class AAMPAgent {
             flags,
             timestamp: new Date().toISOString()
         };
-        const signature = await (0, crypto_1.signData)(this.keyPair.privateKey, JSON.stringify(signal));
+        const signature = await signData(this.keyPair.privateKey, JSON.stringify(signal));
         return { signal, signature };
     }
 }
-exports.AAMPAgent = AAMPAgent;

package/dist/constants.d.ts

@@ -13,6 +13,9 @@ export declare const HEADERS: {
     readonly ALGORITHM: "x-aamp-alg";
     readonly CONTENT_ORIGIN: "x-aamp-content-origin";
     readonly PROVENANCE_SIG: "x-aamp-provenance-sig";
+    readonly PROOF_TOKEN: "x-aamp-proof";
+    readonly PAYMENT_CREDENTIAL: "x-aamp-credential";
+    readonly FEEDBACK: "x-aamp-feedback";
 };
 export declare const CRYPTO_CONFIG: {
     readonly ALGORITHM_NAME: "ECDSA";

package/dist/constants.js

@@ -1,16 +1,13 @@
-"use strict";
 /**
  * Layer 1: Protocol Constants
  * These values are immutable and defined by the AAMP Specification.
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.MAX_CLOCK_SKEW_MS = exports.CRYPTO_CONFIG = exports.HEADERS = exports.WELL_KNOWN_AGENT_PATH = exports.AAMP_VERSION = void 0;
-exports.AAMP_VERSION = '1.1';
+export const AAMP_VERSION = '1.1';
 // The path where Agents MUST host their public key to prove identity.
 // Example: https://bot.openai.com/.well-known/aamp-agent.json
-exports.WELL_KNOWN_AGENT_PATH = '/.well-known/aamp-agent.json';
+export const WELL_KNOWN_AGENT_PATH = '/.well-known/aamp-agent.json';
 // HTTP Headers used for the handshake
-exports.HEADERS = {
+export const HEADERS = {
     // Transport: The signed payload (Base64 encoded JSON of ProtocolHeader)
     PAYLOAD: 'x-aamp-payload',
     // Transport: The cryptographic signature (Hex)
@@ -23,13 +20,19 @@ exports.HEADERS = {
     ALGORITHM: 'x-aamp-alg',
     // v1.1 Addition: Provenance (Server to Agent)
     CONTENT_ORIGIN: 'x-aamp-content-origin',
-    PROVENANCE_SIG: 'x-aamp-provenance-sig'
+    PROVENANCE_SIG: 'x-aamp-provenance-sig',
+    // v1.2 Proof of Value
+    PROOF_TOKEN: 'x-aamp-proof',
+    // v1.2 Payment Credential (The "Digital Receipt")
+    PAYMENT_CREDENTIAL: 'x-aamp-credential',
+    // v1.2 Quality Feedback (The "Dispute Token")
+    FEEDBACK: 'x-aamp-feedback'
 };
 // Cryptographic Settings
-exports.CRYPTO_CONFIG = {
+export const CRYPTO_CONFIG = {
     ALGORITHM_NAME: 'ECDSA',
     CURVE: 'P-256',
     HASH: 'SHA-256',
 };
 // Tolerance
-exports.MAX_CLOCK_SKEW_MS = 5 * 60 * 1000; // 5 minutes
+export const MAX_CLOCK_SKEW_MS = 5 * 60 * 1000; // 5 minutes

package/dist/crypto.js

@@ -1,25 +1,18 @@
-"use strict";
 /**
  * Layer 1: Cryptographic Primitives
  * Implementation of ECDSA P-256 signing/verification.
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateKeyPair = generateKeyPair;
-exports.signData = signData;
-exports.verifySignature = verifySignature;
-exports.exportPublicKey = exportPublicKey;
-exports.importPublicKey = importPublicKey;
-async function generateKeyPair() {
+export async function generateKeyPair() {
     // Uses standard Web Crypto API (Node 19+ compatible)
     return await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
 }
-async function signData(privateKey, data) {
+export async function signData(privateKey, data) {
     const encoder = new TextEncoder();
     const encoded = encoder.encode(data);
     const signature = await crypto.subtle.sign({ name: "ECDSA", hash: { name: "SHA-256" } }, privateKey, encoded);
     return bufToHex(signature);
 }
-async function verifySignature(publicKey, data, signatureHex) {
+export async function verifySignature(publicKey, data, signatureHex) {
     const encoder = new TextEncoder();
     const encodedData = encoder.encode(data);
     const signatureBytes = hexToBuf(signatureHex);
@@ -28,11 +21,11 @@ async function verifySignature(publicKey, data, signatureHex) {
     console.log(`   ${isValid ? "✅" : "❌"} [AAMP Crypto] Signature Result: ${isValid ? "VALID" : "INVALID"}`);
     return isValid;
 }
-async function exportPublicKey(key) {
+export async function exportPublicKey(key) {
     const exported = await crypto.subtle.exportKey("spki", key);
     return btoa(String.fromCharCode(...new Uint8Array(exported)));
 }
-async function importPublicKey(keyData) {
+export async function importPublicKey(keyData) {
     const binaryString = atob(keyData);
     const bytes = new Uint8Array(binaryString.length);
     for (let i = 0; i < binaryString.length; i++) {

package/dist/express.d.ts

@@ -1,4 +1,4 @@
-import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types';
+import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types.js';
 export interface AAMPConfig {
     policy: Omit<AccessPolicy, 'version'>;
     meta: {

package/dist/express.js

@@ -1,18 +1,15 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMP = void 0;
 /**
  * Layer 3: Framework Adapters
  * Zero-friction integration for Express/Node.js.
  */
-const publisher_1 = require("./publisher");
-const types_1 = require("./types");
-const crypto_1 = require("./crypto");
-class AAMP {
+import { AAMPPublisher } from './publisher.js';
+import { ContentOrigin } from './types.js';
+import { generateKeyPair } from './crypto.js';
+export class AAMP {
     constructor(config) {
-        this.publisher = new publisher_1.AAMPPublisher({ version: '1.1', ...config.policy }, config.strategy || 'PASSIVE', config.cache);
-        this.origin = types_1.ContentOrigin[config.meta.origin];
-        this.ready = (0, crypto_1.generateKeyPair)().then(keys => {
+        this.publisher = new AAMPPublisher({ version: '1.1', ...config.policy }, config.strategy || 'PASSIVE', config.cache);
+        this.origin = ContentOrigin[config.meta.origin];
+        this.ready = generateKeyPair().then(keys => {
             return this.publisher.initialize(keys);
         });
     }
@@ -39,7 +36,8 @@ class AAMP {
             if (!result.allowed) {
                 res.status(result.status).json({
                     error: result.reason,
-                    visitor_type: result.visitorType
+                    visitor_type: result.visitorType,
+                    proof_used: result.proofUsed
                 });
                 return;
             }
@@ -64,4 +62,3 @@ class AAMP {
         };
     }
 }
-exports.AAMP = AAMP;

package/dist/index.d.ts

@@ -3,10 +3,10 @@
  *
  * This is the main entry point for the library.
  */
-export * from './types';
-export * from './constants';
-export * from './agent';
-export * from './publisher';
-export * from './crypto';
-export * from './express';
-export { AAMPNext } from './nextjs';
+export * from './types.js';
+export * from './constants.js';
+export * from './agent.js';
+export * from './publisher.js';
+export * from './crypto.js';
+export * from './express.js';
+export { AAMPNext } from './nextjs.js';

package/dist/index.js

@@ -1,30 +1,12 @@
-"use strict";
 /**
  * AAMP SDK Public API
  *
  * This is the main entry point for the library.
  */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMPNext = void 0;
-__exportStar(require("./types"), exports);
-__exportStar(require("./constants"), exports);
-__exportStar(require("./agent"), exports);
-__exportStar(require("./publisher"), exports);
-__exportStar(require("./crypto"), exports);
-__exportStar(require("./express"), exports); // Node.js / Express Adapter
-var nextjs_1 = require("./nextjs"); // Serverless / Next.js Adapter
-Object.defineProperty(exports, "AAMPNext", { enumerable: true, get: function () { return nextjs_1.AAMPNext; } });
+export * from './types.js';
+export * from './constants.js';
+export * from './agent.js';
+export * from './publisher.js';
+export * from './crypto.js';
+export * from './express.js'; // Node.js / Express Adapter
+export { AAMPNext } from './nextjs.js'; // Serverless / Next.js Adapter

package/dist/nextjs.d.ts

@@ -1,4 +1,4 @@
-import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types';
+import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types.js';
 type NextRequest = any;
 type NextResponse = any;
 export interface AAMPConfig {

package/dist/nextjs.js

@@ -1,24 +1,21 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMPNext = void 0;
 /**
  * Layer 3: Framework Adapters
  * Serverless integration for Next.js (App Router & API Routes).
  */
-const publisher_1 = require("./publisher");
-const types_1 = require("./types");
-const crypto_1 = require("./crypto");
+import { AAMPPublisher } from './publisher.js';
+import { ContentOrigin } from './types.js';
+import { generateKeyPair } from './crypto.js';
 const createJsonResponse = (body, status = 200) => {
     return new Response(JSON.stringify(body), {
         status,
         headers: { 'Content-Type': 'application/json' }
     });
 };
-class AAMPNext {
+export class AAMPNext {
     constructor(config) {
-        this.publisher = new publisher_1.AAMPPublisher({ version: '1.1', ...config.policy }, config.strategy || 'PASSIVE', config.cache);
-        this.origin = types_1.ContentOrigin[config.meta.origin];
-        this.ready = (0, crypto_1.generateKeyPair)().then(keys => this.publisher.initialize(keys));
+        this.publisher = new AAMPPublisher({ version: '1.1', ...config.policy }, config.strategy || 'PASSIVE', config.cache);
+        this.origin = ContentOrigin[config.meta.origin];
+        this.ready = generateKeyPair().then(keys => this.publisher.initialize(keys));
     }
     static init(config) {
         return new AAMPNext(config);
@@ -39,7 +36,8 @@ class AAMPNext {
             if (!result.allowed) {
                 return createJsonResponse({
                     error: result.reason,
-                    visitor_type: result.visitorType
+                    visitor_type: result.visitorType,
+                    proof_used: result.proofUsed
                 }, result.status);
             }
             // Execute Handler
@@ -60,4 +58,3 @@ class AAMPNext {
         };
     }
 }
-exports.AAMPNext = AAMPNext;

package/dist/proof.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Verifies a JWT (Proof Token or Payment Credential) using JWKS.
+ *
+ * @param token The JWT string
+ * @param jwksUrl The URL to fetch Public Keys
+ * @param issuer The expected issuer
+ * @param audience The expected audience range
+ */
+export declare function verifyJwt(token: string, jwksUrl: string, issuer: string, audience?: string): Promise<boolean>;

package/dist/proof.js

@@ -0,0 +1,27 @@
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+// In-memory cache for JWKS to avoid repeated fetches
+// Jose's createRemoteJWKSet handles caching/cooldowns internally.
+/**
+ * Verifies a JWT (Proof Token or Payment Credential) using JWKS.
+ *
+ * @param token The JWT string
+ * @param jwksUrl The URL to fetch Public Keys
+ * @param issuer The expected issuer
+ * @param audience The expected audience range
+ */
+export async function verifyJwt(token, jwksUrl, issuer, audience) {
+    try {
+        const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+        const { payload } = await jwtVerify(token, JWKS, {
+            issuer: issuer,
+            audience: audience // specific audience check if provided
+        });
+        // Check specific AAMP claims if we standardize them
+        // if (payload.type !== 'AD_IMPRESSION') return false;
+        return true;
+    }
+    catch (error) {
+        // console.error("Ad Proof Verification Failed:", error);
+        return false;
+    }
+}

package/dist/publisher.d.ts

@@ -1,4 +1,4 @@
-import { AccessPolicy, ContentOrigin, EvaluationResult, IdentityCache, UnauthenticatedStrategy } from './types';
+import { AccessPolicy, ContentOrigin, EvaluationResult, IdentityCache, UnauthenticatedStrategy } from './types.js';
 export declare class AAMPPublisher {
     private policy;
     private keyPair;
@@ -10,6 +10,9 @@ export declare class AAMPPublisher {
     getPolicy(): AccessPolicy;
     /**
      * Main Entry Point: Evaluate ANY visitor (Human, Bot, or Agent)
+     * STAGE 1: IDENTITY (Strict)
+     * STAGE 2: POLICY (Permissions)
+     * STAGE 3: ACCESS (HQ Content)
      */
     evaluateVisitor(reqHeaders: Record<string, string | undefined>, rawPayload?: string): Promise<EvaluationResult>;
     /**
@@ -20,11 +23,21 @@ export declare class AAMPPublisher {
      */
     private performBrowserHeuristics;
     /**
-     * Handle AAMP Protocol Logic
+     * Handle AAMP Protocol Logic (Strict Mode)
      */
+    private handleAgentStrict;
     private handleAgent;
+    /**
+     * STAGE 2: POLICY ENFORCEMENT CHECK
+     */
+    private checkPolicyStrict;
     private verifyRequestLogic;
     private verifyDnsBinding;
     private isDomain;
     generateResponseHeaders(origin: ContentOrigin): Promise<Record<string, string>>;
+    /**
+     * Handling Quality Feedback (The "Dispute" Layer)
+     * This runs when an Agent sends 'x-aamp-feedback'.
+     */
+    private handleFeedback;
 }