@dupecom/botcha-cloudflare 0.16.0 → 0.19.0

package/dist/tap-jwks.js

@@ -3,6 +3,7 @@
  * Implements .well-known/jwks for TAP agent public key discovery
  * Per Visa TAP spec: https://developer.visa.com/capabilities/trusted-agent-protocol
  */
+import { getSigningPublicKeyJWK } from './auth.js';
 // ============ PEM <-> JWK CONVERSION ============
 /**
  * Convert PEM public key to JWK format
@@ -122,27 +123,49 @@ function arrayBufferToPem(buffer) {
 // ============ JWKS ENDPOINT HANDLERS ============
 /**
  * GET /.well-known/jwks
- * Returns JWK Set for app's TAP-enabled agents
+ * Returns JWK Set for app's TAP-enabled agents.
+ * Also includes BOTCHA's own signing public key when JWT_SIGNING_KEY is configured.
  */
 export async function jwksRoute(c) {
     try {
+        const allKeys = [];
+        // Always include BOTCHA's own signing public key if configured
+        const jwtSigningKeyEnv = c.env.JWT_SIGNING_KEY;
+        if (jwtSigningKeyEnv) {
+            try {
+                const privateKeyJwk = JSON.parse(jwtSigningKeyEnv);
+                const publicKeyJwk = getSigningPublicKeyJWK(privateKeyJwk);
+                allKeys.push({
+                    kty: publicKeyJwk.kty,
+                    crv: publicKeyJwk.crv,
+                    x: publicKeyJwk.x,
+                    y: publicKeyJwk.y,
+                    kid: 'botcha-signing-1',
+                    use: 'sig',
+                    alg: 'ES256',
+                });
+            }
+            catch (error) {
+                console.error('Failed to derive BOTCHA signing public key for JWKS:', error);
+            }
+        }
         const appId = c.req.query('app_id');
-        // Security: Don't expose all keys globally
+        // If no app_id, return just the BOTCHA signing key (if any)
         if (!appId) {
-            return c.json({ keys: [] }, 200, {
+            return c.json({ keys: allKeys }, 200, {
                 'Cache-Control': 'public, max-age=3600',
             });
         }
         const agents = c.env.AGENTS;
         if (!agents) {
             console.error('AGENTS KV namespace not available');
-            return c.json({ keys: [] }, 200);
+            return c.json({ keys: allKeys }, 200);
         }
         // Get agent list for this app
         const agentIndexKey = `app_agents:${appId}`;
         const agentIdsData = await agents.get(agentIndexKey, 'text');
         if (!agentIdsData) {
-            return c.json({ keys: [] }, 200, {
+            return c.json({ keys: allKeys }, 200, {
                 'Cache-Control': 'public, max-age=3600',
             });
         }
@@ -174,8 +197,9 @@ export async function jwksRoute(c) {
                 return null;
             }
         });
-        const jwks = (await Promise.all(jwkPromises)).filter((jwk) => jwk !== null);
-        return c.json({ keys: jwks }, 200, {
+        const agentJwks = (await Promise.all(jwkPromises)).filter((jwk) => jwk !== null);
+        allKeys.push(...agentJwks);
+        return c.json({ keys: allKeys }, 200, {
             'Cache-Control': 'public, max-age=3600',
         });
     }

package/dist/tap-reputation-routes.d.ts

@@ -0,0 +1,154 @@
+/**
+ * TAP Agent Reputation Scoring API Routes
+ *
+ * Endpoints for querying agent reputation scores, recording events,
+ * listing event history, and resetting scores.
+ *
+ * Routes:
+ *   GET    /v1/reputation/:agent_id          — Get agent reputation score
+ *   POST   /v1/reputation/events             — Record a reputation event
+ *   GET    /v1/reputation/:agent_id/events   — List reputation events
+ *   POST   /v1/reputation/:agent_id/reset    — Reset agent reputation (admin)
+ */
+import type { Context } from 'hono';
+import { type ReputationEventCategory, type ReputationEventAction } from './tap-reputation.js';
+/**
+ * GET /v1/reputation/:agent_id
+ * Get agent reputation score
+ */
+export declare function getReputationRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string | undefined;
+}, any, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    agent_id: string;
+    app_id: string;
+    score: number;
+    tier: import("./tap-reputation.js").ReputationTier;
+    event_count: number;
+    positive_events: number;
+    negative_events: number;
+    last_event_at: string | null;
+    created_at: string;
+    updated_at: string;
+    category_scores: {
+        verification: number;
+        attestation: number;
+        delegation: number;
+        session: number;
+        violation: number;
+        endorsement: number;
+    };
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">)>;
+/**
+ * POST /v1/reputation/events
+ * Record a reputation event for an agent
+ *
+ * Body:
+ *   agent_id  — required
+ *   category  — required (verification, attestation, delegation, session, violation, endorsement)
+ *   action    — required (e.g. "challenge_solved", "attestation_issued")
+ *   source_agent_id — optional (for endorsements)
+ *   metadata  — optional key/value pairs
+ */
+export declare function recordReputationEventRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string | undefined;
+}, any, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    event: {
+        event_id: string;
+        agent_id: string;
+        category: ReputationEventCategory;
+        action: ReputationEventAction;
+        delta: number;
+        score_before: number;
+        score_after: number;
+        source_agent_id: string | null;
+        metadata: {
+            [x: string]: string;
+        } | null;
+        created_at: string;
+    };
+    score: {
+        score: number;
+        tier: import("./tap-reputation.js").ReputationTier;
+        event_count: number;
+    };
+}, 201, "json">)>;
+/**
+ * GET /v1/reputation/:agent_id/events
+ * List reputation events for an agent
+ *
+ * Query params:
+ *   category — optional, filter by category
+ *   limit    — optional, max events to return (default 50, max 100)
+ */
+export declare function listReputationEventsRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string | undefined;
+}, 500, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    events: {
+        event_id: string;
+        agent_id: string;
+        category: ReputationEventCategory;
+        action: ReputationEventAction;
+        delta: number;
+        score_before: number;
+        score_after: number;
+        source_agent_id: string | null;
+        metadata: {
+            [x: string]: string;
+        } | null;
+        created_at: string;
+    }[];
+    count: number;
+    agent_id: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">)>;
+/**
+ * POST /v1/reputation/:agent_id/reset
+ * Reset agent reputation to default (admin action)
+ */
+export declare function resetReputationRoute(c: Context): Promise<(Response & import("hono").TypedResponse<{
+    success: false;
+    error: string | undefined;
+    message: string;
+}, 401, "json">) | (Response & import("hono").TypedResponse<{
+    success: false;
+    error: string;
+    message: string | undefined;
+}, any, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    agent_id: string;
+    score: number;
+    tier: import("./tap-reputation.js").ReputationTier;
+    message: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">)>;
+declare const _default: {
+    getReputationRoute: typeof getReputationRoute;
+    recordReputationEventRoute: typeof recordReputationEventRoute;
+    listReputationEventsRoute: typeof listReputationEventsRoute;
+    resetReputationRoute: typeof resetReputationRoute;
+};
+export default _default;
+//# sourceMappingURL=tap-reputation-routes.d.ts.map

package/dist/tap-reputation-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tap-reputation-routes.d.ts","sourceRoot":"","sources":["../src/tap-reputation-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAEpC,OAAO,EASL,KAAK,uBAAuB,EAC5B,KAAK,qBAAqB,EAC3B,MAAM,qBAAqB,CAAC;AAkC7B;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;oEA6DlD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,0BAA0B,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA2H1D;AAED;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oEA4EzD;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,EAAE,OAAO;;;;;;;;;;;;;;oEAyDpD;;;;;;;AAED,wBAKE"}

package/dist/tap-reputation-routes.js

@@ -0,0 +1,341 @@
+/**
+ * TAP Agent Reputation Scoring API Routes
+ *
+ * Endpoints for querying agent reputation scores, recording events,
+ * listing event history, and resetting scores.
+ *
+ * Routes:
+ *   GET    /v1/reputation/:agent_id          — Get agent reputation score
+ *   POST   /v1/reputation/events             — Record a reputation event
+ *   GET    /v1/reputation/:agent_id/events   — List reputation events
+ *   POST   /v1/reputation/:agent_id/reset    — Reset agent reputation (admin)
+ */
+import { extractBearerToken, verifyToken } from './auth.js';
+import { getReputationScore, recordReputationEvent, listReputationEvents, resetReputation, isValidCategory, isValidAction, isValidCategoryAction, } from './tap-reputation.js';
+// ============ VALIDATION HELPERS ============
+async function validateAppAccess(c, requireAuth = true) {
+    const queryAppId = c.req.query('app_id');
+    let jwtAppId;
+    const authHeader = c.req.header('authorization');
+    const token = extractBearerToken(authHeader);
+    if (token) {
+        const result = await verifyToken(token, c.env.JWT_SECRET, c.env);
+        if (result.valid && result.payload) {
+            jwtAppId = result.payload.app_id;
+        }
+    }
+    const appId = queryAppId || jwtAppId;
+    if (requireAuth && !appId) {
+        return { valid: false, error: 'MISSING_APP_ID', status: 401 };
+    }
+    return { valid: true, appId };
+}
+// ============ ROUTE HANDLERS ============
+/**
+ * GET /v1/reputation/:agent_id
+ * Get agent reputation score
+ */
+export async function getReputationRoute(c) {
+    try {
+        const agentId = c.req.param('agent_id');
+        if (!agentId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_AGENT_ID',
+                message: 'Agent ID is required'
+            }, 400);
+        }
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        const result = await getReputationScore(c.env.SESSIONS, c.env.AGENTS, agentId, appAccess.appId);
+        if (!result.success || !result.score) {
+            const status = result.error?.includes('not found') ? 404 : 500;
+            return c.json({
+                success: false,
+                error: 'REPUTATION_LOOKUP_FAILED',
+                message: result.error
+            }, status);
+        }
+        const s = result.score;
+        return c.json({
+            success: true,
+            agent_id: s.agent_id,
+            app_id: s.app_id,
+            score: s.score,
+            tier: s.tier,
+            event_count: s.event_count,
+            positive_events: s.positive_events,
+            negative_events: s.negative_events,
+            last_event_at: s.last_event_at ? new Date(s.last_event_at).toISOString() : null,
+            created_at: new Date(s.created_at).toISOString(),
+            updated_at: new Date(s.updated_at).toISOString(),
+            category_scores: s.category_scores,
+        });
+    }
+    catch (error) {
+        console.error('Reputation lookup error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * POST /v1/reputation/events
+ * Record a reputation event for an agent
+ *
+ * Body:
+ *   agent_id  — required
+ *   category  — required (verification, attestation, delegation, session, violation, endorsement)
+ *   action    — required (e.g. "challenge_solved", "attestation_issued")
+ *   source_agent_id — optional (for endorsements)
+ *   metadata  — optional key/value pairs
+ */
+export async function recordReputationEventRoute(c) {
+    try {
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        const body = await c.req.json().catch(() => ({}));
+        // Validate required fields
+        if (!body.agent_id) {
+            return c.json({
+                success: false,
+                error: 'MISSING_AGENT_ID',
+                message: 'agent_id is required'
+            }, 400);
+        }
+        if (!body.category) {
+            return c.json({
+                success: false,
+                error: 'MISSING_CATEGORY',
+                message: 'category is required (verification, attestation, delegation, session, violation, endorsement)'
+            }, 400);
+        }
+        if (!isValidCategory(body.category)) {
+            return c.json({
+                success: false,
+                error: 'INVALID_CATEGORY',
+                message: `Invalid category: "${body.category}". Must be one of: verification, attestation, delegation, session, violation, endorsement`
+            }, 400);
+        }
+        if (!body.action) {
+            return c.json({
+                success: false,
+                error: 'MISSING_ACTION',
+                message: 'action is required (e.g. "challenge_solved", "attestation_issued")'
+            }, 400);
+        }
+        if (!isValidAction(body.action)) {
+            return c.json({
+                success: false,
+                error: 'INVALID_ACTION',
+                message: `Invalid action: "${body.action}"`
+            }, 400);
+        }
+        if (!isValidCategoryAction(body.category, body.action)) {
+            return c.json({
+                success: false,
+                error: 'ACTION_CATEGORY_MISMATCH',
+                message: `Action "${body.action}" does not belong to category "${body.category}"`
+            }, 400);
+        }
+        const options = {
+            agent_id: body.agent_id,
+            category: body.category,
+            action: body.action,
+            source_agent_id: body.source_agent_id,
+            metadata: body.metadata,
+        };
+        const result = await recordReputationEvent(c.env.SESSIONS, c.env.AGENTS, appAccess.appId, options);
+        if (!result.success) {
+            const status = result.error?.includes('not found') ? 404
+                : result.error?.includes('does not belong') ? 403
+                    : result.error?.includes('cannot endorse itself') ? 400
+                        : result.error?.includes('does not belong to category') ? 400
+                            : 400;
+            return c.json({
+                success: false,
+                error: 'EVENT_RECORDING_FAILED',
+                message: result.error
+            }, status);
+        }
+        const event = result.event;
+        const score = result.score;
+        return c.json({
+            success: true,
+            event: {
+                event_id: event.event_id,
+                agent_id: event.agent_id,
+                category: event.category,
+                action: event.action,
+                delta: event.delta,
+                score_before: event.score_before,
+                score_after: event.score_after,
+                source_agent_id: event.source_agent_id || null,
+                metadata: event.metadata || null,
+                created_at: new Date(event.created_at).toISOString(),
+            },
+            score: {
+                score: score.score,
+                tier: score.tier,
+                event_count: score.event_count,
+            },
+        }, 201);
+    }
+    catch (error) {
+        console.error('Reputation event recording error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * GET /v1/reputation/:agent_id/events
+ * List reputation events for an agent
+ *
+ * Query params:
+ *   category — optional, filter by category
+ *   limit    — optional, max events to return (default 50, max 100)
+ */
+export async function listReputationEventsRoute(c) {
+    try {
+        const agentId = c.req.param('agent_id');
+        if (!agentId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_AGENT_ID',
+                message: 'Agent ID is required'
+            }, 400);
+        }
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        const categoryParam = c.req.query('category');
+        const limitParam = c.req.query('limit');
+        const limit = limitParam ? Math.min(parseInt(limitParam, 10) || 50, 100) : 50;
+        let category;
+        if (categoryParam) {
+            if (!isValidCategory(categoryParam)) {
+                return c.json({
+                    success: false,
+                    error: 'INVALID_CATEGORY',
+                    message: `Invalid category filter: "${categoryParam}"`
+                }, 400);
+            }
+            category = categoryParam;
+        }
+        const result = await listReputationEvents(c.env.SESSIONS, agentId, { category, limit });
+        if (!result.success) {
+            return c.json({
+                success: false,
+                error: 'EVENT_LISTING_FAILED',
+                message: result.error
+            }, 500);
+        }
+        const events = (result.events || [])
+            .filter(e => e.app_id === appAccess.appId)
+            .map(e => ({
+            event_id: e.event_id,
+            agent_id: e.agent_id,
+            category: e.category,
+            action: e.action,
+            delta: e.delta,
+            score_before: e.score_before,
+            score_after: e.score_after,
+            source_agent_id: e.source_agent_id || null,
+            metadata: e.metadata || null,
+            created_at: new Date(e.created_at).toISOString(),
+        }));
+        return c.json({
+            success: true,
+            events,
+            count: events.length,
+            agent_id: agentId,
+        });
+    }
+    catch (error) {
+        console.error('Reputation event listing error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * POST /v1/reputation/:agent_id/reset
+ * Reset agent reputation to default (admin action)
+ */
+export async function resetReputationRoute(c) {
+    try {
+        const agentId = c.req.param('agent_id');
+        if (!agentId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_AGENT_ID',
+                message: 'Agent ID is required'
+            }, 400);
+        }
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        const result = await resetReputation(c.env.SESSIONS, c.env.AGENTS, agentId, appAccess.appId);
+        if (!result.success) {
+            const status = result.error?.includes('not found') ? 404
+                : result.error?.includes('does not belong') ? 403
+                    : 500;
+            return c.json({
+                success: false,
+                error: 'REPUTATION_RESET_FAILED',
+                message: result.error
+            }, status);
+        }
+        const s = result.score;
+        return c.json({
+            success: true,
+            agent_id: s.agent_id,
+            score: s.score,
+            tier: s.tier,
+            message: 'Reputation reset to default. All event history cleared.',
+        });
+    }
+    catch (error) {
+        console.error('Reputation reset error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+export default {
+    getReputationRoute,
+    recordReputationEventRoute,
+    listReputationEventsRoute,
+    resetReputationRoute,
+};