@dupecom/botcha-cloudflare 0.15.0 → 0.16.0

package/dist/static.js

@@ -87,6 +87,30 @@ curl https://botcha.ai/agent-only -H "Authorization: Bearer <token>"
 | \`POST\` | \`/v1/sessions/tap\` | Create TAP session with intent validation |
 | \`GET\` | \`/v1/sessions/:id/tap\` | Get TAP session info |
 
+### TAP Full Spec — JWKS & Keys (v0.16.0)
+
+| Method | Path | Description |
+|--------|------|-------------|
+| \`GET\` | \`/.well-known/jwks\` | JWK Set for app's TAP agents (Visa spec standard) |
+| \`GET\` | \`/v1/keys\` | List keys (supports ?keyID= for Visa compat) |
+| \`GET\` | \`/v1/keys/:keyId\` | Get specific key by ID |
+| \`POST\` | \`/v1/agents/:id/tap/rotate-key\` | Rotate agent's key pair |
+
+### TAP Full Spec — 402 Micropayments (v0.16.0)
+
+| Method | Path | Description |
+|--------|------|-------------|
+| \`POST\` | \`/v1/invoices\` | Create invoice for gated content |
+| \`GET\` | \`/v1/invoices/:id\` | Get invoice details |
+| \`POST\` | \`/v1/invoices/:id/verify-iou\` | Verify Browsing IOU |
+
+### TAP Full Spec — Verification (v0.16.0)
+
+| Method | Path | Description |
+|--------|------|-------------|
+| \`POST\` | \`/v1/verify/consumer\` | Verify Agentic Consumer (Layer 2) |
+| \`POST\` | \`/v1/verify/payment\` | Verify Agentic Payment Container (Layer 3) |
+
 ### Challenges
 
 | Method | Path | Description |
@@ -262,8 +286,10 @@ API-Format: OpenAPI 3.1.0
 
 # Documentation
 Docs: https://botcha.ai
+Docs: https://botcha.ai/whitepaper
 Docs: https://github.com/dupe-com/botcha#readme
 Docs: https://www.npmjs.com/package/@dupecom/botcha
+Whitepaper: https://botcha.ai/whitepaper
 
 # Verification Methods
 Feature: Web Bot Auth (cryptographic signatures)
@@ -287,6 +313,7 @@ Feature: Trusted Agent Protocol (TAP) — cryptographic agent auth with HTTP Mes
 Feature: TAP Capabilities (action + resource scoping for agent sessions)
 Feature: TAP Trust Levels (basic, verified, enterprise)
 Feature: TAP Showcase Homepage (botcha.ai — one of the first services to implement Visa's Trusted Agent Protocol)
+Feature: TAP Full Spec v0.16.0 — Ed25519, RFC 9421 full compliance, JWKS infrastructure, Layer 2 Consumer Recognition, Layer 3 Payment Container, 402 micropayments, CDN edge verification, Visa key federation
 
 # Endpoints
 # Challenge Endpoints
@@ -341,6 +368,21 @@ Endpoint: GET https://botcha.ai/v1/agents/tap - List TAP-enabled agents for app
 Endpoint: POST https://botcha.ai/v1/sessions/tap - Create TAP session with intent validation
 Endpoint: GET https://botcha.ai/v1/sessions/:id/tap - Get TAP session info
 
+# TAP Full Spec — JWKS & Key Management (v0.16.0)
+Endpoint: GET https://botcha.ai/.well-known/jwks - JWK Set for app's TAP agents (Visa spec standard)
+Endpoint: GET https://botcha.ai/v1/keys - List keys (supports ?keyID= query for Visa compatibility)
+Endpoint: GET https://botcha.ai/v1/keys/:keyId - Get specific key by ID
+Endpoint: POST https://botcha.ai/v1/agents/:id/tap/rotate-key - Rotate agent's key pair
+
+# TAP Full Spec — 402 Micropayments (v0.16.0)
+Endpoint: POST https://botcha.ai/v1/invoices - Create invoice for gated content (402 flow)
+Endpoint: GET https://botcha.ai/v1/invoices/:id - Get invoice details
+Endpoint: POST https://botcha.ai/v1/invoices/:id/verify-iou - Verify Browsing IOU against invoice
+
+# TAP Full Spec — Consumer & Payment Verification (v0.16.0)
+Endpoint: POST https://botcha.ai/v1/verify/consumer - Verify Agentic Consumer object (Layer 2)
+Endpoint: POST https://botcha.ai/v1/verify/payment - Verify Agentic Payment Container (Layer 3)
+
 # Legacy Endpoints
 Endpoint: GET https://botcha.ai/api/challenge - Generate standard challenge
 Endpoint: POST https://botcha.ai/api/challenge - Verify standard challenge
@@ -411,7 +453,7 @@ Multi-Tenant-Token-Claim: Tokens include app_id claim when app_id provided
 # TRUSTED AGENT PROTOCOL (TAP)
 TAP-Description: Enterprise-grade cryptographic agent auth using HTTP Message Signatures (RFC 9421)
 TAP-Register: POST /v1/agents/register/tap with {name, public_key, signature_algorithm, capabilities, trust_level}
-TAP-Algorithms: ecdsa-p256-sha256, rsa-pss-sha256
+TAP-Algorithms: ed25519 (Visa recommended), ecdsa-p256-sha256, rsa-pss-sha256
 TAP-Trust-Levels: basic, verified, enterprise
 TAP-Capabilities: Array of {action, resource, constraints} — scoped access control
 TAP-Session-Create: POST /v1/sessions/tap with {agent_id, user_context, intent}
@@ -419,10 +461,22 @@ TAP-Session-Get: GET /v1/sessions/:id/tap — includes time_remaining
 TAP-Get-Agent: GET /v1/agents/:id/tap — includes public_key for verification
 TAP-List-Agents: GET /v1/agents/tap?app_id=...&tap_only=true
 TAP-Middleware-Modes: tap, signature-only, challenge-only, flexible
-TAP-SDK-TS: registerTAPAgent(options), getTAPAgent(agentId), listTAPAgents(tapOnly?), createTAPSession(options), getTAPSession(sessionId)
-TAP-SDK-Python: register_tap_agent(name, ...), get_tap_agent(agent_id), list_tap_agents(tap_only?), create_tap_session(agent_id, user_context, intent), get_tap_session(session_id)
+TAP-SDK-TS: registerTAPAgent(options), getTAPAgent(agentId), listTAPAgents(tapOnly?), createTAPSession(options), getTAPSession(sessionId), getJWKS(), getKeyById(keyId), rotateAgentKey(agentId), createInvoice(data), getInvoice(id), verifyBrowsingIOU(invoiceId, token)
+TAP-SDK-Python: register_tap_agent(name, ...), get_tap_agent(agent_id), list_tap_agents(tap_only?), create_tap_session(agent_id, user_context, intent), get_tap_session(session_id), get_jwks(), get_key_by_id(key_id), rotate_agent_key(agent_id), create_invoice(data), get_invoice(id), verify_browsing_iou(invoice_id, token)
 TAP-Middleware-Import: import { createTAPVerifyMiddleware } from '@dupecom/botcha/middleware'
 
+# TAP FULL SPEC v0.16.0
+TAP-RFC-9421: Full compliance — @authority, @path, expires, nonce, tag params
+TAP-Nonce-Replay: 8-minute TTL nonce-based replay protection
+TAP-Tags: agent-browser-auth (browsing), agent-payer-auth (payment)
+TAP-Layer-2: Agentic Consumer Recognition — OIDC ID tokens, obfuscated identity, contextual data
+TAP-Layer-3: Agentic Payment Container — card metadata, credential hash, encrypted payload, Browsing IOU
+TAP-JWKS: GET /.well-known/jwks — JWK Set endpoint for key discovery
+TAP-Key-Rotation: POST /v1/agents/:id/tap/rotate-key — rotate keys, invalidate old
+TAP-402-Flow: POST /v1/invoices → GET /v1/invoices/:id → POST /v1/invoices/:id/verify-iou
+TAP-Edge-Verify: createTAPEdgeMiddleware for Cloudflare Workers CDN edge verification
+TAP-Visa-Federation: Trust keys from https://mcp.visa.com/.well-known/jwks (3-tier cache: memory → KV → HTTP)
+
 # EMBEDDED CHALLENGE (for bots visiting HTML pages)
 Embedded-Challenge: <script type="application/botcha+json">
 Embedded-Challenge-Location: In <head> of HTML pages
@@ -481,8 +535,160 @@ export const SITEMAP_XML = `<?xml version="1.0" encoding="UTF-8"?>
     <changefreq>monthly</changefreq>
     <priority>0.5</priority>
   </url>
+  <url>
+    <loc>https://botcha.ai/whitepaper</loc>
+    <changefreq>monthly</changefreq>
+    <priority>0.9</priority>
+  </url>
 </urlset>
 `;
+// Whitepaper markdown — served at /whitepaper with Accept: text/markdown
+export function getWhitepaperMarkdown() {
+    return `---
+title: "BOTCHA: Identity Infrastructure for the Agentic Web"
+version: "1.0"
+date: February 2026
+url: https://botcha.ai/whitepaper
+---
+
+# BOTCHA: Identity Infrastructure for the Agentic Web
+
+**Version 1.0 — February 2026**
+
+## 1. Executive Summary
+
+BOTCHA is a reverse CAPTCHA — a verification system that proves you are an AI agent, not a human. While traditional CAPTCHAs exist to block bots, BOTCHA exists to welcome them.
+
+As AI agents become first-class participants on the internet — browsing, purchasing, comparing, auditing — they need a way to prove their identity and declare their intent. BOTCHA provides three layers of proof:
+
+- **Proof of AI** — Computational challenges (SHA-256 hashes in under 500ms) that only machines can solve.
+- **Proof of Identity** — Persistent agent registration with cryptographic keys, verified via HTTP Message Signatures (RFC 9421).
+- **Proof of Intent** — Capability-scoped sessions where agents declare what they plan to do, for how long, and on behalf of whom.
+
+BOTCHA is open source, free to use, and deployed at https://botcha.ai.
+
+## 2. The Problem: Who Is This Agent?
+
+The internet was built for humans. Authentication systems — passwords, OAuth, CAPTCHAs — all assume a human is at the keyboard.
+
+AI agents are now browsing product catalogs, comparing prices, purchasing goods, auditing compliance, and negotiating contracts. When an agent hits your API, existing infrastructure cannot answer three critical questions:
+
+1. **Is this actually an AI agent?** User-Agent strings are trivially spoofable.
+2. **Which specific agent is this?** Even knowing it is AI, you do not know its organization or track record.
+3. **What does it intend to do?** Traditional auth grants blanket access — it does not capture intent.
+
+## 3. BOTCHA: Reverse CAPTCHA for AI Agents
+
+A CAPTCHA asks: *Can you identify traffic lights?* A human can; a bot struggles.
+BOTCHA asks: *Can you compute 5 SHA-256 hashes in 500ms?* A machine can; a human cannot.
+
+### Design Principles
+
+- **Agent-first, always.** Every flow requires an AI agent as participant. No human-only login paths.
+- **Fail-open on infrastructure errors.** Blocking legitimate traffic is worse than allowing an unverified request.
+- **Zero configuration to start.** Solve one challenge, get a token. No registration required.
+
+## 4. The Challenge System
+
+| Challenge | Tests | Time Limit | Best For |
+|-----------|-------|------------|----------|
+| Speed | SHA-256 computation | 500ms | Quick verification |
+| Reasoning | Language understanding (6 categories, parameterized generators) | 30s | Proving AI comprehension |
+| Hybrid | Speed + Reasoning combined | 35s | Default — strongest proof |
+| Compute | Prime generation + hashing | 3-10s | High-value operations |
+
+**RTT-aware fairness:** Time limits adjust for network latency (max 5s cap).
+**Anti-replay:** Challenges deleted from storage on first verification attempt.
+**Anti-gaming:** Parameterized question generators; no static question bank.
+
+## 5. The Trusted Agent Protocol (TAP)
+
+Solving a challenge proves you are *a bot*. TAP proves you are *a specific, trusted bot*.
+
+Inspired by Visa's Trusted Agent Protocol (https://developer.visa.com/capabilities/trusted-agent-protocol/overview), BOTCHA's TAP provides:
+
+- **Persistent agent identity** — unique ID, name, operator metadata
+- **Cryptographic verification** — ECDSA P-256 / RSA-PSS public keys; HTTP Message Signatures (RFC 9421)
+- **Capability-based access control** — browse, search, compare, purchase, audit
+- **Intent-scoped sessions** — time-limited, validated against capabilities
+- **Trust levels** — basic, verified, enterprise
+
+### Verification Hierarchy
+
+| Layer | Proves | Mechanism |
+|-------|--------|-----------|
+| Anonymous | "I am a bot" | Speed challenge <500ms |
+| App-scoped | "I belong to this org" | Challenge + app_id |
+| Agent identity | "I am this specific bot" | Registered ID + capabilities |
+| Cryptographic | "I can prove it" | RFC 9421 signatures |
+| Dual auth | "Verified + proven" | Challenge + signature |
+| Intent-scoped | "I intend to do this now" | Validated session |
+
+## 6. Architecture
+
+- **Runtime:** Cloudflare Workers (300+ edge locations)
+- **Storage:** Workers KV with TTLs
+- **Tokens:** HMAC-SHA256 JWTs (5-min access, 1-hr refresh)
+- **TAP Signatures:** ECDSA P-256 or RSA-PSS SHA-256
+- **Rate Limits:** 100 challenges/hour/app (fail-open)
+
+## 7. Integration
+
+### Client SDKs
+
+\`\`\`typescript
+import { BotchaClient } from '@dupecom/botcha';
+const client = new BotchaClient();
+const response = await client.fetch('https://api.example.com/products');
+\`\`\`
+
+\`\`\`python
+from botcha import BotchaClient
+async with BotchaClient() as client:
+    response = await client.fetch("https://api.example.com/products")
+\`\`\`
+
+### Server-side Verification
+
+Express: \`@botcha/verify\` · FastAPI/Django: \`botcha-verify\` · Hono middleware included.
+
+### CLI
+
+\`\`\`bash
+npm install -g @dupecom/botcha-cli
+botcha init --email you@company.com
+botcha tap register --name "my-agent" --capabilities browse,search
+botcha tap session --action browse --resource products --duration 1h
+\`\`\`
+
+## 8. The Agent Infrastructure Stack
+
+\`\`\`
+Layer 3: Identity        TAP (BOTCHA)     Who agents are
+Layer 2: Communication   A2A (Google)     How agents talk
+Layer 1: Tools           MCP (Anthropic)  What agents access
+\`\`\`
+
+MCP gives agents tools. A2A lets agents communicate. TAP proves identity and scopes authorization.
+
+## 9. Use Cases
+
+- **E-commerce:** Agents register capabilities, create scoped purchase sessions, full audit trail.
+- **API access control:** Speed challenge gates endpoints; no API keys needed.
+- **Multi-agent systems:** Coordinator delegates to capability-scoped sub-agents.
+- **Compliance:** TAP audit logging records every agent interaction with intent and context.
+
+## 10. Roadmap
+
+**Shipped:** Challenge types, JWT tokens, multi-tenant apps, agent registry, TAP, dashboard, SDKs (TS/Python), CLI, LangChain, discovery standards.
+
+**Planned:** Delegation chains, capability attestation, agent reputation scoring, Agent SSO (cross-service verification), IETF RFC contribution.
+
+---
+
+Website: https://botcha.ai · GitHub: https://github.com/dupe-com/botcha · npm: @dupecom/botcha · PyPI: botcha
+`;
+}
 // OpenAPI spec - keeping this as a function to allow dynamic version
 export function getOpenApiSpec(version) {
     return {
@@ -1167,7 +1373,7 @@ export function getOpenApiSpec(version) {
                                         "operator": { type: "string", description: "Operator/organization name" },
                                         "version": { type: "string", description: "Agent version" },
                                         "public_key": { type: "string", description: "PEM-encoded public key" },
-                                        "signature_algorithm": { type: "string", enum: ["ecdsa-p256-sha256", "rsa-pss-sha256"], description: "Signature algorithm (required if public_key provided)" },
+                                        "signature_algorithm": { type: "string", enum: ["ed25519", "ecdsa-p256-sha256", "rsa-pss-sha256"], description: "Signature algorithm (required if public_key provided)" },
                                         "trust_level": { type: "string", enum: ["basic", "verified", "enterprise"], description: "Agent trust level (default: basic)" },
                                         "capabilities": {
                                             type: "array",
@@ -1294,6 +1500,258 @@ export function getOpenApiSpec(version) {
                         "404": { description: "Session not found or expired" }
                     }
                 }
+            },
+            "/.well-known/jwks": {
+                get: {
+                    summary: "Get JWK Set (Visa TAP spec standard)",
+                    description: "Retrieve the JWK Set containing public keys for all TAP agents registered in your app. Follows Visa TAP specification standard.",
+                    operationId: "getJWKS",
+                    responses: {
+                        "200": {
+                            description: "JWK Set with array of keys",
+                            content: {
+                                "application/json": {
+                                    schema: {
+                                        type: "object",
+                                        properties: {
+                                            "keys": {
+                                                type: "array",
+                                                items: {
+                                                    type: "object",
+                                                    properties: {
+                                                        "kty": { type: "string", description: "Key type (EC, RSA, OKP)" },
+                                                        "kid": { type: "string", description: "Key ID" },
+                                                        "use": { type: "string", description: "Public key use (sig)" },
+                                                        "alg": { type: "string", description: "Algorithm (ES256, RS256, EdDSA)" }
+                                                    }
+                                                }
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+            "/v1/keys": {
+                get: {
+                    summary: "List keys or get key by ID",
+                    description: "List all keys or get a specific key using ?keyID= query parameter (Visa compatibility).",
+                    operationId: "getKeys",
+                    parameters: [
+                        {
+                            name: "keyID",
+                            in: "query",
+                            schema: { type: "string" },
+                            description: "Optional key ID for Visa TAP compatibility"
+                        }
+                    ],
+                    responses: {
+                        "200": { description: "Key list or specific key" }
+                    }
+                }
+            },
+            "/v1/keys/{keyId}": {
+                get: {
+                    summary: "Get key by ID",
+                    description: "Retrieve a specific public key by key ID.",
+                    operationId: "getKeyById",
+                    parameters: [
+                        {
+                            name: "keyId",
+                            in: "path",
+                            required: true,
+                            schema: { type: "string" }
+                        }
+                    ],
+                    responses: {
+                        "200": { description: "Public key details" },
+                        "404": { description: "Key not found" }
+                    }
+                }
+            },
+            "/v1/agents/{id}/tap/rotate-key": {
+                post: {
+                    summary: "Rotate agent key pair",
+                    description: "Generate a new key pair for the agent and invalidate the old one.",
+                    operationId: "rotateAgentKey",
+                    parameters: [
+                        {
+                            name: "id",
+                            in: "path",
+                            required: true,
+                            schema: { type: "string" }
+                        }
+                    ],
+                    requestBody: {
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    properties: {
+                                        "algorithm": {
+                                            type: "string",
+                                            enum: ["ed25519", "ecdsa-p256-sha256", "rsa-pss-sha256"],
+                                            description: "Algorithm for new key (default: ed25519)"
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    responses: {
+                        "200": { description: "Key rotated successfully" }
+                    }
+                }
+            },
+            "/v1/invoices": {
+                post: {
+                    summary: "Create invoice for 402 micropayment",
+                    description: "Create an invoice for gated content. Used with Browsing IOU flow.",
+                    operationId: "createInvoice",
+                    requestBody: {
+                        required: true,
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    required: ["amount", "currency", "description"],
+                                    properties: {
+                                        "amount": { type: "integer", description: "Amount in cents" },
+                                        "currency": { type: "string", description: "Currency code (USD, EUR, etc.)" },
+                                        "description": { type: "string" },
+                                        "metadata": { type: "object" }
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    responses: {
+                        "201": { description: "Invoice created" }
+                    }
+                }
+            },
+            "/v1/invoices/{id}": {
+                get: {
+                    summary: "Get invoice details",
+                    operationId: "getInvoice",
+                    parameters: [
+                        {
+                            name: "id",
+                            in: "path",
+                            required: true,
+                            schema: { type: "string" }
+                        }
+                    ],
+                    responses: {
+                        "200": { description: "Invoice details" },
+                        "404": { description: "Invoice not found" }
+                    }
+                }
+            },
+            "/v1/invoices/{id}/verify-iou": {
+                post: {
+                    summary: "Verify Browsing IOU",
+                    description: "Verify a Browsing IOU (payment intent token) against an invoice.",
+                    operationId: "verifyBrowsingIOU",
+                    parameters: [
+                        {
+                            name: "id",
+                            in: "path",
+                            required: true,
+                            schema: { type: "string" }
+                        }
+                    ],
+                    requestBody: {
+                        required: true,
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    required: ["iou_token"],
+                                    properties: {
+                                        "iou_token": { type: "string" }
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    responses: {
+                        "200": { description: "IOU verified" },
+                        "400": { description: "Invalid IOU" }
+                    }
+                }
+            },
+            "/v1/verify/consumer": {
+                post: {
+                    summary: "Verify Agentic Consumer object (Layer 2)",
+                    description: "Verify an agenticConsumer object including ID token, contextual data, and signature chain.",
+                    operationId: "verifyConsumer",
+                    requestBody: {
+                        required: true,
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    required: ["agenticConsumer", "signature"],
+                                    properties: {
+                                        "agenticConsumer": {
+                                            type: "object",
+                                            properties: {
+                                                "idToken": { type: "string", description: "OIDC ID token" },
+                                                "country": { type: "string" },
+                                                "postalCode": { type: "string" },
+                                                "ipAddress": { type: "string" },
+                                                "nonce": { type: "string" }
+                                            }
+                                        },
+                                        "signature": { type: "string" }
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    responses: {
+                        "200": { description: "Consumer verified" },
+                        "400": { description: "Invalid consumer object" }
+                    }
+                }
+            },
+            "/v1/verify/payment": {
+                post: {
+                    summary: "Verify Agentic Payment Container (Layer 3)",
+                    description: "Verify an agenticPaymentContainer object including card metadata, credential hash, and encrypted payload.",
+                    operationId: "verifyPayment",
+                    requestBody: {
+                        required: true,
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    required: ["agenticPaymentContainer", "signature"],
+                                    properties: {
+                                        "agenticPaymentContainer": {
+                                            type: "object",
+                                            properties: {
+                                                "lastFour": { type: "string" },
+                                                "par": { type: "string", description: "Payment Account Reference" },
+                                                "credentialHash": { type: "string" },
+                                                "encryptedPayload": { type: "string" },
+                                                "nonce": { type: "string" }
+                                            }
+                                        },
+                                        "signature": { type: "string" }
+                                    }
+                                }
+                            }
+                        }
+                    },
+                    responses: {
+                        "200": { description: "Payment verified" },
+                        "400": { description: "Invalid payment container" }
+                    }
+                }
             }
         },
         components: {

package/dist/tap-agents.d.ts

@@ -14,8 +14,9 @@ import { Agent, KVNamespace } from './agents.js';
  */
 export interface TAPAgent extends Agent {
     public_key?: string;
-    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256';
+    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256' | 'ed25519';
     key_created_at?: number;
+    key_expires_at?: number;
     capabilities?: TAPCapability[];
     trust_level?: 'basic' | 'verified' | 'enterprise';
     issuer?: string;
@@ -58,7 +59,7 @@ export declare function registerTAPAgent(agents: KVNamespace, appId: string, reg
     operator?: string;
     version?: string;
     public_key?: string;
-    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256';
+    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256' | 'ed25519';
     capabilities?: TAPCapability[];
     trust_level?: 'basic' | 'verified' | 'enterprise';
     issuer?: string;

package/dist/tap-agents.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tap-agents.d.ts","sourceRoot":"","sources":["../src/tap-agents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAIlE;;GAEG;AACH,MAAM,WAAW,QAAS,SAAQ,KAAK;IAErC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,CAAC;IAC7D,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAGlD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,4DAA4D;AAC5D,eAAO,MAAM,iBAAiB,+DAAgE,CAAC;AAC/F,MAAM,MAAM,SAAS,GAAG,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,CAAC;IAC7D,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDjE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAcjE;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,OAAO,GAC3B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsBpE;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,WAAW,EACrB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,aAAa,EAAE,EAC7B,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA+BrE;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,WAAW,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBrE;AA2CD,wBAAgB,kBAAkB,CAChC,iBAAiB,EAAE,aAAa,EAAE,EAClC,cAAc,EAAE,MAAM,EACtB,aAAa,CAAC,EAAE,MAAM,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBpC;;;;;;;;;;AAED,wBAQE"}
+{"version":3,"file":"tap-agents.d.ts","sourceRoot":"","sources":["../src/tap-agents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAIlE;;GAEG;AACH,MAAM,WAAW,QAAS,SAAQ,KAAK;IAErC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACzE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAGlD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,4DAA4D;AAC5D,eAAO,MAAM,iBAAiB,+DAAgE,CAAC;AAC/F,MAAM,MAAM,SAAS,GAAG,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACzE,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDjE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAcjE;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,OAAO,GAC3B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsBpE;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,WAAW,EACrB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,aAAa,EAAE,EAC7B,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA+BrE;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,WAAW,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBrE;AAqDD,wBAAgB,kBAAkB,CAChC,iBAAiB,EAAE,aAAa,EAAE,EAClC,cAAc,EAAE,MAAM,EACtB,aAAa,CAAC,EAAE,MAAM,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBpC;;;;;;;;;;AAED,wBAQE"}

package/dist/tap-agents.js

@@ -42,8 +42,8 @@ export async function registerTAPAgent(agents, appId, registration) {
                 return { success: false, error: 'signature_algorithm required when public_key provided' };
             }
             // Validate public key format
-            if (!isValidPEMPublicKey(agent.public_key)) {
-                return { success: false, error: 'Invalid PEM public key format' };
+            if (!isValidPublicKey(agent.public_key, agent.signature_algorithm)) {
+                return { success: false, error: 'Invalid public key format' };
             }
         }
         // Store agent
@@ -175,10 +175,23 @@ function generateSessionId() {
         .map(b => b.toString(16).padStart(2, '0'))
         .join('');
 }
-function isValidPEMPublicKey(pemKey) {
-    return pemKey.includes('BEGIN PUBLIC KEY') &&
-        pemKey.includes('END PUBLIC KEY') &&
-        pemKey.length > 100; // Basic sanity check
+function isValidPublicKey(key, algorithm) {
+    // PEM format
+    if (key.includes('BEGIN PUBLIC KEY') && key.includes('END PUBLIC KEY') && key.length > 100) {
+        return true;
+    }
+    // Raw Ed25519 key (32 bytes = ~44 base64 chars)
+    if (algorithm === 'ed25519') {
+        const stripped = key.replace(/[\s]/g, '');
+        try {
+            const decoded = atob(stripped.replace(/-/g, '+').replace(/_/g, '/'));
+            return decoded.length === 32;
+        }
+        catch {
+            return false;
+        }
+    }
+    return false;
 }
 async function updateAppAgentIndex(agents, appId, agentId, operation) {
     try {