@kya-os/agentshield-nextjs 0.1.41 → 0.1.43

package/dist/index.mjs

@@ -1,4 +1,7 @@
+import { loadRulesSync, mapVerificationMethod } from '@kya-os/agentshield-shared';
 import { NextResponse } from 'next/server';
+import * as ed25519 from '@noble/ed25519';
+import { sha512 } from '@noble/hashes/sha2.js';
 
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -45,26 +48,31 @@ async function initWasm() {
               throw new Error(`Failed to fetch WASM: ${response2.status}`);
             }
             const streamResponse = response2.clone();
-            const { instance } = await WebAssembly.instantiateStreaming(
-              streamResponse,
-              {
-                wbg: {
-                  __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
-                    console.log("WASM:", ptr, len);
-                  },
-                  __wbindgen_throw: (ptr, len) => {
-                    throw new Error(`WASM Error at ${ptr}, length ${len}`);
+            const { instance } = await WebAssembly.instantiateStreaming(streamResponse, {
+              wbg: {
+                __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
+                  if (process.env.NODE_ENV !== "production") {
+                    console.debug("WASM:", ptr, len);
                   }
+                },
+                __wbindgen_throw: (ptr, len) => {
+                  throw new Error(`WASM Error at ${ptr}, length ${len}`);
                 }
               }
-            );
+            });
             wasmInstance = instance;
             wasmExports = instance.exports;
-            console.log("[AgentShield] \u2705 WASM module initialized with streaming");
+            if (process.env.NODE_ENV !== "production") {
+              console.debug("[AgentShield] \u2705 WASM module initialized with streaming");
+            }
             return;
           } catch (streamError) {
             if (!controller.signal.aborted) {
-              console.log("[AgentShield] Streaming compilation failed, falling back to standard compilation");
+              if (process.env.NODE_ENV !== "production") {
+                console.debug(
+                  "[AgentShield] Streaming compilation failed, falling back to standard compilation"
+                );
+              }
             } else {
               throw streamError;
             }
@@ -80,7 +88,9 @@ async function initWasm() {
         const imports = {
           wbg: {
             __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
-              console.log("WASM:", ptr, len);
+              if (process.env.NODE_ENV !== "production") {
+                console.debug("WASM:", ptr, len);
+              }
             },
             __wbindgen_throw: (ptr, len) => {
               throw new Error(`WASM Error at ${ptr}, length ${len}`);
@@ -89,12 +99,20 @@ async function initWasm() {
         };
         wasmInstance = await WebAssembly.instantiate(compiledModule, imports);
         wasmExports = wasmInstance.exports;
-        console.log("[AgentShield] \u2705 WASM module initialized via fallback");
+        if (process.env.NODE_ENV !== "production") {
+          console.debug("[AgentShield] \u2705 WASM module initialized via fallback");
+        }
       } catch (fetchError) {
-        if (fetchError.name === "AbortError") {
-          console.warn("[AgentShield] WASM fetch timed out after 3 seconds - using pattern detection");
+        const error = fetchError;
+        if (error.name === "AbortError") {
+          console.warn(
+            "[AgentShield] WASM fetch timed out after 3 seconds - using pattern detection"
+          );
         } else {
-          console.warn("[AgentShield] Failed to fetch WASM file:", fetchError.message);
+          console.warn(
+            "[AgentShield] Failed to fetch WASM file:",
+            error.message || "Unknown error"
+          );
         }
         wasmExports = null;
       }
@@ -172,32 +190,20 @@ __export(edge_detector_with_wasm_exports, {
   EdgeAgentDetectorWithWasm: () => EdgeAgentDetectorWithWasm,
   EdgeAgentDetectorWrapperWithWasm: () => EdgeAgentDetectorWrapperWithWasm
 });
-var AI_AGENT_PATTERNS2, CLOUD_PROVIDERS2, EdgeAgentDetectorWithWasm, EdgeAgentDetectorWrapperWithWasm;
+var rules2, EdgeAgentDetectorWithWasm, EdgeAgentDetectorWrapperWithWasm;
 var init_edge_detector_with_wasm = __esm({
   "src/edge-detector-with-wasm.ts"() {
     init_wasm_loader();
-    AI_AGENT_PATTERNS2 = [
-      { pattern: /chatgpt-user/i, type: "chatgpt", name: "ChatGPT" },
-      { pattern: /claude-web/i, type: "claude", name: "Claude" },
-      { pattern: /perplexitybot/i, type: "perplexity", name: "Perplexity" },
-      { pattern: /perplexity-user/i, type: "perplexity", name: "Perplexity" },
-      { pattern: /perplexity-ai/i, type: "perplexity", name: "Perplexity" },
-      { pattern: /perplexity/i, type: "perplexity", name: "Perplexity" },
-      { pattern: /bingbot/i, type: "bing", name: "Bing AI" },
-      { pattern: /anthropic-ai/i, type: "anthropic", name: "Anthropic" }
-    ];
-    CLOUD_PROVIDERS2 = {
-      aws: ["54.", "52.", "35.", "18.", "3."],
-      gcp: ["35.", "34.", "104.", "107.", "108."],
-      azure: ["13.", "20.", "40.", "52.", "104."]
-    };
+    rules2 = loadRulesSync();
     EdgeAgentDetectorWithWasm = class {
       constructor(enableWasm = true) {
         this.enableWasm = enableWasm;
+        this.rules = rules2;
       }
       wasmEnabled = false;
       initPromise = null;
       baseUrl = null;
+      rules;
       /**
        * Set the base URL for WASM loading in Edge Runtime
        */
@@ -220,11 +226,14 @@ var init_edge_detector_with_wasm = __esm({
         this.initPromise = (async () => {
           try {
             const wasmAvailable = await isWasmAvailable();
-            this.wasmEnabled = wasmAvailable;
-            if (this.wasmEnabled) {
-              console.log("[AgentShield] WASM detection enabled");
+            if (wasmAvailable) {
+              if (this.baseUrl) {
+                setWasmBaseUrl(this.baseUrl);
+              }
+              await initWasm();
+              this.wasmEnabled = true;
             } else {
-              console.log("[AgentShield] WASM not available, using pattern detection");
+              this.wasmEnabled = false;
             }
           } catch (error) {
             console.error("[AgentShield] Failed to initialize WASM:", error);
@@ -249,69 +258,84 @@ var init_edge_detector_with_wasm = __esm({
         const signaturePresent = !!(normalizedHeaders["signature"] || normalizedHeaders["signature-input"]);
         const signatureAgent = normalizedHeaders["signature-agent"];
         if (signatureAgent?.includes("chatgpt.com")) {
-          confidence = 0.85;
+          confidence = 85;
           reasons.push("signature_agent:chatgpt");
           detectedAgent = { type: "chatgpt", name: "ChatGPT" };
           verificationMethod = "signature";
         } else if (signaturePresent) {
-          confidence = Math.max(confidence, 0.4);
+          confidence = Math.max(confidence, 40);
           reasons.push("signature_present");
         }
         const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
         if (userAgent) {
-          for (const { pattern, type, name } of AI_AGENT_PATTERNS2) {
-            if (pattern.test(userAgent)) {
-              const highConfidenceAgents = [
-                "chatgpt",
-                "claude",
-                "perplexity",
-                "anthropic"
-              ];
-              const patternConfidence = highConfidenceAgents.includes(type) ? 0.85 : 0.5;
-              confidence = Math.max(confidence, patternConfidence);
-              reasons.push(`known_pattern:${type}`);
+          for (const [agentKey, agentRule] of Object.entries(this.rules.rules.userAgents)) {
+            const matched = agentRule.patterns.some((pattern) => {
+              const regex = new RegExp(pattern, "i");
+              return regex.test(userAgent);
+            });
+            if (matched) {
+              const agentType = this.getAgentType(agentKey);
+              const agentName = this.getAgentName(agentKey);
+              confidence = Math.max(confidence, Math.round(agentRule.confidence * 0.85 * 100));
+              reasons.push(`known_pattern:${agentType}`);
               if (!detectedAgent) {
-                detectedAgent = { type, name };
+                detectedAgent = { type: agentType, name: agentName };
                 verificationMethod = "pattern";
               }
               break;
             }
           }
         }
-        const aiHeaders = [
-          "openai-conversation-id",
-          "openai-ephemeral-user-id",
-          "anthropic-client-id",
-          "x-goog-api-client",
-          "x-ms-copilot-id"
-        ];
-        const foundAiHeaders = aiHeaders.filter(
-          (header) => normalizedHeaders[header]
+        const suspiciousHeaders = this.rules.rules.headers.suspicious;
+        const foundAiHeaders = suspiciousHeaders.filter(
+          (headerRule) => normalizedHeaders[headerRule.name.toLowerCase()]
         );
         if (foundAiHeaders.length > 0) {
-          confidence = Math.max(confidence, 0.6);
+          const maxConfidence = Math.max(...foundAiHeaders.map((h) => h.confidence));
+          confidence = Math.max(confidence, maxConfidence);
           reasons.push(`ai_headers:${foundAiHeaders.length}`);
         }
         const ip = input.ip || input.ipAddress;
         if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
-          for (const [provider, prefixes] of Object.entries(CLOUD_PROVIDERS2)) {
-            if (prefixes.some((prefix) => ip.startsWith(prefix))) {
-              confidence = Math.max(confidence, 0.4);
+          const ipRanges = "providers" in this.rules.rules.ipRanges ? this.rules.rules.ipRanges.providers : this.rules.rules.ipRanges;
+          for (const [provider, ipRule] of Object.entries(ipRanges)) {
+            if (!ipRule || typeof ipRule !== "object" || !("ranges" in ipRule) || !Array.isArray(ipRule.ranges))
+              continue;
+            const matched = ipRule.ranges.some((range) => {
+              const prefix = range.split("/")[0];
+              const prefixParts = prefix.split(".");
+              const ipParts = ip.split(".");
+              for (let i = 0; i < Math.min(prefixParts.length - 1, 2); i++) {
+                if (prefixParts[i] !== ipParts[i] && prefixParts[i] !== "0") {
+                  return false;
+                }
+              }
+              return true;
+            });
+            if (matched) {
+              confidence = Math.max(confidence, Math.round(ipRule.confidence * 0.4 * 100));
               reasons.push(`cloud_provider:${provider}`);
               break;
             }
           }
         }
         if (reasons.length > 2) {
-          confidence = Math.min(confidence * 1.2, 0.95);
+          confidence = Math.min(Math.round(confidence * 1.2), 95);
         }
+        confidence = Math.min(Math.max(confidence, 0), 100);
         return {
-          isAgent: confidence > 0.3,
+          isAgent: confidence > 30,
+          // 30% threshold
           confidence,
+          detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
+          signals: [],
+          // Will be populated by enhanced detection engine in future tasks
           ...detectedAgent && { detectedAgent },
           reasons,
-          ...verificationMethod && { verificationMethod },
-          forgeabilityRisk: confidence > 0.8 ? "medium" : "high",
+          ...verificationMethod && {
+            verificationMethod: mapVerificationMethod(verificationMethod)
+          },
+          forgeabilityRisk: confidence > 80 ? "medium" : "high",
           timestamp: /* @__PURE__ */ new Date()
         };
       }
@@ -328,15 +352,17 @@ var init_edge_detector_with_wasm = __esm({
               input.ip || input.ipAddress
             );
             if (wasmResult) {
-              console.log("[AgentShield] Using WASM detection result");
               const detectedAgent = wasmResult.agent ? this.mapAgentName(wasmResult.agent) : void 0;
               return {
                 isAgent: wasmResult.isAgent,
                 confidence: wasmResult.confidence,
+                detectionClass: wasmResult.isAgent && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : wasmResult.isAgent ? { type: "Unknown" } : { type: "Human" },
+                signals: [],
+                // Will be populated by enhanced detection engine in future tasks
                 ...detectedAgent && { detectedAgent },
                 reasons: [`wasm:${wasmResult.verificationMethod}`],
-                verificationMethod: wasmResult.verificationMethod,
-                forgeabilityRisk: wasmResult.verificationMethod === "signature" ? "low" : wasmResult.confidence > 0.9 ? "medium" : "high",
+                verificationMethod: mapVerificationMethod(wasmResult.verificationMethod),
+                forgeabilityRisk: wasmResult.verificationMethod === "signature" ? "low" : wasmResult.confidence > 90 ? "medium" : "high",
                 timestamp: /* @__PURE__ */ new Date()
               };
             }
@@ -345,15 +371,50 @@ var init_edge_detector_with_wasm = __esm({
           }
         }
         const patternResult = await this.patternDetection(input);
-        if (this.wasmEnabled && patternResult.confidence >= 0.85) {
-          patternResult.confidence = Math.min(0.95, patternResult.confidence + 0.1);
+        if (this.wasmEnabled && patternResult.confidence >= 85) {
+          patternResult.confidence = Math.min(95, patternResult.confidence + 10);
           patternResult.reasons.push("wasm_enhanced");
-          if (!patternResult.verificationMethod) {
-            patternResult.verificationMethod = "wasm-enhanced";
-          }
         }
         return patternResult;
       }
+      /**
+       * Get agent type from rule key
+       */
+      getAgentType(agentKey) {
+        const typeMap = {
+          openai_gptbot: "openai",
+          anthropic_claude: "anthropic",
+          perplexity_bot: "perplexity",
+          google_ai: "google",
+          microsoft_ai: "microsoft",
+          meta_ai: "meta",
+          cohere_bot: "cohere",
+          huggingface_bot: "huggingface",
+          generic_bot: "generic",
+          dev_tools: "dev",
+          automation_tools: "automation"
+        };
+        return typeMap[agentKey] || agentKey;
+      }
+      /**
+       * Get agent name from rule key
+       */
+      getAgentName(agentKey) {
+        const nameMap = {
+          openai_gptbot: "ChatGPT/GPTBot",
+          anthropic_claude: "Claude",
+          perplexity_bot: "Perplexity",
+          google_ai: "Google AI",
+          microsoft_ai: "Microsoft Copilot",
+          meta_ai: "Meta AI",
+          cohere_bot: "Cohere",
+          huggingface_bot: "HuggingFace",
+          generic_bot: "Generic Bot",
+          dev_tools: "Development Tool",
+          automation_tools: "Automation Tool"
+        };
+        return nameMap[agentKey] || agentKey;
+      }
       /**
        * Map agent names from WASM to consistent format
        */
@@ -432,19 +493,19 @@ async function checkWasmAvailability() {
   }
 }
 function shouldIndicateWasmVerification(confidence) {
-  return confidence >= 0.85 && confidence < 1;
+  return confidence >= 85 && confidence < 100;
 }
 function getWasmConfidenceBoost(baseConfidence, reasons = []) {
   if (reasons.some(
     (r) => r.includes("signature_agent") && !r.includes("signature_headers_present")
   )) {
-    return 1;
+    return 100;
   }
-  if (baseConfidence >= 0.85) {
-    return 0.95;
+  if (baseConfidence >= 85) {
+    return 95;
   }
-  if (baseConfidence >= 0.7) {
-    return Math.min(baseConfidence * 1.1, 0.9);
+  if (baseConfidence >= 70) {
+    return Math.min(baseConfidence * 1.1, 90);
   }
   return baseConfidence;
 }
@@ -463,19 +524,126 @@ var init_wasm_confidence = __esm({
   "src/wasm-confidence.ts"() {
   }
 });
-
-// src/signature-verifier.ts
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
 var KNOWN_KEYS = {
   chatgpt: [
     {
       kid: "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
       // ChatGPT's current Ed25519 public key (base64)
+      // Source: https://chatgpt.com/.well-known/http-message-signatures-directory
       publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
-      validFrom: (/* @__PURE__ */ new Date("2025-01-01")).getTime() / 1e3,
-      validUntil: (/* @__PURE__ */ new Date("2025-04-11")).getTime() / 1e3
+      validFrom: 1735689600,
+      // Jan 1, 2025 (from OpenAI's nbf)
+      // Extended expiration as fallback safety - API fetch should provide fresh keys
+      // Check OpenAI's well-known endpoint for actual expiration dates
+      validUntil: 1799625600
+      // Jan 1, 2027 (extended for fallback safety)
     }
   ]
 };
+var keyCache = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var CACHE_MAX_SIZE = 100;
+function getApiBaseUrl() {
+  if (typeof window !== "undefined") {
+    return "/api/internal";
+  }
+  const baseUrl2 = process.env.NEXT_PUBLIC_APP_URL || process.env.NEXT_PUBLIC_API_URL || process.env.API_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : null);
+  if (baseUrl2) {
+    return baseUrl2.replace(/\/$/, "") + "/api/internal";
+  }
+  if (process.env.NODE_ENV !== "production") {
+    console.warn(
+      "[Signature] No base URL configured for server-side fetch. Using localhost fallback."
+    );
+    return "http://localhost:3000/api/internal";
+  }
+  console.error(
+    "[Signature] CRITICAL: No base URL configured for server-side fetch in production!"
+  );
+  return "/api/internal";
+}
+function cleanupExpiredCache() {
+  const now = Date.now();
+  const entriesToDelete = [];
+  for (const [agent, cached] of keyCache.entries()) {
+    if (now - cached.cachedAt > CACHE_TTL_MS) {
+      entriesToDelete.push(agent);
+    }
+  }
+  for (const agent of entriesToDelete) {
+    keyCache.delete(agent);
+  }
+  if (keyCache.size > CACHE_MAX_SIZE) {
+    const entries = Array.from(keyCache.entries()).map(([agent, cached]) => ({
+      agent,
+      cachedAt: cached.cachedAt
+    }));
+    entries.sort((a, b) => a.cachedAt - b.cachedAt);
+    const toRemove = entries.slice(0, keyCache.size - CACHE_MAX_SIZE);
+    for (const entry of toRemove) {
+      keyCache.delete(entry.agent);
+    }
+  }
+}
+async function fetchKeysFromApi(agent) {
+  if (keyCache.size > CACHE_MAX_SIZE) {
+    cleanupExpiredCache();
+  }
+  const cached = keyCache.get(agent);
+  if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {
+    return cached.keys;
+  }
+  if (typeof fetch === "undefined") {
+    console.warn("[Signature] fetch() not available in this environment");
+    return null;
+  }
+  try {
+    const apiBaseUrl = getApiBaseUrl();
+    const url = `${apiBaseUrl}/signature-keys?agent=${encodeURIComponent(agent)}`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      // 5 second timeout
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!response.ok) {
+      console.warn(`[Signature] Failed to fetch keys from API: ${response.status}`);
+      return null;
+    }
+    const data = await response.json();
+    if (!data.keys || !Array.isArray(data.keys) || data.keys.length === 0) {
+      console.warn(`[Signature] No keys returned from API for agent: ${agent}`);
+      return null;
+    }
+    keyCache.set(agent, {
+      keys: data.keys,
+      cachedAt: Date.now()
+    });
+    return data.keys;
+  } catch (error) {
+    console.warn("[Signature] Error fetching keys from API, using fallback", {
+      error: error instanceof Error ? error.message : "Unknown error",
+      agent
+    });
+    return null;
+  }
+}
+function isValidAgent(agent) {
+  return agent in KNOWN_KEYS;
+}
+async function getKeysForAgent(agent) {
+  const apiKeys = await fetchKeysFromApi(agent);
+  if (apiKeys && apiKeys.length > 0) {
+    return apiKeys;
+  }
+  if (isValidAgent(agent)) {
+    return KNOWN_KEYS[agent];
+  }
+  return [];
+}
 function parseSignatureInput(signatureInput) {
   try {
     const match = signatureInput.match(/sig1=\((.*?)\);(.+)/);
@@ -511,21 +679,29 @@ function buildSignatureBase(method, path, headers, signedHeaders) {
       case "@authority":
         value = headers["host"] || headers["Host"] || "";
         break;
-      default:
-        const key = Object.keys(headers).find(
-          (k) => k.toLowerCase() === headerName.toLowerCase()
-        );
+      default: {
+        const key = Object.keys(headers).find((k) => k.toLowerCase() === headerName.toLowerCase());
         value = key ? headers[key] || "" : "";
         break;
+      }
     }
     components.push(`"${headerName}": ${value}`);
   }
   return components.join("\n");
 }
+function base64ToBytes(base64) {
+  let standardBase64 = base64.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = standardBase64.length % 4;
+  if (padding) {
+    standardBase64 += "=".repeat(4 - padding);
+  }
+  const binaryString = atob(standardBase64);
+  return Uint8Array.from(binaryString, (c) => c.charCodeAt(0));
+}
 async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message) {
   try {
-    const publicKeyBytes = Uint8Array.from(atob(publicKeyBase64), (c) => c.charCodeAt(0));
-    const signatureBytes = Uint8Array.from(atob(signatureBase64), (c) => c.charCodeAt(0));
+    const publicKeyBytes = base64ToBytes(publicKeyBase64);
+    const signatureBytes = base64ToBytes(signatureBase64);
     const messageBytes = new TextEncoder().encode(message);
     if (publicKeyBytes.length !== 32) {
       console.error("[Signature] Invalid public key length:", publicKeyBytes.length);
@@ -535,34 +711,36 @@ async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message)
       console.error("[Signature] Invalid signature length:", signatureBytes.length);
       return false;
     }
-    const publicKey = await crypto.subtle.importKey(
-      "raw",
-      publicKeyBytes,
-      {
-        name: "Ed25519",
-        namedCurve: "Ed25519"
-      },
-      false,
-      ["verify"]
-    );
-    const isValid = await crypto.subtle.verify(
-      "Ed25519",
-      publicKey,
-      signatureBytes,
-      messageBytes
-    );
-    return isValid;
-  } catch (error) {
-    console.error("[Signature] Ed25519 verification failed:", error);
-    if (typeof window === "undefined") {
-      try {
-        console.warn("[Signature] Ed25519 not supported in this environment");
-        return false;
-      } catch {
-        return false;
-      }
+    return ed25519.verify(signatureBytes, messageBytes, publicKeyBytes);
+  } catch (nobleError) {
+    console.warn("[Signature] @noble/ed25519 failed, trying Web Crypto fallback:", nobleError);
+    try {
+      const publicKeyBytes = base64ToBytes(publicKeyBase64);
+      const signatureBytes = base64ToBytes(signatureBase64);
+      const messageBytes = new TextEncoder().encode(message);
+      const publicKey = await crypto.subtle.importKey(
+        "raw",
+        publicKeyBytes.buffer,
+        {
+          name: "Ed25519",
+          namedCurve: "Ed25519"
+        },
+        false,
+        ["verify"]
+      );
+      return await crypto.subtle.verify(
+        "Ed25519",
+        publicKey,
+        signatureBytes.buffer,
+        messageBytes
+      );
+    } catch (cryptoError) {
+      console.error("[Signature] Both @noble/ed25519 and Web Crypto failed:", {
+        nobleError: nobleError instanceof Error ? nobleError.message : "Unknown",
+        cryptoError: cryptoError instanceof Error ? cryptoError.message : "Unknown"
+      });
+      return false;
     }
-    return false;
   }
 }
 async function verifyAgentSignature(method, path, headers) {
@@ -607,12 +785,12 @@ async function verifyAgentSignature(method, path, headers) {
     }
   }
   let agent;
-  let knownKeys;
+  let agentKey;
   if (signatureAgent === '"https://chatgpt.com"' || signatureAgent?.includes("chatgpt.com")) {
     agent = "ChatGPT";
-    knownKeys = KNOWN_KEYS.chatgpt;
+    agentKey = "chatgpt";
   }
-  if (!agent || !knownKeys) {
+  if (!agent || !agentKey) {
     return {
       isValid: false,
       confidence: 0,
@@ -620,6 +798,15 @@ async function verifyAgentSignature(method, path, headers) {
       verificationMethod: "none"
     };
   }
+  const knownKeys = await getKeysForAgent(agentKey);
+  if (knownKeys.length === 0) {
+    return {
+      isValid: false,
+      confidence: 0,
+      reason: "No keys available for agent",
+      verificationMethod: "none"
+    };
+  }
   const key = knownKeys.find((k) => k.kid === parsed.keyid);
   if (!key) {
     return {
@@ -646,11 +833,7 @@ async function verifyAgentSignature(method, path, headers) {
   if (signatureValue.endsWith(":")) {
     signatureValue = signatureValue.slice(0, -1);
   }
-  const isValid = await verifyEd25519Signature(
-    key.publicKey,
-    signatureValue,
-    signatureBase
-  );
+  const isValid = await verifyEd25519Signature(key.publicKey, signatureValue, signatureBase);
   if (isValid) {
     return {
       isValid: true,
@@ -674,27 +857,27 @@ function hasSignatureHeaders(headers) {
 }
 function isChatGPTSignature(headers) {
   const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  return signatureAgent === '"https://chatgpt.com"' || (signatureAgent?.includes("chatgpt.com") || false);
+  if (!signatureAgent) {
+    return false;
+  }
+  const agentUrlStr = signatureAgent.replace(/^"+|"+$/g, "");
+  if (agentUrlStr === "https://chatgpt.com") {
+    return true;
+  }
+  try {
+    const agentUrl = new URL(agentUrlStr);
+    const allowedHosts = ["chatgpt.com", "www.chatgpt.com"];
+    return allowedHosts.includes(agentUrl.host);
+  } catch {
+    return false;
+  }
 }
-
-// src/edge-detector-wrapper.ts
-var AI_AGENT_PATTERNS = [
-  { pattern: /chatgpt-user/i, type: "chatgpt", name: "ChatGPT" },
-  { pattern: /claude-web/i, type: "claude", name: "Claude" },
-  { pattern: /perplexitybot/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity-user/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity-ai/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity/i, type: "perplexity", name: "Perplexity" },
-  // Fallback
-  { pattern: /bingbot/i, type: "bing", name: "Bing AI" },
-  { pattern: /anthropic-ai/i, type: "anthropic", name: "Anthropic" }
-];
-var CLOUD_PROVIDERS = {
-  aws: ["54.", "52.", "35.", "18.", "3."],
-  gcp: ["35.", "34.", "104.", "107.", "108."],
-  azure: ["13.", "20.", "40.", "52.", "104."]
-};
+var rules = loadRulesSync();
 var EdgeAgentDetector = class {
+  rules;
+  constructor() {
+    this.rules = rules;
+  }
   async analyze(input) {
     const reasons = [];
     let detectedAgent;
@@ -713,7 +896,7 @@ var EdgeAgentDetector = class {
           headers
         );
         if (signatureResult.isValid) {
-          confidence = signatureResult.confidence;
+          confidence = signatureResult.confidence * 100;
           reasons.push(`verified_signature:${signatureResult.agent?.toLowerCase() || "unknown"}`);
           if (signatureResult.agent) {
             detectedAgent = {
@@ -726,7 +909,13 @@ var EdgeAgentDetector = class {
             reasons.push(`keyid:${signatureResult.keyid}`);
           }
         } else {
-          confidence = Math.max(confidence, 0.3);
+          console.warn("[EdgeAgentDetector] Signature verification failed:", {
+            reason: signatureResult.reason,
+            agent: signatureResult.agent,
+            hasSignatureAgent: !!headers["signature-agent"] || !!headers["Signature-Agent"],
+            signatureAgentValue: headers["signature-agent"] || headers["Signature-Agent"]
+          });
+          confidence = Math.max(confidence, 30);
           reasons.push("invalid_signature");
           if (signatureResult.reason) {
             reasons.push(`signature_error:${signatureResult.reason}`);
@@ -738,68 +927,133 @@ var EdgeAgentDetector = class {
         }
       } catch (error) {
         console.error("[EdgeAgentDetector] Signature verification error:", error);
-        confidence = Math.max(confidence, 0.2);
+        confidence = Math.max(confidence, 20);
         reasons.push("signature_verification_error");
       }
     }
     const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
     if (userAgent) {
-      for (const { pattern, type, name } of AI_AGENT_PATTERNS) {
-        if (pattern.test(userAgent)) {
-          const highConfidenceAgents = [
-            "chatgpt",
-            "claude",
-            "perplexity",
-            "anthropic"
-          ];
-          const patternConfidence = highConfidenceAgents.includes(type) ? 0.85 : 0.5;
-          confidence = Math.max(confidence, patternConfidence);
-          reasons.push(`known_pattern:${type}`);
+      const userAgentEntries = Object.entries(this.rules.rules.userAgents);
+      const genericKeys = ["generic_bot", "dev_tools", "automation_tools"];
+      const sortedEntries = userAgentEntries.sort((a, b) => {
+        const aIsGeneric = genericKeys.includes(a[0]);
+        const bIsGeneric = genericKeys.includes(b[0]);
+        if (aIsGeneric && !bIsGeneric) return 1;
+        if (!aIsGeneric && bIsGeneric) return -1;
+        return 0;
+      });
+      for (const [agentKey, agentRule] of sortedEntries) {
+        const rule = agentRule;
+        const matched = rule.patterns.some((pattern) => {
+          const regex = new RegExp(pattern, "i");
+          return regex.test(userAgent);
+        });
+        if (matched) {
+          const agentType = this.getAgentType(agentKey);
+          const agentName = this.getAgentName(agentKey);
+          confidence = Math.max(confidence, rule.confidence * 100);
+          reasons.push(`known_pattern:${agentType}`);
           if (!detectedAgent) {
-            detectedAgent = { type, name };
+            detectedAgent = { type: agentType, name: agentName };
             verificationMethod = "pattern";
           }
           break;
         }
       }
     }
-    const aiHeaders = [
-      "openai-conversation-id",
-      "openai-ephemeral-user-id",
-      "anthropic-client-id",
-      "x-goog-api-client",
-      "x-ms-copilot-id"
-    ];
-    const foundAiHeaders = aiHeaders.filter(
-      (header) => normalizedHeaders[header]
+    const suspiciousHeaders = this.rules.rules.headers.suspicious;
+    const foundAiHeaders = suspiciousHeaders.filter(
+      (headerRule) => normalizedHeaders[headerRule.name.toLowerCase()]
     );
     if (foundAiHeaders.length > 0) {
-      confidence = Math.max(confidence, 0.6);
+      const maxConfidence = Math.max(...foundAiHeaders.map((h) => h.confidence * 100));
+      confidence = Math.max(confidence, maxConfidence);
       reasons.push(`ai_headers:${foundAiHeaders.length}`);
     }
     const ip = input.ip || input.ipAddress;
     if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
-      for (const [provider, prefixes] of Object.entries(CLOUD_PROVIDERS)) {
-        if (prefixes.some((prefix) => ip.startsWith(prefix))) {
-          confidence = Math.max(confidence, 0.4);
+      const ipRanges = "providers" in this.rules.rules.ipRanges ? this.rules.rules.ipRanges.providers : this.rules.rules.ipRanges;
+      for (const [provider, ipRule] of Object.entries(ipRanges)) {
+        if (!ipRule || typeof ipRule !== "object" || !("ranges" in ipRule) || !Array.isArray(ipRule.ranges))
+          continue;
+        const matched = ipRule.ranges.some((range) => {
+          const prefix = range.split("/")[0];
+          const prefixParts = prefix.split(".");
+          const ipParts = ip.split(".");
+          for (let i = 0; i < Math.min(prefixParts.length - 1, 2); i++) {
+            if (prefixParts[i] !== ipParts[i] && prefixParts[i] !== "0") {
+              return false;
+            }
+          }
+          return true;
+        });
+        if (matched) {
+          const rule = ipRule;
+          confidence = Math.max(confidence, rule.confidence * 40);
           reasons.push(`cloud_provider:${provider}`);
           break;
         }
       }
     }
-    if (reasons.length > 2 && confidence < 1) {
-      confidence = Math.min(confidence * 1.2, 0.95);
+    if (reasons.length > 2 && confidence < 100) {
+      confidence = Math.min(confidence * 1.2, 95);
     }
+    confidence = Math.min(Math.max(confidence, 0), 100);
     return {
-      isAgent: confidence > 0.3,
+      isAgent: confidence > 30,
+      // Updated to 0-100 scale (was 0.3)
       confidence,
+      detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
+      signals: [],
+      // Will be populated by enhanced detection engine in future tasks
       ...detectedAgent && { detectedAgent },
       reasons,
-      ...verificationMethod && { verificationMethod },
-      forgeabilityRisk: verificationMethod === "signature" ? "low" : confidence > 0.8 ? "medium" : "high",
+      ...verificationMethod && {
+        verificationMethod
+      },
+      forgeabilityRisk: verificationMethod === "signature" ? "low" : confidence > 80 ? "medium" : "high",
+      // Updated to 0-100 scale
       timestamp: /* @__PURE__ */ new Date()
     };
   }
+  /**
+   * Get agent type from rule key
+   */
+  getAgentType(agentKey) {
+    const typeMap = {
+      openai_gptbot: "openai",
+      anthropic_claude: "anthropic",
+      perplexity_bot: "perplexity",
+      google_ai: "google",
+      microsoft_ai: "microsoft",
+      meta_ai: "meta",
+      cohere_bot: "cohere",
+      huggingface_bot: "huggingface",
+      generic_bot: "generic",
+      dev_tools: "dev",
+      automation_tools: "automation"
+    };
+    return typeMap[agentKey] || agentKey;
+  }
+  /**
+   * Get agent name from rule key
+   */
+  getAgentName(agentKey) {
+    const nameMap = {
+      openai_gptbot: "ChatGPT/GPTBot",
+      anthropic_claude: "Claude",
+      perplexity_bot: "Perplexity",
+      google_ai: "Google AI",
+      microsoft_ai: "Microsoft Copilot",
+      meta_ai: "Meta AI",
+      cohere_bot: "Cohere",
+      huggingface_bot: "HuggingFace",
+      generic_bot: "Generic Bot",
+      dev_tools: "Development Tool",
+      automation_tools: "Automation Tool"
+    };
+    return nameMap[agentKey] || agentKey;
+  }
 };
 var EdgeAgentDetectorWrapper = class {
   detector;
@@ -1012,7 +1266,9 @@ function createAgentShieldMiddleware(config = {}) {
   }) : null;
   if (config.events) {
     Object.entries(config.events).forEach(([event, handler]) => {
-      detector.on(event, handler);
+      if (handler) {
+        detector.on(event, handler);
+      }
     });
   }
   const {
@@ -1044,19 +1300,22 @@ function createAgentShieldMiddleware(config = {}) {
         const response2 = NextResponse.next();
         response2.headers.set("x-agentshield-detected", "true");
         response2.headers.set("x-agentshield-agent", existingSession.agent);
-        response2.headers.set(
-          "x-agentshield-confidence",
-          existingSession.confidence.toString()
-        );
+        response2.headers.set("x-agentshield-confidence", existingSession.confidence.toString());
         response2.headers.set("x-agentshield-session", "continued");
         response2.headers.set("x-agentshield-session-id", existingSession.id);
         request.agentShield = {
           result: {
             isAgent: true,
             confidence: existingSession.confidence,
-            detectedAgent: { name: existingSession.agent },
+            detectionClass: { type: "AiAgent" },
+            detectedAgent: {
+              type: "ai_agent",
+              name: existingSession.agent
+            },
             timestamp: /* @__PURE__ */ new Date(),
-            verificationMethod: "session"
+            verificationMethod: "behavioral",
+            reasons: ["Session continued"],
+            signals: []
           },
           session: existingSession,
           skipped: false
@@ -1086,7 +1345,7 @@ function createAgentShieldMiddleware(config = {}) {
         timestamp: /* @__PURE__ */ new Date()
       };
       const result = await detector.analyze(context);
-      if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 0.7)) {
+      if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
         if (onDetection) {
           const customResponse = await onDetection(request, result);
           if (customResponse) {
@@ -1105,11 +1364,9 @@ function createAgentShieldMiddleware(config = {}) {
               { status: blockedResponse.status }
             );
             if (blockedResponse.headers) {
-              Object.entries(blockedResponse.headers).forEach(
-                ([key, value]) => {
-                  response2.headers.set(key, value);
-                }
-              );
+              Object.entries(blockedResponse.headers).forEach(([key, value]) => {
+                response2.headers.set(key, value);
+              });
             }
             detector.emit("agent.blocked", result, context);
             return response2;
@@ -1119,17 +1376,19 @@ function createAgentShieldMiddleware(config = {}) {
           case "rewrite":
             return NextResponse.rewrite(new URL(rewriteUrl, request.url));
           case "log":
-            console.warn("AgentShield: Agent detected", {
-              ipAddress: context.ipAddress,
-              userAgent: context.userAgent,
-              confidence: result.confidence,
-              reasons: result.reasons,
-              pathname: request.nextUrl.pathname
-            });
+            if (process.env.NODE_ENV !== "production") {
+              console.debug("AgentShield: Agent detected", {
+                ipAddress: context.ipAddress,
+                userAgent: context.userAgent,
+                confidence: result.confidence,
+                reasons: result.reasons,
+                pathname: request.nextUrl.pathname
+              });
+            }
             break;
           case "allow":
           default:
-            if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 0.7)) {
+            if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
               detector.emit("agent.allowed", result, context);
             }
             break;
@@ -1141,14 +1400,11 @@ function createAgentShieldMiddleware(config = {}) {
       };
       let response = NextResponse.next();
       response.headers.set("x-agentshield-detected", result.isAgent.toString());
-      response.headers.set(
-        "x-agentshield-confidence",
-        result.confidence.toString()
-      );
+      response.headers.set("x-agentshield-confidence", result.confidence.toString());
       if (result.detectedAgent?.name) {
         response.headers.set("x-agentshield-agent", result.detectedAgent.name);
       }
-      if (sessionTracker && result.isAgent && result.confidence >= (config.confidenceThreshold ?? 0.7)) {
+      if (sessionTracker && result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
         response = await sessionTracker.track(request, response, result);
         response.headers.set("x-agentshield-session", "new");
         detector.emit("agent.session.started", result, context);
@@ -1166,7 +1422,7 @@ var middlewareInstance = null;
 var isInitializing = false;
 var initPromise2 = null;
 function createAgentShieldMiddleware2(config) {
-  return async function agentShieldMiddleware(request) {
+  return async function agentShieldMiddleware2(request) {
     if (!middlewareInstance) {
       if (!isInitializing) {
         isInitializing = true;
@@ -1184,7 +1440,7 @@ function createAgentShieldMiddleware2(config) {
 }
 
 // src/edge-safe-detector.ts
-var AI_AGENT_PATTERNS3 = [
+var AI_AGENT_PATTERNS = [
   { pattern: /chatgpt-user/i, type: "chatgpt", name: "ChatGPT" },
   { pattern: /claude-web/i, type: "claude", name: "Claude" },
   { pattern: /perplexitybot/i, type: "perplexity", name: "Perplexity" },
@@ -1205,9 +1461,9 @@ var EdgeSafeDetector = class {
     }
     const userAgent = input.userAgent || normalizedHeaders["user-agent"] || "";
     if (userAgent) {
-      for (const { pattern, type, name } of AI_AGENT_PATTERNS3) {
+      for (const { pattern, type, name } of AI_AGENT_PATTERNS) {
         if (pattern.test(userAgent)) {
-          confidence = 0.85;
+          confidence = 85;
           reasons.push(`known_pattern:${type}`);
           detectedAgent = { type, name };
           break;
@@ -1229,31 +1485,32 @@ var EdgeSafeDetector = class {
       if (!hasAcceptLanguage) missingHeaders.push("accept-language");
       if (!hasCookies) missingHeaders.push("cookies");
       if (missingHeaders.length >= 2) {
-        confidence = Math.max(confidence, 0.85);
+        confidence = Math.max(confidence, 85);
         reasons.push("browser_ua_missing_headers");
         if (!detectedAgent && hasChrome && !hasSecChUa) {
           detectedAgent = { type: "perplexity", name: "Perplexity" };
         }
       }
     }
-    const aiHeaders = [
-      "openai-conversation-id",
-      "anthropic-client-id",
-      "x-goog-api-client"
-    ];
+    const aiHeaders = ["openai-conversation-id", "anthropic-client-id", "x-goog-api-client"];
     const foundAiHeaders = aiHeaders.filter((h) => normalizedHeaders[h]);
     if (foundAiHeaders.length > 0) {
-      confidence = Math.max(confidence, 0.6);
+      confidence = Math.max(confidence, 60);
       reasons.push(`ai_headers:${foundAiHeaders.length}`);
     }
     return {
-      isAgent: confidence > 0.3,
+      isAgent: confidence > 30,
+      // Updated to 0-100 scale (was 0.3)
       confidence,
+      detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
+      signals: [],
+      // Will be populated by enhanced detection engine in future tasks
       detectedAgent,
       reasons,
       verificationMethod: "pattern",
       timestamp: /* @__PURE__ */ new Date(),
-      confidenceLevel: confidence >= 0.8 ? "high" : confidence >= 0.5 ? "medium" : "low"
+      confidenceLevel: confidence >= 80 ? "high" : confidence >= 50 ? "medium" : "low"
+      // Updated to 0-100 scale
     };
   }
 };
@@ -1456,11 +1713,7 @@ var RedisStorageAdapter = class {
   }
   async cleanup(olderThan) {
     const cutoff = olderThan.getTime();
-    await this.redis.zremrangebyrank(
-      this.timelineKey(),
-      0,
-      Math.floor(cutoff / 1e3)
-    );
+    await this.redis.zremrangebyrank(this.timelineKey(), 0, Math.floor(cutoff / 1e3));
   }
 };
 
@@ -1481,7 +1734,10 @@ async function createStorageAdapter(config) {
       });
       return new RedisStorageAdapter(redis, config.ttl);
     } catch (error) {
-      console.warn("[AgentShield] Failed to initialize Redis storage, falling back to memory:", error);
+      console.warn(
+        "[AgentShield] Failed to initialize Redis storage, falling back to memory:",
+        error
+      );
       return new MemoryStorageAdapter();
     }
   }
@@ -1543,7 +1799,9 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
     detectorInitPromise = (async () => {
       const isEdgeRuntime = typeof globalThis.EdgeRuntime !== "undefined" || process.env.NEXT_RUNTIME === "edge";
       if (isEdgeRuntime) {
-        console.log("[AgentShield] Edge Runtime detected - using pattern detection");
+        if (process.env.NODE_ENV !== "production") {
+          console.debug("[AgentShield] Edge Runtime detected - using pattern detection");
+        }
         detector = new EdgeSafeDetector();
       } else {
         try {
@@ -1553,17 +1811,27 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
             const wasmAvailable = await wasmUtils.checkWasmAvailability();
             if (wasmAvailable) {
               const { EdgeAgentDetectorWrapperWithWasm: EdgeAgentDetectorWrapperWithWasm2 } = await Promise.resolve().then(() => (init_edge_detector_with_wasm(), edge_detector_with_wasm_exports));
-              console.log("[AgentShield] \u2705 WASM support detected - enhanced detection enabled");
+              if (process.env.NODE_ENV !== "production") {
+                console.debug(
+                  "[AgentShield] \u2705 WASM support detected - enhanced detection enabled"
+                );
+              }
               detector = new EdgeAgentDetectorWrapperWithWasm2({ enableWasm: true });
               if (requestUrl && "setBaseUrl" in detector) {
                 detector.setBaseUrl(requestUrl);
               }
             } else {
-              console.log("[AgentShield] \u2139\uFE0F Using pattern-based detection (WASM not available)");
+              if (process.env.NODE_ENV !== "production") {
+                console.debug(
+                  "[AgentShield] \u2139\uFE0F Using pattern-based detection (WASM not available)"
+                );
+              }
               detector = new EdgeSafeDetector();
             }
           } catch (wasmError) {
-            console.log("[AgentShield] WASM utilities not available, using pattern detection");
+            if (process.env.NODE_ENV !== "production") {
+              console.debug("[AgentShield] WASM utilities not available, using pattern detection");
+            }
             detector = new EdgeSafeDetector();
           }
         } catch (error) {
@@ -1608,7 +1876,10 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
     if (result.isAgent && finalConfidence >= (config.confidenceThreshold ?? 0.7)) {
       if (sessionTrackingEnabled) {
         const storage = await getStorage();
-        const sessionId = sessionManager.generateSessionId(ipAddress || void 0, userAgent || void 0);
+        const sessionId = sessionManager.generateSessionId(
+          ipAddress || void 0,
+          userAgent || void 0
+        );
         const event = {
           eventId: `agent_${Date.now()}_${Math.random().toString(36).substring(2, 11)}`,
           sessionId,
@@ -1674,15 +1945,18 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
             { status }
           );
           response2.headers.set("x-agentshield-detected", "true");
-          response2.headers.set("x-agentshield-confidence", String(Math.round(finalConfidence * 100)));
+          response2.headers.set(
+            "x-agentshield-confidence",
+            String(Math.round(finalConfidence * 100))
+          );
           response2.headers.set("x-agentshield-agent", result.detectedAgent?.name || "Unknown");
           response2.headers.set("x-agentshield-verification", verificationMethod);
           return response2;
         }
-        case "log":
+        case "log": {
           const isInteresting = finalConfidence >= 0.9 || result.detectedAgent?.name?.toLowerCase().includes("chatgpt") || result.detectedAgent?.name?.toLowerCase().includes("perplexity") || verificationMethod === "signature";
-          if (isInteresting) {
-            console.log(`[AgentShield] \u{1F916} AI Agent detected (${verificationMethod}):`, {
+          if (isInteresting && process.env.NODE_ENV !== "production") {
+            console.debug(`[AgentShield] \u{1F916} AI Agent detected (${verificationMethod}):`, {
               agent: result.detectedAgent?.name,
               confidence: `${(finalConfidence * 100).toFixed(0)}%`,
               path: pathWithQuery,
@@ -1690,6 +1964,7 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
             });
           }
           break;
+        }
       }
     }
     const response = NextResponse.next();
@@ -1708,6 +1983,294 @@ function createEnhancedAgentShieldMiddleware(config = {}) {
   };
 }
 
+// src/api-client.ts
+var DEFAULT_BASE_URL = "https://api.agentshield.ai";
+var DEFAULT_TIMEOUT = 5e3;
+var AgentShieldClient = class {
+  apiKey;
+  baseUrl;
+  timeout;
+  debug;
+  constructor(config) {
+    if (!config.apiKey) {
+      throw new Error("AgentShield API key is required");
+    }
+    this.apiKey = config.apiKey;
+    this.baseUrl = config.baseUrl || DEFAULT_BASE_URL;
+    this.timeout = config.timeout || DEFAULT_TIMEOUT;
+    this.debug = config.debug || false;
+  }
+  /**
+   * Call the enforce API to check if a request should be allowed
+   */
+  async enforce(input) {
+    const startTime = Date.now();
+    try {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+      try {
+        const response = await fetch(`${this.baseUrl}/api/v1/enforce`, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${this.apiKey}`,
+            "X-Request-ID": input.requestId || crypto.randomUUID()
+          },
+          body: JSON.stringify(input),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        const data = await response.json();
+        if (this.debug) {
+          console.log("[AgentShield] Enforce response:", {
+            status: response.status,
+            action: data.data?.decision.action,
+            processingTimeMs: Date.now() - startTime
+          });
+        }
+        if (!response.ok) {
+          return {
+            success: false,
+            error: {
+              code: `HTTP_${response.status}`,
+              message: data.error?.message || `HTTP error: ${response.status}`
+            }
+          };
+        }
+        return data;
+      } catch (error) {
+        clearTimeout(timeoutId);
+        throw error;
+      }
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        if (this.debug) {
+          console.warn("[AgentShield] Request timed out");
+        }
+        return {
+          success: false,
+          error: {
+            code: "TIMEOUT",
+            message: `Request timed out after ${this.timeout}ms`
+          }
+        };
+      }
+      if (this.debug) {
+        console.error("[AgentShield] Request failed:", error);
+      }
+      return {
+        success: false,
+        error: {
+          code: "NETWORK_ERROR",
+          message: error instanceof Error ? error.message : "Network request failed"
+        }
+      };
+    }
+  }
+  /**
+   * Quick check - returns just the action without full response parsing
+   * Useful for very fast middleware that just needs allow/block
+   */
+  async quickCheck(input) {
+    const result = await this.enforce(input);
+    if (!result.success || !result.data) {
+      return {
+        action: "allow",
+        error: result.error?.message
+      };
+    }
+    return {
+      action: result.data.decision.action
+    };
+  }
+};
+var clientInstance = null;
+function getAgentShieldClient(config) {
+  if (!clientInstance) {
+    const apiKey = config?.apiKey || process.env.AGENTSHIELD_API_KEY;
+    if (!apiKey) {
+      throw new Error(
+        "AgentShield API key is required. Set AGENTSHIELD_API_KEY environment variable or pass apiKey in config."
+      );
+    }
+    clientInstance = new AgentShieldClient({
+      apiKey,
+      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,
+      timeout: config?.timeout,
+      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === "true"
+    });
+  }
+  return clientInstance;
+}
+function resetAgentShieldClient() {
+  clientInstance = null;
+}
+
+// src/api-middleware.ts
+function matchPath(path, pattern) {
+  if (pattern === path) return true;
+  if (pattern.includes("*")) {
+    const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    return new RegExp(`^${regexPattern}$`).test(path);
+  }
+  if (pattern.endsWith("/")) {
+    return path.startsWith(pattern) || path === pattern.slice(0, -1);
+  }
+  return path.startsWith(pattern);
+}
+function shouldSkipPath(path, skipPaths) {
+  return skipPaths.some((pattern) => matchPath(path, pattern));
+}
+function shouldIncludePath(path, includePaths) {
+  if (!includePaths || includePaths.length === 0) return true;
+  return includePaths.some((pattern) => matchPath(path, pattern));
+}
+function buildBlockedResponse(decision, config) {
+  const status = config.blockedResponse?.status ?? 403;
+  const message = config.blockedResponse?.message ?? decision.message ?? "Access denied";
+  const response = NextResponse.json(
+    {
+      error: message,
+      code: "AGENT_BLOCKED",
+      reason: decision.reason,
+      agentType: decision.agentType
+    },
+    { status }
+  );
+  if (config.blockedResponse?.headers) {
+    for (const [key, value] of Object.entries(config.blockedResponse.headers)) {
+      response.headers.set(key, value);
+    }
+  }
+  response.headers.set("X-AgentShield-Action", decision.action);
+  response.headers.set("X-AgentShield-Reason", decision.reason);
+  return response;
+}
+function buildRedirectResponse(request, decision, config) {
+  const redirectUrl = config.redirectUrl || decision.redirectUrl || "/blocked";
+  const url = new URL(redirectUrl, request.url);
+  url.searchParams.set("reason", decision.reason);
+  if (decision.agentType) {
+    url.searchParams.set("agent", decision.agentType);
+  }
+  return NextResponse.redirect(url);
+}
+function withAgentShield(config = {}) {
+  let client = null;
+  const getClient = () => {
+    if (!client) {
+      client = getAgentShieldClient({
+        apiKey: config.apiKey,
+        baseUrl: config.apiUrl,
+        timeout: config.timeout,
+        debug: config.debug
+      });
+    }
+    return client;
+  };
+  const defaultSkipPaths = [
+    "/_next/static/*",
+    "/_next/image/*",
+    "/favicon.ico",
+    "/robots.txt",
+    "/sitemap.xml"
+  ];
+  const skipPaths = [...defaultSkipPaths, ...config.skipPaths || []];
+  const failOpen = config.failOpen ?? true;
+  return async function middleware(request) {
+    const path = request.nextUrl.pathname;
+    const startTime = Date.now();
+    if (shouldSkipPath(path, skipPaths)) {
+      return NextResponse.next();
+    }
+    if (!shouldIncludePath(path, config.includePaths)) {
+      return NextResponse.next();
+    }
+    try {
+      const result = await getClient().enforce({
+        headers: Object.fromEntries(request.headers.entries()),
+        userAgent: request.headers.get("user-agent") || void 0,
+        ipAddress: request.ip || request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || request.headers.get("x-real-ip") || void 0,
+        path,
+        url: request.url,
+        method: request.method,
+        requestId: request.headers.get("x-request-id") || void 0,
+        options: {
+          includeDetectionResult: config.debug
+        }
+      });
+      if (!result.success || !result.data) {
+        if (config.debug) {
+          console.warn("[AgentShield] API error:", result.error);
+        }
+        if (failOpen) {
+          return NextResponse.next();
+        }
+        return NextResponse.json(
+          { error: "Security check failed", code: "API_ERROR" },
+          { status: 503 }
+        );
+      }
+      const decision = result.data.decision;
+      if (config.debug) {
+        console.log("[AgentShield] Decision:", {
+          path,
+          action: decision.action,
+          isAgent: decision.isAgent,
+          confidence: decision.confidence,
+          agentName: decision.agentName,
+          processingTimeMs: Date.now() - startTime
+        });
+      }
+      if (decision.isAgent && config.onAgentDetected) {
+        await config.onAgentDetected(request, decision);
+      }
+      switch (decision.action) {
+        case "block": {
+          if (config.customBlockedResponse) {
+            return config.customBlockedResponse(request, decision);
+          }
+          if (config.onBlock === "redirect") {
+            return buildRedirectResponse(request, decision, config);
+          }
+          return buildBlockedResponse(decision, config);
+        }
+        case "redirect": {
+          return buildRedirectResponse(request, decision, config);
+        }
+        case "challenge": {
+          return buildRedirectResponse(request, decision, config);
+        }
+        case "log":
+        case "allow":
+        default: {
+          const response = NextResponse.next();
+          if (decision.isAgent) {
+            response.headers.set("X-AgentShield-Detected", "true");
+            response.headers.set("X-AgentShield-Confidence", decision.confidence.toString());
+            if (decision.agentName) {
+              response.headers.set("X-AgentShield-Agent", decision.agentName);
+            }
+          }
+          return response;
+        }
+      }
+    } catch (error) {
+      if (config.debug) {
+        console.error("[AgentShield] Middleware error:", error);
+      }
+      if (failOpen) {
+        return NextResponse.next();
+      }
+      return NextResponse.json(
+        { error: "Security check failed", code: "MIDDLEWARE_ERROR" },
+        { status: 503 }
+      );
+    }
+  };
+}
+var agentShieldMiddleware = withAgentShield();
+
 // src/index.ts
 var VERSION = "0.1.0";
 /**
@@ -1716,6 +2279,6 @@ var VERSION = "0.1.0";
  * @license MIT OR Apache-2.0
  */
 
-export { EdgeSessionTracker, StatelessSessionChecker, VERSION, createAgentShieldMiddleware2 as createAgentShieldMiddleware, createAgentShieldMiddleware as createAgentShieldMiddlewareBase, createEnhancedAgentShieldMiddleware, createAgentShieldMiddleware2 as createMiddleware };
+export { AgentShieldClient, EdgeSessionTracker, StatelessSessionChecker, VERSION, agentShieldMiddleware, createAgentShieldMiddleware2 as createAgentShieldMiddleware, createAgentShieldMiddleware as createAgentShieldMiddlewareBase, createEnhancedAgentShieldMiddleware, createAgentShieldMiddleware2 as createMiddleware, getAgentShieldClient, resetAgentShieldClient, withAgentShield };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map