@speakspec/astro 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 SpeakSpec
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,193 @@
+# @speakspec/astro
+
+> AIDP 0.3 publishing channel for Astro 5.
+
+An Astro package that turns your site into a first-class AIDP source: publishes the entity directive at `/.well-known/aidp.json`, exposes signed content endpoints + a paginated content directory, injects `<link rel="aidp">` head tags, receives cache-invalidation webhooks, and observes AI-crawler traffic for upload to your dashboard.
+
+Feature-equivalent to [`@speakspec/nuxt`](https://docs.speakspec.com/developer/sdk-nuxt) and [`@speakspec/next`](https://docs.speakspec.com/developer/sdk-next).
+
+## Install
+
+```bash
+pnpm add @speakspec/astro
+```
+
+## Configure (env vars)
+
+```env
+# .env
+SPEAKSPEC_ENTITY_ID=your-entity-slug
+SPEAKSPEC_API_KEY=aidp_xxxxxxxxxxx
+SPEAKSPEC_WEBHOOK_SECRET=...
+PUBLIC_SPEAKSPEC_SITE_ORIGIN=https://yoursite.com
+SPEAKSPEC_BOT_TRACKING=true
+SPEAKSPEC_BOT_UPLOAD=true
+```
+
+## Wire the well-known routes
+
+Astro requires `output: 'server'` (or `output: 'hybrid'`) to serve dynamic API routes. Add one route file per AIDP endpoint:
+
+```ts
+// src/pages/.well-known/aidp.json.ts
+import { aidpEntityRoute } from '@speakspec/astro'
+export const GET = aidpEntityRoute()
+```
+
+```ts
+// src/pages/.well-known/aidp/content/[id].json.ts
+import { aidpContentRoute } from '@speakspec/astro'
+export const GET = aidpContentRoute()
+```
+
+```ts
+// src/pages/.well-known/aidp/content/index.ts
+import { aidpDirectoryRoute } from '@speakspec/astro'
+export const GET = aidpDirectoryRoute()
+```
+
+```ts
+// src/pages/api/aidp/invalidate.ts  ← NO leading underscore
+import { aidpWebhookRoute } from '@speakspec/astro'
+export const POST = aidpWebhookRoute()
+```
+
+> Astro 5 excludes any path segment starting with `_` from routing
+> (treats it as private). Use `api/aidp/...` (no leading underscore).
+> The path you register with the SpeakSpec dashboard must match.
+
+## Wire the bot-detection middleware
+
+```ts
+// src/middleware.ts
+import { aidpBotMiddleware } from '@speakspec/astro/middleware'
+export const onRequest = aidpBotMiddleware()
+```
+
+If you already have middleware, sequence them:
+
+```ts
+import { sequence } from 'astro:middleware'
+import { aidpBotMiddleware } from '@speakspec/astro/middleware'
+
+export const onRequest = sequence(myExisting, aidpBotMiddleware())
+```
+
+## Inject HTML link tags
+
+```astro
+---
+// src/layouts/BaseLayout.astro
+import AidpLinks from '@speakspec/astro/components/AidpLinks.astro'
+---
+<html>
+  <head>
+    <AidpLinks />
+  </head>
+  <body><slot /></body>
+</html>
+```
+
+For per-page binding on article / product / policy pages:
+
+```astro
+---
+// src/pages/articles/[id].astro
+import AidpContent from '@speakspec/astro/components/AidpContent.astro'
+const article = await loadArticle(Astro.params.id)
+---
+<AidpContent contentId={article.id} pathname={`/articles/${article.id}`} />
+<article set:html={article.body} />
+```
+
+`<AidpContent />` registers the `(path → content_id)` mapping with the SDK so subsequent AI crawler hits get enriched with `content_id`.
+
+## Cache layer
+
+Default in-memory cache. Plug in Redis / fs / etc. at boot:
+
+```ts
+// src/server-init.ts (called from astro:server:setup integration)
+import { setCacheStore } from '@speakspec/astro'
+import { redisStore } from './my-cache'
+
+setCacheStore(redisStore)
+```
+
+Any object satisfying:
+
+```ts
+interface FullStore {
+  getItem<T>(key: string): Promise<T | null>
+  setItem(key: string, value: unknown): Promise<void>
+  removeItem(key: string): Promise<void>
+  getKeys(base: string): Promise<string[]>
+}
+```
+
+works.
+
+## Cache tuning
+
+The SDK serves three well-known routes with `Cache-Control` headers
+tuned for fast revocation propagation. If you have Cloudflare /
+CloudFront in front of your site, those headers are what the CDN
+respects — so they directly bound how long it takes a revoked fact
+to disappear from AI agent answers.
+
+There are two TTLs to think about:
+
+| Layer | What it does | Default | Affects |
+|---|---|---|---|
+| **SDK internal** | how long the SDK process reuses a fetched bundle before re-fetching from SpeakSpec | 300s | origin load on SpeakSpec |
+| **`Cache-Control: max-age`** | how long downstream caches (CDN + AI agents) reuse the response | 60s (entity/directory), 300s (content) | revocation propagation, CDN cost |
+
+**Why entity = 60s but content = 300s by default?** The entity directive (`/.well-known/aidp.json`) is the revocation pivot — when a customer revokes a fact, this is the document AI agents re-fetch first to learn what's still valid. Short `max-age` keeps revocation fast. Per-content envelopes (`/.well-known/aidp/content/[id].json`) are content-addressed: each `updated_at` produces a new signed bundle, so longer caching is safe.
+
+**Setting `max-age=0`** disables CDN caching for that route but does NOT disable `stale-while-revalidate` — the CDN still serves stale within the SWR window while it revalidates. To fully disable caching, set both `*_MAX_AGE=0` and `*_SWR=0`.
+
+The SDK internal TTL is mostly the safety net for missed webhooks —
+when an entity is revoked, SpeakSpec sends a webhook that clears the
+SDK cache instantly. Downstream `max-age` is the real ceiling on how
+quickly AI agents see the revocation.
+
+All values are configurable via env vars (seconds):
+
+```env
+# SDK internal cache (default 300)
+SPEAKSPEC_CACHE_TTL_SEC=300
+
+# /.well-known/aidp.json (default 60 / 300)
+SPEAKSPEC_ENTITY_MAX_AGE=60
+SPEAKSPEC_ENTITY_SWR=300
+
+# /.well-known/aidp/content/[id] (default 300 / 600)
+SPEAKSPEC_CONTENT_MAX_AGE=300
+SPEAKSPEC_CONTENT_SWR=600
+
+# /.well-known/aidp/content (default 60 / 300)
+SPEAKSPEC_DIRECTORY_MAX_AGE=60
+SPEAKSPEC_DIRECTORY_SWR=300
+```
+
+**Trade-off**: longer `max-age` means lower origin/CDN bill but
+slower revocation. Worst-case revocation propagation is bounded by
+`max-age + stale-while-revalidate`. If you want sub-minute revocation
+across Cloudflare, also wire SpeakSpec's webhook to a Cloudflare
+purge — out of SDK scope.
+
+## Caveats vs `@speakspec/nuxt`
+
+- **Output mode**: requires Astro `output: 'server'` or `'hybrid'` for API routes to be dynamic. `output: 'static'` (the default) bakes all routes at build time and won't update directives without a rebuild.
+- **Multi-instance**: in-memory cache + impression queue are per-process. Customers running on Cloudflare or similar edge platforms should provide a Redis-backed cache via `setCacheStore`.
+- **First-hit content_id**: `<AidpContent />` registers on render, so the very first AI crawler hit on a path lands with `content_id=null`. Subsequent hits are enriched.
+
+## Spec & references
+
+- [AIDP 0.3 §4.8 Cryptographic Proof](https://docs.speakspec.com/spec/transport#cryptographic-proof)
+- [AIDP 0.3 §8.5–8.13 Transport](https://docs.speakspec.com/spec/transport)
+- [Authenticated API](https://docs.speakspec.com/api/authenticated)
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { aidpEntityRoute } from './runtime/server/routes/well-known-aidp';
+export { aidpContentRoute } from './runtime/server/routes/well-known-content';
+export { aidpDirectoryRoute } from './runtime/server/routes/well-known-directory';
+export { aidpWebhookRoute } from './runtime/server/routes/webhook';
+export { setCacheStore, getCacheStore, type FullStore } from './runtime/server/cache-store';
+export { type CacheStorage } from './runtime/server/utils/cache';
+export { readConfig, validateEntityId, type SpeakspecConfig } from './runtime/config';
+export { verifyBundle, fetchJwks, fetchRevocationList, type VerifyResult, type VerifyFailReason, } from './runtime/server/utils/aidp-verify';
+export { detectAICrawler, isAICrawler, type CrawlerMatch, type CrawlerSource } from './runtime/server/utils/bot-detect';
+export { registerContent, lookupContentId } from './runtime/server/utils/content-registry';

package/dist/index.js

@@ -0,0 +1,12 @@
+// @speakspec/astro — main entry. Exports the route-handler factories
+// and top-level config / cache primitives.
+export { aidpEntityRoute } from './runtime/server/routes/well-known-aidp';
+export { aidpContentRoute } from './runtime/server/routes/well-known-content';
+export { aidpDirectoryRoute } from './runtime/server/routes/well-known-directory';
+export { aidpWebhookRoute } from './runtime/server/routes/webhook';
+export { setCacheStore, getCacheStore } from './runtime/server/cache-store';
+export { readConfig, validateEntityId } from './runtime/config';
+// Re-export framework-agnostic primitives.
+export { verifyBundle, fetchJwks, fetchRevocationList, } from './runtime/server/utils/aidp-verify';
+export { detectAICrawler, isAICrawler } from './runtime/server/utils/bot-detect';
+export { registerContent, lookupContentId } from './runtime/server/utils/content-registry';

package/dist/middleware/index.d.ts

@@ -0,0 +1 @@
+export { aidpBotMiddleware } from '../runtime/middleware/ai-bot-detect';

package/dist/middleware/index.js

@@ -0,0 +1,2 @@
+// `@speakspec/astro/middleware` sub-entry — middleware-only export.
+export { aidpBotMiddleware } from '../runtime/middleware/ai-bot-detect';

package/dist/runtime/config.d.ts

@@ -0,0 +1,46 @@
+export interface SpeakspecCacheConfig {
+    /** SDK-internal cache TTL (seconds) — how long the SDK process
+     *  reuses a fetched bundle before re-fetching from SpeakSpec. The
+     *  webhook receiver invalidates this cache on directive change, so
+     *  this TTL is mostly the safety net for missed webhooks. */
+    ttlSec: number;
+    /** /.well-known/aidp.json `Cache-Control: max-age` (seconds). This
+     *  is the floor for revocation propagation through downstream CDN
+     *  caches (Cloudflare, CloudFront, etc.). Lower = faster revocation
+     *  + more origin load; higher = the opposite. */
+    entityMaxAge: number;
+    /** /.well-known/aidp.json `Cache-Control: stale-while-revalidate`. */
+    entitySwr: number;
+    /** /.well-known/aidp/content/[id] `Cache-Control: max-age`. */
+    contentMaxAge: number;
+    /** /.well-known/aidp/content/[id] `Cache-Control: stale-while-revalidate`. */
+    contentSwr: number;
+    /** /.well-known/aidp/content `Cache-Control: max-age`. */
+    directoryMaxAge: number;
+    /** /.well-known/aidp/content `Cache-Control: stale-while-revalidate`. */
+    directorySwr: number;
+}
+export interface SpeakspecConfig {
+    entityId: string;
+    apiKey: string;
+    webhookSecret: string;
+    endpoint: string;
+    siteOrigin: string;
+    cache: SpeakspecCacheConfig;
+    botTracking: {
+        enabled: boolean;
+        excludePaths: string[];
+        upload: {
+            enabled: boolean;
+            batchSize: number;
+            flushIntervalMs: number;
+            maxQueueBytes: number;
+            onError: 'fallback-stdout' | 'silent';
+        };
+    };
+}
+export declare const DEFAULT_CACHE_CONFIG: SpeakspecCacheConfig;
+export declare function readConfig(): SpeakspecConfig;
+export declare function validateEntityId(entityId: string): void;
+/** Build a `Cache-Control` header value from max-age + swr seconds. */
+export declare function buildCacheControl(maxAge: number, swr: number): string;

package/dist/runtime/config.js

@@ -0,0 +1,81 @@
+// Runtime configuration for @speakspec/astro.
+//
+// Astro reads env vars from import.meta.env (build-time) for client
+// code, and process.env (runtime) for server code. Since AIDP route
+// handlers are server-only, we read process.env directly.
+const DEFAULT_EXCLUDE_PATHS = ['/_astro/', '/api/aidp/'];
+export const DEFAULT_CACHE_CONFIG = {
+    ttlSec: 300,
+    entityMaxAge: 60,
+    entitySwr: 300,
+    contentMaxAge: 300,
+    contentSwr: 600,
+    directoryMaxAge: 60,
+    directorySwr: 300,
+};
+/** Strict integer-seconds parser. Rejects anything that isn't a plain
+ *  decimal digit string ("60"), so quirky `Number()` coercions like
+ *  `0x10`, `1e3`, `+60`, or numbers past `Number.MAX_SAFE_INTEGER`
+ *  fall back instead of silently producing surprising Cache-Control
+ *  values. Empty / unset env vars are treated as "use the default". */
+function readPositiveInt(value, fallback, label) {
+    if (value == null)
+        return fallback;
+    const trimmed = value.trim();
+    if (trimmed === '')
+        return fallback;
+    if (!/^\d+$/.test(trimmed)) {
+        console.warn(`[@speakspec/astro] invalid ${label}=${value}, falling back to ${fallback}`);
+        return fallback;
+    }
+    const n = Number(trimmed);
+    if (!Number.isSafeInteger(n)) {
+        console.warn(`[@speakspec/astro] ${label}=${value} exceeds safe integer range, falling back to ${fallback}`);
+        return fallback;
+    }
+    return n;
+}
+export function readConfig() {
+    const env = process.env;
+    return {
+        entityId: env.SPEAKSPEC_ENTITY_ID ?? '',
+        apiKey: env.SPEAKSPEC_API_KEY ?? '',
+        webhookSecret: env.SPEAKSPEC_WEBHOOK_SECRET ?? '',
+        endpoint: env.SPEAKSPEC_ENDPOINT ?? 'https://api.speakspec.com',
+        siteOrigin: env.PUBLIC_SPEAKSPEC_SITE_ORIGIN ?? env.PUBLIC_SITE_URL ?? '',
+        cache: {
+            ttlSec: readPositiveInt(env.SPEAKSPEC_CACHE_TTL_SEC, DEFAULT_CACHE_CONFIG.ttlSec, 'SPEAKSPEC_CACHE_TTL_SEC'),
+            entityMaxAge: readPositiveInt(env.SPEAKSPEC_ENTITY_MAX_AGE, DEFAULT_CACHE_CONFIG.entityMaxAge, 'SPEAKSPEC_ENTITY_MAX_AGE'),
+            entitySwr: readPositiveInt(env.SPEAKSPEC_ENTITY_SWR, DEFAULT_CACHE_CONFIG.entitySwr, 'SPEAKSPEC_ENTITY_SWR'),
+            contentMaxAge: readPositiveInt(env.SPEAKSPEC_CONTENT_MAX_AGE, DEFAULT_CACHE_CONFIG.contentMaxAge, 'SPEAKSPEC_CONTENT_MAX_AGE'),
+            contentSwr: readPositiveInt(env.SPEAKSPEC_CONTENT_SWR, DEFAULT_CACHE_CONFIG.contentSwr, 'SPEAKSPEC_CONTENT_SWR'),
+            directoryMaxAge: readPositiveInt(env.SPEAKSPEC_DIRECTORY_MAX_AGE, DEFAULT_CACHE_CONFIG.directoryMaxAge, 'SPEAKSPEC_DIRECTORY_MAX_AGE'),
+            directorySwr: readPositiveInt(env.SPEAKSPEC_DIRECTORY_SWR, DEFAULT_CACHE_CONFIG.directorySwr, 'SPEAKSPEC_DIRECTORY_SWR'),
+        },
+        botTracking: {
+            enabled: env.SPEAKSPEC_BOT_TRACKING === 'true',
+            excludePaths: env.SPEAKSPEC_BOT_EXCLUDE_PATHS
+                ? env.SPEAKSPEC_BOT_EXCLUDE_PATHS.split(',').map(s => s.trim()).filter(Boolean)
+                : DEFAULT_EXCLUDE_PATHS,
+            upload: {
+                enabled: env.SPEAKSPEC_BOT_UPLOAD === 'true',
+                batchSize: Number(env.SPEAKSPEC_BOT_BATCH_SIZE ?? 50),
+                flushIntervalMs: Number(env.SPEAKSPEC_BOT_FLUSH_MS ?? 60_000),
+                maxQueueBytes: Number(env.SPEAKSPEC_BOT_QUEUE_BYTES ?? 2 * 1024 * 1024),
+                onError: (env.SPEAKSPEC_BOT_ON_ERROR === 'silent' ? 'silent' : 'fallback-stdout'),
+            },
+        },
+    };
+}
+export function validateEntityId(entityId) {
+    if (entityId && !/^[a-z0-9][a-z0-9-]*[a-z0-9]$/.test(entityId)) {
+        console.warn(`[@speakspec/astro] entityId %o does not match SpeakSpec's slug rule `
+            + `(lowercase alphanumerics and hyphens, no leading/trailing hyphen). `
+            + `Verify against your SpeakSpec dashboard — pasting the URN form `
+            + `(urn:aidp:entity:foo) instead of the bare slug is a common mistake.`, entityId);
+    }
+}
+/** Build a `Cache-Control` header value from max-age + swr seconds. */
+export function buildCacheControl(maxAge, swr) {
+    return `public, max-age=${maxAge}, stale-while-revalidate=${swr}`;
+}

package/dist/runtime/middleware/ai-bot-detect.d.ts

@@ -0,0 +1,2 @@
+import type { MiddlewareHandler } from 'astro';
+export declare function aidpBotMiddleware(): MiddlewareHandler;

package/dist/runtime/middleware/ai-bot-detect.js

@@ -0,0 +1,73 @@
+// Astro middleware factory for AI crawler detection.
+//
+// Usage:
+//   // src/middleware.ts
+//   import { aidpBotMiddleware } from '@speakspec/astro/middleware'
+//   export const onRequest = aidpBotMiddleware()
+//
+// Behavior mirrors the Nuxt SDK:
+//   - Off when SPEAKSPEC_BOT_TRACKING !== 'true'
+//   - Skips paths under SPEAKSPEC_BOT_EXCLUDE_PATHS
+//   - On AI crawler match: emits structured impression
+//     - upload.enabled → batched POST to SpeakSpec
+//     - otherwise → console.log fallback
+//   - Never blocks the request — pass-through observer
+import { detectAICrawler, isExcludedPath } from '../server/utils/bot-detect';
+import { lookupContentId } from '../server/utils/content-registry';
+import { configureQueue, enqueueImpression } from '../server/utils/impression-queue';
+import { readConfig } from '../config';
+let queueConfigured = false;
+export function aidpBotMiddleware() {
+    return async (context, next) => {
+        const config = readConfig();
+        if (!config.botTracking.enabled) {
+            return next();
+        }
+        const path = context.url.pathname;
+        if (isExcludedPath(path, config.botTracking.excludePaths)) {
+            return next();
+        }
+        const ua = context.request.headers.get('user-agent') ?? '';
+        const matched = detectAICrawler(ua);
+        if (!matched) {
+            return next();
+        }
+        const impression = {
+            msg: 'aidp.crawler_impression',
+            crawler: matched.label,
+            crawler_source: matched.source,
+            path,
+            user_agent: ua.slice(0, 256),
+            ts: new Date().toISOString(),
+        };
+        if (config.entityId)
+            impression.entity_id = config.entityId;
+        const cid = lookupContentId(path);
+        if (cid)
+            impression.content_id = cid;
+        const ip = context.request.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+            ?? context.request.headers.get('x-real-ip')
+            ?? undefined;
+        if (ip)
+            impression.client_ip = ip;
+        const upload = config.botTracking.upload;
+        if (upload.enabled && config.entityId && config.apiKey) {
+            if (!queueConfigured) {
+                configureQueue({
+                    endpoint: config.endpoint,
+                    apiKey: config.apiKey,
+                    batchSize: upload.batchSize,
+                    flushIntervalMs: upload.flushIntervalMs,
+                    maxQueueBytes: upload.maxQueueBytes,
+                    onError: upload.onError,
+                });
+                queueConfigured = true;
+            }
+            enqueueImpression(impression);
+        }
+        else {
+            console.log(JSON.stringify(impression));
+        }
+        return next();
+    };
+}

package/dist/runtime/server/cache-store.d.ts

@@ -0,0 +1,8 @@
+import type { CacheStorage } from './utils/cache';
+export interface FullStore extends CacheStorage {
+    setItem: (key: string, value: unknown) => Promise<void>;
+    getItem: <T = unknown>(key: string) => Promise<T | null>;
+}
+export declare function getCacheStore(): FullStore;
+export declare function setCacheStore(store: FullStore): void;
+export declare function resetCacheStoreForTesting(): void;

package/dist/runtime/server/cache-store.js

@@ -0,0 +1,27 @@
+// In-memory cache store for SDK runtime. Per-process; customers can
+// plug in Redis / fs / etc. via setCacheStore().
+class InMemoryStore {
+    map = new Map();
+    async getItem(key) {
+        return this.map.get(key) ?? null;
+    }
+    async setItem(key, value) {
+        this.map.set(key, value);
+    }
+    async removeItem(key) {
+        this.map.delete(key);
+    }
+    async getKeys(base) {
+        return [...this.map.keys()].filter(k => k.startsWith(base));
+    }
+}
+let activeStore = new InMemoryStore();
+export function getCacheStore() {
+    return activeStore;
+}
+export function setCacheStore(store) {
+    activeStore = store;
+}
+export function resetCacheStoreForTesting() {
+    activeStore = new InMemoryStore();
+}

package/dist/runtime/server/routes/webhook.d.ts

@@ -0,0 +1,2 @@
+import type { APIRoute } from 'astro';
+export declare function aidpWebhookRoute(): APIRoute;

package/dist/runtime/server/routes/webhook.js

@@ -0,0 +1,90 @@
+// Astro API route factory for POST /api/_aidp/invalidate
+//
+// Usage:
+//   // src/pages/api/_aidp/invalidate.ts
+//   import { aidpWebhookRoute } from '@speakspec/astro'
+//   export const POST = aidpWebhookRoute()
+import { Buffer } from 'node:buffer';
+import { verifyHmacSignature, isTimestampFresh, urnToSlug } from '../utils/hmac-verify';
+import { invalidateEntityCache, invalidateContentCache, } from '../utils/cache';
+import { getCacheStore } from '../cache-store';
+import { readConfig } from '../../config';
+const MAX_WEBHOOK_BODY_BYTES = 64 * 1024;
+const VALID_SCOPES = new Set(['entity', 'content']);
+const VALID_EVENTS = new Set(['directive.updated']);
+export function aidpWebhookRoute() {
+    return async ({ request }) => {
+        const config = readConfig();
+        if (!config.webhookSecret) {
+            return errorResponse(503, 'AIDP webhook receiver not configured: missing webhookSecret');
+        }
+        const signature = request.headers.get('x-aidp-signature');
+        const timestamp = request.headers.get('x-aidp-timestamp');
+        if (!signature || !timestamp) {
+            return errorResponse(400, 'missing X-AIDP-Signature or X-AIDP-Timestamp header');
+        }
+        if (!isTimestampFresh(timestamp)) {
+            return errorResponse(401, 'X-AIDP-Timestamp outside ±5 minute window (replay protection)');
+        }
+        const rawBuffer = Buffer.from(await request.arrayBuffer());
+        if (rawBuffer.byteLength === 0) {
+            return errorResponse(400, 'empty request body');
+        }
+        if (rawBuffer.byteLength > MAX_WEBHOOK_BODY_BYTES) {
+            return errorResponse(413, `webhook body exceeds ${MAX_WEBHOOK_BODY_BYTES} bytes`);
+        }
+        const bodyString = rawBuffer.toString('utf8');
+        const valid = verifyHmacSignature({
+            secret: config.webhookSecret,
+            timestamp,
+            body: bodyString,
+            signature,
+        });
+        if (!valid) {
+            return errorResponse(401, 'X-AIDP-Signature does not match');
+        }
+        let payload;
+        try {
+            payload = JSON.parse(bodyString);
+        }
+        catch {
+            return errorResponse(400, 'invalid JSON body');
+        }
+        if (!payload.scope || !payload.entity_id) {
+            return errorResponse(400, 'payload missing required fields (scope, entity_id)');
+        }
+        if (payload.event && !VALID_EVENTS.has(payload.event)) {
+            return errorResponse(400, `unsupported event "${payload.event}" (expected one of: ${[...VALID_EVENTS].join(', ')})`);
+        }
+        if (!VALID_SCOPES.has(payload.scope)) {
+            return errorResponse(400, `unsupported scope "${payload.scope}" (expected entity|content)`);
+        }
+        if (payload.scope === 'content' && !payload.content_id) {
+            return errorResponse(400, 'scope=content requires content_id');
+        }
+        if (payload.timestamp && payload.timestamp !== timestamp) {
+            return errorResponse(400, 'body.timestamp does not match X-AIDP-Timestamp header');
+        }
+        let slug;
+        try {
+            slug = urnToSlug(payload.entity_id);
+        }
+        catch (err) {
+            return errorResponse(400, err.message);
+        }
+        const store = getCacheStore();
+        if (payload.scope === 'entity') {
+            await invalidateEntityCache(store, slug);
+        }
+        else {
+            await invalidateContentCache(store, slug, payload.content_id);
+        }
+        return new Response(null, { status: 204 });
+    };
+}
+function errorResponse(status, message) {
+    return new Response(JSON.stringify({ error: { statusCode: status, statusMessage: message } }), {
+        status,
+        headers: { 'content-type': 'application/json; charset=utf-8' },
+    });
+}

package/dist/runtime/server/routes/well-known-aidp.d.ts

@@ -0,0 +1,2 @@
+import type { APIRoute } from 'astro';
+export declare function aidpEntityRoute(): APIRoute;

package/dist/runtime/server/routes/well-known-aidp.js

@@ -0,0 +1,79 @@
+// Astro API route factory for /.well-known/aidp.json
+//
+// Usage:
+//   // src/pages/.well-known/aidp.json.ts
+//   import { aidpEntityRoute } from '@speakspec/astro'
+//   export const GET = aidpEntityRoute()
+//
+// Behavior (per AIDP transport spec §8.5–8.13):
+//   - Read cached payload + ETag; serve fresh + ETag + Cache-Control
+//   - Inbound If-None-Match → 304 short-circuit
+//   - Stale → fetch upstream with cached ETag; 304 → refresh; 200 → store
+//   - Upstream 4xx → 502 with detail; 5xx/network → serve stale or 502
+import { fetchEntityDirective } from '../utils/fetch-directive';
+import { cacheKey, isFresh, isUpstream4xx, respondWithCache, } from '../utils/cache';
+import { getCacheStore } from '../cache-store';
+import { readConfig, buildCacheControl } from '../../config';
+export function aidpEntityRoute() {
+    return async ({ request }) => {
+        const config = readConfig();
+        if (!config.entityId) {
+            return errorResponse(503, 'AIDP module not configured: missing entityId');
+        }
+        const FRESH_CACHE_CONTROL = buildCacheControl(config.cache.entityMaxAge, config.cache.entitySwr);
+        const STALE_CACHE_CONTROL = buildCacheControl(10, 60);
+        const ttlMs = config.cache.ttlSec * 1000;
+        const inboundIfNoneMatch = request.headers.get('if-none-match') ?? undefined;
+        const store = getCacheStore();
+        const key = cacheKey('entity', config.entityId);
+        const cached = await store.getItem(key);
+        if (isFresh(cached)) {
+            return respondWithCache(cached.etag, cached.payload, FRESH_CACHE_CONTROL, inboundIfNoneMatch);
+        }
+        const upstreamIfNoneMatch = cached?.etag || undefined;
+        let result;
+        try {
+            result = await fetchEntityDirective({
+                endpoint: config.endpoint,
+                entityId: config.entityId,
+                apiKey: config.apiKey || undefined,
+                ifNoneMatch: upstreamIfNoneMatch,
+            });
+        }
+        catch (err) {
+            if (isUpstream4xx(err)) {
+                const status = err.response?.status;
+                return errorResponse(502, `AIDP upstream rejected the directive fetch (${status})`);
+            }
+            if (cached) {
+                return respondWithCache(cached.etag, cached.payload, STALE_CACHE_CONTROL, inboundIfNoneMatch);
+            }
+            return errorResponse(502, 'AIDP upstream unreachable and no cached payload available');
+        }
+        if (result.notModified && cached) {
+            const refreshed = {
+                payload: cached.payload,
+                etag: cached.etag,
+                expiresAt: Date.now() + ttlMs,
+            };
+            await store.setItem(key, refreshed);
+            return respondWithCache(refreshed.etag, refreshed.payload, FRESH_CACHE_CONTROL, inboundIfNoneMatch);
+        }
+        if (!result.payload) {
+            return errorResponse(502, 'AIDP upstream returned empty payload');
+        }
+        const fresh = {
+            payload: result.payload,
+            etag: result.etag,
+            expiresAt: Date.now() + ttlMs,
+        };
+        await store.setItem(key, fresh);
+        return respondWithCache(fresh.etag, fresh.payload, FRESH_CACHE_CONTROL, inboundIfNoneMatch);
+    };
+}
+function errorResponse(status, message) {
+    return new Response(JSON.stringify({ error: { statusCode: status, statusMessage: message } }), {
+        status,
+        headers: { 'content-type': 'application/json; charset=utf-8' },
+    });
+}