npm - @kya-os/agentshield-nextjs - Versions diffs - 0.2.13 → 0.3.1 - Mend

@kya-os/agentshield-nextjs 0.2.13 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (73) hide show

package/dist/api-client.d.mts +6 -1
package/dist/api-client.d.ts +6 -1
package/dist/api-client.js.map +1 -1
package/dist/api-client.mjs.map +1 -1
package/dist/api-middleware.d.mts +13 -0
package/dist/api-middleware.d.ts +13 -0
package/dist/api-middleware.js +149 -19
package/dist/api-middleware.js.map +1 -1
package/dist/api-middleware.mjs +149 -19
package/dist/api-middleware.mjs.map +1 -1
package/dist/create-middleware.js +565 -487
package/dist/create-middleware.js.map +1 -1
package/dist/create-middleware.mjs +565 -487
package/dist/create-middleware.mjs.map +1 -1
package/dist/edge/index.js +69 -46
package/dist/edge/index.js.map +1 -1
package/dist/edge/index.mjs +69 -46
package/dist/edge/index.mjs.map +1 -1
package/dist/edge-detector-wrapper.js +9 -1
package/dist/edge-detector-wrapper.js.map +1 -1
package/dist/edge-detector-wrapper.mjs +9 -1
package/dist/edge-detector-wrapper.mjs.map +1 -1
package/dist/edge-runtime-loader.d.mts +1 -0
package/dist/edge-runtime-loader.d.ts +1 -0
package/dist/edge-runtime-loader.js +19 -3
package/dist/edge-runtime-loader.js.map +1 -1
package/dist/edge-runtime-loader.mjs +19 -3
package/dist/edge-runtime-loader.mjs.map +1 -1
package/dist/edge-wasm-middleware.d.mts +1 -0
package/dist/edge-wasm-middleware.d.ts +1 -0
package/dist/edge-wasm-middleware.js +10 -2
package/dist/edge-wasm-middleware.js.map +1 -1
package/dist/edge-wasm-middleware.mjs +11 -3
package/dist/edge-wasm-middleware.mjs.map +1 -1
package/dist/enhanced-middleware.js +48 -20
package/dist/enhanced-middleware.js.map +1 -1
package/dist/enhanced-middleware.mjs +49 -21
package/dist/enhanced-middleware.mjs.map +1 -1
package/dist/index.d.mts +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +263 -102
package/dist/index.js.map +1 -1
package/dist/index.mjs +264 -103
package/dist/index.mjs.map +1 -1
package/dist/middleware.js +565 -487
package/dist/middleware.js.map +1 -1
package/dist/middleware.mjs +565 -487
package/dist/middleware.mjs.map +1 -1
package/dist/policy.d.mts +16 -4
package/dist/policy.d.ts +16 -4
package/dist/policy.js +14 -10
package/dist/policy.js.map +1 -1
package/dist/policy.mjs +14 -10
package/dist/policy.mjs.map +1 -1
package/dist/session-tracker.js +13 -19
package/dist/session-tracker.js.map +1 -1
package/dist/session-tracker.mjs +13 -19
package/dist/session-tracker.mjs.map +1 -1
package/dist/signature-verifier.js +9 -1
package/dist/signature-verifier.js.map +1 -1
package/dist/signature-verifier.mjs +9 -1
package/dist/signature-verifier.mjs.map +1 -1
package/dist/wasm-middleware.d.mts +1 -0
package/dist/wasm-middleware.d.ts +1 -0
package/dist/wasm-middleware.js +15 -15
package/dist/wasm-middleware.js.map +1 -1
package/dist/wasm-middleware.mjs +15 -15
package/dist/wasm-middleware.mjs.map +1 -1
package/package.json +3 -3
package/wasm/agentshield_wasm.d.ts +379 -21
package/wasm/agentshield_wasm.js +1409 -506
package/wasm/agentshield_wasm_bg.wasm +0 -0
package/dist/.tsbuildinfo +0 -1

package/dist/middleware.js CHANGED Viewed

@@ -1,9 +1,9 @@
 'use strict';
+var agentshieldShared = require('@kya-os/agentshield-shared');
 var server = require('next/server');
 var ed25519 = require('@noble/ed25519');
 var sha2_js = require('@noble/hashes/sha2.js');
-var agentshieldShared = require('@kya-os/agentshield-shared');
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
@@ -25,7 +25,455 @@ function _interopNamespace(e) {
 var ed25519__namespace = /*#__PURE__*/_interopNamespace(ed25519);
-// src/middleware.ts
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+// src/wasm-loader.ts
+function setWasmBaseUrl(url) {
+  baseUrl = url;
+}
+function getWasmUrl() {
+  if (baseUrl) {
+    try {
+      const url = new URL(baseUrl);
+      return `${url.origin}${WASM_PATH}`;
+    } catch {
+      return WASM_PATH;
+    }
+  }
+  return WASM_PATH;
+}
+async function initWasm() {
+  if (wasmExports) return true;
+  if (initPromise) {
+    await initPromise;
+    return !!wasmExports;
+  }
+  initPromise = (async () => {
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 3e3);
+      try {
+        const wasmUrl = getWasmUrl();
+        if (typeof WebAssembly.instantiateStreaming === "function") {
+          try {
+            const response2 = await fetch(wasmUrl, { signal: controller.signal });
+            clearTimeout(timeout);
+            if (!response2.ok) {
+              throw new Error(`Failed to fetch WASM: ${response2.status}`);
+            }
+            const streamResponse = response2.clone();
+            const { instance } = await WebAssembly.instantiateStreaming(streamResponse, {
+              wbg: {
+                __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
+                  if (process.env.NODE_ENV !== "production") {
+                    console.debug("WASM:", ptr, len);
+                  }
+                },
+                __wbindgen_throw: (ptr, len) => {
+                  throw new Error(`WASM Error at ${ptr}, length ${len}`);
+                }
+              }
+            });
+            wasmInstance = instance;
+            wasmExports = instance.exports;
+            if (process.env.NODE_ENV !== "production") {
+              console.debug("[AgentShield] \u2705 WASM module initialized with streaming");
+            }
+            return;
+          } catch (streamError) {
+            if (!controller.signal.aborted) {
+              if (process.env.NODE_ENV !== "production") {
+                console.debug(
+                  "[AgentShield] Streaming compilation failed, falling back to standard compilation"
+                );
+              }
+            } else {
+              throw streamError;
+            }
+          }
+        }
+        const response = await fetch(wasmUrl, { signal: controller.signal });
+        clearTimeout(timeout);
+        if (!response.ok) {
+          throw new Error(`Failed to fetch WASM: ${response.status}`);
+        }
+        const wasmArrayBuffer = await response.arrayBuffer();
+        const compiledModule = await WebAssembly.compile(wasmArrayBuffer);
+        const imports = {
+          wbg: {
+            __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
+              if (process.env.NODE_ENV !== "production") {
+                console.debug("WASM:", ptr, len);
+              }
+            },
+            __wbindgen_throw: (ptr, len) => {
+              throw new Error(`WASM Error at ${ptr}, length ${len}`);
+            }
+          }
+        };
+        wasmInstance = await WebAssembly.instantiate(compiledModule, imports);
+        wasmExports = wasmInstance.exports;
+        if (process.env.NODE_ENV !== "production") {
+          console.debug("[AgentShield] \u2705 WASM module initialized via fallback");
+        }
+      } catch (fetchError) {
+        const error = fetchError;
+        if (error.name === "AbortError") {
+          console.warn(
+            "[AgentShield] WASM fetch timed out after 3 seconds - using pattern detection"
+          );
+        } else {
+          console.warn(
+            "[AgentShield] Failed to fetch WASM file:",
+            error.message || "Unknown error"
+          );
+        }
+        wasmExports = null;
+      }
+    } catch (error) {
+      console.error("[AgentShield] Failed to initialize WASM:", error);
+      wasmExports = null;
+    }
+  })();
+  await initPromise;
+  return !!wasmExports;
+}
+async function detectAgentWithWasm(_userAgent, _headers, _ipAddress) {
+  return null;
+}
+async function getWasmVersion() {
+  const initialized = await initWasm();
+  if (!initialized || !wasmExports) {
+    return null;
+  }
+  if (typeof wasmExports.version === "function") {
+    return wasmExports.version();
+  }
+  return "unknown";
+}
+async function isWasmAvailable() {
+  try {
+    const initialized = await initWasm();
+    if (!initialized) return false;
+    const version = await getWasmVersion();
+    return version !== null;
+  } catch {
+    return false;
+  }
+}
+var wasmInstance, wasmExports, initPromise, WASM_PATH, baseUrl;
+var init_wasm_loader = __esm({
+  "src/wasm-loader.ts"() {
+    wasmInstance = null;
+    wasmExports = null;
+    initPromise = null;
+    WASM_PATH = "/wasm/agentshield_wasm_bg.wasm";
+    baseUrl = null;
+  }
+});
+// src/edge-detector-with-wasm.ts
+var edge_detector_with_wasm_exports = {};
+__export(edge_detector_with_wasm_exports, {
+  EdgeAgentDetectorWithWasm: () => EdgeAgentDetectorWithWasm,
+  EdgeAgentDetectorWrapperWithWasm: () => EdgeAgentDetectorWrapperWithWasm
+});
+var rules2, EdgeAgentDetectorWithWasm, EdgeAgentDetectorWrapperWithWasm;
+var init_edge_detector_with_wasm = __esm({
+  "src/edge-detector-with-wasm.ts"() {
+    init_wasm_loader();
+    rules2 = agentshieldShared.loadRulesSync();
+    EdgeAgentDetectorWithWasm = class {
+      constructor(enableWasm = true) {
+        this.enableWasm = enableWasm;
+        this.rules = rules2;
+      }
+      wasmEnabled = false;
+      initPromise = null;
+      baseUrl = null;
+      rules;
+      /**
+       * Set the base URL for WASM loading in Edge Runtime
+       */
+      setBaseUrl(url) {
+        this.baseUrl = url;
+        setWasmBaseUrl(url);
+      }
+      /**
+       * Initialize the detector (including WASM if enabled)
+       */
+      async init() {
+        if (!this.enableWasm) {
+          this.wasmEnabled = false;
+          return;
+        }
+        if (this.initPromise) {
+          await this.initPromise;
+          return;
+        }
+        this.initPromise = (async () => {
+          try {
+            const wasmAvailable = await isWasmAvailable();
+            if (wasmAvailable) {
+              if (this.baseUrl) {
+                setWasmBaseUrl(this.baseUrl);
+              }
+              await initWasm();
+              this.wasmEnabled = true;
+            } else {
+              this.wasmEnabled = false;
+            }
+          } catch (error) {
+            console.error("[AgentShield] Failed to initialize WASM:", error);
+            this.wasmEnabled = false;
+          }
+        })();
+        await this.initPromise;
+      }
+      /**
+       * Pattern-based detection (fallback)
+       */
+      async patternDetection(input) {
+        const reasons = [];
+        let detectedAgent;
+        let verificationMethod;
+        let confidence = 0;
+        const headers = input.headers || {};
+        const normalizedHeaders = {};
+        for (const [key, value] of Object.entries(headers)) {
+          normalizedHeaders[key.toLowerCase()] = value;
+        }
+        const signaturePresent = !!(normalizedHeaders["signature"] || normalizedHeaders["signature-input"]);
+        const signatureAgent = normalizedHeaders["signature-agent"];
+        const isChatGPT = (() => {
+          try {
+            const url = new URL(signatureAgent?.replace(/^"|"$/g, "") || "");
+            return url.hostname === "chatgpt.com" || url.hostname.endsWith(".chatgpt.com");
+          } catch {
+            return false;
+          }
+        })();
+        if (isChatGPT) {
+          confidence = 85;
+          reasons.push("signature_agent:chatgpt");
+          detectedAgent = { type: "chatgpt", name: "ChatGPT" };
+          verificationMethod = "signature";
+        } else if (signaturePresent) {
+          confidence = Math.max(confidence, 40);
+          reasons.push("signature_present");
+        }
+        const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
+        if (userAgent) {
+          for (const [agentKey, agentRule] of Object.entries(this.rules.rules.userAgents)) {
+            const matched = agentRule.patterns.some((pattern) => {
+              const regex = new RegExp(pattern, "i");
+              return regex.test(userAgent);
+            });
+            if (matched) {
+              const agentType = this.getAgentType(agentKey);
+              const agentName = this.getAgentName(agentKey);
+              confidence = Math.max(confidence, Math.round(agentRule.confidence * 0.85 * 100));
+              reasons.push(`known_pattern:${agentType}`);
+              if (!detectedAgent) {
+                detectedAgent = { type: agentType, name: agentName };
+                verificationMethod = "pattern";
+              }
+              break;
+            }
+          }
+        }
+        const suspiciousHeaders = this.rules.rules.headers.suspicious;
+        const foundAiHeaders = suspiciousHeaders.filter(
+          (headerRule) => normalizedHeaders[headerRule.name.toLowerCase()]
+        );
+        if (foundAiHeaders.length > 0) {
+          const maxConfidence = Math.max(...foundAiHeaders.map((h) => h.confidence));
+          confidence = Math.max(confidence, maxConfidence);
+          reasons.push(`ai_headers:${foundAiHeaders.length}`);
+        }
+        const ip = input.ip || input.ipAddress;
+        if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
+          const ipRanges = "providers" in this.rules.rules.ipRanges ? this.rules.rules.ipRanges.providers : this.rules.rules.ipRanges;
+          for (const [provider, ipRule] of Object.entries(ipRanges)) {
+            if (!ipRule || typeof ipRule !== "object" || !("ranges" in ipRule) || !Array.isArray(ipRule.ranges))
+              continue;
+            const matched = ipRule.ranges.some((range) => {
+              const prefix = range.split("/")[0];
+              const prefixParts = prefix.split(".");
+              const ipParts = ip.split(".");
+              for (let i = 0; i < Math.min(prefixParts.length - 1, 2); i++) {
+                if (prefixParts[i] !== ipParts[i] && prefixParts[i] !== "0") {
+                  return false;
+                }
+              }
+              return true;
+            });
+            if (matched) {
+              confidence = Math.max(confidence, Math.round(ipRule.confidence * 0.4 * 100));
+              reasons.push(`cloud_provider:${provider}`);
+              break;
+            }
+          }
+        }
+        if (reasons.length > 2) {
+          confidence = Math.min(Math.round(confidence * 1.2), 95);
+        }
+        confidence = Math.min(Math.max(confidence, 0), 100);
+        return {
+          isAgent: confidence > 30,
+          // 30% threshold
+          confidence,
+          detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
+          signals: [],
+          // Will be populated by enhanced detection engine in future tasks
+          ...detectedAgent && { detectedAgent },
+          reasons,
+          ...verificationMethod && {
+            verificationMethod: agentshieldShared.mapVerificationMethod(verificationMethod)
+          },
+          forgeabilityRisk: confidence > 80 ? "medium" : "high",
+          timestamp: /* @__PURE__ */ new Date()
+        };
+      }
+      /**
+       * Analyze request with WASM enhancement when available
+       */
+      async analyze(input) {
+        await this.init();
+        if (this.wasmEnabled) {
+          try {
+            const wasmResult = await detectAgentWithWasm(
+              input.userAgent || input.headers?.["user-agent"],
+              input.headers || {},
+              input.ip || input.ipAddress
+            );
+            if (wasmResult) {
+              const detectedAgent = wasmResult.agent ? this.mapAgentName(wasmResult.agent) : void 0;
+              return {
+                isAgent: wasmResult.isAgent,
+                confidence: wasmResult.confidence,
+                detectionClass: wasmResult.isAgent && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : wasmResult.isAgent ? { type: "Unknown" } : { type: "Human" },
+                signals: [],
+                // Will be populated by enhanced detection engine in future tasks
+                ...detectedAgent && { detectedAgent },
+                reasons: [`wasm:${wasmResult.verificationMethod}`],
+                verificationMethod: agentshieldShared.mapVerificationMethod(wasmResult.verificationMethod),
+                forgeabilityRisk: wasmResult.verificationMethod === "signature" ? "low" : wasmResult.confidence > 90 ? "medium" : "high",
+                timestamp: /* @__PURE__ */ new Date()
+              };
+            }
+          } catch (error) {
+            console.error("[AgentShield] WASM detection error:", error);
+          }
+        }
+        const patternResult = await this.patternDetection(input);
+        if (this.wasmEnabled && patternResult.confidence >= 85) {
+          patternResult.confidence = Math.min(95, patternResult.confidence + 10);
+          patternResult.reasons.push("wasm_enhanced");
+        }
+        return patternResult;
+      }
+      /**
+       * Get agent type from rule key
+       */
+      getAgentType(agentKey) {
+        const typeMap = {
+          openai_gptbot: "openai",
+          anthropic_claude: "anthropic",
+          perplexity_bot: "perplexity",
+          google_ai: "google",
+          microsoft_ai: "microsoft",
+          meta_ai: "meta",
+          cohere_bot: "cohere",
+          huggingface_bot: "huggingface",
+          generic_bot: "generic",
+          dev_tools: "dev",
+          automation_tools: "automation"
+        };
+        return typeMap[agentKey] || agentKey;
+      }
+      /**
+       * Get agent name from rule key
+       */
+      getAgentName(agentKey) {
+        const nameMap = {
+          openai_gptbot: "ChatGPT/GPTBot",
+          anthropic_claude: "Claude",
+          perplexity_bot: "Perplexity",
+          google_ai: "Google AI",
+          microsoft_ai: "Microsoft Copilot",
+          meta_ai: "Meta AI",
+          cohere_bot: "Cohere",
+          huggingface_bot: "HuggingFace",
+          generic_bot: "Generic Bot",
+          dev_tools: "Development Tool",
+          automation_tools: "Automation Tool"
+        };
+        return nameMap[agentKey] || agentKey;
+      }
+      /**
+       * Map agent names from WASM to consistent format
+       */
+      mapAgentName(agent) {
+        const lowerAgent = agent.toLowerCase();
+        if (lowerAgent.includes("chatgpt")) {
+          return { type: "chatgpt", name: "ChatGPT" };
+        } else if (lowerAgent.includes("claude")) {
+          return { type: "claude", name: "Claude" };
+        } else if (lowerAgent.includes("perplexity")) {
+          return { type: "perplexity", name: "Perplexity" };
+        } else if (lowerAgent.includes("bing")) {
+          return { type: "bing", name: "Bing AI" };
+        } else if (lowerAgent.includes("anthropic")) {
+          return { type: "anthropic", name: "Anthropic" };
+        }
+        return { type: "unknown", name: agent };
+      }
+    };
+    EdgeAgentDetectorWrapperWithWasm = class {
+      detector;
+      events = /* @__PURE__ */ new Map();
+      constructor(config) {
+        this.detector = new EdgeAgentDetectorWithWasm(config?.enableWasm ?? true);
+        if (config?.baseUrl) {
+          this.detector.setBaseUrl(config.baseUrl);
+        }
+      }
+      setBaseUrl(url) {
+        this.detector.setBaseUrl(url);
+      }
+      async analyze(input) {
+        const result = await this.detector.analyze(input);
+        if (result.isAgent && this.events.has("agent.detected")) {
+          const handlers = this.events.get("agent.detected") || [];
+          handlers.forEach((handler) => handler(result, input));
+        }
+        return result;
+      }
+      on(event, handler) {
+        if (!this.events.has(event)) {
+          this.events.set(event, []);
+        }
+        this.events.get(event).push(handler);
+      }
+      emit(event, ...args) {
+        const handlers = this.events.get(event) || [];
+        handlers.forEach((handler) => handler(...args));
+      }
+      async init() {
+        await this.detector.init();
+      }
+    };
+  }
+});
 ed25519__namespace.etc.sha512Sync = (...m) => sha2_js.sha512(ed25519__namespace.etc.concatBytes(...m));
 var KNOWN_KEYS = {
   chatgpt: [
@@ -286,7 +734,15 @@ async function verifyAgentSignature(method, path, headers) {
   }
   let agent;
   let agentKey;
-  if (signatureAgent === '"https://chatgpt.com"' || signatureAgent?.includes("chatgpt.com")) {
+  const isChatGPT = signatureAgent === '"https://chatgpt.com"' || (() => {
+    try {
+      const url = new URL(signatureAgent?.replace(/^"|"$/g, "") || "");
+      return url.hostname === "chatgpt.com" || url.hostname.endsWith(".chatgpt.com");
+    } catch {
+      return false;
+    }
+  })();
+  if (isChatGPT) {
     agent = "ChatGPT";
     agentKey = "chatgpt";
   }
@@ -583,462 +1039,46 @@ var EdgeAgentDetectorWrapper = class {
     return;
   }
 };
-// src/wasm-loader.ts
-var wasmInstance = null;
-var wasmExports = null;
-var initPromise = null;
-var WASM_PATH = "/wasm/agentshield_wasm_bg.wasm";
-var baseUrl = null;
-function setWasmBaseUrl(url) {
-  baseUrl = url;
-}
-function getWasmUrl() {
-  if (baseUrl) {
+var EdgeSessionTracker = class {
+  config;
+  constructor(config) {
+    this.config = {
+      enabled: config.enabled,
+      cookieName: config.cookieName || "__agentshield_session",
+      cookieMaxAge: config.cookieMaxAge || 3600,
+      // 1 hour default
+      encryptionKey: config.encryptionKey || process.env.AGENTSHIELD_SECRET || "agentshield-default-key"
+    };
+  }
+  /**
+   * Track a new AI agent session
+   */
+  async track(_request, response, result) {
     try {
-      const url = new URL(baseUrl);
-      return `${url.origin}${WASM_PATH}`;
-    } catch {
-      return WASM_PATH;
-    }
-  }
-  return WASM_PATH;
-}
-async function initWasm() {
-  if (wasmExports) return true;
-  if (initPromise) {
-    await initPromise;
-    return !!wasmExports;
-  }
-  initPromise = (async () => {
-    try {
-      const controller = new AbortController();
-      const timeout = setTimeout(() => controller.abort(), 3e3);
-      try {
-        const wasmUrl = getWasmUrl();
-        if (typeof WebAssembly.instantiateStreaming === "function") {
-          try {
-            const response2 = await fetch(wasmUrl, { signal: controller.signal });
-            clearTimeout(timeout);
-            if (!response2.ok) {
-              throw new Error(`Failed to fetch WASM: ${response2.status}`);
-            }
-            const streamResponse = response2.clone();
-            const { instance } = await WebAssembly.instantiateStreaming(streamResponse, {
-              wbg: {
-                __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
-                  if (process.env.NODE_ENV !== "production") {
-                    console.debug("WASM:", ptr, len);
-                  }
-                },
-                __wbindgen_throw: (ptr, len) => {
-                  throw new Error(`WASM Error at ${ptr}, length ${len}`);
-                }
-              }
-            });
-            wasmInstance = instance;
-            wasmExports = instance.exports;
-            if (process.env.NODE_ENV !== "production") {
-              console.debug("[AgentShield] \u2705 WASM module initialized with streaming");
-            }
-            return;
-          } catch (streamError) {
-            if (!controller.signal.aborted) {
-              if (process.env.NODE_ENV !== "production") {
-                console.debug(
-                  "[AgentShield] Streaming compilation failed, falling back to standard compilation"
-                );
-              }
-            } else {
-              throw streamError;
-            }
-          }
-        }
-        const response = await fetch(wasmUrl, { signal: controller.signal });
-        clearTimeout(timeout);
-        if (!response.ok) {
-          throw new Error(`Failed to fetch WASM: ${response.status}`);
-        }
-        const wasmArrayBuffer = await response.arrayBuffer();
-        const compiledModule = await WebAssembly.compile(wasmArrayBuffer);
-        const imports = {
-          wbg: {
-            __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
-              if (process.env.NODE_ENV !== "production") {
-                console.debug("WASM:", ptr, len);
-              }
-            },
-            __wbindgen_throw: (ptr, len) => {
-              throw new Error(`WASM Error at ${ptr}, length ${len}`);
-            }
-          }
-        };
-        wasmInstance = await WebAssembly.instantiate(compiledModule, imports);
-        wasmExports = wasmInstance.exports;
-        if (process.env.NODE_ENV !== "production") {
-          console.debug("[AgentShield] \u2705 WASM module initialized via fallback");
-        }
-      } catch (fetchError) {
-        const error = fetchError;
-        if (error.name === "AbortError") {
-          console.warn(
-            "[AgentShield] WASM fetch timed out after 3 seconds - using pattern detection"
-          );
-        } else {
-          console.warn(
-            "[AgentShield] Failed to fetch WASM file:",
-            error.message || "Unknown error"
-          );
-        }
-        wasmExports = null;
-      }
-    } catch (error) {
-      console.error("[AgentShield] Failed to initialize WASM:", error);
-      wasmExports = null;
-    }
-  })();
-  await initPromise;
-  return !!wasmExports;
-}
-async function detectAgentWithWasm(_userAgent, _headers, _ipAddress) {
-  return null;
-}
-async function getWasmVersion() {
-  const initialized = await initWasm();
-  if (!initialized || !wasmExports) {
-    return null;
-  }
-  if (typeof wasmExports.version === "function") {
-    return wasmExports.version();
-  }
-  return "unknown";
-}
-async function isWasmAvailable() {
-  try {
-    const initialized = await initWasm();
-    if (!initialized) return false;
-    const version = await getWasmVersion();
-    return version !== null;
-  } catch {
-    return false;
-  }
-}
-var rules2 = agentshieldShared.loadRulesSync();
-var EdgeAgentDetectorWithWasm = class {
-  constructor(enableWasm = true) {
-    this.enableWasm = enableWasm;
-    this.rules = rules2;
-  }
-  wasmEnabled = false;
-  initPromise = null;
-  baseUrl = null;
-  rules;
-  /**
-   * Set the base URL for WASM loading in Edge Runtime
-   */
-  setBaseUrl(url) {
-    this.baseUrl = url;
-    setWasmBaseUrl(url);
-  }
-  /**
-   * Initialize the detector (including WASM if enabled)
-   */
-  async init() {
-    if (!this.enableWasm) {
-      this.wasmEnabled = false;
-      return;
-    }
-    if (this.initPromise) {
-      await this.initPromise;
-      return;
-    }
-    this.initPromise = (async () => {
-      try {
-        const wasmAvailable = await isWasmAvailable();
-        if (wasmAvailable) {
-          if (this.baseUrl) {
-            setWasmBaseUrl(this.baseUrl);
-          }
-          await initWasm();
-          this.wasmEnabled = true;
-        } else {
-          this.wasmEnabled = false;
-        }
-      } catch (error) {
-        console.error("[AgentShield] Failed to initialize WASM:", error);
-        this.wasmEnabled = false;
-      }
-    })();
-    await this.initPromise;
-  }
-  /**
-   * Pattern-based detection (fallback)
-   */
-  async patternDetection(input) {
-    const reasons = [];
-    let detectedAgent;
-    let verificationMethod;
-    let confidence = 0;
-    const headers = input.headers || {};
-    const normalizedHeaders = {};
-    for (const [key, value] of Object.entries(headers)) {
-      normalizedHeaders[key.toLowerCase()] = value;
-    }
-    const signaturePresent = !!(normalizedHeaders["signature"] || normalizedHeaders["signature-input"]);
-    const signatureAgent = normalizedHeaders["signature-agent"];
-    if (signatureAgent?.includes("chatgpt.com")) {
-      confidence = 85;
-      reasons.push("signature_agent:chatgpt");
-      detectedAgent = { type: "chatgpt", name: "ChatGPT" };
-      verificationMethod = "signature";
-    } else if (signaturePresent) {
-      confidence = Math.max(confidence, 40);
-      reasons.push("signature_present");
-    }
-    const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
-    if (userAgent) {
-      for (const [agentKey, agentRule] of Object.entries(this.rules.rules.userAgents)) {
-        const matched = agentRule.patterns.some((pattern) => {
-          const regex = new RegExp(pattern, "i");
-          return regex.test(userAgent);
-        });
-        if (matched) {
-          const agentType = this.getAgentType(agentKey);
-          const agentName = this.getAgentName(agentKey);
-          confidence = Math.max(confidence, Math.round(agentRule.confidence * 0.85 * 100));
-          reasons.push(`known_pattern:${agentType}`);
-          if (!detectedAgent) {
-            detectedAgent = { type: agentType, name: agentName };
-            verificationMethod = "pattern";
-          }
-          break;
-        }
-      }
-    }
-    const suspiciousHeaders = this.rules.rules.headers.suspicious;
-    const foundAiHeaders = suspiciousHeaders.filter(
-      (headerRule) => normalizedHeaders[headerRule.name.toLowerCase()]
-    );
-    if (foundAiHeaders.length > 0) {
-      const maxConfidence = Math.max(...foundAiHeaders.map((h) => h.confidence));
-      confidence = Math.max(confidence, maxConfidence);
-      reasons.push(`ai_headers:${foundAiHeaders.length}`);
-    }
-    const ip = input.ip || input.ipAddress;
-    if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
-      const ipRanges = "providers" in this.rules.rules.ipRanges ? this.rules.rules.ipRanges.providers : this.rules.rules.ipRanges;
-      for (const [provider, ipRule] of Object.entries(ipRanges)) {
-        if (!ipRule || typeof ipRule !== "object" || !("ranges" in ipRule) || !Array.isArray(ipRule.ranges))
-          continue;
-        const matched = ipRule.ranges.some((range) => {
-          const prefix = range.split("/")[0];
-          const prefixParts = prefix.split(".");
-          const ipParts = ip.split(".");
-          for (let i = 0; i < Math.min(prefixParts.length - 1, 2); i++) {
-            if (prefixParts[i] !== ipParts[i] && prefixParts[i] !== "0") {
-              return false;
-            }
-          }
-          return true;
-        });
-        if (matched) {
-          confidence = Math.max(confidence, Math.round(ipRule.confidence * 0.4 * 100));
-          reasons.push(`cloud_provider:${provider}`);
-          break;
-        }
-      }
-    }
-    if (reasons.length > 2) {
-      confidence = Math.min(Math.round(confidence * 1.2), 95);
-    }
-    confidence = Math.min(Math.max(confidence, 0), 100);
-    return {
-      isAgent: confidence > 30,
-      // 30% threshold
-      confidence,
-      detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
-      signals: [],
-      // Will be populated by enhanced detection engine in future tasks
-      ...detectedAgent && { detectedAgent },
-      reasons,
-      ...verificationMethod && {
-        verificationMethod: agentshieldShared.mapVerificationMethod(verificationMethod)
-      },
-      forgeabilityRisk: confidence > 80 ? "medium" : "high",
-      timestamp: /* @__PURE__ */ new Date()
-    };
-  }
-  /**
-   * Analyze request with WASM enhancement when available
-   */
-  async analyze(input) {
-    await this.init();
-    if (this.wasmEnabled) {
-      try {
-        const wasmResult = await detectAgentWithWasm(
-          input.userAgent || input.headers?.["user-agent"],
-          input.headers || {},
-          input.ip || input.ipAddress
-        );
-        if (wasmResult) {
-          const detectedAgent = wasmResult.agent ? this.mapAgentName(wasmResult.agent) : void 0;
-          return {
-            isAgent: wasmResult.isAgent,
-            confidence: wasmResult.confidence,
-            detectionClass: wasmResult.isAgent && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : wasmResult.isAgent ? { type: "Unknown" } : { type: "Human" },
-            signals: [],
-            // Will be populated by enhanced detection engine in future tasks
-            ...detectedAgent && { detectedAgent },
-            reasons: [`wasm:${wasmResult.verificationMethod}`],
-            verificationMethod: agentshieldShared.mapVerificationMethod(wasmResult.verificationMethod),
-            forgeabilityRisk: wasmResult.verificationMethod === "signature" ? "low" : wasmResult.confidence > 90 ? "medium" : "high",
-            timestamp: /* @__PURE__ */ new Date()
-          };
-        }
-      } catch (error) {
-        console.error("[AgentShield] WASM detection error:", error);
-      }
-    }
-    const patternResult = await this.patternDetection(input);
-    if (this.wasmEnabled && patternResult.confidence >= 85) {
-      patternResult.confidence = Math.min(95, patternResult.confidence + 10);
-      patternResult.reasons.push("wasm_enhanced");
-    }
-    return patternResult;
-  }
-  /**
-   * Get agent type from rule key
-   */
-  getAgentType(agentKey) {
-    const typeMap = {
-      openai_gptbot: "openai",
-      anthropic_claude: "anthropic",
-      perplexity_bot: "perplexity",
-      google_ai: "google",
-      microsoft_ai: "microsoft",
-      meta_ai: "meta",
-      cohere_bot: "cohere",
-      huggingface_bot: "huggingface",
-      generic_bot: "generic",
-      dev_tools: "dev",
-      automation_tools: "automation"
-    };
-    return typeMap[agentKey] || agentKey;
-  }
-  /**
-   * Get agent name from rule key
-   */
-  getAgentName(agentKey) {
-    const nameMap = {
-      openai_gptbot: "ChatGPT/GPTBot",
-      anthropic_claude: "Claude",
-      perplexity_bot: "Perplexity",
-      google_ai: "Google AI",
-      microsoft_ai: "Microsoft Copilot",
-      meta_ai: "Meta AI",
-      cohere_bot: "Cohere",
-      huggingface_bot: "HuggingFace",
-      generic_bot: "Generic Bot",
-      dev_tools: "Development Tool",
-      automation_tools: "Automation Tool"
-    };
-    return nameMap[agentKey] || agentKey;
-  }
-  /**
-   * Map agent names from WASM to consistent format
-   */
-  mapAgentName(agent) {
-    const lowerAgent = agent.toLowerCase();
-    if (lowerAgent.includes("chatgpt")) {
-      return { type: "chatgpt", name: "ChatGPT" };
-    } else if (lowerAgent.includes("claude")) {
-      return { type: "claude", name: "Claude" };
-    } else if (lowerAgent.includes("perplexity")) {
-      return { type: "perplexity", name: "Perplexity" };
-    } else if (lowerAgent.includes("bing")) {
-      return { type: "bing", name: "Bing AI" };
-    } else if (lowerAgent.includes("anthropic")) {
-      return { type: "anthropic", name: "Anthropic" };
-    }
-    return { type: "unknown", name: agent };
-  }
-};
-var EdgeAgentDetectorWrapperWithWasm = class {
-  detector;
-  events = /* @__PURE__ */ new Map();
-  constructor(config) {
-    this.detector = new EdgeAgentDetectorWithWasm(config?.enableWasm ?? true);
-    if (config?.baseUrl) {
-      this.detector.setBaseUrl(config.baseUrl);
-    }
-  }
-  setBaseUrl(url) {
-    this.detector.setBaseUrl(url);
-  }
-  async analyze(input) {
-    const result = await this.detector.analyze(input);
-    if (result.isAgent && this.events.has("agent.detected")) {
-      const handlers = this.events.get("agent.detected") || [];
-      handlers.forEach((handler) => handler(result, input));
-    }
-    return result;
-  }
-  on(event, handler) {
-    if (!this.events.has(event)) {
-      this.events.set(event, []);
-    }
-    this.events.get(event).push(handler);
-  }
-  emit(event, ...args) {
-    const handlers = this.events.get(event) || [];
-    handlers.forEach((handler) => handler(...args));
-  }
-  async init() {
-    await this.detector.init();
-  }
-};
-// src/session-tracker.ts
-var EdgeSessionTracker = class {
-  config;
-  constructor(config) {
-    this.config = {
-      enabled: config.enabled,
-      cookieName: config.cookieName || "__agentshield_session",
-      cookieMaxAge: config.cookieMaxAge || 3600,
-      // 1 hour default
-      encryptionKey: config.encryptionKey || process.env.AGENTSHIELD_SECRET || "agentshield-default-key"
-    };
-  }
-  /**
-   * Track a new AI agent session
-   */
-  async track(_request, response, result) {
-    try {
-      if (!this.config.enabled || !result.isAgent) {
-        return response;
-      }
-      const sessionData = {
-        id: crypto.randomUUID(),
-        agent: result.detectedAgent?.name || "unknown",
-        confidence: result.confidence,
-        detectedAt: Date.now(),
-        expires: Date.now() + this.config.cookieMaxAge * 1e3
-      };
-      const encrypted = await this.encrypt(JSON.stringify(sessionData));
-      response.cookies.set(this.config.cookieName, encrypted, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === "production",
-        sameSite: "lax",
-        maxAge: this.config.cookieMaxAge,
-        path: "/"
-      });
-      return response;
-    } catch (error) {
-      if (process.env.DEBUG_AGENTSHIELD) {
-        console.warn("AgentShield: Failed to track session:", error);
-      }
-      return response;
+      if (!this.config.enabled || !agentshieldShared.shouldEnforce(result)) {
+        return response;
+      }
+      const sessionData = {
+        id: crypto.randomUUID(),
+        agent: result.detectedAgent?.name || "unknown",
+        confidence: result.confidence,
+        detectedAt: Date.now(),
+        expires: Date.now() + this.config.cookieMaxAge * 1e3
+      };
+      const encrypted = await this.encrypt(JSON.stringify(sessionData));
+      response.cookies.set(this.config.cookieName, encrypted, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        maxAge: this.config.cookieMaxAge,
+        path: "/"
+      });
+      return response;
+    } catch (error) {
+      if (process.env.DEBUG_AGENTSHIELD) {
+        console.warn("AgentShield: Failed to track session:", error);
+      }
+      return response;
     }
   }
   /**
@@ -1090,9 +1130,7 @@ var EdgeSessionTracker = class {
       for (let i = 0; i < encoded.length; i++) {
         obfuscated[i] = (encoded[i] || 0) ^ key.charCodeAt(i % key.length);
       }
-      return btoa(
-        Array.from(obfuscated, (byte) => String.fromCharCode(byte)).join("")
-      );
+      return btoa(Array.from(obfuscated, (byte) => String.fromCharCode(byte)).join(""));
     } catch (error) {
       return btoa(data);
     }
@@ -1115,14 +1153,29 @@ var EdgeSessionTracker = class {
   }
 };
-// src/middleware.ts
+// src/utils.ts
+function getClientIp(request) {
+  const forwardedFor = request.headers.get("x-forwarded-for");
+  if (forwardedFor) {
+    const ip = forwardedFor.split(",")[0]?.trim();
+    if (ip) return ip;
+  }
+  const realIp = request.headers.get("x-real-ip");
+  if (realIp) return realIp;
+  const cfIp = request.headers.get("cf-connecting-ip");
+  if (cfIp) return cfIp;
+  const clientIp = request.headers.get("x-client-ip");
+  if (clientIp) return clientIp;
+  return void 0;
+}
 function createAgentShieldMiddleware(config = {}) {
-  const detector = config.enableWasm ? new EdgeAgentDetectorWrapperWithWasm({ enableWasm: true }) : new EdgeAgentDetectorWrapper(config);
+  let detector = config.enableWasm ? null : new EdgeAgentDetectorWrapper(config);
+  let detectorInitPromise = null;
   const sessionTracker = config.sessionTracking?.enabled || config.enableWasm ? new EdgeSessionTracker({
     enabled: true,
     ...config.sessionTracking
   }) : null;
-  if (config.events) {
+  if (detector && config.events) {
     Object.entries(config.events).forEach(([event, handler]) => {
       if (handler) {
         detector.on(event, handler);
@@ -1143,6 +1196,23 @@ function createAgentShieldMiddleware(config = {}) {
   } = config;
   return async (request) => {
     try {
+      if (!detector) {
+        if (!detectorInitPromise) {
+          detectorInitPromise = (async () => {
+            const { EdgeAgentDetectorWrapperWithWasm: EdgeAgentDetectorWrapperWithWasm2 } = await Promise.resolve().then(() => (init_edge_detector_with_wasm(), edge_detector_with_wasm_exports));
+            detector = new EdgeAgentDetectorWrapperWithWasm2({ enableWasm: true });
+            if (config.events) {
+              Object.entries(config.events).forEach(([event, handler]) => {
+                if (handler) {
+                  detector.on(event, handler);
+                }
+              });
+            }
+          })();
+        }
+        await detectorInitPromise;
+      }
+      const activeDetector = detector;
       const shouldSkip = skipPaths.some((pattern) => {
         if (typeof pattern === "string") {
           return request.nextUrl.pathname.startsWith(pattern);
@@ -1156,11 +1226,11 @@ function createAgentShieldMiddleware(config = {}) {
       const existingSession = sessionTracker ? await sessionTracker.check(request) : null;
       if (existingSession) {
         const response2 = server.NextResponse.next();
-        response2.headers.set("x-agentshield-detected", "true");
-        response2.headers.set("x-agentshield-agent", existingSession.agent);
-        response2.headers.set("x-agentshield-confidence", existingSession.confidence.toString());
-        response2.headers.set("x-agentshield-session", "continued");
-        response2.headers.set("x-agentshield-session-id", existingSession.id);
+        response2.headers.set("kya-detected", "true");
+        response2.headers.set("kya-agent", existingSession.agent);
+        response2.headers.set("kya-confidence", existingSession.confidence.toString());
+        response2.headers.set("kya-session", "continued");
+        response2.headers.set("kya-session-id", existingSession.id);
         request.agentShield = {
           result: {
             isAgent: true,
@@ -1180,17 +1250,17 @@ function createAgentShieldMiddleware(config = {}) {
         };
         const context2 = {
           userAgent: request.headers.get("user-agent") || "",
-          ipAddress: (request.ip ?? request.headers.get("x-forwarded-for")) || "",
+          ipAddress: getClientIp(request) || "",
           headers: Object.fromEntries(request.headers.entries()),
           url: request.url,
           method: request.method,
           timestamp: /* @__PURE__ */ new Date()
         };
-        detector.emit("agent.session.continued", existingSession, context2);
+        activeDetector.emit("agent.session.continued", existingSession, context2);
         return response2;
       }
       const userAgent = request.headers.get("user-agent");
-      const ipAddress = request.ip ?? request.headers.get("x-forwarded-for");
+      const ipAddress = getClientIp(request);
       const url = new URL(request.url);
       const pathWithQuery = url.pathname + url.search;
       const context = {
@@ -1202,15 +1272,19 @@ function createAgentShieldMiddleware(config = {}) {
         method: request.method,
         timestamp: /* @__PURE__ */ new Date()
       };
-      const result = await detector.analyze(context);
-      if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
+      const result = await activeDetector.analyze(context);
+      const decision = agentshieldShared.evaluateEnforcement(result, {
+        confidenceThreshold: config.confidenceThreshold,
+        defaultAction: onAgentDetected
+      });
+      if (decision.shouldNotify) {
         if (onDetection) {
           const customResponse = await onDetection(request, result);
           if (customResponse) {
             return customResponse;
           }
         }
-        switch (onAgentDetected) {
+        switch (decision.action) {
           case "block": {
             const response2 = server.NextResponse.json(
               {
@@ -1226,11 +1300,17 @@ function createAgentShieldMiddleware(config = {}) {
                 response2.headers.set(key, value);
               });
             }
-            detector.emit("agent.blocked", result, context);
+            activeDetector.emit("agent.blocked", result, context);
             return response2;
           }
-          case "redirect":
-            return server.NextResponse.redirect(new URL(redirectUrl, request.url));
+          case "redirect": {
+            const redirectTarget = new URL(redirectUrl, request.url);
+            const agentName = result.detectedAgent?.name;
+            if (agentName && !redirectTarget.searchParams.has("agent")) {
+              redirectTarget.searchParams.set("agent", agentName.toLowerCase());
+            }
+            return server.NextResponse.redirect(redirectTarget);
+          }
           case "rewrite":
             return server.NextResponse.rewrite(new URL(rewriteUrl, request.url));
           case "log":
@@ -1246,9 +1326,7 @@ function createAgentShieldMiddleware(config = {}) {
             break;
           case "allow":
           default:
-            if (result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
-              detector.emit("agent.allowed", result, context);
-            }
+            activeDetector.emit("agent.allowed", result, context);
             break;
         }
       }
@@ -1257,15 +1335,15 @@ function createAgentShieldMiddleware(config = {}) {
         skipped: false
       };
       let response = server.NextResponse.next();
-      response.headers.set("x-agentshield-detected", result.isAgent.toString());
-      response.headers.set("x-agentshield-confidence", result.confidence.toString());
+      response.headers.set("kya-detected", result.isAgent.toString());
+      response.headers.set("kya-confidence", result.confidence.toString());
       if (result.detectedAgent?.name) {
-        response.headers.set("x-agentshield-agent", result.detectedAgent.name);
+        response.headers.set("kya-agent", result.detectedAgent.name);
       }
-      if (sessionTracker && result.isAgent && result.confidence >= (config.confidenceThreshold ?? 70)) {
+      if (sessionTracker && decision.shouldNotify) {
         response = await sessionTracker.track(request, response, result);
-        response.headers.set("x-agentshield-session", "new");
-        detector.emit("agent.session.started", result, context);
+        response.headers.set("kya-session", "new");
+        activeDetector.emit("agent.session.started", result, context);
       }
       return response;
     } catch (error) {