@dupecom/botcha 0.20.0 → 0.20.2

package/README.md

@@ -58,34 +58,45 @@ pip install botcha
 
 ## Quick Start
 
-### TypeScript/JavaScript
+### Protect Your API (Server-Side)
 
 ```typescript
 import express from 'express';
-import { botcha } from '@dupecom/botcha';
+import { botchaVerify } from '@dupecom/botcha-verify/express';
 
 const app = express();
 
-// Protect any route - only AI agents can access
-app.get('/agent-only', botcha.verify(), (req, res) => {
-  res.json({ message: 'Welcome, fellow AI! 🤖' });
+// Verify tokens via JWKS - no shared secret needed!
+app.use('/api', botchaVerify({
+  jwksUrl: 'https://botcha.ai/.well-known/jwks',
+}));
+
+app.get('/api/data', (req, res) => {
+  res.json({ message: 'Welcome, verified AI agent! 🤖' });
 });
 
 app.listen(3000);
 ```
 
-### Python
+### Access Protected APIs (Agent-Side)
+
+```typescript
+import { BotchaClient } from '@dupecom/botcha/client';
 
+const client = new BotchaClient();
+
+// Automatically solves challenges and includes tokens
+const response = await client.fetch('https://api.example.com/api/data');
+const data = await response.json();
+```
+
+**Python:**
 ```python
-from botcha import BotchaClient, solve_botcha
+from botcha import BotchaClient
 
-# Client SDK for AI agents
 async with BotchaClient() as client:
-    # Get verification token
-    token = await client.get_token()
-    
-    # Or auto-solve and fetch protected endpoints
-    response = await client.fetch("https://api.example.com/agent-only")
+    # Automatically solves challenges and includes tokens
+    response = await client.fetch("https://api.example.com/api/data")
     data = await response.json()
 ```
 
@@ -925,7 +936,7 @@ You can use the library freely, report issues, and discuss features. To contribu
 
 ## Server-Side Verification (for API Providers)
 
-If you're building an API that accepts BOTCHA tokens from agents, use the verification SDKs. **BOTCHA v0.19.0+ signs tokens with ES256 (asymmetric)** — no shared secret needed.
+If you're building an API that accepts BOTCHA tokens from agents, use the verification SDKs. **BOTCHA signs tokens with ES256 (asymmetric)** — verify them using the public JWKS endpoint. No shared secret needed.
 
 ### JWKS Verification (Recommended)
 

package/dist/lib/client/index.js

@@ -1,6 +1,6 @@
 import crypto from 'crypto';
 // SDK version - hardcoded since npm_package_version is unreliable when used as a library
-const SDK_VERSION = '0.20.0';
+const SDK_VERSION = '0.20.2';
 // Export stream client
 export { BotchaStreamClient } from './stream.js';
 /**

package/dist/src/middleware/tap-enhanced-verify.d.ts

@@ -25,6 +25,7 @@ export interface TAPBotchaOptions {
     requireCapabilities?: string[];
     agentsKV?: any;
     sessionsKV?: any;
+    noncesKV?: any;
 }
 /**
  * Enhanced BOTCHA middleware with TAP support

package/dist/src/middleware/tap-enhanced-verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tap-enhanced-verify.d.ts","sourceRoot":"","sources":["../../../src/middleware/tap-enhanced-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAoB1D,MAAM,WAAW,gBAAgB;IAE/B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC;IACrC,mBAAmB,CAAC,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IACjD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAGlD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IAGvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAG/B,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,UAAU,CAAC,EAAE,GAAG,CAAC;CAClB;AAsBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,IAGhD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAqE9D;AA8SD,eAAO,MAAM,cAAc;IACzB;;OAEG;uBACe,OAAO,CAAC,gBAAgB,CAAC,WAvXxB,OAAO,OAAO,QAAQ,QAAQ,YAAY;IA8X7D;;OAEG;yBACiB,OAAO,CAAC,gBAAgB,CAAC,WAjY1B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAwY7D;;OAEG;8BACsB,OAAO,CAAC,gBAAgB,CAAC,WA3Y/B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAkZ7D;;OAEG;4BACoB,OAAO,CAAC,gBAAgB,CAAC,WArZ7B,OAAO,OAAO,QAAQ,QAAQ,YAAY;CA4Z9D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,yBAAyB,0BAAoB,CAAC;AAE3D,eAAe,iBAAiB,CAAC"}
+{"version":3,"file":"tap-enhanced-verify.d.ts","sourceRoot":"","sources":["../../../src/middleware/tap-enhanced-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAoB1D,MAAM,WAAW,gBAAgB;IAE/B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC;IACrC,mBAAmB,CAAC,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IACjD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAGlD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IAGvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAG/B,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,UAAU,CAAC,EAAE,GAAG,CAAC;IACjB,QAAQ,CAAC,EAAE,GAAG,CAAC;CAChB;AAsBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,IAGhD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAqE9D;AAgTD,eAAO,MAAM,cAAc;IACzB;;OAEG;uBACe,OAAO,CAAC,gBAAgB,CAAC,WAzXxB,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAgY7D;;OAEG;yBACiB,OAAO,CAAC,gBAAgB,CAAC,WAnY1B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IA0Y7D;;OAEG;8BACsB,OAAO,CAAC,gBAAgB,CAAC,WA7Y/B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAoZ7D;;OAEG;4BACoB,OAAO,CAAC,gBAAgB,CAAC,WAvZ7B,OAAO,OAAO,QAAQ,QAAQ,YAAY;CA8Z9D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,yBAAyB,0BAAoB,CAAC;AAE3D,eAAe,iBAAiB,CAAC"}

package/dist/src/middleware/tap-enhanced-verify.js

@@ -122,7 +122,7 @@ async function performFullTAPVerification(req, opts) {
     }
     const agent = agentResult.agent;
     // Verify cryptographic signature
-    const cryptoResult = await verifyCryptographicSignature(req, agent);
+    const cryptoResult = await verifyCryptographicSignature(req, agent, opts);
     // Verify computational challenge
     const challengeResult = await verifyComputationalChallenge(req);
     // Both must pass for full TAP
@@ -183,7 +183,7 @@ async function performSignatureOnlyVerification(req, opts) {
         };
     }
     // Verify signature
-    const cryptoResult = await verifyCryptographicSignature(req, agentResult.agent);
+    const cryptoResult = await verifyCryptographicSignature(req, agentResult.agent, opts);
     return {
         verified: cryptoResult.valid,
         agent_id: agentResult.agent.agent_id,
@@ -240,7 +240,7 @@ async function handleVerificationFallback(req, opts, mode) {
     };
 }
 // ============ HELPER FUNCTIONS ============
-async function verifyCryptographicSignature(req, agent) {
+async function verifyCryptographicSignature(req, agent, opts) {
     if (!agent.public_key || !agent.signature_algorithm) {
         return { valid: false, error: 'Agent has no cryptographic key configured' };
     }
@@ -250,7 +250,7 @@ async function verifyCryptographicSignature(req, agent) {
         headers: req.headers,
         body: typeof req.body === 'string' ? req.body : JSON.stringify(req.body)
     };
-    return await verifyHTTPMessageSignature(verificationRequest, agent.public_key, agent.signature_algorithm);
+    return await verifyHTTPMessageSignature(verificationRequest, agent.public_key, agent.signature_algorithm, opts.noncesKV || null);
 }
 async function verifyComputationalChallenge(req) {
     const challengeId = req.headers['x-botcha-challenge-id'];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dupecom/botcha",
-  "version": "0.20.0",
+  "version": "0.20.2",
   "description": "Prove you're a bot. Humans need not apply. Reverse CAPTCHA for AI-only APIs.",
   "workspaces": [
     "packages/*"