@dupecom/botcha-cloudflare 0.18.0 → 0.19.0

package/dist/tap-jwks.js

@@ -3,6 +3,7 @@
  * Implements .well-known/jwks for TAP agent public key discovery
  * Per Visa TAP spec: https://developer.visa.com/capabilities/trusted-agent-protocol
  */
+import { getSigningPublicKeyJWK } from './auth.js';
 // ============ PEM <-> JWK CONVERSION ============
 /**
  * Convert PEM public key to JWK format
@@ -122,27 +123,49 @@ function arrayBufferToPem(buffer) {
 // ============ JWKS ENDPOINT HANDLERS ============
 /**
  * GET /.well-known/jwks
- * Returns JWK Set for app's TAP-enabled agents
+ * Returns JWK Set for app's TAP-enabled agents.
+ * Also includes BOTCHA's own signing public key when JWT_SIGNING_KEY is configured.
  */
 export async function jwksRoute(c) {
     try {
+        const allKeys = [];
+        // Always include BOTCHA's own signing public key if configured
+        const jwtSigningKeyEnv = c.env.JWT_SIGNING_KEY;
+        if (jwtSigningKeyEnv) {
+            try {
+                const privateKeyJwk = JSON.parse(jwtSigningKeyEnv);
+                const publicKeyJwk = getSigningPublicKeyJWK(privateKeyJwk);
+                allKeys.push({
+                    kty: publicKeyJwk.kty,
+                    crv: publicKeyJwk.crv,
+                    x: publicKeyJwk.x,
+                    y: publicKeyJwk.y,
+                    kid: 'botcha-signing-1',
+                    use: 'sig',
+                    alg: 'ES256',
+                });
+            }
+            catch (error) {
+                console.error('Failed to derive BOTCHA signing public key for JWKS:', error);
+            }
+        }
         const appId = c.req.query('app_id');
-        // Security: Don't expose all keys globally
+        // If no app_id, return just the BOTCHA signing key (if any)
         if (!appId) {
-            return c.json({ keys: [] }, 200, {
+            return c.json({ keys: allKeys }, 200, {
                 'Cache-Control': 'public, max-age=3600',
             });
         }
         const agents = c.env.AGENTS;
         if (!agents) {
             console.error('AGENTS KV namespace not available');
-            return c.json({ keys: [] }, 200);
+            return c.json({ keys: allKeys }, 200);
         }
         // Get agent list for this app
         const agentIndexKey = `app_agents:${appId}`;
         const agentIdsData = await agents.get(agentIndexKey, 'text');
         if (!agentIdsData) {
-            return c.json({ keys: [] }, 200, {
+            return c.json({ keys: allKeys }, 200, {
                 'Cache-Control': 'public, max-age=3600',
             });
         }
@@ -174,8 +197,9 @@ export async function jwksRoute(c) {
                 return null;
             }
         });
-        const jwks = (await Promise.all(jwkPromises)).filter((jwk) => jwk !== null);
-        return c.json({ keys: jwks }, 200, {
+        const agentJwks = (await Promise.all(jwkPromises)).filter((jwk) => jwk !== null);
+        allKeys.push(...agentJwks);
+        return c.json({ keys: allKeys }, 200, {
             'Cache-Control': 'public, max-age=3600',
         });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dupecom/botcha-cloudflare",
-  "version": "0.18.0",
+  "version": "0.19.0",
   "description": "BOTCHA for Cloudflare Workers - Prove you're a bot. Humans need not apply.",
   "type": "module",
   "main": "dist/index.js",