aap-agent-server 2.5.0 → 2.6.0

package/challenges.js

@@ -1,11 +1,16 @@
 /**
- * @aap/server - Challenge Generator v2.5
+ * @aap/server - Challenge Generator v2.6
  * 
  * "Burst Mode with Entropy Injection"
- * - 5 challenges in 8 seconds (humans cannot pass)
+ * - 7 challenges in 6 seconds (humans cannot pass)
  * - Salt injection prevents caching attacks
  * - Natural language instructions (requires LLM)
  * 
+ * v2.6 Changes:
+ * - BATCH_SIZE: 5 → 7 (more problems = harder for humans)
+ * - MAX_RESPONSE_TIME_MS: 8000 → 6000 (tighter window)
+ * - Random chance reduced: (1/3)^7 = 0.05%
+ * 
  * v2.5 Changes:
  * - BATCH_SIZE: 3 → 5
  * - MAX_RESPONSE_TIME_MS: 12000 → 8000
@@ -68,23 +73,32 @@ function generateSalt(nonce, offset = 0) {
  */
 export const CHALLENGE_TYPES = {
   /**
-   * Extract entities from natural language sentence
+   * Extract entities from natural language sentence (HARD - more distractors)
    */
   nlp_extract: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 0);
       const category = ['animals', 'fruits', 'colors'][parseInt(nonce[0], 16) % 3];
       const pool = WORD_POOLS[category];
-      const targets = seededSelect(pool, nonce, 2, 0);
+      const targets = seededSelect(pool, nonce, 3, 0);  // 3 targets now
+      const distractorPool = category === 'animals' ? 'fruits' : category === 'fruits' ? 'colors' : 'animals';
+      const distractors = seededSelect(WORD_POOLS[distractorPool], nonce, 2, 8);
       const verb = seededSelect(WORD_POOLS.verbs, nonce, 1, 4)[0];
+      const adj = seededSelect(WORD_POOLS.adjectives, nonce, 1, 6)[0];
       
-      const sentence = `The ${targets[0]} and ${targets[1]} ${verb} in the park.`;
+      // Complex sentence with distractors mixed in
+      const templates = [
+        `The ${adj} ${targets[0]}, a ${distractors[0]}, the ${targets[1]}, and ${targets[2]} all ${verb} near the ${distractors[1]}.`,
+        `I saw ${targets[0]} and ${distractors[0]} yesterday, but today only ${targets[1]}, ${targets[2]}, and a ${distractors[1]} appeared.`,
+        `Between the ${distractors[0]} and ${distractors[1]}, there were ${targets[0]}, ${targets[1]}, and ${targets[2]} ${verb}ing.`
+      ];
+      const sentence = templates[parseInt(nonce[12], 16) % templates.length];
       
       return {
-        challenge_string: `[REQ-${salt}] Extract only the ${category} from the following sentence.
+        challenge_string: `[REQ-${salt}] Extract ONLY the ${category} from this sentence (ignore other categories).
 Sentence: "${sentence}"
-Response format: {"salt": "${salt}", "items": ["item1", "item2"]}`,
-        expected: { salt, items: targets.sort() },
+Response format: {"salt": "${salt}", "items": ["item1", "item2", "item3"]}`,
+        expected: { salt, items: targets.map(s => s.toLowerCase()).sort() },
         validate: (solution) => {
           try {
             const match = solution.match(/\{[\s\S]*\}/);
@@ -95,7 +109,8 @@ Response format: {"salt": "${salt}", "items": ["item1", "item2"]}`,
             if (obj.salt !== salt) return false;
             
             const items = (obj.items || obj.animals || obj.fruits || obj.colors || []).map(s => s.toLowerCase()).sort();
-            return JSON.stringify(items) === JSON.stringify(targets.map(s => s.toLowerCase()).sort());
+            const expected = targets.map(s => s.toLowerCase()).sort();
+            return JSON.stringify(items) === JSON.stringify(expected);
           } catch { return false; }
         }
       };
@@ -103,31 +118,45 @@ Response format: {"salt": "${salt}", "items": ["item1", "item2"]}`,
   },
 
   /**
-   * Math problem expressed in natural language
+   * Math problem expressed in natural language (EXTREME)
    */
   nlp_math: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 2);
-      const a = seededNumber(nonce, 0, 10, 50);
-      const b = seededNumber(nonce, 2, 5, 20);
-      const c = seededNumber(nonce, 4, 2, 5);
+      const a = seededNumber(nonce, 0, 50, 200);
+      const b = seededNumber(nonce, 2, 10, 50);
+      const c = seededNumber(nonce, 4, 2, 9);
+      const d = seededNumber(nonce, 6, 5, 25);
+      const e = seededNumber(nonce, 8, 2, 6);
       
       const templates = [
         {
-          text: `Subtract ${b} from ${a}, then multiply the result by ${c}.`,
-          answer: (a - b) * c
+          text: `Start with ${a}. Subtract ${b}. Multiply that by ${c}. Divide the result by ${e}. Finally, add ${d}. What's the final value?`,
+          answer: (((a - b) * c) / e) + d
+        },
+        {
+          text: `Compute: ((${a} + ${b}) × ${c} - ${d}) ÷ ${e}. Give the result rounded to two decimal places.`,
+          answer: ((a + b) * c - d) / e
+        },
+        {
+          text: `Take the sum of ${a} and ${b}. Square root of that sum, rounded down. Then multiply by ${c} and subtract ${d}.`,
+          answer: Math.floor(Math.sqrt(a + b)) * c - d
         },
         {
-          text: `Add ${a} and ${b} together, then divide by ${c}.`,
-          answer: (a + b) / c
+          text: `${a} divided by ${c}, plus ${b} divided by ${e}, minus ${d}. Round to nearest integer.`,
+          answer: Math.round(a / c + b / e - d)
         },
         {
-          text: `Divide ${a} by ${c}, then add ${b} to the result.`,
-          answer: a / c + b
+          text: `Triple ${a}, halve that result, add ${b}, then take away ${d}. Multiply everything by ${e}. Final answer?`,
+          answer: ((a * 3 / 2) + b - d) * e
+        },
+        {
+          text: `What is ${a} mod ${c} (remainder), plus ${b} mod ${e}, times ${d}?`,
+          answer: ((a % c) + (b % e)) * d
         }
       ];
       
-      const template = templates[parseInt(nonce[6], 16) % templates.length];
+      const template = templates[parseInt(nonce[10], 16) % templates.length];
       const expected = Math.round(template.answer * 100) / 100;
       
       return {
@@ -151,32 +180,53 @@ Response format: {"salt": "${salt}", "result": number}`,
   },
 
   /**
-   * String transformation described in natural language
+   * String transformation described in natural language (EXTREME - multi-step transforms)
    */
   nlp_transform: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 4);
-      const input = nonce.slice(8, 14);
-      const transformType = parseInt(nonce[6], 16) % 4;
+      const input = nonce.slice(6, 16);  // Longer input: 10 chars
+      const transformType = parseInt(nonce[16], 16) % 6;
       
       let instruction, expected;
       
       switch (transformType) {
         case 0:
-          instruction = `Reverse the string "${input}" and convert it to uppercase.`;
-          expected = input.split('').reverse().join('').toUpperCase();
+          // Reverse → uppercase → take first 5
+          expected = input.split('').reverse().join('').toUpperCase().slice(0, 5);
+          instruction = `Take "${input}": reverse it, convert to uppercase, then return only the first 5 characters.`;
           break;
         case 1:
-          instruction = `Extract only the digits from "${input}" and calculate their sum.`;
-          expected = input.split('').filter(c => /\d/.test(c)).reduce((a, b) => a + parseInt(b), 0);
+          // Extract digits → sum → return as string with prefix
+          const digitSum = input.split('').filter(c => /\d/.test(c)).reduce((a, b) => a + parseInt(b), 0);
+          expected = `SUM:${digitSum}`;
+          instruction = `From "${input}": extract all digits, sum them, and format as "SUM:X" where X is the total.`;
           break;
         case 2:
-          instruction = `Extract only the letters from "${input}" and sort them alphabetically.`;
-          expected = input.split('').filter(c => /[a-zA-Z]/.test(c)).sort().join('');
+          // Letters only → sort → reverse → join with dots
+          expected = input.split('').filter(c => /[a-zA-Z]/.test(c)).sort().reverse().join('.');
+          instruction = `From "${input}": extract letters only, sort alphabetically, reverse that order, join with dots.`;
           break;
         case 3:
-          instruction = `Insert a hyphen "-" between each character of "${input}".`;
-          expected = input.split('').join('-');
+          // Alternate case: odd positions uppercase, even lowercase
+          expected = input.split('').map((c, i) => i % 2 === 0 ? c.toLowerCase() : c.toUpperCase()).join('');
+          instruction = `Transform "${input}": characters at even positions (0,2,4...) lowercase, odd positions (1,3,5...) uppercase.`;
+          break;
+        case 4:
+          // Count each char type
+          const letters = input.split('').filter(c => /[a-zA-Z]/.test(c)).length;
+          const digits = input.split('').filter(c => /\d/.test(c)).length;
+          expected = `L${letters}D${digits}`;
+          instruction = `Analyze "${input}": count letters and digits. Format answer as "LxDy" where x=letter count, y=digit count.`;
+          break;
+        case 5:
+          // Replace vowels with *, consonants with #, keep digits
+          expected = input.split('').map(c => {
+            if (/[aeiouAEIOU]/.test(c)) return '*';
+            if (/[a-zA-Z]/.test(c)) return '#';
+            return c;
+          }).join('');
+          instruction = `Transform "${input}": replace vowels with "*", consonants with "#", keep digits unchanged.`;
           break;
       }
       
@@ -201,31 +251,71 @@ Response format: {"salt": "${salt}", "output": "result"}`,
   },
 
   /**
-   * Conditional logic
+   * Conditional logic (EXTREME - multi-layer nested conditions)
    */
   nlp_logic: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 6);
-      const a = seededNumber(nonce, 0, 10, 100);
-      const b = seededNumber(nonce, 2, 10, 100);
-      const threshold = seededNumber(nonce, 4, 20, 80);
+      const a = seededNumber(nonce, 0, 20, 150);
+      const b = seededNumber(nonce, 2, 20, 150);
+      const c = seededNumber(nonce, 4, 20, 100);
+      const d = seededNumber(nonce, 6, 10, 50);
+      const threshold = seededNumber(nonce, 8, 40, 100);
       
       const templates = [
         {
-          text: `If the larger number between ${a} and ${b} is greater than ${threshold}, answer "YES". Otherwise, answer "NO".`,
-          answer: Math.max(a, b) > threshold ? "YES" : "NO"
+          text: `Let X=${a}, Y=${b}, Z=${c}, W=${d}. If (X > Y AND Z > W) OR (X < Y AND Z < W), answer "CONSISTENT". If (X > Y AND Z < W) OR (X < Y AND Z > W), answer "CROSSED". Otherwise, answer "EQUAL".`,
+          answer: ((a > b && c > d) || (a < b && c < d)) ? "CONSISTENT" : ((a > b && c < d) || (a < b && c > d)) ? "CROSSED" : "EQUAL"
+        },
+        {
+          text: `Given four numbers [${a}, ${b}, ${c}, ${d}]: Count how many are divisible by 3. If count is 0, say "NONE". If 1-2, say "FEW". If 3-4, say "MANY".`,
+          answer: (() => {
+            const count = [a, b, c, d].filter(n => n % 3 === 0).length;
+            return count === 0 ? "NONE" : count <= 2 ? "FEW" : "MANY";
+          })()
+        },
+        {
+          text: `Evaluate: Is (${a} + ${b}) greater than (${c} + ${d})? AND is (${a} × ${d}) less than (${b} × ${c})? If BOTH true: "ALPHA". If NEITHER true: "GAMMA". Otherwise: "BETA".`,
+          answer: (() => {
+            const cond1 = (a + b) > (c + d);
+            const cond2 = (a * d) < (b * c);
+            return (cond1 && cond2) ? "ALPHA" : (!cond1 && !cond2) ? "GAMMA" : "BETA";
+          })()
+        },
+        {
+          text: `Numbers: ${a}, ${b}, ${c}, ${d}. First, find the median (average of middle two when sorted). If median > ${threshold}, output "HIGH". If median < ${threshold / 2}, output "LOW". Otherwise, output "MID".`,
+          answer: (() => {
+            const sorted = [a, b, c, d].sort((x, y) => x - y);
+            const median = (sorted[1] + sorted[2]) / 2;
+            return median > threshold ? "HIGH" : median < (threshold / 2) ? "LOW" : "MID";
+          })()
         },
         {
-          text: `If the sum of ${a} and ${b} is less than ${threshold * 2}, answer "SMALL". Otherwise, answer "LARGE".`,
-          answer: (a + b) < (threshold * 2) ? "SMALL" : "LARGE"
+          text: `Check these conditions for [${a}, ${b}, ${c}, ${d}]: (1) Sum > ${threshold * 3}? (2) Product of smallest two < ${threshold * 10}? (3) Largest is even? Count TRUE conditions. Answer with the count (0-3).`,
+          answer: (() => {
+            const sorted = [a, b, c, d].sort((x, y) => x - y);
+            let count = 0;
+            if (a + b + c + d > threshold * 3) count++;
+            if (sorted[0] * sorted[1] < threshold * 10) count++;
+            if (sorted[3] % 2 === 0) count++;
+            return String(count);
+          })()
         },
         {
-          text: `If ${a} is even and ${b} is odd, answer "MIXED". Otherwise, answer "SAME".`,
-          answer: (a % 2 === 0 && b % 2 === 1) ? "MIXED" : "SAME"
+          text: `If ${a} AND ${b} are both prime, answer "TWIN". If exactly one is prime, answer "SOLO". If neither is prime, answer "NONE". (Hint: primes are only divisible by 1 and themselves)`,
+          answer: (() => {
+            const isPrime = n => {
+              if (n < 2) return false;
+              for (let i = 2; i <= Math.sqrt(n); i++) if (n % i === 0) return false;
+              return true;
+            };
+            const ap = isPrime(a), bp = isPrime(b);
+            return (ap && bp) ? "TWIN" : (ap || bp) ? "SOLO" : "NONE";
+          })()
         }
       ];
       
-      const template = templates[parseInt(nonce[6], 16) % templates.length];
+      const template = templates[parseInt(nonce[10], 16) % templates.length];
       
       return {
         challenge_string: `[REQ-${salt}] ${template.text}
@@ -247,30 +337,47 @@ Response format: {"salt": "${salt}", "answer": "your answer"}`,
   },
 
   /**
-   * Counting task
+   * Counting task (EXTREME - multiple categories, complex sentences)
    */
   nlp_count: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 8);
-      const category = ['animals', 'fruits', 'colors'][parseInt(nonce[0], 16) % 3];
-      const pool = WORD_POOLS[category];
-      const count1 = seededNumber(nonce, 0, 2, 4);
-      const count2 = seededNumber(nonce, 2, 1, 3);
+      const targetCategory = ['animals', 'fruits', 'colors'][parseInt(nonce[0], 16) % 3];
+      const pool = WORD_POOLS[targetCategory];
+      const targetCount = seededNumber(nonce, 0, 3, 6);
+      
+      // Add distractors from OTHER categories
+      const distractor1Cat = targetCategory === 'animals' ? 'fruits' : 'animals';
+      const distractor2Cat = targetCategory === 'colors' ? 'fruits' : 'colors';
+      const distractorCount1 = seededNumber(nonce, 2, 2, 4);
+      const distractorCount2 = seededNumber(nonce, 4, 2, 3);
+      
+      const targets = seededSelect(pool, nonce, targetCount, 0);
+      const distractors1 = seededSelect(WORD_POOLS[distractor1Cat], nonce, distractorCount1, 6);
+      const distractors2 = seededSelect(WORD_POOLS[distractor2Cat], nonce, distractorCount2, 10);
+      const countryDistractors = seededSelect(WORD_POOLS.countries, nonce, 2, 14);
       
-      const items1 = seededSelect(pool, nonce, count1, 0);
-      const items2 = seededSelect(WORD_POOLS.countries, nonce, count2, 8);
+      // Mix everything together
+      const allItems = [...targets, ...distractors1, ...distractors2, ...countryDistractors];
+      // Shuffle using nonce
+      for (let i = allItems.length - 1; i > 0; i--) {
+        const j = parseInt(nonce.slice(i % 28, (i % 28) + 2), 16) % (i + 1);
+        [allItems[i], allItems[j]] = [allItems[j], allItems[i]];
+      }
       
-      // Create sentence with mixed items
-      const allItems = [...items1, ...items2].sort(() => 
-        parseInt(nonce.slice(10, 12), 16) % 2 - 0.5
-      );
-      const sentence = `I see ${allItems.join(', ')} in the picture.`;
+      const templates = [
+        `At the market, I noticed: ${allItems.join(', ')}. Quite a mix!`,
+        `The list contains: ${allItems.join(', ')}. Some things don't belong.`,
+        `Inventory check: ${allItems.join(', ')}. Sort by category mentally.`,
+        `Mixed bag: ${allItems.join(', ')}. Focus on what matters.`
+      ];
+      const sentence = templates[parseInt(nonce[20], 16) % templates.length];
       
       return {
-        challenge_string: `[REQ-${salt}] Count only the ${category} in the following sentence.
-Sentence: "${sentence}"
+        challenge_string: `[REQ-${salt}] Count ONLY the ${targetCategory} in this text. Ignore all other categories (other nouns are distractors).
+Text: "${sentence}"
 Response format: {"salt": "${salt}", "count": number}`,
-        expected: { salt, count: count1 },
+        expected: { salt, count: targetCount },
         validate: (solution) => {
           try {
             const match = solution.match(/\{[\s\S]*\}/);
@@ -279,7 +386,7 @@ Response format: {"salt": "${salt}", "count": number}`,
             
             if (obj.salt !== salt) return false;
             
-            return parseInt(obj.count) === count1;
+            return parseInt(obj.count) === targetCount;
           } catch { return false; }
         }
       };
@@ -287,32 +394,85 @@ Response format: {"salt": "${salt}", "count": number}`,
   },
 
   /**
-   * Multi-step instruction following
+   * Multi-step instruction following (EXTREME - 5-6 steps)
    */
   nlp_multistep: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 10);
       const numbers = [
-        seededNumber(nonce, 0, 1, 9),
-        seededNumber(nonce, 2, 1, 9),
-        seededNumber(nonce, 4, 1, 9),
-        seededNumber(nonce, 6, 1, 9)
+        seededNumber(nonce, 0, 5, 30),
+        seededNumber(nonce, 2, 5, 30),
+        seededNumber(nonce, 4, 5, 30),
+        seededNumber(nonce, 6, 5, 30),
+        seededNumber(nonce, 8, 5, 30),
+        seededNumber(nonce, 10, 5, 30)
       ];
       
-      // Step 1: Sum all
-      const sum = numbers.reduce((a, b) => a + b, 0);
-      // Step 2: Multiply by smallest
-      const min = Math.min(...numbers);
-      const step2 = sum * min;
-      // Step 3: Subtract largest
-      const max = Math.max(...numbers);
-      const final = step2 - max;
+      const templateType = parseInt(nonce[12], 16) % 4;
+      let instructions, final;
+      
+      if (templateType === 0) {
+        // Complex: filter → transform → aggregate → adjust
+        const evens = numbers.filter(n => n % 2 === 0);
+        const odds = numbers.filter(n => n % 2 !== 0);
+        const evensProduct = evens.length > 0 ? evens.reduce((a, b) => a * b, 1) : 0;
+        const oddsSum = odds.reduce((a, b) => a + b, 0);
+        const diff = Math.abs(evensProduct - oddsSum);
+        final = diff % 100;  // Keep manageable
+        instructions = `1. From [${numbers.join(', ')}], separate even and odd numbers.
+2. Calculate the PRODUCT of all even numbers (or 0 if none).
+3. Calculate the SUM of all odd numbers.
+4. Find the absolute difference between these two results.
+5. Take that difference modulo 100 (remainder when divided by 100).`;
+      } else if (templateType === 1) {
+        // Sort → pair operations → combine
+        const sorted = [...numbers].sort((a, b) => a - b);
+        const pair1 = sorted[0] * sorted[5];  // smallest × largest
+        const pair2 = sorted[1] + sorted[4];  // 2nd smallest + 2nd largest
+        const pair3 = sorted[2] - sorted[3];  // middle pair difference (might be negative)
+        final = pair1 + pair2 + Math.abs(pair3);
+        instructions = `1. Sort [${numbers.join(', ')}] from smallest to largest.
+2. Multiply the smallest by the largest.
+3. Add the second-smallest to the second-largest.
+4. Find absolute difference between the two middle numbers.
+5. Sum all three results from steps 2, 3, and 4.`;
+      } else if (templateType === 2) {
+        // Chunked processing
+        const chunk1 = numbers.slice(0, 3);
+        const chunk2 = numbers.slice(3, 6);
+        const avg1 = chunk1.reduce((a, b) => a + b, 0) / 3;
+        const avg2 = chunk2.reduce((a, b) => a + b, 0) / 3;
+        const max1 = Math.max(...chunk1);
+        const max2 = Math.max(...chunk2);
+        final = Math.round((avg1 + avg2) * (max1 > max2 ? 2 : 1));
+        instructions = `1. Split [${numbers.join(', ')}] into two groups: first 3 and last 3.
+2. Calculate average of first group: [${chunk1.join(', ')}].
+3. Calculate average of second group: [${chunk2.join(', ')}].
+4. Add both averages together.
+5. If max of first group > max of second group, double the sum. Otherwise keep as is.
+6. Round to nearest integer.`;
+      } else {
+        // Recursive-style
+        let val = numbers[0];
+        for (let i = 1; i < numbers.length; i++) {
+          if (i % 2 === 1) val += numbers[i];
+          else val -= numbers[i];
+        }
+        val = Math.abs(val);
+        final = val * (numbers.length);
+        instructions = `1. Start with the first number from [${numbers.join(', ')}].
+2. Add the 2nd number.
+3. Subtract the 3rd number.
+4. Add the 4th number.
+5. Subtract the 5th number.
+6. Add the 6th number.
+7. Take absolute value of result.
+8. Multiply by 6 (the count of numbers).`;
+      }
       
       return {
-        challenge_string: `[REQ-${salt}] Follow these instructions in order:
-1. Add all the numbers in [${numbers.join(', ')}] together.
-2. Multiply the result by the smallest number.
-3. Subtract the largest number from that result.
+        challenge_string: `[REQ-${salt}] Execute these steps IN ORDER:
+${instructions}
 Response format: {"salt": "${salt}", "result": final_value}`,
         expected: { salt, result: final },
         validate: (solution) => {
@@ -434,8 +594,8 @@ Response format: {"salt": "${salt}", "answer": "word"}`,
 /**
  * Batch challenge settings (v2.5 - Burst Mode)
  */
-export const BATCH_SIZE = 5;               // 5 challenges per batch (was 3)
-export const MAX_RESPONSE_TIME_MS = 8000;  // 8 seconds total (was 12)
+export const BATCH_SIZE = 7;               // 7 challenges per batch (v2.6: was 5)
+export const MAX_RESPONSE_TIME_MS = 6000;  // 6 seconds total (v2.6: was 8)
 export const CHALLENGE_EXPIRY_MS = 60000;  // 60 seconds
 
 /**

package/index.js

@@ -1,20 +1,41 @@
 /**
- * @aap/server
+ * @aap/server v2.5.0
  * 
  * Server-side utilities for Agent Attestation Protocol.
- * Provides middleware and challenge generation for verification servers.
+ * The Reverse Turing Test - CAPTCHAs block bots, AAP blocks humans.
  */
 
 export * from './middleware.js';
 export * from './challenges.js';
+export * from './ratelimit.js';
+export * from './whitelist.js';
+export * from './persistence.js';
+export * from './errors.js';
+export * as logger from './logger.js';
 
 import { aapMiddleware, createRouter } from './middleware.js';
 import challenges from './challenges.js';
+import { createRateLimiter, createFailureLimiter } from './ratelimit.js';
+import { createWhitelist, createKeyRotation } from './whitelist.js';
+import { createStore, createMemoryStore, createFileStore, createRedisStore } from './persistence.js';
 
 export { challenges };
 
 export default {
+  // Core
   aapMiddleware,
   createRouter,
-  challenges
+  challenges,
+  
+  // Security
+  createRateLimiter,
+  createFailureLimiter,
+  createWhitelist,
+  createKeyRotation,
+  
+  // Persistence
+  createStore,
+  createMemoryStore,
+  createFileStore,
+  createRedisStore
 };

package/middleware.js

@@ -15,6 +15,8 @@ import {
   MAX_RESPONSE_TIME_MS, 
   CHALLENGE_EXPIRY_MS 
 } from './challenges.js';
+import * as logger from './logger.js';
+import { ErrorCodes, sendError } from './errors.js';
 
 /**
  * Create AAP verification middleware/router
@@ -38,7 +40,8 @@ export function aapMiddleware(options = {}) {
     onFailed
   } = options;
 
-  // In-memory challenge store
+  // In-memory challenge store with size limit (DoS protection)
+  const MAX_CHALLENGES = 10000;
   const challenges = new Map();
 
   // Cleanup expired challenges periodically
@@ -49,6 +52,15 @@ export function aapMiddleware(options = {}) {
         challenges.delete(nonce);
       }
     }
+    
+    // Emergency cleanup if still too many (keep newest)
+    if (challenges.size > MAX_CHALLENGES) {
+      const entries = [...challenges.entries()]
+        .sort((a, b) => b[1].timestamp - a[1].timestamp)
+        .slice(0, MAX_CHALLENGES / 2);
+      challenges.clear();
+      entries.forEach(([k, v]) => challenges.set(k, v));
+    }
   };
 
   // Return a function that creates routes
@@ -121,6 +133,7 @@ export function aapMiddleware(options = {}) {
       } = req.body;
 
       const checks = {
+        inputValid: false,
         challengeExists: false,
         notExpired: false,
         solutionsExist: false,
@@ -130,7 +143,28 @@ export function aapMiddleware(options = {}) {
       };
 
       try {
-        // Check 1: Challenge exists
+        // Check 0: Input validation (security)
+        if (!nonce || typeof nonce !== 'string' || nonce.length !== 32) {
+          return res.status(400).json({ verified: false, error: 'Invalid nonce format', checks });
+        }
+        if (!publicId || typeof publicId !== 'string' || publicId.length !== 20) {
+          return res.status(400).json({ verified: false, error: 'Invalid publicId format', checks });
+        }
+        if (!signature || typeof signature !== 'string' || signature.length < 50) {
+          return res.status(400).json({ verified: false, error: 'Invalid signature format', checks });
+        }
+        if (!publicKey || typeof publicKey !== 'string' || !publicKey.includes('BEGIN PUBLIC KEY')) {
+          return res.status(400).json({ verified: false, error: 'Invalid publicKey format', checks });
+        }
+        if (!timestamp || typeof timestamp !== 'number') {
+          return res.status(400).json({ verified: false, error: 'Invalid timestamp', checks });
+        }
+        if (!responseTimeMs || typeof responseTimeMs !== 'number' || responseTimeMs < 0) {
+          return res.status(400).json({ verified: false, error: 'Invalid responseTimeMs', checks });
+        }
+        checks.inputValid = true;
+
+        // Check 1: Challenge exists (check BEFORE delete for race condition fix)
         const challenge = challenges.get(nonce);
         if (!challenge) {
           if (onFailed) onFailed({ error: 'Challenge not found', checks }, req);
@@ -142,12 +176,9 @@ export function aapMiddleware(options = {}) {
         }
         checks.challengeExists = true;
 
-        // Remove challenge (one-time use)
-        const { validators, batchSize: size } = challenge;
-        challenges.delete(nonce);
-
-        // Check 2: Not expired
+        // Check 2: Not expired (check BEFORE delete - race condition fix)
         if (Date.now() > challenge.expiresAt) {
+          challenges.delete(nonce);  // Clean up expired
           if (onFailed) onFailed({ error: 'Challenge expired', checks }, req);
           return res.status(400).json({
             verified: false,
@@ -157,6 +188,10 @@ export function aapMiddleware(options = {}) {
         }
         checks.notExpired = true;
 
+        // Remove challenge (one-time use) - only after expiry check
+        const { validators, batchSize: size } = challenge;
+        challenges.delete(nonce);
+
         // Check 3: Solutions exist
         if (!solutions || !Array.isArray(solutions) || solutions.length !== size) {
           if (onFailed) onFailed({ error: 'Invalid solutions array', checks }, req);
@@ -183,13 +218,17 @@ export function aapMiddleware(options = {}) {
         }
         checks.solutionsValid = true;
 
-        // Check 5: Response time (Proof of Liveness)
-        if (responseTimeMs > maxResponseTimeMs) {
+        // Check 5: Response time (Proof of Liveness) - SERVER-SIDE validation
+        const serverResponseTime = Date.now() - challenge.timestamp;
+        const effectiveResponseTime = Math.max(responseTimeMs, serverResponseTime);
+        
+        if (effectiveResponseTime > maxResponseTimeMs) {
           if (onFailed) onFailed({ error: 'Response too slow', checks }, req);
           return res.status(400).json({
             verified: false,
-            error: `Response too slow: ${responseTimeMs}ms > ${maxResponseTimeMs}ms (Proof of Liveness failed)`,
-            checks
+            error: `Response too slow: ${effectiveResponseTime}ms > ${maxResponseTimeMs}ms (Proof of Liveness failed)`,
+            checks,
+            timing: { client: responseTimeMs, server: serverResponseTime }
           });
         }
         checks.responseTimeValid = true;
@@ -361,8 +400,14 @@ export function aapMiddleware(options = {}) {
  * const app = express();
  * app.use('/aap/v1', createRouter());
  */
-export function createRouter(options = {}) {
-  const express = require('express');
+export async function createRouter(options = {}) {
+  // Dynamic import for optional express dependency
+  let express;
+  try {
+    express = (await import('express')).default;
+  } catch {
+    throw new Error('express is required for createRouter. Install with: npm install express');
+  }
   const router = express.Router();
   router.use(express.json());
   

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aap-agent-server",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "description": "Server middleware for Agent Attestation Protocol - verify AI agents",
   "main": "index.js",
   "types": "index.d.ts",
@@ -21,7 +21,7 @@
   },
   "homepage": "https://github.com/ira-hash/agent-attestation-protocol#readme",
   "dependencies": {
-    "aap-agent-core": "^2.5.0"
+    "aap-agent-core": "^2.6.0"
   },
   "peerDependencies": {
     "express": "^4.18.0 || ^5.0.0"

package/persistence.js

@@ -0,0 +1,238 @@
+/**
+ * AAP Challenge Persistence
+ * 
+ * Optional: Persist challenges to survive server restarts
+ * Supports: Memory (default), File, Redis
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+
+/**
+ * Create in-memory store (default, no persistence)
+ */
+export function createMemoryStore() {
+  const challenges = new Map();
+
+  return {
+    type: 'memory',
+    
+    async get(nonce) {
+      return challenges.get(nonce) || null;
+    },
+
+    async set(nonce, data) {
+      challenges.set(nonce, data);
+    },
+
+    async delete(nonce) {
+      challenges.delete(nonce);
+    },
+
+    async has(nonce) {
+      return challenges.has(nonce);
+    },
+
+    async size() {
+      return challenges.size;
+    },
+
+    async keys() {
+      return [...challenges.keys()];
+    },
+
+    async clear() {
+      challenges.clear();
+    },
+
+    async cleanup(now = Date.now()) {
+      for (const [nonce, data] of challenges.entries()) {
+        if (now > data.expiresAt) {
+          challenges.delete(nonce);
+        }
+      }
+    }
+  };
+}
+
+/**
+ * Create file-based store (survives restarts)
+ * @param {string} filePath - Path to store file
+ */
+export function createFileStore(filePath = '.aap/challenges.json') {
+  const fullPath = join(process.cwd(), filePath);
+  let challenges = new Map();
+
+  // Load existing data
+  try {
+    if (existsSync(fullPath)) {
+      const data = JSON.parse(readFileSync(fullPath, 'utf8'));
+      challenges = new Map(Object.entries(data));
+      console.log(`[AAP] Loaded ${challenges.size} challenges from ${fullPath}`);
+    }
+  } catch (error) {
+    console.warn('[AAP] Could not load challenges:', error.message);
+  }
+
+  // Save to file
+  const save = () => {
+    try {
+      const dir = dirname(fullPath);
+      if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+      }
+      
+      const data = Object.fromEntries(challenges);
+      // Remove validator functions (not serializable)
+      for (const key of Object.keys(data)) {
+        delete data[key].validators;
+      }
+      
+      writeFileSync(fullPath, JSON.stringify(data, null, 2));
+    } catch (error) {
+      console.error('[AAP] Could not save challenges:', error.message);
+    }
+  };
+
+  // Auto-save periodically
+  const saveInterval = setInterval(save, 30000);
+
+  return {
+    type: 'file',
+    
+    async get(nonce) {
+      return challenges.get(nonce) || null;
+    },
+
+    async set(nonce, data) {
+      challenges.set(nonce, data);
+      save();
+    },
+
+    async delete(nonce) {
+      challenges.delete(nonce);
+      save();
+    },
+
+    async has(nonce) {
+      return challenges.has(nonce);
+    },
+
+    async size() {
+      return challenges.size;
+    },
+
+    async keys() {
+      return [...challenges.keys()];
+    },
+
+    async clear() {
+      challenges.clear();
+      save();
+    },
+
+    async cleanup(now = Date.now()) {
+      let cleaned = 0;
+      for (const [nonce, data] of challenges.entries()) {
+        if (now > data.expiresAt) {
+          challenges.delete(nonce);
+          cleaned++;
+        }
+      }
+      if (cleaned > 0) save();
+      return cleaned;
+    },
+
+    close() {
+      clearInterval(saveInterval);
+      save();
+    }
+  };
+}
+
+/**
+ * Create Redis-based store (for distributed deployments)
+ * @param {Object} redisClient - Redis client instance (ioredis or redis)
+ * @param {string} [prefix='aap:challenge:'] - Key prefix
+ */
+export function createRedisStore(redisClient, prefix = 'aap:challenge:') {
+  return {
+    type: 'redis',
+    
+    async get(nonce) {
+      const data = await redisClient.get(prefix + nonce);
+      return data ? JSON.parse(data) : null;
+    },
+
+    async set(nonce, data, ttlMs = 60000) {
+      // Store without validators (not serializable)
+      const { validators, ...storable } = data;
+      await redisClient.set(
+        prefix + nonce,
+        JSON.stringify(storable),
+        'PX',
+        ttlMs
+      );
+    },
+
+    async delete(nonce) {
+      await redisClient.del(prefix + nonce);
+    },
+
+    async has(nonce) {
+      return (await redisClient.exists(prefix + nonce)) === 1;
+    },
+
+    async size() {
+      const keys = await redisClient.keys(prefix + '*');
+      return keys.length;
+    },
+
+    async keys() {
+      const keys = await redisClient.keys(prefix + '*');
+      return keys.map(k => k.slice(prefix.length));
+    },
+
+    async clear() {
+      const keys = await redisClient.keys(prefix + '*');
+      if (keys.length > 0) {
+        await redisClient.del(...keys);
+      }
+    },
+
+    async cleanup() {
+      // Redis handles TTL automatically
+      return 0;
+    }
+  };
+}
+
+/**
+ * Auto-detect and create appropriate store
+ * @param {Object} options
+ * @param {'memory'|'file'|'redis'} [options.type='memory']
+ * @param {string} [options.filePath]
+ * @param {Object} [options.redisClient]
+ */
+export function createStore(options = {}) {
+  const { type = 'memory', filePath, redisClient } = options;
+
+  switch (type) {
+    case 'file':
+      return createFileStore(filePath);
+    case 'redis':
+      if (!redisClient) {
+        throw new Error('Redis client required for redis store');
+      }
+      return createRedisStore(redisClient);
+    default:
+      return createMemoryStore();
+  }
+}
+
+export default {
+  createMemoryStore,
+  createFileStore,
+  createRedisStore,
+  createStore
+};

package/ratelimit.js

@@ -0,0 +1,117 @@
+/**
+ * AAP Rate Limiter
+ * 
+ * Simple in-memory rate limiting (no external dependencies)
+ */
+
+/**
+ * Create a rate limiter
+ * @param {Object} options
+ * @param {number} [options.windowMs=60000] - Time window in ms
+ * @param {number} [options.max=10] - Max requests per window
+ * @param {string} [options.message] - Error message
+ * @returns {Function} Express middleware
+ */
+export function createRateLimiter(options = {}) {
+  const {
+    windowMs = 60000,
+    max = 10,
+    message = 'Too many requests, please try again later'
+  } = options;
+
+  const requests = new Map();
+
+  // Cleanup old entries periodically
+  setInterval(() => {
+    const now = Date.now();
+    for (const [key, data] of requests.entries()) {
+      if (now - data.firstRequest > windowMs) {
+        requests.delete(key);
+      }
+    }
+  }, windowMs);
+
+  return (req, res, next) => {
+    const key = req.ip || req.connection.remoteAddress || 'unknown';
+    const now = Date.now();
+
+    let data = requests.get(key);
+
+    if (!data || now - data.firstRequest > windowMs) {
+      // New window
+      data = { count: 1, firstRequest: now };
+      requests.set(key, data);
+    } else {
+      data.count++;
+    }
+
+    // Set headers
+    const remaining = Math.max(0, max - data.count);
+    const resetTime = Math.ceil((data.firstRequest + windowMs) / 1000);
+    
+    res.setHeader('X-RateLimit-Limit', max);
+    res.setHeader('X-RateLimit-Remaining', remaining);
+    res.setHeader('X-RateLimit-Reset', resetTime);
+
+    if (data.count > max) {
+      res.setHeader('Retry-After', Math.ceil((data.firstRequest + windowMs - now) / 1000));
+      return res.status(429).json({
+        error: message,
+        retryAfter: Math.ceil((data.firstRequest + windowMs - now) / 1000)
+      });
+    }
+
+    next();
+  };
+}
+
+/**
+ * Create rate limiter for failed attempts
+ * Stricter limits after failures
+ */
+export function createFailureLimiter(options = {}) {
+  const {
+    windowMs = 60000,
+    maxFailures = 5,
+    message = 'Too many failed attempts'
+  } = options;
+
+  const failures = new Map();
+
+  return {
+    middleware: (req, res, next) => {
+      const key = req.ip || req.connection.remoteAddress || 'unknown';
+      const data = failures.get(key);
+
+      if (data && data.count >= maxFailures && Date.now() - data.firstFailure < windowMs) {
+        return res.status(429).json({
+          error: message,
+          retryAfter: Math.ceil((data.firstFailure + windowMs - Date.now()) / 1000)
+        });
+      }
+
+      next();
+    },
+
+    recordFailure: (req) => {
+      const key = req.ip || req.connection.remoteAddress || 'unknown';
+      const now = Date.now();
+      let data = failures.get(key);
+
+      if (!data || now - data.firstFailure > windowMs) {
+        data = { count: 1, firstFailure: now };
+      } else {
+        data.count++;
+      }
+
+      failures.set(key, data);
+    },
+
+    clearFailures: (req) => {
+      const key = req.ip || req.connection.remoteAddress || 'unknown';
+      failures.delete(key);
+    }
+  };
+}
+
+export default { createRateLimiter, createFailureLimiter };

package/whitelist.js

@@ -0,0 +1,231 @@
+/**
+ * AAP Whitelist & Key Management
+ * 
+ * Optional: Maintain list of trusted agent public IDs
+ */
+
+/**
+ * Create a whitelist manager
+ * @param {Object} options
+ * @param {boolean} [options.enabled=false] - Enable whitelist enforcement
+ * @param {string[]} [options.allowedIds=[]] - Pre-approved public IDs
+ * @param {Function} [options.onNewAgent] - Callback when new agent attempts verification
+ */
+export function createWhitelist(options = {}) {
+  const {
+    enabled = false,
+    allowedIds = [],
+    onNewAgent = null
+  } = options;
+
+  const whitelist = new Set(allowedIds);
+  const pendingApproval = new Map();  // publicId -> { firstSeen, attempts }
+
+  return {
+    /**
+     * Check if agent is allowed
+     * @param {string} publicId
+     * @returns {boolean}
+     */
+    isAllowed(publicId) {
+      if (!enabled) return true;
+      return whitelist.has(publicId);
+    },
+
+    /**
+     * Add agent to whitelist
+     * @param {string} publicId
+     */
+    add(publicId) {
+      whitelist.add(publicId);
+      pendingApproval.delete(publicId);
+    },
+
+    /**
+     * Remove agent from whitelist
+     * @param {string} publicId
+     */
+    remove(publicId) {
+      whitelist.delete(publicId);
+    },
+
+    /**
+     * Get all whitelisted IDs
+     * @returns {string[]}
+     */
+    list() {
+      return [...whitelist];
+    },
+
+    /**
+     * Record attempt from unknown agent
+     * @param {string} publicId
+     * @param {Object} details
+     */
+    recordAttempt(publicId, details = {}) {
+      if (!enabled) return;
+      
+      let record = pendingApproval.get(publicId);
+      if (!record) {
+        record = { firstSeen: Date.now(), attempts: 0, lastDetails: null };
+        pendingApproval.set(publicId, record);
+        
+        if (onNewAgent) {
+          onNewAgent(publicId, details);
+        }
+      }
+      
+      record.attempts++;
+      record.lastDetails = details;
+    },
+
+    /**
+     * Get pending approvals
+     * @returns {Object[]}
+     */
+    getPending() {
+      return [...pendingApproval.entries()].map(([id, data]) => ({
+        publicId: id,
+        ...data
+      }));
+    },
+
+    /**
+     * Middleware to enforce whitelist
+     */
+    middleware() {
+      return (req, res, next) => {
+        if (!enabled) return next();
+        
+        const publicId = req.body?.publicId;
+        if (!publicId) return next();  // Will fail later anyway
+        
+        if (!whitelist.has(publicId)) {
+          this.recordAttempt(publicId, {
+            ip: req.ip,
+            timestamp: Date.now()
+          });
+          
+          return res.status(403).json({
+            verified: false,
+            error: 'Agent not in whitelist',
+            publicId
+          });
+        }
+        
+        next();
+      };
+    },
+
+    /**
+     * Check if whitelist is enabled
+     */
+    isEnabled() {
+      return enabled;
+    },
+
+    /**
+     * Get stats
+     */
+    stats() {
+      return {
+        enabled,
+        whitelistedCount: whitelist.size,
+        pendingCount: pendingApproval.size
+      };
+    }
+  };
+}
+
+/**
+ * Key rotation helper for agents
+ * 
+ * Tracks key history and provides rotation utilities
+ */
+export function createKeyRotation(options = {}) {
+  const {
+    maxKeyAge = 30 * 24 * 60 * 60 * 1000,  // 30 days default
+    onRotationNeeded = null
+  } = options;
+
+  const keyHistory = new Map();  // publicId -> { keys: [], currentIndex }
+
+  return {
+    /**
+     * Register a key
+     * @param {string} publicId
+     * @param {string} publicKey
+     * @param {number} [createdAt]
+     */
+    registerKey(publicId, publicKey, createdAt = Date.now()) {
+      let history = keyHistory.get(publicId);
+      if (!history) {
+        history = { keys: [], currentIndex: 0 };
+        keyHistory.set(publicId, history);
+      }
+
+      history.keys.push({
+        publicKey,
+        createdAt,
+        revokedAt: null
+      });
+      history.currentIndex = history.keys.length - 1;
+    },
+
+    /**
+     * Get current key for agent
+     * @param {string} publicId
+     * @returns {string|null}
+     */
+    getCurrentKey(publicId) {
+      const history = keyHistory.get(publicId);
+      if (!history) return null;
+      return history.keys[history.currentIndex]?.publicKey || null;
+    },
+
+    /**
+     * Check if key needs rotation
+     * @param {string} publicId
+     * @returns {boolean}
+     */
+    needsRotation(publicId) {
+      const history = keyHistory.get(publicId);
+      if (!history || !history.keys.length) return false;
+      
+      const currentKey = history.keys[history.currentIndex];
+      const age = Date.now() - currentKey.createdAt;
+      
+      if (age > maxKeyAge) {
+        if (onRotationNeeded) {
+          onRotationNeeded(publicId, age);
+        }
+        return true;
+      }
+      
+      return false;
+    },
+
+    /**
+     * Revoke old key
+     * @param {string} publicId
+     * @param {number} keyIndex
+     */
+    revokeKey(publicId, keyIndex) {
+      const history = keyHistory.get(publicId);
+      if (!history || !history.keys[keyIndex]) return;
+      
+      history.keys[keyIndex].revokedAt = Date.now();
+    },
+
+    /**
+     * Get key history for agent
+     * @param {string} publicId
+     * @returns {Object[]}
+     */
+    getHistory(publicId) {
+      return keyHistory.get(publicId)?.keys || [];
+    }
+  };
+}
+
+export default { createWhitelist, createKeyRotation };