@aamp/protocol 1.1.5 → 1.1.7

package/dist/publisher.js

@@ -1,13 +1,11 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AAMPPublisher = void 0;
 /**
  * Layer 2: Publisher Middleware
  * Used by content owners to enforce policy, log access, and filter bots.
  */
-const constants_1 = require("./constants");
-const crypto_1 = require("./crypto");
-const types_1 = require("./types");
+import { HEADERS, MAX_CLOCK_SKEW_MS, WELL_KNOWN_AGENT_PATH } from './constants.js';
+import { exportPublicKey, signData, verifySignature } from './crypto.js';
+import { AccessPurpose } from './types.js';
+import { verifyJwt } from './proof.js';
 /**
  * Default In-Memory Cache (Fallback only)
  * NOT recommended for high-traffic Serverless production.
@@ -33,7 +31,7 @@ class MemoryCache {
         });
     }
 }
-class AAMPPublisher {
+export class AAMPPublisher {
     constructor(policy, strategy = 'PASSIVE', cacheImpl) {
         this.keyPair = null;
         // Default TTL: 1 Hour
@@ -50,50 +48,46 @@ class AAMPPublisher {
     }
     /**
      * Main Entry Point: Evaluate ANY visitor (Human, Bot, or Agent)
+     * STAGE 1: IDENTITY (Strict)
+     * STAGE 2: POLICY (Permissions)
+     * STAGE 3: ACCESS (HQ Content)
      */
     async evaluateVisitor(reqHeaders, rawPayload) {
-        // 1. Check for AAMP Headers
-        const hasAamp = reqHeaders[constants_1.HEADERS.PAYLOAD] && reqHeaders[constants_1.HEADERS.SIGNATURE] && reqHeaders[constants_1.HEADERS.PUBLIC_KEY];
+        console.log(`\n--- [AAMP LOG START] New Request ---`);
+        // --- STAGE 1: IDENTITY VERIFICATION ---
+        console.log(`[IDENTITY] 🔍 Checking Identity Headers...`);
+        const hasAamp = reqHeaders[HEADERS.PAYLOAD] && reqHeaders[HEADERS.SIGNATURE] && reqHeaders[HEADERS.PUBLIC_KEY];
         if (hasAamp) {
-            console.log("\n🔎 [AAMP Middleware] Detected Agent Headers. Starting Verification...");
-            // It claims to be an Agent. Verify it.
-            return await this.handleAgent(reqHeaders, rawPayload);
+            // It claims to be an Agent. Verify it STRICTLY.
+            return await this.handleAgentStrict(reqHeaders, rawPayload);
         }
-        // 2. It's not an AAMP Agent. Apply Strategy.
+        // If NO AAMP Headers -> FAIL IDENTITY immediately.
+        console.log(`[IDENTITY] ❌ FAILED. No AAMP Headers found.`);
+        // For now, retaining the legacy "Passive/Hybrid" switch just to avoid breaking browser demos completely 
+        // BUT logging it as a specific "Identity Fail" flow.
         if (this.unauthenticatedStrategy === 'STRICT') {
+            console.log(`[IDENTITY] ⛔ BLOCKING. Strategy is STRICT.`);
             return {
                 allowed: false,
                 status: 401,
-                reason: "STRICT_MODE: Only AAMP verified agents allowed.",
+                reason: "IDENTITY_REQUIRED: Missing AAMP Headers.",
                 visitorType: 'UNIDENTIFIED_BOT'
             };
         }
-        if (this.unauthenticatedStrategy === 'PASSIVE') {
-            return {
-                allowed: true,
-                status: 200,
-                reason: "PASSIVE_MODE: Allowed without verification.",
-                visitorType: 'LIKELY_HUMAN'
-            };
-        }
-        // 3. HYBRID MODE: Heuristic Analysis (The "Lazy Bot" Filter)
+        console.log(`[IDENTITY] ⚠️ SKIPPED (Legacy Mode). Checking Browser Heuristics...`);
         const isHuman = this.performBrowserHeuristics(reqHeaders);
         if (isHuman) {
-            return {
-                allowed: true,
-                status: 200,
-                reason: "BROWSER_VERIFIED: Heuristics passed.",
-                visitorType: 'LIKELY_HUMAN'
-            };
-        }
-        else {
-            return {
-                allowed: false,
-                status: 403,
-                reason: "BOT_DETECTED: Request lacks browser signatures and AAMP headers.",
-                visitorType: 'UNIDENTIFIED_BOT'
-            };
+            console.log(`[POLICY] 👤 ALLOWED. Browser Heuristics Passed.`);
+            return { allowed: true, status: 200, reason: "BROWSER_VERIFIED", visitorType: 'LIKELY_HUMAN' };
         }
+        console.log(`[IDENTITY] ❌ FAILED. Not a Browser, No Headers.`);
+        console.log(`[ACCESS] ⛔ BLOCKED.`);
+        return {
+            allowed: false,
+            status: 403,
+            reason: "IDENTITY_FAIL: No Identity, No Browser.",
+            visitorType: 'UNIDENTIFIED_BOT'
+        };
     }
     /**
      * Browser Heuristics (Hardened)
@@ -125,66 +119,149 @@ class AAMPPublisher {
         return false;
     }
     /**
-     * Handle AAMP Protocol Logic
+     * Handle AAMP Protocol Logic (Strict Mode)
      */
-    async handleAgent(reqHeaders, rawPayload) {
+    async handleAgentStrict(reqHeaders, rawPayload) {
+        let agentId = "UNKNOWN";
         try {
-            const payloadHeader = reqHeaders[constants_1.HEADERS.PAYLOAD];
-            const sigHeader = reqHeaders[constants_1.HEADERS.SIGNATURE];
-            const keyHeader = reqHeaders[constants_1.HEADERS.PUBLIC_KEY];
+            // 1. Decode Headers
+            const payloadHeader = reqHeaders[HEADERS.PAYLOAD];
+            const sigHeader = reqHeaders[HEADERS.SIGNATURE];
+            const keyHeader = reqHeaders[HEADERS.PUBLIC_KEY];
             const headerJson = atob(payloadHeader);
             const requestHeader = JSON.parse(headerJson);
+            agentId = requestHeader.agent_id;
+            console.log(`[IDENTITY] 🆔 Claimed ID: ${agentId}`);
+            // 2. Crypto & DNS Verification
             const signedRequest = {
                 header: requestHeader,
                 signature: sigHeader,
                 publicKey: keyHeader
             };
             const agentKey = await crypto.subtle.importKey("spki", new Uint8Array(atob(keyHeader).split('').map(c => c.charCodeAt(0))), { name: "ECDSA", namedCurve: "P-256" }, true, ["verify"]);
-            // Verify Core Logic
-            const result = await this.verifyRequestLogic(signedRequest, agentKey, headerJson);
-            if (!result.allowed) {
-                console.log(`⛔ [AAMP Deny] Reason: ${result.reason}`);
-                return {
-                    allowed: false,
-                    status: 403,
-                    reason: result.reason,
-                    visitorType: 'VERIFIED_AGENT'
-                };
+            // Verify Core Logic (DNS + Crypto)
+            const verification = await this.verifyRequestLogic(signedRequest, agentKey);
+            if (!verification.identityVerified) {
+                console.log(`[IDENTITY] ❌ FAILED. Reason: ${verification.reason}`);
+                console.log(`[ACCESS] ⛔ BLOCKED.`);
+                return { allowed: false, status: 403, reason: verification.reason, visitorType: 'UNIDENTIFIED_BOT' };
+            }
+            console.log(`[IDENTITY] ✅ PASSED. DNS Binding Verified.`);
+            // --- STAGE 2: POLICY ENFORCEMENT ---
+            console.log(`[POLICY] 📜 Checking Permissions for ${agentId}...`);
+            const proofToken = reqHeaders[HEADERS.PROOF_TOKEN];
+            const paymentCredential = reqHeaders[HEADERS.PAYMENT_CREDENTIAL];
+            const policyResult = await this.checkPolicyStrict(requestHeader, proofToken, paymentCredential);
+            if (!policyResult.allowed) {
+                console.log(`[POLICY] ⛔ DENIED. Reason: ${policyResult.reason}`);
+                console.log(`[ACCESS] ⛔ BLOCKED.`);
+                return policyResult;
             }
-            console.log(`✅ [AAMP Allow] Verified Agent: ${requestHeader.agent_id}`);
+            // --- STAGE 3: ACCESS GRANT ---
+            console.log(`[POLICY] ✅ PASSED. Requirements Met.`);
+            console.log(`[ACCESS] 🔓 GRANTED. Unlocking HQ Content.`);
             return {
                 allowed: true,
                 status: 200,
                 reason: "AAMP_VERIFIED",
                 visitorType: 'VERIFIED_AGENT',
-                metadata: requestHeader
+                metadata: requestHeader,
+                proofUsed: policyResult.proofUsed
             };
         }
         catch (e) {
-            console.error(e);
+            console.error(`[AAMP ERROR]`, e);
             return { allowed: false, status: 400, reason: "INVALID_SIGNATURE", visitorType: 'UNIDENTIFIED_BOT' };
         }
     }
-    async verifyRequestLogic(request, requestPublicKey, rawPayload) {
+    // Legacy handler kept for interface compatibility (deprecated)
+    async handleAgent(reqHeaders, rawPayload) {
+        return this.handleAgentStrict(reqHeaders, rawPayload);
+    }
+    /**
+     * STAGE 2: POLICY ENFORCEMENT CHECK
+     */
+    async checkPolicyStrict(requestHeader, proofToken, paymentCredential) {
+        // 1. Policy Check: Purpose Ban (e.g. No Training)
+        if (requestHeader.purpose === AccessPurpose.CRAWL_TRAINING && !this.policy.allowTraining) {
+            return { allowed: false, status: 403, reason: 'POLICY_DENIED: Training not allowed.', visitorType: 'VERIFIED_AGENT' };
+        }
+        if (requestHeader.purpose === AccessPurpose.RAG_RETRIEVAL && !this.policy.allowRAG) {
+            return { allowed: false, status: 403, reason: 'POLICY_DENIED: RAG not allowed.', visitorType: 'VERIFIED_AGENT' };
+        }
+        // 2. Policy Check: Economics (v1.2) - Payment & Ads
+        if (this.policy.requiresPayment) {
+            let paymentSatisfied = false;
+            // Method A: Flexible Payment Callback (DB / Custom Logic)
+            if (this.policy.monetization?.checkPayment) {
+                const isPaid = await this.policy.monetization.checkPayment(requestHeader.agent_id, requestHeader.purpose);
+                if (isPaid) {
+                    console.log(`[POLICY] 💰 Payment Verified via Callback.`);
+                    return { allowed: true, status: 200, reason: 'OK', visitorType: 'VERIFIED_AGENT', proofUsed: 'WHITELIST_CALLBACK' };
+                }
+            }
+            // Method B: Payment Credentials (Unified JWT)
+            if (!paymentSatisfied && this.policy.monetization?.paymentConfig && paymentCredential) {
+                const { jwksUrl, issuer } = this.policy.monetization.paymentConfig;
+                console.log(`[POLICY] 🔐 Verifying Payment Credential (Issuer: ${issuer})...`);
+                const isValidCredential = await verifyJwt(paymentCredential, jwksUrl, issuer);
+                if (isValidCredential) {
+                    console.log(`[POLICY] ✅ Credential Signature VALID.`);
+                    return { allowed: true, status: 200, reason: 'OK', visitorType: 'VERIFIED_AGENT', proofUsed: 'PAYMENT_CREDENTIAL_JWT' };
+                }
+                else {
+                    console.log(`[POLICY] ❌ Credential Signature INVALID.`);
+                }
+            }
+            // Method C: Ad-Supported (Proof Verification)
+            if (!paymentSatisfied && this.policy.allowAdSupportedAccess && requestHeader.context?.ads_displayed) {
+                if (proofToken && this.policy.monetization?.adNetwork) {
+                    const { jwksUrl, issuer } = this.policy.monetization.adNetwork;
+                    console.log(`[POLICY] 📺 Verifying Ad Proof (Issuer: ${issuer})...`);
+                    const isValidProof = await verifyJwt(proofToken, jwksUrl, issuer);
+                    if (isValidProof) {
+                        console.log(`[POLICY] ✅ Ad Proof Signature VALID.`);
+                        return { allowed: true, status: 200, reason: 'OK', visitorType: 'VERIFIED_AGENT', proofUsed: 'AD_PROOF_JWT' };
+                    }
+                    else {
+                        console.log(`[POLICY] ❌ Ad Proof Signature INVALID.`);
+                    }
+                }
+                else {
+                    console.log(`[POLICY] ⚠️ Ad Proof MISSING.`);
+                }
+            }
+            return {
+                allowed: false,
+                status: 402,
+                reason: 'PAYMENT_REQUIRED: Whitelist, Credential, and Ad Proof checks ALL failed.',
+                visitorType: 'VERIFIED_AGENT',
+                proofUsed: 'NONE'
+            };
+        }
+        // If no payment required, allow.
+        return { allowed: true, status: 200, reason: 'OK', visitorType: 'VERIFIED_AGENT' };
+    }
+    async verifyRequestLogic(request, requestPublicKey) {
         // 1. Replay Attack Prevention
         const requestTime = new Date(request.header.ts).getTime();
-        if (Math.abs(Date.now() - requestTime) > constants_1.MAX_CLOCK_SKEW_MS) {
-            return { allowed: false, reason: 'TIMESTAMP_INVALID', identityVerified: false };
+        if (Math.abs(Date.now() - requestTime) > MAX_CLOCK_SKEW_MS) {
+            return { allowed: false, reason: 'TIMESTAMP_INVALID: Clock skew too large.', identityVerified: false };
         }
         // 2. Crypto Verification
-        const signableString = rawPayload || JSON.stringify(request.header);
-        const isCryptoValid = await (0, crypto_1.verifySignature)(requestPublicKey, signableString, request.signature);
+        const signableString = JSON.stringify(request.header);
+        const isCryptoValid = await verifySignature(requestPublicKey, signableString, request.signature);
         if (!isCryptoValid)
-            return { allowed: false, reason: 'CRYPTO_FAIL', identityVerified: false };
+            return { allowed: false, reason: 'CRYPTO_FAIL: Signature invalid.', identityVerified: false };
         // 3. Identity Verification (DNS Binding) with Cache
         let identityVerified = false;
         const claimedDomain = request.header.agent_id;
-        const pubKeyString = await (0, crypto_1.exportPublicKey)(requestPublicKey);
-        console.log(`   🆔 [AAMP Identity] Verifying DNS Binding for: ${claimedDomain}`);
+        const pubKeyString = await exportPublicKey(requestPublicKey);
+        console.log(`[IDENTITY] 🔍 Verifying DNS Binding for: ${claimedDomain}`);
         // Check Cache First
         const cachedKey = await this.cache.get(claimedDomain);
         if (cachedKey === pubKeyString) {
-            console.log("   ⚡ [AAMP Cache] Identity found in cache.");
+            console.log("[IDENTITY] ⚡ Cache Hit. Identity Verified.");
             identityVerified = true;
         }
         else if (this.isDomain(claimedDomain)) {
@@ -197,27 +274,14 @@ class AAMPPublisher {
         if (this.policy.requireIdentityBinding && !identityVerified) {
             return { allowed: false, reason: 'IDENTITY_FAIL: DNS Binding could not be verified.', identityVerified: false };
         }
-        // 4. Policy Check: Purpose
-        if (request.header.purpose === types_1.AccessPurpose.CRAWL_TRAINING && !this.policy.allowTraining) {
-            return { allowed: false, reason: 'POLICY_DENIED: Training not allowed.', identityVerified };
-        }
-        if (request.header.purpose === types_1.AccessPurpose.RAG_RETRIEVAL && !this.policy.allowRAG) {
-            return { allowed: false, reason: 'POLICY_DENIED: RAG not allowed.', identityVerified };
-        }
-        // 5. Policy Check: Economics
-        if (this.policy.requiresPayment) {
-            const isAdExempt = this.policy.allowAdSupportedAccess && request.header.context.ads_displayed;
-            if (!isAdExempt) {
-                return { allowed: false, reason: 'PAYMENT_REQUIRED: Content requires payment or ads.', identityVerified };
-            }
-        }
-        return { allowed: true, reason: 'OK', identityVerified };
+        // Return verified status so handleAgentStrict can proceed to Policy Check
+        return { allowed: true, reason: 'OK', identityVerified: true };
     }
     async verifyDnsBinding(domain, requestKeySpki) {
         try {
             // Allow HTTP for localhost testing
             const protocol = (domain.includes('localhost') || domain.match(/:\d+$/)) ? 'http' : 'https';
-            const url = `${protocol}://${domain}${constants_1.WELL_KNOWN_AGENT_PATH}`;
+            const url = `${protocol}://${domain}${WELL_KNOWN_AGENT_PATH}`;
             console.log(`   🌍 [AAMP DNS] Fetching Manifest: ${url} ...`);
             // In production, we need a short timeout to prevent hanging
             const controller = new AbortController();
@@ -256,11 +320,31 @@ class AAMPPublisher {
         if (!this.keyPair)
             throw new Error("Publisher keys not initialized");
         const payload = JSON.stringify({ origin, ts: Date.now() });
-        const signature = await (0, crypto_1.signData)(this.keyPair.privateKey, payload);
+        const signature = await signData(this.keyPair.privateKey, payload);
         return {
-            [constants_1.HEADERS.CONTENT_ORIGIN]: origin,
-            [constants_1.HEADERS.PROVENANCE_SIG]: signature
+            [HEADERS.CONTENT_ORIGIN]: origin,
+            [HEADERS.PROVENANCE_SIG]: signature
         };
     }
+    /**
+     * Handling Quality Feedback (The "Dispute" Layer)
+     * This runs when an Agent sends 'x-aamp-feedback'.
+     */
+    async handleFeedback(token, headers) {
+        // NOTE: In production, you would fetch the Agent's specific key. 
+        // For now, we assume standard Discovery or a centralized Key Set (like adNetwork).
+        // Ideally, the SDK config should have a 'qualityOracle' key set.
+        // 1. We just Decode it to Log it (Verification is optional but recommended)
+        try {
+            const parts = token.split('.');
+            const payload = JSON.parse(atob(parts[1]));
+            console.log(`\n📢 [AAMP QUALITY ALERT] Feedback Received from ${payload.agent_id}`);
+            console.log(`   Reason: ${payload.reason} | Score: ${payload.quality_score}`);
+            console.log(`   Resource: ${payload.url}`);
+            console.log(`   (Signature available for dispute evidence)`);
+        }
+        catch (e) {
+            console.log(`   ⚠️ [AAMP Warning] Malformed Feedback Token.`);
+        }
+    }
 }
-exports.AAMPPublisher = AAMPPublisher;

package/dist/types.d.ts

@@ -37,12 +37,22 @@ export interface IdentityCache {
     get(key: string): Promise<string | null>;
     set(key: string, value: string, ttlSeconds: number): Promise<void>;
 }
+/**
+ * Optional Monetization (The Settlement Layer)
+ */
 /**
  * Optional Monetization (The Settlement Layer)
  */
 export interface MonetizationConfig {
-    method: 'BROKER' | 'CRYPTO' | 'PRIVATE_TREATY';
-    location: string;
+    checkPayment?: (agentId: string, purpose: string) => boolean | Promise<boolean>;
+    adNetwork?: {
+        jwksUrl: string;
+        issuer: string;
+    };
+    paymentConfig?: {
+        jwksUrl: string;
+        issuer: string;
+    };
 }
 /**
  * Handling Non-AAMP Visitors
@@ -87,8 +97,17 @@ export interface FeedbackSignal {
 }
 export interface EvaluationResult {
     allowed: boolean;
-    status: 200 | 400 | 401 | 403;
+    status: 200 | 400 | 401 | 402 | 403;
     reason: string;
     visitorType: 'VERIFIED_AGENT' | 'LIKELY_HUMAN' | 'UNIDENTIFIED_BOT';
     metadata?: any;
+    payment_status?: 'PAID_SUBSCRIBER' | 'AD_FUNDED' | 'UNPAID';
+    proofUsed?: string;
+}
+export interface FeedbackSignalToken {
+    url: string;
+    agent_id: string;
+    quality_score: number;
+    reason: string;
+    timestamp: number;
 }

package/dist/types.js

@@ -1,28 +1,25 @@
-"use strict";
 /**
  * Layer 1: Protocol Definitions
  * Shared types used by both Agent and Publisher.
  */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.QualityFlag = exports.ContentOrigin = exports.AccessPurpose = void 0;
-var AccessPurpose;
+export var AccessPurpose;
 (function (AccessPurpose) {
     AccessPurpose["CRAWL_TRAINING"] = "CRAWL_TRAINING";
     AccessPurpose["RAG_RETRIEVAL"] = "RAG_RETRIEVAL";
     AccessPurpose["SUMMARY"] = "SUMMARY";
     AccessPurpose["QUOTATION"] = "QUOTATION";
     AccessPurpose["EMBEDDING"] = "EMBEDDING";
-})(AccessPurpose || (exports.AccessPurpose = AccessPurpose = {}));
-var ContentOrigin;
+})(AccessPurpose || (AccessPurpose = {}));
+export var ContentOrigin;
 (function (ContentOrigin) {
     ContentOrigin["HUMAN"] = "HUMAN";
     ContentOrigin["SYNTHETIC"] = "SYNTHETIC";
     ContentOrigin["HYBRID"] = "HYBRID"; // Edited by humans, drafted by AI.
-})(ContentOrigin || (exports.ContentOrigin = ContentOrigin = {}));
-var QualityFlag;
+})(ContentOrigin || (ContentOrigin = {}));
+export var QualityFlag;
 (function (QualityFlag) {
     QualityFlag["SEO_SPAM"] = "SEO_SPAM";
     QualityFlag["INACCURATE"] = "INACCURATE";
     QualityFlag["HATE_SPEECH"] = "HATE_SPEECH";
     QualityFlag["HIGH_QUALITY"] = "HIGH_QUALITY";
-})(QualityFlag || (exports.QualityFlag = QualityFlag = {}));
+})(QualityFlag || (QualityFlag = {}));

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@aamp/protocol",
-  "version": "1.1.5",
+  "version": "1.1.7",
   "description": "TypeScript reference implementation of AAMP v1.1",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "type": "module",
   "scripts": {
     "build": "tsc",
-    "test": "ts-node test/handshake.spec.ts",
-    "prepublishOnly": "npm run test && npm run build"
+    "test": "node --loader ts-node/esm test/handshake.spec.ts"
   },
   "repository": {
     "type": "git",
@@ -17,8 +17,13 @@
     "access": "public"
   },
   "devDependencies": {
-    "typescript": "^5.0.0",
+    "@types/node": "^20.0.0",
+    "@types/node-fetch": "^2.6.13",
     "ts-node": "^10.9.0",
-    "@types/node": "^20.0.0"
+    "typescript": "^5.0.0"
+  },
+  "dependencies": {
+    "jose": "^6.1.3",
+    "node-fetch": "^2.7.0"
   }
 }

package/src/agent.ts

@@ -1,9 +1,9 @@
 /**
  * Layer 2: Agent SDK
  */
-import { AccessPurpose, ProtocolHeader, SignedAccessRequest, FeedbackSignal, QualityFlag, AgentIdentityManifest } from './types';
-import { generateKeyPair, signData, exportPublicKey } from './crypto';
-import { AAMP_VERSION } from './constants';
+import { AccessPurpose, ProtocolHeader, SignedAccessRequest, FeedbackSignal, QualityFlag, AgentIdentityManifest } from './types.js';
+import { generateKeyPair, signData, exportPublicKey } from './crypto.js';
+import { AAMP_VERSION } from './constants.js';
 
 export interface AccessOptions {
   adsDisplayed?: boolean;
@@ -24,8 +24,8 @@ export class AAMPAgent {
   }
 
   async createAccessRequest(
-    resource: string, 
-    purpose: AccessPurpose, 
+    resource: string,
+    purpose: AccessPurpose,
     options: AccessOptions = {}
   ): Promise<SignedAccessRequest> {
     if (!this.keyPair) throw new Error("Agent not initialized. Call initialize() first.");
@@ -53,9 +53,9 @@ export class AAMPAgent {
    */
   async getIdentityManifest(contactEmail?: string): Promise<AgentIdentityManifest> {
     if (!this.keyPair) throw new Error("Agent not initialized.");
-    
+
     const publicKey = await exportPublicKey(this.keyPair.publicKey);
-    
+
     return {
       agent_id: this.agentId,
       public_key: publicKey,
@@ -73,7 +73,7 @@ export class AAMPAgent {
     flags: QualityFlag[]
   ): Promise<{ signal: FeedbackSignal, signature: string }> {
     if (!this.keyPair) throw new Error("Agent not initialized.");
-    
+
     const signal: FeedbackSignal = {
       target_resource: resource,
       agent_id: this.agentId,

package/src/constants.ts

@@ -17,15 +17,24 @@ export const HEADERS = {
   SIGNATURE: 'x-aamp-signature',
   // Transport: The Agent's Public Key (Base64 SPKI)
   PUBLIC_KEY: 'x-aamp-public-key',
-  
+
   // Informational / Legacy (Optional if Payload is present)
   AGENT_ID: 'x-aamp-agent-id',
   TIMESTAMP: 'x-aamp-timestamp',
-  ALGORITHM: 'x-aamp-alg', 
-  
+  ALGORITHM: 'x-aamp-alg',
+
   // v1.1 Addition: Provenance (Server to Agent)
   CONTENT_ORIGIN: 'x-aamp-content-origin',
-  PROVENANCE_SIG: 'x-aamp-provenance-sig'
+  PROVENANCE_SIG: 'x-aamp-provenance-sig',
+
+  // v1.2 Proof of Value
+  PROOF_TOKEN: 'x-aamp-proof',
+
+  // v1.2 Payment Credential (The "Digital Receipt")
+  PAYMENT_CREDENTIAL: 'x-aamp-credential',
+
+  // v1.2 Quality Feedback (The "Dispute Token")
+  FEEDBACK: 'x-aamp-feedback'
 } as const;
 
 // Cryptographic Settings

package/src/express.ts

@@ -2,9 +2,9 @@
  * Layer 3: Framework Adapters
  * Zero-friction integration for Express/Node.js.
  */
-import { AAMPPublisher } from './publisher';
-import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types';
-import { generateKeyPair } from './crypto';
+import { AAMPPublisher } from './publisher.js';
+import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types.js';
+import { generateKeyPair } from './crypto.js';
 
 export interface AAMPConfig {
   policy: Omit<AccessPolicy, 'version'>;
@@ -28,9 +28,9 @@ export class AAMP {
       config.strategy || 'PASSIVE',
       config.cache
     );
-    
+
     this.origin = ContentOrigin[config.meta.origin];
-    
+
     this.ready = generateKeyPair().then(keys => {
       return this.publisher.initialize(keys);
     });
@@ -62,9 +62,10 @@ export class AAMP {
 
       // Enforce Decision
       if (!result.allowed) {
-        res.status(result.status).json({ 
+        res.status(result.status).json({
           error: result.reason,
-          visitor_type: result.visitorType
+          visitor_type: result.visitorType,
+          proof_used: result.proofUsed
         });
         return;
       }

package/src/index.ts

@@ -4,10 +4,10 @@
  * This is the main entry point for the library.
  */
 
-export * from './types';
-export * from './constants';
-export * from './agent';
-export * from './publisher';
-export * from './crypto';
-export * from './express'; // Node.js / Express Adapter
-export { AAMPNext } from './nextjs';  // Serverless / Next.js Adapter
+export * from './types.js';
+export * from './constants.js';
+export * from './agent.js';
+export * from './publisher.js';
+export * from './crypto.js';
+export * from './express.js'; // Node.js / Express Adapter
+export { AAMPNext } from './nextjs.js';  // Serverless / Next.js Adapter

package/src/nextjs.ts

@@ -2,12 +2,12 @@
  * Layer 3: Framework Adapters
  * Serverless integration for Next.js (App Router & API Routes).
  */
-import { AAMPPublisher } from './publisher';
-import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types';
-import { generateKeyPair } from './crypto';
+import { AAMPPublisher } from './publisher.js';
+import { AccessPolicy, ContentOrigin, UnauthenticatedStrategy, IdentityCache } from './types.js';
+import { generateKeyPair } from './crypto.js';
 
-type NextRequest = any; 
-type NextResponse = any; 
+type NextRequest = any;
+type NextResponse = any;
 
 const createJsonResponse = (body: any, status = 200) => {
   return new Response(JSON.stringify(body), {
@@ -63,9 +63,10 @@ export class AAMPNext {
       const result = await this.publisher.evaluateVisitor(headers, headers['x-aamp-payload']);
 
       if (!result.allowed) {
-        return createJsonResponse({ 
+        return createJsonResponse({
           error: result.reason,
-          visitor_type: result.visitorType
+          visitor_type: result.visitorType,
+          proof_used: result.proofUsed
         }, result.status);
       }
 
@@ -75,9 +76,9 @@ export class AAMPNext {
       // Inject Provenance
       const aampHeaders = await this.publisher.generateResponseHeaders(this.origin);
       if (response && response.headers) {
-         Object.entries(aampHeaders).forEach(([k, v]) => {
-           response.headers.set(k, v);
-         });
+        Object.entries(aampHeaders).forEach(([k, v]) => {
+          response.headers.set(k, v);
+        });
       }
 
       return response;