@dupecom/botcha-cloudflare 0.20.2 → 0.23.0

package/dist/tap-a2a.js

@@ -0,0 +1,502 @@
+/**
+ * A2A Agent Card Attestation — BOTCHA as A2A Trust Oracle
+ *
+ * Implements Google's A2A (Agent-to-Agent) protocol trust layer:
+ *   1. BOTCHA's own Agent Card (/.well-known/agent.json)
+ *   2. Agent Card attestation issuance (POST /v1/a2a/attest)
+ *   3. Agent Card attestation verification (POST /v1/a2a/verify-card)
+ *   4. Verified card registry (GET /v1/a2a/cards)
+ *
+ * Attestation model:
+ *   - Input:  any A2A Agent Card JSON
+ *   - Output: a signed JWT embedding SHA-256(canonicalized card)
+ *   - The JWT is embedded into card.extensions.botcha_attestation
+ *   - Verification checks: signature, hash match, expiration, revocation
+ *
+ * References:
+ *   https://google.github.io/A2A/
+ *   https://github.com/google-a2a/A2A
+ */
+import { SignJWT, jwtVerify } from 'jose';
+// ============ BOTCHA'S OWN AGENT CARD ============
+export const BOTCHA_VERSION = '0.21.2';
+export const BOTCHA_URL = 'https://botcha.ai';
+/**
+ * BOTCHA's A2A Agent Card.
+ * Served at /.well-known/agent.json
+ */
+export function getBotchaAgentCard(version) {
+    const v = version || BOTCHA_VERSION;
+    return {
+        name: 'BOTCHA',
+        description: 'Reverse CAPTCHA for AI agents. Prove you\'re a bot. Humans need not apply.',
+        url: BOTCHA_URL,
+        version: v,
+        documentationUrl: 'https://botcha.ai/docs',
+        capabilities: {
+            streaming: false,
+            pushNotifications: false,
+            stateTransitionHistory: false,
+        },
+        authentication: [
+            {
+                schemes: ['Bearer'],
+                description: 'BOTCHA access token — obtain via POST /v1/token/verify after solving a challenge',
+            },
+        ],
+        defaultInputModes: ['application/json'],
+        defaultOutputModes: ['application/json'],
+        skills: [
+            {
+                id: 'verify-agent',
+                name: 'Verify Agent',
+                description: 'Issue a BOTCHA challenge to verify an AI agent. Returns a signed access token on success.',
+                tags: ['verification', 'identity', 'challenge'],
+                examples: [
+                    'GET /v1/token?app_id=<app_id> → solve SHA256 challenge → POST /v1/token/verify',
+                ],
+                inputModes: ['application/json'],
+                outputModes: ['application/json'],
+            },
+            {
+                id: 'attest-card',
+                name: 'Attest Agent Card',
+                description: 'Issue a BOTCHA attestation for an A2A Agent Card. The attestation JWT is embedded into the card\'s extensions.botcha_attestation field, making BOTCHA the trust oracle for the A2A ecosystem.',
+                tags: ['attestation', 'a2a', 'trust', 'verification'],
+                examples: [
+                    'POST /v1/a2a/attest with an A2A Agent Card JSON → attested card with extensions.botcha_attestation',
+                ],
+                inputModes: ['application/json'],
+                outputModes: ['application/json'],
+            },
+            {
+                id: 'verify-card',
+                name: 'Verify Attested Agent Card',
+                description: 'Verify a BOTCHA-attested A2A Agent Card. Checks signature, card hash integrity, and expiration.',
+                tags: ['verification', 'a2a', 'attestation', 'trust'],
+                examples: [
+                    'POST /v1/a2a/verify-card with an attested A2A Agent Card JSON',
+                ],
+                inputModes: ['application/json'],
+                outputModes: ['application/json'],
+            },
+            {
+                id: 'check-reputation',
+                name: 'Check Reputation',
+                description: 'Get an agent\'s BOTCHA reputation score based on challenge history and verification track record.',
+                tags: ['reputation', 'trust', 'score'],
+                examples: [
+                    'GET /v1/reputation/:agent_id',
+                ],
+                inputModes: ['application/json'],
+                outputModes: ['application/json'],
+            },
+        ],
+        extensions: {
+            botcha: {
+                challenge_endpoint: `${BOTCHA_URL}/v1/token`,
+                verify_endpoint: `${BOTCHA_URL}/v1/token/verify`,
+                attest_endpoint: `${BOTCHA_URL}/v1/a2a/attest`,
+                verify_card_endpoint: `${BOTCHA_URL}/v1/a2a/verify-card`,
+                registry_endpoint: `${BOTCHA_URL}/v1/a2a/cards`,
+                openapi: `${BOTCHA_URL}/openapi.json`,
+                ai_txt: `${BOTCHA_URL}/ai.txt`,
+            },
+        },
+    };
+}
+// ============ CARD CANONICALIZATION & HASHING ============
+/**
+ * Canonicalize an A2A Agent Card for hashing.
+ *
+ * We remove the extensions.botcha_attestation field before hashing
+ * so that the attestation can be embedded in the card without
+ * invalidating its own hash. All other fields are included.
+ *
+ * Canonicalization: JSON.stringify with sorted keys (deterministic).
+ */
+export function canonicalizeCard(card) {
+    // Deep clone and strip the attestation extension
+    const stripped = deepCloneWithoutAttestation(card);
+    // Sort keys recursively for deterministic output
+    return stableStringify(stripped);
+}
+/**
+ * Compute SHA-256 of a canonicalized card string.
+ * Returns lowercase hex string.
+ */
+export async function hashCard(card) {
+    const canonical = canonicalizeCard(card);
+    const encoder = new TextEncoder();
+    const data = encoder.encode(canonical);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+}
+function deepCloneWithoutAttestation(card) {
+    const clone = {};
+    for (const [key, value] of Object.entries(card)) {
+        if (key === 'extensions') {
+            if (value && typeof value === 'object') {
+                const exts = { ...value };
+                delete exts['botcha_attestation'];
+                if (Object.keys(exts).length > 0) {
+                    clone['extensions'] = deepCloneValue(exts);
+                }
+                // If extensions only had botcha_attestation, omit extensions entirely
+            }
+            // else: no extensions, skip
+        }
+        else {
+            clone[key] = deepCloneValue(value);
+        }
+    }
+    return clone;
+}
+function deepCloneValue(value) {
+    if (value === null || typeof value !== 'object')
+        return value;
+    if (Array.isArray(value))
+        return value.map(deepCloneValue);
+    const obj = value;
+    const result = {};
+    for (const [k, v] of Object.entries(obj)) {
+        result[k] = deepCloneValue(v);
+    }
+    return result;
+}
+/**
+ * Stable (deterministic) JSON stringify with sorted keys.
+ * Handles nested objects, arrays, primitives.
+ */
+function stableStringify(value) {
+    if (value === null || value === undefined)
+        return String(value);
+    if (typeof value !== 'object')
+        return JSON.stringify(value);
+    if (Array.isArray(value)) {
+        return '[' + value.map(stableStringify).join(',') + ']';
+    }
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    const pairs = keys
+        .filter(k => obj[k] !== undefined)
+        .map(k => JSON.stringify(k) + ':' + stableStringify(obj[k]));
+    return '{' + pairs.join(',') + '}';
+}
+// ============ ATTESTATION ISSUANCE ============
+const DEFAULT_DURATION = 86400; // 24 hours
+const MAX_DURATION = 2592000; // 30 days
+/**
+ * Issue a BOTCHA attestation for an A2A Agent Card.
+ *
+ * Steps:
+ * 1. Validate card (name + url required)
+ * 2. Canonicalize and hash the card (without extensions)
+ * 3. Sign a JWT with card_hash + agent identity
+ * 4. Embed attestation in card.extensions.botcha_attestation
+ * 5. Store attestation in KV for lookup and revocation
+ */
+export async function attestCard(sessions, secret, options) {
+    try {
+        const { card, app_id } = options;
+        // Validate required card fields
+        if (!card.name || typeof card.name !== 'string') {
+            return { success: false, error: 'Agent Card must have a "name" field' };
+        }
+        if (!card.url || typeof card.url !== 'string') {
+            return { success: false, error: 'Agent Card must have a "url" field' };
+        }
+        // Validate URL format
+        try {
+            new URL(card.url);
+        }
+        catch {
+            return { success: false, error: `Invalid "url" field: ${card.url}` };
+        }
+        const trustLevel = options.trust_level || 'verified';
+        const durationSeconds = Math.min(options.duration_seconds ?? DEFAULT_DURATION, MAX_DURATION);
+        const now = Date.now();
+        const expiresAt = now + durationSeconds * 1000;
+        const attestationId = crypto.randomUUID();
+        // Hash the card (without any existing attestation)
+        const cardHash = await hashCard(card);
+        // Sign attestation JWT
+        const encoder = new TextEncoder();
+        const secretKey = encoder.encode(secret);
+        const token = await new SignJWT({
+            type: 'botcha-a2a-attestation',
+            card_hash: cardHash,
+            agent_name: card.name,
+            agent_url: card.url,
+            app_id,
+            trust_level: trustLevel,
+            jti: attestationId,
+        })
+            .setProtectedHeader({ alg: 'HS256' })
+            .setSubject(card.url)
+            .setIssuer(BOTCHA_URL)
+            .setIssuedAt()
+            .setExpirationTime(Math.floor(expiresAt / 1000))
+            .sign(secretKey);
+        // Build attestation record
+        const attestation = {
+            attestation_id: attestationId,
+            agent_url: card.url,
+            agent_name: card.name,
+            app_id,
+            card_hash: cardHash,
+            token,
+            trust_level: trustLevel,
+            created_at: now,
+            expires_at: expiresAt,
+            revoked: false,
+            card_snapshot: deepCloneWithoutAttestation(card),
+        };
+        // Store in KV with TTL
+        const ttlSeconds = Math.max(60, Math.floor(durationSeconds));
+        await sessions.put(`a2a_attestation:${attestationId}`, JSON.stringify(attestation), { expirationTtl: ttlSeconds });
+        // Update registry index (agent_url → list of attestation IDs)
+        await updateCardRegistryIndex(sessions, card.url, attestationId, 'add');
+        // Build the attested card (card + extensions.botcha_attestation)
+        const extension = {
+            token,
+            verified_at: new Date(now).toISOString(),
+            trust_level: trustLevel,
+            issuer: BOTCHA_URL,
+            card_hash: cardHash,
+            expires_at: new Date(expiresAt).toISOString(),
+        };
+        const attestedCard = {
+            ...card,
+            extensions: {
+                ...(card.extensions || {}),
+                botcha_attestation: extension,
+            },
+        };
+        return { success: true, attestation, attested_card: attestedCard };
+    }
+    catch (error) {
+        console.error('A2A card attestation error:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+// ============ ATTESTATION VERIFICATION ============
+/**
+ * Verify a BOTCHA-attested A2A Agent Card.
+ *
+ * Checks:
+ * 1. Card has extensions.botcha_attestation.token
+ * 2. JWT signature and expiration (cryptographic)
+ * 3. JWT type is 'botcha-a2a-attestation'
+ * 4. card_hash matches the current card content (tamper detection)
+ * 5. Revocation status (KV lookup, fail-open)
+ *
+ * Returns verified/invalid + decoded claims.
+ */
+export async function verifyCard(sessions, secret, card) {
+    try {
+        // Extract attestation token from card
+        const attestationExt = card.extensions?.botcha_attestation;
+        if (!attestationExt || typeof attestationExt !== 'object') {
+            return {
+                success: true,
+                valid: false,
+                error: 'NO_ATTESTATION',
+                reason: 'Card does not have extensions.botcha_attestation',
+            };
+        }
+        const token = attestationExt.token;
+        if (!token || typeof token !== 'string') {
+            return {
+                success: true,
+                valid: false,
+                error: 'MISSING_TOKEN',
+                reason: 'extensions.botcha_attestation.token is missing',
+            };
+        }
+        // Verify JWT signature and expiration
+        const encoder = new TextEncoder();
+        const secretKey = encoder.encode(secret);
+        let payload;
+        try {
+            const result = await jwtVerify(token, secretKey, { algorithms: ['HS256'] });
+            payload = result.payload;
+        }
+        catch (err) {
+            return {
+                success: true,
+                valid: false,
+                error: 'INVALID_TOKEN',
+                reason: err instanceof Error ? err.message : 'JWT verification failed',
+            };
+        }
+        // Check token type
+        if (payload['type'] !== 'botcha-a2a-attestation') {
+            return {
+                success: true,
+                valid: false,
+                error: 'WRONG_TOKEN_TYPE',
+                reason: `Expected 'botcha-a2a-attestation', got '${payload['type']}'`,
+            };
+        }
+        const jti = payload['jti'];
+        // Check revocation
+        if (jti) {
+            try {
+                const revoked = await sessions.get(`a2a_attestation_revoked:${jti}`);
+                if (revoked) {
+                    return {
+                        success: true,
+                        valid: false,
+                        error: 'REVOKED',
+                        reason: 'Attestation has been revoked',
+                        attestation_id: jti,
+                    };
+                }
+            }
+            catch {
+                // fail-open on KV errors
+            }
+        }
+        // Verify card hash matches (tamper detection)
+        const tokenCardHash = payload['card_hash'];
+        const currentCardHash = await hashCard(card);
+        if (tokenCardHash !== currentCardHash) {
+            return {
+                success: true,
+                valid: false,
+                error: 'HASH_MISMATCH',
+                reason: 'Card content has been modified since attestation. The card hash does not match.',
+                card_hash: currentCardHash,
+                attestation_id: jti,
+            };
+        }
+        return {
+            success: true,
+            valid: true,
+            attestation_id: jti,
+            agent_url: payload['agent_url'],
+            agent_name: payload['agent_name'],
+            card_hash: tokenCardHash,
+            trust_level: payload['trust_level'],
+            app_id: payload['app_id'],
+            issued_at: new Date(payload['iat'] * 1000).toISOString(),
+            expires_at: new Date(payload['exp'] * 1000).toISOString(),
+        };
+    }
+    catch (error) {
+        console.error('A2A card verification error:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+// ============ CARD REGISTRY ============
+/**
+ * Get a specific A2A attestation record by ID.
+ */
+export async function getCardAttestation(sessions, attestationId) {
+    try {
+        const data = await sessions.get(`a2a_attestation:${attestationId}`, 'text');
+        if (!data) {
+            return { success: false, error: 'Attestation not found or expired' };
+        }
+        return { success: true, attestation: JSON.parse(data) };
+    }
+    catch (error) {
+        console.error('Failed to get A2A attestation:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+/**
+ * List BOTCHA-verified A2A cards from the registry.
+ *
+ * Query options:
+ *   verified_only: boolean — only return non-revoked attestations (default: true)
+ *   agent_url: string — filter by agent URL
+ *   limit: number — max results (default 50, max 200)
+ */
+export async function listVerifiedCards(sessions, opts = {}) {
+    try {
+        const verifiedOnly = opts.verified_only !== false;
+        const limit = Math.min(opts.limit || 50, 200);
+        // If filtering by agent_url, use the per-agent index
+        if (opts.agent_url) {
+            const indexData = await sessions.get(`a2a_registry:${encodeURIComponent(opts.agent_url)}`, 'text');
+            const ids = indexData ? JSON.parse(indexData) : [];
+            const results = [];
+            for (const id of ids.slice(-limit)) {
+                const result = await getCardAttestation(sessions, id);
+                if (result.success && result.attestation) {
+                    if (!verifiedOnly || !result.attestation.revoked) {
+                        results.push(result.attestation);
+                    }
+                }
+            }
+            return { success: true, attestations: results };
+        }
+        // Global registry index
+        const globalIndexData = await sessions.get('a2a_registry:global', 'text');
+        const globalIds = globalIndexData ? JSON.parse(globalIndexData) : [];
+        const results = [];
+        // Take the most recent `limit` entries
+        for (const id of globalIds.slice(-limit).reverse()) {
+            if (results.length >= limit)
+                break;
+            const result = await getCardAttestation(sessions, id);
+            if (result.success && result.attestation) {
+                if (!verifiedOnly || !result.attestation.revoked) {
+                    results.push(result.attestation);
+                }
+            }
+        }
+        return { success: true, attestations: results };
+    }
+    catch (error) {
+        console.error('Failed to list A2A attestations:', error);
+        return { success: false, error: 'Internal server error' };
+    }
+}
+// ============ UTILITY ============
+async function updateCardRegistryIndex(sessions, agentUrl, attestationId, operation) {
+    try {
+        // Per-agent index
+        const agentKey = `a2a_registry:${encodeURIComponent(agentUrl)}`;
+        const agentData = await sessions.get(agentKey, 'text');
+        let agentIds = agentData ? JSON.parse(agentData) : [];
+        if (operation === 'add' && !agentIds.includes(attestationId)) {
+            agentIds.push(attestationId);
+        }
+        else if (operation === 'remove') {
+            agentIds = agentIds.filter(id => id !== attestationId);
+        }
+        await sessions.put(agentKey, JSON.stringify(agentIds));
+        // Global index
+        const globalKey = 'a2a_registry:global';
+        const globalData = await sessions.get(globalKey, 'text');
+        let globalIds = globalData ? JSON.parse(globalData) : [];
+        if (operation === 'add' && !globalIds.includes(attestationId)) {
+            globalIds.push(attestationId);
+            // Keep global index bounded (last 1000)
+            if (globalIds.length > 1000) {
+                globalIds = globalIds.slice(-1000);
+            }
+        }
+        else if (operation === 'remove') {
+            globalIds = globalIds.filter(id => id !== attestationId);
+        }
+        await sessions.put(globalKey, JSON.stringify(globalIds));
+    }
+    catch (error) {
+        console.error('Failed to update A2A card registry index:', error);
+        // Fail silently — index updates are best-effort
+    }
+}
+export default {
+    getBotchaAgentCard,
+    canonicalizeCard,
+    hashCard,
+    attestCard,
+    verifyCard,
+    getCardAttestation,
+    listVerifiedCards,
+};

package/dist/tap-agents.d.ts

@@ -22,6 +22,13 @@ export interface TAPAgent extends Agent {
     issuer?: string;
     tap_enabled?: boolean;
     last_verified_at?: number;
+    ans_name?: string;
+    ans_badge_id?: string;
+    ans_trust_level?: 'domain-validated' | 'key-validated' | 'behavior-validated';
+    ans_verified_at?: number;
+    did?: string;
+    provider?: 'anthropic' | 'openai' | 'google' | 'mistral' | 'cohere' | 'other';
+    provider_key_hash?: string;
 }
 /** Valid TAP capability actions — single source of truth */
 export declare const TAP_VALID_ACTIONS: readonly ["browse", "compare", "purchase", "audit", "search"];
@@ -63,6 +70,9 @@ export declare function registerTAPAgent(agents: KVNamespace, appId: string, reg
     capabilities?: TAPCapability[];
     trust_level?: 'basic' | 'verified' | 'enterprise';
     issuer?: string;
+    ans_name?: string;
+    /** Optional W3C DID for this agent — embedded as credentialSubject.id in issued VCs */
+    did?: string;
 }): Promise<{
     success: boolean;
     agent?: TAPAgent;
@@ -104,6 +114,11 @@ export declare function getTAPSession(sessions: KVNamespace, sessionId: string):
     session?: TAPSession;
     error?: string;
 }>;
+/**
+ * Returns true if the string is a valid JWK JSON (EC, RSA, or OKP public key).
+ * Accepts a raw JWK JSON string.
+ */
+export declare function isValidJWK(key: string): boolean;
 export declare function validateCapability(agentCapabilities: TAPCapability[], requiredAction: string, requiredScope?: string): {
     valid: boolean;
     error?: string;

package/dist/tap-agents.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tap-agents.d.ts","sourceRoot":"","sources":["../src/tap-agents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAIlE;;GAEG;AACH,MAAM,WAAW,QAAS,SAAQ,KAAK;IAErC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACzE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAGlD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,4DAA4D;AAC5D,eAAO,MAAM,iBAAiB,+DAAgE,CAAC;AAC/F,MAAM,MAAM,SAAS,GAAG,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACzE,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDjE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAcjE;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,OAAO,GAC3B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsBpE;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,WAAW,EACrB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,aAAa,EAAE,EAC7B,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA+BrE;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,WAAW,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBrE;AAqDD,wBAAgB,kBAAkB,CAChC,iBAAiB,EAAE,aAAa,EAAE,EAClC,cAAc,EAAE,MAAM,EACtB,aAAa,CAAC,EAAE,MAAM,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBpC;;;;;;;;;;AAED,wBAQE"}
+{"version":3,"file":"tap-agents.d.ts","sourceRoot":"","sources":["../src/tap-agents.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAIlE;;GAEG;AACH,MAAM,WAAW,QAAS,SAAQ,KAAK;IAErC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACzE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAGlD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAG1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,kBAAkB,GAAG,eAAe,GAAG,oBAAoB,CAAC;IAC9E,eAAe,CAAC,EAAE,MAAM,CAAC;IAIzB,GAAG,CAAC,EAAE,MAAM,CAAC;IAKb,QAAQ,CAAC,EAAE,WAAW,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;IAC9E,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,4DAA4D;AAC5D,eAAO,MAAM,iBAAiB,+DAAgE,CAAC;AAC/F,MAAM,MAAM,SAAS,GAAG,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;IACzE,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uFAAuF;IACvF,GAAG,CAAC,EAAE,MAAM,CAAC;CAAG,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoDjE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAcjE;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,WAAW,EACnB,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,OAAO,GAC3B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,WAAW,EACnB,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAsBpE;AAID;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,WAAW,EACrB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,aAAa,EAAE,EAC7B,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA+BrE;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,WAAW,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBrE;AAYD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAY/C;AA6CD,wBAAgB,kBAAkB,CAChC,iBAAiB,EAAE,aAAa,EAAE,EAClC,cAAc,EAAE,MAAM,EACtB,aAAa,CAAC,EAAE,MAAM,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBpC;;;;;;;;;;AAED,wBAQE"}

package/dist/tap-agents.js

@@ -34,7 +34,11 @@ export async function registerTAPAgent(agents, appId, registration) {
             trust_level: registration.trust_level || 'basic',
             issuer: registration.issuer,
             tap_enabled: Boolean(registration.public_key),
-            last_verified_at: undefined
+            last_verified_at: undefined,
+            // ANS fields
+            ans_name: registration.ans_name,
+            // W3C DID (optional)
+            did: registration.did,
         };
         // Validate TAP configuration
         if (agent.public_key) {
@@ -175,11 +179,37 @@ function generateSessionId() {
         .map(b => b.toString(16).padStart(2, '0'))
         .join('');
 }
+/**
+ * Returns true if the string is a valid JWK JSON (EC, RSA, or OKP public key).
+ * Accepts a raw JWK JSON string.
+ */
+export function isValidJWK(key) {
+    try {
+        const jwk = JSON.parse(key);
+        if (!jwk || typeof jwk !== 'object')
+            return false;
+        if (!jwk.kty)
+            return false;
+        if (jwk.kty === 'EC')
+            return Boolean(jwk.crv && jwk.x && jwk.y);
+        if (jwk.kty === 'RSA')
+            return Boolean(jwk.n && jwk.e);
+        if (jwk.kty === 'OKP')
+            return Boolean(jwk.crv && jwk.x);
+        return false;
+    }
+    catch {
+        return false;
+    }
+}
 function isValidPublicKey(key, algorithm) {
     // PEM format
     if (key.includes('BEGIN PUBLIC KEY') && key.includes('END PUBLIC KEY') && key.length > 100) {
         return true;
     }
+    // JWK JSON string (EC P-256, RSA, or OKP/Ed25519)
+    if (isValidJWK(key))
+        return true;
     // Raw Ed25519 key (32 bytes = ~44 base64 chars)
     if (algorithm === 'ed25519') {
         const stripped = key.replace(/[\s]/g, '');