npm - @kya-os/agentshield-nextjs - Versions diffs - 0.2.7 → 0.2.8 - Mend

@kya-os/agentshield-nextjs 0.2.7 → 0.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/.tsbuildinfo +1 -1
package/dist/index.d.mts +2 -1
package/dist/index.d.ts +2 -1
package/dist/index.js +175 -0
package/dist/index.js.map +1 -1
package/dist/index.mjs +155 -2
package/dist/index.mjs.map +1 -1
package/dist/policy.d.mts +150 -0
package/dist/policy.d.ts +150 -0
package/dist/policy.js +185 -0
package/dist/policy.js.map +1 -0
package/dist/policy.mjs +161 -0
package/dist/policy.mjs.map +1 -0
package/package.json +9 -4
package/wasm/agentshield_wasm.d.ts +6 -33
package/wasm/agentshield_wasm.js +516 -626
package/wasm/agentshield_wasm_bg.wasm +0 -0

package/dist/policy.d.mts ADDED Viewed

@@ -0,0 +1,150 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { DetectionResult, PolicyConfig, PolicyEvaluationResult, PolicyEvaluationContext } from '@kya-os/agentshield-shared';
+export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/agentshield-shared';
+/**
+ * Policy Integration for agentshield-nextjs
+ *
+ * This module provides policy evaluation support for the Next.js middleware.
+ * It can use:
+ * - Local policy configuration (static)
+ * - Fetched policy from AgentShield API (dynamic with caching)
+ * - Fallback/default policies
+ *
+ * @example
+ * ```typescript
+ * import { createPolicyMiddleware } from '@kya-os/agentshield-nextjs/policy';
+ *
+ * export default createPolicyMiddleware({
+ *   policy: {
+ *     enabled: true,
+ *     defaultAction: 'allow',
+ *     thresholds: { confidenceThreshold: 80, confidenceAction: 'block' },
+ *     allowList: [{ clientName: 'ChatGPT' }],
+ *   },
+ * });
+ * ```
+ */
+/**
+ * Policy middleware configuration
+ */
+interface PolicyMiddlewareConfig {
+    /**
+     * Local policy configuration (static)
+     * If provided, this policy is used instead of fetching from API
+     */
+    policy?: Partial<PolicyConfig>;
+    /**
+     * Fetch policy from AgentShield API
+     * Requires projectId and optionally an apiKey
+     */
+    fetchPolicy?: {
+        /** Project ID to fetch policy for */
+        projectId: string;
+        /** API base URL (defaults to production) */
+        apiUrl?: string;
+        /** API key for authentication */
+        apiKey?: string;
+        /** Cache TTL in seconds (default: 300) */
+        cacheTtlSeconds?: number;
+    };
+    /**
+     * Fallback policy to use when fetch fails
+     * Defaults to DEFAULT_POLICY (allow all)
+     */
+    fallbackPolicy?: Partial<PolicyConfig>;
+    /**
+     * Custom blocked response
+     */
+    blockedResponse?: {
+        status?: number;
+        message?: string;
+        headers?: Record<string, string>;
+    };
+    /**
+     * Default redirect URL for redirect actions
+     */
+    redirectUrl?: string;
+    /**
+     * Callback when policy decision is made
+     */
+    onPolicyDecision?: (request: NextRequest, decision: PolicyEvaluationResult, context: PolicyEvaluationContext) => void | Promise<void>;
+    /**
+     * Custom response builder for blocked requests
+     */
+    customBlockedResponse?: (request: NextRequest, decision: PolicyEvaluationResult) => NextResponse | Promise<NextResponse>;
+    /**
+     * Whether to fail open (allow) on policy evaluation errors
+     * Default: true (recommended for production)
+     */
+    failOpen?: boolean;
+    /**
+     * Enable debug logging
+     */
+    debug?: boolean;
+}
+/**
+ * Combined middleware configuration with policy support
+ */
+interface NextJSPolicyMiddlewareConfig extends PolicyMiddlewareConfig {
+    /**
+     * Paths to skip (in addition to policy excludedPaths)
+     */
+    skipPaths?: string[];
+    /**
+     * Only enforce on these paths (overrides policy includedPaths)
+     */
+    includePaths?: string[];
+}
+/**
+ * Create policy evaluation context from detection result and request
+ */
+declare function createContextFromDetection(detection: DetectionResult, request: NextRequest): PolicyEvaluationContext;
+/**
+ * Evaluate policy for a detection result
+ */
+declare function evaluatePolicyForDetection(detection: DetectionResult, request: NextRequest, policy: PolicyConfig): PolicyEvaluationResult;
+/**
+ * Build blocked response based on policy decision
+ */
+declare function buildBlockedResponse(decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): NextResponse;
+/**
+ * Build redirect response based on policy decision
+ */
+declare function buildRedirectResponse(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): NextResponse;
+/**
+ * Build challenge response (placeholder - future implementation)
+ */
+declare function buildChallengeResponse(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): NextResponse;
+/**
+ * Handle policy decision and return appropriate response
+ */
+declare function handlePolicyDecision(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): Promise<NextResponse | null>;
+/**
+ * Get policy (local, fetched, or fallback)
+ */
+declare function getPolicy(config: PolicyMiddlewareConfig): Promise<PolicyConfig>;
+/**
+ * Apply policy to a detection result
+ *
+ * This function can be used standalone to evaluate policy after detection.
+ * Supports extended config with skipPaths and includePaths for path-based filtering.
+ *
+ * @example
+ * ```typescript
+ * const result = await detector.analyze(context);
+ * const response = await applyPolicy(request, result, {
+ *   policy: { thresholds: { confidenceThreshold: 80 } },
+ *   skipPaths: ['/health', '/api/public/*'],
+ *   includePaths: ['/api/*'],
+ * });
+ *
+ * if (response) {
+ *   return response; // Policy blocked the request
+ * }
+ * ```
+ */
+declare function applyPolicy(request: NextRequest, detection: DetectionResult, config: NextJSPolicyMiddlewareConfig): Promise<NextResponse | null>;
+export { type NextJSPolicyMiddlewareConfig, type PolicyMiddlewareConfig, applyPolicy, buildBlockedResponse, buildChallengeResponse, buildRedirectResponse, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision };

package/dist/policy.d.ts ADDED Viewed

@@ -0,0 +1,150 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { DetectionResult, PolicyConfig, PolicyEvaluationResult, PolicyEvaluationContext } from '@kya-os/agentshield-shared';
+export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/agentshield-shared';
+/**
+ * Policy Integration for agentshield-nextjs
+ *
+ * This module provides policy evaluation support for the Next.js middleware.
+ * It can use:
+ * - Local policy configuration (static)
+ * - Fetched policy from AgentShield API (dynamic with caching)
+ * - Fallback/default policies
+ *
+ * @example
+ * ```typescript
+ * import { createPolicyMiddleware } from '@kya-os/agentshield-nextjs/policy';
+ *
+ * export default createPolicyMiddleware({
+ *   policy: {
+ *     enabled: true,
+ *     defaultAction: 'allow',
+ *     thresholds: { confidenceThreshold: 80, confidenceAction: 'block' },
+ *     allowList: [{ clientName: 'ChatGPT' }],
+ *   },
+ * });
+ * ```
+ */
+/**
+ * Policy middleware configuration
+ */
+interface PolicyMiddlewareConfig {
+    /**
+     * Local policy configuration (static)
+     * If provided, this policy is used instead of fetching from API
+     */
+    policy?: Partial<PolicyConfig>;
+    /**
+     * Fetch policy from AgentShield API
+     * Requires projectId and optionally an apiKey
+     */
+    fetchPolicy?: {
+        /** Project ID to fetch policy for */
+        projectId: string;
+        /** API base URL (defaults to production) */
+        apiUrl?: string;
+        /** API key for authentication */
+        apiKey?: string;
+        /** Cache TTL in seconds (default: 300) */
+        cacheTtlSeconds?: number;
+    };
+    /**
+     * Fallback policy to use when fetch fails
+     * Defaults to DEFAULT_POLICY (allow all)
+     */
+    fallbackPolicy?: Partial<PolicyConfig>;
+    /**
+     * Custom blocked response
+     */
+    blockedResponse?: {
+        status?: number;
+        message?: string;
+        headers?: Record<string, string>;
+    };
+    /**
+     * Default redirect URL for redirect actions
+     */
+    redirectUrl?: string;
+    /**
+     * Callback when policy decision is made
+     */
+    onPolicyDecision?: (request: NextRequest, decision: PolicyEvaluationResult, context: PolicyEvaluationContext) => void | Promise<void>;
+    /**
+     * Custom response builder for blocked requests
+     */
+    customBlockedResponse?: (request: NextRequest, decision: PolicyEvaluationResult) => NextResponse | Promise<NextResponse>;
+    /**
+     * Whether to fail open (allow) on policy evaluation errors
+     * Default: true (recommended for production)
+     */
+    failOpen?: boolean;
+    /**
+     * Enable debug logging
+     */
+    debug?: boolean;
+}
+/**
+ * Combined middleware configuration with policy support
+ */
+interface NextJSPolicyMiddlewareConfig extends PolicyMiddlewareConfig {
+    /**
+     * Paths to skip (in addition to policy excludedPaths)
+     */
+    skipPaths?: string[];
+    /**
+     * Only enforce on these paths (overrides policy includedPaths)
+     */
+    includePaths?: string[];
+}
+/**
+ * Create policy evaluation context from detection result and request
+ */
+declare function createContextFromDetection(detection: DetectionResult, request: NextRequest): PolicyEvaluationContext;
+/**
+ * Evaluate policy for a detection result
+ */
+declare function evaluatePolicyForDetection(detection: DetectionResult, request: NextRequest, policy: PolicyConfig): PolicyEvaluationResult;
+/**
+ * Build blocked response based on policy decision
+ */
+declare function buildBlockedResponse(decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): NextResponse;
+/**
+ * Build redirect response based on policy decision
+ */
+declare function buildRedirectResponse(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): NextResponse;
+/**
+ * Build challenge response (placeholder - future implementation)
+ */
+declare function buildChallengeResponse(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): NextResponse;
+/**
+ * Handle policy decision and return appropriate response
+ */
+declare function handlePolicyDecision(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): Promise<NextResponse | null>;
+/**
+ * Get policy (local, fetched, or fallback)
+ */
+declare function getPolicy(config: PolicyMiddlewareConfig): Promise<PolicyConfig>;
+/**
+ * Apply policy to a detection result
+ *
+ * This function can be used standalone to evaluate policy after detection.
+ * Supports extended config with skipPaths and includePaths for path-based filtering.
+ *
+ * @example
+ * ```typescript
+ * const result = await detector.analyze(context);
+ * const response = await applyPolicy(request, result, {
+ *   policy: { thresholds: { confidenceThreshold: 80 } },
+ *   skipPaths: ['/health', '/api/public/*'],
+ *   includePaths: ['/api/*'],
+ * });
+ *
+ * if (response) {
+ *   return response; // Policy blocked the request
+ * }
+ * ```
+ */
+declare function applyPolicy(request: NextRequest, detection: DetectionResult, config: NextJSPolicyMiddlewareConfig): Promise<NextResponse | null>;
+export { type NextJSPolicyMiddlewareConfig, type PolicyMiddlewareConfig, applyPolicy, buildBlockedResponse, buildChallengeResponse, buildRedirectResponse, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision };

package/dist/policy.js ADDED Viewed

@@ -0,0 +1,185 @@
+'use strict';
+var server = require('next/server');
+var agentshieldShared = require('@kya-os/agentshield-shared');
+// src/policy.ts
+function createContextFromDetection(detection, request) {
+  return agentshieldShared.createEvaluationContext({
+    agentType: detection.detectedAgent?.type,
+    agentName: detection.detectedAgent?.name,
+    agentVendor: detection.detectedAgent?.vendor,
+    confidence: detection.confidence,
+    riskLevel: detection.riskLevel,
+    path: request.nextUrl.pathname,
+    method: request.method,
+    signatureVerified: detection.verificationMethod === "signature",
+    isAuthenticated: false,
+    // TODO: integrate with auth
+    userAgent: request.headers.get("user-agent") || void 0
+  });
+}
+function evaluatePolicyForDetection(detection, request, policy) {
+  const context = createContextFromDetection(detection, request);
+  return agentshieldShared.evaluatePolicy(policy, context);
+}
+function buildBlockedResponse(decision, config) {
+  const status = config.blockedResponse?.status ?? 403;
+  const message = config.blockedResponse?.message ?? decision.message ?? "Access denied";
+  const response = server.NextResponse.json(
+    {
+      error: message,
+      code: "POLICY_BLOCKED",
+      reason: decision.reason,
+      ruleId: decision.ruleId,
+      matchType: decision.matchType
+    },
+    { status }
+  );
+  if (config.blockedResponse?.headers) {
+    for (const [key, value] of Object.entries(config.blockedResponse.headers)) {
+      response.headers.set(key, value);
+    }
+  }
+  response.headers.set("X-AgentShield-Action", decision.action);
+  response.headers.set("X-AgentShield-Reason", decision.reason);
+  response.headers.set("X-AgentShield-MatchType", decision.matchType);
+  return response;
+}
+function buildRedirectResponse(request, decision, config) {
+  const redirectUrl = decision.redirectUrl || config.redirectUrl || "/blocked";
+  const url = new URL(redirectUrl, request.url);
+  url.searchParams.set("reason", decision.reason);
+  if (decision.ruleId) {
+    url.searchParams.set("ruleId", decision.ruleId);
+  }
+  return server.NextResponse.redirect(url);
+}
+function buildChallengeResponse(request, decision, config) {
+  return buildRedirectResponse(request, decision, config);
+}
+async function handlePolicyDecision(request, decision, config) {
+  switch (decision.action) {
+    case agentshieldShared.ENFORCEMENT_ACTIONS.BLOCK:
+      if (config.customBlockedResponse) {
+        return await config.customBlockedResponse(request, decision);
+      }
+      return buildBlockedResponse(decision, config);
+    case agentshieldShared.ENFORCEMENT_ACTIONS.REDIRECT:
+      return buildRedirectResponse(request, decision, config);
+    case agentshieldShared.ENFORCEMENT_ACTIONS.CHALLENGE:
+      return buildChallengeResponse(request, decision, config);
+    case agentshieldShared.ENFORCEMENT_ACTIONS.LOG:
+      console.log("[AgentShield] Policy decision (log):", {
+        path: request.nextUrl.pathname,
+        action: decision.action,
+        reason: decision.reason,
+        matchType: decision.matchType,
+        ruleId: decision.ruleId
+      });
+      return null;
+    // Continue to allow
+    case agentshieldShared.ENFORCEMENT_ACTIONS.ALLOW:
+    default:
+      return null;
+  }
+}
+var fetcherCache = /* @__PURE__ */ new Map();
+function getFetcherCacheKey(config) {
+  return `${config.apiUrl ?? "default"}:${config.apiKey ?? ""}:${config.cacheTtlSeconds ?? "default"}`;
+}
+function getPolicyFetcher(config) {
+  if (!config) {
+    throw new Error("fetchPolicy config required");
+  }
+  const cacheKey = getFetcherCacheKey(config);
+  let fetcher = fetcherCache.get(cacheKey);
+  if (!fetcher) {
+    const fetcherConfig = {
+      apiBaseUrl: config.apiUrl || "https://kya.vouched.id",
+      apiKey: config.apiKey,
+      cacheTtlSeconds: config.cacheTtlSeconds
+    };
+    fetcher = agentshieldShared.createPolicyFetcher(fetcherConfig);
+    fetcherCache.set(cacheKey, fetcher);
+  }
+  return fetcher;
+}
+async function getPolicy(config) {
+  if (config.policy) {
+    return agentshieldShared.PolicyConfigSchema.parse({ ...agentshieldShared.DEFAULT_POLICY, ...config.policy });
+  }
+  if (config.fetchPolicy) {
+    try {
+      const fetcher = getPolicyFetcher(config.fetchPolicy);
+      return await fetcher.getPolicy(config.fetchPolicy.projectId);
+    } catch (error) {
+      if (config.debug) {
+        console.warn("[AgentShield] Policy fetch failed, using fallback:", error);
+      }
+      return agentshieldShared.PolicyConfigSchema.parse({
+        ...agentshieldShared.DEFAULT_POLICY,
+        ...config.fallbackPolicy || {}
+      });
+    }
+  }
+  return agentshieldShared.PolicyConfigSchema.parse(agentshieldShared.DEFAULT_POLICY);
+}
+async function applyPolicy(request, detection, config) {
+  try {
+    const path = request.nextUrl.pathname;
+    if (config.skipPaths?.some((pattern) => agentshieldShared.matchPath(path, pattern))) {
+      return null;
+    }
+    if (config.includePaths && config.includePaths.length > 0) {
+      if (!config.includePaths.some((pattern) => agentshieldShared.matchPath(path, pattern))) {
+        return null;
+      }
+    }
+    const policy = await getPolicy(config);
+    const context = createContextFromDetection(detection, request);
+    const decision = agentshieldShared.evaluatePolicy(policy, context);
+    if (config.onPolicyDecision) {
+      await config.onPolicyDecision(request, decision, context);
+    }
+    return await handlePolicyDecision(request, decision, config);
+  } catch (error) {
+    if (config.debug) {
+      console.error("[AgentShield] Policy evaluation error:", error);
+    }
+    if (config.failOpen !== false) {
+      return null;
+    }
+    return server.NextResponse.json(
+      { error: "Security check failed", code: "POLICY_ERROR" },
+      { status: 503 }
+    );
+  }
+}
+Object.defineProperty(exports, "DEFAULT_POLICY", {
+  enumerable: true,
+  get: function () { return agentshieldShared.DEFAULT_POLICY; }
+});
+Object.defineProperty(exports, "ENFORCEMENT_ACTIONS", {
+  enumerable: true,
+  get: function () { return agentshieldShared.ENFORCEMENT_ACTIONS; }
+});
+Object.defineProperty(exports, "createEvaluationContext", {
+  enumerable: true,
+  get: function () { return agentshieldShared.createEvaluationContext; }
+});
+Object.defineProperty(exports, "evaluatePolicy", {
+  enumerable: true,
+  get: function () { return agentshieldShared.evaluatePolicy; }
+});
+exports.applyPolicy = applyPolicy;
+exports.buildBlockedResponse = buildBlockedResponse;
+exports.buildChallengeResponse = buildChallengeResponse;
+exports.buildRedirectResponse = buildRedirectResponse;
+exports.createContextFromDetection = createContextFromDetection;
+exports.evaluatePolicyForDetection = evaluatePolicyForDetection;
+exports.getPolicy = getPolicy;
+exports.handlePolicyDecision = handlePolicyDecision;
+//# sourceMappingURL=policy.js.map
+//# sourceMappingURL=policy.js.map

package/dist/policy.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/policy.ts"],"names":["createEvaluationContext","evaluatePolicy","NextResponse","ENFORCEMENT_ACTIONS","createPolicyFetcher","PolicyConfigSchema","DEFAULT_POLICY","matchPath"],"mappings":";;;;;;AAwJO,SAAS,0BAAA,CACd,WACA,OAAA,EACyB;AACzB,EAAA,OAAOA,yCAAA,CAAwB;AAAA,IAC7B,SAAA,EAAW,UAAU,aAAA,EAAe,IAAA;AAAA,IACpC,SAAA,EAAW,UAAU,aAAA,EAAe,IAAA;AAAA,IACpC,WAAA,EAAa,UAAU,aAAA,EAAe,MAAA;AAAA,IACtC,YAAY,SAAA,CAAU,UAAA;AAAA,IACtB,WAAW,SAAA,CAAU,SAAA;AAAA,IACrB,IAAA,EAAM,QAAQ,OAAA,CAAQ,QAAA;AAAA,IACtB,QAAQ,OAAA,CAAQ,MAAA;AAAA,IAChB,iBAAA,EAAmB,UAAU,kBAAA,KAAuB,WAAA;AAAA,IACpD,eAAA,EAAiB,KAAA;AAAA;AAAA,IACjB,SAAA,EAAW,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA,IAAK;AAAA,GACjD,CAAA;AACH;AAKO,SAAS,0BAAA,CACd,SAAA,EACA,OAAA,EACA,MAAA,EACwB;AACxB,EAAA,MAAM,OAAA,GAAU,0BAAA,CAA2B,SAAA,EAAW,OAAO,CAAA;AAC7D,EAAA,OAAOC,gCAAA,CAAe,QAAQ,OAAO,CAAA;AACvC;AASO,SAAS,oBAAA,CACd,UACA,MAAA,EACc;AACd,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,eAAA,EAAiB,MAAA,IAAU,GAAA;AACjD,EAAA,MAAM,OAAA,GAAU,MAAA,CAAO,eAAA,EAAiB,OAAA,IAAW,SAAS,OAAA,IAAW,eAAA;AAEvE,EAAA,MAAM,WAAWC,mBAAA,CAAa,IAAA;AAAA,IAC5B;AAAA,MACE,KAAA,EAAO,OAAA;AAAA,MACP,IAAA,EAAM,gBAAA;AAAA,MACN,QAAQ,QAAA,CAAS,MAAA;AAAA,MACjB,QAAQ,QAAA,CAAS,MAAA;AAAA,MACjB,WAAW,QAAA,CAAS;AAAA,KACtB;AAAA,IACA,EAAE,MAAA;AAAO,GACX;AAGA,EAAA,IAAI,MAAA,CAAO,iBAAiB,OAAA,EAAS;AACnC,IAAA,KAAA,MAAW,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAA,CAAQ,MAAA,CAAO,eAAA,CAAgB,OAAO,CAAA,EAAG;AACzE,MAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IACjC;AAAA,EACF;AAGA,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,sBAAA,EAAwB,QAAA,CAAS,MAAM,CAAA;AAC5D,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,sBAAA,EAAwB,QAAA,CAAS,MAAM,CAAA;AAC5D,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,yBAAA,EAA2B,QAAA,CAAS,SAAS,CAAA;AAElE,EAAA,OAAO,QAAA;AACT;AAKO,SAAS,qBAAA,CACd,OAAA,EACA,QAAA,EACA,MAAA,EACc;AACd,EAAA,MAAM,WAAA,GAAc,QAAA,CAAS,WAAA,IAAe,MAAA,CAAO,WAAA,IAAe,UAAA;AAClE,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,WAAA,EAAa,QAAQ,GAAG,CAAA;AAG5C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,QAAA,EAAU,QAAA,CAAS,MAAM,CAAA;AAC9C,EAAA,IAAI,SAAS,MAAA,EAAQ;AACnB,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,QAAA,EAAU,QAAA,CAAS,MAAM,CAAA;AAAA,EAChD;AAEA,EAAA,OAAOA,mBAAA,CAAa,SAAS,GAAG,CAAA;AAClC;AAKO,SAAS,sBAAA,CACd,OAAA,EACA,QAAA,EACA,MAAA,EACc;AAGd,EAAA,OAAO,qBAAA,CAAsB,OAAA,EAAS,QAAA,EAAU,MAAM,CAAA;AACxD;AASA,eAAsB,oBAAA,CACpB,OAAA,EACA,QAAA,EACA,MAAA,EAC8B;AAC9B,EAAA,QAAQ,SAAS,MAAA;AAAQ,IACvB,KAAKC,qCAAA,CAAoB,KAAA;AACvB,MAAA,IAAI,OAAO,qBAAA,EAAuB;AAChC,QAAA,OAAO,MAAM,MAAA,CAAO,qBAAA,CAAsB,OAAA,EAAS,QAAQ,CAAA;AAAA,MAC7D;AACA,MAAA,OAAO,oBAAA,CAAqB,UAAU,MAAM,CAAA;AAAA,IAE9C,KAAKA,qCAAA,CAAoB,QAAA;AACvB,MAAA,OAAO,qBAAA,CAAsB,OAAA,EAAS,QAAA,EAAU,MAAM,CAAA;AAAA,IAExD,KAAKA,qCAAA,CAAoB,SAAA;AACvB,MAAA,OAAO,sBAAA,CAAuB,OAAA,EAAS,QAAA,EAAU,MAAM,CAAA;AAAA,IAEzD,KAAKA,qCAAA,CAAoB,GAAA;AAGvB,MAAA,OAAA,CAAQ,IAAI,sCAAA,EAAwC;AAAA,QAClD,IAAA,EAAM,QAAQ,OAAA,CAAQ,QAAA;AAAA,QACtB,QAAQ,QAAA,CAAS,MAAA;AAAA,QACjB,QAAQ,QAAA,CAAS,MAAA;AAAA,QACjB,WAAW,QAAA,CAAS,SAAA;AAAA,QACpB,QAAQ,QAAA,CAAS;AAAA,OAClB,CAAA;AACD,MAAA,OAAO,IAAA;AAAA;AAAA,IAET,KAAKA,qCAAA,CAAoB,KAAA;AAAA,IACzB;AACE,MAAA,OAAO,IAAA;AAAA;AAEb;AAQA,IAAM,YAAA,uBAAmB,GAAA,EAA2B;AAMpD,SAAS,mBAAmB,MAAA,EAAoE;AAC9F,EAAA,OAAO,CAAA,EAAG,MAAA,CAAO,MAAA,IAAU,SAAS,CAAA,CAAA,EAAI,MAAA,CAAO,MAAA,IAAU,EAAE,CAAA,CAAA,EAAI,MAAA,CAAO,eAAA,IAAmB,SAAS,CAAA,CAAA;AACpG;AAKA,SAAS,iBAAiB,MAAA,EAA8D;AACtF,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,MAAM,QAAA,GAAW,mBAAmB,MAAM,CAAA;AAC1C,EAAA,IAAI,OAAA,GAAU,YAAA,CAAa,GAAA,CAAI,QAAQ,CAAA;AAEvC,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,aAAA,GAAqC;AAAA,MACzC,UAAA,EAAY,OAAO,MAAA,IAAU,wBAAA;AAAA,MAC7B,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,iBAAiB,MAAA,CAAO;AAAA,KAC1B;AACA,IAAA,OAAA,GAAUC,sCAAoB,aAAa,CAAA;AAC3C,IAAA,YAAA,CAAa,GAAA,CAAI,UAAU,OAAO,CAAA;AAAA,EACpC;AAEA,EAAA,OAAO,OAAA;AACT;AAKA,eAAsB,UAAU,MAAA,EAAuD;AAErF,EAAA,IAAI,OAAO,MAAA,EAAQ;AACjB,IAAA,OAAOC,oCAAA,CAAmB,MAAM,EAAE,GAAGC,kCAAgB,GAAG,MAAA,CAAO,QAAQ,CAAA;AAAA,EACzE;AAGA,EAAA,IAAI,OAAO,WAAA,EAAa;AACtB,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,gBAAA,CAAiB,MAAA,CAAO,WAAW,CAAA;AACnD,MAAA,OAAO,MAAM,OAAA,CAAQ,SAAA,CAAU,MAAA,CAAO,YAAY,SAAS,CAAA;AAAA,IAC7D,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,OAAO,KAAA,EAAO;AAChB,QAAA,OAAA,CAAQ,IAAA,CAAK,sDAAsD,KAAK,CAAA;AAAA,MAC1E;AAEA,MAAA,OAAOD,qCAAmB,KAAA,CAAM;AAAA,QAC9B,GAAGC,gCAAA;AAAA,QACH,GAAI,MAAA,CAAO,cAAA,IAAkB;AAAC,OAC/B,CAAA;AAAA,IACH;AAAA,EACF;AAGA,EAAA,OAAOD,oCAAA,CAAmB,MAAMC,gCAAc,CAAA;AAChD;AA0BA,eAAsB,WAAA,CACpB,OAAA,EACA,SAAA,EACA,MAAA,EAC8B;AAC9B,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,QAAQ,OAAA,CAAQ,QAAA;AAG7B,IAAA,IAAI,MAAA,CAAO,WAAW,IAAA,CAAK,CAAC,YAAYC,2BAAA,CAAU,IAAA,EAAM,OAAO,CAAC,CAAA,EAAG;AACjE,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,IAAI,MAAA,CAAO,YAAA,IAAgB,MAAA,CAAO,YAAA,CAAa,SAAS,CAAA,EAAG;AACzD,MAAA,IAAI,CAAC,MAAA,CAAO,YAAA,CAAa,IAAA,CAAK,CAAC,YAAYA,2BAAA,CAAU,IAAA,EAAM,OAAO,CAAC,CAAA,EAAG;AACpE,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAGA,IAAA,MAAM,MAAA,GAAS,MAAM,SAAA,CAAU,MAAM,CAAA;AAGrC,IAAA,MAAM,OAAA,GAAU,0BAAA,CAA2B,SAAA,EAAW,OAAO,CAAA;AAC7D,IAAA,MAAM,QAAA,GAAWN,gCAAA,CAAe,MAAA,EAAQ,OAAO,CAAA;AAG/C,IAAA,IAAI,OAAO,gBAAA,EAAkB;AAC3B,MAAA,MAAM,MAAA,CAAO,gBAAA,CAAiB,OAAA,EAAS,QAAA,EAAU,OAAO,CAAA;AAAA,IAC1D;AAGA,IAAA,OAAO,MAAM,oBAAA,CAAqB,OAAA,EAAS,QAAA,EAAU,MAAM,CAAA;AAAA,EAC7D,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,OAAO,KAAA,EAAO;AAChB,MAAA,OAAA,CAAQ,KAAA,CAAM,0CAA0C,KAAK,CAAA;AAAA,IAC/D;AAEA,IAAA,IAAI,MAAA,CAAO,aAAa,KAAA,EAAO;AAC7B,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,OAAOC,mBAAA,CAAa,IAAA;AAAA,MAClB,EAAE,KAAA,EAAO,uBAAA,EAAyB,IAAA,EAAM,cAAA,EAAe;AAAA,MACvD,EAAE,QAAQ,GAAA;AAAI,KAChB;AAAA,EACF;AACF","file":"policy.js","sourcesContent":["/**\n * Policy Integration for agentshield-nextjs\n *\n * This module provides policy evaluation support for the Next.js middleware.\n * It can use:\n * - Local policy configuration (static)\n * - Fetched policy from AgentShield API (dynamic with caching)\n * - Fallback/default policies\n *\n * @example\n * ```typescript\n * import { createPolicyMiddleware } from '@kya-os/agentshield-nextjs/policy';\n *\n * export default createPolicyMiddleware({\n * policy: {\n * enabled: true,\n * defaultAction: 'allow',\n * thresholds: { confidenceThreshold: 80, confidenceAction: 'block' },\n * allowList: [{ clientName: 'ChatGPT' }],\n * },\n * });\n * ```\n */\n\nimport { NextRequest, NextResponse } from 'next/server';\nimport {\n evaluatePolicy,\n createEvaluationContext,\n createPolicyFetcher,\n matchPath,\n PolicyFetcher,\n PolicyConfigSchema,\n ENFORCEMENT_ACTIONS,\n DEFAULT_POLICY,\n type PolicyConfig,\n type PolicyEvaluationContext,\n type PolicyEvaluationResult,\n type PolicyFetcherConfig,\n type DetectionResult,\n} from '@kya-os/agentshield-shared';\n\n// Re-export shared policy types for convenience\nexport {\n evaluatePolicy,\n createEvaluationContext,\n type PolicyConfig,\n type PolicyEvaluationContext,\n type PolicyEvaluationResult,\n ENFORCEMENT_ACTIONS,\n DEFAULT_POLICY,\n} from '@kya-os/agentshield-shared';\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * Policy middleware configuration\n */\nexport interface PolicyMiddlewareConfig {\n /**\n * Local policy configuration (static)\n * If provided, this policy is used instead of fetching from API\n */\n policy?: Partial<PolicyConfig>;\n\n /**\n * Fetch policy from AgentShield API\n * Requires projectId and optionally an apiKey\n */\n fetchPolicy?: {\n /** Project ID to fetch policy for */\n projectId: string;\n /** API base URL (defaults to production) */\n apiUrl?: string;\n /** API key for authentication */\n apiKey?: string;\n /** Cache TTL in seconds (default: 300) */\n cacheTtlSeconds?: number;\n };\n\n /**\n * Fallback policy to use when fetch fails\n * Defaults to DEFAULT_POLICY (allow all)\n */\n fallbackPolicy?: Partial<PolicyConfig>;\n\n /**\n * Custom blocked response\n */\n blockedResponse?: {\n status?: number;\n message?: string;\n headers?: Record<string, string>;\n };\n\n /**\n * Default redirect URL for redirect actions\n */\n redirectUrl?: string;\n\n /**\n * Callback when policy decision is made\n */\n onPolicyDecision?: (\n request: NextRequest,\n decision: PolicyEvaluationResult,\n context: PolicyEvaluationContext\n ) => void | Promise<void>;\n\n /**\n * Custom response builder for blocked requests\n */\n customBlockedResponse?: (\n request: NextRequest,\n decision: PolicyEvaluationResult\n ) => NextResponse | Promise<NextResponse>;\n\n /**\n * Whether to fail open (allow) on policy evaluation errors\n * Default: true (recommended for production)\n */\n failOpen?: boolean;\n\n /**\n * Enable debug logging\n */\n debug?: boolean;\n}\n\n/**\n * Combined middleware configuration with policy support\n */\nexport interface NextJSPolicyMiddlewareConfig extends PolicyMiddlewareConfig {\n /**\n * Paths to skip (in addition to policy excludedPaths)\n */\n skipPaths?: string[];\n\n /**\n * Only enforce on these paths (overrides policy includedPaths)\n */\n includePaths?: string[];\n}\n\n// ============================================================================\n// Policy Evaluation Helper\n// ============================================================================\n\n/**\n * Create policy evaluation context from detection result and request\n */\nexport function createContextFromDetection(\n detection: DetectionResult,\n request: NextRequest\n): PolicyEvaluationContext {\n return createEvaluationContext({\n agentType: detection.detectedAgent?.type,\n agentName: detection.detectedAgent?.name,\n agentVendor: detection.detectedAgent?.vendor,\n confidence: detection.confidence,\n riskLevel: detection.riskLevel,\n path: request.nextUrl.pathname,\n method: request.method,\n signatureVerified: detection.verificationMethod === 'signature',\n isAuthenticated: false, // TODO: integrate with auth\n userAgent: request.headers.get('user-agent') || undefined,\n });\n}\n\n/**\n * Evaluate policy for a detection result\n */\nexport function evaluatePolicyForDetection(\n detection: DetectionResult,\n request: NextRequest,\n policy: PolicyConfig\n): PolicyEvaluationResult {\n const context = createContextFromDetection(detection, request);\n return evaluatePolicy(policy, context);\n}\n\n// ============================================================================\n// Response Builders\n// ============================================================================\n\n/**\n * Build blocked response based on policy decision\n */\nexport function buildBlockedResponse(\n decision: PolicyEvaluationResult,\n config: PolicyMiddlewareConfig\n): NextResponse {\n const status = config.blockedResponse?.status ?? 403;\n const message = config.blockedResponse?.message ?? decision.message ?? 'Access denied';\n\n const response = NextResponse.json(\n {\n error: message,\n code: 'POLICY_BLOCKED',\n reason: decision.reason,\n ruleId: decision.ruleId,\n matchType: decision.matchType,\n },\n { status }\n );\n\n // Add custom headers\n if (config.blockedResponse?.headers) {\n for (const [key, value] of Object.entries(config.blockedResponse.headers)) {\n response.headers.set(key, value);\n }\n }\n\n // Add AgentShield headers\n response.headers.set('X-AgentShield-Action', decision.action);\n response.headers.set('X-AgentShield-Reason', decision.reason);\n response.headers.set('X-AgentShield-MatchType', decision.matchType);\n\n return response;\n}\n\n/**\n * Build redirect response based on policy decision\n */\nexport function buildRedirectResponse(\n request: NextRequest,\n decision: PolicyEvaluationResult,\n config: PolicyMiddlewareConfig\n): NextResponse {\n const redirectUrl = decision.redirectUrl || config.redirectUrl || '/blocked';\n const url = new URL(redirectUrl, request.url);\n\n // Add query params with policy info\n url.searchParams.set('reason', decision.reason);\n if (decision.ruleId) {\n url.searchParams.set('ruleId', decision.ruleId);\n }\n\n return NextResponse.redirect(url);\n}\n\n/**\n * Build challenge response (placeholder - future implementation)\n */\nexport function buildChallengeResponse(\n request: NextRequest,\n decision: PolicyEvaluationResult,\n config: PolicyMiddlewareConfig\n): NextResponse {\n // For now, treat challenge as redirect\n // Future: implement CAPTCHA, proof-of-work, etc.\n return buildRedirectResponse(request, decision, config);\n}\n\n// ============================================================================\n// Policy Handler\n// ============================================================================\n\n/**\n * Handle policy decision and return appropriate response\n */\nexport async function handlePolicyDecision(\n request: NextRequest,\n decision: PolicyEvaluationResult,\n config: PolicyMiddlewareConfig\n): Promise<NextResponse | null> {\n switch (decision.action) {\n case ENFORCEMENT_ACTIONS.BLOCK:\n if (config.customBlockedResponse) {\n return await config.customBlockedResponse(request, decision);\n }\n return buildBlockedResponse(decision, config);\n\n case ENFORCEMENT_ACTIONS.REDIRECT:\n return buildRedirectResponse(request, decision, config);\n\n case ENFORCEMENT_ACTIONS.CHALLENGE:\n return buildChallengeResponse(request, decision, config);\n\n case ENFORCEMENT_ACTIONS.LOG:\n // LOG action always logs - that's its purpose\n // (debug flag controls verbose debugging output, not LOG action behavior)\n console.log('[AgentShield] Policy decision (log):', {\n path: request.nextUrl.pathname,\n action: decision.action,\n reason: decision.reason,\n matchType: decision.matchType,\n ruleId: decision.ruleId,\n });\n return null; // Continue to allow\n\n case ENFORCEMENT_ACTIONS.ALLOW:\n default:\n return null; // Continue\n }\n}\n\n// ============================================================================\n// Policy Fetcher Integration\n// ============================================================================\n\n// Cache fetchers by config to avoid recreating them, but also support\n// different configurations (different apiUrl, apiKey, etc.)\nconst fetcherCache = new Map<string, PolicyFetcher>();\n\n/**\n * Generate a cache key for fetcher config.\n * Uses ?? to distinguish between explicit 0 and undefined values.\n */\nfunction getFetcherCacheKey(config: NonNullable<PolicyMiddlewareConfig['fetchPolicy']>): string {\n return `${config.apiUrl ?? 'default'}:${config.apiKey ?? ''}:${config.cacheTtlSeconds ?? 'default'}`;\n}\n\n/**\n * Get or create policy fetcher for the given config\n */\nfunction getPolicyFetcher(config: PolicyMiddlewareConfig['fetchPolicy']): PolicyFetcher {\n if (!config) {\n throw new Error('fetchPolicy config required');\n }\n\n const cacheKey = getFetcherCacheKey(config);\n let fetcher = fetcherCache.get(cacheKey);\n\n if (!fetcher) {\n const fetcherConfig: PolicyFetcherConfig = {\n apiBaseUrl: config.apiUrl || 'https://kya.vouched.id',\n apiKey: config.apiKey,\n cacheTtlSeconds: config.cacheTtlSeconds,\n };\n fetcher = createPolicyFetcher(fetcherConfig);\n fetcherCache.set(cacheKey, fetcher);\n }\n\n return fetcher;\n}\n\n/**\n * Get policy (local, fetched, or fallback)\n */\nexport async function getPolicy(config: PolicyMiddlewareConfig): Promise<PolicyConfig> {\n // Use local policy if provided\n if (config.policy) {\n return PolicyConfigSchema.parse({ ...DEFAULT_POLICY, ...config.policy });\n }\n\n // Fetch from API if configured\n if (config.fetchPolicy) {\n try {\n const fetcher = getPolicyFetcher(config.fetchPolicy);\n return await fetcher.getPolicy(config.fetchPolicy.projectId);\n } catch (error) {\n if (config.debug) {\n console.warn('[AgentShield] Policy fetch failed, using fallback:', error);\n }\n // Return fallback policy\n return PolicyConfigSchema.parse({\n ...DEFAULT_POLICY,\n ...(config.fallbackPolicy || {}),\n });\n }\n }\n\n // No policy configured - return default (allow all)\n return PolicyConfigSchema.parse(DEFAULT_POLICY);\n}\n\n// ============================================================================\n// Standalone Policy Middleware\n// ============================================================================\n\n/**\n * Apply policy to a detection result\n *\n * This function can be used standalone to evaluate policy after detection.\n * Supports extended config with skipPaths and includePaths for path-based filtering.\n *\n * @example\n * ```typescript\n * const result = await detector.analyze(context);\n * const response = await applyPolicy(request, result, {\n * policy: { thresholds: { confidenceThreshold: 80 } },\n * skipPaths: ['/health', '/api/public/*'],\n * includePaths: ['/api/*'],\n * });\n *\n * if (response) {\n * return response; // Policy blocked the request\n * }\n * ```\n */\nexport async function applyPolicy(\n request: NextRequest,\n detection: DetectionResult,\n config: NextJSPolicyMiddlewareConfig\n): Promise<NextResponse | null> {\n try {\n const path = request.nextUrl.pathname;\n\n // Check skipPaths - if path matches any skip pattern, allow through\n if (config.skipPaths?.some((pattern) => matchPath(path, pattern))) {\n return null; // Skip policy enforcement for this path\n }\n\n // Check includePaths - if defined, path must match at least one pattern\n if (config.includePaths && config.includePaths.length > 0) {\n if (!config.includePaths.some((pattern) => matchPath(path, pattern))) {\n return null; // Path not in included paths, skip policy enforcement\n }\n }\n\n // Get policy\n const policy = await getPolicy(config);\n\n // Create context and evaluate\n const context = createContextFromDetection(detection, request);\n const decision = evaluatePolicy(policy, context);\n\n // Call decision callback if provided\n if (config.onPolicyDecision) {\n await config.onPolicyDecision(request, decision, context);\n }\n\n // Handle decision\n return await handlePolicyDecision(request, decision, config);\n } catch (error) {\n if (config.debug) {\n console.error('[AgentShield] Policy evaluation error:', error);\n }\n\n if (config.failOpen !== false) {\n return null; // Allow on error\n }\n\n // Fail closed\n return NextResponse.json(\n { error: 'Security check failed', code: 'POLICY_ERROR' },\n { status: 503 }\n );\n }\n}\n"]}