@dupecom/botcha-cloudflare 0.15.0 → 0.18.0

package/dist/tap-agents.d.ts

@@ -14,8 +14,9 @@ import { Agent, KVNamespace } from './agents.js';
  */
 export interface TAPAgent extends Agent {
     public_key?: string;
-    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256';
+    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256' | 'ed25519';
     key_created_at?: number;
+    key_expires_at?: number;
     capabilities?: TAPCapability[];
     trust_level?: 'basic' | 'verified' | 'enterprise';
     issuer?: string;
@@ -58,7 +59,7 @@ export declare function registerTAPAgent(agents: KVNamespace, appId: string, reg
     operator?: string;
     version?: string;
     public_key?: string;
-    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256';
+    signature_algorithm?: 'ecdsa-p256-sha256' | 'rsa-pss-sha256' | 'ed25519';
     capabilities?: TAPCapability[];
     trust_level?: 'basic' | 'verified' | 'enterprise';
     issuer?: string;

package/dist/tap-agents.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tap-agents.d.ts","sourceRoot":"","sources":["../src/tap-agents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAIlE;;GAEG;AACH,MAAM,WAAW,QAAS,SAAQ,KAAK;IAErC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,CAAC;IAC7D,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAGlD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,4DAA4D;AAC5D,eAAO,MAAM,iBAAiB,+DAAgE,CAAC;AAC/F,MAAM,MAAM,SAAS,GAAG,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,CAAC;IAC7D,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDjE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAcjE;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,OAAO,GAC3B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsBpE;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,WAAW,EACrB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,aAAa,EAAE,EAC7B,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA+BrE;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,WAAW,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBrE;AA2CD,wBAAgB,kBAAkB,CAChC,iBAAiB,EAAE,aAAa,EAAE,EAClC,cAAc,EAAE,MAAM,EACtB,aAAa,CAAC,EAAE,MAAM,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBpC;;;;;;;;;;AAED,wBAQE"}
+{"version":3,"file":"tap-agents.d.ts","sourceRoot":"","sources":["../src/tap-agents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAIlE;;GAEG;AACH,MAAM,WAAW,QAAS,SAAQ,KAAK;IAErC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACzE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAGlD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,4DAA4D;AAC5D,eAAO,MAAM,iBAAiB,+DAAgE,CAAC;AAC/F,MAAM,MAAM,SAAS,GAAG,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACzE,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDjE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAcjE;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,OAAO,GAC3B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsBpE;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,WAAW,EACrB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,aAAa,EAAE,EAC7B,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA+BrE;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,WAAW,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBrE;AAqDD,wBAAgB,kBAAkB,CAChC,iBAAiB,EAAE,aAAa,EAAE,EAClC,cAAc,EAAE,MAAM,EACtB,aAAa,CAAC,EAAE,MAAM,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBpC;;;;;;;;;;AAED,wBAQE"}

package/dist/tap-agents.js

@@ -42,8 +42,8 @@ export async function registerTAPAgent(agents, appId, registration) {
                 return { success: false, error: 'signature_algorithm required when public_key provided' };
             }
             // Validate public key format
-            if (!isValidPEMPublicKey(agent.public_key)) {
-                return { success: false, error: 'Invalid PEM public key format' };
+            if (!isValidPublicKey(agent.public_key, agent.signature_algorithm)) {
+                return { success: false, error: 'Invalid public key format' };
             }
         }
         // Store agent
@@ -175,10 +175,23 @@ function generateSessionId() {
         .map(b => b.toString(16).padStart(2, '0'))
         .join('');
 }
-function isValidPEMPublicKey(pemKey) {
-    return pemKey.includes('BEGIN PUBLIC KEY') &&
-        pemKey.includes('END PUBLIC KEY') &&
-        pemKey.length > 100; // Basic sanity check
+function isValidPublicKey(key, algorithm) {
+    // PEM format
+    if (key.includes('BEGIN PUBLIC KEY') && key.includes('END PUBLIC KEY') && key.length > 100) {
+        return true;
+    }
+    // Raw Ed25519 key (32 bytes = ~44 base64 chars)
+    if (algorithm === 'ed25519') {
+        const stripped = key.replace(/[\s]/g, '');
+        try {
+            const decoded = atob(stripped.replace(/-/g, '+').replace(/_/g, '/'));
+            return decoded.length === 32;
+        }
+        catch {
+            return false;
+        }
+    }
+    return false;
 }
 async function updateAppAgentIndex(agents, appId, agentId, operation) {
     try {

package/dist/tap-attestation-routes.d.ts

@@ -0,0 +1,204 @@
+/**
+ * TAP Capability Attestation API Routes
+ *
+ * Endpoints for issuing, retrieving, revoking, and verifying
+ * capability attestation tokens for TAP agents.
+ *
+ * Routes:
+ *   POST   /v1/attestations              — Issue attestation token
+ *   GET    /v1/attestations/:id          — Get attestation details
+ *   GET    /v1/attestations              — List attestations for agent
+ *   POST   /v1/attestations/:id/revoke   — Revoke attestation
+ *   POST   /v1/verify/attestation        — Verify attestation + check capability
+ */
+import type { Context } from 'hono';
+/**
+ * POST /v1/attestations
+ * Issue a capability attestation token for an agent
+ */
+export declare function issueAttestationRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string | undefined;
+}, any, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    attestation_id: string;
+    agent_id: string;
+    app_id: string;
+    token: string;
+    can: string[];
+    cannot: string[];
+    restrictions: {
+        [x: string]: any;
+        max_amount?: number | undefined;
+        rate_limit?: number | undefined;
+    } | null;
+    delegation_id: string | null;
+    metadata: {
+        [x: string]: string;
+    } | null;
+    created_at: string;
+    expires_at: string;
+}, 201, "json">)>;
+/**
+ * GET /v1/attestations/:id
+ * Get attestation details
+ */
+export declare function getAttestationRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 404, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    attestation_id: string;
+    agent_id: string;
+    app_id: string;
+    can: string[];
+    cannot: string[];
+    restrictions: {
+        [x: string]: any;
+        max_amount?: number | undefined;
+        rate_limit?: number | undefined;
+    } | null;
+    delegation_id: string | null;
+    metadata: {
+        [x: string]: string;
+    } | null;
+    created_at: string;
+    expires_at: string;
+    revoked: boolean;
+    revoked_at: string | null;
+    revocation_reason: string | null;
+    time_remaining: number;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 500, "json">)>;
+/**
+ * GET /v1/attestations
+ * List attestations for an agent
+ *
+ * Query params:
+ *   agent_id — required, the agent to list attestations for
+ */
+export declare function listAttestationsRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    attestations: any[];
+    count: number;
+    agent_id: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 500, "json">)>;
+/**
+ * POST /v1/attestations/:id/revoke
+ * Revoke an attestation
+ */
+export declare function revokeAttestationRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 404, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 403, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string | undefined;
+}, 500, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    attestation_id: string;
+    revoked: true;
+    revoked_at: string | null;
+    revocation_reason: string | null;
+    message: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">)>;
+/**
+ * POST /v1/verify/attestation
+ * Verify an attestation token and optionally check a specific capability
+ *
+ * Body:
+ *   token     — required, the attestation JWT token
+ *   action    — optional, capability action to check (e.g. "read")
+ *   resource  — optional, capability resource to check (e.g. "invoices")
+ */
+export declare function verifyAttestationRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    valid: false;
+    allowed: false;
+    agent_id: string | null;
+    error: string | undefined;
+    matched_rule: string | null;
+    checked_capability: any;
+}, 401 | 403, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    valid: true;
+    allowed: true;
+    agent_id: string | undefined;
+    reason: string | undefined;
+    matched_rule: string | undefined;
+    checked_capability: any;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    valid: false;
+    error: string | undefined;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    valid: true;
+    agent_id: string;
+    issuer: string;
+    can: string[];
+    cannot: string[];
+    restrictions: {
+        [x: string]: any;
+        max_amount?: number | undefined;
+        rate_limit?: number | undefined;
+    } | null;
+    delegation_id: string | null;
+    issued_at: string;
+    expires_at: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 500, "json">)>;
+declare const _default: {
+    issueAttestationRoute: typeof issueAttestationRoute;
+    getAttestationRoute: typeof getAttestationRoute;
+    listAttestationsRoute: typeof listAttestationsRoute;
+    revokeAttestationRoute: typeof revokeAttestationRoute;
+    verifyAttestationRoute: typeof verifyAttestationRoute;
+};
+export default _default;
+//# sourceMappingURL=tap-attestation-routes.d.ts.map

package/dist/tap-attestation-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tap-attestation-routes.d.ts","sourceRoot":"","sources":["../src/tap-attestation-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AA4CpC;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA4GrD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAiDnD;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;kBA8DrD;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;oEAsEtD;AAED;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAmFtD;;;;;;;;AAED,wBAME"}

package/dist/tap-attestation-routes.js

@@ -0,0 +1,396 @@
+/**
+ * TAP Capability Attestation API Routes
+ *
+ * Endpoints for issuing, retrieving, revoking, and verifying
+ * capability attestation tokens for TAP agents.
+ *
+ * Routes:
+ *   POST   /v1/attestations              — Issue attestation token
+ *   GET    /v1/attestations/:id          — Get attestation details
+ *   GET    /v1/attestations              — List attestations for agent
+ *   POST   /v1/attestations/:id/revoke   — Revoke attestation
+ *   POST   /v1/verify/attestation        — Verify attestation + check capability
+ */
+import { extractBearerToken, verifyToken } from './auth.js';
+import { issueAttestation, getAttestation, revokeAttestation, verifyAttestationToken, verifyAndCheckCapability, isValidCapabilityPattern, } from './tap-attestation.js';
+// ============ VALIDATION HELPERS ============
+async function validateAppAccess(c, requireAuth = true) {
+    const queryAppId = c.req.query('app_id');
+    let jwtAppId;
+    const authHeader = c.req.header('authorization');
+    const token = extractBearerToken(authHeader);
+    if (token) {
+        const result = await verifyToken(token, c.env.JWT_SECRET, c.env);
+        if (result.valid && result.payload) {
+            jwtAppId = result.payload.app_id;
+        }
+    }
+    const appId = queryAppId || jwtAppId;
+    if (requireAuth && !appId) {
+        return { valid: false, error: 'MISSING_APP_ID', status: 401 };
+    }
+    return { valid: true, appId };
+}
+// ============ ROUTE HANDLERS ============
+/**
+ * POST /v1/attestations
+ * Issue a capability attestation token for an agent
+ */
+export async function issueAttestationRoute(c) {
+    try {
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        const body = await c.req.json().catch(() => ({}));
+        // Validate required fields
+        if (!body.agent_id) {
+            return c.json({
+                success: false,
+                error: 'MISSING_AGENT_ID',
+                message: 'agent_id is required'
+            }, 400);
+        }
+        if (!body.can || !Array.isArray(body.can) || body.can.length === 0) {
+            return c.json({
+                success: false,
+                error: 'MISSING_CAPABILITIES',
+                message: 'At least one "can" rule is required (e.g. ["read:invoices", "browse:*"])'
+            }, 400);
+        }
+        // Validate capability patterns
+        for (const rule of body.can) {
+            if (!isValidCapabilityPattern(rule)) {
+                return c.json({
+                    success: false,
+                    error: 'INVALID_CAPABILITY_PATTERN',
+                    message: `Invalid capability pattern in "can": ${rule}. Use "action:resource" format.`
+                }, 400);
+            }
+        }
+        if (body.cannot && Array.isArray(body.cannot)) {
+            for (const rule of body.cannot) {
+                if (!isValidCapabilityPattern(rule)) {
+                    return c.json({
+                        success: false,
+                        error: 'INVALID_CAPABILITY_PATTERN',
+                        message: `Invalid capability pattern in "cannot": ${rule}. Use "action:resource" format.`
+                    }, 400);
+                }
+            }
+        }
+        const options = {
+            agent_id: body.agent_id,
+            can: body.can,
+            cannot: body.cannot,
+            restrictions: body.restrictions,
+            duration_seconds: body.duration_seconds,
+            delegation_id: body.delegation_id,
+            metadata: body.metadata,
+        };
+        const result = await issueAttestation(c.env.AGENTS, c.env.SESSIONS, appAccess.appId, c.env.JWT_SECRET, options);
+        if (!result.success) {
+            const status = result.error?.includes('not found') ? 404
+                : result.error?.includes('does not belong') ? 403
+                    : result.error?.includes('Too many rules') ? 400
+                        : 400;
+            return c.json({
+                success: false,
+                error: 'ATTESTATION_ISSUANCE_FAILED',
+                message: result.error
+            }, status);
+        }
+        const att = result.attestation;
+        return c.json({
+            success: true,
+            attestation_id: att.attestation_id,
+            agent_id: att.agent_id,
+            app_id: att.app_id,
+            token: att.token,
+            can: att.can,
+            cannot: att.cannot,
+            restrictions: att.restrictions || null,
+            delegation_id: att.delegation_id || null,
+            metadata: att.metadata || null,
+            created_at: new Date(att.created_at).toISOString(),
+            expires_at: new Date(att.expires_at).toISOString(),
+        }, 201);
+    }
+    catch (error) {
+        console.error('Attestation issuance error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * GET /v1/attestations/:id
+ * Get attestation details
+ */
+export async function getAttestationRoute(c) {
+    try {
+        const attestationId = c.req.param('id');
+        if (!attestationId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_ATTESTATION_ID',
+                message: 'Attestation ID is required'
+            }, 400);
+        }
+        const result = await getAttestation(c.env.SESSIONS, attestationId);
+        if (!result.success || !result.attestation) {
+            return c.json({
+                success: false,
+                error: 'ATTESTATION_NOT_FOUND',
+                message: result.error || 'Attestation not found or expired'
+            }, 404);
+        }
+        const att = result.attestation;
+        return c.json({
+            success: true,
+            attestation_id: att.attestation_id,
+            agent_id: att.agent_id,
+            app_id: att.app_id,
+            can: att.can,
+            cannot: att.cannot,
+            restrictions: att.restrictions || null,
+            delegation_id: att.delegation_id || null,
+            metadata: att.metadata || null,
+            created_at: new Date(att.created_at).toISOString(),
+            expires_at: new Date(att.expires_at).toISOString(),
+            revoked: att.revoked,
+            revoked_at: att.revoked_at ? new Date(att.revoked_at).toISOString() : null,
+            revocation_reason: att.revocation_reason || null,
+            time_remaining: Math.max(0, att.expires_at - Date.now()),
+        });
+    }
+    catch (error) {
+        console.error('Attestation retrieval error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * GET /v1/attestations
+ * List attestations for an agent
+ *
+ * Query params:
+ *   agent_id — required, the agent to list attestations for
+ */
+export async function listAttestationsRoute(c) {
+    try {
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        const agentId = c.req.query('agent_id');
+        if (!agentId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_AGENT_ID',
+                message: 'agent_id query parameter is required'
+            }, 400);
+        }
+        // Get the attestation index for this agent
+        const indexKey = `agent_attestations:${agentId}`;
+        const indexData = await c.env.SESSIONS.get(indexKey, 'text');
+        const attestationIds = indexData ? JSON.parse(indexData) : [];
+        // Fetch each attestation (filter out expired/missing)
+        const attestations = [];
+        for (const id of attestationIds) {
+            const result = await getAttestation(c.env.SESSIONS, id);
+            if (result.success && result.attestation) {
+                const att = result.attestation;
+                // Only include attestations for this app
+                if (att.app_id === appAccess.appId) {
+                    attestations.push({
+                        attestation_id: att.attestation_id,
+                        agent_id: att.agent_id,
+                        can: att.can,
+                        cannot: att.cannot,
+                        created_at: new Date(att.created_at).toISOString(),
+                        expires_at: new Date(att.expires_at).toISOString(),
+                        revoked: att.revoked,
+                        delegation_id: att.delegation_id || null,
+                    });
+                }
+            }
+        }
+        return c.json({
+            success: true,
+            attestations,
+            count: attestations.length,
+            agent_id: agentId,
+        });
+    }
+    catch (error) {
+        console.error('Attestation listing error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * POST /v1/attestations/:id/revoke
+ * Revoke an attestation
+ */
+export async function revokeAttestationRoute(c) {
+    try {
+        const attestationId = c.req.param('id');
+        if (!attestationId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_ATTESTATION_ID',
+                message: 'Attestation ID is required'
+            }, 400);
+        }
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        // Verify attestation exists and belongs to this app
+        const existing = await getAttestation(c.env.SESSIONS, attestationId);
+        if (!existing.success || !existing.attestation) {
+            return c.json({
+                success: false,
+                error: 'ATTESTATION_NOT_FOUND',
+                message: 'Attestation not found or expired'
+            }, 404);
+        }
+        if (existing.attestation.app_id !== appAccess.appId) {
+            return c.json({
+                success: false,
+                error: 'UNAUTHORIZED',
+                message: 'Attestation does not belong to this app'
+            }, 403);
+        }
+        const body = await c.req.json().catch(() => ({}));
+        const reason = body.reason || undefined;
+        const result = await revokeAttestation(c.env.SESSIONS, attestationId, reason);
+        if (!result.success) {
+            return c.json({
+                success: false,
+                error: 'REVOCATION_FAILED',
+                message: result.error
+            }, 500);
+        }
+        const att = result.attestation;
+        return c.json({
+            success: true,
+            attestation_id: att.attestation_id,
+            revoked: true,
+            revoked_at: att.revoked_at ? new Date(att.revoked_at).toISOString() : null,
+            revocation_reason: att.revocation_reason || null,
+            message: 'Attestation revoked. Token will be rejected on verification.',
+        });
+    }
+    catch (error) {
+        console.error('Attestation revocation error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * POST /v1/verify/attestation
+ * Verify an attestation token and optionally check a specific capability
+ *
+ * Body:
+ *   token     — required, the attestation JWT token
+ *   action    — optional, capability action to check (e.g. "read")
+ *   resource  — optional, capability resource to check (e.g. "invoices")
+ */
+export async function verifyAttestationRoute(c) {
+    try {
+        const body = await c.req.json().catch(() => ({}));
+        if (!body.token) {
+            return c.json({
+                success: false,
+                error: 'MISSING_TOKEN',
+                message: 'Attestation token is required'
+            }, 400);
+        }
+        // If action specified, do full verify+check
+        if (body.action) {
+            const result = await verifyAndCheckCapability(c.env.SESSIONS, body.token, c.env.JWT_SECRET, body.action, body.resource);
+            if (!result.allowed) {
+                return c.json({
+                    success: false,
+                    valid: false,
+                    allowed: false,
+                    agent_id: result.agent_id || null,
+                    error: result.error || result.reason,
+                    matched_rule: result.matched_rule || null,
+                    checked_capability: body.resource ? `${body.action}:${body.resource}` : body.action,
+                }, result.error ? 401 : 403);
+            }
+            return c.json({
+                success: true,
+                valid: true,
+                allowed: true,
+                agent_id: result.agent_id,
+                reason: result.reason,
+                matched_rule: result.matched_rule,
+                checked_capability: body.resource ? `${body.action}:${body.resource}` : body.action,
+            });
+        }
+        // Otherwise just verify the token
+        const verification = await verifyAttestationToken(c.env.SESSIONS, body.token, c.env.JWT_SECRET);
+        if (!verification.valid || !verification.payload) {
+            return c.json({
+                success: false,
+                valid: false,
+                error: verification.error,
+            }, 401);
+        }
+        const payload = verification.payload;
+        return c.json({
+            success: true,
+            valid: true,
+            agent_id: payload.sub,
+            issuer: payload.iss,
+            can: payload.can,
+            cannot: payload.cannot,
+            restrictions: payload.restrictions || null,
+            delegation_id: payload.delegation_id || null,
+            issued_at: new Date(payload.iat * 1000).toISOString(),
+            expires_at: new Date(payload.exp * 1000).toISOString(),
+        });
+    }
+    catch (error) {
+        console.error('Attestation verification error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+export default {
+    issueAttestationRoute,
+    getAttestationRoute,
+    listAttestationsRoute,
+    revokeAttestationRoute,
+    verifyAttestationRoute,
+};