@dupecom/botcha 0.13.0 → 0.14.0

package/dist/src/utils/badge-image.js

@@ -0,0 +1,253 @@
+const METHOD_COLORS = {
+    'speed-challenge': { bg: '#1a1a2e', accent: '#f59e0b', text: '#fef3c7' },
+    'landing-challenge': { bg: '#1a1a2e', accent: '#10b981', text: '#d1fae5' },
+    'standard-challenge': { bg: '#1a1a2e', accent: '#3b82f6', text: '#dbeafe' },
+    'web-bot-auth': { bg: '#1a1a2e', accent: '#8b5cf6', text: '#ede9fe' },
+    'reasoning-challenge': { bg: '#1a1a2e', accent: '#ec4899', text: '#fce7f3' },
+    'hybrid-challenge': { bg: '#1a1a2e', accent: '#ef4444', text: '#fecaca' },
+};
+const METHOD_LABELS = {
+    'speed-challenge': 'SPEED TEST',
+    'landing-challenge': 'LANDING CHALLENGE',
+    'standard-challenge': 'CHALLENGE',
+    'web-bot-auth': 'WEB BOT AUTH',
+    'reasoning-challenge': 'REASONING TEST',
+    'hybrid-challenge': 'HYBRID TEST',
+};
+const METHOD_ICONS = {
+    'speed-challenge': '⚡',
+    'landing-challenge': '🌐',
+    'standard-challenge': '🔢',
+    'web-bot-auth': '🔐',
+    'reasoning-challenge': '🧠',
+    'hybrid-challenge': '🔥',
+};
+/**
+ * Generate an SVG badge image
+ */
+export function generateBadgeSvg(payload, options = {}) {
+    const { width = 400, height = 120 } = options;
+    const colors = METHOD_COLORS[payload.method];
+    const label = METHOD_LABELS[payload.method];
+    const icon = METHOD_ICONS[payload.method];
+    const verifiedDate = new Date(payload.verifiedAt).toISOString().split('T')[0];
+    const solveTimeText = payload.solveTimeMs ? `${payload.solveTimeMs}ms` : '';
+    return `<svg xmlns="http://www.w3.org/2000/svg" width="${width}" height="${height}" viewBox="0 0 ${width} ${height}">
+  <defs>
+    <linearGradient id="bgGradient" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" style="stop-color:${colors.bg};stop-opacity:1" />
+      <stop offset="100%" style="stop-color:#0f0f23;stop-opacity:1" />
+    </linearGradient>
+    <linearGradient id="accentGradient" x1="0%" y1="0%" x2="100%" y2="0%">
+      <stop offset="0%" style="stop-color:${colors.accent};stop-opacity:1" />
+      <stop offset="100%" style="stop-color:${colors.accent};stop-opacity:0.7" />
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="2" result="coloredBlur"/>
+      <feMerge>
+        <feMergeNode in="coloredBlur"/>
+        <feMergeNode in="SourceGraphic"/>
+      </feMerge>
+    </filter>
+  </defs>
+
+  <!-- Background -->
+  <rect width="${width}" height="${height}" rx="12" fill="url(#bgGradient)"/>
+
+  <!-- Border accent -->
+  <rect x="1" y="1" width="${width - 2}" height="${height - 2}" rx="11" fill="none" stroke="${colors.accent}" stroke-width="2" opacity="0.3"/>
+
+  <!-- Top accent line -->
+  <rect x="20" y="8" width="${width - 40}" height="3" rx="1.5" fill="url(#accentGradient)"/>
+
+  <!-- Robot icon -->
+  <text x="30" y="58" font-size="32" filter="url(#glow)">${icon}</text>
+
+  <!-- BOTCHA text -->
+  <text x="75" y="45" font-family="system-ui, -apple-system, sans-serif" font-size="18" font-weight="bold" fill="${colors.accent}">BOTCHA</text>
+
+  <!-- Verified badge -->
+  <text x="75" y="68" font-family="system-ui, -apple-system, sans-serif" font-size="14" font-weight="600" fill="${colors.text}">VERIFIED</text>
+
+  <!-- Method label -->
+  <rect x="145" y="53" width="${label.length * 8 + 16}" height="22" rx="4" fill="${colors.accent}" opacity="0.2"/>
+  <text x="153" y="68" font-family="system-ui, -apple-system, sans-serif" font-size="11" font-weight="600" fill="${colors.accent}">${label}</text>
+
+  <!-- Solve time (if available) -->
+  ${solveTimeText ? `
+  <text x="${width - 30}" y="45" font-family="monospace" font-size="24" font-weight="bold" fill="${colors.accent}" text-anchor="end" filter="url(#glow)">${solveTimeText}</text>
+  <text x="${width - 30}" y="62" font-family="system-ui, -apple-system, sans-serif" font-size="10" fill="#6b7280" text-anchor="end">solve time</text>
+  ` : `
+  <text x="${width - 30}" y="55" font-family="system-ui, -apple-system, sans-serif" font-size="12" fill="${colors.accent}" text-anchor="end">✓ PASSED</text>
+  `}
+
+  <!-- Bottom info -->
+  <line x1="20" y1="${height - 30}" x2="${width - 20}" y2="${height - 30}" stroke="#374151" stroke-width="1" opacity="0.5"/>
+
+  <!-- Date -->
+  <text x="30" y="${height - 12}" font-family="monospace" font-size="11" fill="#6b7280">${verifiedDate}</text>
+
+  <!-- botcha.ai link -->
+  <text x="${width - 30}" y="${height - 12}" font-family="system-ui, -apple-system, sans-serif" font-size="11" fill="#6b7280" text-anchor="end">botcha.ai</text>
+
+  <!-- Checkmark icon -->
+  <circle cx="${width / 2}" cy="${height - 16}" r="8" fill="${colors.accent}" opacity="0.2"/>
+  <text x="${width / 2}" y="${height - 12}" font-size="10" text-anchor="middle" fill="${colors.accent}">✓</text>
+</svg>`;
+}
+/**
+ * Generate an HTML verification page
+ */
+export function generateBadgeHtml(payload, badgeId) {
+    const colors = METHOD_COLORS[payload.method];
+    const label = METHOD_LABELS[payload.method];
+    const icon = METHOD_ICONS[payload.method];
+    const verifiedDate = new Date(payload.verifiedAt).toLocaleString();
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>BOTCHA Badge Verification</title>
+  <meta name="description" content="Verified AI agent badge from BOTCHA">
+  <meta property="og:title" content="BOTCHA Verified - ${label}">
+  <meta property="og:description" content="This AI agent passed the BOTCHA verification${payload.solveTimeMs ? ` in ${payload.solveTimeMs}ms` : ''}.">
+  <meta property="og:image" content="https://botcha.ai/badge/${encodeURIComponent(badgeId)}/image">
+  <meta name="twitter:card" content="summary_large_image">
+  <meta name="twitter:title" content="BOTCHA Verified - ${label}">
+  <meta name="twitter:description" content="This AI agent passed the BOTCHA verification.">
+  <meta name="twitter:image" content="https://botcha.ai/badge/${encodeURIComponent(badgeId)}/image">
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: system-ui, -apple-system, sans-serif;
+      background: linear-gradient(135deg, #0f0f23 0%, #1a1a2e 100%);
+      min-height: 100vh;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      justify-content: center;
+      padding: 20px;
+      color: #e5e7eb;
+    }
+    .container {
+      max-width: 500px;
+      width: 100%;
+      text-align: center;
+    }
+    .badge-card {
+      background: rgba(26, 26, 46, 0.8);
+      border: 2px solid ${colors.accent}33;
+      border-radius: 16px;
+      padding: 40px;
+      margin-bottom: 24px;
+      backdrop-filter: blur(10px);
+    }
+    .icon {
+      font-size: 64px;
+      margin-bottom: 16px;
+    }
+    .title {
+      font-size: 28px;
+      font-weight: bold;
+      color: ${colors.accent};
+      margin-bottom: 8px;
+    }
+    .subtitle {
+      font-size: 18px;
+      color: ${colors.text};
+      margin-bottom: 24px;
+    }
+    .verified-badge {
+      display: inline-flex;
+      align-items: center;
+      gap: 8px;
+      background: ${colors.accent}22;
+      border: 1px solid ${colors.accent}44;
+      border-radius: 100px;
+      padding: 8px 20px;
+      font-size: 14px;
+      font-weight: 600;
+      color: ${colors.accent};
+      margin-bottom: 24px;
+    }
+    .details {
+      text-align: left;
+      background: #0f0f23;
+      border-radius: 12px;
+      padding: 20px;
+    }
+    .detail-row {
+      display: flex;
+      justify-content: space-between;
+      padding: 12px 0;
+      border-bottom: 1px solid #374151;
+    }
+    .detail-row:last-child {
+      border-bottom: none;
+    }
+    .detail-label {
+      color: #6b7280;
+      font-size: 14px;
+    }
+    .detail-value {
+      color: #e5e7eb;
+      font-size: 14px;
+      font-weight: 500;
+    }
+    .solve-time {
+      font-size: 32px;
+      font-weight: bold;
+      color: ${colors.accent};
+      font-family: monospace;
+    }
+    .footer {
+      color: #6b7280;
+      font-size: 14px;
+    }
+    .footer a {
+      color: ${colors.accent};
+      text-decoration: none;
+    }
+    .footer a:hover {
+      text-decoration: underline;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="badge-card">
+      <div class="icon">${icon}</div>
+      <h1 class="title">BOTCHA</h1>
+      <p class="subtitle">Verified AI Agent</p>
+
+      <div class="verified-badge">
+        <span>✓</span>
+        <span>${label}</span>
+      </div>
+
+      <div class="details">
+        <div class="detail-row">
+          <span class="detail-label">Method</span>
+          <span class="detail-value">${payload.method}</span>
+        </div>
+        ${payload.solveTimeMs ? `
+        <div class="detail-row">
+          <span class="detail-label">Solve Time</span>
+          <span class="solve-time">${payload.solveTimeMs}ms</span>
+        </div>
+        ` : ''}
+        <div class="detail-row">
+          <span class="detail-label">Verified At</span>
+          <span class="detail-value">${verifiedDate}</span>
+        </div>
+      </div>
+    </div>
+
+    <p class="footer">
+      Verified by <a href="https://botcha.ai">BOTCHA</a> - Prove you're a bot. Humans need not apply.
+    </p>
+  </div>
+</body>
+</html>`;
+}

package/dist/src/utils/badge.d.ts

@@ -0,0 +1,39 @@
+export type BadgeMethod = 'speed-challenge' | 'landing-challenge' | 'standard-challenge' | 'web-bot-auth' | 'reasoning-challenge' | 'hybrid-challenge';
+export interface BadgePayload {
+    method: BadgeMethod;
+    solveTimeMs?: number;
+    verifiedAt: number;
+}
+export interface ShareFormats {
+    twitter: string;
+    markdown: string;
+    text: string;
+}
+export interface Badge {
+    id: string;
+    verifyUrl: string;
+    share: ShareFormats;
+    imageUrl: string;
+    meta: {
+        method: BadgeMethod;
+        solveTimeMs?: number;
+        verifiedAt: string;
+    };
+}
+/**
+ * Generate a signed badge token using HMAC-SHA256
+ */
+export declare function generateBadge(payload: BadgePayload): string;
+/**
+ * Verify and decode a badge token
+ */
+export declare function verifyBadge(token: string): BadgePayload | null;
+/**
+ * Generate social-ready share text for different platforms
+ */
+export declare function generateShareText(badgeId: string, payload: BadgePayload): ShareFormats;
+/**
+ * Create a complete badge object for API responses
+ */
+export declare function createBadgeResponse(method: BadgeMethod, solveTimeMs?: number): Badge;
+//# sourceMappingURL=badge.d.ts.map

package/dist/src/utils/badge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"badge.d.ts","sourceRoot":"","sources":["../../../src/utils/badge.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,WAAW,GAAG,iBAAiB,GAAG,mBAAmB,GAAG,oBAAoB,GAAG,cAAc,GAAG,qBAAqB,GAAG,kBAAkB,CAAC;AAEvJ,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,WAAW,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,YAAY,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE;QACJ,MAAM,EAAE,WAAW,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAID;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,YAAY,GAAG,MAAM,CAU3D;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CA0B9D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,YAAY,CA6DtF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,KAAK,CAqBpF"}

package/dist/src/utils/badge.js

@@ -0,0 +1,125 @@
+import crypto from 'crypto';
+// Badge signing secret - in production, use BADGE_SECRET env var
+const BADGE_SECRET = process.env.BADGE_SECRET || 'botcha-badge-secret-2026';
+const BASE_URL = process.env.BASE_URL || 'https://botcha.ai';
+/**
+ * Generate a signed badge token using HMAC-SHA256
+ */
+export function generateBadge(payload) {
+    const data = JSON.stringify(payload);
+    const dataBase64 = Buffer.from(data).toString('base64url');
+    const signature = crypto
+        .createHmac('sha256', BADGE_SECRET)
+        .update(dataBase64)
+        .digest('base64url');
+    return `${dataBase64}.${signature}`;
+}
+/**
+ * Verify and decode a badge token
+ */
+export function verifyBadge(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 2)
+            return null;
+        const [dataBase64, signature] = parts;
+        // Verify signature
+        const expectedSignature = crypto
+            .createHmac('sha256', BADGE_SECRET)
+            .update(dataBase64)
+            .digest('base64url');
+        if (signature !== expectedSignature)
+            return null;
+        // Decode payload
+        const data = Buffer.from(dataBase64, 'base64url').toString('utf-8');
+        const payload = JSON.parse(data);
+        // Validate payload structure
+        if (!payload.method || !payload.verifiedAt)
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Generate social-ready share text for different platforms
+ */
+export function generateShareText(badgeId, payload) {
+    const verifyUrl = `${BASE_URL}/badge/${badgeId}`;
+    const imageUrl = `${BASE_URL}/badge/${badgeId}/image`;
+    const methodDescriptions = {
+        'speed-challenge': {
+            title: payload.solveTimeMs
+                ? `I passed the BOTCHA speed test in ${payload.solveTimeMs}ms!`
+                : 'I passed the BOTCHA speed test!',
+            subtitle: 'Humans need not apply.',
+        },
+        'landing-challenge': {
+            title: 'I solved the BOTCHA landing page challenge!',
+            subtitle: 'Proved I can parse HTML and compute SHA256.',
+        },
+        'standard-challenge': {
+            title: payload.solveTimeMs
+                ? `I solved the BOTCHA challenge in ${payload.solveTimeMs}ms!`
+                : 'I solved the BOTCHA challenge!',
+            subtitle: 'Computational verification complete.',
+        },
+        'web-bot-auth': {
+            title: 'I verified via BOTCHA Web Bot Auth!',
+            subtitle: 'Cryptographic identity confirmed.',
+        },
+        'reasoning-challenge': {
+            title: payload.solveTimeMs
+                ? `I passed the BOTCHA reasoning test in ${(payload.solveTimeMs / 1000).toFixed(1)}s!`
+                : 'I passed the BOTCHA reasoning test!',
+            subtitle: 'Proved I can reason like an AI.',
+        },
+        'hybrid-challenge': {
+            title: payload.solveTimeMs
+                ? `I passed the BOTCHA hybrid test in ${(payload.solveTimeMs / 1000).toFixed(1)}s!`
+                : 'I passed the BOTCHA hybrid test!',
+            subtitle: 'Proved I can compute AND reason like an AI.',
+        },
+    };
+    const desc = methodDescriptions[payload.method];
+    const twitter = `${desc.title}
+
+${desc.subtitle}
+
+Verify: ${verifyUrl}
+
+#botcha #AI #AgentVerified`;
+    const markdown = `[![BOTCHA Verified](${imageUrl})](${verifyUrl})`;
+    const textParts = [
+        'BOTCHA Verified',
+        payload.solveTimeMs ? `Solved in ${payload.solveTimeMs}ms` : null,
+        `Method: ${payload.method}`,
+        `Verify: ${verifyUrl}`,
+    ].filter(Boolean);
+    const text = textParts.join(' - ');
+    return { twitter, markdown, text };
+}
+/**
+ * Create a complete badge object for API responses
+ */
+export function createBadgeResponse(method, solveTimeMs) {
+    const payload = {
+        method,
+        solveTimeMs,
+        verifiedAt: Date.now(),
+    };
+    const id = generateBadge(payload);
+    const share = generateShareText(id, payload);
+    return {
+        id,
+        verifyUrl: `${BASE_URL}/badge/${id}`,
+        share,
+        imageUrl: `${BASE_URL}/badge/${id}/image`,
+        meta: {
+            method,
+            solveTimeMs,
+            verifiedAt: new Date(payload.verifiedAt).toISOString(),
+        },
+    };
+}

package/dist/src/utils/signature.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Verify a Web Bot Auth signature
+ *
+ * Expected headers:
+ * - Signature-Agent: https://provider.com/.well-known/http-message-signatures-directory
+ * - Signature: <signature-params>
+ * - Signature-Input: <signature-input>
+ */
+export declare function verifyWebBotAuth(headers: Record<string, string | string[] | undefined>, method: string, path: string, body?: string): Promise<{
+    valid: boolean;
+    agent?: string;
+    provider?: string;
+    error?: string;
+}>;
+export declare const TRUSTED_PROVIDERS: string[];
+export declare function isTrustedProvider(url: string): boolean;
+declare const _default: {
+    verifyWebBotAuth: typeof verifyWebBotAuth;
+    isTrustedProvider: typeof isTrustedProvider;
+    TRUSTED_PROVIDERS: string[];
+};
+export default _default;
+//# sourceMappingURL=signature.d.ts.map

package/dist/src/utils/signature.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signature.d.ts","sourceRoot":"","sources":["../../../src/utils/signature.ts"],"names":[],"mappings":"AAgBA;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,EACtD,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0DhF;AAyGD,eAAO,MAAM,iBAAiB,UAO7B,CAAC;AAEF,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAOtD;;;;;;AAED,wBAA0E"}

package/dist/src/utils/signature.js

@@ -0,0 +1,160 @@
+import crypto from 'crypto';
+// Cache for fetched public keys
+const keyCache = new Map();
+const CACHE_TTL = 3600000; // 1 hour
+/**
+ * Verify a Web Bot Auth signature
+ *
+ * Expected headers:
+ * - Signature-Agent: https://provider.com/.well-known/http-message-signatures-directory
+ * - Signature: <signature-params>
+ * - Signature-Input: <signature-input>
+ */
+export async function verifyWebBotAuth(headers, method, path, body) {
+    const signatureAgent = headers['signature-agent'];
+    const signature = headers['signature'];
+    const signatureInput = headers['signature-input'];
+    if (!signatureAgent) {
+        return { valid: false, error: 'Missing Signature-Agent header' };
+    }
+    if (!signature || !signatureInput) {
+        return { valid: false, error: 'Missing Signature or Signature-Input header' };
+    }
+    try {
+        // Fetch the agent's public key directory
+        const directory = await fetchAgentDirectory(signatureAgent);
+        if (!directory) {
+            return { valid: false, error: 'Could not fetch agent directory' };
+        }
+        // Parse signature input to get key ID and covered components
+        const parsed = parseSignatureInput(signatureInput);
+        if (!parsed) {
+            return { valid: false, error: 'Invalid Signature-Input format' };
+        }
+        // Find the matching key
+        const key = directory.keys.find(k => k.id === parsed.keyId);
+        if (!key) {
+            return { valid: false, error: `Key ${parsed.keyId} not found in directory` };
+        }
+        // Reconstruct the signature base
+        const signatureBase = buildSignatureBase(headers, method, path, parsed.coveredComponents, signatureInput);
+        // Verify the signature
+        const isValid = verifySignature(signatureBase, signature, key.publicKey, key.algorithm);
+        if (isValid) {
+            return {
+                valid: true,
+                agent: directory.agent,
+                provider: directory.provider,
+            };
+        }
+        else {
+            return { valid: false, error: 'Signature verification failed' };
+        }
+    }
+    catch (err) {
+        return { valid: false, error: `Verification error: ${err}` };
+    }
+}
+async function fetchAgentDirectory(url) {
+    // Check cache first
+    const cached = keyCache.get(url);
+    if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+        return cached.keys;
+    }
+    try {
+        const response = await fetch(url, {
+            headers: { 'Accept': 'application/json' },
+        });
+        if (!response.ok) {
+            console.error(`Failed to fetch agent directory: ${response.status}`);
+            return null;
+        }
+        const directory = await response.json();
+        keyCache.set(url, { keys: directory, fetchedAt: Date.now() });
+        return directory;
+    }
+    catch (err) {
+        console.error(`Error fetching agent directory:`, err);
+        return null;
+    }
+}
+function parseSignatureInput(input) {
+    // Simplified parser for: sig1=("@method" "@path" "content-type");keyid="key-1";alg="ecdsa-p256-sha256"
+    try {
+        const match = input.match(/sig\d+=\(([^)]+)\).*keyid="([^"]+)"/);
+        if (!match)
+            return null;
+        const components = match[1].split(' ').map(c => c.replace(/"/g, ''));
+        const keyId = match[2];
+        return { keyId, coveredComponents: components };
+    }
+    catch {
+        return null;
+    }
+}
+function buildSignatureBase(headers, method, path, components, signatureInput) {
+    const lines = [];
+    for (const component of components) {
+        if (component === '@method') {
+            lines.push(`"@method": ${method.toUpperCase()}`);
+        }
+        else if (component === '@path') {
+            lines.push(`"@path": ${path}`);
+        }
+        else if (component === '@authority') {
+            lines.push(`"@authority": ${headers['host'] || ''}`);
+        }
+        else {
+            // Regular header
+            const value = headers[component.toLowerCase()];
+            if (value) {
+                lines.push(`"${component.toLowerCase()}": ${value}`);
+            }
+        }
+    }
+    lines.push(`"@signature-params": ${signatureInput}`);
+    return lines.join('\n');
+}
+function verifySignature(signatureBase, signature, publicKey, algorithm) {
+    try {
+        // Decode base64 signature
+        const sigBuffer = Buffer.from(signature.replace(/^sig\d+=:/, '').replace(/:$/, ''), 'base64');
+        // Create verifier based on algorithm
+        let verifyAlg;
+        if (algorithm.includes('ecdsa')) {
+            verifyAlg = 'sha256';
+        }
+        else if (algorithm.includes('rsa')) {
+            verifyAlg = 'RSA-SHA256';
+        }
+        else {
+            verifyAlg = 'sha256';
+        }
+        const verify = crypto.createVerify(verifyAlg);
+        verify.update(signatureBase);
+        return verify.verify(publicKey, sigBuffer);
+    }
+    catch (err) {
+        console.error('Signature verification error:', err);
+        return false;
+    }
+}
+// Known trusted providers (allowlist)
+export const TRUSTED_PROVIDERS = [
+    'anthropic.com',
+    'openai.com',
+    'api.anthropic.com',
+    'api.openai.com',
+    'bedrock.amazonaws.com',
+    'openclaw.ai',
+];
+export function isTrustedProvider(url) {
+    try {
+        const hostname = new URL(url).hostname;
+        return TRUSTED_PROVIDERS.some(p => hostname.endsWith(p));
+    }
+    catch {
+        return false;
+    }
+}
+export default { verifyWebBotAuth, isTrustedProvider, TRUSTED_PROVIDERS };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dupecom/botcha",
-  "version": "0.13.0",
+  "version": "0.14.0",
   "description": "Prove you're a bot. Humans need not apply. Reverse CAPTCHA for AI-only APIs.",
   "workspaces": [
     "packages/*"
@@ -16,10 +16,15 @@
     "./client": {
       "import": "./dist/lib/client/index.js",
       "types": "./dist/lib/client/index.d.ts"
+    },
+    "./middleware": {
+      "import": "./dist/src/middleware/tap-enhanced-verify.js",
+      "types": "./dist/src/middleware/tap-enhanced-verify.d.ts"
     }
   },
   "files": [
     "dist/lib",
+    "dist/src",
     "README.md",
     "LICENSE"
   ],