@agentix-security/nextjs 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,123 @@
+import { NextRequest, NextFetchEvent, NextResponse } from 'next/server.js';
+
+interface LicenseLease {
+    tenant_id: string;
+    deployment_id: string;
+    customer_id: string;
+    domains: string[];
+    features: string[];
+    policy_pack_version: string;
+    expires_at: string;
+    issued_at: string;
+    watermark: string;
+    signature: string;
+}
+
+interface AgentixRequest {
+    method: string;
+    path: string;
+    headers: Record<string, string>;
+    ip: string;
+    body: unknown;
+    baseUrl: string;
+}
+type AgentixResult = {
+    type: 'passthrough';
+} | {
+    type: 'response';
+    status: number;
+    headers?: Record<string, string>;
+    body: unknown;
+};
+interface EngineOptions {
+    tenantId: string;
+    deploymentId: string;
+    domain: string;
+    tokenSecret: string;
+    tokenTtlMs: number;
+    checkoutTokenTtlMs: number;
+    declareLimit: number;
+    declareWindowMs: number;
+    controlPlaneUrl: string;
+    controlPlaneAdminKey?: string;
+    getLease: () => LicenseLease | null;
+    getRegisteredIntents?: () => ReadonlyMap<string, 'enforce' | 'shadow'>;
+    devMode?: boolean;
+}
+declare class Engine {
+    private readonly opts;
+    private readonly declareLimiter;
+    constructor(opts: EngineOptions);
+    handle(req: AgentixRequest): Promise<AgentixResult>;
+    private handleDiscovery;
+    private handleDeclareIntent;
+    private fingerprint;
+    private audit;
+}
+
+interface AgentixSDKConfig {
+    licenseKey: string;
+    /** Defaults to https://agentix-control-plane.onrender.com */
+    controlPlaneUrl?: string;
+    deploymentId?: string;
+    /** For local dev only — bypasses license enforcement. */
+    devMode?: boolean;
+    tokenTtlMs?: number;
+    checkoutTokenTtlMs?: number;
+    declareLimit?: number;
+    declareWindowMs?: number;
+    controlPlaneAdminKey?: string;
+}
+
+declare class AgentixSDK {
+    readonly config: AgentixSDKConfig;
+    private lease;
+    private engine;
+    private initPromise;
+    private readonly intentRegistry;
+    private _tenantId;
+    private _domain;
+    private _tokenSecret;
+    private _deploymentId;
+    private _proxyUrl;
+    constructor(config: AgentixSDKConfig);
+    ensureInitialized(): Promise<void>;
+    initialize(): Promise<void>;
+    private _init;
+    getEngine(): Engine;
+    registerIntent(intent: string, mode?: 'enforce' | 'shadow'): void;
+    getIntentRegistry(): ReadonlyMap<string, 'enforce' | 'shadow'>;
+    getResolvedDomain(): string;
+    getResolvedTenantId(): string;
+    getResolvedTokenSecret(): string;
+    getDeploymentId(): string;
+    getProxyUrl(): string;
+    getLease(): LicenseLease | null;
+}
+
+type NextMiddleware = (req: NextRequest, event: NextFetchEvent) => Promise<NextResponse>;
+declare function agentixMiddleware(sdk: AgentixSDK): NextMiddleware;
+/**
+ * Per-route annotation for Next.js App Router — wraps a route handler with intent enforcement.
+ * The middleware only needs to handle discovery + token issuance; enforcement is per-handler.
+ *
+ * @example
+ * // /app/api/jobs/route.ts
+ * import { secure } from '@agentix/nextjs'
+ * export const GET = secure(sdk, 'browse_jobs', async (req) => NextResponse.json(jobs))
+ * export const POST = secure(sdk, 'submit_application', handler, { mode: 'enforce' })
+ */
+declare function secure(sdk: AgentixSDK, intent: string, handler: (req: NextRequest, ctx?: unknown) => Promise<Response> | Response, opts?: {
+    mode?: 'enforce' | 'shadow';
+}): (req: NextRequest, ctx?: unknown) => Promise<Response>;
+interface PagesRes {
+    status(code: number): PagesRes;
+    json(body: unknown): void;
+}
+interface PagesReq {
+    method?: string;
+    headers: Record<string, string | string[] | undefined>;
+}
+declare function withAgentix(sdk: AgentixSDK, intent: string, mode?: 'enforce' | 'shadow'): (handler: (req: PagesReq, res: PagesRes) => Promise<void> | void) => (req: PagesReq, res: PagesRes) => Promise<void>;
+
+export { AgentixSDK, type AgentixSDKConfig, agentixMiddleware, secure, withAgentix };

package/dist/index.js

@@ -0,0 +1,565 @@
+import { NextResponse } from 'next/server.js';
+import { createHmac, randomUUID, createHash } from 'crypto';
+
+// src/index.ts
+
+// ../core/src/policy.ts
+function isValidIntent(intent, validIntents) {
+  if (!intent || typeof intent !== "string") return false;
+  if (validIntents) return validIntents.includes(intent);
+  return /^[a-z][a-z0-9_]{1,63}$/.test(intent);
+}
+function licenseActive(lease, now = Date.now()) {
+  if (!lease) return false;
+  return Date.parse(lease.expires_at) > now;
+}
+function decision(partial) {
+  return {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    ...partial
+  };
+}
+function deriveTokenSecret(licenseKey) {
+  return createHmac("sha256", licenseKey).update("agentix-v1-token-secret").digest("hex");
+}
+function b64url(value) {
+  return Buffer.from(value).toString("base64url");
+}
+function sign(secret, data) {
+  return createHmac("sha256", secret).update(data).digest("base64url");
+}
+function issueToken(secret, payload) {
+  const header = b64url(JSON.stringify({ alg: "HS256", typ: "AGX" }));
+  const body = b64url(JSON.stringify({ jti: `tok_${randomUUID()}`, ...payload }));
+  const sig = sign(secret, `${header}.${body}`);
+  return `${header}.${body}.${sig}`;
+}
+function tokenId(raw) {
+  const parts = raw.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
+    return payload.jti;
+  } catch {
+    return null;
+  }
+}
+
+// ../sdk/src/rate-limit.ts
+var RateLimiter = class {
+  constructor(limit, windowMs) {
+    this.limit = limit;
+    this.windowMs = windowMs;
+  }
+  limit;
+  windowMs;
+  buckets = /* @__PURE__ */ new Map();
+  consume(key) {
+    const now = Date.now();
+    const bucket = this.buckets.get(key);
+    if (!bucket || now - bucket.windowStart > this.windowMs) {
+      this.buckets.set(key, { windowStart: now, count: 1 });
+      return true;
+    }
+    bucket.count += 1;
+    this.buckets.set(key, bucket);
+    return bucket.count <= this.limit;
+  }
+};
+
+// ../sdk/src/engine.ts
+function fingerprint(ip, userAgent, acceptLanguage) {
+  return createHash("sha256").update([ip, userAgent, acceptLanguage].join("|")).digest("hex");
+}
+async function shipAudit(controlPlaneUrl, adminKey, row) {
+  if (!adminKey) return;
+  try {
+    await fetch(`${controlPlaneUrl.replace(/\/$/, "")}/v1/audit/decisions`, {
+      method: "POST",
+      headers: { authorization: `Bearer ${adminKey}`, "content-type": "application/json" },
+      body: JSON.stringify(row)
+    });
+  } catch {
+  }
+}
+var Engine = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.declareLimiter = new RateLimiter(opts.declareLimit, opts.declareWindowMs);
+  }
+  opts;
+  declareLimiter;
+  async handle(req) {
+    const { method, path } = req;
+    if (method === "GET" && path === "/.well-known/ai-agent.json") {
+      return this.handleDiscovery(req);
+    }
+    if (method === "POST" && path === "/agent/v1/declare_intent") {
+      return this.handleDeclareIntent(req);
+    }
+    return { type: "passthrough" };
+  }
+  handleDiscovery(req) {
+    const lease = this.opts.getLease();
+    const allIntents = this.opts.getRegisteredIntents ? [...this.opts.getRegisteredIntents().keys()] : [];
+    const body = {
+      service: "agentix-intent-sdk",
+      version: "0.2.0",
+      tenant_id: this.opts.tenantId,
+      deployment_id: this.opts.deploymentId,
+      discovery: {
+        well_known: `${req.baseUrl}/.well-known/ai-agent.json`,
+        token_endpoint: `${req.baseUrl}/agent/v1/declare_intent`
+      },
+      license: {
+        active: licenseActive(lease),
+        expires_at: lease?.expires_at ?? null,
+        policy_pack_version: lease?.policy_pack_version ?? null
+      },
+      intents: allIntents
+    };
+    void this.audit(req, "/.well-known/ai-agent.json", 200, {
+      trustMode: "unknown",
+      intentScope: "none",
+      tokenId: null,
+      decisionValue: "allow",
+      decisionReason: "agent_discovery_served",
+      policyId: "agent-discovery"
+    });
+    return {
+      type: "response",
+      status: 200,
+      headers: { "cache-control": "no-store", "content-type": "application/json" },
+      body
+    };
+  }
+  async handleDeclareIntent(req) {
+    const lease = this.opts.getLease();
+    const leaseOk = licenseActive(lease) || this.opts.devMode === true;
+    if (!leaseOk) {
+      void this.audit(req, "/agent/v1/declare_intent", 403, {
+        trustMode: "unmanaged_automation",
+        intentScope: "none",
+        tokenId: null,
+        decisionValue: "deny",
+        decisionReason: "license_expired_agent_endpoint_disabled",
+        policyId: "license-lease"
+      });
+      return { type: "response", status: 403, body: { error: "license_not_active" } };
+    }
+    const fp = this.fingerprint(req);
+    if (!this.declareLimiter.consume(fp)) {
+      void this.audit(req, "/agent/v1/declare_intent", 429, {
+        trustMode: "unmanaged_automation",
+        intentScope: "none",
+        tokenId: null,
+        decisionValue: "throttle",
+        decisionReason: "declare_intent_rate_limited",
+        policyId: "declare-intent-rate-limit"
+      });
+      return { type: "response", status: 429, body: { error: "declare_intent_rate_limited" } };
+    }
+    const registeredIntents = this.opts.getRegisteredIntents ? [...this.opts.getRegisteredIntents().keys()] : [];
+    const body = req.body ?? {};
+    if (!body.intent || !isValidIntent(body.intent, registeredIntents)) {
+      void this.audit(req, "/agent/v1/declare_intent", 400, {
+        trustMode: "unmanaged_automation",
+        intentScope: "none",
+        tokenId: null,
+        decisionValue: "deny",
+        decisionReason: "invalid_intent",
+        policyId: "intent-validation",
+        metadata: { supplied_intent: body.intent ?? null }
+      });
+      return { type: "response", status: 400, body: { error: "invalid_intent" } };
+    }
+    const intent = body.intent;
+    const ttl = intent === "checkout_intent" ? this.opts.checkoutTokenTtlMs : this.opts.tokenTtlMs;
+    const iat = Math.floor(Date.now() / 1e3);
+    const exp = iat + Math.floor(ttl / 1e3);
+    const binding = this.fingerprint(req);
+    const raw = issueToken(this.opts.tokenSecret, { intent, domain: this.opts.domain, binding, iat, exp });
+    const jti = tokenId(raw);
+    void this.audit(req, "/agent/v1/declare_intent", 200, {
+      trustMode: "managed_agent",
+      intentScope: intent,
+      tokenId: jti,
+      decisionValue: "allow",
+      decisionReason: "intent_token_issued",
+      policyId: "intent-token-issuer",
+      metadata: { subject: body.subject ?? null, constraints: body.constraints ?? null }
+    });
+    return {
+      type: "response",
+      status: 200,
+      body: { access_token: raw, token_type: "Bearer", token_id: jti, intent, expires_in: exp - iat }
+    };
+  }
+  fingerprint(req) {
+    return fingerprint(
+      req.ip,
+      req.headers["user-agent"] ?? req.headers["User-Agent"] ?? "unknown",
+      req.headers["accept-language"] ?? req.headers["Accept-Language"] ?? ""
+    );
+  }
+  async audit(req, route, statusCode, input) {
+    const row = decision({
+      tenant_id: this.opts.tenantId,
+      deployment_id: this.opts.deploymentId,
+      domain: this.opts.domain,
+      route,
+      method: req.method,
+      client_fingerprint_hash: this.fingerprint(req),
+      trust_mode: input.trustMode,
+      intent_scope: input.intentScope,
+      token_id: input.tokenId,
+      decision: input.decisionValue,
+      decision_reason: input.decisionReason,
+      policy_id: input.policyId,
+      status_code: statusCode,
+      metadata: input.metadata ?? {}
+    });
+    void shipAudit(this.opts.controlPlaneUrl, this.opts.controlPlaneAdminKey, row);
+  }
+};
+
+// ../sdk/src/index.ts
+var DEFAULT_CONTROL_PLANE = "https://agentix-control-plane.onrender.com";
+var AgentixSDK = class {
+  constructor(config) {
+    this.config = config;
+  }
+  config;
+  lease = null;
+  engine = null;
+  initPromise = null;
+  intentRegistry = /* @__PURE__ */ new Map();
+  // Resolved at init from the server:
+  _tenantId = "";
+  _domain = "";
+  _tokenSecret = "";
+  _deploymentId = "";
+  _proxyUrl = "";
+  async ensureInitialized() {
+    if (!this.initPromise) this.initPromise = this._init();
+    return this.initPromise;
+  }
+  async initialize() {
+    return this.ensureInitialized();
+  }
+  async _init() {
+    const cp = (this.config.controlPlaneUrl ?? DEFAULT_CONTROL_PLANE).replace(/\/$/, "");
+    try {
+      const res = await fetch(`${cp}/v1/deployments/register`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({
+          license_key: this.config.licenseKey,
+          deployment_id: this.config.deploymentId
+        })
+      });
+      if (res.ok) {
+        const body = await res.json();
+        this._deploymentId = body.deployment_id;
+        this._tenantId = body.tenant_id;
+        this._domain = body.domain;
+        this._tokenSecret = body.token_secret;
+        this._proxyUrl = body.proxy_url;
+      } else {
+        console.warn(`[agentix] Registration failed (${res.status}) \u2014 operating in degraded mode`);
+        this._tokenSecret = deriveTokenSecret(this.config.licenseKey);
+        this._domain = "localhost";
+        this._deploymentId = this.config.deploymentId ?? "unknown";
+        this._proxyUrl = cp;
+      }
+    } catch (err) {
+      console.warn("[agentix] Registration error (control plane unreachable) \u2014 operating in degraded mode:", err.message);
+      this._tokenSecret = deriveTokenSecret(this.config.licenseKey);
+      this._domain = "localhost";
+      this._deploymentId = this.config.deploymentId ?? "unknown";
+      this._proxyUrl = cp;
+    }
+    this.engine = new Engine({
+      tenantId: this._tenantId,
+      deploymentId: this._deploymentId,
+      domain: this._domain,
+      tokenSecret: this._tokenSecret,
+      tokenTtlMs: this.config.tokenTtlMs ?? 15 * 60 * 1e3,
+      checkoutTokenTtlMs: this.config.checkoutTokenTtlMs ?? 5 * 60 * 1e3,
+      declareLimit: this.config.declareLimit ?? 8,
+      declareWindowMs: this.config.declareWindowMs ?? 6e4,
+      controlPlaneUrl: cp,
+      controlPlaneAdminKey: this.config.controlPlaneAdminKey,
+      getLease: () => this.lease,
+      getRegisteredIntents: () => this.intentRegistry,
+      devMode: this.config.devMode
+    });
+  }
+  getEngine() {
+    if (!this.engine) throw new Error("[agentix] SDK not initialized \u2014 await sdk.initialize() first");
+    return this.engine;
+  }
+  registerIntent(intent, mode = "enforce") {
+    this.intentRegistry.set(intent, mode);
+  }
+  getIntentRegistry() {
+    return this.intentRegistry;
+  }
+  getResolvedDomain() {
+    return this._domain;
+  }
+  getResolvedTenantId() {
+    return this._tenantId;
+  }
+  getResolvedTokenSecret() {
+    return this._tokenSecret;
+  }
+  getDeploymentId() {
+    return this._deploymentId;
+  }
+  getProxyUrl() {
+    return this._proxyUrl;
+  }
+  getLease() {
+    return this.lease;
+  }
+};
+
+// ../sdk/src/token-web.ts
+function b64url2(value) {
+  return btoa(value).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function encodePayload(value) {
+  return b64url2(JSON.stringify(value));
+}
+async function hmac(secret, data) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(data));
+  const bytes = Array.from(new Uint8Array(sig));
+  return b64url2(String.fromCharCode(...bytes));
+}
+async function issueTokenWeb(secret, payload) {
+  const jti = payload.jti ?? `tok_${crypto.randomUUID()}`;
+  const header = encodePayload({ alg: "HS256", typ: "AGX" });
+  const body = encodePayload({ jti, ...payload });
+  const sig = await hmac(secret, `${header}.${body}`);
+  return `${header}.${body}.${sig}`;
+}
+async function verifyTokenWeb(secret, raw) {
+  const parts = raw.split(".");
+  if (parts.length !== 3) return null;
+  const [header, body, sig] = parts;
+  const expected = await hmac(secret, `${header}.${body}`);
+  if (sig !== expected) return null;
+  try {
+    const decoded = atob(body.replace(/-/g, "+").replace(/_/g, "/"));
+    const payload = JSON.parse(decoded);
+    if (payload.exp <= Math.floor(Date.now() / 1e3)) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+function tokenIdWeb(raw) {
+  const parts = raw.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const decoded = atob(parts[1].replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(decoded).jti ?? null;
+  } catch {
+    return null;
+  }
+}
+
+// src/index.ts
+async function callProxy(proxyUrl, deploymentId, token, fingerprint3, intent, mode) {
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), 1500);
+  try {
+    const res = await fetch(`${proxyUrl}/v1/enforce`, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ deployment_id: deploymentId, token, fingerprint: fingerprint3, intent, mode }),
+      signal: controller.signal
+    });
+    clearTimeout(id);
+    if (res.ok) return await res.json();
+    return { decision: "allow", reason: "proxy_error" };
+  } catch {
+    clearTimeout(id);
+    return { decision: "allow", reason: "proxy_unreachable" };
+  }
+}
+function getIp(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? "unknown";
+}
+async function fingerprint2(req) {
+  const data = [getIp(req), req.headers.get("user-agent") ?? "unknown", req.headers.get("accept-language") ?? ""].join("|");
+  const buf = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(data));
+  return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function bearer(req) {
+  const auth = req.headers.get("authorization");
+  if (!auth?.startsWith("Bearer ")) return null;
+  return auth.slice("Bearer ".length).trim();
+}
+async function shipAudit2(url, key, row) {
+  if (!key) return;
+  try {
+    await fetch(`${url}/v1/audit/decisions`, {
+      method: "POST",
+      headers: { authorization: `Bearer ${key}`, "content-type": "application/json" },
+      body: JSON.stringify(row)
+    });
+  } catch {
+  }
+}
+function auditRow(sdk, req, route, status, fp, fields) {
+  return {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    tenant_id: sdk.getResolvedTenantId(),
+    deployment_id: sdk.config.deploymentId ?? "default",
+    domain: sdk.getResolvedDomain(),
+    route,
+    method: req.method,
+    client_fingerprint_hash: fp,
+    status_code: status,
+    metadata: {},
+    ...fields
+  };
+}
+function agentixMiddleware(sdk) {
+  return async (req) => {
+    await sdk.ensureInitialized();
+    const { pathname } = req.nextUrl;
+    const fp = await fingerprint2(req);
+    const baseUrl = req.nextUrl.origin;
+    const cp = (sdk.config.controlPlaneUrl ?? "https://agentix-control-plane.onrender.com").replace(/\/$/, "");
+    const adminKey = sdk.config.controlPlaneAdminKey;
+    const tokenSecret = sdk.getResolvedTokenSecret();
+    if (req.method === "GET" && pathname === "/.well-known/ai-agent.json") {
+      const allIntents = [...sdk.getIntentRegistry().keys()];
+      void shipAudit2(cp, adminKey, auditRow(sdk, req, pathname, 200, fp, {
+        trust_mode: "unknown",
+        intent_scope: "none",
+        token_id: null,
+        decision: "allow",
+        decision_reason: "agent_discovery_served",
+        policy_id: "agent-discovery"
+      }));
+      return NextResponse.json({
+        service: "agentix-intent-sdk",
+        version: "0.2.0",
+        tenant_id: sdk.getResolvedTenantId(),
+        deployment_id: sdk.getDeploymentId(),
+        discovery: { well_known: `${baseUrl}/.well-known/ai-agent.json`, token_endpoint: `${baseUrl}/agent/v1/declare_intent` },
+        intents: allIntents
+      }, { headers: { "cache-control": "no-store" } });
+    }
+    if (req.method === "POST" && pathname === "/agent/v1/declare_intent") {
+      let body = {};
+      try {
+        body = await req.json();
+      } catch {
+      }
+      const validIntents = [...sdk.getIntentRegistry().keys()];
+      if (!body.intent || !isValidIntent(body.intent, validIntents)) {
+        void shipAudit2(cp, adminKey, auditRow(sdk, req, pathname, 400, fp, {
+          trust_mode: "unmanaged_automation",
+          intent_scope: "none",
+          token_id: null,
+          decision: "deny",
+          decision_reason: "invalid_intent",
+          policy_id: "intent-validation",
+          metadata: { supplied_intent: body.intent ?? null }
+        }));
+        return NextResponse.json({ error: "invalid_intent", valid_intents: validIntents }, { status: 400 });
+      }
+      const intent = body.intent;
+      const ttl = sdk.config.tokenTtlMs ?? 15 * 60 * 1e3;
+      const iat = Math.floor(Date.now() / 1e3);
+      const exp = iat + Math.floor(ttl / 1e3);
+      const raw = await issueTokenWeb(tokenSecret, { intent, domain: sdk.getResolvedDomain(), binding: fp, iat, exp });
+      const jti = tokenIdWeb(raw);
+      void shipAudit2(cp, adminKey, auditRow(sdk, req, pathname, 200, fp, {
+        trust_mode: "managed_agent",
+        intent_scope: intent,
+        token_id: jti,
+        decision: "allow",
+        decision_reason: "intent_token_issued",
+        policy_id: "intent-token-issuer",
+        metadata: { subject: body.subject ?? null, constraints: body.constraints ?? null }
+      }));
+      return NextResponse.json({
+        access_token: raw,
+        token_type: "Bearer",
+        token_id: jti,
+        intent,
+        expires_in: exp - iat
+      });
+    }
+    return NextResponse.next();
+  };
+}
+function secure(sdk, intent, handler, opts = {}) {
+  const mode = opts.mode ?? "enforce";
+  sdk.registerIntent(intent, mode);
+  return async (req, ctx) => {
+    await sdk.ensureInitialized();
+    const fp = await fingerprint2(req);
+    const raw = bearer(req);
+    const baseUrl = req.nextUrl.origin;
+    if (!raw) {
+      return NextResponse.json(
+        { error: "missing_token", agent_discovery: `${baseUrl}/.well-known/ai-agent.json` },
+        { status: 401, headers: { "www-authenticate": 'Bearer realm="agentix", error="missing_token"' } }
+      );
+    }
+    const verdict = await callProxy(sdk.getProxyUrl(), sdk.getDeploymentId(), raw, fp, intent, mode);
+    if (verdict.decision === "allow") return handler(req, ctx);
+    const reason = verdict.reason ?? "denied";
+    if (reason === "missing_token" || reason === "invalid_token") {
+      return NextResponse.json({ error: reason, agent_discovery: `${baseUrl}/.well-known/ai-agent.json` }, { status: 401 });
+    }
+    if (reason === "out_of_scope") {
+      return NextResponse.json({ error: "out_of_scope", required_intent: verdict.required_intent ?? intent }, { status: 403 });
+    }
+    return NextResponse.json({ error: reason }, { status: 401 });
+  };
+}
+function withAgentix(sdk, intent, mode = "enforce") {
+  sdk.registerIntent(intent, mode);
+  return function(handler) {
+    return async (req, res) => {
+      await sdk.ensureInitialized();
+      const auth = req.headers["authorization"] ?? "";
+      const raw = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length).trim() : null;
+      if (!raw) {
+        res.status(401).json({ error: "missing_token" });
+        return;
+      }
+      const payload = await verifyTokenWeb(sdk.getResolvedTokenSecret(), raw);
+      if (!payload || payload.domain !== sdk.getResolvedDomain()) {
+        res.status(401).json({ error: "invalid_token" });
+        return;
+      }
+      if (payload.intent !== intent) {
+        if (mode === "shadow") {
+          await handler(req, res);
+          return;
+        }
+        res.status(403).json({ error: "out_of_scope", required_intent: intent });
+        return;
+      }
+      await handler(req, res);
+    };
+  };
+}
+
+export { AgentixSDK, agentixMiddleware, secure, withAgentix };