npm - @kya-os/agentshield-nextjs - Versions diffs - 0.1.41 → 0.1.43 - Mend

@kya-os/agentshield-nextjs 0.1.41 → 0.1.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/dist/.tsbuildinfo +1 -0
package/dist/api-client.d.mts +145 -0
package/dist/api-client.d.ts +145 -0
package/dist/api-client.js +130 -0
package/dist/api-client.js.map +1 -0
package/dist/api-client.mjs +126 -0
package/dist/api-client.mjs.map +1 -0
package/dist/api-middleware.d.mts +118 -0
package/dist/api-middleware.d.ts +118 -0
package/dist/api-middleware.js +295 -0
package/dist/api-middleware.js.map +1 -0
package/dist/api-middleware.mjs +292 -0
package/dist/api-middleware.mjs.map +1 -0
package/dist/create-middleware.d.mts +2 -1
package/dist/create-middleware.d.ts +2 -1
package/dist/create-middleware.js +474 -200
package/dist/create-middleware.js.map +1 -1
package/dist/create-middleware.mjs +454 -200
package/dist/create-middleware.mjs.map +1 -1
package/dist/edge/index.d.mts +110 -0
package/dist/edge/index.d.ts +110 -0
package/dist/edge/index.js +253 -0
package/dist/edge/index.js.map +1 -0
package/dist/edge/index.mjs +251 -0
package/dist/edge/index.mjs.map +1 -0
package/dist/edge-detector-wrapper.d.mts +6 -15
package/dist/edge-detector-wrapper.d.ts +6 -15
package/dist/edge-detector-wrapper.js +314 -95
package/dist/edge-detector-wrapper.js.map +1 -1
package/dist/edge-detector-wrapper.mjs +294 -95
package/dist/edge-detector-wrapper.mjs.map +1 -1
package/dist/edge-runtime-loader.d.mts +1 -1
package/dist/edge-runtime-loader.d.ts +1 -1
package/dist/edge-runtime-loader.js +10 -25
package/dist/edge-runtime-loader.js.map +1 -1
package/dist/edge-runtime-loader.mjs +11 -23
package/dist/edge-runtime-loader.mjs.map +1 -1
package/dist/edge-wasm-middleware.js +2 -1
package/dist/edge-wasm-middleware.js.map +1 -1
package/dist/edge-wasm-middleware.mjs +2 -1
package/dist/edge-wasm-middleware.mjs.map +1 -1
package/dist/enhanced-middleware.d.mts +153 -0
package/dist/enhanced-middleware.d.ts +153 -0
package/dist/enhanced-middleware.js +1074 -0
package/dist/enhanced-middleware.js.map +1 -0
package/dist/enhanced-middleware.mjs +1072 -0
package/dist/enhanced-middleware.mjs.map +1 -0
package/dist/index.d.mts +8 -153
package/dist/index.d.ts +8 -153
package/dist/index.js +821 -233
package/dist/index.js.map +1 -1
package/dist/index.mjs +797 -234
package/dist/index.mjs.map +1 -1
package/dist/middleware.d.mts +2 -1
package/dist/middleware.d.ts +2 -1
package/dist/middleware.js +474 -200
package/dist/middleware.js.map +1 -1
package/dist/middleware.mjs +454 -200
package/dist/middleware.mjs.map +1 -1
package/dist/session-tracker.d.mts +1 -1
package/dist/session-tracker.d.ts +1 -1
package/dist/session-tracker.js.map +1 -1
package/dist/session-tracker.mjs.map +1 -1
package/dist/signature-verifier.d.mts +1 -0
package/dist/signature-verifier.d.ts +1 -0
package/dist/signature-verifier.js +204 -44
package/dist/signature-verifier.js.map +1 -1
package/dist/signature-verifier.mjs +184 -44
package/dist/signature-verifier.mjs.map +1 -1
package/dist/{types-BJTEUa4T.d.mts → types-DVmy9NE3.d.mts} +19 -2
package/dist/{types-BJTEUa4T.d.ts → types-DVmy9NE3.d.ts} +19 -2
package/dist/wasm-middleware.js +15 -6
package/dist/wasm-middleware.js.map +1 -1
package/dist/wasm-middleware.mjs +15 -6
package/dist/wasm-middleware.mjs.map +1 -1
package/package.json +42 -22
package/wasm/agentshield_wasm.js +209 -152
package/wasm/agentshield_wasm_bg.wasm +0 -0
package/wasm/package.json +30 -0

package/dist/session-tracker.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/session-tracker.ts"],"names":[],"mappings":";AAuBO,IAAM,qBAAN,MAAyB;AAAA,EACb,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,UAAA,EAAY,OAAO,UAAA,IAAc,uBAAA;AAAA,MACjC,YAAA,EAAc,OAAO,YAAA,IAAgB,IAAA;AAAA;AAAA,MACrC,aAAA,EACE,MAAA,CAAO,aAAA,IACP,OAAA,CAAQ,IAAI,kBAAA,IACZ;AAAA,KACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,CACJ,QAAA,EACA,QAAA,EACA,MAAA,EACuB;AACvB,IAAA,IAAI;AACF,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,IAAW,CAAC,OAAO,OAAA,EAAS;AAC3C,QAAA,OAAO,QAAA;AAAA,MACT;AAEA,MAAA,MAAM,WAAA,GAA2B;AAAA,QAC/B,EAAA,EAAI,OAAO,UAAA,EAAW;AAAA,QACtB,KAAA,EAAO,MAAA,CAAO,aAAA,EAAe,IAAA,IAAQ,SAAA;AAAA,QACrC,YAAY,MAAA,CAAO,UAAA;AAAA,QACnB,UAAA,EAAY,KAAK,GAAA,EAAI;AAAA,QACrB,SAAS,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,OAAO,YAAA,GAAe;AAAA,OACnD;AAGA,MAAA,MAAM,YAAY,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,CAAU,WAAW,CAAC,CAAA;AAGhE,MAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,MAAA,CAAO,YAAY,SAAA,EAAW;AAAA,QACtD,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,QACjC,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAK,MAAA,CAAO,YAAA;AAAA,QACpB,IAAA,EAAM;AAAA,OACP,CAAA;AAED,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AACA,MAAA,OAAO,QAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,OAAA,EAAmD;AAC7D,IAAA,IAAI;AACF,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,SAAS,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,OAAO,UAAU,CAAA;AACzD,MAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,QAAA,OAAO,IAAA;AAAA,MACT;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,OAAA,CAAQ,OAAO,KAAK,CAAA;AACjD,MAAA,MAAM,OAAA,GAAuB,IAAA,CAAK,KAAA,CAAM,SAAS,CAAA;AAGjD,MAAA,IAAI,OAAA,CAAQ,OAAA,GAAU,IAAA,CAAK,GAAA,EAAI,EAAG;AAChC,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO,OAAA;AAAA,IACT,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AACA,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAA,EAAsC;AAC1C,IAAA,IAAI;AACF,MAAA,QAAA,CAAS,OAAA,CAAQ,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAU,CAAA;AAAA,IAChD,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AAAA,IACF;AACA,IAAA,OAAO,QAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,IAAA,EAA+B;AACnD,IAAA,IAAI;AAGF,MAAA,MAAM,GAAA,GAAM,KAAK,MAAA,CAAO,aAAA;AACxB,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAI,CAAA;AAG7C,MAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAM,CAAA;AAChD,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,CAAQ,QAAQ,CAAA,EAAA,EAAK;AACvC,QAAA,UAAA,CAAW,CAAC,CAAA,GAAA,CAAK,OAAA,CAAQ,CAAC,CAAA,IAAK,KAAK,GAAA,CAAI,UAAA,CAAW,CAAA,GAAI,GAAA,CAAI,MAAM,CAAA;AAAA,MACnE;AAGA,MAAA,OAAO,IAAA;AAAA,QACL,KAAA,CAAM,IAAA,CAAK,UAAA,EAAY,CAAA,IAAA,KAAQ,MAAA,CAAO,aAAa,IAAI,CAAC,CAAA,CAAE,IAAA,CAAK,EAAE;AAAA,OACnE;AAAA,IACF,SAAS,KAAA,EAAO;AAEd,MAAA,OAAO,KAAK,IAAI,CAAA;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,IAAA,EAA+B;AACnD,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,KAAK,MAAA,CAAO,aAAA;AACxB,MAAA,MAAM,OAAA,GAAU,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,IAAI,GAAG,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,CAAW,CAAC,CAAC,CAAA;AAGhE,MAAA,MAAM,YAAA,GAAe,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAM,CAAA;AAClD,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,CAAQ,QAAQ,CAAA,EAAA,EAAK;AACvC,QAAA,YAAA,CAAa,CAAC,CAAA,GAAA,CAAK,OAAA,CAAQ,CAAC,CAAA,IAAK,KAAK,GAAA,CAAI,UAAA,CAAW,CAAA,GAAI,GAAA,CAAI,MAAM,CAAA;AAAA,MACrE;AAEA,MAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,CAAA;AAAA,IAC9C,SAAS,KAAA,EAAO;AAEd,MAAA,OAAO,KAAK,IAAI,CAAA;AAAA,IAClB;AAAA,EACF;AACF;AAMO,IAAM,0BAAN,MAA8B;AAAA,EACnC,OAAO,MAAM,OAAA,EAAqD;AAChE,IAAA,IAAI;AAEF,MAAA,MAAM,KAAA,GAAQ,QAAQ,6BAA6B,CAAA;AACnD,MAAA,MAAM,UAAA,GAAa,QAAQ,kCAAkC,CAAA;AAC7D,MAAA,MAAM,SAAA,GAAY,QAAQ,0BAA0B,CAAA;AAEpD,MAAA,IAAI,KAAA,IAAS,cAAc,SAAA,EAAW;AACpC,QAAA,OAAO;AAAA,UACL,EAAA,EAAI,SAAA;AAAA,UACJ,KAAA;AAAA,UACA,UAAA,EAAY,WAAW,UAAU,CAAA;AAAA,UACjC,UAAA,EAAY,KAAK,GAAA,EAAI;AAAA,UACrB,OAAA,EAAS,IAAA,CAAK,GAAA,EAAI,GAAI;AAAA;AAAA,SACxB;AAAA,MACF;AAGA,MAAA,MAAM,YAAA,GAAe,QAAQ,QAAQ,CAAA;AACrC,MAAA,IAAI,YAAA,IAAgB,YAAA,CAAa,QAAA,CAAS,wBAAwB,CAAA,EAAG;AAEnE,QAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,CAAM,+BAA+B,CAAA;AAChE,QAAA,IAAI,KAAA,IAAS,KAAA,CAAM,CAAC,CAAA,EAAG;AACrB,UAAA,IAAI;AACF,YAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,CAAC,CAAC,CAAA;AAC7B,YAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAAA,UAC3B,CAAA,CAAA,MAAQ;AAAA,UAER;AAAA,QACF;AAAA,MACF;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,OAAO,UAAA,CAAW,QAAA,EAAe,OAAA,EAA4B;AAC3D,IAAA,IAAI;AAEF,MAAA,IAAI,SAAS,SAAA,EAAW;AACtB,QAAA,QAAA,CAAS,SAAA,CAAU,6BAAA,EAA+B,OAAA,CAAQ,KAAK,CAAA;AAC/D,QAAA,QAAA,CAAS,SAAA;AAAA,UACP,kCAAA;AAAA,UACA,OAAA,CAAQ,WAAW,QAAA;AAAS,SAC9B;AACA,QAAA,QAAA,CAAS,SAAA,CAAU,0BAAA,EAA4B,OAAA,CAAQ,EAAE,CAAA;AAAA,MAC3D,CAAA,MAAA,IAAW,QAAA,CAAS,OAAA,IAAW,QAAA,CAAS,QAAQ,GAAA,EAAK;AACnD,QAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,6BAAA,EAA+B,OAAA,CAAQ,KAAK,CAAA;AACjE,QAAA,QAAA,CAAS,OAAA,CAAQ,GAAA;AAAA,UACf,kCAAA;AAAA,UACA,OAAA,CAAQ,WAAW,QAAA;AAAS,SAC9B;AACA,QAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,0BAAA,EAA4B,OAAA,CAAQ,EAAE,CAAA;AAAA,MAC7D;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AACF","file":"session-tracker.mjs","sourcesContent":["/*\n Edge-compatible session tracking for AI agents\n * Uses cookie-based storage to work in Edge Runtime\n /\n\nimport type { NextRequest, NextResponse } from 'next/server';\nimport type { DetectionResult } from '@kya-os/agentshield';\n\nexport interface SessionData {\n id: string;\n agent: string;\n confidence: number;\n detectedAt: number;\n expires: number;\n}\n\nexport interface SessionTrackingConfig {\n enabled: boolean;\n cookieName?: string;\n cookieMaxAge?: number; // in seconds\n encryptionKey?: string;\n}\n\nexport class EdgeSessionTracker {\n private readonly config: Required<SessionTrackingConfig>;\n\n constructor(config: SessionTrackingConfig) {\n this.config = {\n enabled: config.enabled,\n cookieName: config.cookieName \|\| '__agentshield_session',\n cookieMaxAge: config.cookieMaxAge \|\| 3600, // 1 hour default\n encryptionKey:\n config.encryptionKey \|\|\n process.env.AGENTSHIELD_SECRET \|\|\n 'agentshield-default-key',\n };\n }\n\n /\n Track a new AI agent session\n /\n async track(\n _request: NextRequest,\n response: NextResponse,\n result: DetectionResult\n ): Promise<NextResponse> {\n try {\n if (!this.config.enabled \|\| !result.isAgent) {\n return response;\n }\n\n const sessionData: SessionData = {\n id: crypto.randomUUID(),\n agent: result.detectedAgent?.name \|\| 'unknown',\n confidence: result.confidence,\n detectedAt: Date.now(),\n expires: Date.now() + this.config.cookieMaxAge 1000,\n };\n\n // Encrypt session data for security\n const encrypted = await this.encrypt(JSON.stringify(sessionData));\n\n // Set secure httpOnly cookie\n response.cookies.set(this.config.cookieName, encrypted, {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n maxAge: this.config.cookieMaxAge,\n path: '/',\n });\n\n return response;\n } catch (error) {\n // Fail gracefully - log error but don't break request\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to track session:', error);\n }\n return response;\n }\n }\n\n /*\n Check for existing AI agent session\n /\n async check(request: NextRequest): Promise<SessionData \| null> {\n try {\n if (!this.config.enabled) {\n return null;\n }\n\n const cookie = request.cookies.get(this.config.cookieName);\n if (!cookie?.value) {\n return null;\n }\n\n // Decrypt and parse session data\n const decrypted = await this.decrypt(cookie.value);\n const session: SessionData = JSON.parse(decrypted);\n\n // Check if session is expired\n if (session.expires < Date.now()) {\n return null;\n }\n\n return session;\n } catch (error) {\n // Fail gracefully - invalid or corrupted session\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to check session:', error);\n }\n return null;\n }\n }\n\n /\n Clear an existing session\n /\n clear(response: NextResponse): NextResponse {\n try {\n response.cookies.delete(this.config.cookieName);\n } catch (error) {\n // Fail gracefully\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to clear session:', error);\n }\n }\n return response;\n }\n\n /\n Simple encryption using Web Crypto API (Edge-compatible)\n /\n private async encrypt(data: string): Promise<string> {\n try {\n // For Edge Runtime, use simple base64 encoding with obfuscation\n // In production, consider using Web Crypto API subtle.encrypt()\n const key = this.config.encryptionKey;\n const encoded = new TextEncoder().encode(data);\n\n // Simple XOR obfuscation\n const obfuscated = new Uint8Array(encoded.length);\n for (let i = 0; i < encoded.length; i++) {\n obfuscated[i] = (encoded[i] \|\| 0) ^ key.charCodeAt(i % key.length);\n }\n\n // Convert to base64\n return btoa(\n Array.from(obfuscated, byte => String.fromCharCode(byte)).join('')\n );\n } catch (error) {\n // Fallback to simple base64 if encryption fails\n return btoa(data);\n }\n }\n\n /\n Simple decryption (Edge-compatible)\n /\n private async decrypt(data: string): Promise<string> {\n try {\n const key = this.config.encryptionKey;\n const decoded = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n\n // Reverse XOR obfuscation\n const deobfuscated = new Uint8Array(decoded.length);\n for (let i = 0; i < decoded.length; i++) {\n deobfuscated[i] = (decoded[i] \|\| 0) ^ key.charCodeAt(i % key.length);\n }\n\n return new TextDecoder().decode(deobfuscated);\n } catch (error) {\n // Fallback to simple base64 if decryption fails\n return atob(data);\n }\n }\n}\n\n/\n Stateless session checker for non-Next.js environments (Express, etc.)\n * Uses a combination of headers to identify continued sessions\n */\nexport class StatelessSessionChecker {\n static check(headers: Record<string, string>): SessionData \| null {\n try {\n // Check for session headers (set by previous response)\n const agent = headers['x-agentshield-session-agent'];\n const confidence = headers['x-agentshield-session-confidence'];\n const sessionId = headers['x-agentshield-session-id'];\n\n if (agent && confidence && sessionId) {\n return {\n id: sessionId,\n agent,\n confidence: parseFloat(confidence),\n detectedAt: Date.now(),\n expires: Date.now() + 3600000, // 1 hour\n };\n }\n\n // Check for cookie-based session (if cookies are parsed)\n const cookieHeader = headers['cookie'];\n if (cookieHeader && cookieHeader.includes('__agentshield_session=')) {\n // Simple cookie parsing\n const match = cookieHeader.match(/__agentshield_session=([^;]+)/);\n if (match && match[1]) {\n try {\n const decoded = atob(match[1]);\n return JSON.parse(decoded);\n } catch {\n // Invalid session data\n }\n }\n }\n\n return null;\n } catch {\n return null;\n }\n }\n\n static setHeaders(response: any, session: SessionData): void {\n try {\n // Set session headers for stateless tracking\n if (response.setHeader) {\n response.setHeader('X-AgentShield-Session-Agent', session.agent);\n response.setHeader(\n 'X-AgentShield-Session-Confidence',\n session.confidence.toString()\n );\n response.setHeader('X-AgentShield-Session-Id', session.id);\n } else if (response.headers && response.headers.set) {\n response.headers.set('x-agentshield-session-agent', session.agent);\n response.headers.set(\n 'x-agentshield-session-confidence',\n session.confidence.toString()\n );\n response.headers.set('x-agentshield-session-id', session.id);\n }\n } catch {\n // Fail gracefully\n }\n }\n}\n"]}
1	+ {"version":3,"sources":["../src/session-tracker.ts"],"names":[],"mappings":";AAuBO,IAAM,qBAAN,MAAyB;AAAA,EACb,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,UAAA,EAAY,OAAO,UAAA,IAAc,uBAAA;AAAA,MACjC,YAAA,EAAc,OAAO,YAAA,IAAgB,IAAA;AAAA;AAAA,MACrC,aAAA,EACE,MAAA,CAAO,aAAA,IACP,OAAA,CAAQ,IAAI,kBAAA,IACZ;AAAA,KACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,CACJ,QAAA,EACA,QAAA,EACA,MAAA,EACuB;AACvB,IAAA,IAAI;AACF,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,IAAW,CAAC,OAAO,OAAA,EAAS;AAC3C,QAAA,OAAO,QAAA;AAAA,MACT;AAEA,MAAA,MAAM,WAAA,GAA2B;AAAA,QAC/B,EAAA,EAAI,OAAO,UAAA,EAAW;AAAA,QACtB,KAAA,EAAO,MAAA,CAAO,aAAA,EAAe,IAAA,IAAQ,SAAA;AAAA,QACrC,YAAY,MAAA,CAAO,UAAA;AAAA,QACnB,UAAA,EAAY,KAAK,GAAA,EAAI;AAAA,QACrB,SAAS,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,OAAO,YAAA,GAAe;AAAA,OACnD;AAGA,MAAA,MAAM,YAAY,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,CAAU,WAAW,CAAC,CAAA;AAGhE,MAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,MAAA,CAAO,YAAY,SAAA,EAAW;AAAA,QACtD,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,QACjC,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAK,MAAA,CAAO,YAAA;AAAA,QACpB,IAAA,EAAM;AAAA,OACP,CAAA;AAED,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AACA,MAAA,OAAO,QAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,OAAA,EAAmD;AAC7D,IAAA,IAAI;AACF,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,SAAS,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,OAAO,UAAU,CAAA;AACzD,MAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,QAAA,OAAO,IAAA;AAAA,MACT;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,OAAA,CAAQ,OAAO,KAAK,CAAA;AACjD,MAAA,MAAM,OAAA,GAAuB,IAAA,CAAK,KAAA,CAAM,SAAS,CAAA;AAGjD,MAAA,IAAI,OAAA,CAAQ,OAAA,GAAU,IAAA,CAAK,GAAA,EAAI,EAAG;AAChC,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO,OAAA;AAAA,IACT,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AACA,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAA,EAAsC;AAC1C,IAAA,IAAI;AACF,MAAA,QAAA,CAAS,OAAA,CAAQ,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAU,CAAA;AAAA,IAChD,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AAAA,IACF;AACA,IAAA,OAAO,QAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,IAAA,EAA+B;AACnD,IAAA,IAAI;AAGF,MAAA,MAAM,GAAA,GAAM,KAAK,MAAA,CAAO,aAAA;AACxB,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAI,CAAA;AAG7C,MAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAM,CAAA;AAChD,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,CAAQ,QAAQ,CAAA,EAAA,EAAK;AACvC,QAAA,UAAA,CAAW,CAAC,CAAA,GAAA,CAAK,OAAA,CAAQ,CAAC,CAAA,IAAK,KAAK,GAAA,CAAI,UAAA,CAAW,CAAA,GAAI,GAAA,CAAI,MAAM,CAAA;AAAA,MACnE;AAGA,MAAA,OAAO,IAAA;AAAA,QACL,KAAA,CAAM,IAAA,CAAK,UAAA,EAAY,CAAA,IAAA,KAAQ,MAAA,CAAO,aAAa,IAAI,CAAC,CAAA,CAAE,IAAA,CAAK,EAAE;AAAA,OACnE;AAAA,IACF,SAAS,KAAA,EAAO;AAEd,MAAA,OAAO,KAAK,IAAI,CAAA;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,IAAA,EAA+B;AACnD,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,KAAK,MAAA,CAAO,aAAA;AACxB,MAAA,MAAM,OAAA,GAAU,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,IAAI,GAAG,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,CAAW,CAAC,CAAC,CAAA;AAGhE,MAAA,MAAM,YAAA,GAAe,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAM,CAAA;AAClD,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,CAAQ,QAAQ,CAAA,EAAA,EAAK;AACvC,QAAA,YAAA,CAAa,CAAC,CAAA,GAAA,CAAK,OAAA,CAAQ,CAAC,CAAA,IAAK,KAAK,GAAA,CAAI,UAAA,CAAW,CAAA,GAAI,GAAA,CAAI,MAAM,CAAA;AAAA,MACrE;AAEA,MAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,CAAA;AAAA,IAC9C,SAAS,KAAA,EAAO;AAEd,MAAA,OAAO,KAAK,IAAI,CAAA;AAAA,IAClB;AAAA,EACF;AACF;AAMO,IAAM,0BAAN,MAA8B;AAAA,EACnC,OAAO,MAAM,OAAA,EAAqD;AAChE,IAAA,IAAI;AAEF,MAAA,MAAM,KAAA,GAAQ,QAAQ,6BAA6B,CAAA;AACnD,MAAA,MAAM,UAAA,GAAa,QAAQ,kCAAkC,CAAA;AAC7D,MAAA,MAAM,SAAA,GAAY,QAAQ,0BAA0B,CAAA;AAEpD,MAAA,IAAI,KAAA,IAAS,cAAc,SAAA,EAAW;AACpC,QAAA,OAAO;AAAA,UACL,EAAA,EAAI,SAAA;AAAA,UACJ,KAAA;AAAA,UACA,UAAA,EAAY,WAAW,UAAU,CAAA;AAAA,UACjC,UAAA,EAAY,KAAK,GAAA,EAAI;AAAA,UACrB,OAAA,EAAS,IAAA,CAAK,GAAA,EAAI,GAAI;AAAA;AAAA,SACxB;AAAA,MACF;AAGA,MAAA,MAAM,YAAA,GAAe,QAAQ,QAAQ,CAAA;AACrC,MAAA,IAAI,YAAA,IAAgB,YAAA,CAAa,QAAA,CAAS,wBAAwB,CAAA,EAAG;AAEnE,QAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,CAAM,+BAA+B,CAAA;AAChE,QAAA,IAAI,KAAA,IAAS,KAAA,CAAM,CAAC,CAAA,EAAG;AACrB,UAAA,IAAI;AACF,YAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,CAAC,CAAC,CAAA;AAC7B,YAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAAA,UAC3B,CAAA,CAAA,MAAQ;AAAA,UAER;AAAA,QACF;AAAA,MACF;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,OAAO,UAAA,CAAW,QAAA,EAAe,OAAA,EAA4B;AAC3D,IAAA,IAAI;AAEF,MAAA,IAAI,SAAS,SAAA,EAAW;AACtB,QAAA,QAAA,CAAS,SAAA,CAAU,6BAAA,EAA+B,OAAA,CAAQ,KAAK,CAAA;AAC/D,QAAA,QAAA,CAAS,SAAA;AAAA,UACP,kCAAA;AAAA,UACA,OAAA,CAAQ,WAAW,QAAA;AAAS,SAC9B;AACA,QAAA,QAAA,CAAS,SAAA,CAAU,0BAAA,EAA4B,OAAA,CAAQ,EAAE,CAAA;AAAA,MAC3D,CAAA,MAAA,IAAW,QAAA,CAAS,OAAA,IAAW,QAAA,CAAS,QAAQ,GAAA,EAAK;AACnD,QAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,6BAAA,EAA+B,OAAA,CAAQ,KAAK,CAAA;AACjE,QAAA,QAAA,CAAS,OAAA,CAAQ,GAAA;AAAA,UACf,kCAAA;AAAA,UACA,OAAA,CAAQ,WAAW,QAAA;AAAS,SAC9B;AACA,QAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,0BAAA,EAA4B,OAAA,CAAQ,EAAE,CAAA;AAAA,MAC7D;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AACF","file":"session-tracker.mjs","sourcesContent":["/*\n Edge-compatible session tracking for AI agents\n * Uses cookie-based storage to work in Edge Runtime\n /\n\nimport type { NextRequest, NextResponse } from 'next/server';\nimport type { DetectionResult } from '@kya-os/agentshield-shared';\n\nexport interface SessionData {\n id: string;\n agent: string;\n confidence: number;\n detectedAt: number;\n expires: number;\n}\n\nexport interface SessionTrackingConfig {\n enabled: boolean;\n cookieName?: string;\n cookieMaxAge?: number; // in seconds\n encryptionKey?: string;\n}\n\nexport class EdgeSessionTracker {\n private readonly config: Required<SessionTrackingConfig>;\n\n constructor(config: SessionTrackingConfig) {\n this.config = {\n enabled: config.enabled,\n cookieName: config.cookieName \|\| '__agentshield_session',\n cookieMaxAge: config.cookieMaxAge \|\| 3600, // 1 hour default\n encryptionKey:\n config.encryptionKey \|\|\n process.env.AGENTSHIELD_SECRET \|\|\n 'agentshield-default-key',\n };\n }\n\n /\n Track a new AI agent session\n /\n async track(\n _request: NextRequest,\n response: NextResponse,\n result: DetectionResult\n ): Promise<NextResponse> {\n try {\n if (!this.config.enabled \|\| !result.isAgent) {\n return response;\n }\n\n const sessionData: SessionData = {\n id: crypto.randomUUID(),\n agent: result.detectedAgent?.name \|\| 'unknown',\n confidence: result.confidence,\n detectedAt: Date.now(),\n expires: Date.now() + this.config.cookieMaxAge 1000,\n };\n\n // Encrypt session data for security\n const encrypted = await this.encrypt(JSON.stringify(sessionData));\n\n // Set secure httpOnly cookie\n response.cookies.set(this.config.cookieName, encrypted, {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n maxAge: this.config.cookieMaxAge,\n path: '/',\n });\n\n return response;\n } catch (error) {\n // Fail gracefully - log error but don't break request\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to track session:', error);\n }\n return response;\n }\n }\n\n /*\n Check for existing AI agent session\n /\n async check(request: NextRequest): Promise<SessionData \| null> {\n try {\n if (!this.config.enabled) {\n return null;\n }\n\n const cookie = request.cookies.get(this.config.cookieName);\n if (!cookie?.value) {\n return null;\n }\n\n // Decrypt and parse session data\n const decrypted = await this.decrypt(cookie.value);\n const session: SessionData = JSON.parse(decrypted);\n\n // Check if session is expired\n if (session.expires < Date.now()) {\n return null;\n }\n\n return session;\n } catch (error) {\n // Fail gracefully - invalid or corrupted session\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to check session:', error);\n }\n return null;\n }\n }\n\n /\n Clear an existing session\n /\n clear(response: NextResponse): NextResponse {\n try {\n response.cookies.delete(this.config.cookieName);\n } catch (error) {\n // Fail gracefully\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to clear session:', error);\n }\n }\n return response;\n }\n\n /\n Simple encryption using Web Crypto API (Edge-compatible)\n /\n private async encrypt(data: string): Promise<string> {\n try {\n // For Edge Runtime, use simple base64 encoding with obfuscation\n // In production, consider using Web Crypto API subtle.encrypt()\n const key = this.config.encryptionKey;\n const encoded = new TextEncoder().encode(data);\n\n // Simple XOR obfuscation\n const obfuscated = new Uint8Array(encoded.length);\n for (let i = 0; i < encoded.length; i++) {\n obfuscated[i] = (encoded[i] \|\| 0) ^ key.charCodeAt(i % key.length);\n }\n\n // Convert to base64\n return btoa(\n Array.from(obfuscated, byte => String.fromCharCode(byte)).join('')\n );\n } catch (error) {\n // Fallback to simple base64 if encryption fails\n return btoa(data);\n }\n }\n\n /\n Simple decryption (Edge-compatible)\n /\n private async decrypt(data: string): Promise<string> {\n try {\n const key = this.config.encryptionKey;\n const decoded = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n\n // Reverse XOR obfuscation\n const deobfuscated = new Uint8Array(decoded.length);\n for (let i = 0; i < decoded.length; i++) {\n deobfuscated[i] = (decoded[i] \|\| 0) ^ key.charCodeAt(i % key.length);\n }\n\n return new TextDecoder().decode(deobfuscated);\n } catch (error) {\n // Fallback to simple base64 if decryption fails\n return atob(data);\n }\n }\n}\n\n/\n Stateless session checker for non-Next.js environments (Express, etc.)\n * Uses a combination of headers to identify continued sessions\n */\nexport class StatelessSessionChecker {\n static check(headers: Record<string, string>): SessionData \| null {\n try {\n // Check for session headers (set by previous response)\n const agent = headers['x-agentshield-session-agent'];\n const confidence = headers['x-agentshield-session-confidence'];\n const sessionId = headers['x-agentshield-session-id'];\n\n if (agent && confidence && sessionId) {\n return {\n id: sessionId,\n agent,\n confidence: parseFloat(confidence),\n detectedAt: Date.now(),\n expires: Date.now() + 3600000, // 1 hour\n };\n }\n\n // Check for cookie-based session (if cookies are parsed)\n const cookieHeader = headers['cookie'];\n if (cookieHeader && cookieHeader.includes('__agentshield_session=')) {\n // Simple cookie parsing\n const match = cookieHeader.match(/__agentshield_session=([^;]+)/);\n if (match && match[1]) {\n try {\n const decoded = atob(match[1]);\n return JSON.parse(decoded);\n } catch {\n // Invalid session data\n }\n }\n }\n\n return null;\n } catch {\n return null;\n }\n }\n\n static setHeaders(response: any, session: SessionData): void {\n try {\n // Set session headers for stateless tracking\n if (response.setHeader) {\n response.setHeader('X-AgentShield-Session-Agent', session.agent);\n response.setHeader(\n 'X-AgentShield-Session-Confidence',\n session.confidence.toString()\n );\n response.setHeader('X-AgentShield-Session-Id', session.id);\n } else if (response.headers && response.headers.set) {\n response.headers.set('x-agentshield-session-agent', session.agent);\n response.headers.set(\n 'x-agentshield-session-confidence',\n session.confidence.toString()\n );\n response.headers.set('x-agentshield-session-id', session.id);\n }\n } catch {\n // Fail gracefully\n }\n }\n}\n"]}

package/dist/signature-verifier.d.mts CHANGED Viewed

@@ -26,6 +26,7 @@ declare function verifyAgentSignature(method: string, path: string, headers: Rec
 declare function hasSignatureHeaders(headers: Record<string, string>): boolean;
 /**
  * Check if this is a ChatGPT signature based on headers
+ * Uses secure URL parsing to prevent spoofing attacks
  */
 declare function isChatGPTSignature(headers: Record<string, string>): boolean;

package/dist/signature-verifier.d.ts CHANGED Viewed

@@ -26,6 +26,7 @@ declare function verifyAgentSignature(method: string, path: string, headers: Rec
 declare function hasSignatureHeaders(headers: Record<string, string>): boolean;
 /**
  * Check if this is a ChatGPT signature based on headers
+ * Uses secure URL parsing to prevent spoofing attacks
  */
 declare function isChatGPTSignature(headers: Record<string, string>): boolean;

package/dist/signature-verifier.js CHANGED Viewed

@@ -1,17 +1,149 @@
 'use strict';
+var ed25519 = require('@noble/ed25519');
+var sha2_js = require('@noble/hashes/sha2.js');
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+var ed25519__namespace = /*#__PURE__*/_interopNamespace(ed25519);
 // src/signature-verifier.ts
+ed25519__namespace.etc.sha512Sync = (...m) => sha2_js.sha512(ed25519__namespace.etc.concatBytes(...m));
 var KNOWN_KEYS = {
   chatgpt: [
     {
       kid: "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
       // ChatGPT's current Ed25519 public key (base64)
+      // Source: https://chatgpt.com/.well-known/http-message-signatures-directory
       publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
-      validFrom: (/* @__PURE__ */ new Date("2025-01-01")).getTime() / 1e3,
-      validUntil: (/* @__PURE__ */ new Date("2025-04-11")).getTime() / 1e3
+      validFrom: 1735689600,
+      // Jan 1, 2025 (from OpenAI's nbf)
+      // Extended expiration as fallback safety - API fetch should provide fresh keys
+      // Check OpenAI's well-known endpoint for actual expiration dates
+      validUntil: 1799625600
+      // Jan 1, 2027 (extended for fallback safety)
     }
   ]
 };
+var keyCache = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var CACHE_MAX_SIZE = 100;
+function getApiBaseUrl() {
+  if (typeof window !== "undefined") {
+    return "/api/internal";
+  }
+  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || process.env.NEXT_PUBLIC_API_URL || process.env.API_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : null);
+  if (baseUrl) {
+    return baseUrl.replace(/\/$/, "") + "/api/internal";
+  }
+  if (process.env.NODE_ENV !== "production") {
+    console.warn(
+      "[Signature] No base URL configured for server-side fetch. Using localhost fallback."
+    );
+    return "http://localhost:3000/api/internal";
+  }
+  console.error(
+    "[Signature] CRITICAL: No base URL configured for server-side fetch in production!"
+  );
+  return "/api/internal";
+}
+function cleanupExpiredCache() {
+  const now = Date.now();
+  const entriesToDelete = [];
+  for (const [agent, cached] of keyCache.entries()) {
+    if (now - cached.cachedAt > CACHE_TTL_MS) {
+      entriesToDelete.push(agent);
+    }
+  }
+  for (const agent of entriesToDelete) {
+    keyCache.delete(agent);
+  }
+  if (keyCache.size > CACHE_MAX_SIZE) {
+    const entries = Array.from(keyCache.entries()).map(([agent, cached]) => ({
+      agent,
+      cachedAt: cached.cachedAt
+    }));
+    entries.sort((a, b) => a.cachedAt - b.cachedAt);
+    const toRemove = entries.slice(0, keyCache.size - CACHE_MAX_SIZE);
+    for (const entry of toRemove) {
+      keyCache.delete(entry.agent);
+    }
+  }
+}
+async function fetchKeysFromApi(agent) {
+  if (keyCache.size > CACHE_MAX_SIZE) {
+    cleanupExpiredCache();
+  }
+  const cached = keyCache.get(agent);
+  if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {
+    return cached.keys;
+  }
+  if (typeof fetch === "undefined") {
+    console.warn("[Signature] fetch() not available in this environment");
+    return null;
+  }
+  try {
+    const apiBaseUrl = getApiBaseUrl();
+    const url = `${apiBaseUrl}/signature-keys?agent=${encodeURIComponent(agent)}`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      // 5 second timeout
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!response.ok) {
+      console.warn(`[Signature] Failed to fetch keys from API: ${response.status}`);
+      return null;
+    }
+    const data = await response.json();
+    if (!data.keys || !Array.isArray(data.keys) || data.keys.length === 0) {
+      console.warn(`[Signature] No keys returned from API for agent: ${agent}`);
+      return null;
+    }
+    keyCache.set(agent, {
+      keys: data.keys,
+      cachedAt: Date.now()
+    });
+    return data.keys;
+  } catch (error) {
+    console.warn("[Signature] Error fetching keys from API, using fallback", {
+      error: error instanceof Error ? error.message : "Unknown error",
+      agent
+    });
+    return null;
+  }
+}
+function isValidAgent(agent) {
+  return agent in KNOWN_KEYS;
+}
+async function getKeysForAgent(agent) {
+  const apiKeys = await fetchKeysFromApi(agent);
+  if (apiKeys && apiKeys.length > 0) {
+    return apiKeys;
+  }
+  if (isValidAgent(agent)) {
+    return KNOWN_KEYS[agent];
+  }
+  return [];
+}
 function parseSignatureInput(signatureInput) {
   try {
     const match = signatureInput.match(/sig1=\((.*?)\);(.+)/);
@@ -47,21 +179,29 @@ function buildSignatureBase(method, path, headers, signedHeaders) {
       case "@authority":
         value = headers["host"] || headers["Host"] || "";
         break;
-      default:
-        const key = Object.keys(headers).find(
-          (k) => k.toLowerCase() === headerName.toLowerCase()
-        );
+      default: {
+        const key = Object.keys(headers).find((k) => k.toLowerCase() === headerName.toLowerCase());
         value = key ? headers[key] || "" : "";
         break;
+      }
     }
     components.push(`"${headerName}": ${value}`);
   }
   return components.join("\n");
 }
+function base64ToBytes(base64) {
+  let standardBase64 = base64.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = standardBase64.length % 4;
+  if (padding) {
+    standardBase64 += "=".repeat(4 - padding);
+  }
+  const binaryString = atob(standardBase64);
+  return Uint8Array.from(binaryString, (c) => c.charCodeAt(0));
+}
 async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message) {
   try {
-    const publicKeyBytes = Uint8Array.from(atob(publicKeyBase64), (c) => c.charCodeAt(0));
-    const signatureBytes = Uint8Array.from(atob(signatureBase64), (c) => c.charCodeAt(0));
+    const publicKeyBytes = base64ToBytes(publicKeyBase64);
+    const signatureBytes = base64ToBytes(signatureBase64);
     const messageBytes = new TextEncoder().encode(message);
     if (publicKeyBytes.length !== 32) {
       console.error("[Signature] Invalid public key length:", publicKeyBytes.length);
@@ -71,34 +211,36 @@ async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message)
       console.error("[Signature] Invalid signature length:", signatureBytes.length);
       return false;
     }
-    const publicKey = await crypto.subtle.importKey(
-      "raw",
-      publicKeyBytes,
-      {
-        name: "Ed25519",
-        namedCurve: "Ed25519"
-      },
-      false,
-      ["verify"]
-    );
-    const isValid = await crypto.subtle.verify(
-      "Ed25519",
-      publicKey,
-      signatureBytes,
-      messageBytes
-    );
-    return isValid;
-  } catch (error) {
-    console.error("[Signature] Ed25519 verification failed:", error);
-    if (typeof window === "undefined") {
-      try {
-        console.warn("[Signature] Ed25519 not supported in this environment");
-        return false;
-      } catch {
-        return false;
-      }
+    return ed25519__namespace.verify(signatureBytes, messageBytes, publicKeyBytes);
+  } catch (nobleError) {
+    console.warn("[Signature] @noble/ed25519 failed, trying Web Crypto fallback:", nobleError);
+    try {
+      const publicKeyBytes = base64ToBytes(publicKeyBase64);
+      const signatureBytes = base64ToBytes(signatureBase64);
+      const messageBytes = new TextEncoder().encode(message);
+      const publicKey = await crypto.subtle.importKey(
+        "raw",
+        publicKeyBytes.buffer,
+        {
+          name: "Ed25519",
+          namedCurve: "Ed25519"
+        },
+        false,
+        ["verify"]
+      );
+      return await crypto.subtle.verify(
+        "Ed25519",
+        publicKey,
+        signatureBytes.buffer,
+        messageBytes
+      );
+    } catch (cryptoError) {
+      console.error("[Signature] Both @noble/ed25519 and Web Crypto failed:", {
+        nobleError: nobleError instanceof Error ? nobleError.message : "Unknown",
+        cryptoError: cryptoError instanceof Error ? cryptoError.message : "Unknown"
+      });
+      return false;
     }
-    return false;
   }
 }
 async function verifyAgentSignature(method, path, headers) {
@@ -143,12 +285,12 @@ async function verifyAgentSignature(method, path, headers) {
     }
   }
   let agent;
-  let knownKeys;
+  let agentKey;
   if (signatureAgent === '"https://chatgpt.com"' || signatureAgent?.includes("chatgpt.com")) {
     agent = "ChatGPT";
-    knownKeys = KNOWN_KEYS.chatgpt;
+    agentKey = "chatgpt";
   }
-  if (!agent || !knownKeys) {
+  if (!agent || !agentKey) {
     return {
       isValid: false,
       confidence: 0,
@@ -156,6 +298,15 @@ async function verifyAgentSignature(method, path, headers) {
       verificationMethod: "none"
     };
   }
+  const knownKeys = await getKeysForAgent(agentKey);
+  if (knownKeys.length === 0) {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: "No keys available for agent",
+      verificationMethod: "none"
+    };
+  }
   const key = knownKeys.find((k) => k.kid === parsed.keyid);
   if (!key) {
     return {
@@ -182,11 +333,7 @@ async function verifyAgentSignature(method, path, headers) {
   if (signatureValue.endsWith(":")) {
     signatureValue = signatureValue.slice(0, -1);
   }
-  const isValid = await verifyEd25519Signature(
-    key.publicKey,
-    signatureValue,
-    signatureBase
-  );
+  const isValid = await verifyEd25519Signature(key.publicKey, signatureValue, signatureBase);
   if (isValid) {
     return {
       isValid: true,
@@ -210,7 +357,20 @@ function hasSignatureHeaders(headers) {
 }
 function isChatGPTSignature(headers) {
   const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  return signatureAgent === '"https://chatgpt.com"' || (signatureAgent?.includes("chatgpt.com") || false);
+  if (!signatureAgent) {
+    return false;
+  }
+  const agentUrlStr = signatureAgent.replace(/^"+|"+$/g, "");
+  if (agentUrlStr === "https://chatgpt.com") {
+    return true;
+  }
+  try {
+    const agentUrl = new URL(agentUrlStr);
+    const allowedHosts = ["chatgpt.com", "www.chatgpt.com"];
+    return allowedHosts.includes(agentUrl.host);
+  } catch {
+    return false;
+  }
 }
 exports.hasSignatureHeaders = hasSignatureHeaders;

package/dist/signature-verifier.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/signature-verifier.ts"],"names":["now"],"mappings":";;;AAWA,IAAM,UAAA,GAAa;AAAA,EACjB,OAAA,EAAS;AAAA,IACP;AAAA,MACE,GAAA,EAAK,6CAAA;AAAA;AAAA,MAEL,SAAA,EAAW,6CAAA;AAAA,MACX,4BAAW,IAAI,IAAA,CAAK,YAAY,CAAA,EAAE,SAAQ,GAAI,GAAA;AAAA,MAC9C,6BAAY,IAAI,IAAA,CAAK,YAAY,CAAA,EAAE,SAAQ,GAAI;AAAA;AACjD;AAEJ,CAAA;AAKA,SAAS,oBAAoB,cAAA,EAKpB;AACP,EAAA,IAAI;AAEF,IAAA,MAAM,KAAA,GAAQ,cAAA,CAAe,KAAA,CAAM,qBAAqB,CAAA;AACxD,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,IAAA,MAAM,GAAG,WAAA,EAAa,MAAM,CAAA,GAAI,KAAA;AAGhC,IAAA,MAAM,aAAA,GAAgB,cAClB,WAAA,CACG,KAAA,CAAM,GAAG,CAAA,CACT,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,EAAE,CAAA,CAAE,IAAA,EAAM,CAAA,CACnC,MAAA,CAAO,OAAK,CAAA,CAAE,MAAA,GAAS,CAAC,CAAA,GAC3B,EAAC;AAGL,IAAA,MAAM,UAAA,GAAa,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,iBAAiB,CAAA,GAAI,IAAA;AAC9D,IAAA,MAAM,YAAA,GAAe,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,eAAe,CAAA,GAAI,IAAA;AAC9D,IAAA,MAAM,YAAA,GAAe,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,eAAe,CAAA,GAAI,IAAA;AAE9D,IAAA,IAAI,CAAC,UAAA,IAAc,CAAC,UAAA,CAAW,CAAC,GAAG,OAAO,IAAA;AAE1C,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,WAAW,CAAC,CAAA;AAAA,MACnB,OAAA,EAAS,gBAAgB,YAAA,CAAa,CAAC,IAAI,QAAA,CAAS,YAAA,CAAa,CAAC,CAAC,CAAA,GAAI,KAAA,CAAA;AAAA,MACvE,OAAA,EAAS,gBAAgB,YAAA,CAAa,CAAC,IAAI,QAAA,CAAS,YAAA,CAAa,CAAC,CAAC,CAAA,GAAI,KAAA,CAAA;AAAA,MACvE;AAAA,KACF;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,gDAAgD,KAAK,CAAA;AACnE,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMA,SAAS,kBAAA,CACP,MAAA,EACA,IAAA,EACA,OAAA,EACA,aAAA,EACQ;AACR,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,KAAA,MAAW,cAAc,aAAA,EAAe;AACtC,IAAA,IAAI,KAAA;AAEJ,IAAA,QAAQ,UAAA;AAAY,MAClB,KAAK,SAAA;AACH,QAAA,KAAA,GAAQ,OAAO,WAAA,EAAY;AAC3B,QAAA;AAAA,MACF,KAAK,OAAA;AACH,QAAA,KAAA,GAAQ,IAAA;AACR,QAAA;AAAA,MACF,KAAK,YAAA;AAEH,QAAA,KAAA,GAAQ,OAAA,CAAQ,MAAM,CAAA,IAAK,OAAA,CAAQ,MAAM,CAAA,IAAK,EAAA;AAC9C,QAAA;AAAA,MACF;AAEE,QAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,IAAA;AAAA,UAC/B,CAAA,CAAA,KAAK,CAAA,CAAE,WAAA,EAAY,KAAM,WAAW,WAAA;AAAY,SAClD;AACA,QAAA,KAAA,GAAQ,GAAA,GAAM,OAAA,CAAQ,GAAG,CAAA,IAAK,EAAA,GAAK,EAAA;AACnC,QAAA;AAAA;AAIJ,IAAA,UAAA,CAAW,IAAA,CAAK,CAAA,CAAA,EAAI,UAAU,CAAA,GAAA,EAAM,KAAK,CAAA,CAAE,CAAA;AAAA,EAC7C;AAEA,EAAA,OAAO,UAAA,CAAW,KAAK,IAAI,CAAA;AAC7B;AAKA,eAAe,sBAAA,CACb,eAAA,EACA,eAAA,EACA,OAAA,EACkB;AAClB,EAAA,IAAI;AAEF,IAAA,MAAM,cAAA,GAAiB,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,eAAe,GAAG,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,CAAW,CAAC,CAAC,CAAA;AAClF,IAAA,MAAM,cAAA,GAAiB,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,eAAe,GAAG,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,CAAW,CAAC,CAAC,CAAA;AAClF,IAAA,MAAM,YAAA,GAAe,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AAGrD,IAAA,IAAI,cAAA,CAAe,WAAW,EAAA,EAAI;AAChC,MAAA,OAAA,CAAQ,KAAA,CAAM,wCAAA,EAA0C,cAAA,CAAe,MAAM,CAAA;AAC7E,MAAA,OAAO,KAAA;AAAA,IACT;AACA,IAAA,IAAI,cAAA,CAAe,WAAW,EAAA,EAAI;AAChC,MAAA,OAAA,CAAQ,KAAA,CAAM,uCAAA,EAAyC,cAAA,CAAe,MAAM,CAAA;AAC5E,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,MACpC,KAAA;AAAA,MACA,cAAA;AAAA,MACA;AAAA,QACE,IAAA,EAAM,SAAA;AAAA,QACN,UAAA,EAAY;AAAA,OACd;AAAA,MACA,KAAA;AAAA,MACA,CAAC,QAAQ;AAAA,KACX;AAGA,IAAA,MAAM,OAAA,GAAU,MAAM,MAAA,CAAO,MAAA,CAAO,MAAA;AAAA,MAClC,SAAA;AAAA,MACA,SAAA;AAAA,MACA,cAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,OAAO,OAAA;AAAA,EACT,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,4CAA4C,KAAK,CAAA;AAG/D,IAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AACjC,MAAA,IAAI;AAGF,QAAA,OAAA,CAAQ,KAAK,uDAAuD,CAAA;AACpE,QAAA,OAAO,KAAA;AAAA,MACT,CAAA,CAAA,MAAQ;AACN,QAAA,OAAO,KAAA;AAAA,MACT;AAAA,IACF;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAiBA,eAAsB,oBAAA,CACpB,MAAA,EACA,IAAA,EACA,OAAA,EACsC;AAEtC,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,WAAW,CAAA,IAAK,QAAQ,WAAW,CAAA;AAC7D,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,iBAAiB,CAAA,IAAK,QAAQ,iBAAiB,CAAA;AAC9E,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,iBAAiB,CAAA,IAAK,QAAQ,iBAAiB,CAAA;AAG9E,EAAA,IAAI,CAAC,SAAA,IAAa,CAAC,cAAA,EAAgB;AACjC,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,8BAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,MAAA,GAAS,oBAAoB,cAAc,CAAA;AACjD,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,gCAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,MAAMA,OAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAMA,OAAM,MAAA,CAAO,OAAA;AAGzB,IAAA,IAAI,MAAM,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,CAAA;AAAA,QACZ,MAAA,EAAQ,0CAAA;AAAA,QACR,kBAAA,EAAoB;AAAA,OACtB;AAAA,IACF;AAGA,IAAA,IAAI,MAAM,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,CAAA;AAAA,QACZ,MAAA,EAAQ,sCAAA;AAAA,QACR,kBAAA,EAAoB;AAAA,OACtB;AAAA,IACF;AAAA,EACF;AAGA,EAAA,IAAI,KAAA;AACJ,EAAA,IAAI,SAAA;AAEJ,EAAA,IAAI,cAAA,KAAmB,uBAAA,IAA2B,cAAA,EAAgB,QAAA,CAAS,aAAa,CAAA,EAAG;AACzF,IAAA,KAAA,GAAQ,SAAA;AACR,IAAA,SAAA,GAAY,UAAA,CAAW,OAAA;AAAA,EACzB;AAGA,EAAA,IAAI,CAAC,KAAA,IAAS,CAAC,SAAA,EAAW;AACxB,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,yBAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,MAAM,SAAA,CAAU,IAAA,CAAK,OAAK,CAAA,CAAE,GAAA,KAAQ,OAAO,KAAK,CAAA;AACtD,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,CAAA,gBAAA,EAAmB,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,MACvC,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,EAAA,IAAI,GAAA,GAAM,GAAA,CAAI,SAAA,IAAa,GAAA,GAAM,IAAI,UAAA,EAAY;AAC/C,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,kCAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,gBAAgB,kBAAA,CAAmB,MAAA,EAAQ,IAAA,EAAM,OAAA,EAAS,OAAO,aAAa,CAAA;AAGpF,EAAA,IAAI,cAAA,GAAiB,SAAA;AACrB,EAAA,IAAI,cAAA,CAAe,UAAA,CAAW,QAAQ,CAAA,EAAG;AACvC,IAAA,cAAA,GAAiB,cAAA,CAAe,UAAU,CAAC,CAAA;AAAA,EAC7C;AACA,EAAA,IAAI,cAAA,CAAe,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,IAAA,cAAA,GAAiB,cAAA,CAAe,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAAA,EAC7C;AAGA,EAAA,MAAM,UAAU,MAAM,sBAAA;AAAA,IACpB,GAAA,CAAI,SAAA;AAAA,IACJ,cAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,IAAA;AAAA,MACT,KAAA;AAAA,MACA,OAAO,MAAA,CAAO,KAAA;AAAA,MACd,UAAA,EAAY,CAAA;AAAA;AAAA,MACZ,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF,CAAA,MAAO;AACL,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,+BAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AACF;AAKO,SAAS,oBAAoB,OAAA,EAA0C;AAC5E,EAAA,OAAO,CAAC,EAAA,CACL,OAAA,CAAQ,WAAW,CAAA,IAAK,OAAA,CAAQ,WAAW,CAAA,MAC3C,OAAA,CAAQ,iBAAiB,CAAA,IAAK,OAAA,CAAQ,iBAAiB,CAAA,CAAA,CAAA;AAE5D;AAKO,SAAS,mBAAmB,OAAA,EAA0C;AAC3E,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,iBAAiB,CAAA,IAAK,QAAQ,iBAAiB,CAAA;AAC9E,EAAA,OAAO,cAAA,KAAmB,uBAAA,KAA4B,cAAA,EAAgB,QAAA,CAAS,aAAa,CAAA,IAAK,KAAA,CAAA;AACnG","file":"signature-verifier.js","sourcesContent":["/*\n Ed25519 Signature Verification for HTTP Message Signatures\n * Implements proper cryptographic verification for ChatGPT and other agents\n * \n * Based on RFC 9421 (HTTP Message Signatures) and ChatGPT's implementation\n * Reference: https://help.openai.com/en/articles/9785974-chatgpt-user-allowlisting\n /\n\n/\n Known public keys for AI agents\n /\nconst KNOWN_KEYS = {\n chatgpt: [\n {\n kid: 'otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg',\n // ChatGPT's current Ed25519 public key (base64)\n publicKey: '7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g',\n validFrom: new Date('2025-01-01').getTime() / 1000,\n validUntil: new Date('2025-04-11').getTime() / 1000,\n },\n ],\n};\n\n/\n Parse the Signature-Input header according to RFC 9421\n /\nfunction parseSignatureInput(signatureInput: string): {\n keyid: string;\n created?: number \| undefined;\n expires?: number \| undefined;\n signedHeaders: string[];\n} \| null {\n try {\n // Example: sig1=(\"@method\" \"@path\" \"@authority\" \"date\");keyid=\"...\";created=1234567890\n const match = signatureInput.match(/sig1=\$(.?)\$;(.+)/);\n if (!match) return null;\n\n const [, headersList, params] = match;\n \n // Parse signed headers\n const signedHeaders = headersList\n ? headersList\n .split(' ')\n .map(h => h.replace(/\"/g, '').trim())\n .filter(h => h.length > 0)\n : [];\n\n // Parse parameters\n const keyidMatch = params ? params.match(/keyid=\"([^\"]+)\"/) : null;\n const createdMatch = params ? params.match(/created=(\\d+)/) : null;\n const expiresMatch = params ? params.match(/expires=(\\d+)/) : null;\n\n if (!keyidMatch \|\| !keyidMatch[1]) return null;\n\n return {\n keyid: keyidMatch[1],\n created: createdMatch && createdMatch[1] ? parseInt(createdMatch[1]) : undefined,\n expires: expiresMatch && expiresMatch[1] ? parseInt(expiresMatch[1]) : undefined,\n signedHeaders,\n };\n } catch (error) {\n console.error('[Signature] Failed to parse Signature-Input:', error);\n return null;\n }\n}\n\n/*\n Build the signature base string according to RFC 9421\n * This is what gets signed\n /\nfunction buildSignatureBase(\n method: string,\n path: string,\n headers: Record<string, string>,\n signedHeaders: string[]\n): string {\n const components: string[] = [];\n \n for (const headerName of signedHeaders) {\n let value: string;\n \n switch (headerName) {\n case '@method':\n value = method.toUpperCase();\n break;\n case '@path':\n value = path;\n break;\n case '@authority':\n // Get from Host header or URL\n value = headers['host'] \|\| headers['Host'] \|\| '';\n break;\n default:\n // Regular headers (case-insensitive lookup)\n const key = Object.keys(headers).find(\n k => k.toLowerCase() === headerName.toLowerCase()\n );\n value = key ? headers[key] \|\| '' : '';\n break;\n }\n \n // Format according to RFC 9421\n components.push(`\"${headerName}\": ${value}`);\n }\n \n return components.join('\\n');\n}\n\n/\n Verify Ed25519 signature using Web Crypto API\n /\nasync function verifyEd25519Signature(\n publicKeyBase64: string,\n signatureBase64: string,\n message: string\n): Promise<boolean> {\n try {\n // Decode base64 to Uint8Array\n const publicKeyBytes = Uint8Array.from(atob(publicKeyBase64), c => c.charCodeAt(0));\n const signatureBytes = Uint8Array.from(atob(signatureBase64), c => c.charCodeAt(0));\n const messageBytes = new TextEncoder().encode(message);\n \n // Check key and signature lengths\n if (publicKeyBytes.length !== 32) {\n console.error('[Signature] Invalid public key length:', publicKeyBytes.length);\n return false;\n }\n if (signatureBytes.length !== 64) {\n console.error('[Signature] Invalid signature length:', signatureBytes.length);\n return false;\n }\n \n // Import the public key\n const publicKey = await crypto.subtle.importKey(\n 'raw',\n publicKeyBytes,\n {\n name: 'Ed25519',\n namedCurve: 'Ed25519',\n },\n false,\n ['verify']\n );\n \n // Verify the signature\n const isValid = await crypto.subtle.verify(\n 'Ed25519',\n publicKey,\n signatureBytes,\n messageBytes\n );\n \n return isValid;\n } catch (error) {\n console.error('[Signature] Ed25519 verification failed:', error);\n \n // Fallback: Try with @noble/ed25519 if available (for environments without Ed25519 support)\n if (typeof window === 'undefined') {\n try {\n // In Node.js/Edge Runtime, we might need to use a polyfill\n // For now, we'll return false if Web Crypto doesn't support Ed25519\n console.warn('[Signature] Ed25519 not supported in this environment');\n return false;\n } catch {\n return false;\n }\n }\n \n return false;\n }\n}\n\n/\n Signature verification result\n /\nexport interface SignatureVerificationResult {\n isValid: boolean;\n agent?: string;\n keyid?: string;\n confidence: number;\n reason?: string;\n verificationMethod: 'signature' \| 'none';\n}\n\n/\n Verify HTTP Message Signature for AI agents\n /\nexport async function verifyAgentSignature(\n method: string,\n path: string,\n headers: Record<string, string>\n): Promise<SignatureVerificationResult> {\n // Check for signature headers\n const signature = headers['signature'] \|\| headers['Signature'];\n const signatureInput = headers['signature-input'] \|\| headers['Signature-Input'];\n const signatureAgent = headers['signature-agent'] \|\| headers['Signature-Agent'];\n \n // No signature present\n if (!signature \|\| !signatureInput) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'No signature headers present',\n verificationMethod: 'none',\n };\n }\n \n // Parse Signature-Input header\n const parsed = parseSignatureInput(signatureInput);\n if (!parsed) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Invalid Signature-Input header',\n verificationMethod: 'none',\n };\n }\n \n // Check timestamp if present\n if (parsed.created) {\n const now = Math.floor(Date.now() / 1000);\n const age = now - parsed.created;\n \n // Reject signatures older than 5 minutes\n if (age > 300) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Signature expired (older than 5 minutes)',\n verificationMethod: 'none',\n };\n }\n \n // Reject signatures from the future (clock skew tolerance: 30 seconds)\n if (age < -30) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Signature timestamp is in the future',\n verificationMethod: 'none',\n };\n }\n }\n \n // Determine which agent based on signature-agent header\n let agent: string \| undefined;\n let knownKeys: typeof KNOWN_KEYS.chatgpt \| undefined;\n \n if (signatureAgent === '\"https://chatgpt.com\"' \|\| signatureAgent?.includes('chatgpt.com')) {\n agent = 'ChatGPT';\n knownKeys = KNOWN_KEYS.chatgpt;\n }\n // Add other agents here as needed\n \n if (!agent \|\| !knownKeys) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Unknown signature agent',\n verificationMethod: 'none',\n };\n }\n \n // Find the key by ID\n const key = knownKeys.find(k => k.kid === parsed.keyid);\n if (!key) {\n return {\n isValid: false,\n confidence: 0,\n reason: `Unknown key ID: ${parsed.keyid}`,\n verificationMethod: 'none',\n };\n }\n \n // Check key validity period\n const now = Math.floor(Date.now() / 1000);\n if (now < key.validFrom \|\| now > key.validUntil) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Key is not valid at current time',\n verificationMethod: 'none',\n };\n }\n \n // Build the signature base string\n const signatureBase = buildSignatureBase(method, path, headers, parsed.signedHeaders);\n \n // Extract the actual signature value (remove \"sig1=:\" prefix and \"::\" suffix if present)\n let signatureValue = signature;\n if (signatureValue.startsWith('sig1=:')) {\n signatureValue = signatureValue.substring(6);\n }\n if (signatureValue.endsWith(':')) {\n signatureValue = signatureValue.slice(0, -1);\n }\n \n // Verify the signature\n const isValid = await verifyEd25519Signature(\n key.publicKey,\n signatureValue,\n signatureBase\n );\n \n if (isValid) {\n return {\n isValid: true,\n agent,\n keyid: parsed.keyid,\n confidence: 1.0, // 100% confidence for valid signature\n verificationMethod: 'signature',\n };\n } else {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Signature verification failed',\n verificationMethod: 'none',\n };\n }\n}\n\n/\n Quick check if signature headers are present (for performance)\n /\nexport function hasSignatureHeaders(headers: Record<string, string>): boolean {\n return !!(\n (headers['signature'] \|\| headers['Signature']) &&\n (headers['signature-input'] \|\| headers['Signature-Input'])\n );\n}\n\n/\n Check if this is a ChatGPT signature based on headers\n */\nexport function isChatGPTSignature(headers: Record<string, string>): boolean {\n const signatureAgent = headers['signature-agent'] \|\| headers['Signature-Agent'];\n return signatureAgent === '\"https://chatgpt.com\"' \|\| (signatureAgent?.includes('chatgpt.com') \|\| false);\n}"]}
1	+ {"version":3,"sources":["../src/signature-verifier.ts"],"names":["ed25519","sha512","now"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAaQA,kBAAA,CAAA,GAAA,CAAI,UAAA,GAAa,IAAI,CAAA,KAAMC,cAAA,CAAeD,uBAAI,WAAA,CAAY,GAAG,CAAC,CAAC,CAAA;AAcvE,IAAM,UAAA,GAAa;AAAA,EACjB,OAAA,EAAS;AAAA,IACP;AAAA,MACE,GAAA,EAAK,6CAAA;AAAA;AAAA;AAAA,MAGL,SAAA,EAAW,6CAAA;AAAA,MACX,SAAA,EAAW,UAAA;AAAA;AAAA;AAAA;AAAA,MAGX,UAAA,EAAY;AAAA;AAAA;AACd;AAEJ,CAAA;AAeA,IAAM,QAAA,uBAAe,GAAA,EAAwB;AAC7C,IAAM,YAAA,GAAe,IAAI,EAAA,GAAK,GAAA;AAC9B,IAAM,cAAA,GAAiB,GAAA;AAMvB,SAAS,aAAA,GAAwB;AAC/B,EAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AAEjC,IAAA,OAAO,eAAA;AAAA,EACT;AAIA,EAAA,MAAM,UACJ,OAAA,CAAQ,GAAA,CAAI,mBAAA,IACZ,OAAA,CAAQ,IAAI,mBAAA,IACZ,OAAA,CAAQ,GAAA,CAAI,OAAA,KACX,QAAQ,GAAA,CAAI,UAAA,GAAa,WAAW,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,CAAA,GAAK,IAAA,CAAA;AAElE,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA,GAAI,eAAA;AAAA,EACtC;AAKA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA,EAAc;AACzC,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KACF;AACA,IAAA,OAAO,oCAAA;AAAA,EACT;AAGA,EAAA,OAAA,CAAQ,KAAA;AAAA,IACN;AAAA,GACF;AACA,EAAA,OAAO,eAAA;AACT;AAOA,SAAS,mBAAA,GAA4B;AACnC,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,EAAA,MAAM,kBAA4B,EAAC;AAGnC,EAAA,KAAA,MAAW,CAAC,KAAA,EAAO,MAAM,CAAA,IAAK,QAAA,CAAS,SAAQ,EAAG;AAChD,IAAA,IAAI,GAAA,GAAM,MAAA,CAAO,QAAA,GAAW,YAAA,EAAc;AACxC,MAAA,eAAA,CAAgB,KAAK,KAAK,CAAA;AAAA,IAC5B;AAAA,EACF;AAEA,EAAA,KAAA,MAAW,SAAS,eAAA,EAAiB;AACnC,IAAA,QAAA,CAAS,OAAO,KAAK,CAAA;AAAA,EACvB;AAGA,EAAA,IAAI,QAAA,CAAS,OAAO,cAAA,EAAgB;AAElC,IAAA,MAAM,OAAA,GAAU,KAAA,CAAM,IAAA,CAAK,QAAA,CAAS,OAAA,EAAS,CAAA,CAAE,GAAA,CAAI,CAAC,CAAC,KAAA,EAAO,MAAM,CAAA,MAAO;AAAA,MACvE,KAAA;AAAA,MACA,UAAU,MAAA,CAAO;AAAA,KACnB,CAAE,CAAA;AAGF,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA,EAAG,MAAM,CAAA,CAAE,QAAA,GAAW,EAAE,QAAQ,CAAA;AAG9C,IAAA,MAAM,WAAW,OAAA,CAAQ,KAAA,CAAM,CAAA,EAAG,QAAA,CAAS,OAAO,cAAc,CAAA;AAChE,IAAA,KAAA,MAAW,SAAS,QAAA,EAAU;AAC5B,MAAA,QAAA,CAAS,MAAA,CAAO,MAAM,KAAK,CAAA;AAAA,IAC7B;AAAA,EACF;AACF;AAKA,eAAe,iBAAiB,KAAA,EAKrB;AAET,EAAA,IAAI,QAAA,CAAS,OAAO,cAAA,EAAgB;AAClC,IAAA,mBAAA,EAAoB;AAAA,EACtB;AAGA,EAAA,MAAM,MAAA,GAAS,QAAA,CAAS,GAAA,CAAI,KAAK,CAAA;AACjC,EAAA,IAAI,UAAU,IAAA,CAAK,GAAA,EAAI,GAAI,MAAA,CAAO,WAAW,YAAA,EAAc;AACzD,IAAA,OAAO,MAAA,CAAO,IAAA;AAAA,EAChB;AAGA,EAAA,IAAI,OAAO,UAAU,WAAA,EAAa;AAChC,IAAA,OAAA,CAAQ,KAAK,uDAAuD,CAAA;AACpE,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,aAAa,aAAA,EAAc;AACjC,IAAA,MAAM,MAAM,CAAA,EAAG,UAAU,CAAA,sBAAA,EAAyB,kBAAA,CAAmB,KAAK,CAAC,CAAA,CAAA;AAE3E,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,MAChC,MAAA,EAAQ,KAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB;AAAA,OAClB;AAAA;AAAA,MAEA,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAI;AAAA,KACjC,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,2CAAA,EAA8C,QAAA,CAAS,MAAM,CAAA,CAAE,CAAA;AAC5E,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAEjC,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,IAAQ,CAAC,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,IAAK,IAAA,CAAK,IAAA,CAAK,MAAA,KAAW,CAAA,EAAG;AACrE,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,iDAAA,EAAoD,KAAK,CAAA,CAAE,CAAA;AACxE,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,QAAA,CAAS,IAAI,KAAA,EAAO;AAAA,MAClB,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,QAAA,EAAU,KAAK,GAAA;AAAI,KACpB,CAAA;AAED,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAK,0DAAA,EAA4D;AAAA,MACvE,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU,eAAA;AAAA,MAChD;AAAA,KACD,CAAA;AACD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAKA,SAAS,aAAa,KAAA,EAAiD;AACrE,EAAA,OAAO,KAAA,IAAS,UAAA;AAClB;AAKA,eAAe,gBAAgB,KAAA,EAO7B;AAEA,EAAA,MAAM,OAAA,GAAU,MAAM,gBAAA,CAAiB,KAAK,CAAA;AAC5C,EAAA,IAAI,OAAA,IAAW,OAAA,CAAQ,MAAA,GAAS,CAAA,EAAG;AACjC,IAAA,OAAO,OAAA;AAAA,EACT;AAGA,EAAA,IAAI,YAAA,CAAa,KAAK,CAAA,EAAG;AACvB,IAAA,OAAO,WAAW,KAAK,CAAA;AAAA,EACzB;AAEA,EAAA,OAAO,EAAC;AACV;AAKA,SAAS,oBAAoB,cAAA,EAKpB;AACP,EAAA,IAAI;AAEF,IAAA,MAAM,KAAA,GAAQ,cAAA,CAAe,KAAA,CAAM,qBAAqB,CAAA;AACxD,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,IAAA,MAAM,GAAG,WAAA,EAAa,MAAM,CAAA,GAAI,KAAA;AAGhC,IAAA,MAAM,aAAA,GAAgB,WAAA,GAClB,WAAA,CACG,KAAA,CAAM,GAAG,EACT,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,EAAE,CAAA,CAAE,IAAA,EAAM,CAAA,CACrC,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,MAAA,GAAS,CAAC,CAAA,GAC7B,EAAC;AAGL,IAAA,MAAM,UAAA,GAAa,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,iBAAiB,CAAA,GAAI,IAAA;AAC9D,IAAA,MAAM,YAAA,GAAe,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,eAAe,CAAA,GAAI,IAAA;AAC9D,IAAA,MAAM,YAAA,GAAe,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,eAAe,CAAA,GAAI,IAAA;AAE9D,IAAA,IAAI,CAAC,UAAA,IAAc,CAAC,UAAA,CAAW,CAAC,GAAG,OAAO,IAAA;AAE1C,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,WAAW,CAAC,CAAA;AAAA,MACnB,OAAA,EAAS,gBAAgB,YAAA,CAAa,CAAC,IAAI,QAAA,CAAS,YAAA,CAAa,CAAC,CAAC,CAAA,GAAI,KAAA,CAAA;AAAA,MACvE,OAAA,EAAS,gBAAgB,YAAA,CAAa,CAAC,IAAI,QAAA,CAAS,YAAA,CAAa,CAAC,CAAC,CAAA,GAAI,KAAA,CAAA;AAAA,MACvE;AAAA,KACF;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,gDAAgD,KAAK,CAAA;AACnE,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMA,SAAS,kBAAA,CACP,MAAA,EACA,IAAA,EACA,OAAA,EACA,aAAA,EACQ;AACR,EAAA,MAAM,aAAuB,EAAC;AAE9B,EAAA,KAAA,MAAW,cAAc,aAAA,EAAe;AACtC,IAAA,IAAI,KAAA;AAEJ,IAAA,QAAQ,UAAA;AAAY,MAClB,KAAK,SAAA;AACH,QAAA,KAAA,GAAQ,OAAO,WAAA,EAAY;AAC3B,QAAA;AAAA,MACF,KAAK,OAAA;AACH,QAAA,KAAA,GAAQ,IAAA;AACR,QAAA;AAAA,MACF,KAAK,YAAA;AAEH,QAAA,KAAA,GAAQ,OAAA,CAAQ,MAAM,CAAA,IAAK,OAAA,CAAQ,MAAM,CAAA,IAAK,EAAA;AAC9C,QAAA;AAAA,MACF,SAAS;AAEP,QAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,EAAY,KAAM,UAAA,CAAW,aAAa,CAAA;AACzF,QAAA,KAAA,GAAQ,GAAA,GAAM,OAAA,CAAQ,GAAG,CAAA,IAAK,EAAA,GAAK,EAAA;AACnC,QAAA;AAAA,MACF;AAAA;AAIF,IAAA,UAAA,CAAW,IAAA,CAAK,CAAA,CAAA,EAAI,UAAU,CAAA,GAAA,EAAM,KAAK,CAAA,CAAE,CAAA;AAAA,EAC7C;AAEA,EAAA,OAAO,UAAA,CAAW,KAAK,IAAI,CAAA;AAC7B;AAMA,SAAS,cAAc,MAAA,EAA4B;AAEjD,EAAA,IAAI,cAAA,GAAiB,OAAO,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAGhE,EAAA,MAAM,OAAA,GAAU,eAAe,MAAA,GAAS,CAAA;AACxC,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,cAAA,IAAkB,GAAA,CAAI,MAAA,CAAO,CAAA,GAAI,OAAO,CAAA;AAAA,EAC1C;AAEA,EAAA,MAAM,YAAA,GAAe,KAAK,cAAc,CAAA;AACxC,EAAA,OAAO,UAAA,CAAW,KAAK,YAAA,EAAc,CAAC,MAAM,CAAA,CAAE,UAAA,CAAW,CAAC,CAAC,CAAA;AAC7D;AAMA,eAAe,sBAAA,CACb,eAAA,EACA,eAAA,EACA,OAAA,EACkB;AAClB,EAAA,IAAI;AAEF,IAAA,MAAM,cAAA,GAAiB,cAAc,eAAe,CAAA;AACpD,IAAA,MAAM,cAAA,GAAiB,cAAc,eAAe,CAAA;AACpD,IAAA,MAAM,YAAA,GAAe,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AAGrD,IAAA,IAAI,cAAA,CAAe,WAAW,EAAA,EAAI;AAChC,MAAA,OAAA,CAAQ,KAAA,CAAM,wCAAA,EAA0C,cAAA,CAAe,MAAM,CAAA;AAC7E,MAAA,OAAO,KAAA;AAAA,IACT;AACA,IAAA,IAAI,cAAA,CAAe,WAAW,EAAA,EAAI;AAChC,MAAA,OAAA,CAAQ,KAAA,CAAM,uCAAA,EAAyC,cAAA,CAAe,MAAM,CAAA;AAC5E,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,OAAeA,kBAAA,CAAA,MAAA,CAAO,cAAA,EAAgB,YAAA,EAAc,cAAc,CAAA;AAAA,EACpE,SAAS,UAAA,EAAY;AACnB,IAAA,OAAA,CAAQ,IAAA,CAAK,kEAAkE,UAAU,CAAA;AAGzF,IAAA,IAAI;AACF,MAAA,MAAM,cAAA,GAAiB,cAAc,eAAe,CAAA;AACpD,MAAA,MAAM,cAAA,GAAiB,cAAc,eAAe,CAAA;AACpD,MAAA,MAAM,YAAA,GAAe,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AAErD,MAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,QACpC,KAAA;AAAA,QACA,cAAA,CAAe,MAAA;AAAA,QACf;AAAA,UACE,IAAA,EAAM,SAAA;AAAA,UACN,UAAA,EAAY;AAAA,SACd;AAAA,QACA,KAAA;AAAA,QACA,CAAC,QAAQ;AAAA,OACX;AAEA,MAAA,OAAO,MAAM,OAAO,MAAA,CAAO,MAAA;AAAA,QACzB,SAAA;AAAA,QACA,SAAA;AAAA,QACA,cAAA,CAAe,MAAA;AAAA,QACf;AAAA,OACF;AAAA,IACF,SAAS,WAAA,EAAa;AACpB,MAAA,OAAA,CAAQ,MAAM,wDAAA,EAA0D;AAAA,QACtE,UAAA,EAAY,UAAA,YAAsB,KAAA,GAAQ,UAAA,CAAW,OAAA,GAAU,SAAA;AAAA,QAC/D,WAAA,EAAa,WAAA,YAAuB,KAAA,GAAQ,WAAA,CAAY,OAAA,GAAU;AAAA,OACnE,CAAA;AACD,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AACF;AAiBA,eAAsB,oBAAA,CACpB,MAAA,EACA,IAAA,EACA,OAAA,EACsC;AAEtC,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,WAAW,CAAA,IAAK,QAAQ,WAAW,CAAA;AAC7D,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,iBAAiB,CAAA,IAAK,QAAQ,iBAAiB,CAAA;AAC9E,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,iBAAiB,CAAA,IAAK,QAAQ,iBAAiB,CAAA;AAG9E,EAAA,IAAI,CAAC,SAAA,IAAa,CAAC,cAAA,EAAgB;AACjC,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,8BAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,MAAA,GAAS,oBAAoB,cAAc,CAAA;AACjD,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,gCAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,IAAI,OAAO,OAAA,EAAS;AAClB,IAAA,MAAME,OAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,GAAA,GAAMA,OAAM,MAAA,CAAO,OAAA;AAGzB,IAAA,IAAI,MAAM,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,CAAA;AAAA,QACZ,MAAA,EAAQ,0CAAA;AAAA,QACR,kBAAA,EAAoB;AAAA,OACtB;AAAA,IACF;AAGA,IAAA,IAAI,MAAM,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,CAAA;AAAA,QACZ,MAAA,EAAQ,sCAAA;AAAA,QACR,kBAAA,EAAoB;AAAA,OACtB;AAAA,IACF;AAAA,EACF;AAGA,EAAA,IAAI,KAAA;AACJ,EAAA,IAAI,QAAA;AAEJ,EAAA,IAAI,cAAA,KAAmB,uBAAA,IAA2B,cAAA,EAAgB,QAAA,CAAS,aAAa,CAAA,EAAG;AACzF,IAAA,KAAA,GAAQ,SAAA;AACR,IAAA,QAAA,GAAW,SAAA;AAAA,EACb;AAGA,EAAA,IAAI,CAAC,KAAA,IAAS,CAAC,QAAA,EAAU;AACvB,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,yBAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,SAAA,GAAY,MAAM,eAAA,CAAgB,QAAQ,CAAA;AAEhD,EAAA,IAAI,SAAA,CAAU,WAAW,CAAA,EAAG;AAC1B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,6BAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,GAAA,GAAM,UAAU,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,GAAA,KAAQ,OAAO,KAAK,CAAA;AACxD,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,CAAA,gBAAA,EAAmB,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,MACvC,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,EAAA,IAAI,GAAA,GAAM,GAAA,CAAI,SAAA,IAAa,GAAA,GAAM,IAAI,UAAA,EAAY;AAC/C,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,kCAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AAGA,EAAA,MAAM,gBAAgB,kBAAA,CAAmB,MAAA,EAAQ,IAAA,EAAM,OAAA,EAAS,OAAO,aAAa,CAAA;AAGpF,EAAA,IAAI,cAAA,GAAiB,SAAA;AACrB,EAAA,IAAI,cAAA,CAAe,UAAA,CAAW,QAAQ,CAAA,EAAG;AACvC,IAAA,cAAA,GAAiB,cAAA,CAAe,UAAU,CAAC,CAAA;AAAA,EAC7C;AACA,EAAA,IAAI,cAAA,CAAe,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,IAAA,cAAA,GAAiB,cAAA,CAAe,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAAA,EAC7C;AAGA,EAAA,MAAM,UAAU,MAAM,sBAAA,CAAuB,GAAA,CAAI,SAAA,EAAW,gBAAgB,aAAa,CAAA;AAEzF,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,IAAA;AAAA,MACT,KAAA;AAAA,MACA,OAAO,MAAA,CAAO,KAAA;AAAA,MACd,UAAA,EAAY,CAAA;AAAA;AAAA,MACZ,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF,CAAA,MAAO;AACL,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,CAAA;AAAA,MACZ,MAAA,EAAQ,+BAAA;AAAA,MACR,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AACF;AAKO,SAAS,oBAAoB,OAAA,EAA0C;AAC5E,EAAA,OAAO,CAAC,EAAA,CACL,OAAA,CAAQ,WAAW,CAAA,IAAK,OAAA,CAAQ,WAAW,CAAA,MAC3C,OAAA,CAAQ,iBAAiB,CAAA,IAAK,OAAA,CAAQ,iBAAiB,CAAA,CAAA,CAAA;AAE5D;AAMO,SAAS,mBAAmB,OAAA,EAA0C;AAC3E,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,iBAAiB,CAAA,IAAK,QAAQ,iBAAiB,CAAA;AAE9E,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,MAAM,WAAA,GAAc,cAAA,CAAe,OAAA,CAAQ,UAAA,EAAY,EAAE,CAAA;AAGzD,EAAA,IAAI,gBAAgB,qBAAA,EAAuB;AACzC,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,QAAA,GAAW,IAAI,GAAA,CAAI,WAAW,CAAA;AACpC,IAAA,MAAM,YAAA,GAAe,CAAC,aAAA,EAAe,iBAAiB,CAAA;AACtD,IAAA,OAAO,YAAA,CAAa,QAAA,CAAS,QAAA,CAAS,IAAI,CAAA;AAAA,EAC5C,CAAA,CAAA,MAAQ;AAEN,IAAA,OAAO,KAAA;AAAA,EACT;AACF","file":"signature-verifier.js","sourcesContent":["/*\n Ed25519 Signature Verification for HTTP Message Signatures\n * Implements proper cryptographic verification for ChatGPT and other agents\n \n Based on RFC 9421 (HTTP Message Signatures) and ChatGPT's implementation\n * Reference: https://help.openai.com/en/articles/9785974-chatgpt-user-allowlisting\n /\n\nimport as ed25519 from '@noble/ed25519';\nimport { sha512 } from '@noble/hashes/sha2.js';\n\n// Configure @noble/ed25519 to use sync SHA-512 from @noble/hashes\n// This works in all environments including Edge Runtime\ned25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));\n\n/*\n Known public keys for AI agents (fallback)\n \n IMPORTANT: These keys are used as fallback when the API is unavailable.\n * The primary source of keys should be the /api/internal/signature-keys endpoint\n * which fetches from https://chatgpt.com/.well-known/http-message-signatures-directory\n \n TODO: Implement automated key rotation by:\n * 1. Setting up a cron job to fetch from OpenAI's well-known endpoint\n * 2. Storing keys in database/KV store with proper expiration handling\n * 3. Removing hardcoded fallback keys entirely\n /\nconst KNOWN_KEYS = {\n chatgpt: [\n {\n kid: 'otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg',\n // ChatGPT's current Ed25519 public key (base64)\n // Source: https://chatgpt.com/.well-known/http-message-signatures-directory\n publicKey: '7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g',\n validFrom: 1735689600, // Jan 1, 2025 (from OpenAI's nbf)\n // Extended expiration as fallback safety - API fetch should provide fresh keys\n // Check OpenAI's well-known endpoint for actual expiration dates\n validUntil: 1799625600, // Jan 1, 2027 (extended for fallback safety)\n },\n ],\n};\n\n/\n In-memory cache for API-fetched keys\n /\ninterface CachedKeys {\n keys: Array<{\n kid: string;\n publicKey: string;\n validFrom: number;\n validUntil: number;\n }>;\n cachedAt: number;\n}\n\nconst keyCache = new Map<string, CachedKeys>();\nconst CACHE_TTL_MS = 5 60 * 1000; // 5 minutes\nconst CACHE_MAX_SIZE = 100; // Maximum cache entries before cleanup\n\n/*\n Get API base URL for fetching keys\n * Returns absolute URL for server-side, relative for browser\n /\nfunction getApiBaseUrl(): string {\n if (typeof window !== 'undefined') {\n // Browser: use relative path\n return '/api/internal';\n }\n\n // Server-side: must use absolute URL\n // Try environment variables first\n const baseUrl =\n process.env.NEXT_PUBLIC_APP_URL \|\|\n process.env.NEXT_PUBLIC_API_URL \|\|\n process.env.API_URL \|\|\n (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : null);\n\n if (baseUrl) {\n return baseUrl.replace(/\\/$/, '') + '/api/internal';\n }\n\n // Fallback: try to construct from request context if available\n // For middleware/edge runtime, we may need to pass the request URL\n // For now, return relative path and log warning\n if (process.env.NODE_ENV !== 'production') {\n console.warn(\n '[Signature] No base URL configured for server-side fetch. Using localhost fallback.'\n );\n return 'http://localhost:3000/api/internal';\n }\n\n // Production fallback - should not reach here if properly configured\n console.error(\n '[Signature] CRITICAL: No base URL configured for server-side fetch in production!'\n );\n return '/api/internal'; // Will fail, but prevents silent success\n}\n\n/\n Clean up expired cache entries and enforce size limit\n * Called periodically to prevent unbounded memory growth\n * Uses LRU-style eviction: removes expired entries first, then oldest entries if still over limit\n /\nfunction cleanupExpiredCache(): void {\n const now = Date.now();\n const entriesToDelete: string[] = [];\n\n // First pass: remove expired entries\n for (const [agent, cached] of keyCache.entries()) {\n if (now - cached.cachedAt > CACHE_TTL_MS) {\n entriesToDelete.push(agent);\n }\n }\n\n for (const agent of entriesToDelete) {\n keyCache.delete(agent);\n }\n\n // Second pass: if still over limit, remove oldest entries (LRU eviction)\n if (keyCache.size > CACHE_MAX_SIZE) {\n // Convert entries to array with cachedAt timestamp for sorting\n const entries = Array.from(keyCache.entries()).map(([agent, cached]) => ({\n agent,\n cachedAt: cached.cachedAt,\n }));\n\n // Sort by cachedAt (oldest first)\n entries.sort((a, b) => a.cachedAt - b.cachedAt);\n\n // Remove oldest entries until we're under the limit\n const toRemove = entries.slice(0, keyCache.size - CACHE_MAX_SIZE);\n for (const entry of toRemove) {\n keyCache.delete(entry.agent);\n }\n }\n}\n\n/\n Fetch keys from API with caching\n /\nasync function fetchKeysFromApi(agent: string): Promise<Array<{\n kid: string;\n publicKey: string;\n validFrom: number;\n validUntil: number;\n}> \| null> {\n // Periodic cleanup to prevent memory leaks\n if (keyCache.size > CACHE_MAX_SIZE) {\n cleanupExpiredCache();\n }\n\n // Check cache first\n const cached = keyCache.get(agent);\n if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {\n return cached.keys;\n }\n\n // Check if fetch is available (Edge Runtime compatibility)\n if (typeof fetch === 'undefined') {\n console.warn('[Signature] fetch() not available in this environment');\n return null;\n }\n\n try {\n const apiBaseUrl = getApiBaseUrl();\n const url = `${apiBaseUrl}/signature-keys?agent=${encodeURIComponent(agent)}`;\n\n const response = await fetch(url, {\n method: 'GET',\n headers: {\n 'Content-Type': 'application/json',\n },\n // 5 second timeout\n signal: AbortSignal.timeout(5000),\n });\n\n if (!response.ok) {\n console.warn(`[Signature] Failed to fetch keys from API: ${response.status}`);\n return null;\n }\n\n const data = await response.json();\n\n if (!data.keys \|\| !Array.isArray(data.keys) \|\| data.keys.length === 0) {\n console.warn(`[Signature] No keys returned from API for agent: ${agent}`);\n return null;\n }\n\n // Cache the result\n keyCache.set(agent, {\n keys: data.keys,\n cachedAt: Date.now(),\n });\n\n return data.keys;\n } catch (error) {\n console.warn('[Signature] Error fetching keys from API, using fallback', {\n error: error instanceof Error ? error.message : 'Unknown error',\n agent,\n });\n return null;\n }\n}\n\n/\n Type guard to check if agent is a valid key in KNOWN_KEYS\n /\nfunction isValidAgent(agent: string): agent is keyof typeof KNOWN_KEYS {\n return agent in KNOWN_KEYS;\n}\n\n/\n Get keys for an agent (API first, then fallback)\n /\nasync function getKeysForAgent(agent: string): Promise<\n Array<{\n kid: string;\n publicKey: string;\n validFrom: number;\n validUntil: number;\n }>\n> {\n // Try API first\n const apiKeys = await fetchKeysFromApi(agent);\n if (apiKeys && apiKeys.length > 0) {\n return apiKeys;\n }\n\n // Fallback to hardcoded keys with type guard\n if (isValidAgent(agent)) {\n return KNOWN_KEYS[agent];\n }\n\n return [];\n}\n\n/\n Parse the Signature-Input header according to RFC 9421\n /\nfunction parseSignatureInput(signatureInput: string): {\n keyid: string;\n created?: number \| undefined;\n expires?: number \| undefined;\n signedHeaders: string[];\n} \| null {\n try {\n // Example: sig1=(\"@method\" \"@path\" \"@authority\" \"date\");keyid=\"...\";created=1234567890\n const match = signatureInput.match(/sig1=\$(.?)\$;(.+)/);\n if (!match) return null;\n\n const [, headersList, params] = match;\n\n // Parse signed headers\n const signedHeaders = headersList\n ? headersList\n .split(' ')\n .map((h) => h.replace(/\"/g, '').trim())\n .filter((h) => h.length > 0)\n : [];\n\n // Parse parameters\n const keyidMatch = params ? params.match(/keyid=\"([^\"]+)\"/) : null;\n const createdMatch = params ? params.match(/created=(\\d+)/) : null;\n const expiresMatch = params ? params.match(/expires=(\\d+)/) : null;\n\n if (!keyidMatch \|\| !keyidMatch[1]) return null;\n\n return {\n keyid: keyidMatch[1],\n created: createdMatch && createdMatch[1] ? parseInt(createdMatch[1]) : undefined,\n expires: expiresMatch && expiresMatch[1] ? parseInt(expiresMatch[1]) : undefined,\n signedHeaders,\n };\n } catch (error) {\n console.error('[Signature] Failed to parse Signature-Input:', error);\n return null;\n }\n}\n\n/*\n Build the signature base string according to RFC 9421\n * This is what gets signed\n /\nfunction buildSignatureBase(\n method: string,\n path: string,\n headers: Record<string, string>,\n signedHeaders: string[]\n): string {\n const components: string[] = [];\n\n for (const headerName of signedHeaders) {\n let value: string;\n\n switch (headerName) {\n case '@method':\n value = method.toUpperCase();\n break;\n case '@path':\n value = path;\n break;\n case '@authority':\n // Get from Host header or URL\n value = headers['host'] \|\| headers['Host'] \|\| '';\n break;\n default: {\n // Regular headers (case-insensitive lookup)\n const key = Object.keys(headers).find((k) => k.toLowerCase() === headerName.toLowerCase());\n value = key ? headers[key] \|\| '' : '';\n break;\n }\n }\n\n // Format according to RFC 9421\n components.push(`\"${headerName}\": ${value}`);\n }\n\n return components.join('\\n');\n}\n\n/\n Decode base64 (handles both standard and URL-safe variants)\n * URL-safe base64 uses - instead of + and _ instead of /\n /\nfunction base64ToBytes(base64: string): Uint8Array {\n // Convert URL-safe base64 to standard base64\n let standardBase64 = base64.replace(/-/g, '+').replace(/_/g, '/');\n\n // Add padding if needed\n const padding = standardBase64.length % 4;\n if (padding) {\n standardBase64 += '='.repeat(4 - padding);\n }\n\n const binaryString = atob(standardBase64);\n return Uint8Array.from(binaryString, (c) => c.charCodeAt(0));\n}\n\n/\n Verify Ed25519 signature using @noble/ed25519 (works in all environments including Edge Runtime)\n * Falls back to Web Crypto API if available\n /\nasync function verifyEd25519Signature(\n publicKeyBase64: string,\n signatureBase64: string,\n message: string\n): Promise<boolean> {\n try {\n // Decode base64 to Uint8Array (handles URL-safe base64)\n const publicKeyBytes = base64ToBytes(publicKeyBase64);\n const signatureBytes = base64ToBytes(signatureBase64);\n const messageBytes = new TextEncoder().encode(message);\n\n // Check key and signature lengths\n if (publicKeyBytes.length !== 32) {\n console.error('[Signature] Invalid public key length:', publicKeyBytes.length);\n return false;\n }\n if (signatureBytes.length !== 64) {\n console.error('[Signature] Invalid signature length:', signatureBytes.length);\n return false;\n }\n\n // Use @noble/ed25519 with sync SHA-512 - works in all environments including Edge Runtime\n return ed25519.verify(signatureBytes, messageBytes, publicKeyBytes);\n } catch (nobleError) {\n console.warn('[Signature] @noble/ed25519 failed, trying Web Crypto fallback:', nobleError);\n\n // Fallback to Web Crypto API (may not work in Edge Runtime)\n try {\n const publicKeyBytes = base64ToBytes(publicKeyBase64);\n const signatureBytes = base64ToBytes(signatureBase64);\n const messageBytes = new TextEncoder().encode(message);\n\n const publicKey = await crypto.subtle.importKey(\n 'raw',\n publicKeyBytes.buffer as ArrayBuffer,\n {\n name: 'Ed25519',\n namedCurve: 'Ed25519',\n },\n false,\n ['verify']\n );\n\n return await crypto.subtle.verify(\n 'Ed25519',\n publicKey,\n signatureBytes.buffer as ArrayBuffer,\n messageBytes\n );\n } catch (cryptoError) {\n console.error('[Signature] Both @noble/ed25519 and Web Crypto failed:', {\n nobleError: nobleError instanceof Error ? nobleError.message : 'Unknown',\n cryptoError: cryptoError instanceof Error ? cryptoError.message : 'Unknown',\n });\n return false;\n }\n }\n}\n\n/\n Signature verification result\n /\nexport interface SignatureVerificationResult {\n isValid: boolean;\n agent?: string;\n keyid?: string;\n confidence: number;\n reason?: string;\n verificationMethod: 'signature' \| 'none';\n}\n\n/\n Verify HTTP Message Signature for AI agents\n /\nexport async function verifyAgentSignature(\n method: string,\n path: string,\n headers: Record<string, string>\n): Promise<SignatureVerificationResult> {\n // Check for signature headers\n const signature = headers['signature'] \|\| headers['Signature'];\n const signatureInput = headers['signature-input'] \|\| headers['Signature-Input'];\n const signatureAgent = headers['signature-agent'] \|\| headers['Signature-Agent'];\n\n // No signature present\n if (!signature \|\| !signatureInput) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'No signature headers present',\n verificationMethod: 'none',\n };\n }\n\n // Parse Signature-Input header\n const parsed = parseSignatureInput(signatureInput);\n if (!parsed) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Invalid Signature-Input header',\n verificationMethod: 'none',\n };\n }\n\n // Check timestamp if present\n if (parsed.created) {\n const now = Math.floor(Date.now() / 1000);\n const age = now - parsed.created;\n\n // Reject signatures older than 5 minutes\n if (age > 300) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Signature expired (older than 5 minutes)',\n verificationMethod: 'none',\n };\n }\n\n // Reject signatures from the future (clock skew tolerance: 30 seconds)\n if (age < -30) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Signature timestamp is in the future',\n verificationMethod: 'none',\n };\n }\n }\n\n // Determine which agent based on signature-agent header\n let agent: string \| undefined;\n let agentKey: string \| undefined;\n\n if (signatureAgent === '\"https://chatgpt.com\"' \|\| signatureAgent?.includes('chatgpt.com')) {\n agent = 'ChatGPT';\n agentKey = 'chatgpt';\n }\n // Add other agents here as needed\n\n if (!agent \|\| !agentKey) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Unknown signature agent',\n verificationMethod: 'none',\n };\n }\n\n // Get keys (API first, then fallback)\n const knownKeys = await getKeysForAgent(agentKey);\n\n if (knownKeys.length === 0) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'No keys available for agent',\n verificationMethod: 'none',\n };\n }\n\n // Find the key by ID\n const key = knownKeys.find((k) => k.kid === parsed.keyid);\n if (!key) {\n return {\n isValid: false,\n confidence: 0,\n reason: `Unknown key ID: ${parsed.keyid}`,\n verificationMethod: 'none',\n };\n }\n\n // Check key validity period\n const now = Math.floor(Date.now() / 1000);\n if (now < key.validFrom \|\| now > key.validUntil) {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Key is not valid at current time',\n verificationMethod: 'none',\n };\n }\n\n // Build the signature base string\n const signatureBase = buildSignatureBase(method, path, headers, parsed.signedHeaders);\n\n // Extract the actual signature value (remove \"sig1=:\" prefix and \"::\" suffix if present)\n let signatureValue = signature;\n if (signatureValue.startsWith('sig1=:')) {\n signatureValue = signatureValue.substring(6);\n }\n if (signatureValue.endsWith(':')) {\n signatureValue = signatureValue.slice(0, -1);\n }\n\n // Verify the signature\n const isValid = await verifyEd25519Signature(key.publicKey, signatureValue, signatureBase);\n\n if (isValid) {\n return {\n isValid: true,\n agent,\n keyid: parsed.keyid,\n confidence: 1.0, // 100% confidence for valid signature\n verificationMethod: 'signature',\n };\n } else {\n return {\n isValid: false,\n confidence: 0,\n reason: 'Signature verification failed',\n verificationMethod: 'none',\n };\n }\n}\n\n/\n Quick check if signature headers are present (for performance)\n /\nexport function hasSignatureHeaders(headers: Record<string, string>): boolean {\n return !!(\n (headers['signature'] \|\| headers['Signature']) &&\n (headers['signature-input'] \|\| headers['Signature-Input'])\n );\n}\n\n/\n Check if this is a ChatGPT signature based on headers\n * Uses secure URL parsing to prevent spoofing attacks\n */\nexport function isChatGPTSignature(headers: Record<string, string>): boolean {\n const signatureAgent = headers['signature-agent'] \|\| headers['Signature-Agent'];\n\n if (!signatureAgent) {\n return false;\n }\n\n // Strip leading/trailing quotes if present\n const agentUrlStr = signatureAgent.replace(/^\"+\|\"+$/g, '');\n\n // Exact match for the standard ChatGPT signature agent\n if (agentUrlStr === 'https://chatgpt.com') {\n return true;\n }\n\n // Parse URL and validate host to prevent spoofing\n try {\n const agentUrl = new URL(agentUrlStr);\n const allowedHosts = ['chatgpt.com', 'www.chatgpt.com'];\n return allowedHosts.includes(agentUrl.host);\n } catch {\n // Not a valid URL, return false for security\n return false;\n }\n}\n"]}