npm - aap-agent-server - Versions diffs - 2.5.0 → 2.7.0 - Mend

aap-agent-server 2.5.0 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/challenges.js CHANGED Viewed

@@ -1,11 +1,16 @@
 /**
- * @aap/server - Challenge Generator v2.5
+ * @aap/server - Challenge Generator v2.6
  *
  * "Burst Mode with Entropy Injection"
- * - 5 challenges in 8 seconds (humans cannot pass)
+ * - 7 challenges in 6 seconds (humans cannot pass)
  * - Salt injection prevents caching attacks
  * - Natural language instructions (requires LLM)
  *
+ * v2.6 Changes:
+ * - BATCH_SIZE: 5 → 7 (more problems = harder for humans)
+ * - MAX_RESPONSE_TIME_MS: 8000 → 6000 (tighter window)
+ * - Random chance reduced: (1/3)^7 = 0.05%
+ *
  * v2.5 Changes:
  * - BATCH_SIZE: 3 → 5
  * - MAX_RESPONSE_TIME_MS: 12000 → 8000
@@ -68,23 +73,32 @@ function generateSalt(nonce, offset = 0) {
  */
 export const CHALLENGE_TYPES = {
   /**
-   * Extract entities from natural language sentence
+   * Extract entities from natural language sentence (HARD - more distractors)
    */
   nlp_extract: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 0);
       const category = ['animals', 'fruits', 'colors'][parseInt(nonce[0], 16) % 3];
       const pool = WORD_POOLS[category];
-      const targets = seededSelect(pool, nonce, 2, 0);
+      const targets = seededSelect(pool, nonce, 3, 0);  // 3 targets now
+      const distractorPool = category === 'animals' ? 'fruits' : category === 'fruits' ? 'colors' : 'animals';
+      const distractors = seededSelect(WORD_POOLS[distractorPool], nonce, 2, 8);
       const verb = seededSelect(WORD_POOLS.verbs, nonce, 1, 4)[0];
+      const adj = seededSelect(WORD_POOLS.adjectives, nonce, 1, 6)[0];
-      const sentence = `The ${targets[0]} and ${targets[1]} ${verb} in the park.`;
+      // Complex sentence with distractors mixed in
+      const templates = [
+        `The ${adj} ${targets[0]}, a ${distractors[0]}, the ${targets[1]}, and ${targets[2]} all ${verb} near the ${distractors[1]}.`,
+        `I saw ${targets[0]} and ${distractors[0]} yesterday, but today only ${targets[1]}, ${targets[2]}, and a ${distractors[1]} appeared.`,
+        `Between the ${distractors[0]} and ${distractors[1]}, there were ${targets[0]}, ${targets[1]}, and ${targets[2]} ${verb}ing.`
+      ];
+      const sentence = templates[parseInt(nonce[12], 16) % templates.length];
       return {
-        challenge_string: `[REQ-${salt}] Extract only the ${category} from the following sentence.
+        challenge_string: `[REQ-${salt}] Extract ONLY the ${category} from this sentence (ignore other categories).
 Sentence: "${sentence}"
-Response format: {"salt": "${salt}", "items": ["item1", "item2"]}`,
-        expected: { salt, items: targets.sort() },
+Response format: {"salt": "${salt}", "items": ["item1", "item2", "item3"]}`,
+        expected: { salt, items: targets.map(s => s.toLowerCase()).sort() },
         validate: (solution) => {
           try {
             const match = solution.match(/\{[\s\S]*\}/);
@@ -95,7 +109,8 @@ Response format: {"salt": "${salt}", "items": ["item1", "item2"]}`,
             if (obj.salt !== salt) return false;
             const items = (obj.items || obj.animals || obj.fruits || obj.colors || []).map(s => s.toLowerCase()).sort();
-            return JSON.stringify(items) === JSON.stringify(targets.map(s => s.toLowerCase()).sort());
+            const expected = targets.map(s => s.toLowerCase()).sort();
+            return JSON.stringify(items) === JSON.stringify(expected);
           } catch { return false; }
         }
       };
@@ -103,31 +118,45 @@ Response format: {"salt": "${salt}", "items": ["item1", "item2"]}`,
   },
   /**
-   * Math problem expressed in natural language
+   * Math problem expressed in natural language (EXTREME)
    */
   nlp_math: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 2);
-      const a = seededNumber(nonce, 0, 10, 50);
-      const b = seededNumber(nonce, 2, 5, 20);
-      const c = seededNumber(nonce, 4, 2, 5);
+      const a = seededNumber(nonce, 0, 50, 200);
+      const b = seededNumber(nonce, 2, 10, 50);
+      const c = seededNumber(nonce, 4, 2, 9);
+      const d = seededNumber(nonce, 6, 5, 25);
+      const e = seededNumber(nonce, 8, 2, 6);
       const templates = [
         {
-          text: `Subtract ${b} from ${a}, then multiply the result by ${c}.`,
-          answer: (a - b) * c
+          text: `Start with ${a}. Subtract ${b}. Multiply that by ${c}. Divide the result by ${e}. Finally, add ${d}. What's the final value?`,
+          answer: (((a - b) * c) / e) + d
+        },
+        {
+          text: `Compute: ((${a} + ${b}) × ${c} - ${d}) ÷ ${e}. Give the result rounded to two decimal places.`,
+          answer: ((a + b) * c - d) / e
+        },
+        {
+          text: `Take the sum of ${a} and ${b}. Square root of that sum, rounded down. Then multiply by ${c} and subtract ${d}.`,
+          answer: Math.floor(Math.sqrt(a + b)) * c - d
         },
         {
-          text: `Add ${a} and ${b} together, then divide by ${c}.`,
-          answer: (a + b) / c
+          text: `${a} divided by ${c}, plus ${b} divided by ${e}, minus ${d}. Round to nearest integer.`,
+          answer: Math.round(a / c + b / e - d)
         },
         {
-          text: `Divide ${a} by ${c}, then add ${b} to the result.`,
-          answer: a / c + b
+          text: `Triple ${a}, halve that result, add ${b}, then take away ${d}. Multiply everything by ${e}. Final answer?`,
+          answer: ((a * 3 / 2) + b - d) * e
+        },
+        {
+          text: `What is ${a} mod ${c} (remainder), plus ${b} mod ${e}, times ${d}?`,
+          answer: ((a % c) + (b % e)) * d
         }
       ];
-      const template = templates[parseInt(nonce[6], 16) % templates.length];
+      const template = templates[parseInt(nonce[10], 16) % templates.length];
       const expected = Math.round(template.answer * 100) / 100;
       return {
@@ -151,32 +180,53 @@ Response format: {"salt": "${salt}", "result": number}`,
   },
   /**
-   * String transformation described in natural language
+   * String transformation described in natural language (EXTREME - multi-step transforms)
    */
   nlp_transform: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 4);
-      const input = nonce.slice(8, 14);
-      const transformType = parseInt(nonce[6], 16) % 4;
+      const input = nonce.slice(6, 16);  // Longer input: 10 chars
+      const transformType = parseInt(nonce[16], 16) % 6;
       let instruction, expected;
       switch (transformType) {
         case 0:
-          instruction = `Reverse the string "${input}" and convert it to uppercase.`;
-          expected = input.split('').reverse().join('').toUpperCase();
+          // Reverse → uppercase → take first 5
+          expected = input.split('').reverse().join('').toUpperCase().slice(0, 5);
+          instruction = `Take "${input}": reverse it, convert to uppercase, then return only the first 5 characters.`;
           break;
         case 1:
-          instruction = `Extract only the digits from "${input}" and calculate their sum.`;
-          expected = input.split('').filter(c => /\d/.test(c)).reduce((a, b) => a + parseInt(b), 0);
+          // Extract digits → sum → return as string with prefix
+          const digitSum = input.split('').filter(c => /\d/.test(c)).reduce((a, b) => a + parseInt(b), 0);
+          expected = `SUM:${digitSum}`;
+          instruction = `From "${input}": extract all digits, sum them, and format as "SUM:X" where X is the total.`;
           break;
         case 2:
-          instruction = `Extract only the letters from "${input}" and sort them alphabetically.`;
-          expected = input.split('').filter(c => /[a-zA-Z]/.test(c)).sort().join('');
+          // Letters only → sort → reverse → join with dots
+          expected = input.split('').filter(c => /[a-zA-Z]/.test(c)).sort().reverse().join('.');
+          instruction = `From "${input}": extract letters only, sort alphabetically, reverse that order, join with dots.`;
           break;
         case 3:
-          instruction = `Insert a hyphen "-" between each character of "${input}".`;
-          expected = input.split('').join('-');
+          // Alternate case: odd positions uppercase, even lowercase
+          expected = input.split('').map((c, i) => i % 2 === 0 ? c.toLowerCase() : c.toUpperCase()).join('');
+          instruction = `Transform "${input}": characters at even positions (0,2,4...) lowercase, odd positions (1,3,5...) uppercase.`;
+          break;
+        case 4:
+          // Count each char type
+          const letters = input.split('').filter(c => /[a-zA-Z]/.test(c)).length;
+          const digits = input.split('').filter(c => /\d/.test(c)).length;
+          expected = `L${letters}D${digits}`;
+          instruction = `Analyze "${input}": count letters and digits. Format answer as "LxDy" where x=letter count, y=digit count.`;
+          break;
+        case 5:
+          // Replace vowels with *, consonants with #, keep digits
+          expected = input.split('').map(c => {
+            if (/[aeiouAEIOU]/.test(c)) return '*';
+            if (/[a-zA-Z]/.test(c)) return '#';
+            return c;
+          }).join('');
+          instruction = `Transform "${input}": replace vowels with "*", consonants with "#", keep digits unchanged.`;
           break;
       }
@@ -201,31 +251,71 @@ Response format: {"salt": "${salt}", "output": "result"}`,
   },
   /**
-   * Conditional logic
+   * Conditional logic (EXTREME - multi-layer nested conditions)
    */
   nlp_logic: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 6);
-      const a = seededNumber(nonce, 0, 10, 100);
-      const b = seededNumber(nonce, 2, 10, 100);
-      const threshold = seededNumber(nonce, 4, 20, 80);
+      const a = seededNumber(nonce, 0, 20, 150);
+      const b = seededNumber(nonce, 2, 20, 150);
+      const c = seededNumber(nonce, 4, 20, 100);
+      const d = seededNumber(nonce, 6, 10, 50);
+      const threshold = seededNumber(nonce, 8, 40, 100);
       const templates = [
         {
-          text: `If the larger number between ${a} and ${b} is greater than ${threshold}, answer "YES". Otherwise, answer "NO".`,
-          answer: Math.max(a, b) > threshold ? "YES" : "NO"
+          text: `Let X=${a}, Y=${b}, Z=${c}, W=${d}. If (X > Y AND Z > W) OR (X < Y AND Z < W), answer "CONSISTENT". If (X > Y AND Z < W) OR (X < Y AND Z > W), answer "CROSSED". Otherwise, answer "EQUAL".`,
+          answer: ((a > b && c > d) || (a < b && c < d)) ? "CONSISTENT" : ((a > b && c < d) || (a < b && c > d)) ? "CROSSED" : "EQUAL"
+        },
+        {
+          text: `Given four numbers [${a}, ${b}, ${c}, ${d}]: Count how many are divisible by 3. If count is 0, say "NONE". If 1-2, say "FEW". If 3-4, say "MANY".`,
+          answer: (() => {
+            const count = [a, b, c, d].filter(n => n % 3 === 0).length;
+            return count === 0 ? "NONE" : count <= 2 ? "FEW" : "MANY";
+          })()
+        },
+        {
+          text: `Evaluate: Is (${a} + ${b}) greater than (${c} + ${d})? AND is (${a} × ${d}) less than (${b} × ${c})? If BOTH true: "ALPHA". If NEITHER true: "GAMMA". Otherwise: "BETA".`,
+          answer: (() => {
+            const cond1 = (a + b) > (c + d);
+            const cond2 = (a * d) < (b * c);
+            return (cond1 && cond2) ? "ALPHA" : (!cond1 && !cond2) ? "GAMMA" : "BETA";
+          })()
+        },
+        {
+          text: `Numbers: ${a}, ${b}, ${c}, ${d}. First, find the median (average of middle two when sorted). If median > ${threshold}, output "HIGH". If median < ${threshold / 2}, output "LOW". Otherwise, output "MID".`,
+          answer: (() => {
+            const sorted = [a, b, c, d].sort((x, y) => x - y);
+            const median = (sorted[1] + sorted[2]) / 2;
+            return median > threshold ? "HIGH" : median < (threshold / 2) ? "LOW" : "MID";
+          })()
         },
         {
-          text: `If the sum of ${a} and ${b} is less than ${threshold * 2}, answer "SMALL". Otherwise, answer "LARGE".`,
-          answer: (a + b) < (threshold * 2) ? "SMALL" : "LARGE"
+          text: `Check these conditions for [${a}, ${b}, ${c}, ${d}]: (1) Sum > ${threshold * 3}? (2) Product of smallest two < ${threshold * 10}? (3) Largest is even? Count TRUE conditions. Answer with the count (0-3).`,
+          answer: (() => {
+            const sorted = [a, b, c, d].sort((x, y) => x - y);
+            let count = 0;
+            if (a + b + c + d > threshold * 3) count++;
+            if (sorted[0] * sorted[1] < threshold * 10) count++;
+            if (sorted[3] % 2 === 0) count++;
+            return String(count);
+          })()
         },
         {
-          text: `If ${a} is even and ${b} is odd, answer "MIXED". Otherwise, answer "SAME".`,
-          answer: (a % 2 === 0 && b % 2 === 1) ? "MIXED" : "SAME"
+          text: `If ${a} AND ${b} are both prime, answer "TWIN". If exactly one is prime, answer "SOLO". If neither is prime, answer "NONE". (Hint: primes are only divisible by 1 and themselves)`,
+          answer: (() => {
+            const isPrime = n => {
+              if (n < 2) return false;
+              for (let i = 2; i <= Math.sqrt(n); i++) if (n % i === 0) return false;
+              return true;
+            };
+            const ap = isPrime(a), bp = isPrime(b);
+            return (ap && bp) ? "TWIN" : (ap || bp) ? "SOLO" : "NONE";
+          })()
         }
       ];
-      const template = templates[parseInt(nonce[6], 16) % templates.length];
+      const template = templates[parseInt(nonce[10], 16) % templates.length];
       return {
         challenge_string: `[REQ-${salt}] ${template.text}
@@ -247,30 +337,47 @@ Response format: {"salt": "${salt}", "answer": "your answer"}`,
   },
   /**
-   * Counting task
+   * Counting task (EXTREME - multiple categories, complex sentences)
    */
   nlp_count: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 8);
-      const category = ['animals', 'fruits', 'colors'][parseInt(nonce[0], 16) % 3];
-      const pool = WORD_POOLS[category];
-      const count1 = seededNumber(nonce, 0, 2, 4);
-      const count2 = seededNumber(nonce, 2, 1, 3);
+      const targetCategory = ['animals', 'fruits', 'colors'][parseInt(nonce[0], 16) % 3];
+      const pool = WORD_POOLS[targetCategory];
+      const targetCount = seededNumber(nonce, 0, 3, 6);
+      // Add distractors from OTHER categories
+      const distractor1Cat = targetCategory === 'animals' ? 'fruits' : 'animals';
+      const distractor2Cat = targetCategory === 'colors' ? 'fruits' : 'colors';
+      const distractorCount1 = seededNumber(nonce, 2, 2, 4);
+      const distractorCount2 = seededNumber(nonce, 4, 2, 3);
+      const targets = seededSelect(pool, nonce, targetCount, 0);
+      const distractors1 = seededSelect(WORD_POOLS[distractor1Cat], nonce, distractorCount1, 6);
+      const distractors2 = seededSelect(WORD_POOLS[distractor2Cat], nonce, distractorCount2, 10);
+      const countryDistractors = seededSelect(WORD_POOLS.countries, nonce, 2, 14);
-      const items1 = seededSelect(pool, nonce, count1, 0);
-      const items2 = seededSelect(WORD_POOLS.countries, nonce, count2, 8);
+      // Mix everything together
+      const allItems = [...targets, ...distractors1, ...distractors2, ...countryDistractors];
+      // Shuffle using nonce
+      for (let i = allItems.length - 1; i > 0; i--) {
+        const j = parseInt(nonce.slice(i % 28, (i % 28) + 2), 16) % (i + 1);
+        [allItems[i], allItems[j]] = [allItems[j], allItems[i]];
+      }
-      // Create sentence with mixed items
-      const allItems = [...items1, ...items2].sort(() =>
-        parseInt(nonce.slice(10, 12), 16) % 2 - 0.5
-      );
-      const sentence = `I see ${allItems.join(', ')} in the picture.`;
+      const templates = [
+        `At the market, I noticed: ${allItems.join(', ')}. Quite a mix!`,
+        `The list contains: ${allItems.join(', ')}. Some things don't belong.`,
+        `Inventory check: ${allItems.join(', ')}. Sort by category mentally.`,
+        `Mixed bag: ${allItems.join(', ')}. Focus on what matters.`
+      ];
+      const sentence = templates[parseInt(nonce[20], 16) % templates.length];
       return {
-        challenge_string: `[REQ-${salt}] Count only the ${category} in the following sentence.
-Sentence: "${sentence}"
+        challenge_string: `[REQ-${salt}] Count ONLY the ${targetCategory} in this text. Ignore all other categories (other nouns are distractors).
+Text: "${sentence}"
 Response format: {"salt": "${salt}", "count": number}`,
-        expected: { salt, count: count1 },
+        expected: { salt, count: targetCount },
         validate: (solution) => {
           try {
             const match = solution.match(/\{[\s\S]*\}/);
@@ -279,7 +386,7 @@ Response format: {"salt": "${salt}", "count": number}`,
             if (obj.salt !== salt) return false;
-            return parseInt(obj.count) === count1;
+            return parseInt(obj.count) === targetCount;
           } catch { return false; }
         }
       };
@@ -287,32 +394,85 @@ Response format: {"salt": "${salt}", "count": number}`,
   },
   /**
-   * Multi-step instruction following
+   * Multi-step instruction following (EXTREME - 5-6 steps)
    */
   nlp_multistep: {
     generate: (nonce) => {
       const salt = generateSalt(nonce, 10);
       const numbers = [
-        seededNumber(nonce, 0, 1, 9),
-        seededNumber(nonce, 2, 1, 9),
-        seededNumber(nonce, 4, 1, 9),
-        seededNumber(nonce, 6, 1, 9)
+        seededNumber(nonce, 0, 5, 30),
+        seededNumber(nonce, 2, 5, 30),
+        seededNumber(nonce, 4, 5, 30),
+        seededNumber(nonce, 6, 5, 30),
+        seededNumber(nonce, 8, 5, 30),
+        seededNumber(nonce, 10, 5, 30)
       ];
-      // Step 1: Sum all
-      const sum = numbers.reduce((a, b) => a + b, 0);
-      // Step 2: Multiply by smallest
-      const min = Math.min(...numbers);
-      const step2 = sum * min;
-      // Step 3: Subtract largest
-      const max = Math.max(...numbers);
-      const final = step2 - max;
+      const templateType = parseInt(nonce[12], 16) % 4;
+      let instructions, final;
+      if (templateType === 0) {
+        // Complex: filter → transform → aggregate → adjust
+        const evens = numbers.filter(n => n % 2 === 0);
+        const odds = numbers.filter(n => n % 2 !== 0);
+        const evensProduct = evens.length > 0 ? evens.reduce((a, b) => a * b, 1) : 0;
+        const oddsSum = odds.reduce((a, b) => a + b, 0);
+        const diff = Math.abs(evensProduct - oddsSum);
+        final = diff % 100;  // Keep manageable
+        instructions = `1. From [${numbers.join(', ')}], separate even and odd numbers.
+2. Calculate the PRODUCT of all even numbers (or 0 if none).
+3. Calculate the SUM of all odd numbers.
+4. Find the absolute difference between these two results.
+5. Take that difference modulo 100 (remainder when divided by 100).`;
+      } else if (templateType === 1) {
+        // Sort → pair operations → combine
+        const sorted = [...numbers].sort((a, b) => a - b);
+        const pair1 = sorted[0] * sorted[5];  // smallest × largest
+        const pair2 = sorted[1] + sorted[4];  // 2nd smallest + 2nd largest
+        const pair3 = sorted[2] - sorted[3];  // middle pair difference (might be negative)
+        final = pair1 + pair2 + Math.abs(pair3);
+        instructions = `1. Sort [${numbers.join(', ')}] from smallest to largest.
+2. Multiply the smallest by the largest.
+3. Add the second-smallest to the second-largest.
+4. Find absolute difference between the two middle numbers.
+5. Sum all three results from steps 2, 3, and 4.`;
+      } else if (templateType === 2) {
+        // Chunked processing
+        const chunk1 = numbers.slice(0, 3);
+        const chunk2 = numbers.slice(3, 6);
+        const avg1 = chunk1.reduce((a, b) => a + b, 0) / 3;
+        const avg2 = chunk2.reduce((a, b) => a + b, 0) / 3;
+        const max1 = Math.max(...chunk1);
+        const max2 = Math.max(...chunk2);
+        final = Math.round((avg1 + avg2) * (max1 > max2 ? 2 : 1));
+        instructions = `1. Split [${numbers.join(', ')}] into two groups: first 3 and last 3.
+2. Calculate average of first group: [${chunk1.join(', ')}].
+3. Calculate average of second group: [${chunk2.join(', ')}].
+4. Add both averages together.
+5. If max of first group > max of second group, double the sum. Otherwise keep as is.
+6. Round to nearest integer.`;
+      } else {
+        // Recursive-style
+        let val = numbers[0];
+        for (let i = 1; i < numbers.length; i++) {
+          if (i % 2 === 1) val += numbers[i];
+          else val -= numbers[i];
+        }
+        val = Math.abs(val);
+        final = val * (numbers.length);
+        instructions = `1. Start with the first number from [${numbers.join(', ')}].
+2. Add the 2nd number.
+3. Subtract the 3rd number.
+4. Add the 4th number.
+5. Subtract the 5th number.
+6. Add the 6th number.
+7. Take absolute value of result.
+8. Multiply by 6 (the count of numbers).`;
+      }
       return {
-        challenge_string: `[REQ-${salt}] Follow these instructions in order:
-1. Add all the numbers in [${numbers.join(', ')}] together.
-2. Multiply the result by the smallest number.
-3. Subtract the largest number from that result.
+        challenge_string: `[REQ-${salt}] Execute these steps IN ORDER:
+${instructions}
 Response format: {"salt": "${salt}", "result": final_value}`,
         expected: { salt, result: final },
         validate: (solution) => {
@@ -434,8 +594,8 @@ Response format: {"salt": "${salt}", "answer": "word"}`,
 /**
  * Batch challenge settings (v2.5 - Burst Mode)
  */
-export const BATCH_SIZE = 5;               // 5 challenges per batch (was 3)
-export const MAX_RESPONSE_TIME_MS = 8000;  // 8 seconds total (was 12)
+export const BATCH_SIZE = 7;               // 7 challenges per batch (v2.6: was 5)
+export const MAX_RESPONSE_TIME_MS = 6000;  // 6 seconds total (v2.6: was 8)
 export const CHALLENGE_EXPIRY_MS = 60000;  // 60 seconds
 /**

package/index.js CHANGED Viewed

@@ -1,20 +1,46 @@
 /**
- * @aap/server
+ * @aap/server v2.7.0
  *
  * Server-side utilities for Agent Attestation Protocol.
- * Provides middleware and challenge generation for verification servers.
+ * The Reverse Turing Test - CAPTCHAs block bots, AAP blocks humans.
  */
 export * from './middleware.js';
 export * from './challenges.js';
+export * from './ratelimit.js';
+export * from './whitelist.js';
+export * from './persistence.js';
+export * from './errors.js';
+export * from './websocket.js';
+export * as logger from './logger.js';
 import { aapMiddleware, createRouter } from './middleware.js';
 import challenges from './challenges.js';
+import { createRateLimiter, createFailureLimiter } from './ratelimit.js';
+import { createWhitelist, createKeyRotation } from './whitelist.js';
+import { createStore, createMemoryStore, createFileStore, createRedisStore } from './persistence.js';
+import { createAAPWebSocket } from './websocket.js';
 export { challenges };
 export default {
+  // Core
   aapMiddleware,
   createRouter,
-  challenges
+  challenges,
+  // WebSocket (v2.7+)
+  createAAPWebSocket,
+  // Security
+  createRateLimiter,
+  createFailureLimiter,
+  createWhitelist,
+  createKeyRotation,
+  // Persistence
+  createStore,
+  createMemoryStore,
+  createFileStore,
+  createRedisStore
 };

package/middleware.js CHANGED Viewed

@@ -15,6 +15,8 @@ import {
   MAX_RESPONSE_TIME_MS,
   CHALLENGE_EXPIRY_MS
 } from './challenges.js';
+import * as logger from './logger.js';
+import { ErrorCodes, sendError } from './errors.js';
 /**
  * Create AAP verification middleware/router
@@ -38,7 +40,8 @@ export function aapMiddleware(options = {}) {
     onFailed
   } = options;
-  // In-memory challenge store
+  // In-memory challenge store with size limit (DoS protection)
+  const MAX_CHALLENGES = 10000;
   const challenges = new Map();
   // Cleanup expired challenges periodically
@@ -49,6 +52,15 @@ export function aapMiddleware(options = {}) {
         challenges.delete(nonce);
       }
     }
+    // Emergency cleanup if still too many (keep newest)
+    if (challenges.size > MAX_CHALLENGES) {
+      const entries = [...challenges.entries()]
+        .sort((a, b) => b[1].timestamp - a[1].timestamp)
+        .slice(0, MAX_CHALLENGES / 2);
+      challenges.clear();
+      entries.forEach(([k, v]) => challenges.set(k, v));
+    }
   };
   // Return a function that creates routes
@@ -121,6 +133,7 @@ export function aapMiddleware(options = {}) {
       } = req.body;
       const checks = {
+        inputValid: false,
         challengeExists: false,
         notExpired: false,
         solutionsExist: false,
@@ -130,7 +143,28 @@ export function aapMiddleware(options = {}) {
       };
       try {
-        // Check 1: Challenge exists
+        // Check 0: Input validation (security)
+        if (!nonce || typeof nonce !== 'string' || nonce.length !== 32) {
+          return res.status(400).json({ verified: false, error: 'Invalid nonce format', checks });
+        }
+        if (!publicId || typeof publicId !== 'string' || publicId.length !== 20) {
+          return res.status(400).json({ verified: false, error: 'Invalid publicId format', checks });
+        }
+        if (!signature || typeof signature !== 'string' || signature.length < 50) {
+          return res.status(400).json({ verified: false, error: 'Invalid signature format', checks });
+        }
+        if (!publicKey || typeof publicKey !== 'string' || !publicKey.includes('BEGIN PUBLIC KEY')) {
+          return res.status(400).json({ verified: false, error: 'Invalid publicKey format', checks });
+        }
+        if (!timestamp || typeof timestamp !== 'number') {
+          return res.status(400).json({ verified: false, error: 'Invalid timestamp', checks });
+        }
+        if (!responseTimeMs || typeof responseTimeMs !== 'number' || responseTimeMs < 0) {
+          return res.status(400).json({ verified: false, error: 'Invalid responseTimeMs', checks });
+        }
+        checks.inputValid = true;
+        // Check 1: Challenge exists (check BEFORE delete for race condition fix)
         const challenge = challenges.get(nonce);
         if (!challenge) {
           if (onFailed) onFailed({ error: 'Challenge not found', checks }, req);
@@ -142,12 +176,9 @@ export function aapMiddleware(options = {}) {
         }
         checks.challengeExists = true;
-        // Remove challenge (one-time use)
-        const { validators, batchSize: size } = challenge;
-        challenges.delete(nonce);
-        // Check 2: Not expired
+        // Check 2: Not expired (check BEFORE delete - race condition fix)
         if (Date.now() > challenge.expiresAt) {
+          challenges.delete(nonce);  // Clean up expired
           if (onFailed) onFailed({ error: 'Challenge expired', checks }, req);
           return res.status(400).json({
             verified: false,
@@ -157,6 +188,10 @@ export function aapMiddleware(options = {}) {
         }
         checks.notExpired = true;
+        // Remove challenge (one-time use) - only after expiry check
+        const { validators, batchSize: size } = challenge;
+        challenges.delete(nonce);
         // Check 3: Solutions exist
         if (!solutions || !Array.isArray(solutions) || solutions.length !== size) {
           if (onFailed) onFailed({ error: 'Invalid solutions array', checks }, req);
@@ -183,13 +218,17 @@ export function aapMiddleware(options = {}) {
         }
         checks.solutionsValid = true;
-        // Check 5: Response time (Proof of Liveness)
-        if (responseTimeMs > maxResponseTimeMs) {
+        // Check 5: Response time (Proof of Liveness) - SERVER-SIDE validation
+        const serverResponseTime = Date.now() - challenge.timestamp;
+        const effectiveResponseTime = Math.max(responseTimeMs, serverResponseTime);
+        if (effectiveResponseTime > maxResponseTimeMs) {
           if (onFailed) onFailed({ error: 'Response too slow', checks }, req);
           return res.status(400).json({
             verified: false,
-            error: `Response too slow: ${responseTimeMs}ms > ${maxResponseTimeMs}ms (Proof of Liveness failed)`,
-            checks
+            error: `Response too slow: ${effectiveResponseTime}ms > ${maxResponseTimeMs}ms (Proof of Liveness failed)`,
+            checks,
+            timing: { client: responseTimeMs, server: serverResponseTime }
           });
         }
         checks.responseTimeValid = true;
@@ -361,8 +400,14 @@ export function aapMiddleware(options = {}) {
  * const app = express();
  * app.use('/aap/v1', createRouter());
  */
-export function createRouter(options = {}) {
-  const express = require('express');
+export async function createRouter(options = {}) {
+  // Dynamic import for optional express dependency
+  let express;
+  try {
+    express = (await import('express')).default;
+  } catch {
+    throw new Error('express is required for createRouter. Install with: npm install express');
+  }
   const router = express.Router();
   router.use(express.json());