@prosopo/provider 3.13.7 → 4.7.1

package/dist/tests/unit/tasks/powCaptcha/powTasks.unit.test.js

@@ -0,0 +1,1714 @@
+import { stringToHex, u8aToHex } from "@polkadot/util";
+import { ApiParams, CaptchaStatus, CaptchaType, POW_SEPARATOR, } from "@prosopo/types";
+import { AccessPolicyType, } from "@prosopo/user-access-policy";
+import { getIPAddress, verifyRecency } from "@prosopo/util";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { getCompositeIpAddress } from "../../../../compositeIpAddress.js";
+import { PowCaptchaManager } from "../../../../tasks/powCaptcha/powTasks.js";
+import { checkPowSignature, validateSolution, } from "../../../../tasks/powCaptcha/powTasksUtils.js";
+vi.mock("@prosopo/util-crypto", () => ({
+    signatureVerify: vi.fn(),
+}));
+vi.mock("@polkadot/util", () => ({
+    u8aToHex: vi.fn(),
+    stringToHex: vi.fn(),
+}));
+vi.mock("@prosopo/util", async (importOriginal) => {
+    const actual = (await importOriginal());
+    return {
+        ...actual,
+        verifyRecency: vi.fn(),
+    };
+});
+vi.mock("../../../../tasks/powCaptcha/powTasksUtils.js", () => ({
+    checkPowSignature: vi.fn(),
+    validateSolution: vi.fn(),
+}));
+describe("PowCaptchaManager", () => {
+    let db;
+    let pair;
+    let powCaptchaManager;
+    let mockEnv;
+    let originalDecide;
+    const mockDecisionMachine = (mockFn) => {
+        originalDecide = powCaptchaManager.decisionMachineRunner.decide;
+        powCaptchaManager.decisionMachineRunner.decide = mockFn;
+    };
+    const restoreDecisionMachine = () => {
+        if (originalDecide) {
+            powCaptchaManager.decisionMachineRunner.decide = originalDecide;
+            originalDecide = undefined;
+        }
+    };
+    beforeEach(() => {
+        db = {
+            storePowCaptchaRecord: vi.fn(),
+            getPowCaptchaRecordByChallenge: vi.fn(),
+            updatePowCaptchaRecordResult: vi.fn(),
+            updatePowCaptchaRecord: vi.fn(),
+            markDappUserPoWCommitmentsChecked: vi.fn(),
+            getClientRecord: vi.fn(),
+            getSessionRecordBySessionId: vi.fn(),
+            updateSessionRecord: vi.fn(),
+            getSpamEmailDomain: vi.fn(),
+        };
+        pair = {
+            sign: vi.fn(),
+            address: "testAddress",
+        };
+        mockEnv = {
+            config: {
+                ipApi: {
+                    apiKey: "testKey",
+                    baseUrl: "https://api.ipapi.is",
+                },
+            },
+            ipInfoService: {
+                initialize: vi.fn().mockResolvedValue(undefined),
+                isAvailable: vi.fn().mockReturnValue(true),
+                lookup: vi.fn(async (ip) => ({
+                    isValid: false,
+                    error: "stubbed in test",
+                    ip,
+                })),
+            },
+        };
+        powCaptchaManager = new PowCaptchaManager(db, pair, mockEnv.config);
+        vi.clearAllMocks();
+    });
+    afterEach(() => {
+        restoreDecisionMachine();
+    });
+    describe("getPowCaptchaChallenge", () => {
+        it("should generate a PoW captcha challenge", async () => {
+            const userAccount = "userAccount";
+            const dappAccount = "dappAccount";
+            const origin = "origin";
+            const challengeRegExp = new RegExp(`[0-9]+___${userAccount}___${dappAccount}`);
+            pair.sign.mockReturnValueOnce("signedChallenge");
+            u8aToHex.mockReturnValueOnce("hexSignedChallenge");
+            const result = await powCaptchaManager.getPowCaptchaChallenge(userAccount, dappAccount, origin);
+            expect(result.challenge.match(challengeRegExp)).toBeTruthy();
+            expect(result.difficulty).toEqual(4);
+            expect(result.providerSignature).toEqual("hexSignedChallenge");
+            expect(pair.sign).toHaveBeenCalledWith(stringToHex(result.challenge));
+        });
+    });
+    describe("verifyPowCaptchaSolution", () => {
+        it("should verify a valid PoW captcha solution", async () => {
+            const requestedAtTimestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${requestedAtTimestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const difficulty = 4;
+            const providerSignature = "testSignature";
+            const userSignature = "testTimestampSignature";
+            const nonce = 12345;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const challengeRecord = {
+                challenge,
+                difficulty,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(requestedAtTimestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature,
+                lastUpdatedTimestamp: new Date(),
+            };
+            verifyRecency.mockImplementation(() => true);
+            checkPowSignature.mockImplementation(() => true);
+            validateSolution.mockImplementation(() => true);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(true);
+            const verifyPowCaptchaSolutionArgs = [
+                challenge,
+                providerSignature,
+                nonce,
+                timeout,
+                userSignature,
+                ipAddress,
+                headers,
+                undefined,
+            ];
+            const result = await powCaptchaManager.verifyPowCaptchaSolution(...verifyPowCaptchaSolutionArgs);
+            expect(result.verified).toBe(true);
+            const verifyRecencyArgs = [
+                challenge,
+                timeout,
+            ];
+            expect(verifyRecency).toHaveBeenCalledWith(...verifyRecencyArgs);
+            const checKPowSignatureArgs1 = [
+                requestedAtTimestamp.toString(),
+                userSignature,
+                userAccount,
+                ApiParams.timestamp,
+            ];
+            expect(checkPowSignature).toHaveBeenCalledWith(...checKPowSignatureArgs1);
+            const checKPowSignatureArgs2 = [
+                challenge,
+                providerSignature,
+                pair.address,
+                ApiParams.challenge,
+            ];
+            expect(checkPowSignature).toHaveBeenCalledWith(...checKPowSignatureArgs2);
+            const validateSolutionArgs = [
+                nonce,
+                challenge,
+                difficulty,
+            ];
+            expect(validateSolution).toHaveBeenCalledWith(...validateSolutionArgs);
+            const updatePowCaptchaRecordArgs = [
+                challenge,
+                { status: CaptchaStatus.approved },
+                false,
+                true,
+                userSignature,
+                undefined,
+            ];
+            expect(db.updatePowCaptchaRecordResult).toHaveBeenCalledWith(...updatePowCaptchaRecordArgs);
+        });
+        it("should throw an error if PoW captcha solution is invalid", async () => {
+            const challenge = `${12345}${POW_SEPARATOR}userAccount${POW_SEPARATOR}dappAccount`;
+            const difficulty = 4;
+            const signature = "testSignature";
+            const nonce = 12345;
+            const timeout = 1000;
+            const timestampSignature = "testTimestampSignature";
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const challengeRecord = {
+                challenge,
+                dappAccount: pair.address,
+                userAccount: "testUserAccount",
+                requestedAtTimestamp: new Date(12345),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                difficulty,
+                lastUpdatedTimestamp: new Date(0),
+            };
+            verifyRecency.mockImplementation(() => {
+                return true;
+            });
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            validateSolution.mockImplementation(() => false);
+            expect((await powCaptchaManager.verifyPowCaptchaSolution(challenge, signature, nonce, timeout, timestampSignature, ipAddress, headers, undefined)).verified).toBe(false);
+            expect(verifyRecency).toHaveBeenCalledWith(challenge, timeout);
+        });
+    });
+    describe("serverVerifyPowCaptchaSolution", () => {
+        it("should verify a valid PoW captcha solution on the server", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const challengeRecord = {
+                challenge,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                serverChecked: false,
+                result: { status: CaptchaStatus.approved },
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+            expect(result.verified).toBe(true);
+            expect(db.getPowCaptchaRecordByChallenge).toHaveBeenCalledWith(challenge);
+            expect(verifyRecency).toHaveBeenCalledWith(challenge, timeout);
+            const markDappUserPoWCommitmentsCheckedArgs = [[challenge]];
+            expect(db.markDappUserPoWCommitmentsChecked).toHaveBeenCalledWith(...markDappUserPoWCommitmentsCheckedArgs);
+        });
+        it("should return verified:false if a challenge cannot be found", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456678;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(null);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+            expect(result.verified).toBe(false);
+            expect(db.getPowCaptchaRecordByChallenge).toHaveBeenCalledWith(challenge);
+        });
+        it("should return verified:false when user is blocked by access policy", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const sessionId = "test-session-id";
+            const decryptedHeadHash = "abc123def456";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                sessionId,
+            };
+            const sessionRecord = {
+                sessionId,
+                createdAt: new Date(),
+                token: "test-token",
+                score: 0.5,
+                threshold: 0.5,
+                scoreComponents: { baseScore: 0.5 },
+                providerSelectEntropy: 13337,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                captchaType: CaptchaType.pow,
+                webView: false,
+                iFrame: false,
+                decryptedHeadHash,
+            };
+            const mockAccessRulesStorage = {
+                findRules: vi.fn().mockResolvedValue([
+                    {
+                        type: AccessPolicyType.Block,
+                        headHash: decryptedHeadHash,
+                    },
+                ]),
+                insertRules: vi.fn(),
+                deleteRules: vi.fn(),
+                deleteAllRules: vi.fn(),
+                fetchRules: vi.fn(),
+                getMissingRuleIds: vi.fn(),
+                findRuleIds: vi.fn(),
+                fetchAllRuleIds: vi.fn(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getSessionRecordBySessionId = vi
+                .fn()
+                .mockResolvedValue(sessionRecord);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, mockAccessRulesStorage);
+            expect(result.verified).toBe(false);
+        });
+        it("should not block when access policy has captchaType (not a hard block)", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const sessionId = "test-session-id";
+            const decryptedHeadHash = "abc123def456";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                sessionId,
+            };
+            const sessionRecord = {
+                sessionId,
+                createdAt: new Date(),
+                token: "test-token",
+                score: 0.5,
+                threshold: 0.5,
+                scoreComponents: { baseScore: 0.5 },
+                providerSelectEntropy: 13337,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                captchaType: CaptchaType.pow,
+                webView: false,
+                iFrame: false,
+                decryptedHeadHash,
+            };
+            const mockAccessRulesStorage = {
+                findRules: vi.fn().mockResolvedValue([
+                    {
+                        type: AccessPolicyType.Block,
+                        headHash: decryptedHeadHash,
+                        captchaType: CaptchaType.image,
+                    },
+                ]),
+                insertRules: vi.fn(),
+                deleteRules: vi.fn(),
+                deleteAllRules: vi.fn(),
+                fetchRules: vi.fn(),
+                getMissingRuleIds: vi.fn(),
+                findRuleIds: vi.fn(),
+                fetchAllRuleIds: vi.fn(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getSessionRecordBySessionId = vi
+                .fn()
+                .mockResolvedValue(sessionRecord);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, mockAccessRulesStorage);
+            expect(result.verified).toBe(true);
+        });
+        it("should verify successfully when no blocking access policy exists", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            const mockAccessRulesStorage = {
+                findRules: vi.fn().mockResolvedValue([]),
+                insertRules: vi.fn(),
+                deleteRules: vi.fn(),
+                deleteAllRules: vi.fn(),
+                fetchRules: vi.fn(),
+                getMissingRuleIds: vi.fn(),
+                findRuleIds: vi.fn(),
+                fetchAllRuleIds: vi.fn(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, mockAccessRulesStorage);
+            expect(result.verified).toBe(true);
+        });
+    });
+    describe("serverVerifyPowCaptchaSolution with decision machine", () => {
+        it("should allow when decision machine returns allow", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const behavioralDataPacked = {
+                c1: [1, 2, 3],
+                c2: [4, 5, 6],
+                c3: [7, 8, 9],
+                d: "test-device",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                behavioralDataPacked,
+                deviceCapability: "test-device",
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+            expect(result.verified).toBe(true);
+        });
+        it("should deny when decision machine returns deny", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const behavioralDataPacked = {
+                c1: [1, 2, 3],
+                c2: [4, 5, 6],
+                c3: [7, 8, 9],
+                d: "suspicious-device",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                behavioralDataPacked,
+                deviceCapability: "suspicious-device",
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            verifyRecency.mockImplementation(() => true);
+            mockDecisionMachine(vi.fn().mockResolvedValue({
+                decision: "deny",
+                reason: "Suspicious device detected",
+                score: 0,
+            }));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(false);
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should allow when no behavioral data is present (no decision machine run)", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+            expect(result.verified).toBe(true);
+        });
+        it("should default to allow if decision machine fails", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const behavioralDataPacked = {
+                c1: [1, 2, 3],
+                c2: [4, 5, 6],
+                c3: [7, 8, 9],
+                d: "test-device",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                behavioralDataPacked,
+                deviceCapability: "test-device",
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            mockDecisionMachine(vi.fn().mockRejectedValue(new Error("Decision machine error")));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(true);
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+    });
+    describe("IP Validation Guard Conditions", () => {
+        it("should skip IP validation when ipValidationRules is undefined", async () => {
+            const dappAccount = "testDappAccount";
+            const userAccount = "testUserAccount";
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const ip = "1.1.1.1";
+            const challengeRecord = {
+                dappAccount,
+                userAccount,
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress(ip),
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue({
+                settings: {},
+            });
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, ip);
+            expect(result.verified).toBe(true);
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                providedIp: getCompositeIpAddress(ip),
+            });
+        });
+        it("should skip IP validation when ipValidationRules.enabled is false", async () => {
+            const dappAccount = pair.address;
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const ip = "1.1.1.1";
+            const challengeRecord = {
+                userAccount: "userAccount",
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                dappAccount,
+                result: {
+                    status: CaptchaStatus.approved,
+                },
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress(ip),
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                userSubmitted: true,
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue({
+                settings: {
+                    ipValidationRules: {
+                        enabled: false,
+                        actions: {
+                            countryChangeAction: "reject",
+                            cityChangeAction: "reject",
+                        },
+                    },
+                },
+            });
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, ip);
+            expect(result.verified).toBe(true);
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                providedIp: getCompositeIpAddress(ip),
+            });
+        });
+        it("should skip IP validation when ipValidationRules.enabled is undefined", async () => {
+            const dappAccount = pair.address;
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const ip = "1.1.1.1";
+            const challengeRecord = {
+                dappAccount,
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                result: {
+                    status: CaptchaStatus.approved,
+                },
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress(ip),
+                userAccount: "userAccount",
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                userSubmitted: true,
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue({
+                settings: {
+                    ipValidationRules: {
+                        actions: {
+                            countryChangeAction: "reject",
+                            cityChangeAction: "reject",
+                        },
+                    },
+                },
+            });
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, ip);
+            expect(result.verified).toBe(true);
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                providedIp: getCompositeIpAddress(ip),
+            });
+        });
+        it("should skip IP validation when clientRecord is null", async () => {
+            const dappAccount = pair.address;
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const ip = "1.1.1.1";
+            const challengeRecord = {
+                dappAccount,
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                result: {
+                    status: CaptchaStatus.approved,
+                },
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress(ip),
+                userAccount: "userAccount",
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                userSubmitted: true,
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue(null);
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, ip);
+            expect(result.verified).toBe(true);
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                providedIp: getCompositeIpAddress(ip),
+            });
+        });
+        it("should skip IP validation when no IP is provided", async () => {
+            const dappAccount = pair.address;
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const challengeRecord = {
+                dappAccount,
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                result: {
+                    status: CaptchaStatus.approved,
+                },
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress("1.1.1.1"),
+                userAccount: "userAccount",
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                userSubmitted: true,
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue({
+                settings: {
+                    ipValidationRules: {
+                        enabled: true,
+                        actions: {
+                            countryChangeAction: "reject",
+                        },
+                    },
+                },
+            });
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+            expect(result.verified).toBe(true);
+        });
+    });
+    describe("Decision machine with no-cache header and no behavioral data", () => {
+        it("should deny when no-cache header is present and no behavioral data exists", async () => {
+            const dappAccount = "5EZVvsHMrKCFKp5NYNoTyDjTjetoVo1Z4UNNbTwJf1GfN6Xm";
+            const timestamp = 1770650564052;
+            const userAccount = "5CBFuSD5rgzhwVLLtDsA1WbLVkfrrAMEHdbiBBuZ78QvcEpv";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}${POW_SEPARATOR}351147`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("81.159.254.145");
+            const headers = {
+                host: "pronode2.prosopo.io",
+                "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+                "content-length": "182",
+                accept: "*/*",
+                "accept-encoding": "gzip, deflate, br, zstd",
+                "accept-language": "de,de-DE;q=0.9,en;q=0.8",
+                "cache-control": "no-cache",
+                "content-type": "application/json",
+                dnt: "1",
+                origin: "https://www.twickets.live",
+                pragma: "no-cache",
+                priority: "u=1, i",
+                "prosopo-site-key": dappAccount,
+                "prosopo-user": userAccount,
+                referer: "https://www.twickets.live/",
+                "sec-ch-ua": '"Google Chrome";v="126", "Chromium";v="126", "Not_A Brand";v="24"',
+                "sec-ch-ua-mobile": "?0",
+                "sec-ch-ua-platform": '"Windows"',
+                "sec-fetch-dest": "empty",
+                "sec-fetch-mode": "cors",
+                "sec-fetch-site": "cross-site",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "t13d1516h2_8daaf6152771_02713d6af862",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                sessionId: "pronode2-6d5deeee-78f1-4af0-97b3-f070037438dd",
+            };
+            const decisionMachineSource = `
+/**
+ * Decision machine for blocking German requests with no-cache header
+ */
+
+function checkNoCacheNoBehavioural(headers, behavioralDataPacked) {
+	const cacheControl =
+		"cache-control" in headers ? headers["cache-control"] : "";
+
+	const hasNoCache = cacheControl.toLowerCase().includes("no-cache");
+
+	const hasNoBehavioralData =
+		!behavioralDataPacked || behavioralDataPacked === "0";
+
+	if (hasNoCache && hasNoBehavioralData) {
+		return {
+			decision: "deny",
+			reason: "no-cache request with no behavioral data",
+			score: 0,
+			tags: ["blocked"],
+		};
+	}
+
+	return null;
+}
+
+module.exports = (input) => {
+	const {
+		userAccount,
+		dappAccount,
+		captchaResult,
+		headers,
+		captchaType,
+		countryCode,
+		behavioralDataPacked,
+	} = input;
+
+	const noCacheNoBehavioural = checkNoCacheNoBehavioural(
+		headers,
+		behavioralDataPacked,
+	);
+	if (noCacheNoBehavioural) {
+		return noCacheNoBehavioural;
+	}
+
+	if (captchaResult === "passed") {
+		return {
+			decision: "allow",
+			reason: "Captcha verification successful",
+			score: 100,
+			tags: [\`captcha-type:\${captchaType || "unknown"}\`],
+		};
+	}
+
+	return {
+		decision: "deny",
+		reason: "Captcha verification failed",
+		score: 0,
+		tags: ["blocked"],
+	};
+};
+`;
+            db.getSessionRecordBySessionId.mockResolvedValue(undefined);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            verifyRecency.mockImplementation(() => true);
+            mockDecisionMachine(async (input) => {
+                const decideFn = eval(`(function() { const module = { exports: {} }; ${decisionMachineSource}; return module.exports; })()`);
+                return decideFn(input);
+            });
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(false);
+                expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                    result: {
+                        status: CaptchaStatus.disapproved,
+                        reason: "no-cache request with no behavioral data",
+                    },
+                });
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should allow when no-cache header is present but behavioral data exists", async () => {
+            const dappAccount = "5EZVvsHMrKCFKp5NYNoTyDjTjetoVo1Z4UNNbTwJf1GfN6Xm";
+            const timestamp = 1770650564052;
+            const userAccount = "5CBFuSD5rgzhwVLLtDsA1WbLVkfrrAMEHdbiBBuZ78QvcEpv";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}${POW_SEPARATOR}351147`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("81.159.254.145");
+            const headers = {
+                "cache-control": "no-cache",
+                "user-agent": "Mozilla/5.0",
+            };
+            const behavioralDataPacked = {
+                c1: [1, 2, 3],
+                c2: [4, 5, 6],
+                c3: [7, 8, 9],
+                d: "test-device",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "t13d1516h2_8daaf6152771_02713d6af862",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                behavioralDataPacked,
+                deviceCapability: "test-device",
+            };
+            const decisionMachineSource = `
+function checkNoCacheNoBehavioural(headers, behavioralDataPacked) {
+	const cacheControl =
+		"cache-control" in headers ? headers["cache-control"] : "";
+	const hasNoCache = cacheControl.toLowerCase().includes("no-cache");
+	const hasNoBehavioralData =
+		!behavioralDataPacked || behavioralDataPacked === "0";
+
+	if (hasNoCache && hasNoBehavioralData) {
+		return {
+			decision: "deny",
+			reason: "no-cache request with no behavioral data",
+			score: 0,
+			tags: ["blocked"],
+		};
+	}
+	return null;
+}
+
+module.exports = (input) => {
+	const noCacheNoBehavioural = checkNoCacheNoBehavioural(
+		input.headers,
+		input.behavioralDataPacked,
+	);
+	if (noCacheNoBehavioural) {
+		return noCacheNoBehavioural;
+	}
+
+	if (input.captchaResult === "passed") {
+		return {
+			decision: "allow",
+			reason: "Captcha verification successful",
+			score: 100,
+			tags: [\`captcha-type:\${input.captchaType || "unknown"}\`],
+		};
+	}
+
+	return {
+		decision: "deny",
+		reason: "Captcha verification failed",
+		score: 0,
+		tags: ["blocked"],
+	};
+};
+`;
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            mockDecisionMachine(async (input) => {
+                const decideFn = eval(`(function() { const module = { exports: {} }; ${decisionMachineSource}; return module.exports; })()`);
+                return decideFn(input);
+            });
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(true);
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should allow when behavioral data is missing but no no-cache header", async () => {
+            const dappAccount = "5EZVvsHMrKCFKp5NYNoTyDjTjetoVo1Z4UNNbTwJf1GfN6Xm";
+            const timestamp = 1770650564052;
+            const userAccount = "5CBFuSD5rgzhwVLLtDsA1WbLVkfrrAMEHdbiBBuZ78QvcEpv";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}${POW_SEPARATOR}351147`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("81.159.254.145");
+            const headers = {
+                "user-agent": "Mozilla/5.0",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "t13d1516h2_8daaf6152771_02713d6af862",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            const decisionMachineSource = `
+function checkNoCacheNoBehavioural(headers, behavioralDataPacked) {
+	const cacheControl =
+		"cache-control" in headers ? headers["cache-control"] : "";
+	const hasNoCache = cacheControl.toLowerCase().includes("no-cache");
+	const hasNoBehavioralData =
+		!behavioralDataPacked || behavioralDataPacked === "0";
+
+	if (hasNoCache && hasNoBehavioralData) {
+		return {
+			decision: "deny",
+			reason: "no-cache request with no behavioral data",
+			score: 0,
+			tags: ["blocked"],
+		};
+	}
+	return null;
+}
+
+module.exports = (input) => {
+	const noCacheNoBehavioural = checkNoCacheNoBehavioural(
+		input.headers,
+		input.behavioralDataPacked,
+	);
+	if (noCacheNoBehavioural) {
+		return noCacheNoBehavioural;
+	}
+
+	if (input.captchaResult === "passed") {
+		return {
+			decision: "allow",
+			reason: "Captcha verification successful",
+			score: 100,
+			tags: [\`captcha-type:\${input.captchaType || "unknown"}\`],
+		};
+	}
+
+	return {
+		decision: "deny",
+		reason: "Captcha verification failed",
+		score: 0,
+		tags: ["blocked"],
+	};
+};
+`;
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            mockDecisionMachine(async (input) => {
+                const decideFn = eval(`(function() { const module = { exports: {} }; ${decisionMachineSource}; return module.exports; })()`);
+                return decideFn(input);
+            });
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(true);
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+    });
+    describe("serverVerifyPowCaptchaSolution with spam email domain checking", () => {
+        it("should disapprove when email domain is found in spam list", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const spamEmail = "user@spammydomain.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockResolvedValue({
+                domain: "spammydomain.com",
+            });
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, spamEmail, true);
+            expect(result.verified).toBe(false);
+            expect(db.getSpamEmailDomain).toHaveBeenCalledWith("spammydomain.com");
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challengeRecord.challenge, {
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "API.SPAM_EMAIL_DOMAIN",
+                },
+            });
+        });
+        it("should allow when email domain is not in spam list", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const legitimateEmail = "user@legitimate.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockResolvedValue(null);
+            mockDecisionMachine(async () => ({
+                decision: "allow",
+                reason: "Passed all checks",
+                score: 1,
+                tags: [],
+            }));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, legitimateEmail, true);
+                expect(result.verified).toBe(true);
+                expect(db.getSpamEmailDomain).toHaveBeenCalledWith("legitimate.com");
+                expect(db.updatePowCaptchaRecord).not.toHaveBeenCalledWith(challengeRecord.challenge, expect.objectContaining({
+                    result: expect.objectContaining({
+                        reason: "API.SPAM_EMAIL_DOMAIN",
+                    }),
+                }));
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should skip spam check when no email is provided", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            mockDecisionMachine(async () => ({
+                decision: "allow",
+                reason: "Passed all checks",
+                score: 1,
+                tags: [],
+            }));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, undefined);
+                expect(result.verified).toBe(true);
+                expect(db.getSpamEmailDomain).not.toHaveBeenCalled();
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should handle @domain.com email format correctly", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const atDomainEmail = "@spammydomain.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockResolvedValue({
+                domain: "spammydomain.com",
+            });
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, atDomainEmail, true);
+            expect(result.verified).toBe(false);
+            expect(db.getSpamEmailDomain).toHaveBeenCalledWith("spammydomain.com");
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challengeRecord.challenge, {
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "API.SPAM_EMAIL_DOMAIN",
+                },
+            });
+        });
+        it("should handle domain-only format correctly", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const domainOnly = "spammydomain.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockResolvedValue({
+                domain: "spammydomain.com",
+            });
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, domainOnly, true);
+            expect(result.verified).toBe(false);
+            expect(db.getSpamEmailDomain).toHaveBeenCalledWith("spammydomain.com");
+        });
+        it("should continue verification if spam check fails (fail-safe)", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const email = "user@example.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockRejectedValue(new Error("Database connection error"));
+            mockDecisionMachine(async () => ({
+                decision: "allow",
+                reason: "Passed all checks",
+                score: 1,
+                tags: [],
+            }));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, email, true);
+                expect(result.verified).toBe(true);
+                expect(db.getSpamEmailDomain).toHaveBeenCalled();
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+    });
+    describe("session result tracking", () => {
+        const ipAddress = getIPAddress("1.1.1.1");
+        const headers = { a: "1", b: "2", c: "3" };
+        const sessionId = "test-session-for-result";
+        it("should update session with approved result after successful user submission", async () => {
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "sig",
+                lastUpdatedTimestamp: new Date(),
+                sessionId,
+            };
+            verifyRecency.mockImplementation(() => true);
+            checkPowSignature.mockImplementation(() => true);
+            validateSolution.mockImplementation(() => true);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                userSubmitted: true,
+                result: { status: CaptchaStatus.approved },
+            });
+        });
+        it("should update session with disapproved result on invalid solution", async () => {
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "sig",
+                lastUpdatedTimestamp: new Date(),
+                sessionId,
+            };
+            verifyRecency.mockImplementation(() => true);
+            checkPowSignature.mockImplementation(() => true);
+            validateSolution.mockImplementation(() => false);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                userSubmitted: true,
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "CAPTCHA.INVALID_SOLUTION",
+                },
+            });
+        });
+        it("should update session with disapproved result on timeout during user submission", async () => {
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "sig",
+                lastUpdatedTimestamp: new Date(),
+                sessionId,
+            };
+            verifyRecency.mockImplementation(() => false);
+            checkPowSignature.mockImplementation(() => true);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                userSubmitted: true,
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "CAPTCHA.INVALID_TIMESTAMP",
+                },
+            });
+        });
+        it("should not update session when challengeRecord has no sessionId", async () => {
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "sig",
+                lastUpdatedTimestamp: new Date(),
+            };
+            verifyRecency.mockImplementation(() => true);
+            checkPowSignature.mockImplementation(() => true);
+            validateSolution.mockImplementation(() => true);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+            expect(db.updateSessionRecord).not.toHaveBeenCalled();
+        });
+        it("should update session as serverChecked and approved on successful server verification", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const challengeRecord = {
+                challenge,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                serverChecked: false,
+                result: { status: CaptchaStatus.approved },
+                sessionId,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv);
+            expect(result.verified).toBe(true);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                serverChecked: true,
+                result: { status: CaptchaStatus.approved },
+            }, true);
+        });
+        it("should update session as serverChecked and disapproved on recency failure", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const challengeRecord = {
+                challenge,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                serverChecked: false,
+                result: { status: CaptchaStatus.approved },
+                sessionId,
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => false);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv);
+            expect(result.verified).toBe(false);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                serverChecked: true,
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "API.TIMESTAMP_TOO_OLD",
+                },
+            }, true);
+        });
+    });
+    describe("Write batching optimizations", () => {
+        describe("verifyPowCaptchaSolution parallel writes", () => {
+            it("should write result and session update for valid solution with session", async () => {
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+                const sessionId = "test-session-id";
+                const ipAddress = getIPAddress("1.1.1.1");
+                const headers = { a: "1" };
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount: pair.address,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.pending },
+                    userSubmitted: false,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(ipAddress),
+                    headers,
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                    sessionId,
+                };
+                verifyRecency.mockReturnValue(true);
+                checkPowSignature.mockImplementation(() => { });
+                validateSolution.mockReturnValue(true);
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+                db.updateSessionRecord.mockResolvedValue(undefined);
+                await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+                expect(db.updatePowCaptchaRecordResult).toHaveBeenCalledOnce();
+                expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                    userSubmitted: true,
+                    result: { status: CaptchaStatus.approved },
+                });
+            });
+            it("should write timeout result and session for timed-out solution with session", async () => {
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+                const sessionId = "test-session-id";
+                const ipAddress = getIPAddress("1.1.1.1");
+                const headers = {};
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount: pair.address,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.pending },
+                    userSubmitted: false,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(ipAddress),
+                    headers,
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                    sessionId,
+                };
+                verifyRecency.mockReturnValue(false);
+                checkPowSignature.mockImplementation(() => { });
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+                db.updateSessionRecord.mockResolvedValue(undefined);
+                const result = await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+                expect(result.verified).toBe(false);
+                expect(db.updatePowCaptchaRecordResult).toHaveBeenCalledOnce();
+                expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                    userSubmitted: true,
+                    result: {
+                        status: CaptchaStatus.disapproved,
+                        reason: "CAPTCHA.INVALID_TIMESTAMP",
+                    },
+                });
+            });
+        });
+        describe("serverVerifyPowCaptchaSolution batched writes", () => {
+            it("should accumulate pow record updates and write once on success", async () => {
+                const dappAccount = "dappAccount";
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+                const sessionId = "test-session-id";
+                const ipAddress = getIPAddress("1.1.1.1");
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.approved },
+                    userSubmitted: true,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(ipAddress),
+                    headers: {},
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                    sessionId,
+                };
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                verifyRecency.mockReturnValue(true);
+                db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+                db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+                db.updateSessionRecord.mockResolvedValue(undefined);
+                db.getSessionRecordBySessionId.mockResolvedValue(undefined);
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv);
+                expect(result.verified).toBe(true);
+                expect(db.markDappUserPoWCommitmentsChecked).toHaveBeenCalledWith([
+                    challenge,
+                ]);
+                expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                    serverChecked: true,
+                    result: { status: CaptchaStatus.approved },
+                }, true);
+            });
+            it("should accumulate providedIp and write in single batch on success with IP", async () => {
+                const dappAccount = "dappAccount";
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+                const sessionId = "test-session-id";
+                const ipAddress = getIPAddress("1.1.1.1");
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.approved },
+                    userSubmitted: true,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(ipAddress),
+                    headers: {},
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                    sessionId,
+                };
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                verifyRecency.mockReturnValue(true);
+                db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+                db.getClientRecord.mockResolvedValue(undefined);
+                db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+                db.updateSessionRecord.mockResolvedValue(undefined);
+                db.getSessionRecordBySessionId.mockResolvedValue(undefined);
+                await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv, "2.2.2.2");
+                expect(db.updatePowCaptchaRecord).toHaveBeenCalledOnce();
+                const updateCall = vi.mocked(db.updatePowCaptchaRecord).mock
+                    .calls[0];
+                expect(updateCall[0]).toBe(challenge);
+                expect(updateCall[1]).toHaveProperty("providedIp");
+            });
+            it("should not run subsequent checks after first failure (recency)", async () => {
+                const dappAccount = "dappAccount";
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.approved },
+                    userSubmitted: true,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                    headers: {},
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                };
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                verifyRecency.mockReturnValue(false);
+                db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+                db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv, undefined, undefined, "user@spam.com", true);
+                expect(result.verified).toBe(false);
+                expect(result.reason).toBe("API.TIMESTAMP_TOO_OLD");
+                expect(db.getSpamEmailDomain).not.toHaveBeenCalled();
+            });
+            it("should write accumulated failure result in single batch", async () => {
+                const dappAccount = "dappAccount";
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.approved },
+                    userSubmitted: true,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                    headers: {},
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                };
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                verifyRecency.mockReturnValue(false);
+                db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+                db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+                await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv);
+                expect(db.updatePowCaptchaRecord).toHaveBeenCalledOnce();
+                expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                    result: {
+                        status: CaptchaStatus.disapproved,
+                        reason: "API.TIMESTAMP_TOO_OLD",
+                    },
+                });
+            });
+        });
+    });
+});
+//# sourceMappingURL=powTasks.unit.test.js.map