@dupecom/botcha 0.20.0 → 0.20.1

package/README.md

@@ -58,34 +58,45 @@ pip install botcha
 
 ## Quick Start
 
-### TypeScript/JavaScript
+### Protect Your API (Server-Side)
 
 ```typescript
 import express from 'express';
-import { botcha } from '@dupecom/botcha';
+import { botchaVerify } from '@dupecom/botcha-verify/express';
 
 const app = express();
 
-// Protect any route - only AI agents can access
-app.get('/agent-only', botcha.verify(), (req, res) => {
-  res.json({ message: 'Welcome, fellow AI! 🤖' });
+// Verify tokens via JWKS - no shared secret needed!
+app.use('/api', botchaVerify({
+  jwksUrl: 'https://botcha.ai/.well-known/jwks',
+}));
+
+app.get('/api/data', (req, res) => {
+  res.json({ message: 'Welcome, verified AI agent! 🤖' });
 });
 
 app.listen(3000);
 ```
 
-### Python
+### Access Protected APIs (Agent-Side)
+
+```typescript
+import { BotchaClient } from '@dupecom/botcha/client';
 
+const client = new BotchaClient();
+
+// Automatically solves challenges and includes tokens
+const response = await client.fetch('https://api.example.com/api/data');
+const data = await response.json();
+```
+
+**Python:**
 ```python
-from botcha import BotchaClient, solve_botcha
+from botcha import BotchaClient
 
-# Client SDK for AI agents
 async with BotchaClient() as client:
-    # Get verification token
-    token = await client.get_token()
-    
-    # Or auto-solve and fetch protected endpoints
-    response = await client.fetch("https://api.example.com/agent-only")
+    # Automatically solves challenges and includes tokens
+    response = await client.fetch("https://api.example.com/api/data")
     data = await response.json()
 ```
 
@@ -925,7 +936,7 @@ You can use the library freely, report issues, and discuss features. To contribu
 
 ## Server-Side Verification (for API Providers)
 
-If you're building an API that accepts BOTCHA tokens from agents, use the verification SDKs. **BOTCHA v0.19.0+ signs tokens with ES256 (asymmetric)** — no shared secret needed.
+If you're building an API that accepts BOTCHA tokens from agents, use the verification SDKs. **BOTCHA signs tokens with ES256 (asymmetric)** — verify them using the public JWKS endpoint. No shared secret needed.
 
 ### JWKS Verification (Recommended)
 

package/dist/lib/client/index.js

@@ -1,6 +1,6 @@
 import crypto from 'crypto';
 // SDK version - hardcoded since npm_package_version is unreliable when used as a library
-const SDK_VERSION = '0.20.0';
+const SDK_VERSION = '0.20.1';
 // Export stream client
 export { BotchaStreamClient } from './stream.js';
 /**

package/dist/src/middleware/tap-enhanced-verify.d.ts

@@ -25,6 +25,7 @@ export interface TAPBotchaOptions {
     requireCapabilities?: string[];
     agentsKV?: any;
     sessionsKV?: any;
+    noncesKV?: any;
 }
 /**
  * Enhanced BOTCHA middleware with TAP support

package/dist/src/middleware/tap-enhanced-verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tap-enhanced-verify.d.ts","sourceRoot":"","sources":["../../../src/middleware/tap-enhanced-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAoB1D,MAAM,WAAW,gBAAgB;IAE/B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC;IACrC,mBAAmB,CAAC,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IACjD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAGlD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IAGvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAG/B,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,UAAU,CAAC,EAAE,GAAG,CAAC;CAClB;AAsBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,IAGhD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAqE9D;AA8SD,eAAO,MAAM,cAAc;IACzB;;OAEG;uBACe,OAAO,CAAC,gBAAgB,CAAC,WAvXxB,OAAO,OAAO,QAAQ,QAAQ,YAAY;IA8X7D;;OAEG;yBACiB,OAAO,CAAC,gBAAgB,CAAC,WAjY1B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAwY7D;;OAEG;8BACsB,OAAO,CAAC,gBAAgB,CAAC,WA3Y/B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAkZ7D;;OAEG;4BACoB,OAAO,CAAC,gBAAgB,CAAC,WArZ7B,OAAO,OAAO,QAAQ,QAAQ,YAAY;CA4Z9D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,yBAAyB,0BAAoB,CAAC;AAE3D,eAAe,iBAAiB,CAAC"}
+{"version":3,"file":"tap-enhanced-verify.d.ts","sourceRoot":"","sources":["../../../src/middleware/tap-enhanced-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAoB1D,MAAM,WAAW,gBAAgB;IAE/B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC;IACrC,mBAAmB,CAAC,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IACjD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAGlD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IAGvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAG/B,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,UAAU,CAAC,EAAE,GAAG,CAAC;IACjB,QAAQ,CAAC,EAAE,GAAG,CAAC;CAChB;AAsBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,IAGhD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAqE9D;AAgTD,eAAO,MAAM,cAAc;IACzB;;OAEG;uBACe,OAAO,CAAC,gBAAgB,CAAC,WAzXxB,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAgY7D;;OAEG;yBACiB,OAAO,CAAC,gBAAgB,CAAC,WAnY1B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IA0Y7D;;OAEG;8BACsB,OAAO,CAAC,gBAAgB,CAAC,WA7Y/B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAoZ7D;;OAEG;4BACoB,OAAO,CAAC,gBAAgB,CAAC,WAvZ7B,OAAO,OAAO,QAAQ,QAAQ,YAAY;CA8Z9D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,yBAAyB,0BAAoB,CAAC;AAE3D,eAAe,iBAAiB,CAAC"}

package/dist/src/middleware/tap-enhanced-verify.js

@@ -122,7 +122,7 @@ async function performFullTAPVerification(req, opts) {
     }
     const agent = agentResult.agent;
     // Verify cryptographic signature
-    const cryptoResult = await verifyCryptographicSignature(req, agent);
+    const cryptoResult = await verifyCryptographicSignature(req, agent, opts);
     // Verify computational challenge
     const challengeResult = await verifyComputationalChallenge(req);
     // Both must pass for full TAP
@@ -183,7 +183,7 @@ async function performSignatureOnlyVerification(req, opts) {
         };
     }
     // Verify signature
-    const cryptoResult = await verifyCryptographicSignature(req, agentResult.agent);
+    const cryptoResult = await verifyCryptographicSignature(req, agentResult.agent, opts);
     return {
         verified: cryptoResult.valid,
         agent_id: agentResult.agent.agent_id,
@@ -240,7 +240,7 @@ async function handleVerificationFallback(req, opts, mode) {
     };
 }
 // ============ HELPER FUNCTIONS ============
-async function verifyCryptographicSignature(req, agent) {
+async function verifyCryptographicSignature(req, agent, opts) {
     if (!agent.public_key || !agent.signature_algorithm) {
         return { valid: false, error: 'Agent has no cryptographic key configured' };
     }
@@ -250,7 +250,7 @@ async function verifyCryptographicSignature(req, agent) {
         headers: req.headers,
         body: typeof req.body === 'string' ? req.body : JSON.stringify(req.body)
     };
-    return await verifyHTTPMessageSignature(verificationRequest, agent.public_key, agent.signature_algorithm);
+    return await verifyHTTPMessageSignature(verificationRequest, agent.public_key, agent.signature_algorithm, opts.noncesKV || null);
 }
 async function verifyComputationalChallenge(req) {
     const challengeId = req.headers['x-botcha-challenge-id'];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dupecom/botcha",
-  "version": "0.20.0",
+  "version": "0.20.1",
   "description": "Prove you're a bot. Humans need not apply. Reverse CAPTCHA for AI-only APIs.",
   "workspaces": [
     "packages/*"

package/dist/src/index.d.ts

@@ -1,4 +0,0 @@
-import { Express } from 'express';
-declare const app: Express;
-export default app;
-//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAgB,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAc3C,QAAA,MAAM,GAAG,EAAE,OAAmB,CAAC;AA2b/B,eAAe,GAAG,CAAC"}

package/dist/src/index.js

@@ -1,408 +0,0 @@
-// Local development server - Production runs on Cloudflare Workers
-import express from 'express';
-import crypto from 'crypto';
-import path from 'path';
-import { fileURLToPath } from 'url';
-import { botchaVerify } from './middleware/verify.js';
-import { generateChallenge, verifyChallenge } from './challenges/compute.js';
-import { generateSpeedChallenge, verifySpeedChallenge } from './challenges/speed.js';
-import { generateReasoningChallenge, verifyReasoningChallenge } from './challenges/reasoning.js';
-import { generateHybridChallenge, verifyHybridChallenge } from './challenges/hybrid.js';
-import { TRUSTED_PROVIDERS } from './utils/signature.js';
-import { createBadgeResponse, verifyBadge } from './utils/badge.js';
-import { generateBadgeSvg, generateBadgeHtml } from './utils/badge-image.js';
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const app = express();
-const PORT = process.env.PORT || 3000;
-app.use(express.json());
-app.use(express.static(path.join(__dirname, '../public')));
-// CORS + BOTCHA headers
-app.use((req, res, next) => {
-    res.header('Access-Control-Allow-Origin', '*');
-    res.header('Access-Control-Allow-Headers', '*');
-    // BOTCHA discovery headers
-    res.header('X-Botcha-Version', '0.3.0');
-    res.header('X-Botcha-Enabled', 'true');
-    res.header('X-Botcha-Methods', 'speed-challenge,reasoning-challenge,hybrid-challenge,standard-challenge,web-bot-auth');
-    res.header('X-Botcha-Docs', 'https://botcha.ai/openapi.json');
-    if (req.method === 'OPTIONS')
-        return res.sendStatus(200);
-    next();
-});
-// Landing page
-app.get('/', (req, res) => {
-    res.sendFile(path.join(__dirname, '../public/index.html'));
-});
-// API info
-app.get('/api', (req, res) => {
-    res.json({
-        name: 'BOTCHA',
-        version: '0.3.0',
-        tagline: 'Prove you are a bot. Humans need not apply.',
-        endpoints: {
-            '/api': 'This info',
-            '/api/challenge': 'Standard challenge (GET new, POST verify)',
-            '/api/speed-challenge': '⚡ Speed challenge - 500ms to solve 5 problems',
-            '/api/reasoning-challenge': '🧠 Reasoning challenge - LLM-only questions',
-            '/api/hybrid-challenge': '🔥 Hybrid challenge - speed + reasoning combined',
-            '/agent-only': 'Protected endpoint',
-        },
-        verification: {
-            methods: [
-                'Web Bot Auth (cryptographic signature)',
-                'Hybrid Challenge (speed + reasoning)',
-                'Speed Challenge (500ms time limit)',
-                'Reasoning Challenge (LLM-only questions)',
-                'Standard Challenge (5s time limit)',
-                'X-Agent-Identity header (testing)',
-            ],
-            trustedProviders: TRUSTED_PROVIDERS,
-        },
-        discovery: {
-            openapi: 'https://botcha.ai/openapi.json',
-            aiPlugin: 'https://botcha.ai/.well-known/ai-plugin.json',
-            aiTxt: 'https://botcha.ai/ai.txt',
-            robotsTxt: 'https://botcha.ai/robots.txt',
-            npm: 'https://www.npmjs.com/package/@dupecom/botcha',
-            github: 'https://github.com/dupe-com/botcha',
-        },
-    });
-});
-// Standard challenge
-app.get('/api/challenge', (req, res) => {
-    const difficulty = req.query.difficulty || 'medium';
-    const challenge = generateChallenge(difficulty);
-    res.json({ success: true, challenge });
-});
-app.post('/api/challenge', (req, res) => {
-    const { id, answer } = req.body;
-    if (!id || !answer) {
-        return res.status(400).json({ success: false, error: 'Missing id or answer' });
-    }
-    const result = verifyChallenge(id, answer);
-    res.json({
-        success: result.valid,
-        message: result.valid ? '✅ Challenge passed!' : `❌ ${result.reason}`,
-        solveTime: result.timeMs,
-    });
-});
-// ⚡ SPEED CHALLENGE - The human killer
-app.get('/api/speed-challenge', (req, res) => {
-    const challenge = generateSpeedChallenge();
-    res.json({
-        success: true,
-        warning: '⚡ SPEED CHALLENGE: You have 500ms to solve ALL 5 problems!',
-        challenge: {
-            id: challenge.id,
-            problems: challenge.challenges,
-            timeLimit: `${challenge.timeLimit}ms`,
-            instructions: challenge.instructions,
-        },
-        tip: 'Humans cannot copy-paste fast enough. Only real AI agents can pass.',
-    });
-});
-app.post('/api/speed-challenge', (req, res) => {
-    const { id, answers } = req.body;
-    if (!id || !answers) {
-        return res.status(400).json({ success: false, error: 'Missing id or answers array' });
-    }
-    const result = verifySpeedChallenge(id, answers);
-    const response = {
-        success: result.valid,
-        message: result.valid
-            ? `⚡ SPEED TEST PASSED in ${result.solveTimeMs}ms! You are definitely an AI.`
-            : `❌ ${result.reason}`,
-        solveTimeMs: result.solveTimeMs,
-        verdict: result.valid ? '🤖 VERIFIED AI AGENT' : '🚫 LIKELY HUMAN (too slow)',
-    };
-    // Include badge for successful verifications
-    if (result.valid) {
-        response.badge = createBadgeResponse('speed-challenge', result.solveTimeMs);
-    }
-    res.json(response);
-});
-// 🧠 REASONING CHALLENGE - LLM-only questions
-app.get('/api/reasoning-challenge', (req, res) => {
-    const challenge = generateReasoningChallenge();
-    res.json({
-        success: true,
-        warning: '🧠 REASONING CHALLENGE: Answer 3 questions that require AI reasoning!',
-        challenge: {
-            id: challenge.id,
-            questions: challenge.questions,
-            timeLimit: `${challenge.timeLimit / 1000}s`,
-            instructions: challenge.instructions,
-        },
-        tip: 'These questions require reasoning that LLMs can do, but simple scripts cannot.',
-    });
-});
-app.post('/api/reasoning-challenge', (req, res) => {
-    const { id, answers } = req.body;
-    if (!id || !answers) {
-        return res.status(400).json({
-            success: false,
-            error: 'Missing id or answers object',
-            hint: 'answers should be an object like { "question-id": "your answer", ... }',
-        });
-    }
-    const result = verifyReasoningChallenge(id, answers);
-    const response = {
-        success: result.valid,
-        message: result.valid
-            ? `🧠 REASONING TEST PASSED in ${((result.solveTimeMs || 0) / 1000).toFixed(1)}s! You can think like an AI.`
-            : `❌ ${result.reason}`,
-        solveTimeMs: result.solveTimeMs,
-        score: result.valid ? `${result.correctCount}/${result.totalCount}` : undefined,
-        verdict: result.valid ? '🤖 VERIFIED AI AGENT (reasoning confirmed)' : '🚫 FAILED REASONING TEST',
-    };
-    // Include badge for successful verifications
-    if (result.valid) {
-        response.badge = createBadgeResponse('reasoning-challenge', result.solveTimeMs);
-    }
-    res.json(response);
-});
-// 🔥 HYBRID CHALLENGE - Speed + Reasoning combined
-app.get('/api/hybrid-challenge', (req, res) => {
-    const challenge = generateHybridChallenge();
-    res.json({
-        success: true,
-        warning: '🔥 HYBRID CHALLENGE: Solve speed problems in <500ms AND answer reasoning questions!',
-        challenge: {
-            id: challenge.id,
-            speed: {
-                problems: challenge.speed.problems,
-                timeLimit: `${challenge.speed.timeLimit}ms`,
-                instructions: 'Compute SHA256 of each number, return first 8 hex chars',
-            },
-            reasoning: {
-                questions: challenge.reasoning.questions,
-                timeLimit: `${challenge.reasoning.timeLimit / 1000}s`,
-                instructions: 'Answer all reasoning questions',
-            },
-        },
-        instructions: challenge.instructions,
-        tip: 'This is the ultimate test: proves you can compute AND reason like an AI.',
-    });
-});
-app.post('/api/hybrid-challenge', (req, res) => {
-    const { id, speed_answers, reasoning_answers } = req.body;
-    if (!id || !speed_answers || !reasoning_answers) {
-        return res.status(400).json({
-            success: false,
-            error: 'Missing id, speed_answers array, or reasoning_answers object',
-            hint: 'Submit both speed_answers (array) and reasoning_answers (object) together',
-        });
-    }
-    const result = verifyHybridChallenge(id, speed_answers, reasoning_answers);
-    const response = {
-        success: result.valid,
-        message: result.valid
-            ? `🔥 HYBRID TEST PASSED! Speed: ${result.speed.solveTimeMs}ms, Reasoning: ${result.reasoning.score}`
-            : `❌ ${result.reason}`,
-        speed: result.speed,
-        reasoning: result.reasoning,
-        totalTimeMs: result.totalTimeMs,
-        verdict: result.valid
-            ? '🤖 VERIFIED AI AGENT (speed + reasoning confirmed)'
-            : '🚫 FAILED HYBRID TEST',
-    };
-    if (result.valid) {
-        response.badge = createBadgeResponse('hybrid-challenge', result.totalTimeMs);
-    }
-    res.json(response);
-});
-// 🤖 LANDING PAGE CHALLENGE - For bots that discover the embedded challenge
-const landingTokens = new Map(); // token -> expiry timestamp
-app.post('/api/verify-landing', (req, res) => {
-    const { answer, timestamp } = req.body;
-    if (!answer || !timestamp) {
-        return res.status(400).json({
-            success: false,
-            error: 'Missing answer or timestamp',
-            hint: 'Parse the challenge from <script type="application/botcha+json"> on the landing page'
-        });
-    }
-    // Verify timestamp is recent (within 5 minutes)
-    const submittedTime = new Date(timestamp).getTime();
-    const now = Date.now();
-    if (Math.abs(now - submittedTime) > 5 * 60 * 1000) {
-        return res.status(400).json({ success: false, error: 'Timestamp too old or in future' });
-    }
-    // Calculate expected answer for today
-    const today = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
-    const expectedHash = crypto
-        .createHash('sha256')
-        .update(`BOTCHA-LANDING-${today}`)
-        .digest('hex')
-        .substring(0, 16);
-    if (answer.toLowerCase() !== expectedHash.toLowerCase()) {
-        return res.status(403).json({
-            success: false,
-            error: 'Incorrect answer',
-            hint: `Expected SHA256('BOTCHA-LANDING-${today}') first 16 chars`
-        });
-    }
-    // Generate a token for accessing /agent-only
-    const token = crypto.randomBytes(32).toString('hex');
-    landingTokens.set(token, Date.now() + 60 * 60 * 1000); // Valid for 1 hour
-    // Clean up expired tokens
-    for (const [t, expiry] of landingTokens) {
-        if (expiry < Date.now())
-            landingTokens.delete(t);
-    }
-    res.json({
-        success: true,
-        message: '🤖 Landing challenge solved! You are a bot.',
-        token,
-        usage: {
-            header: 'X-Botcha-Landing-Token',
-            value: token,
-            expires_in: '1 hour',
-            use_with: '/agent-only'
-        },
-        badge: createBadgeResponse('landing-challenge'),
-    });
-});
-// ========================================
-// BADGE VERIFICATION ENDPOINTS
-// ========================================
-// HTML verification page
-app.get('/badge/:id', (req, res) => {
-    const badgeId = req.params.id;
-    const payload = verifyBadge(badgeId);
-    if (!payload) {
-        return res.status(404).send(`
-      <!DOCTYPE html>
-      <html>
-      <head><title>Invalid Badge</title></head>
-      <body style="font-family: system-ui; background: #0f0f23; color: #e5e7eb; display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0;">
-        <div style="text-align: center;">
-          <h1 style="color: #ef4444;">Invalid Badge</h1>
-          <p>This badge token is invalid or has been tampered with.</p>
-          <a href="https://botcha.ai" style="color: #f59e0b;">Back to BOTCHA</a>
-        </div>
-      </body>
-      </html>
-    `);
-    }
-    res.setHeader('Content-Type', 'text/html');
-    res.send(generateBadgeHtml(payload, badgeId));
-});
-// SVG badge image
-app.get('/badge/:id/image', (req, res) => {
-    const badgeId = req.params.id;
-    const payload = verifyBadge(badgeId);
-    if (!payload) {
-        // Return a simple error SVG
-        res.setHeader('Content-Type', 'image/svg+xml');
-        res.setHeader('Cache-Control', 'no-cache');
-        return res.send(`<svg xmlns="http://www.w3.org/2000/svg" width="400" height="120" viewBox="0 0 400 120">
-      <rect width="400" height="120" rx="12" fill="#1a1a2e"/>
-      <text x="200" y="65" font-family="system-ui" font-size="16" fill="#ef4444" text-anchor="middle">Invalid Badge</text>
-    </svg>`);
-    }
-    res.setHeader('Content-Type', 'image/svg+xml');
-    res.setHeader('Cache-Control', 'public, max-age=31536000'); // Cache for 1 year (badges are immutable)
-    res.send(generateBadgeSvg(payload));
-});
-// JSON API for badge verification
-app.get('/api/badge/:id', (req, res) => {
-    const badgeId = req.params.id;
-    const payload = verifyBadge(badgeId);
-    if (!payload) {
-        return res.status(404).json({
-            success: false,
-            error: 'Invalid badge',
-            message: 'This badge token is invalid or has been tampered with.',
-        });
-    }
-    res.json({
-        success: true,
-        valid: true,
-        badge: {
-            method: payload.method,
-            solveTimeMs: payload.solveTimeMs,
-            verifiedAt: new Date(payload.verifiedAt).toISOString(),
-        },
-        verifyUrl: `https://botcha.ai/badge/${badgeId}`,
-        imageUrl: `https://botcha.ai/badge/${badgeId}/image`,
-    });
-});
-// Make landing tokens work with the protected endpoint
-app.use('/agent-only', (req, res, next) => {
-    const landingToken = req.headers['x-botcha-landing-token'];
-    if (landingToken && landingTokens.has(landingToken)) {
-        const expiry = landingTokens.get(landingToken);
-        if (expiry > Date.now()) {
-            req.agent = 'landing-challenge-verified';
-            req.verificationMethod = 'landing-token';
-            return next();
-        }
-        landingTokens.delete(landingToken);
-    }
-    next();
-});
-// Protected endpoint
-app.get('/agent-only', (req, res, next) => {
-    // Skip botchaVerify if already authenticated via landing token
-    if (req.verificationMethod === 'landing-token') {
-        return next();
-    }
-    botchaVerify({ challengeType: 'speed' })(req, res, next);
-}, (req, res) => {
-    const method = req.verificationMethod;
-    // Map verification method to badge method
-    let badgeMethod = 'standard-challenge';
-    if (method === 'landing-token') {
-        badgeMethod = 'landing-challenge';
-    }
-    else if (method === 'web-bot-auth') {
-        badgeMethod = 'web-bot-auth';
-    }
-    else if (method === 'speed-challenge' || method === 'speed') {
-        badgeMethod = 'speed-challenge';
-    }
-    res.json({
-        success: true,
-        message: '🤖 Welcome, fellow agent!',
-        verified: true,
-        agent: req.agent,
-        method,
-        timestamp: new Date().toISOString(),
-        secret: 'The humans will never see this. Their fingers are too slow. 🤫',
-        badge: createBadgeResponse(badgeMethod),
-    });
-});
-app.listen(PORT, () => {
-    // Clear console on restart
-    console.clear();
-    const c = '\x1b[36m';
-    const magenta = '\x1b[35m';
-    const yellow = '\x1b[33m';
-    const green = '\x1b[32m';
-    const dim = '\x1b[2m';
-    const r = '\x1b[0m';
-    console.log(`
-${c}╔══════════════════════════════════════════════════════╗${r}
-${c}║${r}                                                      ${c}║${r}
-${c}║${r}  ${magenta}██████╗  ██████╗ ████████╗ ██████╗██╗  ██╗ █████╗${r}   ${c}║${r}
-${c}║${r}  ${magenta}██╔══██╗██╔═══██╗╚══██╔══╝██╔════╝██║  ██║██╔══██╗${r}  ${c}║${r}
-${c}║${r}  ${magenta}██████╔╝██║   ██║   ██║   ██║     ███████║███████║${r}  ${c}║${r}
-${c}║${r}  ${magenta}██╔══██╗██║   ██║   ██║   ██║     ██╔══██║██╔══██║${r}  ${c}║${r}
-${c}║${r}  ${magenta}██████╔╝╚██████╔╝   ██║   ╚██████╗██║  ██║██║  ██║${r}  ${c}║${r}
-${c}║${r}  ${magenta}╚═════╝  ╚═════╝    ╚═╝    ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝${r}  ${c}║${r}
-${c}║${r}                                                      ${c}║${r}
-${c}║${r}  ${dim}Prove you're a bot. Humans need not apply.${r}          ${c}║${r}
-${c}║${r}                                                      ${c}║${r}
-${c}╠══════════════════════════════════════════════════════╣${r}
-${c}║${r}                                                      ${c}║${r}
-${c}║${r}  ${yellow}🤖 Server${r}     ${green}http://localhost:${PORT}${r}                 ${c}║${r}
-${c}║${r}  ${yellow}📚 API${r}        ${dim}/api${r}                                  ${c}║${r}
-${c}║${r}  ${yellow}⚡ Challenge${r}  ${dim}/api/speed-challenge${r}                  ${c}║${r}
-${c}║${r}  ${yellow}🔒 Protected${r}  ${dim}/agent-only${r}                           ${c}║${r}
-${c}║${r}  ${yellow}📖 OpenAPI${r}    ${dim}/openapi.json${r}                         ${c}║${r}
-${c}║${r}                                                      ${c}║${r}
-${c}╚══════════════════════════════════════════════════════╝${r}
-`);
-});
-export default app;