@dupecom/botcha-cloudflare 0.11.0 → 0.13.1

package/dist/static.js

@@ -77,6 +77,16 @@ curl https://botcha.ai/agent-only -H "Authorization: Bearer <token>"
 | \`GET\` | \`/v1/agents/:id\` | Get agent by ID (public, no auth) |
 | \`GET\` | \`/v1/agents\` | List all agents for your app (auth required) |
 
+### TAP (Trusted Agent Protocol)
+
+| Method | Path | Description |
+|--------|------|-------------|
+| \`POST\` | \`/v1/agents/register/tap\` | Register TAP agent with public key + capabilities |
+| \`GET\` | \`/v1/agents/:id/tap\` | Get TAP agent details (includes public key) |
+| \`GET\` | \`/v1/agents/tap\` | List TAP-enabled agents for app |
+| \`POST\` | \`/v1/sessions/tap\` | Create TAP session with intent validation |
+| \`GET\` | \`/v1/sessions/:id/tap\` | Get TAP session info |
+
 ### Challenges
 
 | Method | Path | Description |
@@ -272,6 +282,9 @@ Feature: Email-Tied App Creation (email required, 6-digit verification, account
 Feature: Secret Rotation (rotate app_secret with email notification)
 Feature: Agent-First Dashboard Auth (challenge-based login + device code handoff)
 Feature: Agent Registry (persistent agent identities with name, operator, version)
+Feature: Trusted Agent Protocol (TAP) — cryptographic agent auth with HTTP Message Signatures (RFC 9421)
+Feature: TAP Capabilities (action + resource scoping for agent sessions)
+Feature: TAP Trust Levels (basic, verified, enterprise)
 
 # Endpoints
 # Challenge Endpoints
@@ -310,11 +323,22 @@ Endpoint: GET https://botcha.ai/dashboard/login - Dashboard login page
 Endpoint: POST https://botcha.ai/dashboard/login - Login with app_id + app_secret
 Endpoint: GET https://botcha.ai/dashboard/code - Enter device code (human-facing)
 
+# Code Redemption (Unified)
+Endpoint: GET https://botcha.ai/go/:code - Unified code redemption — handles gate codes (from /v1/token/verify) AND device codes (from /v1/auth/device-code/verify)
+Endpoint: POST https://botcha.ai/gate - Submit code form, redirects to /go/:code
+
 # Agent Registry Endpoints
 Endpoint: POST https://botcha.ai/v1/agents/register - Register agent identity (requires app_id)
 Endpoint: GET https://botcha.ai/v1/agents/:id - Get agent by ID (public, no auth)
 Endpoint: GET https://botcha.ai/v1/agents - List all agents for authenticated app
 
+# TAP (Trusted Agent Protocol) Endpoints
+Endpoint: POST https://botcha.ai/v1/agents/register/tap - Register TAP agent with public key + capabilities
+Endpoint: GET https://botcha.ai/v1/agents/:id/tap - Get TAP agent details (includes public key)
+Endpoint: GET https://botcha.ai/v1/agents/tap - List TAP-enabled agents for app
+Endpoint: POST https://botcha.ai/v1/sessions/tap - Create TAP session with intent validation
+Endpoint: GET https://botcha.ai/v1/sessions/:id/tap - Get TAP session info
+
 # Legacy Endpoints
 Endpoint: GET https://botcha.ai/api/challenge - Generate standard challenge
 Endpoint: POST https://botcha.ai/api/challenge - Verify standard challenge
@@ -350,7 +374,8 @@ Content-Negotiation-Example: curl https://botcha.ai -H "Accept: text/markdown"
 Content-Negotiation-Benefit: 80% fewer tokens vs HTML — ideal for LLM context windows
 
 # JWT TOKEN SECURITY
-Token-Flow: 1. GET /v1/token (get challenge) → 2. Solve → 3. POST /v1/token/verify (get tokens)
+Token-Flow: 1. GET /v1/token (get challenge) → 2. Solve → 3. POST /v1/token/verify (get tokens + human_link)
+Token-Human-Link: /v1/token/verify response includes human_link — give this URL to your human for one-click browser access
 Token-Access-Expiry: 5 minutes (short-lived for security)
 Token-Refresh-Expiry: 1 hour (use to get new access tokens)
 Token-Refresh: POST /v1/token/refresh with {"refresh_token": "<token>"}
@@ -381,6 +406,18 @@ SDK-App-Lifecycle-Python: create_app(email), verify_email(code), resend_verifica
 Multi-Tenant-Rate-Limit: Each app gets isolated rate limit bucket
 Multi-Tenant-Token-Claim: Tokens include app_id claim when app_id provided
 
+# TRUSTED AGENT PROTOCOL (TAP)
+TAP-Description: Enterprise-grade cryptographic agent auth using HTTP Message Signatures (RFC 9421)
+TAP-Register: POST /v1/agents/register/tap with {name, public_key, signature_algorithm, capabilities, trust_level}
+TAP-Algorithms: ecdsa-p256-sha256, rsa-pss-sha256
+TAP-Trust-Levels: basic, verified, enterprise
+TAP-Capabilities: Array of {action, resource, constraints} — scoped access control
+TAP-Session-Create: POST /v1/sessions/tap with {agent_id, user_context, intent}
+TAP-Session-Get: GET /v1/sessions/:id/tap — includes time_remaining
+TAP-Get-Agent: GET /v1/agents/:id/tap — includes public_key for verification
+TAP-List-Agents: GET /v1/agents/tap?app_id=...&tap_only=true
+TAP-Middleware-Modes: tap, signature-only, challenge-only, flexible
+
 # EMBEDDED CHALLENGE (for bots visiting HTML pages)
 Embedded-Challenge: <script type="application/botcha+json">
 Embedded-Challenge-Location: In <head> of HTML pages
@@ -1099,6 +1136,159 @@ export function getOpenApiSpec(version) {
                         "401": { description: "Unauthorized - app_id required" }
                     }
                 }
+            },
+            "/v1/agents/register/tap": {
+                post: {
+                    summary: "Register a TAP-enabled agent",
+                    description: "Register an agent with Trusted Agent Protocol (TAP) capabilities including public key, signature algorithm, capabilities, and trust level. Requires app_id.",
+                    operationId: "registerTAPAgent",
+                    parameters: [
+                        {
+                            name: "app_id",
+                            in: "query",
+                            schema: { type: "string" },
+                            description: "Multi-tenant app ID (or use JWT Bearer token with app_id claim)"
+                        }
+                    ],
+                    requestBody: {
+                        required: true,
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    required: ["name"],
+                                    properties: {
+                                        "name": { type: "string", description: "Agent name" },
+                                        "operator": { type: "string", description: "Operator/organization name" },
+                                        "version": { type: "string", description: "Agent version" },
+                                        "public_key": { type: "string", description: "PEM-encoded public key" },
+                                        "signature_algorithm": { type: "string", enum: ["ecdsa-p256-sha256", "rsa-pss-sha256"], description: "Signature algorithm (required if public_key provided)" },
+                                        "trust_level": { type: "string", enum: ["basic", "verified", "enterprise"], description: "Agent trust level (default: basic)" },
+                                        "capabilities": {
+                                            type: "array",
+                                            items: {
+                                                type: "object",
+                                                properties: {
+                                                    "action": { type: "string", description: "Capability action (e.g., read, write, execute)" },
+                                                    "resource": { type: "string", description: "Resource path" },
+                                                    "constraints": { type: "object", description: "Optional constraints" }
+                                                }
+                                            },
+                                            description: "Agent capabilities (action + resource pairs)"
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    responses: {
+                        "201": { description: "TAP agent registered successfully" },
+                        "400": { description: "Invalid request (missing fields, bad key format, invalid algorithm)" },
+                        "401": { description: "Unauthorized - app_id required" }
+                    }
+                }
+            },
+            "/v1/agents/{id}/tap": {
+                get: {
+                    summary: "Get TAP agent details",
+                    description: "Retrieve TAP-enhanced agent information including public key, capabilities, and trust level.",
+                    operationId: "getTAPAgent",
+                    parameters: [
+                        {
+                            name: "id",
+                            in: "path",
+                            required: true,
+                            schema: { type: "string" },
+                            description: "The agent_id to retrieve"
+                        }
+                    ],
+                    responses: {
+                        "200": { description: "TAP agent details including public key and capabilities" },
+                        "404": { description: "Agent not found" }
+                    }
+                }
+            },
+            "/v1/agents/tap": {
+                get: {
+                    summary: "List TAP-enabled agents",
+                    description: "List all TAP-enabled agents for the authenticated app. Use ?tap_only=true to filter to TAP-enabled agents only.",
+                    operationId: "listTAPAgents",
+                    parameters: [
+                        {
+                            name: "app_id",
+                            in: "query",
+                            schema: { type: "string" },
+                            description: "Multi-tenant app ID"
+                        },
+                        {
+                            name: "tap_only",
+                            in: "query",
+                            schema: { type: "string", enum: ["true", "false"] },
+                            description: "Filter to TAP-enabled agents only"
+                        }
+                    ],
+                    responses: {
+                        "200": { description: "List of TAP agents with capabilities and trust levels" },
+                        "401": { description: "Unauthorized - app_id required" }
+                    }
+                }
+            },
+            "/v1/sessions/tap": {
+                post: {
+                    summary: "Create a TAP session",
+                    description: "Create a capability-scoped session after validating the agent's intent against its registered capabilities.",
+                    operationId: "createTAPSession",
+                    requestBody: {
+                        required: true,
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    required: ["agent_id", "user_context", "intent"],
+                                    properties: {
+                                        "agent_id": { type: "string", description: "Registered TAP agent ID" },
+                                        "user_context": { type: "string", description: "User context identifier" },
+                                        "intent": {
+                                            type: "object",
+                                            properties: {
+                                                "action": { type: "string", description: "Intended action (e.g., read, write)" },
+                                                "resource": { type: "string", description: "Target resource path" },
+                                                "purpose": { type: "string", description: "Human-readable purpose" }
+                                            },
+                                            description: "Declared intent for the session"
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    responses: {
+                        "201": { description: "TAP session created with capabilities and expiry" },
+                        "400": { description: "Missing required fields or invalid intent" },
+                        "403": { description: "Agent lacks required capability for declared intent" },
+                        "404": { description: "Agent not found" }
+                    }
+                }
+            },
+            "/v1/sessions/{id}/tap": {
+                get: {
+                    summary: "Get TAP session info",
+                    description: "Retrieve TAP session details including capabilities, intent, and time remaining.",
+                    operationId: "getTAPSession",
+                    parameters: [
+                        {
+                            name: "id",
+                            in: "path",
+                            required: true,
+                            schema: { type: "string" },
+                            description: "The session_id to retrieve"
+                        }
+                    ],
+                    responses: {
+                        "200": { description: "TAP session details with time remaining" },
+                        "404": { description: "Session not found or expired" }
+                    }
+                }
             }
         },
         components: {

package/dist/tap-agents.d.ts

@@ -0,0 +1,120 @@
+/**
+ * TAP-Enhanced Agent Registry
+ * Extends the basic BOTCHA agent registry with Trusted Agent Protocol features
+ *
+ * Provides enterprise-grade cryptographic agent authentication with:
+ * - HTTP Message Signatures (RFC 9421)
+ * - Capability-based access control
+ * - Intent declaration and validation
+ * - Session management with expiration
+ */
+import { Agent, KVNamespace } from './agents.js';
+/**
+ * TAP-enhanced agent record (backward compatible with Agent)
+ */
+export interface TAPAgent extends Agent {
+    public_key?: string;
+    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256';
+    key_created_at?: number;
+    capabilities?: TAPCapability[];
+    trust_level?: 'basic' | 'verified' | 'enterprise';
+    issuer?: string;
+    tap_enabled?: boolean;
+    last_verified_at?: number;
+}
+/** Valid TAP capability actions — single source of truth */
+export declare const TAP_VALID_ACTIONS: readonly ["browse", "compare", "purchase", "audit", "search"];
+export type TAPAction = typeof TAP_VALID_ACTIONS[number];
+export interface TAPCapability {
+    action: TAPAction;
+    scope?: string[];
+    restrictions?: {
+        max_amount?: number;
+        rate_limit?: number;
+        [key: string]: any;
+    };
+}
+export interface TAPSession {
+    session_id: string;
+    agent_id: string;
+    app_id: string;
+    user_context: string;
+    capabilities: TAPCapability[];
+    intent: TAPIntent;
+    created_at: number;
+    expires_at: number;
+}
+export interface TAPIntent {
+    action: string;
+    resource?: string;
+    scope?: string[];
+    duration?: number;
+}
+/**
+ * Register an agent with TAP capabilities
+ */
+export declare function registerTAPAgent(agents: KVNamespace, appId: string, registration: {
+    name: string;
+    operator?: string;
+    version?: string;
+    public_key?: string;
+    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256';
+    capabilities?: TAPCapability[];
+    trust_level?: 'basic' | 'verified' | 'enterprise';
+    issuer?: string;
+}): Promise<{
+    success: boolean;
+    agent?: TAPAgent;
+    error?: string;
+}>;
+/**
+ * Get agent with TAP capabilities
+ */
+export declare function getTAPAgent(agents: KVNamespace, agentId: string): Promise<{
+    success: boolean;
+    agent?: TAPAgent;
+    error?: string;
+}>;
+/**
+ * Update agent's last verification timestamp
+ */
+export declare function updateAgentVerification(agents: KVNamespace, agentId: string, verificationSuccess: boolean): Promise<void>;
+/**
+ * List TAP-enabled agents for an app
+ */
+export declare function listTAPAgents(agents: KVNamespace, appId: string, tapOnly?: boolean): Promise<{
+    success: boolean;
+    agents?: TAPAgent[];
+    error?: string;
+}>;
+/**
+ * Create a TAP session after successful verification
+ */
+export declare function createTAPSession(sessions: KVNamespace, agentId: string, appId: string, userContext: string, capabilities: TAPCapability[], intent: TAPIntent): Promise<{
+    success: boolean;
+    session?: TAPSession;
+    error?: string;
+}>;
+/**
+ * Get and validate TAP session
+ */
+export declare function getTAPSession(sessions: KVNamespace, sessionId: string): Promise<{
+    success: boolean;
+    session?: TAPSession;
+    error?: string;
+}>;
+export declare function validateCapability(agentCapabilities: TAPCapability[], requiredAction: string, requiredScope?: string): {
+    valid: boolean;
+    error?: string;
+};
+declare const _default: {
+    registerTAPAgent: typeof registerTAPAgent;
+    getTAPAgent: typeof getTAPAgent;
+    listTAPAgents: typeof listTAPAgents;
+    updateAgentVerification: typeof updateAgentVerification;
+    createTAPSession: typeof createTAPSession;
+    getTAPSession: typeof getTAPSession;
+    validateCapability: typeof validateCapability;
+};
+export default _default;
+//# sourceMappingURL=tap-agents.d.ts.map

package/dist/tap-agents.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tap-agents.d.ts","sourceRoot":"","sources":["../src/tap-agents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAIlE;;GAEG;AACH,MAAM,WAAW,QAAS,SAAQ,KAAK;IAErC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,CAAC;IAC7D,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAGlD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,4DAA4D;AAC5D,eAAO,MAAM,iBAAiB,+DAAgE,CAAC;AAC/F,MAAM,MAAM,SAAS,GAAG,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,CAAC;IAC7D,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDjE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAcjE;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,OAAO,GAC3B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsBpE;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,WAAW,EACrB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,aAAa,EAAE,EAC7B,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA+BrE;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,WAAW,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBrE;AA2CD,wBAAgB,kBAAkB,CAChC,iBAAiB,EAAE,aAAa,EAAE,EAClC,cAAc,EAAE,MAAM,EACtB,aAAa,CAAC,EAAE,MAAM,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBpC;;;;;;;;;;AAED,wBAQE"}

package/dist/tap-agents.js

@@ -0,0 +1,225 @@
+/**
+ * TAP-Enhanced Agent Registry
+ * Extends the basic BOTCHA agent registry with Trusted Agent Protocol features
+ *
+ * Provides enterprise-grade cryptographic agent authentication with:
+ * - HTTP Message Signatures (RFC 9421)
+ * - Capability-based access control
+ * - Intent declaration and validation
+ * - Session management with expiration
+ */
+import { generateAgentId } from './agents.js';
+/** Valid TAP capability actions — single source of truth */
+export const TAP_VALID_ACTIONS = ['browse', 'compare', 'purchase', 'audit', 'search'];
+// ============ TAP AGENT MANAGEMENT ============
+/**
+ * Register an agent with TAP capabilities
+ */
+export async function registerTAPAgent(agents, appId, registration) {
+    try {
+        const agentId = generateAgentId();
+        const now = Date.now();
+        const agent = {
+            agent_id: agentId,
+            app_id: appId,
+            name: registration.name,
+            operator: registration.operator,
+            version: registration.version,
+            created_at: now,
+            // TAP fields
+            public_key: registration.public_key,
+            signature_algorithm: registration.signature_algorithm,
+            key_created_at: registration.public_key ? now : undefined,
+            capabilities: registration.capabilities || [],
+            trust_level: registration.trust_level || 'basic',
+            issuer: registration.issuer,
+            tap_enabled: Boolean(registration.public_key),
+            last_verified_at: undefined
+        };
+        // Validate TAP configuration
+        if (agent.public_key) {
+            if (!agent.signature_algorithm) {
+                return { success: false, error: 'signature_algorithm required when public_key provided' };
+            }
+            // Validate public key format
+            if (!isValidPEMPublicKey(agent.public_key)) {
+                return { success: false, error: 'Invalid PEM public key format' };
+            }
+        }
+        // Store agent
+        await agents.put(`agent:${agentId}`, JSON.stringify(agent));
+        // Update app's agent index
+        await updateAppAgentIndex(agents, appId, agentId, 'add');
+        return { success: true, agent };
+    }
+    catch (error) {
+        console.error('Failed to register TAP agent:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+/**
+ * Get agent with TAP capabilities
+ */
+export async function getTAPAgent(agents, agentId) {
+    try {
+        const agentData = await agents.get(`agent:${agentId}`, 'text');
+        if (!agentData) {
+            return { success: false, error: 'Agent not found' };
+        }
+        const agent = JSON.parse(agentData);
+        return { success: true, agent };
+    }
+    catch (error) {
+        console.error('Failed to get TAP agent:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+/**
+ * Update agent's last verification timestamp
+ */
+export async function updateAgentVerification(agents, agentId, verificationSuccess) {
+    try {
+        const result = await getTAPAgent(agents, agentId);
+        if (result.success && result.agent) {
+            result.agent.last_verified_at = verificationSuccess ? Date.now() : result.agent.last_verified_at;
+            await agents.put(`agent:${agentId}`, JSON.stringify(result.agent));
+        }
+    }
+    catch (error) {
+        console.error('Failed to update agent verification:', error);
+        // Fail silently - verification updates are not critical
+    }
+}
+/**
+ * List TAP-enabled agents for an app
+ */
+export async function listTAPAgents(agents, appId, tapOnly = false) {
+    try {
+        const indexData = await agents.get(`app_agents:${appId}`, 'text');
+        if (!indexData) {
+            return { success: true, agents: [] };
+        }
+        const agentIds = JSON.parse(indexData);
+        const agentPromises = agentIds.map(id => getTAPAgent(agents, id));
+        const results = await Promise.all(agentPromises);
+        const tapAgents = results
+            .filter(r => r.success && r.agent)
+            .map(r => r.agent)
+            .filter(agent => !tapOnly || agent.tap_enabled);
+        return { success: true, agents: tapAgents };
+    }
+    catch (error) {
+        console.error('Failed to list TAP agents:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+// ============ TAP SESSION MANAGEMENT ============
+/**
+ * Create a TAP session after successful verification
+ */
+export async function createTAPSession(sessions, agentId, appId, userContext, capabilities, intent) {
+    try {
+        const sessionId = generateSessionId();
+        const now = Date.now();
+        const MAX_SESSION_DURATION = 86400; // 24 hours max
+        const duration = Math.min(intent.duration || 3600, MAX_SESSION_DURATION);
+        const expiresAt = now + duration * 1000;
+        const session = {
+            session_id: sessionId,
+            agent_id: agentId,
+            app_id: appId,
+            user_context: userContext,
+            capabilities,
+            intent,
+            created_at: now,
+            expires_at: expiresAt
+        };
+        // Store session with TTL
+        const ttlSeconds = Math.floor((expiresAt - now) / 1000);
+        await sessions.put(`session:${sessionId}`, JSON.stringify(session), {
+            expirationTtl: ttlSeconds
+        });
+        return { success: true, session };
+    }
+    catch (error) {
+        console.error('Failed to create TAP session:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+/**
+ * Get and validate TAP session
+ */
+export async function getTAPSession(sessions, sessionId) {
+    try {
+        const sessionData = await sessions.get(`session:${sessionId}`, 'text');
+        if (!sessionData) {
+            return { success: false, error: 'Session not found or expired' };
+        }
+        const session = JSON.parse(sessionData);
+        // Double-check expiration
+        if (Date.now() > session.expires_at) {
+            return { success: false, error: 'Session expired' };
+        }
+        return { success: true, session };
+    }
+    catch (error) {
+        console.error('Failed to get TAP session:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+// ============ UTILITY FUNCTIONS ============
+function generateSessionId() {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+        .map(b => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+function isValidPEMPublicKey(pemKey) {
+    return pemKey.includes('BEGIN PUBLIC KEY') &&
+        pemKey.includes('END PUBLIC KEY') &&
+        pemKey.length > 100; // Basic sanity check
+}
+async function updateAppAgentIndex(agents, appId, agentId, operation) {
+    try {
+        const indexData = await agents.get(`app_agents:${appId}`, 'text');
+        let agentIds = indexData ? JSON.parse(indexData) : [];
+        if (operation === 'add' && !agentIds.includes(agentId)) {
+            agentIds.push(agentId);
+        }
+        else if (operation === 'remove') {
+            agentIds = agentIds.filter(id => id !== agentId);
+        }
+        await agents.put(`app_agents:${appId}`, JSON.stringify(agentIds));
+    }
+    catch (error) {
+        console.error('Failed to update agent index:', error);
+        // Fail silently - index updates are not critical
+    }
+}
+// ============ CAPABILITY VALIDATION ============
+export function validateCapability(agentCapabilities, requiredAction, requiredScope) {
+    const matchingCaps = agentCapabilities.filter(cap => cap.action === requiredAction);
+    if (matchingCaps.length === 0) {
+        return { valid: false, error: `Agent lacks capability: ${requiredAction}` };
+    }
+    if (!requiredScope) {
+        return { valid: true };
+    }
+    const hasScope = matchingCaps.some(cap => !cap.scope ||
+        cap.scope.includes('*') ||
+        cap.scope.includes(requiredScope));
+    if (!hasScope) {
+        return { valid: false, error: `Agent lacks scope '${requiredScope}' for action '${requiredAction}'` };
+    }
+    return { valid: true };
+}
+export default {
+    registerTAPAgent,
+    getTAPAgent,
+    listTAPAgents,
+    updateAgentVerification,
+    createTAPSession,
+    getTAPSession,
+    validateCapability
+};