@kya-os/agentshield-nextjs 0.1.40 → 0.1.42

package/dist/index.mjs

@@ -1,379 +1,19 @@
+import { loadRulesSync, mapVerificationMethod } from '@kya-os/agentshield-shared';
 import { NextResponse } from 'next/server';
+import * as ed25519 from '@noble/ed25519';
+import { sha512 } from '@noble/hashes/sha2';
 
-// src/create-middleware.ts
-
-// src/signature-verifier.ts
-var KNOWN_KEYS = {
-  chatgpt: [
-    {
-      kid: "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
-      // ChatGPT's current Ed25519 public key (base64)
-      publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
-      validFrom: (/* @__PURE__ */ new Date("2025-01-01")).getTime() / 1e3,
-      validUntil: (/* @__PURE__ */ new Date("2025-04-11")).getTime() / 1e3
-    }
-  ]
-};
-function parseSignatureInput(signatureInput) {
-  try {
-    const match = signatureInput.match(/sig1=\((.*?)\);(.+)/);
-    if (!match) return null;
-    const [, headersList, params] = match;
-    const signedHeaders = headersList ? headersList.split(" ").map((h) => h.replace(/"/g, "").trim()).filter((h) => h.length > 0) : [];
-    const keyidMatch = params ? params.match(/keyid="([^"]+)"/) : null;
-    const createdMatch = params ? params.match(/created=(\d+)/) : null;
-    const expiresMatch = params ? params.match(/expires=(\d+)/) : null;
-    if (!keyidMatch || !keyidMatch[1]) return null;
-    return {
-      keyid: keyidMatch[1],
-      created: createdMatch && createdMatch[1] ? parseInt(createdMatch[1]) : void 0,
-      expires: expiresMatch && expiresMatch[1] ? parseInt(expiresMatch[1]) : void 0,
-      signedHeaders
-    };
-  } catch (error) {
-    console.error("[Signature] Failed to parse Signature-Input:", error);
-    return null;
-  }
-}
-function buildSignatureBase(method, path, headers, signedHeaders) {
-  const components = [];
-  for (const headerName of signedHeaders) {
-    let value;
-    switch (headerName) {
-      case "@method":
-        value = method.toUpperCase();
-        break;
-      case "@path":
-        value = path;
-        break;
-      case "@authority":
-        value = headers["host"] || headers["Host"] || "";
-        break;
-      default:
-        const key = Object.keys(headers).find(
-          (k) => k.toLowerCase() === headerName.toLowerCase()
-        );
-        value = key ? headers[key] || "" : "";
-        break;
-    }
-    components.push(`"${headerName}": ${value}`);
-  }
-  return components.join("\n");
-}
-async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message) {
-  try {
-    const publicKeyBytes = Uint8Array.from(atob(publicKeyBase64), (c) => c.charCodeAt(0));
-    const signatureBytes = Uint8Array.from(atob(signatureBase64), (c) => c.charCodeAt(0));
-    const messageBytes = new TextEncoder().encode(message);
-    if (publicKeyBytes.length !== 32) {
-      console.error("[Signature] Invalid public key length:", publicKeyBytes.length);
-      return false;
-    }
-    if (signatureBytes.length !== 64) {
-      console.error("[Signature] Invalid signature length:", signatureBytes.length);
-      return false;
-    }
-    const publicKey = await crypto.subtle.importKey(
-      "raw",
-      publicKeyBytes,
-      {
-        name: "Ed25519",
-        namedCurve: "Ed25519"
-      },
-      false,
-      ["verify"]
-    );
-    const isValid = await crypto.subtle.verify(
-      "Ed25519",
-      publicKey,
-      signatureBytes,
-      messageBytes
-    );
-    return isValid;
-  } catch (error) {
-    console.error("[Signature] Ed25519 verification failed:", error);
-    if (typeof window === "undefined") {
-      try {
-        console.warn("[Signature] Ed25519 not supported in this environment");
-        return false;
-      } catch {
-        return false;
-      }
-    }
-    return false;
-  }
-}
-async function verifyAgentSignature(method, path, headers) {
-  const signature = headers["signature"] || headers["Signature"];
-  const signatureInput = headers["signature-input"] || headers["Signature-Input"];
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signature || !signatureInput) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No signature headers present",
-      verificationMethod: "none"
-    };
-  }
-  const parsed = parseSignatureInput(signatureInput);
-  if (!parsed) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Invalid Signature-Input header",
-      verificationMethod: "none"
-    };
-  }
-  if (parsed.created) {
-    const now2 = Math.floor(Date.now() / 1e3);
-    const age = now2 - parsed.created;
-    if (age > 300) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature expired (older than 5 minutes)",
-        verificationMethod: "none"
-      };
-    }
-    if (age < -30) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature timestamp is in the future",
-        verificationMethod: "none"
-      };
-    }
-  }
-  let agent;
-  let knownKeys;
-  if (signatureAgent === '"https://chatgpt.com"' || signatureAgent?.includes("chatgpt.com")) {
-    agent = "ChatGPT";
-    knownKeys = KNOWN_KEYS.chatgpt;
-  }
-  if (!agent || !knownKeys) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Unknown signature agent",
-      verificationMethod: "none"
-    };
-  }
-  const key = knownKeys.find((k) => k.kid === parsed.keyid);
-  if (!key) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: `Unknown key ID: ${parsed.keyid}`,
-      verificationMethod: "none"
-    };
-  }
-  const now = Math.floor(Date.now() / 1e3);
-  if (now < key.validFrom || now > key.validUntil) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Key is not valid at current time",
-      verificationMethod: "none"
-    };
-  }
-  const signatureBase = buildSignatureBase(method, path, headers, parsed.signedHeaders);
-  let signatureValue = signature;
-  if (signatureValue.startsWith("sig1=:")) {
-    signatureValue = signatureValue.substring(6);
-  }
-  if (signatureValue.endsWith(":")) {
-    signatureValue = signatureValue.slice(0, -1);
-  }
-  const isValid = await verifyEd25519Signature(
-    key.publicKey,
-    signatureValue,
-    signatureBase
-  );
-  if (isValid) {
-    return {
-      isValid: true,
-      agent,
-      keyid: parsed.keyid,
-      confidence: 1,
-      // 100% confidence for valid signature
-      verificationMethod: "signature"
-    };
-  } else {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Signature verification failed",
-      verificationMethod: "none"
-    };
-  }
-}
-function hasSignatureHeaders(headers) {
-  return !!((headers["signature"] || headers["Signature"]) && (headers["signature-input"] || headers["Signature-Input"]));
-}
-function isChatGPTSignature(headers) {
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  return signatureAgent === '"https://chatgpt.com"' || (signatureAgent?.includes("chatgpt.com") || false);
-}
-
-// src/edge-detector-wrapper.ts
-var AI_AGENT_PATTERNS = [
-  { pattern: /chatgpt-user/i, type: "chatgpt", name: "ChatGPT" },
-  { pattern: /claude-web/i, type: "claude", name: "Claude" },
-  { pattern: /perplexitybot/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity-user/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity-ai/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity/i, type: "perplexity", name: "Perplexity" },
-  // Fallback
-  { pattern: /bingbot/i, type: "bing", name: "Bing AI" },
-  { pattern: /anthropic-ai/i, type: "anthropic", name: "Anthropic" }
-];
-var CLOUD_PROVIDERS = {
-  aws: ["54.", "52.", "35.", "18.", "3."],
-  gcp: ["35.", "34.", "104.", "107.", "108."],
-  azure: ["13.", "20.", "40.", "52.", "104."]
-};
-var EdgeAgentDetector = class {
-  async analyze(input) {
-    const reasons = [];
-    let detectedAgent;
-    let verificationMethod;
-    let confidence = 0;
-    const headers = input.headers || {};
-    const normalizedHeaders = {};
-    for (const [key, value] of Object.entries(headers)) {
-      normalizedHeaders[key.toLowerCase()] = value;
-    }
-    if (hasSignatureHeaders(headers)) {
-      try {
-        const signatureResult = await verifyAgentSignature(
-          input.method || "GET",
-          input.url || "/",
-          headers
-        );
-        if (signatureResult.isValid) {
-          confidence = signatureResult.confidence;
-          reasons.push(`verified_signature:${signatureResult.agent?.toLowerCase() || "unknown"}`);
-          if (signatureResult.agent) {
-            detectedAgent = {
-              type: signatureResult.agent.toLowerCase(),
-              name: signatureResult.agent
-            };
-          }
-          verificationMethod = signatureResult.verificationMethod;
-          if (signatureResult.keyid) {
-            reasons.push(`keyid:${signatureResult.keyid}`);
-          }
-        } else {
-          confidence = Math.max(confidence, 0.3);
-          reasons.push("invalid_signature");
-          if (signatureResult.reason) {
-            reasons.push(`signature_error:${signatureResult.reason}`);
-          }
-          if (isChatGPTSignature(headers)) {
-            reasons.push("claims_chatgpt");
-            detectedAgent = { type: "chatgpt", name: "ChatGPT (unverified)" };
-          }
-        }
-      } catch (error) {
-        console.error("[EdgeAgentDetector] Signature verification error:", error);
-        confidence = Math.max(confidence, 0.2);
-        reasons.push("signature_verification_error");
-      }
-    }
-    const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
-    if (userAgent) {
-      for (const { pattern, type, name } of AI_AGENT_PATTERNS) {
-        if (pattern.test(userAgent)) {
-          const highConfidenceAgents = [
-            "chatgpt",
-            "claude",
-            "perplexity",
-            "anthropic"
-          ];
-          const patternConfidence = highConfidenceAgents.includes(type) ? 0.85 : 0.5;
-          confidence = Math.max(confidence, patternConfidence);
-          reasons.push(`known_pattern:${type}`);
-          if (!detectedAgent) {
-            detectedAgent = { type, name };
-            verificationMethod = "pattern";
-          }
-          break;
-        }
-      }
-    }
-    const aiHeaders = [
-      "openai-conversation-id",
-      "openai-ephemeral-user-id",
-      "anthropic-client-id",
-      "x-goog-api-client",
-      "x-ms-copilot-id"
-    ];
-    const foundAiHeaders = aiHeaders.filter(
-      (header) => normalizedHeaders[header]
-    );
-    if (foundAiHeaders.length > 0) {
-      confidence = Math.max(confidence, 0.6);
-      reasons.push(`ai_headers:${foundAiHeaders.length}`);
-    }
-    const ip = input.ip || input.ipAddress;
-    if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
-      for (const [provider, prefixes] of Object.entries(CLOUD_PROVIDERS)) {
-        if (prefixes.some((prefix) => ip.startsWith(prefix))) {
-          confidence = Math.max(confidence, 0.4);
-          reasons.push(`cloud_provider:${provider}`);
-          break;
-        }
-      }
-    }
-    if (reasons.length > 2 && confidence < 1) {
-      confidence = Math.min(confidence * 1.2, 0.95);
-    }
-    return {
-      isAgent: confidence > 0.3,
-      confidence,
-      ...detectedAgent && { detectedAgent },
-      reasons,
-      ...verificationMethod && { verificationMethod },
-      forgeabilityRisk: verificationMethod === "signature" ? "low" : confidence > 0.8 ? "medium" : "high",
-      timestamp: /* @__PURE__ */ new Date()
-    };
-  }
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
-var EdgeAgentDetectorWrapper = class {
-  detector;
-  events = /* @__PURE__ */ new Map();
-  constructor(_config) {
-    this.detector = new EdgeAgentDetector();
-  }
-  async analyze(input) {
-    const result = await this.detector.analyze(input);
-    if (result.isAgent && this.events.has("agent.detected")) {
-      const handlers = this.events.get("agent.detected") || [];
-      handlers.forEach((handler) => handler(result, input));
-    }
-    return result;
-  }
-  on(event, handler) {
-    if (!this.events.has(event)) {
-      this.events.set(event, []);
-    }
-    this.events.get(event).push(handler);
-  }
-  emit(event, ...args) {
-    const handlers = this.events.get(event) || [];
-    handlers.forEach((handler) => handler(...args));
-  }
-  async init() {
-    return;
-  }
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
 };
 
 // src/wasm-loader.ts
-var wasmInstance = null;
-var wasmExports = null;
-var initPromise = null;
-var WASM_PATH = "/wasm/agentshield_wasm_bg.wasm";
-var baseUrl = null;
 function setWasmBaseUrl(url) {
   baseUrl = url;
 }
@@ -408,26 +48,31 @@ async function initWasm() {
               throw new Error(`Failed to fetch WASM: ${response2.status}`);
             }
             const streamResponse = response2.clone();
-            const { instance } = await WebAssembly.instantiateStreaming(
-              streamResponse,
-              {
-                wbg: {
-                  __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
-                    console.log("WASM:", ptr, len);
-                  },
-                  __wbindgen_throw: (ptr, len) => {
-                    throw new Error(`WASM Error at ${ptr}, length ${len}`);
+            const { instance } = await WebAssembly.instantiateStreaming(streamResponse, {
+              wbg: {
+                __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
+                  if (process.env.NODE_ENV !== "production") {
+                    console.debug("WASM:", ptr, len);
                   }
+                },
+                __wbindgen_throw: (ptr, len) => {
+                  throw new Error(`WASM Error at ${ptr}, length ${len}`);
                 }
               }
-            );
+            });
             wasmInstance = instance;
             wasmExports = instance.exports;
-            console.log("[AgentShield] \u2705 WASM module initialized with streaming");
+            if (process.env.NODE_ENV !== "production") {
+              console.debug("[AgentShield] \u2705 WASM module initialized with streaming");
+            }
             return;
           } catch (streamError) {
             if (!controller.signal.aborted) {
-              console.log("[AgentShield] Streaming compilation failed, falling back to standard compilation");
+              if (process.env.NODE_ENV !== "production") {
+                console.debug(
+                  "[AgentShield] Streaming compilation failed, falling back to standard compilation"
+                );
+              }
             } else {
               throw streamError;
             }
@@ -443,7 +88,9 @@ async function initWasm() {
         const imports = {
           wbg: {
             __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
-              console.log("WASM:", ptr, len);
+              if (process.env.NODE_ENV !== "production") {
+                console.debug("WASM:", ptr, len);
+              }
             },
             __wbindgen_throw: (ptr, len) => {
               throw new Error(`WASM Error at ${ptr}, length ${len}`);
@@ -452,12 +99,20 @@ async function initWasm() {
         };
         wasmInstance = await WebAssembly.instantiate(compiledModule, imports);
         wasmExports = wasmInstance.exports;
-        console.log("[AgentShield] \u2705 WASM module initialized via fallback");
+        if (process.env.NODE_ENV !== "production") {
+          console.debug("[AgentShield] \u2705 WASM module initialized via fallback");
+        }
       } catch (fetchError) {
-        if (fetchError.name === "AbortError") {
-          console.warn("[AgentShield] WASM fetch timed out after 3 seconds - using pattern detection");
+        const error = fetchError;
+        if (error.name === "AbortError") {
+          console.warn(
+            "[AgentShield] WASM fetch timed out after 3 seconds - using pattern detection"
+          );
         } else {
-          console.warn("[AgentShield] Failed to fetch WASM file:", fetchError.message);
+          console.warn(
+            "[AgentShield] Failed to fetch WASM file:",
+            error.message || "Unknown error"
+          );
         }
         wasmExports = null;
       }
@@ -465,122 +120,765 @@ async function initWasm() {
       console.error("[AgentShield] Failed to initialize WASM:", error);
       wasmExports = null;
     }
-  })();
-  await initPromise;
-  return !!wasmExports;
+  })();
+  await initPromise;
+  return !!wasmExports;
+}
+async function detectAgentWithWasm(userAgent, headers, ipAddress) {
+  const initialized = await initWasm();
+  if (!initialized || !wasmExports) {
+    return null;
+  }
+  try {
+    const headersJson = JSON.stringify(headers);
+    if (typeof wasmExports.detect_agent === "function") {
+      const result = wasmExports.detect_agent(
+        userAgent || "",
+        headersJson,
+        ipAddress || "",
+        (/* @__PURE__ */ new Date()).toISOString()
+      );
+      return {
+        isAgent: result.is_agent || false,
+        confidence: result.confidence || 0,
+        agent: result.agent,
+        verificationMethod: result.verification_method || "wasm",
+        riskLevel: result.risk_level || "low"
+      };
+    }
+    console.warn("[AgentShield] WASM exports do not include detect_agent function");
+    return null;
+  } catch (error) {
+    console.error("[AgentShield] WASM detection failed:", error);
+    return null;
+  }
+}
+async function getWasmVersion() {
+  const initialized = await initWasm();
+  if (!initialized || !wasmExports) {
+    return null;
+  }
+  if (typeof wasmExports.version === "function") {
+    return wasmExports.version();
+  }
+  return "unknown";
+}
+async function isWasmAvailable() {
+  try {
+    const initialized = await initWasm();
+    if (!initialized) return false;
+    const version = await getWasmVersion();
+    return version !== null;
+  } catch {
+    return false;
+  }
+}
+var wasmInstance, wasmExports, initPromise, WASM_PATH, baseUrl;
+var init_wasm_loader = __esm({
+  "src/wasm-loader.ts"() {
+    wasmInstance = null;
+    wasmExports = null;
+    initPromise = null;
+    WASM_PATH = "/wasm/agentshield_wasm_bg.wasm";
+    baseUrl = null;
+  }
+});
+
+// src/edge-detector-with-wasm.ts
+var edge_detector_with_wasm_exports = {};
+__export(edge_detector_with_wasm_exports, {
+  EdgeAgentDetectorWithWasm: () => EdgeAgentDetectorWithWasm,
+  EdgeAgentDetectorWrapperWithWasm: () => EdgeAgentDetectorWrapperWithWasm
+});
+var rules2, EdgeAgentDetectorWithWasm, EdgeAgentDetectorWrapperWithWasm;
+var init_edge_detector_with_wasm = __esm({
+  "src/edge-detector-with-wasm.ts"() {
+    init_wasm_loader();
+    rules2 = loadRulesSync();
+    EdgeAgentDetectorWithWasm = class {
+      constructor(enableWasm = true) {
+        this.enableWasm = enableWasm;
+        this.rules = rules2;
+      }
+      wasmEnabled = false;
+      initPromise = null;
+      baseUrl = null;
+      rules;
+      /**
+       * Set the base URL for WASM loading in Edge Runtime
+       */
+      setBaseUrl(url) {
+        this.baseUrl = url;
+        setWasmBaseUrl(url);
+      }
+      /**
+       * Initialize the detector (including WASM if enabled)
+       */
+      async init() {
+        if (!this.enableWasm) {
+          this.wasmEnabled = false;
+          return;
+        }
+        if (this.initPromise) {
+          await this.initPromise;
+          return;
+        }
+        this.initPromise = (async () => {
+          try {
+            const wasmAvailable = await isWasmAvailable();
+            if (wasmAvailable) {
+              if (this.baseUrl) {
+                setWasmBaseUrl(this.baseUrl);
+              }
+              await initWasm();
+              this.wasmEnabled = true;
+            } else {
+              this.wasmEnabled = false;
+            }
+          } catch (error) {
+            console.error("[AgentShield] Failed to initialize WASM:", error);
+            this.wasmEnabled = false;
+          }
+        })();
+        await this.initPromise;
+      }
+      /**
+       * Pattern-based detection (fallback)
+       */
+      async patternDetection(input) {
+        const reasons = [];
+        let detectedAgent;
+        let verificationMethod;
+        let confidence = 0;
+        const headers = input.headers || {};
+        const normalizedHeaders = {};
+        for (const [key, value] of Object.entries(headers)) {
+          normalizedHeaders[key.toLowerCase()] = value;
+        }
+        const signaturePresent = !!(normalizedHeaders["signature"] || normalizedHeaders["signature-input"]);
+        const signatureAgent = normalizedHeaders["signature-agent"];
+        if (signatureAgent?.includes("chatgpt.com")) {
+          confidence = 85;
+          reasons.push("signature_agent:chatgpt");
+          detectedAgent = { type: "chatgpt", name: "ChatGPT" };
+          verificationMethod = "signature";
+        } else if (signaturePresent) {
+          confidence = Math.max(confidence, 40);
+          reasons.push("signature_present");
+        }
+        const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
+        if (userAgent) {
+          for (const [agentKey, agentRule] of Object.entries(this.rules.rules.userAgents)) {
+            const matched = agentRule.patterns.some((pattern) => {
+              const regex = new RegExp(pattern, "i");
+              return regex.test(userAgent);
+            });
+            if (matched) {
+              const agentType = this.getAgentType(agentKey);
+              const agentName = this.getAgentName(agentKey);
+              confidence = Math.max(confidence, Math.round(agentRule.confidence * 0.85 * 100));
+              reasons.push(`known_pattern:${agentType}`);
+              if (!detectedAgent) {
+                detectedAgent = { type: agentType, name: agentName };
+                verificationMethod = "pattern";
+              }
+              break;
+            }
+          }
+        }
+        const suspiciousHeaders = this.rules.rules.headers.suspicious;
+        const foundAiHeaders = suspiciousHeaders.filter(
+          (headerRule) => normalizedHeaders[headerRule.name.toLowerCase()]
+        );
+        if (foundAiHeaders.length > 0) {
+          const maxConfidence = Math.max(...foundAiHeaders.map((h) => h.confidence));
+          confidence = Math.max(confidence, maxConfidence);
+          reasons.push(`ai_headers:${foundAiHeaders.length}`);
+        }
+        const ip = input.ip || input.ipAddress;
+        if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
+          const ipRanges = "providers" in this.rules.rules.ipRanges ? this.rules.rules.ipRanges.providers : this.rules.rules.ipRanges;
+          for (const [provider, ipRule] of Object.entries(ipRanges)) {
+            if (!ipRule || typeof ipRule !== "object" || !("ranges" in ipRule) || !Array.isArray(ipRule.ranges))
+              continue;
+            const matched = ipRule.ranges.some((range) => {
+              const prefix = range.split("/")[0];
+              const prefixParts = prefix.split(".");
+              const ipParts = ip.split(".");
+              for (let i = 0; i < Math.min(prefixParts.length - 1, 2); i++) {
+                if (prefixParts[i] !== ipParts[i] && prefixParts[i] !== "0") {
+                  return false;
+                }
+              }
+              return true;
+            });
+            if (matched) {
+              confidence = Math.max(confidence, Math.round(ipRule.confidence * 0.4 * 100));
+              reasons.push(`cloud_provider:${provider}`);
+              break;
+            }
+          }
+        }
+        if (reasons.length > 2) {
+          confidence = Math.min(Math.round(confidence * 1.2), 95);
+        }
+        confidence = Math.min(Math.max(confidence, 0), 100);
+        return {
+          isAgent: confidence > 30,
+          // 30% threshold
+          confidence,
+          detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
+          signals: [],
+          // Will be populated by enhanced detection engine in future tasks
+          ...detectedAgent && { detectedAgent },
+          reasons,
+          ...verificationMethod && {
+            verificationMethod: mapVerificationMethod(verificationMethod)
+          },
+          forgeabilityRisk: confidence > 80 ? "medium" : "high",
+          timestamp: /* @__PURE__ */ new Date()
+        };
+      }
+      /**
+       * Analyze request with WASM enhancement when available
+       */
+      async analyze(input) {
+        await this.init();
+        if (this.wasmEnabled) {
+          try {
+            const wasmResult = await detectAgentWithWasm(
+              input.userAgent || input.headers?.["user-agent"],
+              input.headers || {},
+              input.ip || input.ipAddress
+            );
+            if (wasmResult) {
+              const detectedAgent = wasmResult.agent ? this.mapAgentName(wasmResult.agent) : void 0;
+              return {
+                isAgent: wasmResult.isAgent,
+                confidence: wasmResult.confidence,
+                detectionClass: wasmResult.isAgent && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : wasmResult.isAgent ? { type: "Unknown" } : { type: "Human" },
+                signals: [],
+                // Will be populated by enhanced detection engine in future tasks
+                ...detectedAgent && { detectedAgent },
+                reasons: [`wasm:${wasmResult.verificationMethod}`],
+                verificationMethod: mapVerificationMethod(wasmResult.verificationMethod),
+                forgeabilityRisk: wasmResult.verificationMethod === "signature" ? "low" : wasmResult.confidence > 90 ? "medium" : "high",
+                timestamp: /* @__PURE__ */ new Date()
+              };
+            }
+          } catch (error) {
+            console.error("[AgentShield] WASM detection error:", error);
+          }
+        }
+        const patternResult = await this.patternDetection(input);
+        if (this.wasmEnabled && patternResult.confidence >= 85) {
+          patternResult.confidence = Math.min(95, patternResult.confidence + 10);
+          patternResult.reasons.push("wasm_enhanced");
+        }
+        return patternResult;
+      }
+      /**
+       * Get agent type from rule key
+       */
+      getAgentType(agentKey) {
+        const typeMap = {
+          openai_gptbot: "openai",
+          anthropic_claude: "anthropic",
+          perplexity_bot: "perplexity",
+          google_ai: "google",
+          microsoft_ai: "microsoft",
+          meta_ai: "meta",
+          cohere_bot: "cohere",
+          huggingface_bot: "huggingface",
+          generic_bot: "generic",
+          dev_tools: "dev",
+          automation_tools: "automation"
+        };
+        return typeMap[agentKey] || agentKey;
+      }
+      /**
+       * Get agent name from rule key
+       */
+      getAgentName(agentKey) {
+        const nameMap = {
+          openai_gptbot: "ChatGPT/GPTBot",
+          anthropic_claude: "Claude",
+          perplexity_bot: "Perplexity",
+          google_ai: "Google AI",
+          microsoft_ai: "Microsoft Copilot",
+          meta_ai: "Meta AI",
+          cohere_bot: "Cohere",
+          huggingface_bot: "HuggingFace",
+          generic_bot: "Generic Bot",
+          dev_tools: "Development Tool",
+          automation_tools: "Automation Tool"
+        };
+        return nameMap[agentKey] || agentKey;
+      }
+      /**
+       * Map agent names from WASM to consistent format
+       */
+      mapAgentName(agent) {
+        const lowerAgent = agent.toLowerCase();
+        if (lowerAgent.includes("chatgpt")) {
+          return { type: "chatgpt", name: "ChatGPT" };
+        } else if (lowerAgent.includes("claude")) {
+          return { type: "claude", name: "Claude" };
+        } else if (lowerAgent.includes("perplexity")) {
+          return { type: "perplexity", name: "Perplexity" };
+        } else if (lowerAgent.includes("bing")) {
+          return { type: "bing", name: "Bing AI" };
+        } else if (lowerAgent.includes("anthropic")) {
+          return { type: "anthropic", name: "Anthropic" };
+        }
+        return { type: "unknown", name: agent };
+      }
+    };
+    EdgeAgentDetectorWrapperWithWasm = class {
+      detector;
+      events = /* @__PURE__ */ new Map();
+      constructor(config) {
+        this.detector = new EdgeAgentDetectorWithWasm(config?.enableWasm ?? true);
+        if (config?.baseUrl) {
+          this.detector.setBaseUrl(config.baseUrl);
+        }
+      }
+      setBaseUrl(url) {
+        this.detector.setBaseUrl(url);
+      }
+      async analyze(input) {
+        const result = await this.detector.analyze(input);
+        if (result.isAgent && this.events.has("agent.detected")) {
+          const handlers = this.events.get("agent.detected") || [];
+          handlers.forEach((handler) => handler(result, input));
+        }
+        return result;
+      }
+      on(event, handler) {
+        if (!this.events.has(event)) {
+          this.events.set(event, []);
+        }
+        this.events.get(event).push(handler);
+      }
+      emit(event, ...args) {
+        const handlers = this.events.get(event) || [];
+        handlers.forEach((handler) => handler(...args));
+      }
+      async init() {
+        await this.detector.init();
+      }
+    };
+  }
+});
+
+// src/wasm-confidence.ts
+var wasm_confidence_exports = {};
+__export(wasm_confidence_exports, {
+  checkWasmAvailability: () => checkWasmAvailability,
+  getVerificationMethod: () => getVerificationMethod,
+  getWasmConfidenceBoost: () => getWasmConfidenceBoost,
+  shouldIndicateWasmVerification: () => shouldIndicateWasmVerification
+});
+async function checkWasmAvailability() {
+  try {
+    if (typeof WebAssembly === "undefined") {
+      return false;
+    }
+    if (!WebAssembly.instantiate || !WebAssembly.Module) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function shouldIndicateWasmVerification(confidence) {
+  return confidence >= 85 && confidence < 100;
+}
+function getWasmConfidenceBoost(baseConfidence, reasons = []) {
+  if (reasons.some(
+    (r) => r.includes("signature_agent") && !r.includes("signature_headers_present")
+  )) {
+    return 100;
+  }
+  if (baseConfidence >= 85) {
+    return 95;
+  }
+  if (baseConfidence >= 70) {
+    return Math.min(baseConfidence * 1.1, 90);
+  }
+  return baseConfidence;
+}
+function getVerificationMethod(confidence, reasons = []) {
+  if (reasons.some(
+    (r) => r.includes("signature_agent") && !r.includes("signature_headers_present")
+  )) {
+    return "signature";
+  }
+  if (shouldIndicateWasmVerification(confidence)) {
+    return "wasm-enhanced";
+  }
+  return "pattern";
+}
+var init_wasm_confidence = __esm({
+  "src/wasm-confidence.ts"() {
+  }
+});
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+var KNOWN_KEYS = {
+  chatgpt: [
+    {
+      kid: "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
+      // ChatGPT's current Ed25519 public key (base64)
+      // Source: https://chatgpt.com/.well-known/http-message-signatures-directory
+      publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
+      validFrom: 1735689600,
+      // Jan 1, 2025 (from OpenAI's nbf)
+      // Extended expiration as fallback safety - API fetch should provide fresh keys
+      // Check OpenAI's well-known endpoint for actual expiration dates
+      validUntil: 1799625600
+      // Jan 1, 2027 (extended for fallback safety)
+    }
+  ]
+};
+var keyCache = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var CACHE_MAX_SIZE = 100;
+function getApiBaseUrl() {
+  if (typeof window !== "undefined") {
+    return "/api/internal";
+  }
+  const baseUrl2 = process.env.NEXT_PUBLIC_APP_URL || process.env.NEXT_PUBLIC_API_URL || process.env.API_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : null);
+  if (baseUrl2) {
+    return baseUrl2.replace(/\/$/, "") + "/api/internal";
+  }
+  if (process.env.NODE_ENV !== "production") {
+    console.warn(
+      "[Signature] No base URL configured for server-side fetch. Using localhost fallback."
+    );
+    return "http://localhost:3000/api/internal";
+  }
+  console.error(
+    "[Signature] CRITICAL: No base URL configured for server-side fetch in production!"
+  );
+  return "/api/internal";
+}
+function cleanupExpiredCache() {
+  const now = Date.now();
+  const entriesToDelete = [];
+  for (const [agent, cached] of keyCache.entries()) {
+    if (now - cached.cachedAt > CACHE_TTL_MS) {
+      entriesToDelete.push(agent);
+    }
+  }
+  for (const agent of entriesToDelete) {
+    keyCache.delete(agent);
+  }
+  if (keyCache.size > CACHE_MAX_SIZE) {
+    const entries = Array.from(keyCache.entries()).map(([agent, cached]) => ({
+      agent,
+      cachedAt: cached.cachedAt
+    }));
+    entries.sort((a, b) => a.cachedAt - b.cachedAt);
+    const toRemove = entries.slice(0, keyCache.size - CACHE_MAX_SIZE);
+    for (const entry of toRemove) {
+      keyCache.delete(entry.agent);
+    }
+  }
 }
-async function detectAgentWithWasm(userAgent, headers, ipAddress) {
-  const initialized = await initWasm();
-  if (!initialized || !wasmExports) {
+async function fetchKeysFromApi(agent) {
+  if (keyCache.size > CACHE_MAX_SIZE) {
+    cleanupExpiredCache();
+  }
+  const cached = keyCache.get(agent);
+  if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {
+    return cached.keys;
+  }
+  if (typeof fetch === "undefined") {
+    console.warn("[Signature] fetch() not available in this environment");
     return null;
   }
   try {
-    const headersJson = JSON.stringify(headers);
-    if (typeof wasmExports.detect_agent === "function") {
-      const result = wasmExports.detect_agent(
-        userAgent || "",
-        headersJson,
-        ipAddress || "",
-        (/* @__PURE__ */ new Date()).toISOString()
-      );
-      return {
-        isAgent: result.is_agent || false,
-        confidence: result.confidence || 0,
-        agent: result.agent,
-        verificationMethod: result.verification_method || "wasm",
-        riskLevel: result.risk_level || "low"
-      };
+    const apiBaseUrl = getApiBaseUrl();
+    const url = `${apiBaseUrl}/signature-keys?agent=${encodeURIComponent(agent)}`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      // 5 second timeout
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!response.ok) {
+      console.warn(`[Signature] Failed to fetch keys from API: ${response.status}`);
+      return null;
     }
-    console.warn("[AgentShield] WASM exports do not include detect_agent function");
-    return null;
+    const data = await response.json();
+    if (!data.keys || !Array.isArray(data.keys) || data.keys.length === 0) {
+      console.warn(`[Signature] No keys returned from API for agent: ${agent}`);
+      return null;
+    }
+    keyCache.set(agent, {
+      keys: data.keys,
+      cachedAt: Date.now()
+    });
+    return data.keys;
   } catch (error) {
-    console.error("[AgentShield] WASM detection failed:", error);
+    console.warn("[Signature] Error fetching keys from API, using fallback", {
+      error: error instanceof Error ? error.message : "Unknown error",
+      agent
+    });
     return null;
   }
 }
-async function getWasmVersion() {
-  const initialized = await initWasm();
-  if (!initialized || !wasmExports) {
+function isValidAgent(agent) {
+  return agent in KNOWN_KEYS;
+}
+async function getKeysForAgent(agent) {
+  const apiKeys = await fetchKeysFromApi(agent);
+  if (apiKeys && apiKeys.length > 0) {
+    return apiKeys;
+  }
+  if (isValidAgent(agent)) {
+    return KNOWN_KEYS[agent];
+  }
+  return [];
+}
+function parseSignatureInput(signatureInput) {
+  try {
+    const match = signatureInput.match(/sig1=\((.*?)\);(.+)/);
+    if (!match) return null;
+    const [, headersList, params] = match;
+    const signedHeaders = headersList ? headersList.split(" ").map((h) => h.replace(/"/g, "").trim()).filter((h) => h.length > 0) : [];
+    const keyidMatch = params ? params.match(/keyid="([^"]+)"/) : null;
+    const createdMatch = params ? params.match(/created=(\d+)/) : null;
+    const expiresMatch = params ? params.match(/expires=(\d+)/) : null;
+    if (!keyidMatch || !keyidMatch[1]) return null;
+    return {
+      keyid: keyidMatch[1],
+      created: createdMatch && createdMatch[1] ? parseInt(createdMatch[1]) : void 0,
+      expires: expiresMatch && expiresMatch[1] ? parseInt(expiresMatch[1]) : void 0,
+      signedHeaders
+    };
+  } catch (error) {
+    console.error("[Signature] Failed to parse Signature-Input:", error);
     return null;
   }
-  if (typeof wasmExports.version === "function") {
-    return wasmExports.version();
+}
+function buildSignatureBase(method, path, headers, signedHeaders) {
+  const components = [];
+  for (const headerName of signedHeaders) {
+    let value;
+    switch (headerName) {
+      case "@method":
+        value = method.toUpperCase();
+        break;
+      case "@path":
+        value = path;
+        break;
+      case "@authority":
+        value = headers["host"] || headers["Host"] || "";
+        break;
+      default: {
+        const key = Object.keys(headers).find((k) => k.toLowerCase() === headerName.toLowerCase());
+        value = key ? headers[key] || "" : "";
+        break;
+      }
+    }
+    components.push(`"${headerName}": ${value}`);
   }
-  return "unknown";
+  return components.join("\n");
 }
-async function isWasmAvailable() {
+function base64ToBytes(base64) {
+  let standardBase64 = base64.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = standardBase64.length % 4;
+  if (padding) {
+    standardBase64 += "=".repeat(4 - padding);
+  }
+  const binaryString = atob(standardBase64);
+  return Uint8Array.from(binaryString, (c) => c.charCodeAt(0));
+}
+async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message) {
   try {
-    const initialized = await initWasm();
-    if (!initialized) return false;
-    const version = await getWasmVersion();
-    return version !== null;
-  } catch {
-    return false;
+    const publicKeyBytes = base64ToBytes(publicKeyBase64);
+    const signatureBytes = base64ToBytes(signatureBase64);
+    const messageBytes = new TextEncoder().encode(message);
+    if (publicKeyBytes.length !== 32) {
+      console.error("[Signature] Invalid public key length:", publicKeyBytes.length);
+      return false;
+    }
+    if (signatureBytes.length !== 64) {
+      console.error("[Signature] Invalid signature length:", signatureBytes.length);
+      return false;
+    }
+    return ed25519.verify(signatureBytes, messageBytes, publicKeyBytes);
+  } catch (nobleError) {
+    console.warn("[Signature] @noble/ed25519 failed, trying Web Crypto fallback:", nobleError);
+    try {
+      const publicKeyBytes = base64ToBytes(publicKeyBase64);
+      const signatureBytes = base64ToBytes(signatureBase64);
+      const messageBytes = new TextEncoder().encode(message);
+      const publicKey = await crypto.subtle.importKey(
+        "raw",
+        publicKeyBytes.buffer,
+        {
+          name: "Ed25519",
+          namedCurve: "Ed25519"
+        },
+        false,
+        ["verify"]
+      );
+      return await crypto.subtle.verify(
+        "Ed25519",
+        publicKey,
+        signatureBytes.buffer,
+        messageBytes
+      );
+    } catch (cryptoError) {
+      console.error("[Signature] Both @noble/ed25519 and Web Crypto failed:", {
+        nobleError: nobleError instanceof Error ? nobleError.message : "Unknown",
+        cryptoError: cryptoError instanceof Error ? cryptoError.message : "Unknown"
+      });
+      return false;
+    }
   }
 }
-
-// src/edge-detector-with-wasm.ts
-var AI_AGENT_PATTERNS2 = [
-  { pattern: /chatgpt-user/i, type: "chatgpt", name: "ChatGPT" },
-  { pattern: /claude-web/i, type: "claude", name: "Claude" },
-  { pattern: /perplexitybot/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity-user/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity-ai/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /bingbot/i, type: "bing", name: "Bing AI" },
-  { pattern: /anthropic-ai/i, type: "anthropic", name: "Anthropic" }
-];
-var CLOUD_PROVIDERS2 = {
-  aws: ["54.", "52.", "35.", "18.", "3."],
-  gcp: ["35.", "34.", "104.", "107.", "108."],
-  azure: ["13.", "20.", "40.", "52.", "104."]
-};
-var EdgeAgentDetectorWithWasm = class {
-  constructor(enableWasm = true) {
-    this.enableWasm = enableWasm;
+async function verifyAgentSignature(method, path, headers) {
+  const signature = headers["signature"] || headers["Signature"];
+  const signatureInput = headers["signature-input"] || headers["Signature-Input"];
+  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
+  if (!signature || !signatureInput) {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: "No signature headers present",
+      verificationMethod: "none"
+    };
   }
-  wasmEnabled = false;
-  initPromise = null;
-  baseUrl = null;
-  /**
-   * Set the base URL for WASM loading in Edge Runtime
-   */
-  setBaseUrl(url) {
-    this.baseUrl = url;
-    setWasmBaseUrl(url);
+  const parsed = parseSignatureInput(signatureInput);
+  if (!parsed) {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: "Invalid Signature-Input header",
+      verificationMethod: "none"
+    };
   }
-  /**
-   * Initialize the detector (including WASM if enabled)
-   */
-  async init() {
-    if (!this.enableWasm) {
-      this.wasmEnabled = false;
-      return;
+  if (parsed.created) {
+    const now2 = Math.floor(Date.now() / 1e3);
+    const age = now2 - parsed.created;
+    if (age > 300) {
+      return {
+        isValid: false,
+        confidence: 0,
+        reason: "Signature expired (older than 5 minutes)",
+        verificationMethod: "none"
+      };
     }
-    if (this.initPromise) {
-      await this.initPromise;
-      return;
+    if (age < -30) {
+      return {
+        isValid: false,
+        confidence: 0,
+        reason: "Signature timestamp is in the future",
+        verificationMethod: "none"
+      };
     }
-    this.initPromise = (async () => {
-      try {
-        const wasmAvailable = await isWasmAvailable();
-        this.wasmEnabled = wasmAvailable;
-        if (this.wasmEnabled) {
-          console.log("[AgentShield] WASM detection enabled");
-        } else {
-          console.log("[AgentShield] WASM not available, using pattern detection");
-        }
-      } catch (error) {
-        console.error("[AgentShield] Failed to initialize WASM:", error);
-        this.wasmEnabled = false;
-      }
-    })();
-    await this.initPromise;
   }
-  /**
-   * Pattern-based detection (fallback)
-   */
-  async patternDetection(input) {
+  let agent;
+  let agentKey;
+  if (signatureAgent === '"https://chatgpt.com"' || signatureAgent?.includes("chatgpt.com")) {
+    agent = "ChatGPT";
+    agentKey = "chatgpt";
+  }
+  if (!agent || !agentKey) {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: "Unknown signature agent",
+      verificationMethod: "none"
+    };
+  }
+  const knownKeys = await getKeysForAgent(agentKey);
+  if (knownKeys.length === 0) {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: "No keys available for agent",
+      verificationMethod: "none"
+    };
+  }
+  const key = knownKeys.find((k) => k.kid === parsed.keyid);
+  if (!key) {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: `Unknown key ID: ${parsed.keyid}`,
+      verificationMethod: "none"
+    };
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (now < key.validFrom || now > key.validUntil) {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: "Key is not valid at current time",
+      verificationMethod: "none"
+    };
+  }
+  const signatureBase = buildSignatureBase(method, path, headers, parsed.signedHeaders);
+  let signatureValue = signature;
+  if (signatureValue.startsWith("sig1=:")) {
+    signatureValue = signatureValue.substring(6);
+  }
+  if (signatureValue.endsWith(":")) {
+    signatureValue = signatureValue.slice(0, -1);
+  }
+  const isValid = await verifyEd25519Signature(key.publicKey, signatureValue, signatureBase);
+  if (isValid) {
+    return {
+      isValid: true,
+      agent,
+      keyid: parsed.keyid,
+      confidence: 1,
+      // 100% confidence for valid signature
+      verificationMethod: "signature"
+    };
+  } else {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: "Signature verification failed",
+      verificationMethod: "none"
+    };
+  }
+}
+function hasSignatureHeaders(headers) {
+  return !!((headers["signature"] || headers["Signature"]) && (headers["signature-input"] || headers["Signature-Input"]));
+}
+function isChatGPTSignature(headers) {
+  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
+  if (!signatureAgent) {
+    return false;
+  }
+  const agentUrlStr = signatureAgent.replace(/^"+|"+$/g, "");
+  if (agentUrlStr === "https://chatgpt.com") {
+    return true;
+  }
+  try {
+    const agentUrl = new URL(agentUrlStr);
+    const allowedHosts = ["chatgpt.com", "www.chatgpt.com"];
+    return allowedHosts.includes(agentUrl.host);
+  } catch {
+    return false;
+  }
+}
+var rules = loadRulesSync();
+var EdgeAgentDetector = class {
+  rules;
+  constructor() {
+    this.rules = rules;
+  }
+  async analyze(input) {
     const reasons = [];
     let detectedAgent;
     let verificationMethod;
@@ -590,144 +888,178 @@ var EdgeAgentDetectorWithWasm = class {
     for (const [key, value] of Object.entries(headers)) {
       normalizedHeaders[key.toLowerCase()] = value;
     }
-    const signaturePresent = !!(normalizedHeaders["signature"] || normalizedHeaders["signature-input"]);
-    const signatureAgent = normalizedHeaders["signature-agent"];
-    if (signatureAgent?.includes("chatgpt.com")) {
-      confidence = 0.85;
-      reasons.push("signature_agent:chatgpt");
-      detectedAgent = { type: "chatgpt", name: "ChatGPT" };
-      verificationMethod = "signature";
-    } else if (signaturePresent) {
-      confidence = Math.max(confidence, 0.4);
-      reasons.push("signature_present");
+    if (hasSignatureHeaders(headers)) {
+      try {
+        const signatureResult = await verifyAgentSignature(
+          input.method || "GET",
+          input.url || "/",
+          headers
+        );
+        if (signatureResult.isValid) {
+          confidence = signatureResult.confidence * 100;
+          reasons.push(`verified_signature:${signatureResult.agent?.toLowerCase() || "unknown"}`);
+          if (signatureResult.agent) {
+            detectedAgent = {
+              type: signatureResult.agent.toLowerCase(),
+              name: signatureResult.agent
+            };
+          }
+          verificationMethod = signatureResult.verificationMethod;
+          if (signatureResult.keyid) {
+            reasons.push(`keyid:${signatureResult.keyid}`);
+          }
+        } else {
+          console.warn("[EdgeAgentDetector] Signature verification failed:", {
+            reason: signatureResult.reason,
+            agent: signatureResult.agent,
+            hasSignatureAgent: !!headers["signature-agent"] || !!headers["Signature-Agent"],
+            signatureAgentValue: headers["signature-agent"] || headers["Signature-Agent"]
+          });
+          confidence = Math.max(confidence, 30);
+          reasons.push("invalid_signature");
+          if (signatureResult.reason) {
+            reasons.push(`signature_error:${signatureResult.reason}`);
+          }
+          if (isChatGPTSignature(headers)) {
+            reasons.push("claims_chatgpt");
+            detectedAgent = { type: "chatgpt", name: "ChatGPT (unverified)" };
+          }
+        }
+      } catch (error) {
+        console.error("[EdgeAgentDetector] Signature verification error:", error);
+        confidence = Math.max(confidence, 20);
+        reasons.push("signature_verification_error");
+      }
     }
     const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
     if (userAgent) {
-      for (const { pattern, type, name } of AI_AGENT_PATTERNS2) {
-        if (pattern.test(userAgent)) {
-          const highConfidenceAgents = [
-            "chatgpt",
-            "claude",
-            "perplexity",
-            "anthropic"
-          ];
-          const patternConfidence = highConfidenceAgents.includes(type) ? 0.85 : 0.5;
-          confidence = Math.max(confidence, patternConfidence);
-          reasons.push(`known_pattern:${type}`);
+      const userAgentEntries = Object.entries(this.rules.rules.userAgents);
+      const genericKeys = ["generic_bot", "dev_tools", "automation_tools"];
+      const sortedEntries = userAgentEntries.sort((a, b) => {
+        const aIsGeneric = genericKeys.includes(a[0]);
+        const bIsGeneric = genericKeys.includes(b[0]);
+        if (aIsGeneric && !bIsGeneric) return 1;
+        if (!aIsGeneric && bIsGeneric) return -1;
+        return 0;
+      });
+      for (const [agentKey, agentRule] of sortedEntries) {
+        const rule = agentRule;
+        const matched = rule.patterns.some((pattern) => {
+          const regex = new RegExp(pattern, "i");
+          return regex.test(userAgent);
+        });
+        if (matched) {
+          const agentType = this.getAgentType(agentKey);
+          const agentName = this.getAgentName(agentKey);
+          confidence = Math.max(confidence, rule.confidence * 100);
+          reasons.push(`known_pattern:${agentType}`);
           if (!detectedAgent) {
-            detectedAgent = { type, name };
+            detectedAgent = { type: agentType, name: agentName };
             verificationMethod = "pattern";
           }
           break;
         }
       }
     }
-    const aiHeaders = [
-      "openai-conversation-id",
-      "openai-ephemeral-user-id",
-      "anthropic-client-id",
-      "x-goog-api-client",
-      "x-ms-copilot-id"
-    ];
-    const foundAiHeaders = aiHeaders.filter(
-      (header) => normalizedHeaders[header]
+    const suspiciousHeaders = this.rules.rules.headers.suspicious;
+    const foundAiHeaders = suspiciousHeaders.filter(
+      (headerRule) => normalizedHeaders[headerRule.name.toLowerCase()]
     );
     if (foundAiHeaders.length > 0) {
-      confidence = Math.max(confidence, 0.6);
+      const maxConfidence = Math.max(...foundAiHeaders.map((h) => h.confidence * 100));
+      confidence = Math.max(confidence, maxConfidence);
       reasons.push(`ai_headers:${foundAiHeaders.length}`);
     }
     const ip = input.ip || input.ipAddress;
     if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
-      for (const [provider, prefixes] of Object.entries(CLOUD_PROVIDERS2)) {
-        if (prefixes.some((prefix) => ip.startsWith(prefix))) {
-          confidence = Math.max(confidence, 0.4);
+      const ipRanges = "providers" in this.rules.rules.ipRanges ? this.rules.rules.ipRanges.providers : this.rules.rules.ipRanges;
+      for (const [provider, ipRule] of Object.entries(ipRanges)) {
+        if (!ipRule || typeof ipRule !== "object" || !("ranges" in ipRule) || !Array.isArray(ipRule.ranges))
+          continue;
+        const matched = ipRule.ranges.some((range) => {
+          const prefix = range.split("/")[0];
+          const prefixParts = prefix.split(".");
+          const ipParts = ip.split(".");
+          for (let i = 0; i < Math.min(prefixParts.length - 1, 2); i++) {
+            if (prefixParts[i] !== ipParts[i] && prefixParts[i] !== "0") {
+              return false;
+            }
+          }
+          return true;
+        });
+        if (matched) {
+          const rule = ipRule;
+          confidence = Math.max(confidence, rule.confidence * 40);
           reasons.push(`cloud_provider:${provider}`);
           break;
         }
       }
     }
-    if (reasons.length > 2) {
-      confidence = Math.min(confidence * 1.2, 0.95);
+    if (reasons.length > 2 && confidence < 100) {
+      confidence = Math.min(confidence * 1.2, 95);
     }
+    confidence = Math.min(Math.max(confidence, 0), 100);
     return {
-      isAgent: confidence > 0.3,
+      isAgent: confidence > 30,
+      // Updated to 0-100 scale (was 0.3)
       confidence,
+      detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
+      signals: [],
+      // Will be populated by enhanced detection engine in future tasks
       ...detectedAgent && { detectedAgent },
       reasons,
-      ...verificationMethod && { verificationMethod },
-      forgeabilityRisk: confidence > 0.8 ? "medium" : "high",
+      ...verificationMethod && {
+        verificationMethod
+      },
+      forgeabilityRisk: verificationMethod === "signature" ? "low" : confidence > 80 ? "medium" : "high",
+      // Updated to 0-100 scale
       timestamp: /* @__PURE__ */ new Date()
     };
   }
   /**
-   * Analyze request with WASM enhancement when available
+   * Get agent type from rule key
    */
-  async analyze(input) {
-    await this.init();
-    if (this.wasmEnabled) {
-      try {
-        const wasmResult = await detectAgentWithWasm(
-          input.userAgent || input.headers?.["user-agent"],
-          input.headers || {},
-          input.ip || input.ipAddress
-        );
-        if (wasmResult) {
-          console.log("[AgentShield] Using WASM detection result");
-          const detectedAgent = wasmResult.agent ? this.mapAgentName(wasmResult.agent) : void 0;
-          return {
-            isAgent: wasmResult.isAgent,
-            confidence: wasmResult.confidence,
-            ...detectedAgent && { detectedAgent },
-            reasons: [`wasm:${wasmResult.verificationMethod}`],
-            verificationMethod: wasmResult.verificationMethod,
-            forgeabilityRisk: wasmResult.verificationMethod === "signature" ? "low" : wasmResult.confidence > 0.9 ? "medium" : "high",
-            timestamp: /* @__PURE__ */ new Date()
-          };
-        }
-      } catch (error) {
-        console.error("[AgentShield] WASM detection error:", error);
-      }
-    }
-    const patternResult = await this.patternDetection(input);
-    if (this.wasmEnabled && patternResult.confidence >= 0.85) {
-      patternResult.confidence = Math.min(0.95, patternResult.confidence + 0.1);
-      patternResult.reasons.push("wasm_enhanced");
-      if (!patternResult.verificationMethod) {
-        patternResult.verificationMethod = "wasm-enhanced";
-      }
-    }
-    return patternResult;
+  getAgentType(agentKey) {
+    const typeMap = {
+      openai_gptbot: "openai",
+      anthropic_claude: "anthropic",
+      perplexity_bot: "perplexity",
+      google_ai: "google",
+      microsoft_ai: "microsoft",
+      meta_ai: "meta",
+      cohere_bot: "cohere",
+      huggingface_bot: "huggingface",
+      generic_bot: "generic",
+      dev_tools: "dev",
+      automation_tools: "automation"
+    };
+    return typeMap[agentKey] || agentKey;
   }
   /**
-   * Map agent names from WASM to consistent format
+   * Get agent name from rule key
    */
-  mapAgentName(agent) {
-    const lowerAgent = agent.toLowerCase();
-    if (lowerAgent.includes("chatgpt")) {
-      return { type: "chatgpt", name: "ChatGPT" };
-    } else if (lowerAgent.includes("claude")) {
-      return { type: "claude", name: "Claude" };
-    } else if (lowerAgent.includes("perplexity")) {
-      return { type: "perplexity", name: "Perplexity" };
-    } else if (lowerAgent.includes("bing")) {
-      return { type: "bing", name: "Bing AI" };
-    } else if (lowerAgent.includes("anthropic")) {
-      return { type: "anthropic", name: "Anthropic" };
-    }
-    return { type: "unknown", name: agent };
+  getAgentName(agentKey) {
+    const nameMap = {
+      openai_gptbot: "ChatGPT/GPTBot",
+      anthropic_claude: "Claude",
+      perplexity_bot: "Perplexity",
+      google_ai: "Google AI",
+      microsoft_ai: "Microsoft Copilot",
+      meta_ai: "Meta AI",
+      cohere_bot: "Cohere",
+      huggingface_bot: "HuggingFace",
+      generic_bot: "Generic Bot",
+      dev_tools: "Development Tool",
+      automation_tools: "Automation Tool"
+    };
+    return nameMap[agentKey] || agentKey;
   }
 };
-var EdgeAgentDetectorWrapperWithWasm = class {
+var EdgeAgentDetectorWrapper = class {
   detector;
   events = /* @__PURE__ */ new Map();
-  constructor(config) {
-    this.detector = new EdgeAgentDetectorWithWasm(config?.enableWasm ?? true);
-    if (config?.baseUrl) {
-      this.detector.setBaseUrl(config.baseUrl);
-    }
-  }
-  setBaseUrl(url) {
-    this.detector.setBaseUrl(url);
+  constructor(_config) {
+    this.detector = new EdgeAgentDetector();
   }
   async analyze(input) {
     const result = await this.detector.analyze(input);
@@ -748,10 +1080,13 @@ var EdgeAgentDetectorWrapperWithWasm = class {
     handlers.forEach((handler) => handler(...args));
   }
   async init() {
-    await this.detector.init();
+    return;
   }
 };
 
+// src/middleware.ts
+init_edge_detector_with_wasm();
+
 // src/session-tracker.ts
 var EdgeSessionTracker = class {
   config;
@@ -931,7 +1266,9 @@ function createAgentShieldMiddleware(config = {}) {
   }) : null;
   if (config.events) {
     Object.entries(config.events).forEach(([event, handler]) => {
-      detector.on(event, handler);
+      if (handler) {
+        detector.on(event, handler);
+      }
     });
   }
   const {
@@ -963,19 +1300,22 @@ function createAgentShieldMiddleware(config = {}) {
         const response2 = NextResponse.next();
         response2.headers.set("x-agentshield-detected", "true");
         response2.headers.set("x-agentshield-agent", existingSession.agent);
-        response2.headers.set(
-          "x-agentshield-confidence",
-          existingSession.confidence.toString()
-        );
+        response2.headers.set("x-agentshield-confidence", existingSession.confidence.toString());
         response2.headers.set("x-agentshield-session", "continued");
         response2.headers.set("x-agentshield-session-id", existingSession.id);
         request.agentShield = {
           result: {
             isAgent: true,
             confidence: existingSession.confidence,
-            detectedAgent: { name: existingSession.agent },
+            detectionClass: { type: "AiAgent" },
+            detectedAgent: {
+              type: "ai_agent",
+              name: existingSession.agent
+            },
             timestamp: /* @__PURE__ */ new Date(),
-            verificationMethod: "session"
+            verificationMethod: "behavioral",
+            reasons: ["Session continued"],
+            signals: []
           },
           session: existingSession,
           skipped: false
@@ -1005,7 +1345,7 @@ function createAgentShieldMiddleware(config = {}) {
         timestamp: /* @__PURE__ */ new Date()
       };
       const result = await detector.analyze(context);
-      if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 0.7)) {
+      if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
         if (onDetection) {
           const customResponse = await onDetection(request, result);
           if (customResponse) {
@@ -1024,11 +1364,9 @@ function createAgentShieldMiddleware(config = {}) {
               { status: blockedResponse.status }
             );
             if (blockedResponse.headers) {
-              Object.entries(blockedResponse.headers).forEach(
-                ([key, value]) => {
-                  response2.headers.set(key, value);
-                }
-              );
+              Object.entries(blockedResponse.headers).forEach(([key, value]) => {
+                response2.headers.set(key, value);
+              });
             }
             detector.emit("agent.blocked", result, context);
             return response2;
@@ -1038,17 +1376,19 @@ function createAgentShieldMiddleware(config = {}) {
           case "rewrite":
             return NextResponse.rewrite(new URL(rewriteUrl, request.url));
           case "log":
-            console.warn("AgentShield: Agent detected", {
-              ipAddress: context.ipAddress,
-              userAgent: context.userAgent,
-              confidence: result.confidence,
-              reasons: result.reasons,
-              pathname: request.nextUrl.pathname
-            });
+            if (process.env.NODE_ENV !== "production") {
+              console.debug("AgentShield: Agent detected", {
+                ipAddress: context.ipAddress,
+                userAgent: context.userAgent,
+                confidence: result.confidence,
+                reasons: result.reasons,
+                pathname: request.nextUrl.pathname
+              });
+            }
             break;
           case "allow":
           default:
-            if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 0.7)) {
+            if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
               detector.emit("agent.allowed", result, context);
             }
             break;
@@ -1060,14 +1400,11 @@ function createAgentShieldMiddleware(config = {}) {
       };
       let response = NextResponse.next();
       response.headers.set("x-agentshield-detected", result.isAgent.toString());
-      response.headers.set(
-        "x-agentshield-confidence",
-        result.confidence.toString()
-      );
+      response.headers.set("x-agentshield-confidence", result.confidence.toString());
       if (result.detectedAgent?.name) {
         response.headers.set("x-agentshield-agent", result.detectedAgent.name);
       }
-      if (sessionTracker && result.isAgent && result.confidence >= (config.confidenceThreshold ?? 0.7)) {
+      if (sessionTracker && result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
         response = await sessionTracker.track(request, response, result);
         response.headers.set("x-agentshield-session", "new");
         detector.emit("agent.session.started", result, context);
@@ -1085,7 +1422,7 @@ var middlewareInstance = null;
 var isInitializing = false;
 var initPromise2 = null;
 function createAgentShieldMiddleware2(config) {
-  return async function agentShieldMiddleware(request) {
+  return async function agentShieldMiddleware2(request) {
     if (!middlewareInstance) {
       if (!isInitializing) {
         isInitializing = true;
@@ -1102,48 +1439,81 @@ function createAgentShieldMiddleware2(config) {
   };
 }
 
-// src/wasm-confidence.ts
-async function checkWasmAvailability() {
-  try {
-    if (typeof WebAssembly === "undefined") {
-      return false;
+// src/edge-safe-detector.ts
+var AI_AGENT_PATTERNS = [
+  { pattern: /chatgpt-user/i, type: "chatgpt", name: "ChatGPT" },
+  { pattern: /claude-web/i, type: "claude", name: "Claude" },
+  { pattern: /perplexitybot/i, type: "perplexity", name: "Perplexity" },
+  { pattern: /perplexity-user/i, type: "perplexity", name: "Perplexity" },
+  { pattern: /perplexity/i, type: "perplexity", name: "Perplexity" },
+  { pattern: /bingbot/i, type: "bing", name: "Bing AI" },
+  { pattern: /anthropic-ai/i, type: "anthropic", name: "Anthropic" }
+];
+var EdgeSafeDetector = class {
+  async analyze(input) {
+    const reasons = [];
+    let detectedAgent;
+    let confidence = 0;
+    const headers = input.headers || {};
+    const normalizedHeaders = {};
+    for (const [key, value] of Object.entries(headers)) {
+      normalizedHeaders[key.toLowerCase()] = value;
     }
-    if (!WebAssembly.instantiate || !WebAssembly.Module) {
-      return false;
+    const userAgent = input.userAgent || normalizedHeaders["user-agent"] || "";
+    if (userAgent) {
+      for (const { pattern, type, name } of AI_AGENT_PATTERNS) {
+        if (pattern.test(userAgent)) {
+          confidence = 85;
+          reasons.push(`known_pattern:${type}`);
+          detectedAgent = { type, name };
+          break;
+        }
+      }
     }
-    return true;
-  } catch {
-    return false;
-  }
-}
-function shouldIndicateWasmVerification(confidence) {
-  return confidence >= 0.85 && confidence < 1;
-}
-function getWasmConfidenceBoost(baseConfidence, reasons = []) {
-  if (reasons.some(
-    (r) => r.includes("signature_agent") && !r.includes("signature_headers_present")
-  )) {
-    return 1;
-  }
-  if (baseConfidence >= 0.85) {
-    return 0.95;
-  }
-  if (baseConfidence >= 0.7) {
-    return Math.min(baseConfidence * 1.1, 0.9);
-  }
-  return baseConfidence;
-}
-function getVerificationMethod(confidence, reasons = []) {
-  if (reasons.some(
-    (r) => r.includes("signature_agent") && !r.includes("signature_headers_present")
-  )) {
-    return "signature";
-  }
-  if (shouldIndicateWasmVerification(confidence)) {
-    return "wasm-enhanced";
+    const hasChrome = userAgent.toLowerCase().includes("chrome");
+    const hasFirefox = userAgent.toLowerCase().includes("firefox");
+    const hasSafari = userAgent.toLowerCase().includes("safari");
+    const hasBrowserUA = hasChrome || hasFirefox || hasSafari;
+    if (hasBrowserUA) {
+      const hasSecChUa = !!normalizedHeaders["sec-ch-ua"];
+      const hasSecFetch = !!normalizedHeaders["sec-fetch-site"];
+      const hasAcceptLanguage = !!normalizedHeaders["accept-language"];
+      const hasCookies = !!normalizedHeaders["cookie"];
+      const missingHeaders = [];
+      if (!hasSecChUa && hasChrome) missingHeaders.push("sec-ch-ua");
+      if (!hasSecFetch) missingHeaders.push("sec-fetch");
+      if (!hasAcceptLanguage) missingHeaders.push("accept-language");
+      if (!hasCookies) missingHeaders.push("cookies");
+      if (missingHeaders.length >= 2) {
+        confidence = Math.max(confidence, 85);
+        reasons.push("browser_ua_missing_headers");
+        if (!detectedAgent && hasChrome && !hasSecChUa) {
+          detectedAgent = { type: "perplexity", name: "Perplexity" };
+        }
+      }
+    }
+    const aiHeaders = ["openai-conversation-id", "anthropic-client-id", "x-goog-api-client"];
+    const foundAiHeaders = aiHeaders.filter((h) => normalizedHeaders[h]);
+    if (foundAiHeaders.length > 0) {
+      confidence = Math.max(confidence, 60);
+      reasons.push(`ai_headers:${foundAiHeaders.length}`);
+    }
+    return {
+      isAgent: confidence > 30,
+      // Updated to 0-100 scale (was 0.3)
+      confidence,
+      detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
+      signals: [],
+      // Will be populated by enhanced detection engine in future tasks
+      detectedAgent,
+      reasons,
+      verificationMethod: "pattern",
+      timestamp: /* @__PURE__ */ new Date(),
+      confidenceLevel: confidence >= 80 ? "high" : confidence >= 50 ? "medium" : "low"
+      // Updated to 0-100 scale
+    };
   }
-  return "pattern";
-}
+};
 
 // src/storage/memory-adapter.ts
 var MemoryStorageAdapter = class {
@@ -1343,11 +1713,7 @@ var RedisStorageAdapter = class {
   }
   async cleanup(olderThan) {
     const cutoff = olderThan.getTime();
-    await this.redis.zremrangebyrank(
-      this.timelineKey(),
-      0,
-      Math.floor(cutoff / 1e3)
-    );
+    await this.redis.zremrangebyrank(this.timelineKey(), 0, Math.floor(cutoff / 1e3));
   }
 };
 
@@ -1368,7 +1734,10 @@ async function createStorageAdapter(config) {
       });
       return new RedisStorageAdapter(redis, config.ttl);
     } catch (error) {
-      console.warn("[AgentShield] Failed to initialize Redis storage, falling back to memory:", error);
+      console.warn(
+        "[AgentShield] Failed to initialize Redis storage, falling back to memory:",
+        error
+      );
       return new MemoryStorageAdapter();
     }
   }
@@ -1418,39 +1787,60 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
   };
   let detector = null;
   let detectorInitPromise = null;
+  let wasmConfidenceUtils = null;
   const getDetector = async (requestUrl) => {
     if (detector) {
-      if (requestUrl && "setBaseUrl" in detector) {
-        detector.setBaseUrl(requestUrl);
-      }
       return detector;
     }
     if (detectorInitPromise) {
       await detectorInitPromise;
-      if (requestUrl && detector && "setBaseUrl" in detector) {
-        detector.setBaseUrl(requestUrl);
-      }
       return detector;
     }
     detectorInitPromise = (async () => {
-      try {
-        const wasmAvailable = await checkWasmAvailability();
-        if (wasmAvailable) {
-          console.log("[AgentShield] \u2705 WASM support detected - enhanced detection enabled");
-          detector = new EdgeAgentDetectorWrapperWithWasm({ enableWasm: true });
-        } else {
-          console.log("[AgentShield] \u2139\uFE0F Using pattern-based detection (WASM not available)");
-          detector = new EdgeAgentDetectorWrapper({});
+      const isEdgeRuntime = typeof globalThis.EdgeRuntime !== "undefined" || process.env.NEXT_RUNTIME === "edge";
+      if (isEdgeRuntime) {
+        if (process.env.NODE_ENV !== "production") {
+          console.debug("[AgentShield] Edge Runtime detected - using pattern detection");
+        }
+        detector = new EdgeSafeDetector();
+      } else {
+        try {
+          try {
+            const wasmUtils = await Promise.resolve().then(() => (init_wasm_confidence(), wasm_confidence_exports));
+            wasmConfidenceUtils = wasmUtils;
+            const wasmAvailable = await wasmUtils.checkWasmAvailability();
+            if (wasmAvailable) {
+              const { EdgeAgentDetectorWrapperWithWasm: EdgeAgentDetectorWrapperWithWasm2 } = await Promise.resolve().then(() => (init_edge_detector_with_wasm(), edge_detector_with_wasm_exports));
+              if (process.env.NODE_ENV !== "production") {
+                console.debug(
+                  "[AgentShield] \u2705 WASM support detected - enhanced detection enabled"
+                );
+              }
+              detector = new EdgeAgentDetectorWrapperWithWasm2({ enableWasm: true });
+              if (requestUrl && "setBaseUrl" in detector) {
+                detector.setBaseUrl(requestUrl);
+              }
+            } else {
+              if (process.env.NODE_ENV !== "production") {
+                console.debug(
+                  "[AgentShield] \u2139\uFE0F Using pattern-based detection (WASM not available)"
+                );
+              }
+              detector = new EdgeSafeDetector();
+            }
+          } catch (wasmError) {
+            if (process.env.NODE_ENV !== "production") {
+              console.debug("[AgentShield] WASM utilities not available, using pattern detection");
+            }
+            detector = new EdgeSafeDetector();
+          }
+        } catch (error) {
+          console.warn("[AgentShield] Failed to initialize enhanced detector, using fallback");
+          detector = new EdgeSafeDetector();
         }
-      } catch (error) {
-        console.warn("[AgentShield] Failed to initialize WASM, using fallback:", error);
-        detector = new EdgeAgentDetectorWrapper({});
       }
     })();
     await detectorInitPromise;
-    if (requestUrl && detector && "setBaseUrl" in detector) {
-      detector.setBaseUrl(requestUrl);
-    }
     return detector;
   };
   const sessionManager = new SessionManager();
@@ -1476,17 +1866,20 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
     const result = await activeDetector.analyze(context);
     let finalConfidence = result.confidence;
     let verificationMethod = result.verificationMethod || "pattern";
-    if (result.isAgent) {
+    if (result.isAgent && wasmConfidenceUtils) {
       const reasons = result.reasons || [];
-      if (shouldIndicateWasmVerification(result.confidence)) {
-        finalConfidence = getWasmConfidenceBoost(result.confidence, reasons);
-        verificationMethod = getVerificationMethod(finalConfidence, reasons);
+      if (wasmConfidenceUtils.shouldIndicateWasmVerification(result.confidence)) {
+        finalConfidence = wasmConfidenceUtils.getWasmConfidenceBoost(result.confidence, reasons);
+        verificationMethod = wasmConfidenceUtils.getVerificationMethod(finalConfidence, reasons);
       }
     }
     if (result.isAgent && finalConfidence >= (config.confidenceThreshold ?? 0.7)) {
       if (sessionTrackingEnabled) {
         const storage = await getStorage();
-        const sessionId = sessionManager.generateSessionId(ipAddress || void 0, userAgent || void 0);
+        const sessionId = sessionManager.generateSessionId(
+          ipAddress || void 0,
+          userAgent || void 0
+        );
         const event = {
           eventId: `agent_${Date.now()}_${Math.random().toString(36).substring(2, 11)}`,
           sessionId,
@@ -1552,15 +1945,18 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
             { status }
           );
           response2.headers.set("x-agentshield-detected", "true");
-          response2.headers.set("x-agentshield-confidence", String(Math.round(finalConfidence * 100)));
+          response2.headers.set(
+            "x-agentshield-confidence",
+            String(Math.round(finalConfidence * 100))
+          );
           response2.headers.set("x-agentshield-agent", result.detectedAgent?.name || "Unknown");
           response2.headers.set("x-agentshield-verification", verificationMethod);
           return response2;
         }
-        case "log":
+        case "log": {
           const isInteresting = finalConfidence >= 0.9 || result.detectedAgent?.name?.toLowerCase().includes("chatgpt") || result.detectedAgent?.name?.toLowerCase().includes("perplexity") || verificationMethod === "signature";
-          if (isInteresting) {
-            console.log(`[AgentShield] \u{1F916} AI Agent detected (${verificationMethod}):`, {
+          if (isInteresting && process.env.NODE_ENV !== "production") {
+            console.debug(`[AgentShield] \u{1F916} AI Agent detected (${verificationMethod}):`, {
               agent: result.detectedAgent?.name,
               confidence: `${(finalConfidence * 100).toFixed(0)}%`,
               path: pathWithQuery,
@@ -1568,6 +1964,7 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
             });
           }
           break;
+        }
       }
     }
     const response = NextResponse.next();
@@ -1586,6 +1983,294 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
   };
 }
 
+// src/api-client.ts
+var DEFAULT_BASE_URL = "https://api.agentshield.ai";
+var DEFAULT_TIMEOUT = 5e3;
+var AgentShieldClient = class {
+  apiKey;
+  baseUrl;
+  timeout;
+  debug;
+  constructor(config) {
+    if (!config.apiKey) {
+      throw new Error("AgentShield API key is required");
+    }
+    this.apiKey = config.apiKey;
+    this.baseUrl = config.baseUrl || DEFAULT_BASE_URL;
+    this.timeout = config.timeout || DEFAULT_TIMEOUT;
+    this.debug = config.debug || false;
+  }
+  /**
+   * Call the enforce API to check if a request should be allowed
+   */
+  async enforce(input) {
+    const startTime = Date.now();
+    try {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+      try {
+        const response = await fetch(`${this.baseUrl}/api/v1/enforce`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${this.apiKey}`,
+            "X-Request-ID": input.requestId || crypto.randomUUID()
+          },
+          body: JSON.stringify(input),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        const data = await response.json();
+        if (this.debug) {
+          console.log("[AgentShield] Enforce response:", {
+            status: response.status,
+            action: data.data?.decision.action,
+            processingTimeMs: Date.now() - startTime
+          });
+        }
+        if (!response.ok) {
+          return {
+            success: false,
+            error: {
+              code: `HTTP_${response.status}`,
+              message: data.error?.message || `HTTP error: ${response.status}`
+            }
+          };
+        }
+        return data;
+      } catch (error) {
+        clearTimeout(timeoutId);
+        throw error;
+      }
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        if (this.debug) {
+          console.warn("[AgentShield] Request timed out");
+        }
+        return {
+          success: false,
+          error: {
+            code: "TIMEOUT",
+            message: `Request timed out after ${this.timeout}ms`
+          }
+        };
+      }
+      if (this.debug) {
+        console.error("[AgentShield] Request failed:", error);
+      }
+      return {
+        success: false,
+        error: {
+          code: "NETWORK_ERROR",
+          message: error instanceof Error ? error.message : "Network request failed"
+        }
+      };
+    }
+  }
+  /**
+   * Quick check - returns just the action without full response parsing
+   * Useful for very fast middleware that just needs allow/block
+   */
+  async quickCheck(input) {
+    const result = await this.enforce(input);
+    if (!result.success || !result.data) {
+      return {
+        action: "allow",
+        error: result.error?.message
+      };
+    }
+    return {
+      action: result.data.decision.action
+    };
+  }
+};
+var clientInstance = null;
+function getAgentShieldClient(config) {
+  if (!clientInstance) {
+    const apiKey = config?.apiKey || process.env.AGENTSHIELD_API_KEY;
+    if (!apiKey) {
+      throw new Error(
+        "AgentShield API key is required. Set AGENTSHIELD_API_KEY environment variable or pass apiKey in config."
+      );
+    }
+    clientInstance = new AgentShieldClient({
+      apiKey,
+      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,
+      timeout: config?.timeout,
+      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === "true"
+    });
+  }
+  return clientInstance;
+}
+function resetAgentShieldClient() {
+  clientInstance = null;
+}
+
+// src/api-middleware.ts
+function matchPath(path, pattern) {
+  if (pattern === path) return true;
+  if (pattern.includes("*")) {
+    const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    return new RegExp(`^${regexPattern}$`).test(path);
+  }
+  if (pattern.endsWith("/")) {
+    return path.startsWith(pattern) || path === pattern.slice(0, -1);
+  }
+  return path.startsWith(pattern);
+}
+function shouldSkipPath(path, skipPaths) {
+  return skipPaths.some((pattern) => matchPath(path, pattern));
+}
+function shouldIncludePath(path, includePaths) {
+  if (!includePaths || includePaths.length === 0) return true;
+  return includePaths.some((pattern) => matchPath(path, pattern));
+}
+function buildBlockedResponse(decision, config) {
+  const status = config.blockedResponse?.status ?? 403;
+  const message = config.blockedResponse?.message ?? decision.message ?? "Access denied";
+  const response = NextResponse.json(
+    {
+      error: message,
+      code: "AGENT_BLOCKED",
+      reason: decision.reason,
+      agentType: decision.agentType
+    },
+    { status }
+  );
+  if (config.blockedResponse?.headers) {
+    for (const [key, value] of Object.entries(config.blockedResponse.headers)) {
+      response.headers.set(key, value);
+    }
+  }
+  response.headers.set("X-AgentShield-Action", decision.action);
+  response.headers.set("X-AgentShield-Reason", decision.reason);
+  return response;
+}
+function buildRedirectResponse(request, decision, config) {
+  const redirectUrl = config.redirectUrl || decision.redirectUrl || "/blocked";
+  const url = new URL(redirectUrl, request.url);
+  url.searchParams.set("reason", decision.reason);
+  if (decision.agentType) {
+    url.searchParams.set("agent", decision.agentType);
+  }
+  return NextResponse.redirect(url);
+}
+function withAgentShield(config = {}) {
+  let client = null;
+  const getClient = () => {
+    if (!client) {
+      client = getAgentShieldClient({
+        apiKey: config.apiKey,
+        baseUrl: config.apiUrl,
+        timeout: config.timeout,
+        debug: config.debug
+      });
+    }
+    return client;
+  };
+  const defaultSkipPaths = [
+    "/_next/static/*",
+    "/_next/image/*",
+    "/favicon.ico",
+    "/robots.txt",
+    "/sitemap.xml"
+  ];
+  const skipPaths = [...defaultSkipPaths, ...config.skipPaths || []];
+  const failOpen = config.failOpen ?? true;
+  return async function middleware(request) {
+    const path = request.nextUrl.pathname;
+    const startTime = Date.now();
+    if (shouldSkipPath(path, skipPaths)) {
+      return NextResponse.next();
+    }
+    if (!shouldIncludePath(path, config.includePaths)) {
+      return NextResponse.next();
+    }
+    try {
+      const result = await getClient().enforce({
+        headers: Object.fromEntries(request.headers.entries()),
+        userAgent: request.headers.get("user-agent") || void 0,
+        ipAddress: request.ip || request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || request.headers.get("x-real-ip") || void 0,
+        path,
+        url: request.url,
+        method: request.method,
+        requestId: request.headers.get("x-request-id") || void 0,
+        options: {
+          includeDetectionResult: config.debug
+        }
+      });
+      if (!result.success || !result.data) {
+        if (config.debug) {
+          console.warn("[AgentShield] API error:", result.error);
+        }
+        if (failOpen) {
+          return NextResponse.next();
+        }
+        return NextResponse.json(
+          { error: "Security check failed", code: "API_ERROR" },
+          { status: 503 }
+        );
+      }
+      const decision = result.data.decision;
+      if (config.debug) {
+        console.log("[AgentShield] Decision:", {
+          path,
+          action: decision.action,
+          isAgent: decision.isAgent,
+          confidence: decision.confidence,
+          agentName: decision.agentName,
+          processingTimeMs: Date.now() - startTime
+        });
+      }
+      if (decision.isAgent && config.onAgentDetected) {
+        await config.onAgentDetected(request, decision);
+      }
+      switch (decision.action) {
+        case "block": {
+          if (config.customBlockedResponse) {
+            return config.customBlockedResponse(request, decision);
+          }
+          if (config.onBlock === "redirect") {
+            return buildRedirectResponse(request, decision, config);
+          }
+          return buildBlockedResponse(decision, config);
+        }
+        case "redirect": {
+          return buildRedirectResponse(request, decision, config);
+        }
+        case "challenge": {
+          return buildRedirectResponse(request, decision, config);
+        }
+        case "log":
+        case "allow":
+        default: {
+          const response = NextResponse.next();
+          if (decision.isAgent) {
+            response.headers.set("X-AgentShield-Detected", "true");
+            response.headers.set("X-AgentShield-Confidence", decision.confidence.toString());
+            if (decision.agentName) {
+              response.headers.set("X-AgentShield-Agent", decision.agentName);
+            }
+          }
+          return response;
+        }
+      }
+    } catch (error) {
+      if (config.debug) {
+        console.error("[AgentShield] Middleware error:", error);
+      }
+      if (failOpen) {
+        return NextResponse.next();
+      }
+      return NextResponse.json(
+        { error: "Security check failed", code: "MIDDLEWARE_ERROR" },
+        { status: 503 }
+      );
+    }
+  };
+}
+var agentShieldMiddleware = withAgentShield();
+
 // src/index.ts
 var VERSION = "0.1.0";
 /**
@@ -1594,6 +2279,6 @@ var VERSION = "0.1.0";
  * @license MIT OR Apache-2.0
  */
 
-export { EdgeSessionTracker, StatelessSessionChecker, VERSION, createAgentShieldMiddleware2 as createAgentShieldMiddleware, createAgentShieldMiddleware as createAgentShieldMiddlewareBase, createEnhancedAgentShieldMiddleware, createAgentShieldMiddleware2 as createMiddleware };
+export { AgentShieldClient, EdgeSessionTracker, StatelessSessionChecker, VERSION, agentShieldMiddleware, createAgentShieldMiddleware2 as createAgentShieldMiddleware, createAgentShieldMiddleware as createAgentShieldMiddlewareBase, createEnhancedAgentShieldMiddleware, createAgentShieldMiddleware2 as createMiddleware, getAgentShieldClient, resetAgentShieldClient, withAgentShield };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map