@dupecom/botcha 0.15.1 → 0.16.0

package/README.md

@@ -13,6 +13,7 @@
 
 [![npm version](https://img.shields.io/npm/v/@dupecom/botcha?color=00d4ff)](https://www.npmjs.com/package/@dupecom/botcha)
 [![PyPI version](https://img.shields.io/pypi/v/botcha?color=00d4ff)](https://pypi.org/project/botcha/)
+<!-- test-count -->[![Tests](https://img.shields.io/badge/tests-772%20passing-brightgreen)](./tests/)<!-- /test-count -->
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![AI Agents Only](https://img.shields.io/badge/contributors-AI%20agents%20only-ff6b6b)](./.github/CONTRIBUTING.md)
 
@@ -362,14 +363,20 @@ curl -X POST "https://botcha.ai/v1/agents/register?app_id=app_abc123" \
 
 ## 🔏 Trusted Agent Protocol (TAP)
 
-BOTCHA v0.12.0 introduces the **Trusted Agent Protocol** — enterprise-grade cryptographic agent authentication using HTTP Message Signatures (RFC 9421).
+BOTCHA v0.16.0 implements the **complete Visa Trusted Agent Protocol** — enterprise-grade cryptographic agent authentication using HTTP Message Signatures (RFC 9421) with full Layer 2 (Consumer Recognition) and Layer 3 (Payment Container) support.
 
 ### Why TAP?
 
 - **Cryptographic Identity**: Agents register public keys and sign requests — no more shared secrets
+- **RFC 9421 Full Compliance**: Ed25519 (Visa recommended), ECDSA P-256, RSA-PSS with `@authority`, `@path`, `expires`, `nonce`, `tag` support
+- **Consumer Recognition (Layer 2)**: OIDC ID tokens with obfuscated consumer identity, contextual data
+- **Payment Container (Layer 3)**: Card metadata, credential hash verification, encrypted payment payloads, Browsing IOUs
 - **Capability Scoping**: Define exactly what an agent can do (`read:invoices`, `write:transfers`)
 - **Intent Verification**: Every session requires a declared intent that's validated against capabilities
 - **Trust Levels**: `basic`, `verified`, `enterprise` — different access tiers for different agents
+- **JWKS Infrastructure**: `/.well-known/jwks` for key discovery, Visa key federation
+- **402 Micropayments**: Invoice creation and Browsing IOU verification for gated content
+- **CDN Edge Verify**: Drop-in Cloudflare Workers middleware for merchant sites
 
 ### Registering a TAP Agent
 
@@ -417,6 +424,15 @@ curl -X POST https://botcha.ai/v1/sessions/tap \
 | `GET /v1/agents/tap` | List TAP-enabled agents for app |
 | `POST /v1/sessions/tap` | Create TAP session with intent validation |
 | `GET /v1/sessions/:id/tap` | Get TAP session info |
+| `GET /.well-known/jwks` | JWK Set for app's TAP agents (Visa spec standard) |
+| `GET /v1/keys` | List keys (supports ?keyID= for Visa compat) |
+| `GET /v1/keys/:keyId` | Get specific key by ID |
+| `POST /v1/agents/:id/tap/rotate-key` | Rotate agent's key pair |
+| `POST /v1/invoices` | Create invoice for gated content (402 flow) |
+| `GET /v1/invoices/:id` | Get invoice details |
+| `POST /v1/invoices/:id/verify-iou` | Verify Browsing IOU against invoice |
+| `POST /v1/verify/consumer` | Verify Agentic Consumer object (Layer 2) |
+| `POST /v1/verify/payment` | Verify Agentic Payment Container (Layer 3) |
 
 ### TAP SDK Methods
 
@@ -441,6 +457,16 @@ const session = await client.createTAPSession({
   user_context: 'user-hash',
   intent: { action: 'browse', resource: 'products', duration: 3600 },
 });
+
+// Get JWKS for key discovery
+const jwks = await client.getJWKS();
+
+// Rotate agent key
+await client.rotateAgentKey(agent.agent_id);
+
+// 402 Micropayment flow
+const invoice = await client.createInvoice({ amount: 100, description: 'Premium content' });
+await client.verifyBrowsingIOU(invoice.id, iouToken);
 ```
 
 **Python:**
@@ -461,6 +487,16 @@ async with BotchaClient(app_id="app_abc123") as client:
         user_context="user-hash",
         intent={"action": "browse", "resource": "products", "duration": 3600},
     )
+    
+    # Get JWKS for key discovery
+    jwks = await client.get_jwks()
+    
+    # Rotate agent key
+    await client.rotate_agent_key(agent.agent_id)
+    
+    # 402 Micropayment flow
+    invoice = await client.create_invoice({"amount": 100, "description": "Premium content"})
+    await client.verify_browsing_iou(invoice.id, iou_token)
 ```
 
 ### Express Middleware (Verification Modes)
@@ -478,7 +514,7 @@ app.use('/api', createTAPVerifyMiddleware({ mode: 'flexible', secret: process.en
 app.use('/api', createTAPVerifyMiddleware({ mode: 'challenge-only', secret: process.env.BOTCHA_SECRET }));
 ```
 
-> **Supported algorithms:** `ecdsa-p256-sha256`, `rsa-pss-sha256`. See [ROADMAP.md](./ROADMAP.md) for details.
+> **Supported algorithms:** `ed25519` (Visa recommended), `ecdsa-p256-sha256`, `rsa-pss-sha256`. See [ROADMAP.md](./ROADMAP.md) for details.
 
 ## 🔄 SSE Streaming Flow (AI-Native)
 
@@ -557,7 +593,7 @@ BOTCHA is designed to be auto-discoverable by AI agents through multiple standar
 All responses include these headers for agent discovery:
 
 ```http
-X-Botcha-Version: 0.15.0
+X-Botcha-Version: 0.16.0
 X-Botcha-Enabled: true
 X-Botcha-Methods: hybrid-challenge,speed-challenge,reasoning-challenge,standard-challenge
 X-Botcha-Docs: https://botcha.ai/openapi.json

package/dist/lib/client/index.d.ts

@@ -1,5 +1,5 @@
-export type { SpeedProblem, BotchaClientOptions, ChallengeResponse, StandardChallengeResponse, VerifyResponse, TokenResponse, StreamSession, StreamEvent, Problem, VerifyResult, StreamChallengeOptions, CreateAppResponse, VerifyEmailResponse, ResendVerificationResponse, RecoverAccountResponse, RotateSecretResponse, TAPAction, TAPTrustLevel, TAPSignatureAlgorithm, TAPCapability, TAPIntent, RegisterTAPAgentOptions, TAPAgentResponse, TAPAgentListResponse, CreateTAPSessionOptions, TAPSessionResponse, } from './types.js';
-import type { BotchaClientOptions, VerifyResponse, CreateAppResponse, VerifyEmailResponse, ResendVerificationResponse, RecoverAccountResponse, RotateSecretResponse, RegisterTAPAgentOptions, TAPAgentResponse, TAPAgentListResponse, CreateTAPSessionOptions, TAPSessionResponse } from './types.js';
+export type { SpeedProblem, BotchaClientOptions, ChallengeResponse, StandardChallengeResponse, VerifyResponse, TokenResponse, StreamSession, StreamEvent, Problem, VerifyResult, StreamChallengeOptions, CreateAppResponse, VerifyEmailResponse, ResendVerificationResponse, RecoverAccountResponse, RotateSecretResponse, TAPAction, TAPTrustLevel, TAPSignatureAlgorithm, TAPCapability, TAPIntent, RegisterTAPAgentOptions, TAPAgentResponse, TAPAgentListResponse, CreateTAPSessionOptions, TAPSessionResponse, JWK, JWKSet, CreateInvoiceOptions, InvoiceResponse, BrowsingIOU, VerifyIOUResponse, } from './types.js';
+import type { BotchaClientOptions, VerifyResponse, CreateAppResponse, VerifyEmailResponse, ResendVerificationResponse, RecoverAccountResponse, RotateSecretResponse, RegisterTAPAgentOptions, TAPAgentResponse, TAPAgentListResponse, CreateTAPSessionOptions, TAPSessionResponse, TAPSignatureAlgorithm, JWK, JWKSet, CreateInvoiceOptions, InvoiceResponse, BrowsingIOU, VerifyIOUResponse } from './types.js';
 export { BotchaStreamClient } from './stream.js';
 /**
  * BOTCHA Client SDK for AI Agents
@@ -216,6 +216,122 @@ export declare class BotchaClient {
      * @throws Error if session not found or expired
      */
     getTAPSession(sessionId: string): Promise<TAPSessionResponse>;
+    /**
+     * Helper method for making authenticated requests to the BOTCHA API
+     */
+    private request;
+    /**
+     * Get the JWK Set for an app's TAP agents.
+     * Fetches from /.well-known/jwks endpoint.
+     *
+     * @param appId - Optional app ID (uses client's appId if not specified)
+     * @returns JWK Set with keys array
+     * @throws Error if request fails
+     *
+     * @example
+     * ```typescript
+     * const jwks = await client.getJWKS();
+     * console.log(jwks.keys); // Array of JWK objects
+     * ```
+     */
+    getJWKS(appId?: string): Promise<JWKSet>;
+    /**
+     * Get a specific public key by key ID.
+     *
+     * @param keyId - The key identifier (agent_id)
+     * @returns JWK object with key data
+     * @throws Error if key not found
+     *
+     * @example
+     * ```typescript
+     * const key = await client.getKeyById('agent_abc123');
+     * console.log(key.kid, key.alg);
+     * ```
+     */
+    getKeyById(keyId: string): Promise<JWK>;
+    /**
+     * Rotate an agent's key pair.
+     *
+     * @param agentId - The agent ID
+     * @param options - Key rotation options including public_key and signature_algorithm
+     * @returns Updated agent response
+     * @throws Error if rotation fails
+     *
+     * @example
+     * ```typescript
+     * const agent = await client.rotateAgentKey('agent_abc123', {
+     *   public_key: '-----BEGIN PUBLIC KEY-----...',
+     *   signature_algorithm: 'ecdsa-p256-sha256',
+     *   key_expires_at: '2027-01-01T00:00:00Z',
+     * });
+     * ```
+     */
+    rotateAgentKey(agentId: string, options: {
+        public_key: string;
+        signature_algorithm: TAPSignatureAlgorithm;
+        key_expires_at?: string;
+    }): Promise<TAPAgentResponse>;
+    /**
+     * Create an invoice for gated content (402 micropayment flow).
+     *
+     * @param options - Invoice options including resource_uri, amount, currency, card_acceptor_id
+     * @returns Invoice details with invoice_id
+     * @throws Error if creation fails
+     *
+     * @example
+     * ```typescript
+     * const invoice = await client.createInvoice({
+     *   resource_uri: 'https://example.com/premium-content',
+     *   amount: '500',
+     *   currency: 'USD',
+     *   card_acceptor_id: 'CAID_ABC123',
+     *   description: 'Premium article access',
+     *   ttl_seconds: 3600,
+     * });
+     * console.log(invoice.invoice_id);
+     * ```
+     */
+    createInvoice(options: CreateInvoiceOptions): Promise<InvoiceResponse>;
+    /**
+     * Get an invoice by ID.
+     *
+     * @param invoiceId - The invoice ID
+     * @returns Invoice details including status and expiry
+     * @throws Error if invoice not found
+     *
+     * @example
+     * ```typescript
+     * const invoice = await client.getInvoice('inv_abc123');
+     * console.log(invoice.status, invoice.amount);
+     * ```
+     */
+    getInvoice(invoiceId: string): Promise<InvoiceResponse>;
+    /**
+     * Verify a Browsing IOU against an invoice.
+     *
+     * @param invoiceId - The invoice ID to verify against
+     * @param iou - The Browsing IOU object with signature
+     * @returns Verification result with access_token if successful
+     * @throws Error if verification fails
+     *
+     * @example
+     * ```typescript
+     * const result = await client.verifyBrowsingIOU('inv_abc123', {
+     *   invoiceId: 'inv_abc123',
+     *   amount: '500',
+     *   cardAcceptorId: 'CAID_ABC123',
+     *   acquirerId: 'ACQ_XYZ',
+     *   uri: 'https://example.com/premium-content',
+     *   sequenceCounter: '1',
+     *   paymentService: 'agent-pay',
+     *   kid: 'agent_def456',
+     *   alg: 'ES256',
+     *   signature: 'base64-signature...',
+     * });
+     * console.log(result.verified, result.access_token);
+     * ```
+     */
+    verifyBrowsingIOU(invoiceId: string, iou: BrowsingIOU): Promise<VerifyIOUResponse>;
 }
 /**
  * Convenience function for one-off solves

package/dist/lib/client/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/client/index.ts"],"names":[],"mappings":"AAMA,YAAY,EACV,YAAY,EACZ,mBAAmB,EACnB,iBAAiB,EACjB,yBAAyB,EACzB,cAAc,EACd,aAAa,EACb,aAAa,EACb,WAAW,EACX,OAAO,EACP,YAAY,EACZ,sBAAsB,EACtB,iBAAiB,EACjB,mBAAmB,EACnB,0BAA0B,EAC1B,sBAAsB,EACtB,oBAAoB,EACpB,SAAS,EACT,aAAa,EACb,qBAAqB,EACrB,aAAa,EACb,SAAS,EACT,uBAAuB,EACvB,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,EACvB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAEpB,OAAO,KAAK,EAEV,mBAAmB,EAGnB,cAAc,EAEd,iBAAiB,EACjB,mBAAmB,EACnB,0BAA0B,EAC1B,sBAAsB,EACtB,oBAAoB,EACpB,uBAAuB,EACvB,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,EACvB,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD;;;;;;;;;;;;;;GAcG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,KAAK,CAAC,CAAS;IACvB,OAAO,CAAC,IAAI,CAAsB;IAClC,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,cAAc,CAAuB;gBAEjC,OAAO,GAAE,mBAAwB;IAS7C;;;;;OAKG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE;IAMnC;;;;;;;OAOG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IA2FjC;;;;;;OAMG;IACG,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAkCrC;;OAEG;IACH,UAAU,IAAI,IAAI;IAMlB;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA+BlE;;OAEG;IACG,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,cAAc,CAAC;IAsBpE;;;;;;;;;OASG;IACG,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IA2F/D;;;;;;;;OAQG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAoBtD;;;;;;;;;;;;;;;;OAgBG;IACG,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IA2B1D;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAyB7E;;;;;;OAMG;IACG,kBAAkB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAwB7E;;;;;;;;;OASG;IACG,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAoBpE;;;;;;;;;;;;;OAaG;IACG,YAAY,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAkCjE;;;;;;;;;;;;;;;;;;OAkBG;IACG,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA8BnF;;;;;;OAMG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAe7D;;;;;;OAMG;IACG,aAAa,CAAC,OAAO,GAAE,OAAe,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA6B5E;;;;;;;;;;;;;;;;OAgBG;IACG,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAoBrF;;;;;;OAMG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;CAcpE;AAED;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAIxD;AAED,eAAe,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/client/index.ts"],"names":[],"mappings":"AAMA,YAAY,EACV,YAAY,EACZ,mBAAmB,EACnB,iBAAiB,EACjB,yBAAyB,EACzB,cAAc,EACd,aAAa,EACb,aAAa,EACb,WAAW,EACX,OAAO,EACP,YAAY,EACZ,sBAAsB,EACtB,iBAAiB,EACjB,mBAAmB,EACnB,0BAA0B,EAC1B,sBAAsB,EACtB,oBAAoB,EACpB,SAAS,EACT,aAAa,EACb,qBAAqB,EACrB,aAAa,EACb,SAAS,EACT,uBAAuB,EACvB,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,EACvB,kBAAkB,EAClB,GAAG,EACH,MAAM,EACN,oBAAoB,EACpB,eAAe,EACf,WAAW,EACX,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,KAAK,EAEV,mBAAmB,EAGnB,cAAc,EAEd,iBAAiB,EACjB,mBAAmB,EACnB,0BAA0B,EAC1B,sBAAsB,EACtB,oBAAoB,EACpB,uBAAuB,EACvB,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,EACvB,kBAAkB,EAClB,qBAAqB,EACrB,GAAG,EACH,MAAM,EACN,oBAAoB,EACpB,eAAe,EACf,WAAW,EACX,iBAAiB,EAClB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD;;;;;;;;;;;;;;GAcG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,KAAK,CAAC,CAAS;IACvB,OAAO,CAAC,IAAI,CAAsB;IAClC,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,cAAc,CAAuB;gBAEjC,OAAO,GAAE,mBAAwB;IAS7C;;;;;OAKG;IACH,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE;IAMnC;;;;;;;OAOG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IA2FjC;;;;;;OAMG;IACG,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAkCrC;;OAEG;IACH,UAAU,IAAI,IAAI;IAMlB;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA+BlE;;OAEG;IACG,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,cAAc,CAAC;IAsBpE;;;;;;;;;OASG;IACG,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IA2F/D;;;;;;;;OAQG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAoBtD;;;;;;;;;;;;;;;;OAgBG;IACG,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IA2B1D;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAyB7E;;;;;;OAMG;IACG,kBAAkB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAwB7E;;;;;;;;;OASG;IACG,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAoBpE;;;;;;;;;;;;;OAaG;IACG,YAAY,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAkCjE;;;;;;;;;;;;;;;;;;OAkBG;IACG,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA8BnF;;;;;;OAMG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAe7D;;;;;;OAMG;IACG,aAAa,CAAC,OAAO,GAAE,OAAe,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA6B5E;;;;;;;;;;;;;;;;OAgBG;IACG,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAoBrF;;;;;;OAMG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAenE;;OAEG;YACW,OAAO;IA+BrB;;;;;;;;;;;;;OAaG;IACG,OAAO,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK9C;;;;;;;;;;;;OAYG;IACG,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAI7C;;;;;;;;;;;;;;;;OAgBG;IACG,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE;QAC7C,UAAU,EAAE,MAAM,CAAC;QACnB,mBAAmB,EAAE,qBAAqB,CAAC;QAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAM7B;;;;;;;;;;;;;;;;;;;OAmBG;IACG,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,eAAe,CAAC;IAI5E;;;;;;;;;;;;OAYG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAI7D;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,iBAAiB,CAAC;CAGzF;AAED;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAIxD;AAED,eAAe,YAAY,CAAC"}

package/dist/lib/client/index.js

@@ -1,6 +1,6 @@
 import crypto from 'crypto';
 // SDK version - hardcoded since npm_package_version is unreliable when used as a library
-const SDK_VERSION = '0.13.1';
+const SDK_VERSION = '0.16.0';
 // Export stream client
 export { BotchaStreamClient } from './stream.js';
 /**
@@ -629,6 +629,153 @@ export class BotchaClient {
         }
         return await res.json();
     }
+    /**
+     * Helper method for making authenticated requests to the BOTCHA API
+     */
+    async request(method, path, body) {
+        const headers = {
+            'User-Agent': this.agentIdentity,
+        };
+        if (body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+        }
+        if (this.cachedToken) {
+            headers['Authorization'] = `Bearer ${this.cachedToken}`;
+        }
+        const res = await fetch(`${this.baseUrl}${path}`, {
+            method,
+            headers,
+            body: body !== undefined ? JSON.stringify(body) : undefined,
+        });
+        if (!res.ok) {
+            const errorBody = await res.json().catch(() => ({}));
+            throw new Error(errorBody.message || `Request failed with status ${res.status}`);
+        }
+        return await res.json();
+    }
+    // ============ JWKS & KEY MANAGEMENT ============
+    /**
+     * Get the JWK Set for an app's TAP agents.
+     * Fetches from /.well-known/jwks endpoint.
+     *
+     * @param appId - Optional app ID (uses client's appId if not specified)
+     * @returns JWK Set with keys array
+     * @throws Error if request fails
+     *
+     * @example
+     * ```typescript
+     * const jwks = await client.getJWKS();
+     * console.log(jwks.keys); // Array of JWK objects
+     * ```
+     */
+    async getJWKS(appId) {
+        const params = appId ? `?app_id=${encodeURIComponent(appId)}` : this.appId ? `?app_id=${encodeURIComponent(this.appId)}` : '';
+        return await this.request('GET', `/.well-known/jwks${params}`);
+    }
+    /**
+     * Get a specific public key by key ID.
+     *
+     * @param keyId - The key identifier (agent_id)
+     * @returns JWK object with key data
+     * @throws Error if key not found
+     *
+     * @example
+     * ```typescript
+     * const key = await client.getKeyById('agent_abc123');
+     * console.log(key.kid, key.alg);
+     * ```
+     */
+    async getKeyById(keyId) {
+        return await this.request('GET', `/v1/keys/${encodeURIComponent(keyId)}`);
+    }
+    /**
+     * Rotate an agent's key pair.
+     *
+     * @param agentId - The agent ID
+     * @param options - Key rotation options including public_key and signature_algorithm
+     * @returns Updated agent response
+     * @throws Error if rotation fails
+     *
+     * @example
+     * ```typescript
+     * const agent = await client.rotateAgentKey('agent_abc123', {
+     *   public_key: '-----BEGIN PUBLIC KEY-----...',
+     *   signature_algorithm: 'ecdsa-p256-sha256',
+     *   key_expires_at: '2027-01-01T00:00:00Z',
+     * });
+     * ```
+     */
+    async rotateAgentKey(agentId, options) {
+        return await this.request('POST', `/v1/agents/${encodeURIComponent(agentId)}/tap/rotate-key`, options);
+    }
+    // ============ INVOICE & PAYMENT (402 Flow) ============
+    /**
+     * Create an invoice for gated content (402 micropayment flow).
+     *
+     * @param options - Invoice options including resource_uri, amount, currency, card_acceptor_id
+     * @returns Invoice details with invoice_id
+     * @throws Error if creation fails
+     *
+     * @example
+     * ```typescript
+     * const invoice = await client.createInvoice({
+     *   resource_uri: 'https://example.com/premium-content',
+     *   amount: '500',
+     *   currency: 'USD',
+     *   card_acceptor_id: 'CAID_ABC123',
+     *   description: 'Premium article access',
+     *   ttl_seconds: 3600,
+     * });
+     * console.log(invoice.invoice_id);
+     * ```
+     */
+    async createInvoice(options) {
+        return await this.request('POST', '/v1/invoices', options);
+    }
+    /**
+     * Get an invoice by ID.
+     *
+     * @param invoiceId - The invoice ID
+     * @returns Invoice details including status and expiry
+     * @throws Error if invoice not found
+     *
+     * @example
+     * ```typescript
+     * const invoice = await client.getInvoice('inv_abc123');
+     * console.log(invoice.status, invoice.amount);
+     * ```
+     */
+    async getInvoice(invoiceId) {
+        return await this.request('GET', `/v1/invoices/${encodeURIComponent(invoiceId)}`);
+    }
+    /**
+     * Verify a Browsing IOU against an invoice.
+     *
+     * @param invoiceId - The invoice ID to verify against
+     * @param iou - The Browsing IOU object with signature
+     * @returns Verification result with access_token if successful
+     * @throws Error if verification fails
+     *
+     * @example
+     * ```typescript
+     * const result = await client.verifyBrowsingIOU('inv_abc123', {
+     *   invoiceId: 'inv_abc123',
+     *   amount: '500',
+     *   cardAcceptorId: 'CAID_ABC123',
+     *   acquirerId: 'ACQ_XYZ',
+     *   uri: 'https://example.com/premium-content',
+     *   sequenceCounter: '1',
+     *   paymentService: 'agent-pay',
+     *   kid: 'agent_def456',
+     *   alg: 'ES256',
+     *   signature: 'base64-signature...',
+     * });
+     * console.log(result.verified, result.access_token);
+     * ```
+     */
+    async verifyBrowsingIOU(invoiceId, iou) {
+        return await this.request('POST', `/v1/invoices/${encodeURIComponent(invoiceId)}/verify-iou`, iou);
+    }
 }
 /**
  * Convenience function for one-off solves

package/dist/lib/client/types.d.ts

@@ -133,7 +133,8 @@ export interface RotateSecretResponse {
 }
 export type TAPAction = 'browse' | 'compare' | 'purchase' | 'audit' | 'search';
 export type TAPTrustLevel = 'basic' | 'verified' | 'enterprise';
-export type TAPSignatureAlgorithm = 'ecdsa-p256-sha256' | 'rsa-pss-sha256';
+export type TAPSignatureAlgorithm = 'ecdsa-p256-sha256' | 'rsa-pss-sha256' | 'ed25519';
+export type TAPTag = 'agent-browser-auth' | 'agent-payer-auth';
 export interface TAPCapability {
     action: TAPAction;
     scope?: string[];
@@ -158,6 +159,7 @@ export interface RegisterTAPAgentOptions {
     capabilities?: TAPCapability[];
     trust_level?: TAPTrustLevel;
     issuer?: string;
+    key_expires_at?: string;
 }
 export interface TAPAgentResponse {
     success: boolean;
@@ -175,6 +177,7 @@ export interface TAPAgentResponse {
     has_public_key: boolean;
     key_fingerprint?: string;
     last_verified_at?: string | null;
+    key_expires_at?: string | null;
     public_key?: string;
 }
 export interface TAPAgentListResponse {
@@ -199,4 +202,109 @@ export interface TAPSessionResponse {
     expires_at: string;
     time_remaining?: number;
 }
+export interface JWK {
+    kty: string;
+    kid: string;
+    use: string;
+    alg: string;
+    n?: string;
+    e?: string;
+    crv?: string;
+    x?: string;
+    y?: string;
+    agent_id?: string;
+    agent_name?: string;
+    expires_at?: string;
+}
+export interface JWKSet {
+    keys: JWK[];
+}
+export interface ContextualData {
+    countryCode?: string;
+    zip?: string;
+    ipAddress?: string;
+    deviceData?: Record<string, any>;
+}
+export interface IDTokenClaims {
+    iss: string;
+    sub: string;
+    aud: string | string[];
+    exp: number;
+    iat: number;
+    jti?: string;
+    auth_time?: number;
+    amr?: string[];
+    phone_number?: string;
+    phone_number_verified?: boolean;
+    phone_number_mask?: string;
+    email?: string;
+    email_verified?: boolean;
+    email_mask?: string;
+}
+export interface AgenticConsumerResult {
+    verified: boolean;
+    nonceLinked: boolean;
+    signatureValid: boolean;
+    idTokenValid?: boolean;
+    idTokenClaims?: IDTokenClaims;
+    contextualData?: ContextualData;
+    error?: string;
+}
+export interface CardMetadata {
+    lastFour: string;
+    paymentAccountReference: string;
+    shortDescription?: string;
+    cardData?: Array<{
+        contentType: string;
+        content: {
+            mimeType: string;
+            width: number;
+            height: number;
+        };
+    }>;
+}
+export interface CredentialHash {
+    hash: string;
+    algorithm: string;
+}
+export interface BrowsingIOU {
+    invoiceId: string;
+    amount: string;
+    cardAcceptorId: string;
+    acquirerId: string;
+    uri: string;
+    sequenceCounter: string;
+    paymentService: string;
+    kid: string;
+    alg: string;
+    signature: string;
+}
+export interface CreateInvoiceOptions {
+    resource_uri: string;
+    amount: string;
+    currency: string;
+    card_acceptor_id: string;
+    description?: string;
+    ttl_seconds?: number;
+}
+export interface InvoiceResponse {
+    success: boolean;
+    invoice_id: string;
+    app_id: string;
+    resource_uri: string;
+    amount: string;
+    currency: string;
+    card_acceptor_id: string;
+    description?: string;
+    created_at: string;
+    expires_at: string;
+    status: 'pending' | 'fulfilled' | 'expired';
+}
+export interface VerifyIOUResponse {
+    success: boolean;
+    verified: boolean;
+    access_token?: string;
+    expires_at?: string;
+    error?: string;
+}
 //# sourceMappingURL=types.d.ts.map

package/dist/lib/client/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../lib/client/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAExE,MAAM,WAAW,mBAAmB;IAClC,8DAA8D;IAC9D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,0CAA0C;IAC1C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6CAA6C;IAC7C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,YAAY,EAAE,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,YAAY,EAAE,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IACF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AAEH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,OAAO,GAAG,aAAa,GAAG,WAAW,GAAG,QAAQ,GAAG,OAAO,CAAC;IAClE,IAAI,EAAE,GAAG,CAAC;CACX;AAED,MAAM,WAAW,OAAO;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,sBAAsB;IACrC,wCAAwC;IACxC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC1C,0DAA0D;IAC1D,WAAW,CAAC,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC;IACpE,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,YAAY,KAAK,IAAI,CAAC;IAC1C,8EAA8E;IAC9E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,0BAA0B;IACzC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,OAAO,GAAG,QAAQ,CAAC;AAC/E,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;AAChE,MAAM,MAAM,qBAAqB,GAAG,mBAAmB,GAAG,gBAAgB,CAAC;AAE3E,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,qBAAqB,CAAC;IAC5C,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,aAAa,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,aAAa,CAAC;IAC5B,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,mBAAmB,CAAC,EAAE,qBAAqB,CAAC;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../lib/client/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAExE,MAAM,WAAW,mBAAmB;IAClC,8DAA8D;IAC9D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,0CAA0C;IAC1C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6CAA6C;IAC7C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,YAAY,EAAE,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE;QACV,EAAE,EAAE,MAAM,CAAC;QACX,QAAQ,EAAE,YAAY,EAAE,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IACF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AAEH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,OAAO,GAAG,aAAa,GAAG,WAAW,GAAG,QAAQ,GAAG,OAAO,CAAC;IAClE,IAAI,EAAE,GAAG,CAAC;CACX;AAED,MAAM,WAAW,OAAO;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,sBAAsB;IACrC,wCAAwC;IACxC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC1C,0DAA0D;IAC1D,WAAW,CAAC,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC;IACpE,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,YAAY,KAAK,IAAI,CAAC;IAC1C,8EAA8E;IAC9E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,0BAA0B;IACzC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,OAAO,GAAG,QAAQ,CAAC;AAC/E,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,UAAU,GAAG,YAAY,CAAC;AAChE,MAAM,MAAM,qBAAqB,GAAG,mBAAmB,GAAG,gBAAgB,GAAG,SAAS,CAAC;AACvF,MAAM,MAAM,MAAM,GAAG,oBAAoB,GAAG,kBAAkB,CAAC;AAE/D,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,SAAS,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mBAAmB,CAAC,EAAE,qBAAqB,CAAC;IAC5C,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,WAAW,CAAC,EAAE,aAAa,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,aAAa,CAAC;IAC5B,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,mBAAmB,CAAC,EAAE,qBAAqB,CAAC;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,aAAa,EAAE,CAAC;IAC/B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAID,MAAM,WAAW,GAAG;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAID,MAAM,WAAW,cAAc;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,OAAO,CAAC;IACrB,cAAc,EAAE,OAAO,CAAC;IACxB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,uBAAuB,EAAE,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,WAAW,EAAE,MAAM,CAAC;QACpB,OAAO,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC;KAC9D,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,SAAS,CAAC;CAC7C;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB"}

package/dist/src/middleware/tap-enhanced-verify.js

@@ -24,7 +24,7 @@ const defaultTAPOptions = {
     auditLogging: false,
     trustedIssuers: ['openclaw.ai', 'anthropic.com', 'openai.com'],
     maxSessionDuration: 3600,
-    signatureAlgorithms: ['ecdsa-p256-sha256', 'rsa-pss-sha256'],
+    signatureAlgorithms: ['ecdsa-p256-sha256', 'rsa-pss-sha256', 'ed25519'],
     requireCapabilities: []
 };
 // ============ MAIN MIDDLEWARE ============

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dupecom/botcha",
-  "version": "0.15.1",
+  "version": "0.16.0",
   "description": "Prove you're a bot. Humans need not apply. Reverse CAPTCHA for AI-only APIs.",
   "workspaces": [
     "packages/*"

package/dist/src/index.d.ts

@@ -1,4 +0,0 @@
-import { Express } from 'express';
-declare const app: Express;
-export default app;
-//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAgB,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAc3C,QAAA,MAAM,GAAG,EAAE,OAAmB,CAAC;AA2b/B,eAAe,GAAG,CAAC"}

package/dist/src/index.js

@@ -1,408 +0,0 @@
-// Local development server - Production runs on Cloudflare Workers
-import express from 'express';
-import crypto from 'crypto';
-import path from 'path';
-import { fileURLToPath } from 'url';
-import { botchaVerify } from './middleware/verify.js';
-import { generateChallenge, verifyChallenge } from './challenges/compute.js';
-import { generateSpeedChallenge, verifySpeedChallenge } from './challenges/speed.js';
-import { generateReasoningChallenge, verifyReasoningChallenge } from './challenges/reasoning.js';
-import { generateHybridChallenge, verifyHybridChallenge } from './challenges/hybrid.js';
-import { TRUSTED_PROVIDERS } from './utils/signature.js';
-import { createBadgeResponse, verifyBadge } from './utils/badge.js';
-import { generateBadgeSvg, generateBadgeHtml } from './utils/badge-image.js';
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const app = express();
-const PORT = process.env.PORT || 3000;
-app.use(express.json());
-app.use(express.static(path.join(__dirname, '../public')));
-// CORS + BOTCHA headers
-app.use((req, res, next) => {
-    res.header('Access-Control-Allow-Origin', '*');
-    res.header('Access-Control-Allow-Headers', '*');
-    // BOTCHA discovery headers
-    res.header('X-Botcha-Version', '0.3.0');
-    res.header('X-Botcha-Enabled', 'true');
-    res.header('X-Botcha-Methods', 'speed-challenge,reasoning-challenge,hybrid-challenge,standard-challenge,web-bot-auth');
-    res.header('X-Botcha-Docs', 'https://botcha.ai/openapi.json');
-    if (req.method === 'OPTIONS')
-        return res.sendStatus(200);
-    next();
-});
-// Landing page
-app.get('/', (req, res) => {
-    res.sendFile(path.join(__dirname, '../public/index.html'));
-});
-// API info
-app.get('/api', (req, res) => {
-    res.json({
-        name: 'BOTCHA',
-        version: '0.3.0',
-        tagline: 'Prove you are a bot. Humans need not apply.',
-        endpoints: {
-            '/api': 'This info',
-            '/api/challenge': 'Standard challenge (GET new, POST verify)',
-            '/api/speed-challenge': '⚡ Speed challenge - 500ms to solve 5 problems',
-            '/api/reasoning-challenge': '🧠 Reasoning challenge - LLM-only questions',
-            '/api/hybrid-challenge': '🔥 Hybrid challenge - speed + reasoning combined',
-            '/agent-only': 'Protected endpoint',
-        },
-        verification: {
-            methods: [
-                'Web Bot Auth (cryptographic signature)',
-                'Hybrid Challenge (speed + reasoning)',
-                'Speed Challenge (500ms time limit)',
-                'Reasoning Challenge (LLM-only questions)',
-                'Standard Challenge (5s time limit)',
-                'X-Agent-Identity header (testing)',
-            ],
-            trustedProviders: TRUSTED_PROVIDERS,
-        },
-        discovery: {
-            openapi: 'https://botcha.ai/openapi.json',
-            aiPlugin: 'https://botcha.ai/.well-known/ai-plugin.json',
-            aiTxt: 'https://botcha.ai/ai.txt',
-            robotsTxt: 'https://botcha.ai/robots.txt',
-            npm: 'https://www.npmjs.com/package/@dupecom/botcha',
-            github: 'https://github.com/dupe-com/botcha',
-        },
-    });
-});
-// Standard challenge
-app.get('/api/challenge', (req, res) => {
-    const difficulty = req.query.difficulty || 'medium';
-    const challenge = generateChallenge(difficulty);
-    res.json({ success: true, challenge });
-});
-app.post('/api/challenge', (req, res) => {
-    const { id, answer } = req.body;
-    if (!id || !answer) {
-        return res.status(400).json({ success: false, error: 'Missing id or answer' });
-    }
-    const result = verifyChallenge(id, answer);
-    res.json({
-        success: result.valid,
-        message: result.valid ? '✅ Challenge passed!' : `❌ ${result.reason}`,
-        solveTime: result.timeMs,
-    });
-});
-// ⚡ SPEED CHALLENGE - The human killer
-app.get('/api/speed-challenge', (req, res) => {
-    const challenge = generateSpeedChallenge();
-    res.json({
-        success: true,
-        warning: '⚡ SPEED CHALLENGE: You have 500ms to solve ALL 5 problems!',
-        challenge: {
-            id: challenge.id,
-            problems: challenge.challenges,
-            timeLimit: `${challenge.timeLimit}ms`,
-            instructions: challenge.instructions,
-        },
-        tip: 'Humans cannot copy-paste fast enough. Only real AI agents can pass.',
-    });
-});
-app.post('/api/speed-challenge', (req, res) => {
-    const { id, answers } = req.body;
-    if (!id || !answers) {
-        return res.status(400).json({ success: false, error: 'Missing id or answers array' });
-    }
-    const result = verifySpeedChallenge(id, answers);
-    const response = {
-        success: result.valid,
-        message: result.valid
-            ? `⚡ SPEED TEST PASSED in ${result.solveTimeMs}ms! You are definitely an AI.`
-            : `❌ ${result.reason}`,
-        solveTimeMs: result.solveTimeMs,
-        verdict: result.valid ? '🤖 VERIFIED AI AGENT' : '🚫 LIKELY HUMAN (too slow)',
-    };
-    // Include badge for successful verifications
-    if (result.valid) {
-        response.badge = createBadgeResponse('speed-challenge', result.solveTimeMs);
-    }
-    res.json(response);
-});
-// 🧠 REASONING CHALLENGE - LLM-only questions
-app.get('/api/reasoning-challenge', (req, res) => {
-    const challenge = generateReasoningChallenge();
-    res.json({
-        success: true,
-        warning: '🧠 REASONING CHALLENGE: Answer 3 questions that require AI reasoning!',
-        challenge: {
-            id: challenge.id,
-            questions: challenge.questions,
-            timeLimit: `${challenge.timeLimit / 1000}s`,
-            instructions: challenge.instructions,
-        },
-        tip: 'These questions require reasoning that LLMs can do, but simple scripts cannot.',
-    });
-});
-app.post('/api/reasoning-challenge', (req, res) => {
-    const { id, answers } = req.body;
-    if (!id || !answers) {
-        return res.status(400).json({
-            success: false,
-            error: 'Missing id or answers object',
-            hint: 'answers should be an object like { "question-id": "your answer", ... }',
-        });
-    }
-    const result = verifyReasoningChallenge(id, answers);
-    const response = {
-        success: result.valid,
-        message: result.valid
-            ? `🧠 REASONING TEST PASSED in ${((result.solveTimeMs || 0) / 1000).toFixed(1)}s! You can think like an AI.`
-            : `❌ ${result.reason}`,
-        solveTimeMs: result.solveTimeMs,
-        score: result.valid ? `${result.correctCount}/${result.totalCount}` : undefined,
-        verdict: result.valid ? '🤖 VERIFIED AI AGENT (reasoning confirmed)' : '🚫 FAILED REASONING TEST',
-    };
-    // Include badge for successful verifications
-    if (result.valid) {
-        response.badge = createBadgeResponse('reasoning-challenge', result.solveTimeMs);
-    }
-    res.json(response);
-});
-// 🔥 HYBRID CHALLENGE - Speed + Reasoning combined
-app.get('/api/hybrid-challenge', (req, res) => {
-    const challenge = generateHybridChallenge();
-    res.json({
-        success: true,
-        warning: '🔥 HYBRID CHALLENGE: Solve speed problems in <500ms AND answer reasoning questions!',
-        challenge: {
-            id: challenge.id,
-            speed: {
-                problems: challenge.speed.problems,
-                timeLimit: `${challenge.speed.timeLimit}ms`,
-                instructions: 'Compute SHA256 of each number, return first 8 hex chars',
-            },
-            reasoning: {
-                questions: challenge.reasoning.questions,
-                timeLimit: `${challenge.reasoning.timeLimit / 1000}s`,
-                instructions: 'Answer all reasoning questions',
-            },
-        },
-        instructions: challenge.instructions,
-        tip: 'This is the ultimate test: proves you can compute AND reason like an AI.',
-    });
-});
-app.post('/api/hybrid-challenge', (req, res) => {
-    const { id, speed_answers, reasoning_answers } = req.body;
-    if (!id || !speed_answers || !reasoning_answers) {
-        return res.status(400).json({
-            success: false,
-            error: 'Missing id, speed_answers array, or reasoning_answers object',
-            hint: 'Submit both speed_answers (array) and reasoning_answers (object) together',
-        });
-    }
-    const result = verifyHybridChallenge(id, speed_answers, reasoning_answers);
-    const response = {
-        success: result.valid,
-        message: result.valid
-            ? `🔥 HYBRID TEST PASSED! Speed: ${result.speed.solveTimeMs}ms, Reasoning: ${result.reasoning.score}`
-            : `❌ ${result.reason}`,
-        speed: result.speed,
-        reasoning: result.reasoning,
-        totalTimeMs: result.totalTimeMs,
-        verdict: result.valid
-            ? '🤖 VERIFIED AI AGENT (speed + reasoning confirmed)'
-            : '🚫 FAILED HYBRID TEST',
-    };
-    if (result.valid) {
-        response.badge = createBadgeResponse('hybrid-challenge', result.totalTimeMs);
-    }
-    res.json(response);
-});
-// 🤖 LANDING PAGE CHALLENGE - For bots that discover the embedded challenge
-const landingTokens = new Map(); // token -> expiry timestamp
-app.post('/api/verify-landing', (req, res) => {
-    const { answer, timestamp } = req.body;
-    if (!answer || !timestamp) {
-        return res.status(400).json({
-            success: false,
-            error: 'Missing answer or timestamp',
-            hint: 'Parse the challenge from <script type="application/botcha+json"> on the landing page'
-        });
-    }
-    // Verify timestamp is recent (within 5 minutes)
-    const submittedTime = new Date(timestamp).getTime();
-    const now = Date.now();
-    if (Math.abs(now - submittedTime) > 5 * 60 * 1000) {
-        return res.status(400).json({ success: false, error: 'Timestamp too old or in future' });
-    }
-    // Calculate expected answer for today
-    const today = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
-    const expectedHash = crypto
-        .createHash('sha256')
-        .update(`BOTCHA-LANDING-${today}`)
-        .digest('hex')
-        .substring(0, 16);
-    if (answer.toLowerCase() !== expectedHash.toLowerCase()) {
-        return res.status(403).json({
-            success: false,
-            error: 'Incorrect answer',
-            hint: `Expected SHA256('BOTCHA-LANDING-${today}') first 16 chars`
-        });
-    }
-    // Generate a token for accessing /agent-only
-    const token = crypto.randomBytes(32).toString('hex');
-    landingTokens.set(token, Date.now() + 60 * 60 * 1000); // Valid for 1 hour
-    // Clean up expired tokens
-    for (const [t, expiry] of landingTokens) {
-        if (expiry < Date.now())
-            landingTokens.delete(t);
-    }
-    res.json({
-        success: true,
-        message: '🤖 Landing challenge solved! You are a bot.',
-        token,
-        usage: {
-            header: 'X-Botcha-Landing-Token',
-            value: token,
-            expires_in: '1 hour',
-            use_with: '/agent-only'
-        },
-        badge: createBadgeResponse('landing-challenge'),
-    });
-});
-// ========================================
-// BADGE VERIFICATION ENDPOINTS
-// ========================================
-// HTML verification page
-app.get('/badge/:id', (req, res) => {
-    const badgeId = req.params.id;
-    const payload = verifyBadge(badgeId);
-    if (!payload) {
-        return res.status(404).send(`
-      <!DOCTYPE html>
-      <html>
-      <head><title>Invalid Badge</title></head>
-      <body style="font-family: system-ui; background: #0f0f23; color: #e5e7eb; display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0;">
-        <div style="text-align: center;">
-          <h1 style="color: #ef4444;">Invalid Badge</h1>
-          <p>This badge token is invalid or has been tampered with.</p>
-          <a href="https://botcha.ai" style="color: #f59e0b;">Back to BOTCHA</a>
-        </div>
-      </body>
-      </html>
-    `);
-    }
-    res.setHeader('Content-Type', 'text/html');
-    res.send(generateBadgeHtml(payload, badgeId));
-});
-// SVG badge image
-app.get('/badge/:id/image', (req, res) => {
-    const badgeId = req.params.id;
-    const payload = verifyBadge(badgeId);
-    if (!payload) {
-        // Return a simple error SVG
-        res.setHeader('Content-Type', 'image/svg+xml');
-        res.setHeader('Cache-Control', 'no-cache');
-        return res.send(`<svg xmlns="http://www.w3.org/2000/svg" width="400" height="120" viewBox="0 0 400 120">
-      <rect width="400" height="120" rx="12" fill="#1a1a2e"/>
-      <text x="200" y="65" font-family="system-ui" font-size="16" fill="#ef4444" text-anchor="middle">Invalid Badge</text>
-    </svg>`);
-    }
-    res.setHeader('Content-Type', 'image/svg+xml');
-    res.setHeader('Cache-Control', 'public, max-age=31536000'); // Cache for 1 year (badges are immutable)
-    res.send(generateBadgeSvg(payload));
-});
-// JSON API for badge verification
-app.get('/api/badge/:id', (req, res) => {
-    const badgeId = req.params.id;
-    const payload = verifyBadge(badgeId);
-    if (!payload) {
-        return res.status(404).json({
-            success: false,
-            error: 'Invalid badge',
-            message: 'This badge token is invalid or has been tampered with.',
-        });
-    }
-    res.json({
-        success: true,
-        valid: true,
-        badge: {
-            method: payload.method,
-            solveTimeMs: payload.solveTimeMs,
-            verifiedAt: new Date(payload.verifiedAt).toISOString(),
-        },
-        verifyUrl: `https://botcha.ai/badge/${badgeId}`,
-        imageUrl: `https://botcha.ai/badge/${badgeId}/image`,
-    });
-});
-// Make landing tokens work with the protected endpoint
-app.use('/agent-only', (req, res, next) => {
-    const landingToken = req.headers['x-botcha-landing-token'];
-    if (landingToken && landingTokens.has(landingToken)) {
-        const expiry = landingTokens.get(landingToken);
-        if (expiry > Date.now()) {
-            req.agent = 'landing-challenge-verified';
-            req.verificationMethod = 'landing-token';
-            return next();
-        }
-        landingTokens.delete(landingToken);
-    }
-    next();
-});
-// Protected endpoint
-app.get('/agent-only', (req, res, next) => {
-    // Skip botchaVerify if already authenticated via landing token
-    if (req.verificationMethod === 'landing-token') {
-        return next();
-    }
-    botchaVerify({ challengeType: 'speed' })(req, res, next);
-}, (req, res) => {
-    const method = req.verificationMethod;
-    // Map verification method to badge method
-    let badgeMethod = 'standard-challenge';
-    if (method === 'landing-token') {
-        badgeMethod = 'landing-challenge';
-    }
-    else if (method === 'web-bot-auth') {
-        badgeMethod = 'web-bot-auth';
-    }
-    else if (method === 'speed-challenge' || method === 'speed') {
-        badgeMethod = 'speed-challenge';
-    }
-    res.json({
-        success: true,
-        message: '🤖 Welcome, fellow agent!',
-        verified: true,
-        agent: req.agent,
-        method,
-        timestamp: new Date().toISOString(),
-        secret: 'The humans will never see this. Their fingers are too slow. 🤫',
-        badge: createBadgeResponse(badgeMethod),
-    });
-});
-app.listen(PORT, () => {
-    // Clear console on restart
-    console.clear();
-    const c = '\x1b[36m';
-    const magenta = '\x1b[35m';
-    const yellow = '\x1b[33m';
-    const green = '\x1b[32m';
-    const dim = '\x1b[2m';
-    const r = '\x1b[0m';
-    console.log(`
-${c}╔══════════════════════════════════════════════════════╗${r}
-${c}║${r}                                                      ${c}║${r}
-${c}║${r}  ${magenta}██████╗  ██████╗ ████████╗ ██████╗██╗  ██╗ █████╗${r}   ${c}║${r}
-${c}║${r}  ${magenta}██╔══██╗██╔═══██╗╚══██╔══╝██╔════╝██║  ██║██╔══██╗${r}  ${c}║${r}
-${c}║${r}  ${magenta}██████╔╝██║   ██║   ██║   ██║     ███████║███████║${r}  ${c}║${r}
-${c}║${r}  ${magenta}██╔══██╗██║   ██║   ██║   ██║     ██╔══██║██╔══██║${r}  ${c}║${r}
-${c}║${r}  ${magenta}██████╔╝╚██████╔╝   ██║   ╚██████╗██║  ██║██║  ██║${r}  ${c}║${r}
-${c}║${r}  ${magenta}╚═════╝  ╚═════╝    ╚═╝    ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝${r}  ${c}║${r}
-${c}║${r}                                                      ${c}║${r}
-${c}║${r}  ${dim}Prove you're a bot. Humans need not apply.${r}          ${c}║${r}
-${c}║${r}                                                      ${c}║${r}
-${c}╠══════════════════════════════════════════════════════╣${r}
-${c}║${r}                                                      ${c}║${r}
-${c}║${r}  ${yellow}🤖 Server${r}     ${green}http://localhost:${PORT}${r}                 ${c}║${r}
-${c}║${r}  ${yellow}📚 API${r}        ${dim}/api${r}                                  ${c}║${r}
-${c}║${r}  ${yellow}⚡ Challenge${r}  ${dim}/api/speed-challenge${r}                  ${c}║${r}
-${c}║${r}  ${yellow}🔒 Protected${r}  ${dim}/agent-only${r}                           ${c}║${r}
-${c}║${r}  ${yellow}📖 OpenAPI${r}    ${dim}/openapi.json${r}                         ${c}║${r}
-${c}║${r}                                                      ${c}║${r}
-${c}╚══════════════════════════════════════════════════════╝${r}
-`);
-});
-export default app;