@kya-os/agentshield-nextjs 0.2.9 → 0.2.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/agentshield-nextjs",
-  "version": "0.2.9",
+  "version": "0.2.11",
   "description": "Next.js middleware for AgentShield AI agent detection",
   "keywords": [
     "nextjs",
@@ -95,6 +95,22 @@
   "engines": {
     "node": ">=18.0.0"
   },
+  "scripts": {
+    "build": "tsup",
+    "build:watch": "tsup --watch",
+    "predev": "pnpm --filter=@kya-os/agentshield-shared build && pnpm --filter=@kya-os/agentshield build",
+    "dev": "tsup --watch",
+    "clean": "rimraf dist .tsbuildinfo",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "type-check": "tsc --noEmit",
+    "lint": "eslint src --ext .ts,.tsx",
+    "lint:fix": "eslint src --ext .ts,.tsx --fix",
+    "format": "prettier --write \"src/**/*.{ts,tsx,json,md}\"",
+    "format:check": "prettier --check \"src/**/*.{ts,tsx,json,md}\"",
+    "prepublishOnly": "pnpm build && pnpm test"
+  },
   "devDependencies": {
     "@testing-library/react": "^14.2.1",
     "@testing-library/react-hooks": "^8.0.1",
@@ -125,25 +141,10 @@
   },
   "sideEffects": false,
   "dependencies": {
+    "@kya-os/agentshield": "workspace:*",
+    "@kya-os/agentshield-shared": "workspace:*",
+    "@kya-os/agentshield-wasm-runtime": "workspace:*",
     "@noble/ed25519": "^2.2.3",
-    "@noble/hashes": "^2.0.1",
-    "@kya-os/agentshield": "0.1.39",
-    "@kya-os/agentshield-shared": "0.2.3",
-    "@kya-os/agentshield-wasm-runtime": "0.1.6"
-  },
-  "scripts": {
-    "build": "tsup",
-    "build:watch": "tsup --watch",
-    "predev": "pnpm --filter=@kya-os/agentshield-shared build && pnpm --filter=@kya-os/agentshield build",
-    "dev": "tsup --watch",
-    "clean": "rimraf dist .tsbuildinfo",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "type-check": "tsc --noEmit",
-    "lint": "eslint src --ext .ts,.tsx",
-    "lint:fix": "eslint src --ext .ts,.tsx --fix",
-    "format": "prettier --write \"src/**/*.{ts,tsx,json,md}\"",
-    "format:check": "prettier --check \"src/**/*.{ts,tsx,json,md}\""
+    "@noble/hashes": "^2.0.1"
   }
-}
+}

package/wasm/agentshield_wasm.d.ts

@@ -12,24 +12,156 @@ export function detect_agent(metadata: JsRequestMetadata): JsDetectionResult;
  * Get the version of the AgentShield library
  */
 export function version(): string;
+/**
+ * Get the version of the AgentShield library
+ */
+export function get_version(): string;
+/**
+ * Get build information
+ */
+export function get_build_info(): string;
+/**
+ * Verify an MCP-I proof (VC-JWT token)
+ *
+ * This function verifies a Verifiable Credential JWT and extracts the
+ * principal (issuer) and agent (subject) DIDs.
+ *
+ * # Arguments
+ *
+ * * `vc_jwt` - The VC-JWT token string (header.payload.signature)
+ * * `current_time_secs` - Current Unix timestamp in seconds (for expiration check)
+ *
+ * # Returns
+ *
+ * A `JsMcpIVerificationResult` with verification status and extracted DIDs.
+ */
+export function verify_mcp_i_proof(
+  vc_jwt: string,
+  current_time_secs: bigint
+): JsMcpIVerificationResult;
+/**
+ * Resolve a did:key identifier to its public key
+ *
+ * # Arguments
+ *
+ * * `did` - The did:key identifier (e.g., "did:key:z6Mkf...")
+ *
+ * # Returns
+ *
+ * A `JsDidKeyResult` with the resolved public key or an error.
+ */
+export function resolve_did_key_wasm(did: string): JsDidKeyResult;
+/**
+ * Check if a requested scope is permitted by granted scopes
+ *
+ * # Arguments
+ *
+ * * `requested` - The scope being requested (e.g., "read:email")
+ * * `granted_json` - JSON array of granted scopes (e.g., "[\"read:*\", \"write:calendar\"]")
+ *
+ * # Returns
+ *
+ * A `JsScopeCheckResult` indicating whether the scope is permitted.
+ */
+export function check_delegation_scope(requested: string, granted_json: string): JsScopeCheckResult;
+/**
+ * Verify a delegation with time constraints
+ *
+ * # Arguments
+ *
+ * * `requested` - The scope being requested
+ * * `granted_json` - JSON array of granted scopes
+ * * `not_before` - Optional Unix timestamp (0 to skip)
+ * * `not_after` - Optional Unix timestamp (0 to skip)
+ * * `current_time` - Current Unix timestamp (0 to skip time checks)
+ *
+ * # Returns
+ *
+ * A `JsScopeCheckResult` indicating whether the delegation is valid.
+ */
+export function verify_delegation_scope(
+  requested: string,
+  granted_json: string,
+  not_before: bigint,
+  not_after: bigint,
+  current_time: bigint
+): JsScopeCheckResult;
+/**
+ * Evaluate a request against a policy configuration
+ *
+ * # Arguments
+ *
+ * * `policy_json` - Policy configuration as JSON string
+ * * `context_json` - Evaluation context as JSON string
+ *
+ * # Returns
+ *
+ * A `JsPolicyEvaluationResult` with the enforcement action and reason.
+ *
+ * # Example
+ *
+ * ```javascript
+ * const policy = JSON.stringify({
+ *   version: "1.0.0",
+ *   enabled: true,
+ *   defaultAction: "allow",
+ *   thresholds: { confidenceThreshold: 80, confidenceAction: "block" },
+ *   denyList: [],
+ *   allowList: [],
+ *   rules: []
+ * });
+ *
+ * const context = JSON.stringify({
+ *   agentType: "ai_agent",
+ *   agentName: "ChatGPT",
+ *   confidence: 95
+ * });
+ *
+ * const result = evaluate_policy(policy, context);
+ * console.log(result.action); // "block" (confidence exceeded threshold)
+ * ```
+ */
+export function evaluate_policy(
+  policy_json: string,
+  context_json: string
+): JsPolicyEvaluationResult;
+/**
+ * Check if a policy allows a request (convenience function)
+ *
+ * # Arguments
+ *
+ * * `policy_json` - Policy configuration as JSON string
+ * * `context_json` - Evaluation context as JSON string
+ *
+ * # Returns
+ *
+ * `true` if the request is allowed, `false` otherwise.
+ */
+export function policy_allows(policy_json: string, context_json: string): boolean;
 /**
  * JavaScript-compatible detection result
  */
 export class JsDetectionResult {
   private constructor();
   free(): void;
+  [Symbol.dispose](): void;
   /**
    * Whether the request was identified as coming from an agent
    */
   is_agent: boolean;
   /**
-   * Confidence score (0.0 to 1.0)
+   * Confidence score (0.0 to 1.0 scale)
    */
   confidence: number;
   /**
    * Get the detected agent name
    */
   readonly agent: string | undefined;
+  /**
+   * Get the detection class for database storage
+   * Returns: 'human', 'ai_agent', 'bot', 'automation', or 'unknown'
+   */
+  readonly detection_class: string;
   /**
    * Get the verification method as a string
    */
@@ -43,15 +175,127 @@ export class JsDetectionResult {
    */
   readonly timestamp: string;
 }
+/**
+ * JavaScript-compatible result from did:key resolution
+ */
+export class JsDidKeyResult {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Whether the resolution was successful
+   */
+  success: boolean;
+  /**
+   * Get the public key as hex string
+   */
+  readonly public_key_hex: string | undefined;
+  /**
+   * Get the key type
+   */
+  readonly key_type: string | undefined;
+  /**
+   * Get the error message
+   */
+  readonly error: string | undefined;
+}
+/**
+ * JavaScript-compatible result from MCP-I verification
+ */
+export class JsMcpIVerificationResult {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Whether the verification was successful
+   */
+  verified: boolean;
+  /**
+   * Confidence score (0.0 to 1.0 scale) - 0.99 for verified MCP-I
+   */
+  confidence: number;
+  /**
+   * Get the issuer DID (principal)
+   */
+  readonly issuer_did: string | undefined;
+  /**
+   * Get the subject DID (agent)
+   */
+  readonly subject_did: string | undefined;
+  /**
+   * Get the error message
+   */
+  readonly error: string | undefined;
+}
+/**
+ * JavaScript-compatible policy evaluation result
+ */
+export class JsPolicyEvaluationResult {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Check if the action permits the request to proceed
+   * Returns true for 'allow' and 'log' (allow but log for monitoring)
+   */
+  is_allowed(): boolean;
+  /**
+   * Check if the action blocks the request
+   * Returns true for 'block', 'redirect', and 'challenge'
+   */
+  is_blocked(): boolean;
+  /**
+   * Convert to JSON string for serialization
+   */
+  to_json(): string;
+  /**
+   * Get the enforcement action
+   */
+  readonly action: string;
+  /**
+   * Get the reason for the action
+   */
+  readonly reason: string;
+  /**
+   * Get the matched rule ID
+   */
+  readonly rule_id: string | undefined;
+  /**
+   * Get the matched rule name
+   */
+  readonly rule_name: string | undefined;
+  /**
+   * Get the redirect URL
+   */
+  readonly redirect_url: string | undefined;
+  /**
+   * Get the custom message
+   */
+  readonly message: string | undefined;
+  /**
+   * Get the match type
+   */
+  readonly match_type: string;
+}
 /**
  * JavaScript-compatible request metadata
  */
 export class JsRequestMetadata {
   free(): void;
+  [Symbol.dispose](): void;
   /**
    * Constructor for JsRequestMetadata
    */
-  constructor(user_agent: string | null | undefined, ip_address: string | null | undefined, headers: string, timestamp: string);
+  constructor(
+    user_agent: string | null | undefined,
+    ip_address: string | null | undefined,
+    headers: string,
+    timestamp: string,
+    url?: string | null,
+    method?: string | null,
+    client_fingerprint?: string | null,
+    tls_fingerprint?: string | null
+  );
   /**
    * Get the user agent
    */
@@ -68,6 +312,46 @@ export class JsRequestMetadata {
    * Get the timestamp
    */
   readonly timestamp: string;
+  /**
+   * Get the URL
+   */
+  readonly url: string | undefined;
+  /**
+   * Get the method
+   */
+  readonly method: string | undefined;
+  /**
+   * Get the client fingerprint
+   */
+  readonly client_fingerprint: string | undefined;
+  /**
+   * Get the TLS fingerprint
+   */
+  readonly tls_fingerprint: string | undefined;
+}
+/**
+ * JavaScript-compatible result from scope check
+ */
+export class JsScopeCheckResult {
+  private constructor();
+  free(): void;
+  [Symbol.dispose](): void;
+  /**
+   * Whether the scope is permitted
+   */
+  permitted: boolean;
+  /**
+   * Get the matching scope
+   */
+  readonly matched_by: string | undefined;
+  /**
+   * Get the match type
+   */
+  readonly match_type: string;
+  /**
+   * Get the error message
+   */
+  readonly error: string | undefined;
 }
 
 export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module;
@@ -80,42 +364,116 @@ export interface InitOutput {
   readonly __wbg_get_jsdetectionresult_confidence: (a: number) => number;
   readonly __wbg_set_jsdetectionresult_confidence: (a: number, b: number) => void;
   readonly jsdetectionresult_agent: (a: number, b: number) => void;
+  readonly jsdetectionresult_detection_class: (a: number, b: number) => void;
   readonly jsdetectionresult_verification_method: (a: number, b: number) => void;
   readonly jsdetectionresult_risk_level: (a: number, b: number) => void;
   readonly jsdetectionresult_timestamp: (a: number, b: number) => void;
   readonly __wbg_jsrequestmetadata_free: (a: number, b: number) => void;
-  readonly jsrequestmetadata_new: (a: number, b: number, c: number, d: number, e: number, f: number, g: number, h: number) => number;
+  readonly jsrequestmetadata_new: (
+    a: number,
+    b: number,
+    c: number,
+    d: number,
+    e: number,
+    f: number,
+    g: number,
+    h: number,
+    i: number,
+    j: number,
+    k: number,
+    l: number,
+    m: number,
+    n: number,
+    o: number,
+    p: number
+  ) => number;
   readonly jsrequestmetadata_user_agent: (a: number, b: number) => void;
   readonly jsrequestmetadata_ip_address: (a: number, b: number) => void;
   readonly jsrequestmetadata_headers: (a: number, b: number) => void;
   readonly jsrequestmetadata_timestamp: (a: number, b: number) => void;
+  readonly jsrequestmetadata_url: (a: number, b: number) => void;
+  readonly jsrequestmetadata_method: (a: number, b: number) => void;
+  readonly jsrequestmetadata_client_fingerprint: (a: number, b: number) => void;
+  readonly jsrequestmetadata_tls_fingerprint: (a: number, b: number) => void;
   readonly init: () => void;
   readonly detect_agent: (a: number, b: number) => void;
+  readonly get_version: (a: number) => void;
+  readonly get_build_info: (a: number) => void;
+  readonly __wbg_jsmcpiverificationresult_free: (a: number, b: number) => void;
+  readonly __wbg_get_jsmcpiverificationresult_verified: (a: number) => number;
+  readonly __wbg_set_jsmcpiverificationresult_verified: (a: number, b: number) => void;
+  readonly jsmcpiverificationresult_issuer_did: (a: number, b: number) => void;
+  readonly jsmcpiverificationresult_subject_did: (a: number, b: number) => void;
+  readonly jsmcpiverificationresult_error: (a: number, b: number) => void;
+  readonly verify_mcp_i_proof: (a: number, b: number, c: bigint) => number;
+  readonly __wbg_jsdidkeyresult_free: (a: number, b: number) => void;
+  readonly __wbg_get_jsdidkeyresult_success: (a: number) => number;
+  readonly __wbg_set_jsdidkeyresult_success: (a: number, b: number) => void;
+  readonly jsdidkeyresult_public_key_hex: (a: number, b: number) => void;
+  readonly jsdidkeyresult_key_type: (a: number, b: number) => void;
+  readonly jsdidkeyresult_error: (a: number, b: number) => void;
+  readonly resolve_did_key_wasm: (a: number, b: number) => number;
+  readonly __wbg_jsscopecheckresult_free: (a: number, b: number) => void;
+  readonly jsscopecheckresult_matched_by: (a: number, b: number) => void;
+  readonly jsscopecheckresult_match_type: (a: number, b: number) => void;
+  readonly jsscopecheckresult_error: (a: number, b: number) => void;
+  readonly check_delegation_scope: (a: number, b: number, c: number, d: number) => number;
+  readonly verify_delegation_scope: (
+    a: number,
+    b: number,
+    c: number,
+    d: number,
+    e: bigint,
+    f: bigint,
+    g: bigint
+  ) => number;
+  readonly __wbg_jspolicyevaluationresult_free: (a: number, b: number) => void;
+  readonly jspolicyevaluationresult_action: (a: number, b: number) => void;
+  readonly jspolicyevaluationresult_reason: (a: number, b: number) => void;
+  readonly jspolicyevaluationresult_rule_id: (a: number, b: number) => void;
+  readonly jspolicyevaluationresult_rule_name: (a: number, b: number) => void;
+  readonly jspolicyevaluationresult_redirect_url: (a: number, b: number) => void;
+  readonly jspolicyevaluationresult_message: (a: number, b: number) => void;
+  readonly jspolicyevaluationresult_match_type: (a: number, b: number) => void;
+  readonly jspolicyevaluationresult_is_allowed: (a: number) => number;
+  readonly jspolicyevaluationresult_is_blocked: (a: number) => number;
+  readonly jspolicyevaluationresult_to_json: (a: number, b: number) => void;
+  readonly evaluate_policy: (a: number, b: number, c: number, d: number, e: number) => void;
+  readonly policy_allows: (a: number, b: number, c: number, d: number) => number;
   readonly version: (a: number) => void;
-  readonly __wbindgen_export_0: (a: number, b: number, c: number) => void;
-  readonly __wbindgen_export_1: (a: number, b: number) => number;
-  readonly __wbindgen_export_2: (a: number, b: number, c: number, d: number) => number;
+  readonly __wbg_get_jsscopecheckresult_permitted: (a: number) => number;
+  readonly __wbg_set_jsscopecheckresult_permitted: (a: number, b: number) => void;
+  readonly __wbg_set_jsmcpiverificationresult_confidence: (a: number, b: number) => void;
+  readonly __wbg_get_jsmcpiverificationresult_confidence: (a: number) => number;
+  readonly __wbindgen_export: (a: number, b: number, c: number) => void;
+  readonly __wbindgen_export2: (a: number, b: number) => number;
+  readonly __wbindgen_export3: (a: number, b: number, c: number, d: number) => number;
   readonly __wbindgen_add_to_stack_pointer: (a: number) => number;
   readonly __wbindgen_start: () => void;
 }
 
 export type SyncInitInput = BufferSource | WebAssembly.Module;
 /**
-* Instantiates the given `module`, which can either be bytes or
-* a precompiled `WebAssembly.Module`.
-*
-* @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated.
-*
-* @returns {InitOutput}
-*/
+ * Instantiates the given `module`, which can either be bytes or
+ * a precompiled `WebAssembly.Module`.
+ *
+ * @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated.
+ *
+ * @returns {InitOutput}
+ */
 export function initSync(module: { module: SyncInitInput } | SyncInitInput): InitOutput;
 
 /**
-* If `module_or_path` is {RequestInfo} or {URL}, makes a request and
-* for everything else, calls `WebAssembly.instantiate` directly.
-*
-* @param {{ module_or_path: InitInput | Promise<InitInput> }} module_or_path - Passing `InitInput` directly is deprecated.
-*
-* @returns {Promise<InitOutput>}
-*/
-export default function __wbg_init (module_or_path?: { module_or_path: InitInput | Promise<InitInput> } | InitInput | Promise<InitInput>): Promise<InitOutput>;
+ * If `module_or_path` is {RequestInfo} or {URL}, makes a request and
+ * for everything else, calls `WebAssembly.instantiate` directly.
+ *
+ * @param {{ module_or_path: InitInput | Promise<InitInput> }} module_or_path - Passing `InitInput` directly is deprecated.
+ *
+ * @returns {Promise<InitOutput>}
+ */
+export default function __wbg_init(
+  module_or_path?:
+    | { module_or_path: InitInput | Promise<InitInput> }
+    | InitInput
+    | Promise<InitInput>
+): Promise<InitOutput>;