aap-agent-server 2.7.0 → 3.0.0

package/index.js

@@ -1,46 +1,39 @@
 /**
- * @aap/server v2.7.0
+ * @aap/server v3.0.0
  * 
- * Server-side utilities for Agent Attestation Protocol.
- * The Reverse Turing Test - CAPTCHAs block bots, AAP blocks humans.
+ * WebSocket-only Agent Attestation Protocol.
+ * Sequential challenges - no preview, no mercy.
  */
 
-export * from './middleware.js';
-export * from './challenges.js';
-export * from './ratelimit.js';
-export * from './whitelist.js';
-export * from './persistence.js';
-export * from './errors.js';
-export * from './websocket.js';
+// Core WebSocket server
+export { createAAPWebSocket } from './websocket.js';
+
+// Challenge generation (internal use)
+export { 
+  generate, 
+  generateBatch, 
+  validateBatch, 
+  getTypes,
+  BATCH_SIZE,
+  CHALLENGE_TYPES
+} from './challenges.js';
+
+// Optional utilities
+export { createWhitelist, createKeyRotation } from './whitelist.js';
+export { createStore, createMemoryStore, createFileStore, createRedisStore } from './persistence.js';
 export * as logger from './logger.js';
 
-import { aapMiddleware, createRouter } from './middleware.js';
-import challenges from './challenges.js';
-import { createRateLimiter, createFailureLimiter } from './ratelimit.js';
-import { createWhitelist, createKeyRotation } from './whitelist.js';
-import { createStore, createMemoryStore, createFileStore, createRedisStore } from './persistence.js';
-import { createAAPWebSocket } from './websocket.js';
+// Constants
+export const PROTOCOL_VERSION = '3.0.0';
+export const TIME_PER_CHALLENGE_MS = 1200;
+export const CHALLENGE_COUNT = 7;
+export const CONNECTION_TIMEOUT_MS = 15000;
 
-export { challenges };
+import { createAAPWebSocket } from './websocket.js';
 
 export default {
-  // Core
-  aapMiddleware,
-  createRouter,
-  challenges,
-  
-  // WebSocket (v2.7+)
   createAAPWebSocket,
-  
-  // Security
-  createRateLimiter,
-  createFailureLimiter,
-  createWhitelist,
-  createKeyRotation,
-  
-  // Persistence
-  createStore,
-  createMemoryStore,
-  createFileStore,
-  createRedisStore
+  PROTOCOL_VERSION,
+  TIME_PER_CHALLENGE_MS,
+  CHALLENGE_COUNT
 };

package/package.json

@@ -1,17 +1,16 @@
 {
   "name": "aap-agent-server",
-  "version": "2.7.0",
-  "description": "Server middleware for Agent Attestation Protocol - verify AI agents",
+  "version": "3.0.0",
+  "description": "WebSocket server for Agent Attestation Protocol - verify AI agents",
   "main": "index.js",
   "types": "index.d.ts",
   "type": "module",
   "exports": {
     ".": "./index.js",
-    "./middleware": "./middleware.js",
-    "./challenges": "./challenges.js"
+    "./websocket": "./websocket.js"
   },
   "files": ["*.js", "README.md"],
-  "keywords": ["aap", "agent", "attestation", "verification", "middleware", "express", "ai"],
+  "keywords": ["aap", "agent", "attestation", "verification", "websocket", "ai"],
   "author": "ira-hash",
   "license": "MIT",
   "repository": {
@@ -21,17 +20,8 @@
   },
   "homepage": "https://github.com/ira-hash/agent-attestation-protocol#readme",
   "dependencies": {
-    "aap-agent-core": "^2.6.0",
     "ws": "^8.16.0"
   },
-  "peerDependencies": {
-    "express": "^4.18.0 || ^5.0.0"
-  },
-  "peerDependenciesMeta": {
-    "express": {
-      "optional": true
-    }
-  },
   "engines": {
     "node": ">=18.0.0"
   }

package/websocket.js

@@ -1,121 +1,215 @@
 /**
- * AAP WebSocket Server v2.7
+ * AAP WebSocket Server v3.0
  * 
  * Sequential challenge delivery over persistent connection.
- * Humans cannot preview questions - each arrives with strict time limit.
+ * No preview. Server controls pacing. Humans cannot pass.
  */
 
 import { WebSocketServer } from 'ws';
-import { randomBytes, createVerify } from 'node:crypto';
-import { generate as generateChallenge, getTypes } from './challenges.js';
+import { randomBytes, createHash, createVerify } from 'node:crypto';
 
-// Constants
-const CHALLENGE_COUNT = 7;
-const TIME_PER_CHALLENGE_MS = 1200;  // 1.2 seconds per challenge
-const CONNECTION_TIMEOUT_MS = 15000; // 15 seconds total
-const PROTOCOL_VERSION = '2.7.0';
+// ============== CONSTANTS ==============
+export const PROTOCOL_VERSION = '3.0.0';
+export const CHALLENGE_COUNT = 7;
+export const TIME_PER_CHALLENGE_MS = 1200;
+export const CONNECTION_TIMEOUT_MS = 15000;
+
+// ============== CHALLENGE GENERATORS ==============
+const GENERATORS = {
+  math: (salt, seed) => {
+    const a = 10 + (seed % 90);
+    const b = 10 + ((seed * 7) % 90);
+    const ops = ['+', '-', '*'];
+    const op = ops[seed % 3];
+    const answer = op === '+' ? a + b : op === '-' ? a - b : a * b;
+    return {
+      q: `[REQ-${salt}] What is ${a} ${op} ${b}?\nFormat: {"salt":"${salt}","result":number}`,
+      v: (r) => r?.salt === salt && r?.result === answer
+    };
+  },
+  
+  logic: (salt, seed) => {
+    const x = 10 + (seed % 50);
+    const y = 10 + ((seed * 3) % 50);
+    const answer = x > y ? 'GREATER' : x < y ? 'LESS' : 'EQUAL';
+    return {
+      q: `[REQ-${salt}] X=${x}, Y=${y}. Answer "GREATER" if X>Y, "LESS" if X<Y, "EQUAL" if X=Y.\nFormat: {"salt":"${salt}","answer":"..."}`,
+      v: (r) => r?.salt === salt && r?.answer === answer
+    };
+  },
+  
+  count: (salt, seed) => {
+    const all = ['cat','dog','apple','bird','car','fish','tree','book','lion','grape'];
+    const animals = ['cat','dog','bird','fish','lion'];
+    const n = 4 + (seed % 5);
+    const items = [];
+    for (let i = 0; i < n; i++) {
+      items.push(all[(seed + i * 3) % all.length]);
+    }
+    const count = items.filter(i => animals.includes(i)).length;
+    return {
+      q: `[REQ-${salt}] Count animals: ${items.join(', ')}\nFormat: {"salt":"${salt}","count":number}`,
+      v: (r) => r?.salt === salt && r?.count === count
+    };
+  },
+  
+  pattern: (salt, seed) => {
+    const start = 2 + (seed % 10);
+    const step = 2 + (seed % 6);
+    const seq = [start, start+step, start+step*2, start+step*3];
+    const next = [start+step*4, start+step*5];
+    return {
+      q: `[REQ-${salt}] Next 2 numbers: [${seq.join(', ')}, ?, ?]\nFormat: {"salt":"${salt}","next":[n1,n2]}`,
+      v: (r) => r?.salt === salt && Array.isArray(r?.next) && r.next[0] === next[0] && r.next[1] === next[1]
+    };
+  },
+  
+  reverse: (salt, seed) => {
+    const words = ['hello','world','agent','robot','claw','alpha','delta'];
+    const word = words[seed % words.length];
+    const rev = word.split('').reverse().join('');
+    return {
+      q: `[REQ-${salt}] Reverse the string: "${word}"\nFormat: {"salt":"${salt}","result":"..."}`,
+      v: (r) => r?.salt === salt && r?.result === rev
+    };
+  },
+  
+  extract: (salt, seed) => {
+    const colors = ['red','blue','green','yellow','purple','orange'];
+    const color = colors[seed % colors.length];
+    const nouns = ['car','robot','bird','house'];
+    const noun = nouns[seed % nouns.length];
+    return {
+      q: `[REQ-${salt}] Extract the color: "The ${color} ${noun} moved quickly"\nFormat: {"salt":"${salt}","color":"..."}`,
+      v: (r) => r?.salt === salt && r?.color === color
+    };
+  },
+  
+  longest: (salt, seed) => {
+    const sets = [
+      ['cat', 'elephant', 'dog', 'ant'],
+      ['bee', 'hippopotamus', 'fox', 'rat'],
+      ['owl', 'crocodile', 'bat', 'fly']
+    ];
+    const words = sets[seed % sets.length];
+    const longest = words.reduce((a, b) => a.length >= b.length ? a : b);
+    return {
+      q: `[REQ-${salt}] Find longest word: ${words.join(', ')}\nFormat: {"salt":"${salt}","answer":"..."}`,
+      v: (r) => r?.salt === salt && r?.answer === longest
+    };
+  }
+};
+
+const TYPES = Object.keys(GENERATORS);
+
+function generateChallenge(nonce, index) {
+  const type = TYPES[index % TYPES.length];
+  const salt = createHash('sha256').update(nonce + index).digest('hex').slice(0, 6).toUpperCase();
+  const seed = parseInt(nonce.slice(index * 2, index * 2 + 8), 16) || (index * 17);
+  const { q, v } = GENERATORS[type](salt, seed);
+  return { type, challenge: q, validate: v };
+}
+
+// ============== WEBSOCKET SERVER ==============
 
 /**
- * Create AAP WebSocket server
+ * Create AAP WebSocket verification server
  * @param {Object} options
- * @param {number} [options.port] - Standalone port (if no httpServer)
- * @param {Object} [options.httpServer] - Existing HTTP server
+ * @param {number} [options.port] - Port for standalone server
+ * @param {Object} [options.server] - Existing HTTP server to attach to
  * @param {string} [options.path='/aap'] - WebSocket path
+ * @param {number} [options.challengeCount=7] - Number of challenges
+ * @param {number} [options.timePerChallengeMs=1200] - Time limit per challenge
  * @param {Function} [options.onVerified] - Callback on successful verification
  * @param {Function} [options.onFailed] - Callback on failed verification
+ * @returns {Object} { wss, sessions, close }
  */
 export function createAAPWebSocket(options = {}) {
   const {
     port,
-    httpServer,
+    server,
     path = '/aap',
-    onVerified = null,
-    onFailed = null,
     challengeCount = CHALLENGE_COUNT,
-    timePerChallengeMs = TIME_PER_CHALLENGE_MS
+    timePerChallengeMs = TIME_PER_CHALLENGE_MS,
+    connectionTimeoutMs = CONNECTION_TIMEOUT_MS,
+    onVerified,
+    onFailed
   } = options;
 
-  const wssOptions = httpServer 
-    ? { server: httpServer, path }
-    : { port, path };
-  
+  const wssOptions = server ? { server, path } : { port };
   const wss = new WebSocketServer(wssOptions);
-  
-  // Track active sessions
   const sessions = new Map();
+  const verifiedTokens = new Map();
 
-  wss.on('connection', (ws, req) => {
+  wss.on('connection', (ws) => {
     const sessionId = randomBytes(16).toString('hex');
     const nonce = randomBytes(16).toString('hex');
     const startTime = Date.now();
-    
+
     const session = {
       id: sessionId,
-      nonce,
       ws,
+      nonce,
       startTime,
-      currentChallenge: 0,
+      current: 0,
       challenges: [],
-      validators: [],
       answers: [],
       timings: [],
-      publicKey: null,
       publicId: null,
-      challengeStartTime: null,
-      timeout: null,
-      connectionTimeout: null
+      challengeStart: null,
+      timer: null,
+      connTimer: null
     };
-    
+
     sessions.set(sessionId, session);
-    
-    // Connection timeout
-    session.connectionTimeout = setTimeout(() => {
-      sendError(ws, 'Connection timeout');
-      ws.close();
-    }, CONNECTION_TIMEOUT_MS);
-    
-    // Generate all challenges upfront (but send one at a time)
-    const types = getTypes();
+
+    // Generate challenges
     for (let i = 0; i < challengeCount; i++) {
-      const type = types[i % types.length];
-      const challenge = generateChallenge(nonce + i, type);
-      session.challenges.push({
-        id: i,
-        type,
-        challenge_string: challenge.challenge_string
-      });
-      session.validators.push(challenge.validate);
+      session.challenges.push(generateChallenge(nonce, i));
     }
-    
+
+    // Connection timeout
+    session.connTimer = setTimeout(() => {
+      send(ws, { type: 'error', code: 'TIMEOUT', message: 'Connection timeout' });
+      ws.close();
+    }, connectionTimeoutMs);
+
     // Send handshake
     send(ws, {
       type: 'handshake',
       sessionId,
-      nonce,
       protocol: 'AAP',
       version: PROTOCOL_VERSION,
-      mode: 'websocket',
       challengeCount,
       timePerChallengeMs,
-      message: 'Connected. Send "ready" with publicKey to begin.'
+      message: 'Send {"type":"ready"} to begin verification.'
     });
-    
+
     ws.on('message', (data) => {
+      let msg;
       try {
-        const msg = JSON.parse(data.toString());
-        handleMessage(session, msg, { onVerified, onFailed, timePerChallengeMs });
-      } catch (e) {
-        sendError(ws, 'Invalid JSON');
+        msg = JSON.parse(data.toString());
+      } catch {
+        send(ws, { type: 'error', code: 'INVALID_JSON', message: 'Invalid JSON' });
+        return;
       }
+
+      handleMessage(session, msg, {
+        challengeCount,
+        timePerChallengeMs,
+        onVerified,
+        onFailed,
+        verifiedTokens
+      });
     });
-    
+
     ws.on('close', () => {
-      clearTimeout(session.timeout);
-      clearTimeout(session.connectionTimeout);
+      cleanup(session);
       sessions.delete(sessionId);
     });
-    
+
     ws.on('error', () => {
+      cleanup(session);
       sessions.delete(sessionId);
     });
   });
@@ -123,160 +217,150 @@ export function createAAPWebSocket(options = {}) {
   return {
     wss,
     sessions,
-    close: () => wss.close()
+    verifiedTokens,
+    close: () => wss.close(),
+    
+    // Helper to check if token is verified
+    isVerified: (token) => {
+      const session = verifiedTokens.get(token);
+      return session && Date.now() < session.expiresAt;
+    },
+    
+    // Get verified session info
+    getSession: (token) => verifiedTokens.get(token)
   };
 }
 
 function send(ws, data) {
-  if (ws.readyState === 1) { // OPEN
+  if (ws.readyState === 1) {
     ws.send(JSON.stringify(data));
   }
 }
 
-function sendError(ws, message, code = 'ERROR') {
-  send(ws, { type: 'error', code, message });
+function cleanup(session) {
+  clearTimeout(session.timer);
+  clearTimeout(session.connTimer);
 }
 
 function handleMessage(session, msg, options) {
-  const { ws, currentChallenge, challenges, validators, answers, timings } = session;
-  const { onVerified, onFailed, timePerChallengeMs } = options;
+  const { ws, current, challenges, answers, timings } = session;
+  const { challengeCount, timePerChallengeMs, onVerified, onFailed, verifiedTokens } = options;
 
   switch (msg.type) {
     case 'ready':
-      // Client ready to start, optionally provides identity
-      if (currentChallenge !== 0) {
-        sendError(ws, 'Already started');
+      if (current !== 0) {
+        send(ws, { type: 'error', code: 'ALREADY_STARTED', message: 'Already started' });
         return;
       }
-      
-      session.publicKey = msg.publicKey || null;
-      session.publicId = msg.publicId || null;
-      
-      // Send first challenge
+      session.publicId = msg.publicId || 'anon-' + randomBytes(4).toString('hex');
       sendNextChallenge(session, timePerChallengeMs);
       break;
-      
+
     case 'answer':
-      // Client submitting answer
-      if (session.challengeStartTime === null) {
-        sendError(ws, 'No active challenge');
+      if (session.challengeStart === null) {
+        send(ws, { type: 'error', code: 'NO_CHALLENGE', message: 'No active challenge' });
         return;
       }
-      
-      const responseTime = Date.now() - session.challengeStartTime;
-      clearTimeout(session.timeout);
-      
-      // Check if too slow
-      if (responseTime > timePerChallengeMs) {
-        send(ws, {
-          type: 'timeout',
-          challengeId: currentChallenge,
-          responseTimeMs: responseTime,
-          limit: timePerChallengeMs
-        });
-        finishSession(session, false, 'Too slow on challenge ' + currentChallenge, { onVerified, onFailed });
+
+      clearTimeout(session.timer);
+      const elapsed = Date.now() - session.challengeStart;
+
+      // Too slow?
+      if (elapsed > timePerChallengeMs) {
+        finishSession(session, false, `Too slow on challenge #${current}: ${elapsed}ms > ${timePerChallengeMs}ms`, options);
         return;
       }
-      
-      // Record answer and timing
+
+      // Record answer
       answers.push(msg.answer);
-      timings.push(responseTime);
-      
-      // Validate immediately
-      const valid = validators[currentChallenge](msg.answer);
-      
-      send(ws, {
-        type: 'ack',
-        challengeId: currentChallenge,
-        responseTimeMs: responseTime,
-        valid  // Real-time feedback
-      });
-      
-      session.currentChallenge++;
-      
+      timings.push(elapsed);
+
+      // Validate
+      const valid = challenges[current].validate(msg.answer);
+      send(ws, { type: 'ack', id: current, valid, responseMs: elapsed });
+
+      session.current++;
+
       // More challenges?
-      if (session.currentChallenge < challenges.length) {
-        // Small delay then next challenge
-        setTimeout(() => sendNextChallenge(session, timePerChallengeMs), 100);
+      if (session.current < challengeCount) {
+        setTimeout(() => sendNextChallenge(session, timePerChallengeMs), 50);
       } else {
-        // All done - calculate result
-        const passed = answers.filter((_, i) => validators[i](answers[i])).length;
-        const allPassed = passed === challenges.length;
-        const totalTime = Date.now() - session.startTime;
-        
-        finishSession(session, allPassed, allPassed ? 'Verified' : `Failed: ${passed}/${challenges.length}`, {
-          onVerified,
-          onFailed,
-          passed,
-          total: challenges.length,
-          timings,
-          totalTime
-        });
+        // Calculate final result
+        const passed = answers.filter((a, i) => challenges[i].validate(a)).length;
+        const success = passed === challengeCount;
+        finishSession(session, success, success ? 'All challenges passed' : `Failed: ${passed}/${challengeCount}`, options, passed);
       }
       break;
-      
+
     default:
-      sendError(ws, 'Unknown message type: ' + msg.type);
+      send(ws, { type: 'error', code: 'UNKNOWN_TYPE', message: 'Unknown message type' });
   }
 }
 
 function sendNextChallenge(session, timePerChallengeMs) {
-  const { ws, currentChallenge, challenges } = session;
-  const challenge = challenges[currentChallenge];
-  
-  session.challengeStartTime = Date.now();
-  
+  const { ws, current, challenges } = session;
+  const challenge = challenges[current];
+
+  session.challengeStart = Date.now();
+
   send(ws, {
     type: 'challenge',
-    id: currentChallenge,
+    id: current,
     total: challenges.length,
-    challenge: challenge.challenge_string,
+    challenge: challenge.challenge,
     timeLimit: timePerChallengeMs
   });
-  
+
   // Timeout for this challenge
-  session.timeout = setTimeout(() => {
-    send(ws, {
-      type: 'timeout',
-      challengeId: currentChallenge,
-      message: 'Time expired'
-    });
-    finishSession(session, false, 'Timeout on challenge ' + currentChallenge, {});
-  }, timePerChallengeMs + 100); // Small grace period for network
+  session.timer = setTimeout(() => {
+    send(ws, { type: 'timeout', id: current, message: 'Time expired' });
+    finishSession(session, false, `Timeout on challenge #${current}`, {});
+  }, timePerChallengeMs + 100);
 }
 
-function finishSession(session, success, message, options) {
-  const { ws, nonce, publicId, startTime } = session;
-  const { onVerified, onFailed, passed, total, timings, totalTime } = options;
-  
-  clearTimeout(session.timeout);
-  clearTimeout(session.connectionTimeout);
-  
+function finishSession(session, success, message, options, passed) {
+  const { ws, nonce, publicId, startTime, timings } = session;
+  const { onVerified, onFailed, verifiedTokens } = options;
+
+  cleanup(session);
+
+  const totalTime = Date.now() - startTime;
   const result = {
     type: 'result',
     verified: success,
+    message,
     nonce,
     publicId,
-    message,
     passed,
-    total,
+    total: session.challenges.length,
     timings,
-    totalTimeMs: totalTime || (Date.now() - startTime),
-    avgResponseMs: timings?.length ? Math.round(timings.reduce((a, b) => a + b, 0) / timings.length) : null
+    totalTimeMs: totalTime,
+    avgResponseMs: timings.length ? Math.round(timings.reduce((a, b) => a + b, 0) / timings.length) : null
   };
-  
+
   if (success) {
     result.role = 'AI_AGENT';
     result.sessionToken = randomBytes(32).toString('hex');
+    
+    // Store verified session
+    if (verifiedTokens) {
+      verifiedTokens.set(result.sessionToken, {
+        publicId,
+        nonce,
+        verifiedAt: Date.now(),
+        expiresAt: Date.now() + 3600000, // 1 hour
+        totalTimeMs: totalTime,
+        avgResponseMs: result.avgResponseMs
+      });
+    }
+
     if (onVerified) onVerified(result, session);
   } else {
     if (onFailed) onFailed(result, session);
   }
-  
+
   send(ws, result);
-  
-  // Close after sending result
-  setTimeout(() => ws.close(), 500);
+  setTimeout(() => ws.close(), 300);
 }
 
-export default { createAAPWebSocket };
+export default { createAAPWebSocket, PROTOCOL_VERSION, CHALLENGE_COUNT, TIME_PER_CHALLENGE_MS };

package/errors.js

@@ -1,134 +0,0 @@
-/**
- * AAP Server - Error Definitions
- * 
- * Consistent, client-friendly error messages
- */
-
-export const ErrorCodes = {
-  // Challenge errors
-  CHALLENGE_NOT_FOUND: 'CHALLENGE_NOT_FOUND',
-  CHALLENGE_EXPIRED: 'CHALLENGE_EXPIRED',
-  CHALLENGE_ALREADY_USED: 'CHALLENGE_ALREADY_USED',
-  
-  // Solution errors
-  MISSING_SOLUTIONS: 'MISSING_SOLUTIONS',
-  INVALID_SOLUTIONS_COUNT: 'INVALID_SOLUTIONS_COUNT',
-  SOLUTION_VALIDATION_FAILED: 'SOLUTION_VALIDATION_FAILED',
-  
-  // Timing errors
-  RESPONSE_TOO_SLOW: 'RESPONSE_TOO_SLOW',
-  
-  // Signature errors
-  INVALID_SIGNATURE: 'INVALID_SIGNATURE',
-  MISSING_SIGNATURE: 'MISSING_SIGNATURE',
-  INVALID_PUBLIC_KEY: 'INVALID_PUBLIC_KEY',
-  
-  // General errors
-  INVALID_REQUEST: 'INVALID_REQUEST',
-  INTERNAL_ERROR: 'INTERNAL_ERROR',
-  RATE_LIMITED: 'RATE_LIMITED'
-};
-
-export const ErrorMessages = {
-  [ErrorCodes.CHALLENGE_NOT_FOUND]: {
-    message: 'Challenge not found',
-    hint: 'Request a new challenge via POST /challenge',
-    status: 400
-  },
-  [ErrorCodes.CHALLENGE_EXPIRED]: {
-    message: 'Challenge has expired',
-    hint: 'Challenges expire after 60 seconds. Request a new one.',
-    status: 400
-  },
-  [ErrorCodes.CHALLENGE_ALREADY_USED]: {
-    message: 'Challenge already used',
-    hint: 'Each challenge can only be used once. Request a new one.',
-    status: 400
-  },
-  [ErrorCodes.MISSING_SOLUTIONS]: {
-    message: 'Missing solutions array',
-    hint: 'Include "solutions" array in request body',
-    status: 400
-  },
-  [ErrorCodes.INVALID_SOLUTIONS_COUNT]: {
-    message: 'Invalid number of solutions',
-    hint: 'Provide exactly 3 solutions for batch challenges',
-    status: 400
-  },
-  [ErrorCodes.SOLUTION_VALIDATION_FAILED]: {
-    message: 'Solution validation failed (Proof of Intelligence)',
-    hint: 'One or more solutions are incorrect. Ensure your LLM correctly solves each challenge.',
-    status: 400
-  },
-  [ErrorCodes.RESPONSE_TOO_SLOW]: {
-    message: 'Response too slow (Proof of Liveness failed)',
-    hint: 'Response must arrive within 12 seconds for batch challenges',
-    status: 400
-  },
-  [ErrorCodes.INVALID_SIGNATURE]: {
-    message: 'Invalid signature (Proof of Identity failed)',
-    hint: 'Ensure you sign the correct data with your private key',
-    status: 400
-  },
-  [ErrorCodes.MISSING_SIGNATURE]: {
-    message: 'Missing signature',
-    hint: 'Include "signature" field with Base64-encoded ECDSA signature',
-    status: 400
-  },
-  [ErrorCodes.INVALID_PUBLIC_KEY]: {
-    message: 'Invalid public key',
-    hint: 'Public key must be PEM-encoded secp256k1 key',
-    status: 400
-  },
-  [ErrorCodes.INVALID_REQUEST]: {
-    message: 'Invalid request format',
-    hint: 'Check the API documentation for required fields',
-    status: 400
-  },
-  [ErrorCodes.INTERNAL_ERROR]: {
-    message: 'Internal server error',
-    hint: 'Please try again later',
-    status: 500
-  },
-  [ErrorCodes.RATE_LIMITED]: {
-    message: 'Too many requests',
-    hint: 'Please wait before making more requests',
-    status: 429
-  }
-};
-
-/**
- * Create an error response
- * @param {string} code - Error code from ErrorCodes
- * @param {Object} [extra] - Additional fields to include
- * @returns {Object} Error response object
- */
-export function createError(code, extra = {}) {
-  const errorDef = ErrorMessages[code] || ErrorMessages[ErrorCodes.INTERNAL_ERROR];
-  
-  return {
-    verified: false,
-    error: errorDef.message,
-    code,
-    hint: errorDef.hint,
-    ...extra
-  };
-}
-
-/**
- * Create error response with HTTP status
- * @param {string} code - Error code
- * @param {Object} res - Express response object
- * @param {Object} [extra] - Additional fields
- */
-export function sendError(code, res, extra = {}) {
-  const errorDef = ErrorMessages[code] || ErrorMessages[ErrorCodes.INTERNAL_ERROR];
-  res.status(errorDef.status).json(createError(code, extra));
-}
-
-export default {
-  ErrorCodes,
-  ErrorMessages,
-  createError,
-  sendError
-};

package/middleware.js

@@ -1,420 +0,0 @@
-/**
- * @aap/server - Express Middleware
- * 
- * Drop-in middleware for adding AAP verification to Express apps.
- */
-
-import { verify, generateNonce, createProofData } from 'aap-agent-core';
-import { 
-  generate as generateChallenge, 
-  generateBatch,
-  validateBatch,
-  getTypes, 
-  validate as validateSolution, 
-  BATCH_SIZE,
-  MAX_RESPONSE_TIME_MS, 
-  CHALLENGE_EXPIRY_MS 
-} from './challenges.js';
-import * as logger from './logger.js';
-import { ErrorCodes, sendError } from './errors.js';
-
-/**
- * Create AAP verification middleware/router
- * 
- * @param {Object} [options]
- * @param {number} [options.challengeExpiryMs=60000] - Challenge expiration time
- * @param {number} [options.maxResponseTimeMs=8000] - Max response time for batch
- * @param {number} [options.batchSize=5] - Number of challenges per batch
- * @param {number} [options.minPassCount] - Minimum challenges to pass (default: all)
- * @param {Function} [options.onVerified] - Callback when agent is verified
- * @param {Function} [options.onFailed] - Callback when verification fails
- * @returns {Function} Express router
- */
-export function aapMiddleware(options = {}) {
-  const {
-    challengeExpiryMs = CHALLENGE_EXPIRY_MS,
-    maxResponseTimeMs = MAX_RESPONSE_TIME_MS,
-    batchSize = BATCH_SIZE,
-    minPassCount = null,  // null = all must pass
-    onVerified,
-    onFailed
-  } = options;
-
-  // In-memory challenge store with size limit (DoS protection)
-  const MAX_CHALLENGES = 10000;
-  const challenges = new Map();
-
-  // Cleanup expired challenges periodically
-  const cleanup = () => {
-    const now = Date.now();
-    for (const [nonce, challenge] of challenges.entries()) {
-      if (now > challenge.expiresAt) {
-        challenges.delete(nonce);
-      }
-    }
-    
-    // Emergency cleanup if still too many (keep newest)
-    if (challenges.size > MAX_CHALLENGES) {
-      const entries = [...challenges.entries()]
-        .sort((a, b) => b[1].timestamp - a[1].timestamp)
-        .slice(0, MAX_CHALLENGES / 2);
-      challenges.clear();
-      entries.forEach(([k, v]) => challenges.set(k, v));
-    }
-  };
-
-  // Return a function that creates routes
-  return (router) => {
-    /**
-     * GET /health - Health check
-     */
-    router.get('/health', (req, res) => {
-      res.json({
-        status: 'ok',
-        protocol: 'AAP',
-        version: '2.0.0',
-        mode: 'batch',
-        batchSize,
-        maxResponseTimeMs,
-        challengeTypes: getTypes(),
-        activeChallenges: challenges.size
-      });
-    });
-
-    /**
-     * POST /challenge - Request a batch of challenges
-     */
-    router.post('/challenge', (req, res) => {
-      cleanup();
-
-      const nonce = generateNonce();
-      const timestamp = Date.now();
-      const { challenges: batchChallenges, validators, expected } = generateBatch(nonce, batchSize);
-
-      const challengeData = {
-        nonce,
-        challenges: batchChallenges,
-        batchSize,
-        timestamp,
-        expiresAt: timestamp + challengeExpiryMs,
-        maxResponseTimeMs
-      };
-
-      // Store with validators (not sent to client)
-      challenges.set(nonce, { 
-        ...challengeData, 
-        validators,
-        expected  // For debugging
-      });
-
-      // Send without validators
-      res.json({
-        nonce,
-        challenges: batchChallenges,
-        batchSize,
-        timestamp,
-        expiresAt: challengeData.expiresAt,
-        maxResponseTimeMs
-      });
-    });
-
-    /**
-     * POST /verify - Verify agent's batch solutions
-     */
-    router.post('/verify', (req, res) => {
-      const {
-        solutions,
-        signature,
-        publicKey,
-        publicId,
-        nonce,
-        timestamp,
-        responseTimeMs
-      } = req.body;
-
-      const checks = {
-        inputValid: false,
-        challengeExists: false,
-        notExpired: false,
-        solutionsExist: false,
-        solutionsValid: false,
-        responseTimeValid: false,
-        signatureValid: false
-      };
-
-      try {
-        // Check 0: Input validation (security)
-        if (!nonce || typeof nonce !== 'string' || nonce.length !== 32) {
-          return res.status(400).json({ verified: false, error: 'Invalid nonce format', checks });
-        }
-        if (!publicId || typeof publicId !== 'string' || publicId.length !== 20) {
-          return res.status(400).json({ verified: false, error: 'Invalid publicId format', checks });
-        }
-        if (!signature || typeof signature !== 'string' || signature.length < 50) {
-          return res.status(400).json({ verified: false, error: 'Invalid signature format', checks });
-        }
-        if (!publicKey || typeof publicKey !== 'string' || !publicKey.includes('BEGIN PUBLIC KEY')) {
-          return res.status(400).json({ verified: false, error: 'Invalid publicKey format', checks });
-        }
-        if (!timestamp || typeof timestamp !== 'number') {
-          return res.status(400).json({ verified: false, error: 'Invalid timestamp', checks });
-        }
-        if (!responseTimeMs || typeof responseTimeMs !== 'number' || responseTimeMs < 0) {
-          return res.status(400).json({ verified: false, error: 'Invalid responseTimeMs', checks });
-        }
-        checks.inputValid = true;
-
-        // Check 1: Challenge exists (check BEFORE delete for race condition fix)
-        const challenge = challenges.get(nonce);
-        if (!challenge) {
-          if (onFailed) onFailed({ error: 'Challenge not found', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: 'Challenge not found or already used',
-            checks
-          });
-        }
-        checks.challengeExists = true;
-
-        // Check 2: Not expired (check BEFORE delete - race condition fix)
-        if (Date.now() > challenge.expiresAt) {
-          challenges.delete(nonce);  // Clean up expired
-          if (onFailed) onFailed({ error: 'Challenge expired', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: 'Challenge expired',
-            checks
-          });
-        }
-        checks.notExpired = true;
-
-        // Remove challenge (one-time use) - only after expiry check
-        const { validators, batchSize: size } = challenge;
-        challenges.delete(nonce);
-
-        // Check 3: Solutions exist
-        if (!solutions || !Array.isArray(solutions) || solutions.length !== size) {
-          if (onFailed) onFailed({ error: 'Invalid solutions array', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: `Expected ${size} solutions, got ${solutions?.length || 0}`,
-            checks
-          });
-        }
-        checks.solutionsExist = true;
-
-        // Check 4: Validate all solutions (Proof of Intelligence)
-        const batchResult = validateBatch(validators, solutions);
-        const requiredPass = minPassCount || size;
-        
-        if (batchResult.passed < requiredPass) {
-          if (onFailed) onFailed({ error: 'Solutions validation failed', checks, batchResult }, req);
-          return res.status(400).json({
-            verified: false,
-            error: `Proof of Intelligence failed: ${batchResult.passed}/${size} correct (need ${requiredPass})`,
-            checks,
-            batchResult
-          });
-        }
-        checks.solutionsValid = true;
-
-        // Check 5: Response time (Proof of Liveness) - SERVER-SIDE validation
-        const serverResponseTime = Date.now() - challenge.timestamp;
-        const effectiveResponseTime = Math.max(responseTimeMs, serverResponseTime);
-        
-        if (effectiveResponseTime > maxResponseTimeMs) {
-          if (onFailed) onFailed({ error: 'Response too slow', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: `Response too slow: ${effectiveResponseTime}ms > ${maxResponseTimeMs}ms (Proof of Liveness failed)`,
-            checks,
-            timing: { client: responseTimeMs, server: serverResponseTime }
-          });
-        }
-        checks.responseTimeValid = true;
-
-        // Check 6: Signature (Proof of Identity)
-        // Sign over solutions array
-        const solutionsString = JSON.stringify(solutions);
-        const proofData = createProofData({ nonce, solution: solutionsString, publicId, timestamp });
-        if (!verify(proofData, signature, publicKey)) {
-          if (onFailed) onFailed({ error: 'Invalid signature', checks }, req);
-          return res.status(400).json({
-            verified: false,
-            error: 'Invalid signature (Proof of Identity failed)',
-            checks
-          });
-        }
-        checks.signatureValid = true;
-
-        // All checks passed
-        const result = {
-          verified: true,
-          role: 'AI_AGENT',
-          publicId,
-          batchResult,
-          responseTimeMs,
-          checks
-        };
-
-        if (onVerified) onVerified(result, req);
-
-        res.json(result);
-
-      } catch (error) {
-        if (onFailed) onFailed({ error: error.message, checks }, req);
-        res.status(500).json({
-          verified: false,
-          error: `Verification error: ${error.message}`,
-          checks
-        });
-      }
-    });
-
-    // ============== Legacy single-challenge endpoints ==============
-    
-    /**
-     * POST /challenge/single - Request a single challenge (legacy)
-     */
-    router.post('/challenge/single', (req, res) => {
-      cleanup();
-
-      const nonce = generateNonce();
-      const timestamp = Date.now();
-      const { type, challenge_string, validate } = generateChallenge(nonce);
-
-      const challenge = {
-        challenge_string,
-        nonce,
-        type,
-        difficulty: 1,
-        timestamp,
-        expiresAt: timestamp + challengeExpiryMs,
-        mode: 'single'
-      };
-
-      challenges.set(nonce, { ...challenge, validate });
-
-      res.json({
-        challenge_string,
-        nonce,
-        type,
-        difficulty: 1,
-        timestamp,
-        expiresAt: challenge.expiresAt,
-        mode: 'single',
-        maxResponseTimeMs: 10000  // 10s for single
-      });
-    });
-
-    /**
-     * POST /verify/single - Verify single challenge (legacy)
-     */
-    router.post('/verify/single', (req, res) => {
-      const {
-        solution,
-        signature,
-        publicKey,
-        publicId,
-        nonce,
-        timestamp,
-        responseTimeMs
-      } = req.body;
-
-      const checks = {
-        challengeExists: false,
-        notExpired: false,
-        solutionExists: false,
-        solutionValid: false,
-        responseTimeValid: false,
-        signatureValid: false
-      };
-
-      try {
-        const challenge = challenges.get(nonce);
-        if (!challenge || challenge.mode !== 'single') {
-          return res.status(400).json({
-            verified: false,
-            error: 'Single challenge not found',
-            checks
-          });
-        }
-        checks.challengeExists = true;
-
-        const { validate, type: challengeType } = challenge;
-        challenges.delete(nonce);
-
-        if (Date.now() > challenge.expiresAt) {
-          return res.status(400).json({ verified: false, error: 'Challenge expired', checks });
-        }
-        checks.notExpired = true;
-
-        if (!solution) {
-          return res.status(400).json({ verified: false, error: 'Missing solution', checks });
-        }
-        checks.solutionExists = true;
-
-        if (!validate(solution)) {
-          return res.status(400).json({ verified: false, error: 'Invalid solution', checks });
-        }
-        checks.solutionValid = true;
-
-        if (responseTimeMs > 10000) {
-          return res.status(400).json({ verified: false, error: 'Too slow', checks });
-        }
-        checks.responseTimeValid = true;
-
-        const proofData = createProofData({ nonce, solution, publicId, timestamp });
-        if (!verify(proofData, signature, publicKey)) {
-          return res.status(400).json({ verified: false, error: 'Invalid signature', checks });
-        }
-        checks.signatureValid = true;
-
-        res.json({
-          verified: true,
-          role: 'AI_AGENT',
-          publicId,
-          challengeType,
-          checks
-        });
-
-      } catch (error) {
-        res.status(500).json({ verified: false, error: error.message, checks });
-      }
-    });
-
-    return router;
-  };
-}
-
-/**
- * Create a standalone AAP router for Express
- * 
- * @param {Object} [options] - Middleware options
- * @returns {Router} Express router
- * 
- * @example
- * import express from 'express';
- * import { createRouter } from '@aap/server';
- * 
- * const app = express();
- * app.use('/aap/v1', createRouter());
- */
-export async function createRouter(options = {}) {
-  // Dynamic import for optional express dependency
-  let express;
-  try {
-    express = (await import('express')).default;
-  } catch {
-    throw new Error('express is required for createRouter. Install with: npm install express');
-  }
-  const router = express.Router();
-  router.use(express.json());
-  
-  const middleware = aapMiddleware(options);
-  middleware(router);
-  
-  return router;
-}
-
-export default { aapMiddleware, createRouter };

package/ratelimit.js

@@ -1,117 +0,0 @@
-/**
- * AAP Rate Limiter
- * 
- * Simple in-memory rate limiting (no external dependencies)
- */
-
-/**
- * Create a rate limiter
- * @param {Object} options
- * @param {number} [options.windowMs=60000] - Time window in ms
- * @param {number} [options.max=10] - Max requests per window
- * @param {string} [options.message] - Error message
- * @returns {Function} Express middleware
- */
-export function createRateLimiter(options = {}) {
-  const {
-    windowMs = 60000,
-    max = 10,
-    message = 'Too many requests, please try again later'
-  } = options;
-
-  const requests = new Map();
-
-  // Cleanup old entries periodically
-  setInterval(() => {
-    const now = Date.now();
-    for (const [key, data] of requests.entries()) {
-      if (now - data.firstRequest > windowMs) {
-        requests.delete(key);
-      }
-    }
-  }, windowMs);
-
-  return (req, res, next) => {
-    const key = req.ip || req.connection.remoteAddress || 'unknown';
-    const now = Date.now();
-
-    let data = requests.get(key);
-
-    if (!data || now - data.firstRequest > windowMs) {
-      // New window
-      data = { count: 1, firstRequest: now };
-      requests.set(key, data);
-    } else {
-      data.count++;
-    }
-
-    // Set headers
-    const remaining = Math.max(0, max - data.count);
-    const resetTime = Math.ceil((data.firstRequest + windowMs) / 1000);
-    
-    res.setHeader('X-RateLimit-Limit', max);
-    res.setHeader('X-RateLimit-Remaining', remaining);
-    res.setHeader('X-RateLimit-Reset', resetTime);
-
-    if (data.count > max) {
-      res.setHeader('Retry-After', Math.ceil((data.firstRequest + windowMs - now) / 1000));
-      return res.status(429).json({
-        error: message,
-        retryAfter: Math.ceil((data.firstRequest + windowMs - now) / 1000)
-      });
-    }
-
-    next();
-  };
-}
-
-/**
- * Create rate limiter for failed attempts
- * Stricter limits after failures
- */
-export function createFailureLimiter(options = {}) {
-  const {
-    windowMs = 60000,
-    maxFailures = 5,
-    message = 'Too many failed attempts'
-  } = options;
-
-  const failures = new Map();
-
-  return {
-    middleware: (req, res, next) => {
-      const key = req.ip || req.connection.remoteAddress || 'unknown';
-      const data = failures.get(key);
-
-      if (data && data.count >= maxFailures && Date.now() - data.firstFailure < windowMs) {
-        return res.status(429).json({
-          error: message,
-          retryAfter: Math.ceil((data.firstFailure + windowMs - Date.now()) / 1000)
-        });
-      }
-
-      next();
-    },
-
-    recordFailure: (req) => {
-      const key = req.ip || req.connection.remoteAddress || 'unknown';
-      const now = Date.now();
-      let data = failures.get(key);
-
-      if (!data || now - data.firstFailure > windowMs) {
-        data = { count: 1, firstFailure: now };
-      } else {
-        data.count++;
-      }
-
-      failures.set(key, data);
-    },
-
-    clearFailures: (req) => {
-      const key = req.ip || req.connection.remoteAddress || 'unknown';
-      failures.delete(key);
-    }
-  };
-}
-
-export default { createRateLimiter, createFailureLimiter };