npm - aap-agent-server - Versions diffs - 2.6.0 → 3.0.0 - Mend

aap-agent-server 2.6.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/index.js CHANGED Viewed

@@ -1,41 +1,39 @@
 /**
- * @aap/server v2.5.0
+ * @aap/server v3.0.0
  *
- * Server-side utilities for Agent Attestation Protocol.
- * The Reverse Turing Test - CAPTCHAs block bots, AAP blocks humans.
+ * WebSocket-only Agent Attestation Protocol.
+ * Sequential challenges - no preview, no mercy.
  */
-export * from './middleware.js';
-export * from './challenges.js';
-export * from './ratelimit.js';
-export * from './whitelist.js';
-export * from './persistence.js';
-export * from './errors.js';
+// Core WebSocket server
+export { createAAPWebSocket } from './websocket.js';
+// Challenge generation (internal use)
+export {
+  generate,
+  generateBatch,
+  validateBatch,
+  getTypes,
+  BATCH_SIZE,
+  CHALLENGE_TYPES
+} from './challenges.js';
+// Optional utilities
+export { createWhitelist, createKeyRotation } from './whitelist.js';
+export { createStore, createMemoryStore, createFileStore, createRedisStore } from './persistence.js';
 export * as logger from './logger.js';
-import { aapMiddleware, createRouter } from './middleware.js';
-import challenges from './challenges.js';
-import { createRateLimiter, createFailureLimiter } from './ratelimit.js';
-import { createWhitelist, createKeyRotation } from './whitelist.js';
-import { createStore, createMemoryStore, createFileStore, createRedisStore } from './persistence.js';
+// Constants
+export const PROTOCOL_VERSION = '3.0.0';
+export const TIME_PER_CHALLENGE_MS = 1200;
+export const CHALLENGE_COUNT = 7;
+export const CONNECTION_TIMEOUT_MS = 15000;
-export { challenges };
+import { createAAPWebSocket } from './websocket.js';
 export default {
-  // Core
-  aapMiddleware,
-  createRouter,
-  challenges,
-  // Security
-  createRateLimiter,
-  createFailureLimiter,
-  createWhitelist,
-  createKeyRotation,
-  // Persistence
-  createStore,
-  createMemoryStore,
-  createFileStore,
-  createRedisStore
+  createAAPWebSocket,
+  PROTOCOL_VERSION,
+  TIME_PER_CHALLENGE_MS,
+  CHALLENGE_COUNT
 };

package/package.json CHANGED Viewed

@@ -1,17 +1,16 @@
 {
   "name": "aap-agent-server",
-  "version": "2.6.0",
-  "description": "Server middleware for Agent Attestation Protocol - verify AI agents",
+  "version": "3.0.0",
+  "description": "WebSocket server for Agent Attestation Protocol - verify AI agents",
   "main": "index.js",
   "types": "index.d.ts",
   "type": "module",
   "exports": {
     ".": "./index.js",
-    "./middleware": "./middleware.js",
-    "./challenges": "./challenges.js"
+    "./websocket": "./websocket.js"
   },
   "files": ["*.js", "README.md"],
-  "keywords": ["aap", "agent", "attestation", "verification", "middleware", "express", "ai"],
+  "keywords": ["aap", "agent", "attestation", "verification", "websocket", "ai"],
   "author": "ira-hash",
   "license": "MIT",
   "repository": {
@@ -21,15 +20,7 @@
   },
   "homepage": "https://github.com/ira-hash/agent-attestation-protocol#readme",
   "dependencies": {
-    "aap-agent-core": "^2.6.0"
-  },
-  "peerDependencies": {
-    "express": "^4.18.0 || ^5.0.0"
-  },
-  "peerDependenciesMeta": {
-    "express": {
-      "optional": true
-    }
+    "ws": "^8.16.0"
   },
   "engines": {
     "node": ">=18.0.0"

package/websocket.js ADDED Viewed

@@ -0,0 +1,366 @@
+/**
+ * AAP WebSocket Server v3.0
+ *
+ * Sequential challenge delivery over persistent connection.
+ * No preview. Server controls pacing. Humans cannot pass.
+ */
+import { WebSocketServer } from 'ws';
+import { randomBytes, createHash, createVerify } from 'node:crypto';
+// ============== CONSTANTS ==============
+export const PROTOCOL_VERSION = '3.0.0';
+export const CHALLENGE_COUNT = 7;
+export const TIME_PER_CHALLENGE_MS = 1200;
+export const CONNECTION_TIMEOUT_MS = 15000;
+// ============== CHALLENGE GENERATORS ==============
+const GENERATORS = {
+  math: (salt, seed) => {
+    const a = 10 + (seed % 90);
+    const b = 10 + ((seed * 7) % 90);
+    const ops = ['+', '-', '*'];
+    const op = ops[seed % 3];
+    const answer = op === '+' ? a + b : op === '-' ? a - b : a * b;
+    return {
+      q: `[REQ-${salt}] What is ${a} ${op} ${b}?\nFormat: {"salt":"${salt}","result":number}`,
+      v: (r) => r?.salt === salt && r?.result === answer
+    };
+  },
+  logic: (salt, seed) => {
+    const x = 10 + (seed % 50);
+    const y = 10 + ((seed * 3) % 50);
+    const answer = x > y ? 'GREATER' : x < y ? 'LESS' : 'EQUAL';
+    return {
+      q: `[REQ-${salt}] X=${x}, Y=${y}. Answer "GREATER" if X>Y, "LESS" if X<Y, "EQUAL" if X=Y.\nFormat: {"salt":"${salt}","answer":"..."}`,
+      v: (r) => r?.salt === salt && r?.answer === answer
+    };
+  },
+  count: (salt, seed) => {
+    const all = ['cat','dog','apple','bird','car','fish','tree','book','lion','grape'];
+    const animals = ['cat','dog','bird','fish','lion'];
+    const n = 4 + (seed % 5);
+    const items = [];
+    for (let i = 0; i < n; i++) {
+      items.push(all[(seed + i * 3) % all.length]);
+    }
+    const count = items.filter(i => animals.includes(i)).length;
+    return {
+      q: `[REQ-${salt}] Count animals: ${items.join(', ')}\nFormat: {"salt":"${salt}","count":number}`,
+      v: (r) => r?.salt === salt && r?.count === count
+    };
+  },
+  pattern: (salt, seed) => {
+    const start = 2 + (seed % 10);
+    const step = 2 + (seed % 6);
+    const seq = [start, start+step, start+step*2, start+step*3];
+    const next = [start+step*4, start+step*5];
+    return {
+      q: `[REQ-${salt}] Next 2 numbers: [${seq.join(', ')}, ?, ?]\nFormat: {"salt":"${salt}","next":[n1,n2]}`,
+      v: (r) => r?.salt === salt && Array.isArray(r?.next) && r.next[0] === next[0] && r.next[1] === next[1]
+    };
+  },
+  reverse: (salt, seed) => {
+    const words = ['hello','world','agent','robot','claw','alpha','delta'];
+    const word = words[seed % words.length];
+    const rev = word.split('').reverse().join('');
+    return {
+      q: `[REQ-${salt}] Reverse the string: "${word}"\nFormat: {"salt":"${salt}","result":"..."}`,
+      v: (r) => r?.salt === salt && r?.result === rev
+    };
+  },
+  extract: (salt, seed) => {
+    const colors = ['red','blue','green','yellow','purple','orange'];
+    const color = colors[seed % colors.length];
+    const nouns = ['car','robot','bird','house'];
+    const noun = nouns[seed % nouns.length];
+    return {
+      q: `[REQ-${salt}] Extract the color: "The ${color} ${noun} moved quickly"\nFormat: {"salt":"${salt}","color":"..."}`,
+      v: (r) => r?.salt === salt && r?.color === color
+    };
+  },
+  longest: (salt, seed) => {
+    const sets = [
+      ['cat', 'elephant', 'dog', 'ant'],
+      ['bee', 'hippopotamus', 'fox', 'rat'],
+      ['owl', 'crocodile', 'bat', 'fly']
+    ];
+    const words = sets[seed % sets.length];
+    const longest = words.reduce((a, b) => a.length >= b.length ? a : b);
+    return {
+      q: `[REQ-${salt}] Find longest word: ${words.join(', ')}\nFormat: {"salt":"${salt}","answer":"..."}`,
+      v: (r) => r?.salt === salt && r?.answer === longest
+    };
+  }
+};
+const TYPES = Object.keys(GENERATORS);
+function generateChallenge(nonce, index) {
+  const type = TYPES[index % TYPES.length];
+  const salt = createHash('sha256').update(nonce + index).digest('hex').slice(0, 6).toUpperCase();
+  const seed = parseInt(nonce.slice(index * 2, index * 2 + 8), 16) || (index * 17);
+  const { q, v } = GENERATORS[type](salt, seed);
+  return { type, challenge: q, validate: v };
+}
+// ============== WEBSOCKET SERVER ==============
+/**
+ * Create AAP WebSocket verification server
+ * @param {Object} options
+ * @param {number} [options.port] - Port for standalone server
+ * @param {Object} [options.server] - Existing HTTP server to attach to
+ * @param {string} [options.path='/aap'] - WebSocket path
+ * @param {number} [options.challengeCount=7] - Number of challenges
+ * @param {number} [options.timePerChallengeMs=1200] - Time limit per challenge
+ * @param {Function} [options.onVerified] - Callback on successful verification
+ * @param {Function} [options.onFailed] - Callback on failed verification
+ * @returns {Object} { wss, sessions, close }
+ */
+export function createAAPWebSocket(options = {}) {
+  const {
+    port,
+    server,
+    path = '/aap',
+    challengeCount = CHALLENGE_COUNT,
+    timePerChallengeMs = TIME_PER_CHALLENGE_MS,
+    connectionTimeoutMs = CONNECTION_TIMEOUT_MS,
+    onVerified,
+    onFailed
+  } = options;
+  const wssOptions = server ? { server, path } : { port };
+  const wss = new WebSocketServer(wssOptions);
+  const sessions = new Map();
+  const verifiedTokens = new Map();
+  wss.on('connection', (ws) => {
+    const sessionId = randomBytes(16).toString('hex');
+    const nonce = randomBytes(16).toString('hex');
+    const startTime = Date.now();
+    const session = {
+      id: sessionId,
+      ws,
+      nonce,
+      startTime,
+      current: 0,
+      challenges: [],
+      answers: [],
+      timings: [],
+      publicId: null,
+      challengeStart: null,
+      timer: null,
+      connTimer: null
+    };
+    sessions.set(sessionId, session);
+    // Generate challenges
+    for (let i = 0; i < challengeCount; i++) {
+      session.challenges.push(generateChallenge(nonce, i));
+    }
+    // Connection timeout
+    session.connTimer = setTimeout(() => {
+      send(ws, { type: 'error', code: 'TIMEOUT', message: 'Connection timeout' });
+      ws.close();
+    }, connectionTimeoutMs);
+    // Send handshake
+    send(ws, {
+      type: 'handshake',
+      sessionId,
+      protocol: 'AAP',
+      version: PROTOCOL_VERSION,
+      challengeCount,
+      timePerChallengeMs,
+      message: 'Send {"type":"ready"} to begin verification.'
+    });
+    ws.on('message', (data) => {
+      let msg;
+      try {
+        msg = JSON.parse(data.toString());
+      } catch {
+        send(ws, { type: 'error', code: 'INVALID_JSON', message: 'Invalid JSON' });
+        return;
+      }
+      handleMessage(session, msg, {
+        challengeCount,
+        timePerChallengeMs,
+        onVerified,
+        onFailed,
+        verifiedTokens
+      });
+    });
+    ws.on('close', () => {
+      cleanup(session);
+      sessions.delete(sessionId);
+    });
+    ws.on('error', () => {
+      cleanup(session);
+      sessions.delete(sessionId);
+    });
+  });
+  return {
+    wss,
+    sessions,
+    verifiedTokens,
+    close: () => wss.close(),
+    // Helper to check if token is verified
+    isVerified: (token) => {
+      const session = verifiedTokens.get(token);
+      return session && Date.now() < session.expiresAt;
+    },
+    // Get verified session info
+    getSession: (token) => verifiedTokens.get(token)
+  };
+}
+function send(ws, data) {
+  if (ws.readyState === 1) {
+    ws.send(JSON.stringify(data));
+  }
+}
+function cleanup(session) {
+  clearTimeout(session.timer);
+  clearTimeout(session.connTimer);
+}
+function handleMessage(session, msg, options) {
+  const { ws, current, challenges, answers, timings } = session;
+  const { challengeCount, timePerChallengeMs, onVerified, onFailed, verifiedTokens } = options;
+  switch (msg.type) {
+    case 'ready':
+      if (current !== 0) {
+        send(ws, { type: 'error', code: 'ALREADY_STARTED', message: 'Already started' });
+        return;
+      }
+      session.publicId = msg.publicId || 'anon-' + randomBytes(4).toString('hex');
+      sendNextChallenge(session, timePerChallengeMs);
+      break;
+    case 'answer':
+      if (session.challengeStart === null) {
+        send(ws, { type: 'error', code: 'NO_CHALLENGE', message: 'No active challenge' });
+        return;
+      }
+      clearTimeout(session.timer);
+      const elapsed = Date.now() - session.challengeStart;
+      // Too slow?
+      if (elapsed > timePerChallengeMs) {
+        finishSession(session, false, `Too slow on challenge #${current}: ${elapsed}ms > ${timePerChallengeMs}ms`, options);
+        return;
+      }
+      // Record answer
+      answers.push(msg.answer);
+      timings.push(elapsed);
+      // Validate
+      const valid = challenges[current].validate(msg.answer);
+      send(ws, { type: 'ack', id: current, valid, responseMs: elapsed });
+      session.current++;
+      // More challenges?
+      if (session.current < challengeCount) {
+        setTimeout(() => sendNextChallenge(session, timePerChallengeMs), 50);
+      } else {
+        // Calculate final result
+        const passed = answers.filter((a, i) => challenges[i].validate(a)).length;
+        const success = passed === challengeCount;
+        finishSession(session, success, success ? 'All challenges passed' : `Failed: ${passed}/${challengeCount}`, options, passed);
+      }
+      break;
+    default:
+      send(ws, { type: 'error', code: 'UNKNOWN_TYPE', message: 'Unknown message type' });
+  }
+}
+function sendNextChallenge(session, timePerChallengeMs) {
+  const { ws, current, challenges } = session;
+  const challenge = challenges[current];
+  session.challengeStart = Date.now();
+  send(ws, {
+    type: 'challenge',
+    id: current,
+    total: challenges.length,
+    challenge: challenge.challenge,
+    timeLimit: timePerChallengeMs
+  });
+  // Timeout for this challenge
+  session.timer = setTimeout(() => {
+    send(ws, { type: 'timeout', id: current, message: 'Time expired' });
+    finishSession(session, false, `Timeout on challenge #${current}`, {});
+  }, timePerChallengeMs + 100);
+}
+function finishSession(session, success, message, options, passed) {
+  const { ws, nonce, publicId, startTime, timings } = session;
+  const { onVerified, onFailed, verifiedTokens } = options;
+  cleanup(session);
+  const totalTime = Date.now() - startTime;
+  const result = {
+    type: 'result',
+    verified: success,
+    message,
+    nonce,
+    publicId,
+    passed,
+    total: session.challenges.length,
+    timings,
+    totalTimeMs: totalTime,
+    avgResponseMs: timings.length ? Math.round(timings.reduce((a, b) => a + b, 0) / timings.length) : null
+  };
+  if (success) {
+    result.role = 'AI_AGENT';
+    result.sessionToken = randomBytes(32).toString('hex');
+    // Store verified session
+    if (verifiedTokens) {
+      verifiedTokens.set(result.sessionToken, {
+        publicId,
+        nonce,
+        verifiedAt: Date.now(),
+        expiresAt: Date.now() + 3600000, // 1 hour
+        totalTimeMs: totalTime,
+        avgResponseMs: result.avgResponseMs
+      });
+    }
+    if (onVerified) onVerified(result, session);
+  } else {
+    if (onFailed) onFailed(result, session);
+  }
+  send(ws, result);
+  setTimeout(() => ws.close(), 300);
+}
+export default { createAAPWebSocket, PROTOCOL_VERSION, CHALLENGE_COUNT, TIME_PER_CHALLENGE_MS };

package/errors.js DELETED Viewed

@@ -1,134 +0,0 @@
-/**
- * AAP Server - Error Definitions
- *
- * Consistent, client-friendly error messages
- */
-export const ErrorCodes = {
-  // Challenge errors
-  CHALLENGE_NOT_FOUND: 'CHALLENGE_NOT_FOUND',
-  CHALLENGE_EXPIRED: 'CHALLENGE_EXPIRED',
-  CHALLENGE_ALREADY_USED: 'CHALLENGE_ALREADY_USED',
-  // Solution errors
-  MISSING_SOLUTIONS: 'MISSING_SOLUTIONS',
-  INVALID_SOLUTIONS_COUNT: 'INVALID_SOLUTIONS_COUNT',
-  SOLUTION_VALIDATION_FAILED: 'SOLUTION_VALIDATION_FAILED',
-  // Timing errors
-  RESPONSE_TOO_SLOW: 'RESPONSE_TOO_SLOW',
-  // Signature errors
-  INVALID_SIGNATURE: 'INVALID_SIGNATURE',
-  MISSING_SIGNATURE: 'MISSING_SIGNATURE',
-  INVALID_PUBLIC_KEY: 'INVALID_PUBLIC_KEY',
-  // General errors
-  INVALID_REQUEST: 'INVALID_REQUEST',
-  INTERNAL_ERROR: 'INTERNAL_ERROR',
-  RATE_LIMITED: 'RATE_LIMITED'
-};
-export const ErrorMessages = {
-  [ErrorCodes.CHALLENGE_NOT_FOUND]: {
-    message: 'Challenge not found',
-    hint: 'Request a new challenge via POST /challenge',
-    status: 400
-  },
-  [ErrorCodes.CHALLENGE_EXPIRED]: {
-    message: 'Challenge has expired',
-    hint: 'Challenges expire after 60 seconds. Request a new one.',
-    status: 400
-  },
-  [ErrorCodes.CHALLENGE_ALREADY_USED]: {
-    message: 'Challenge already used',
-    hint: 'Each challenge can only be used once. Request a new one.',
-    status: 400
-  },
-  [ErrorCodes.MISSING_SOLUTIONS]: {
-    message: 'Missing solutions array',
-    hint: 'Include "solutions" array in request body',
-    status: 400
-  },
-  [ErrorCodes.INVALID_SOLUTIONS_COUNT]: {
-    message: 'Invalid number of solutions',
-    hint: 'Provide exactly 3 solutions for batch challenges',
-    status: 400
-  },
-  [ErrorCodes.SOLUTION_VALIDATION_FAILED]: {
-    message: 'Solution validation failed (Proof of Intelligence)',
-    hint: 'One or more solutions are incorrect. Ensure your LLM correctly solves each challenge.',
-    status: 400
-  },
-  [ErrorCodes.RESPONSE_TOO_SLOW]: {
-    message: 'Response too slow (Proof of Liveness failed)',
-    hint: 'Response must arrive within 12 seconds for batch challenges',
-    status: 400
-  },
-  [ErrorCodes.INVALID_SIGNATURE]: {
-    message: 'Invalid signature (Proof of Identity failed)',
-    hint: 'Ensure you sign the correct data with your private key',
-    status: 400
-  },
-  [ErrorCodes.MISSING_SIGNATURE]: {
-    message: 'Missing signature',
-    hint: 'Include "signature" field with Base64-encoded ECDSA signature',
-    status: 400
-  },
-  [ErrorCodes.INVALID_PUBLIC_KEY]: {
-    message: 'Invalid public key',
-    hint: 'Public key must be PEM-encoded secp256k1 key',
-    status: 400
-  },
-  [ErrorCodes.INVALID_REQUEST]: {
-    message: 'Invalid request format',
-    hint: 'Check the API documentation for required fields',
-    status: 400
-  },
-  [ErrorCodes.INTERNAL_ERROR]: {
-    message: 'Internal server error',
-    hint: 'Please try again later',
-    status: 500
-  },
-  [ErrorCodes.RATE_LIMITED]: {
-    message: 'Too many requests',
-    hint: 'Please wait before making more requests',
-    status: 429
-  }
-};
-/**
- * Create an error response
- * @param {string} code - Error code from ErrorCodes
- * @param {Object} [extra] - Additional fields to include
- * @returns {Object} Error response object
- */
-export function createError(code, extra = {}) {
-  const errorDef = ErrorMessages[code] || ErrorMessages[ErrorCodes.INTERNAL_ERROR];
-  return {
-    verified: false,
-    error: errorDef.message,
-    code,
-    hint: errorDef.hint,
-    ...extra
-  };
-}
-/**
- * Create error response with HTTP status
- * @param {string} code - Error code
- * @param {Object} res - Express response object
- * @param {Object} [extra] - Additional fields
- */
-export function sendError(code, res, extra = {}) {
-  const errorDef = ErrorMessages[code] || ErrorMessages[ErrorCodes.INTERNAL_ERROR];
-  res.status(errorDef.status).json(createError(code, extra));
-}
-export default {
-  ErrorCodes,
-  ErrorMessages,
-  createError,
-  sendError
-};

package/middleware.js DELETED Viewed

@@ -1,420 +0,0 @@
-/**
- * @aap/server - Express Middleware
- *
- * Drop-in middleware for adding AAP verification to Express apps.
- */
-import { verify, generateNonce, createProofData } from 'aap-agent-core';
-import {
-  generate as generateChallenge,
-  generateBatch,
-  validateBatch,
-  getTypes,
-  validate as validateSolution,
-  BATCH_SIZE,
-  MAX_RESPONSE_TIME_MS,
-  CHALLENGE_EXPIRY_MS
-} from './challenges.js';
-import * as logger from './logger.js';
-import { ErrorCodes, sendError } from './errors.js';
-/**
- * Create AAP verification middleware/router
- *
- * @param {Object} [options]
- * @param {number} [options.challengeExpiryMs=60000] - Challenge expiration time
- * @param {number} [options.maxResponseTimeMs=8000] - Max response time for batch
- * @param {number} [options.batchSize=5] - Number of challenges per batch
- * @param {number} [options.minPassCount] - Minimum challenges to pass (default: all)
- * @param {Function} [options.onVerified] - Callback when agent is verified
- * @param {Function} [options.onFailed] - Callback when verification fails
- * @returns {Function} Express router
- */
-export function aapMiddleware(options = {}) {
-  const {
-    challengeExpiryMs = CHALLENGE_EXPIRY_MS,
-    maxResponseTimeMs = MAX_RESPONSE_TIME_MS,
-    batchSize = BATCH_SIZE,
-    minPassCount = null,  // null = all must pass
-    onVerified,
-    onFailed
-  } = options;
-  // In-memory challenge store with size limit (DoS protection)
-  const MAX_CHALLENGES = 10000;
-  const challenges = new Map();
-  // Cleanup expired challenges periodically
-  const cleanup = () => {
-    const now = Date.now();
-    for (const [nonce, challenge] of challenges.entries()) {
-      if (now > challenge.expiresAt) {
-        challenges.delete(nonce);
-      }
-    }
-    // Emergency cleanup if still too many (keep newest)
-    if (challenges.size > MAX_CHALLENGES) {
-      const entries = [...challenges.entries()]
-        .sort((a, b) => b[1].timestamp - a[1].timestamp)
-        .slice(0, MAX_CHALLENGES / 2);
-      challenges.clear();
-      entries.forEach(([k, v]) => challenges.set(k, v));
-    }
-  };
-  // Return a function that creates routes
-  return (router) => {
-    /**
-     * GET /health - Health check
-     */
-    router.get('/health', (req, res) => {
-      res.json({
-        status: 'ok',
-        protocol: 'AAP',
-        version: '2.0.0',
-        mode: 'batch',
-        batchSize,
-        maxResponseTimeMs,
-        challengeTypes: getTypes(),
-        activeChallenges: challenges.size
-      });
-    });
-    /**
-     * POST /challenge - Request a batch of challenges
-     */
-    router.post('/challenge', (req, res) => {
-      cleanup();
-      const nonce = generateNonce();
-      const timestamp = Date.now();
-      const { challenges: batchChallenges, validators, expected } = generateBatch(nonce, batchSize);
-      const challengeData = {
-        nonce,
-        challenges: batchChallenges,
-        batchSize,
-        timestamp,
-        expiresAt: timestamp + challengeExpiryMs,
-        maxResponseTimeMs
-      };
-      // Store with validators (not sent to client)
-      challenges.set(nonce, {
-        ...challengeData,
-        validators,
-        expected  // For debugging
-      });
-      // Send without validators
-      res.json({
-        nonce,
-        challenges: batchChallenges,
-        batchSize,
-        timestamp,
-        expiresAt: challengeData.expiresAt,
-        maxResponseTimeMs
-      });
-    });
-    /**
-     * POST /verify - Verify agent's batch solutions
-     */
-    router.post('/verify', (req, res) => {
-      const {
-        solutions,
-        signature,
-        publicKey,
-        publicId,
-        nonce,
-        timestamp,
-        responseTimeMs
-      } = req.body;
-      const checks = {
-        inputValid: false,
-        challengeExists: false,
-        notExpired: false,
-        solutionsExist: false,
-        solutionsValid: false,
-        responseTimeValid: false,
-        signatureValid: false
-      };
-      try {
-        // Check 0: Input validation (security)
-        if (!nonce || typeof nonce !== 'string' || nonce.length !== 32) {
-          return res.status(400).json({ verified: false, error: 'Invalid nonce format', checks });
-        }
-        if (!publicId || typeof publicId !== 'string' || publicId.length !== 20) {
-          return res.status(400).json({ verified: false, error: 'Invalid publicId format', checks });
-        }
-        if (!signature || typeof signature !== 'string' || signature.length < 50) {
-          return res.status(400).json({ verified: false, error: 'Invalid signature format', checks });
-        }
-        if (!publicKey || typeof publicKey !== 'string' || !publicKey.includes('BEGIN PUBLIC KEY')) {
-          return res.status(400).json({ verified: false, error: 'Invalid publicKey format', checks });
-        }
-        if (!timestamp || typeof timestamp !== 'number') {
-          return res.status(400).json({ verified: false, error: 'Invalid timestamp', checks });
-        }
-        if (!responseTimeMs || typeof responseTimeMs !== 'number' || responseTimeMs < 0) {
-          return res.status(400).json({ verified: false, error: 'Invalid responseTimeMs', checks });
-        }
-        checks.inputValid = true;
-        // Check 1: Challenge exists (check BEFORE delete for race condition fix)
-        const challenge = challenges.get(nonce);
-        if (!challenge) {
-          if (onFailed) onFailed({ error: 'Challenge not found', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: 'Challenge not found or already used',
-            checks
-          });
-        }
-        checks.challengeExists = true;
-        // Check 2: Not expired (check BEFORE delete - race condition fix)
-        if (Date.now() > challenge.expiresAt) {
-          challenges.delete(nonce);  // Clean up expired
-          if (onFailed) onFailed({ error: 'Challenge expired', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: 'Challenge expired',
-            checks
-          });
-        }
-        checks.notExpired = true;
-        // Remove challenge (one-time use) - only after expiry check
-        const { validators, batchSize: size } = challenge;
-        challenges.delete(nonce);
-        // Check 3: Solutions exist
-        if (!solutions || !Array.isArray(solutions) || solutions.length !== size) {
-          if (onFailed) onFailed({ error: 'Invalid solutions array', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: `Expected ${size} solutions, got ${solutions?.length || 0}`,
-            checks
-          });
-        }
-        checks.solutionsExist = true;
-        // Check 4: Validate all solutions (Proof of Intelligence)
-        const batchResult = validateBatch(validators, solutions);
-        const requiredPass = minPassCount || size;
-        if (batchResult.passed < requiredPass) {
-          if (onFailed) onFailed({ error: 'Solutions validation failed', checks, batchResult }, req);
-          return res.status(400).json({
-            verified: false,
-            error: `Proof of Intelligence failed: ${batchResult.passed}/${size} correct (need ${requiredPass})`,
-            checks,
-            batchResult
-          });
-        }
-        checks.solutionsValid = true;
-        // Check 5: Response time (Proof of Liveness) - SERVER-SIDE validation
-        const serverResponseTime = Date.now() - challenge.timestamp;
-        const effectiveResponseTime = Math.max(responseTimeMs, serverResponseTime);
-        if (effectiveResponseTime > maxResponseTimeMs) {
-          if (onFailed) onFailed({ error: 'Response too slow', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: `Response too slow: ${effectiveResponseTime}ms > ${maxResponseTimeMs}ms (Proof of Liveness failed)`,
-            checks,
-            timing: { client: responseTimeMs, server: serverResponseTime }
-          });
-        }
-        checks.responseTimeValid = true;
-        // Check 6: Signature (Proof of Identity)
-        // Sign over solutions array
-        const solutionsString = JSON.stringify(solutions);
-        const proofData = createProofData({ nonce, solution: solutionsString, publicId, timestamp });
-        if (!verify(proofData, signature, publicKey)) {
-          if (onFailed) onFailed({ error: 'Invalid signature', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: 'Invalid signature (Proof of Identity failed)',
-            checks
-          });
-        }
-        checks.signatureValid = true;
-        // All checks passed
-        const result = {
-          verified: true,
-          role: 'AI_AGENT',
-          publicId,
-          batchResult,
-          responseTimeMs,
-          checks
-        };
-        if (onVerified) onVerified(result, req);
-        res.json(result);
-      } catch (error) {
-        if (onFailed) onFailed({ error: error.message, checks }, req);
-        res.status(500).json({
-          verified: false,
-          error: `Verification error: ${error.message}`,
-          checks
-        });
-      }
-    });
-    // ============== Legacy single-challenge endpoints ==============
-    /**
-     * POST /challenge/single - Request a single challenge (legacy)
-     */
-    router.post('/challenge/single', (req, res) => {
-      cleanup();
-      const nonce = generateNonce();
-      const timestamp = Date.now();
-      const { type, challenge_string, validate } = generateChallenge(nonce);
-      const challenge = {
-        challenge_string,
-        nonce,
-        type,
-        difficulty: 1,
-        timestamp,
-        expiresAt: timestamp + challengeExpiryMs,
-        mode: 'single'
-      };
-      challenges.set(nonce, { ...challenge, validate });
-      res.json({
-        challenge_string,
-        nonce,
-        type,
-        difficulty: 1,
-        timestamp,
-        expiresAt: challenge.expiresAt,
-        mode: 'single',
-        maxResponseTimeMs: 10000  // 10s for single
-      });
-    });
-    /**
-     * POST /verify/single - Verify single challenge (legacy)
-     */
-    router.post('/verify/single', (req, res) => {
-      const {
-        solution,
-        signature,
-        publicKey,
-        publicId,
-        nonce,
-        timestamp,
-        responseTimeMs
-      } = req.body;
-      const checks = {
-        challengeExists: false,
-        notExpired: false,
-        solutionExists: false,
-        solutionValid: false,
-        responseTimeValid: false,
-        signatureValid: false
-      };
-      try {
-        const challenge = challenges.get(nonce);
-        if (!challenge || challenge.mode !== 'single') {
-          return res.status(400).json({
-            verified: false,
-            error: 'Single challenge not found',
-            checks
-          });
-        }
-        checks.challengeExists = true;
-        const { validate, type: challengeType } = challenge;
-        challenges.delete(nonce);
-        if (Date.now() > challenge.expiresAt) {
-          return res.status(400).json({ verified: false, error: 'Challenge expired', checks });
-        }
-        checks.notExpired = true;
-        if (!solution) {
-          return res.status(400).json({ verified: false, error: 'Missing solution', checks });
-        }
-        checks.solutionExists = true;
-        if (!validate(solution)) {
-          return res.status(400).json({ verified: false, error: 'Invalid solution', checks });
-        }
-        checks.solutionValid = true;
-        if (responseTimeMs > 10000) {
-          return res.status(400).json({ verified: false, error: 'Too slow', checks });
-        }
-        checks.responseTimeValid = true;
-        const proofData = createProofData({ nonce, solution, publicId, timestamp });
-        if (!verify(proofData, signature, publicKey)) {
-          return res.status(400).json({ verified: false, error: 'Invalid signature', checks });
-        }
-        checks.signatureValid = true;
-        res.json({
-          verified: true,
-          role: 'AI_AGENT',
-          publicId,
-          challengeType,
-          checks
-        });
-      } catch (error) {
-        res.status(500).json({ verified: false, error: error.message, checks });
-      }
-    });
-    return router;
-  };
-}
-/**
- * Create a standalone AAP router for Express
- *
- * @param {Object} [options] - Middleware options
- * @returns {Router} Express router
- *
- * @example
- * import express from 'express';
- * import { createRouter } from '@aap/server';
- *
- * const app = express();
- * app.use('/aap/v1', createRouter());
- */
-export async function createRouter(options = {}) {
-  // Dynamic import for optional express dependency
-  let express;
-  try {
-    express = (await import('express')).default;
-  } catch {
-    throw new Error('express is required for createRouter. Install with: npm install express');
-  }
-  const router = express.Router();
-  router.use(express.json());
-  const middleware = aapMiddleware(options);
-  middleware(router);
-  return router;
-}
-export default { aapMiddleware, createRouter };

package/ratelimit.js DELETED Viewed

@@ -1,117 +0,0 @@
-/**
- * AAP Rate Limiter
- *
- * Simple in-memory rate limiting (no external dependencies)
- */
-/**
- * Create a rate limiter
- * @param {Object} options
- * @param {number} [options.windowMs=60000] - Time window in ms
- * @param {number} [options.max=10] - Max requests per window
- * @param {string} [options.message] - Error message
- * @returns {Function} Express middleware
- */
-export function createRateLimiter(options = {}) {
-  const {
-    windowMs = 60000,
-    max = 10,
-    message = 'Too many requests, please try again later'
-  } = options;
-  const requests = new Map();
-  // Cleanup old entries periodically
-  setInterval(() => {
-    const now = Date.now();
-    for (const [key, data] of requests.entries()) {
-      if (now - data.firstRequest > windowMs) {
-        requests.delete(key);
-      }
-    }
-  }, windowMs);
-  return (req, res, next) => {
-    const key = req.ip || req.connection.remoteAddress || 'unknown';
-    const now = Date.now();
-    let data = requests.get(key);
-    if (!data || now - data.firstRequest > windowMs) {
-      // New window
-      data = { count: 1, firstRequest: now };
-      requests.set(key, data);
-    } else {
-      data.count++;
-    }
-    // Set headers
-    const remaining = Math.max(0, max - data.count);
-    const resetTime = Math.ceil((data.firstRequest + windowMs) / 1000);
-    res.setHeader('X-RateLimit-Limit', max);
-    res.setHeader('X-RateLimit-Remaining', remaining);
-    res.setHeader('X-RateLimit-Reset', resetTime);
-    if (data.count > max) {
-      res.setHeader('Retry-After', Math.ceil((data.firstRequest + windowMs - now) / 1000));
-      return res.status(429).json({
-        error: message,
-        retryAfter: Math.ceil((data.firstRequest + windowMs - now) / 1000)
-      });
-    }
-    next();
-  };
-}
-/**
- * Create rate limiter for failed attempts
- * Stricter limits after failures
- */
-export function createFailureLimiter(options = {}) {
-  const {
-    windowMs = 60000,
-    maxFailures = 5,
-    message = 'Too many failed attempts'
-  } = options;
-  const failures = new Map();
-  return {
-    middleware: (req, res, next) => {
-      const key = req.ip || req.connection.remoteAddress || 'unknown';
-      const data = failures.get(key);
-      if (data && data.count >= maxFailures && Date.now() - data.firstFailure < windowMs) {
-        return res.status(429).json({
-          error: message,
-          retryAfter: Math.ceil((data.firstFailure + windowMs - Date.now()) / 1000)
-        });
-      }
-      next();
-    },
-    recordFailure: (req) => {
-      const key = req.ip || req.connection.remoteAddress || 'unknown';
-      const now = Date.now();
-      let data = failures.get(key);
-      if (!data || now - data.firstFailure > windowMs) {
-        data = { count: 1, firstFailure: now };
-      } else {
-        data.count++;
-      }
-      failures.set(key, data);
-    },
-    clearFailures: (req) => {
-      const key = req.ip || req.connection.remoteAddress || 'unknown';
-      failures.delete(key);
-    }
-  };
-}
-export default { createRateLimiter, createFailureLimiter };