@kya-os/agentshield-nextjs 0.3.2 → 0.3.5

package/dist/index.js

@@ -1,2717 +0,0 @@
-'use strict';
-
-var agentshieldShared = require('@kya-os/agentshield-shared');
-var server = require('next/server');
-var ed25519 = require('@noble/ed25519');
-var sha2_js = require('@noble/hashes/sha2.js');
-
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
-
-var ed25519__namespace = /*#__PURE__*/_interopNamespace(ed25519);
-
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
-};
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-// src/wasm-loader.ts
-function setWasmBaseUrl(url) {
-  baseUrl = url;
-}
-function getWasmUrl() {
-  if (baseUrl) {
-    try {
-      const url = new URL(baseUrl);
-      return `${url.origin}${WASM_PATH}`;
-    } catch {
-      return WASM_PATH;
-    }
-  }
-  return WASM_PATH;
-}
-async function initWasm() {
-  if (wasmExports) return true;
-  if (initPromise) {
-    await initPromise;
-    return !!wasmExports;
-  }
-  initPromise = (async () => {
-    try {
-      const controller = new AbortController();
-      const timeout = setTimeout(() => controller.abort(), 3e3);
-      try {
-        const wasmUrl = getWasmUrl();
-        if (typeof WebAssembly.instantiateStreaming === "function") {
-          try {
-            const response2 = await fetch(wasmUrl, { signal: controller.signal });
-            clearTimeout(timeout);
-            if (!response2.ok) {
-              throw new Error(`Failed to fetch WASM: ${response2.status}`);
-            }
-            const streamResponse = response2.clone();
-            const { instance } = await WebAssembly.instantiateStreaming(streamResponse, {
-              wbg: {
-                __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
-                  if (process.env.NODE_ENV !== "production") {
-                    console.debug("WASM:", ptr, len);
-                  }
-                },
-                __wbindgen_throw: (ptr, len) => {
-                  throw new Error(`WASM Error at ${ptr}, length ${len}`);
-                }
-              }
-            });
-            wasmInstance = instance;
-            wasmExports = instance.exports;
-            if (process.env.NODE_ENV !== "production") {
-              console.debug("[AgentShield] \u2705 WASM module initialized with streaming");
-            }
-            return;
-          } catch (streamError) {
-            if (!controller.signal.aborted) {
-              if (process.env.NODE_ENV !== "production") {
-                console.debug(
-                  "[AgentShield] Streaming compilation failed, falling back to standard compilation"
-                );
-              }
-            } else {
-              throw streamError;
-            }
-          }
-        }
-        const response = await fetch(wasmUrl, { signal: controller.signal });
-        clearTimeout(timeout);
-        if (!response.ok) {
-          throw new Error(`Failed to fetch WASM: ${response.status}`);
-        }
-        const wasmArrayBuffer = await response.arrayBuffer();
-        const compiledModule = await WebAssembly.compile(wasmArrayBuffer);
-        const imports = {
-          wbg: {
-            __wbg_log_1d3ae13c3d5e6b8e: (ptr, len) => {
-              if (process.env.NODE_ENV !== "production") {
-                console.debug("WASM:", ptr, len);
-              }
-            },
-            __wbindgen_throw: (ptr, len) => {
-              throw new Error(`WASM Error at ${ptr}, length ${len}`);
-            }
-          }
-        };
-        wasmInstance = await WebAssembly.instantiate(compiledModule, imports);
-        wasmExports = wasmInstance.exports;
-        if (process.env.NODE_ENV !== "production") {
-          console.debug("[AgentShield] \u2705 WASM module initialized via fallback");
-        }
-      } catch (fetchError) {
-        const error = fetchError;
-        if (error.name === "AbortError") {
-          console.warn(
-            "[AgentShield] WASM fetch timed out after 3 seconds - using pattern detection"
-          );
-        } else {
-          console.warn(
-            "[AgentShield] Failed to fetch WASM file:",
-            error.message || "Unknown error"
-          );
-        }
-        wasmExports = null;
-      }
-    } catch (error) {
-      console.error("[AgentShield] Failed to initialize WASM:", error);
-      wasmExports = null;
-    }
-  })();
-  await initPromise;
-  return !!wasmExports;
-}
-async function detectAgentWithWasm(_userAgent, _headers, _ipAddress) {
-  return null;
-}
-async function getWasmVersion() {
-  const initialized = await initWasm();
-  if (!initialized || !wasmExports) {
-    return null;
-  }
-  if (typeof wasmExports.version === "function") {
-    return wasmExports.version();
-  }
-  return "unknown";
-}
-async function isWasmAvailable() {
-  try {
-    const initialized = await initWasm();
-    if (!initialized) return false;
-    const version = await getWasmVersion();
-    return version !== null;
-  } catch {
-    return false;
-  }
-}
-var wasmInstance, wasmExports, initPromise, WASM_PATH, baseUrl;
-var init_wasm_loader = __esm({
-  "src/wasm-loader.ts"() {
-    wasmInstance = null;
-    wasmExports = null;
-    initPromise = null;
-    WASM_PATH = "/wasm/agentshield_wasm_bg.wasm";
-    baseUrl = null;
-  }
-});
-
-// src/edge-detector-with-wasm.ts
-var edge_detector_with_wasm_exports = {};
-__export(edge_detector_with_wasm_exports, {
-  EdgeAgentDetectorWithWasm: () => EdgeAgentDetectorWithWasm,
-  EdgeAgentDetectorWrapperWithWasm: () => EdgeAgentDetectorWrapperWithWasm
-});
-var rules2, EdgeAgentDetectorWithWasm, EdgeAgentDetectorWrapperWithWasm;
-var init_edge_detector_with_wasm = __esm({
-  "src/edge-detector-with-wasm.ts"() {
-    init_wasm_loader();
-    rules2 = agentshieldShared.loadRulesSync();
-    EdgeAgentDetectorWithWasm = class {
-      constructor(enableWasm = true) {
-        this.enableWasm = enableWasm;
-        this.rules = rules2;
-      }
-      wasmEnabled = false;
-      initPromise = null;
-      baseUrl = null;
-      rules;
-      /**
-       * Set the base URL for WASM loading in Edge Runtime
-       */
-      setBaseUrl(url) {
-        this.baseUrl = url;
-        setWasmBaseUrl(url);
-      }
-      /**
-       * Initialize the detector (including WASM if enabled)
-       */
-      async init() {
-        if (!this.enableWasm) {
-          this.wasmEnabled = false;
-          return;
-        }
-        if (this.initPromise) {
-          await this.initPromise;
-          return;
-        }
-        this.initPromise = (async () => {
-          try {
-            const wasmAvailable = await isWasmAvailable();
-            if (wasmAvailable) {
-              if (this.baseUrl) {
-                setWasmBaseUrl(this.baseUrl);
-              }
-              await initWasm();
-              this.wasmEnabled = true;
-            } else {
-              this.wasmEnabled = false;
-            }
-          } catch (error) {
-            console.error("[AgentShield] Failed to initialize WASM:", error);
-            this.wasmEnabled = false;
-          }
-        })();
-        await this.initPromise;
-      }
-      /**
-       * Pattern-based detection (fallback)
-       */
-      async patternDetection(input) {
-        const reasons = [];
-        let detectedAgent;
-        let verificationMethod;
-        let confidence = 0;
-        const headers = input.headers || {};
-        const normalizedHeaders = {};
-        for (const [key, value] of Object.entries(headers)) {
-          normalizedHeaders[key.toLowerCase()] = value;
-        }
-        const signaturePresent = !!(normalizedHeaders["signature"] || normalizedHeaders["signature-input"]);
-        const signatureAgent = normalizedHeaders["signature-agent"];
-        const isChatGPT = (() => {
-          try {
-            const url = new URL(signatureAgent?.replace(/^"|"$/g, "") || "");
-            return url.hostname === "chatgpt.com" || url.hostname.endsWith(".chatgpt.com");
-          } catch {
-            return false;
-          }
-        })();
-        if (isChatGPT) {
-          confidence = 85;
-          reasons.push("signature_agent:chatgpt");
-          detectedAgent = { type: "chatgpt", name: "ChatGPT" };
-          verificationMethod = "signature";
-        } else if (signaturePresent) {
-          confidence = Math.max(confidence, 40);
-          reasons.push("signature_present");
-        }
-        const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
-        if (userAgent) {
-          for (const [agentKey, agentRule] of Object.entries(this.rules.rules.userAgents)) {
-            const matched = agentRule.patterns.some((pattern) => {
-              const regex = new RegExp(pattern, "i");
-              return regex.test(userAgent);
-            });
-            if (matched) {
-              const agentType = this.getAgentType(agentKey);
-              const agentName = this.getAgentName(agentKey);
-              confidence = Math.max(confidence, Math.round(agentRule.confidence * 0.85 * 100));
-              reasons.push(`known_pattern:${agentType}`);
-              if (!detectedAgent) {
-                detectedAgent = { type: agentType, name: agentName };
-                verificationMethod = "pattern";
-              }
-              break;
-            }
-          }
-        }
-        const suspiciousHeaders = this.rules.rules.headers.suspicious;
-        const foundAiHeaders = suspiciousHeaders.filter(
-          (headerRule) => normalizedHeaders[headerRule.name.toLowerCase()]
-        );
-        if (foundAiHeaders.length > 0) {
-          const maxConfidence = Math.max(...foundAiHeaders.map((h) => h.confidence));
-          confidence = Math.max(confidence, maxConfidence);
-          reasons.push(`ai_headers:${foundAiHeaders.length}`);
-        }
-        const ip = input.ip || input.ipAddress;
-        if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
-          const ipRanges = "providers" in this.rules.rules.ipRanges ? this.rules.rules.ipRanges.providers : this.rules.rules.ipRanges;
-          for (const [provider, ipRule] of Object.entries(ipRanges)) {
-            if (!ipRule || typeof ipRule !== "object" || !("ranges" in ipRule) || !Array.isArray(ipRule.ranges))
-              continue;
-            const matched = ipRule.ranges.some((range) => {
-              const prefix = range.split("/")[0];
-              const prefixParts = prefix.split(".");
-              const ipParts = ip.split(".");
-              for (let i = 0; i < Math.min(prefixParts.length - 1, 2); i++) {
-                if (prefixParts[i] !== ipParts[i] && prefixParts[i] !== "0") {
-                  return false;
-                }
-              }
-              return true;
-            });
-            if (matched) {
-              confidence = Math.max(confidence, Math.round(ipRule.confidence * 0.4 * 100));
-              reasons.push(`cloud_provider:${provider}`);
-              break;
-            }
-          }
-        }
-        if (reasons.length > 2) {
-          confidence = Math.min(Math.round(confidence * 1.2), 95);
-        }
-        confidence = Math.min(Math.max(confidence, 0), 100);
-        return {
-          isAgent: confidence > 30,
-          // 30% threshold
-          confidence,
-          detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
-          signals: [],
-          // Will be populated by enhanced detection engine in future tasks
-          ...detectedAgent && { detectedAgent },
-          reasons,
-          ...verificationMethod && {
-            verificationMethod: agentshieldShared.mapVerificationMethod(verificationMethod)
-          },
-          forgeabilityRisk: confidence > 80 ? "medium" : "high",
-          timestamp: /* @__PURE__ */ new Date()
-        };
-      }
-      /**
-       * Analyze request with WASM enhancement when available
-       */
-      async analyze(input) {
-        await this.init();
-        if (this.wasmEnabled) {
-          try {
-            const wasmResult = await detectAgentWithWasm(
-              input.userAgent || input.headers?.["user-agent"],
-              input.headers || {},
-              input.ip || input.ipAddress
-            );
-            if (wasmResult) {
-              const detectedAgent = wasmResult.agent ? this.mapAgentName(wasmResult.agent) : void 0;
-              return {
-                isAgent: wasmResult.isAgent,
-                confidence: wasmResult.confidence,
-                detectionClass: wasmResult.isAgent && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : wasmResult.isAgent ? { type: "Unknown" } : { type: "Human" },
-                signals: [],
-                // Will be populated by enhanced detection engine in future tasks
-                ...detectedAgent && { detectedAgent },
-                reasons: [`wasm:${wasmResult.verificationMethod}`],
-                verificationMethod: agentshieldShared.mapVerificationMethod(wasmResult.verificationMethod),
-                forgeabilityRisk: wasmResult.verificationMethod === "signature" ? "low" : wasmResult.confidence > 90 ? "medium" : "high",
-                timestamp: /* @__PURE__ */ new Date()
-              };
-            }
-          } catch (error) {
-            console.error("[AgentShield] WASM detection error:", error);
-          }
-        }
-        const patternResult = await this.patternDetection(input);
-        if (this.wasmEnabled && patternResult.confidence >= 85) {
-          patternResult.confidence = Math.min(95, patternResult.confidence + 10);
-          patternResult.reasons.push("wasm_enhanced");
-        }
-        return patternResult;
-      }
-      /**
-       * Get agent type from rule key
-       */
-      getAgentType(agentKey) {
-        const typeMap = {
-          openai_gptbot: "openai",
-          anthropic_claude: "anthropic",
-          perplexity_bot: "perplexity",
-          google_ai: "google",
-          microsoft_ai: "microsoft",
-          meta_ai: "meta",
-          cohere_bot: "cohere",
-          huggingface_bot: "huggingface",
-          generic_bot: "generic",
-          dev_tools: "dev",
-          automation_tools: "automation"
-        };
-        return typeMap[agentKey] || agentKey;
-      }
-      /**
-       * Get agent name from rule key
-       */
-      getAgentName(agentKey) {
-        const nameMap = {
-          openai_gptbot: "ChatGPT/GPTBot",
-          anthropic_claude: "Claude",
-          perplexity_bot: "Perplexity",
-          google_ai: "Google AI",
-          microsoft_ai: "Microsoft Copilot",
-          meta_ai: "Meta AI",
-          cohere_bot: "Cohere",
-          huggingface_bot: "HuggingFace",
-          generic_bot: "Generic Bot",
-          dev_tools: "Development Tool",
-          automation_tools: "Automation Tool"
-        };
-        return nameMap[agentKey] || agentKey;
-      }
-      /**
-       * Map agent names from WASM to consistent format
-       */
-      mapAgentName(agent) {
-        const lowerAgent = agent.toLowerCase();
-        if (lowerAgent.includes("chatgpt")) {
-          return { type: "chatgpt", name: "ChatGPT" };
-        } else if (lowerAgent.includes("claude")) {
-          return { type: "claude", name: "Claude" };
-        } else if (lowerAgent.includes("perplexity")) {
-          return { type: "perplexity", name: "Perplexity" };
-        } else if (lowerAgent.includes("bing")) {
-          return { type: "bing", name: "Bing AI" };
-        } else if (lowerAgent.includes("anthropic")) {
-          return { type: "anthropic", name: "Anthropic" };
-        }
-        return { type: "unknown", name: agent };
-      }
-    };
-    EdgeAgentDetectorWrapperWithWasm = class {
-      detector;
-      events = /* @__PURE__ */ new Map();
-      constructor(config) {
-        this.detector = new EdgeAgentDetectorWithWasm(config?.enableWasm ?? true);
-        if (config?.baseUrl) {
-          this.detector.setBaseUrl(config.baseUrl);
-        }
-      }
-      setBaseUrl(url) {
-        this.detector.setBaseUrl(url);
-      }
-      async analyze(input) {
-        const result = await this.detector.analyze(input);
-        if (result.isAgent && this.events.has("agent.detected")) {
-          const handlers = this.events.get("agent.detected") || [];
-          handlers.forEach((handler) => handler(result, input));
-        }
-        return result;
-      }
-      on(event, handler) {
-        if (!this.events.has(event)) {
-          this.events.set(event, []);
-        }
-        this.events.get(event).push(handler);
-      }
-      emit(event, ...args) {
-        const handlers = this.events.get(event) || [];
-        handlers.forEach((handler) => handler(...args));
-      }
-      async init() {
-        await this.detector.init();
-      }
-    };
-  }
-});
-
-// src/wasm-confidence.ts
-var wasm_confidence_exports = {};
-__export(wasm_confidence_exports, {
-  checkWasmAvailability: () => checkWasmAvailability,
-  getVerificationMethod: () => getVerificationMethod,
-  getWasmConfidenceBoost: () => getWasmConfidenceBoost,
-  shouldIndicateWasmVerification: () => shouldIndicateWasmVerification
-});
-async function checkWasmAvailability() {
-  try {
-    if (typeof WebAssembly === "undefined") {
-      return false;
-    }
-    if (!WebAssembly.instantiate || !WebAssembly.Module) {
-      return false;
-    }
-    return true;
-  } catch {
-    return false;
-  }
-}
-function shouldIndicateWasmVerification(confidence) {
-  return confidence >= 85 && confidence < 100;
-}
-function getWasmConfidenceBoost(baseConfidence, reasons = []) {
-  if (reasons.some(
-    (r) => r.includes("signature_agent") && !r.includes("signature_headers_present")
-  )) {
-    return 100;
-  }
-  if (baseConfidence >= 85) {
-    return 95;
-  }
-  if (baseConfidence >= 70) {
-    return Math.min(baseConfidence * 1.1, 90);
-  }
-  return baseConfidence;
-}
-function getVerificationMethod(confidence, reasons = []) {
-  if (reasons.some(
-    (r) => r.includes("signature_agent") && !r.includes("signature_headers_present")
-  )) {
-    return "signature";
-  }
-  if (shouldIndicateWasmVerification(confidence)) {
-    return "wasm-enhanced";
-  }
-  return "pattern";
-}
-var init_wasm_confidence = __esm({
-  "src/wasm-confidence.ts"() {
-  }
-});
-ed25519__namespace.etc.sha512Sync = (...m) => sha2_js.sha512(ed25519__namespace.etc.concatBytes(...m));
-var KNOWN_KEYS = {
-  chatgpt: [
-    {
-      kid: "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
-      // ChatGPT's current Ed25519 public key (base64)
-      // Source: https://chatgpt.com/.well-known/http-message-signatures-directory
-      publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
-      validFrom: 1735689600,
-      // Jan 1, 2025 (nbf from OpenAI)
-      validUntil: 1769029093
-      // Jan 21, 2026 (exp from OpenAI)
-    }
-  ]
-};
-var keyCache = /* @__PURE__ */ new Map();
-var CACHE_TTL_MS = 5 * 60 * 1e3;
-var CACHE_MAX_SIZE = 100;
-function getApiBaseUrl() {
-  if (typeof window !== "undefined") {
-    return "/api/internal";
-  }
-  const baseUrl2 = process.env.NEXT_PUBLIC_APP_URL || process.env.NEXT_PUBLIC_API_URL || process.env.API_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : null);
-  if (baseUrl2) {
-    return baseUrl2.replace(/\/$/, "") + "/api/internal";
-  }
-  if (process.env.NODE_ENV !== "production") {
-    console.warn(
-      "[Signature] No base URL configured for server-side fetch. Using localhost fallback."
-    );
-    return "http://localhost:3000/api/internal";
-  }
-  console.error(
-    "[Signature] CRITICAL: No base URL configured for server-side fetch in production!"
-  );
-  return "/api/internal";
-}
-function cleanupExpiredCache() {
-  const now = Date.now();
-  const entriesToDelete = [];
-  for (const [agent, cached] of keyCache.entries()) {
-    if (now - cached.cachedAt > CACHE_TTL_MS) {
-      entriesToDelete.push(agent);
-    }
-  }
-  for (const agent of entriesToDelete) {
-    keyCache.delete(agent);
-  }
-  if (keyCache.size > CACHE_MAX_SIZE) {
-    const entries = Array.from(keyCache.entries()).map(([agent, cached]) => ({
-      agent,
-      cachedAt: cached.cachedAt
-    }));
-    entries.sort((a, b) => a.cachedAt - b.cachedAt);
-    const toRemove = entries.slice(0, keyCache.size - CACHE_MAX_SIZE);
-    for (const entry of toRemove) {
-      keyCache.delete(entry.agent);
-    }
-  }
-}
-async function fetchKeysFromApi(agent) {
-  if (keyCache.size > CACHE_MAX_SIZE) {
-    cleanupExpiredCache();
-  }
-  const cached = keyCache.get(agent);
-  if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {
-    return cached.keys;
-  }
-  if (typeof fetch === "undefined") {
-    console.warn("[Signature] fetch() not available in this environment");
-    return null;
-  }
-  try {
-    const apiBaseUrl = getApiBaseUrl();
-    const url = `${apiBaseUrl}/signature-keys?agent=${encodeURIComponent(agent)}`;
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      // 5 second timeout
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!response.ok) {
-      console.warn(`[Signature] Failed to fetch keys from API: ${response.status}`);
-      return null;
-    }
-    const data = await response.json();
-    if (!data.keys || !Array.isArray(data.keys) || data.keys.length === 0) {
-      console.warn(`[Signature] No keys returned from API for agent: ${agent}`);
-      return null;
-    }
-    keyCache.set(agent, {
-      keys: data.keys,
-      cachedAt: Date.now()
-    });
-    return data.keys;
-  } catch (error) {
-    console.warn("[Signature] Error fetching keys from API, using fallback", {
-      error: error instanceof Error ? error.message : "Unknown error",
-      agent
-    });
-    return null;
-  }
-}
-function isValidAgent(agent) {
-  return agent in KNOWN_KEYS;
-}
-async function getKeysForAgent(agent) {
-  const apiKeys = await fetchKeysFromApi(agent);
-  if (apiKeys && apiKeys.length > 0) {
-    return apiKeys;
-  }
-  if (isValidAgent(agent)) {
-    return KNOWN_KEYS[agent];
-  }
-  return [];
-}
-function parseSignatureInput(signatureInput) {
-  try {
-    const match = signatureInput.match(/sig1=\((.*?)\);(.+)/);
-    if (!match) return null;
-    const [, headersList, params] = match;
-    const signedHeaders = headersList ? headersList.split(" ").map((h) => h.replace(/"/g, "").trim()).filter((h) => h.length > 0) : [];
-    const keyidMatch = params ? params.match(/keyid="([^"]+)"/) : null;
-    const createdMatch = params ? params.match(/created=(\d+)/) : null;
-    const expiresMatch = params ? params.match(/expires=(\d+)/) : null;
-    if (!keyidMatch || !keyidMatch[1]) return null;
-    return {
-      keyid: keyidMatch[1],
-      created: createdMatch && createdMatch[1] ? parseInt(createdMatch[1]) : void 0,
-      expires: expiresMatch && expiresMatch[1] ? parseInt(expiresMatch[1]) : void 0,
-      signedHeaders
-    };
-  } catch (error) {
-    console.error("[Signature] Failed to parse Signature-Input:", error);
-    return null;
-  }
-}
-function buildSignatureBase(method, path, headers, signedHeaders) {
-  const components = [];
-  for (const headerName of signedHeaders) {
-    let value;
-    switch (headerName) {
-      case "@method":
-        value = method.toUpperCase();
-        break;
-      case "@path":
-        value = path;
-        break;
-      case "@authority":
-        value = headers["host"] || headers["Host"] || "";
-        break;
-      default: {
-        const key = Object.keys(headers).find((k) => k.toLowerCase() === headerName.toLowerCase());
-        value = key ? headers[key] || "" : "";
-        break;
-      }
-    }
-    components.push(`"${headerName}": ${value}`);
-  }
-  return components.join("\n");
-}
-function base64ToBytes(base64) {
-  let standardBase64 = base64.replace(/-/g, "+").replace(/_/g, "/");
-  const padding = standardBase64.length % 4;
-  if (padding) {
-    standardBase64 += "=".repeat(4 - padding);
-  }
-  const binaryString = atob(standardBase64);
-  return Uint8Array.from(binaryString, (c) => c.charCodeAt(0));
-}
-async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message) {
-  try {
-    const publicKeyBytes = base64ToBytes(publicKeyBase64);
-    const signatureBytes = base64ToBytes(signatureBase64);
-    const messageBytes = new TextEncoder().encode(message);
-    if (publicKeyBytes.length !== 32) {
-      console.error("[Signature] Invalid public key length:", publicKeyBytes.length);
-      return false;
-    }
-    if (signatureBytes.length !== 64) {
-      console.error("[Signature] Invalid signature length:", signatureBytes.length);
-      return false;
-    }
-    return ed25519__namespace.verify(signatureBytes, messageBytes, publicKeyBytes);
-  } catch (nobleError) {
-    console.warn("[Signature] @noble/ed25519 failed, trying Web Crypto fallback:", nobleError);
-    try {
-      const publicKeyBytes = base64ToBytes(publicKeyBase64);
-      const signatureBytes = base64ToBytes(signatureBase64);
-      const messageBytes = new TextEncoder().encode(message);
-      const publicKey = await crypto.subtle.importKey(
-        "raw",
-        publicKeyBytes.buffer,
-        {
-          name: "Ed25519",
-          namedCurve: "Ed25519"
-        },
-        false,
-        ["verify"]
-      );
-      return await crypto.subtle.verify(
-        "Ed25519",
-        publicKey,
-        signatureBytes.buffer,
-        messageBytes
-      );
-    } catch (cryptoError) {
-      console.error("[Signature] Both @noble/ed25519 and Web Crypto failed:", {
-        nobleError: nobleError instanceof Error ? nobleError.message : "Unknown",
-        cryptoError: cryptoError instanceof Error ? cryptoError.message : "Unknown"
-      });
-      return false;
-    }
-  }
-}
-async function verifyAgentSignature(method, path, headers) {
-  const signature = headers["signature"] || headers["Signature"];
-  const signatureInput = headers["signature-input"] || headers["Signature-Input"];
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signature || !signatureInput) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No signature headers present",
-      verificationMethod: "none"
-    };
-  }
-  const parsed = parseSignatureInput(signatureInput);
-  if (!parsed) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Invalid Signature-Input header",
-      verificationMethod: "none"
-    };
-  }
-  if (parsed.created) {
-    const now2 = Math.floor(Date.now() / 1e3);
-    const age = now2 - parsed.created;
-    if (age > 300) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature expired (older than 5 minutes)",
-        verificationMethod: "none"
-      };
-    }
-    if (age < -30) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature timestamp is in the future",
-        verificationMethod: "none"
-      };
-    }
-  }
-  let agent;
-  let agentKey;
-  const isChatGPT = signatureAgent === '"https://chatgpt.com"' || (() => {
-    try {
-      const url = new URL(signatureAgent?.replace(/^"|"$/g, "") || "");
-      return url.hostname === "chatgpt.com" || url.hostname.endsWith(".chatgpt.com");
-    } catch {
-      return false;
-    }
-  })();
-  if (isChatGPT) {
-    agent = "ChatGPT";
-    agentKey = "chatgpt";
-  }
-  if (!agent || !agentKey) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Unknown signature agent",
-      verificationMethod: "none"
-    };
-  }
-  const knownKeys = await getKeysForAgent(agentKey);
-  if (knownKeys.length === 0) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No keys available for agent",
-      verificationMethod: "none"
-    };
-  }
-  const key = knownKeys.find((k) => k.kid === parsed.keyid);
-  if (!key) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: `Unknown key ID: ${parsed.keyid}`,
-      verificationMethod: "none"
-    };
-  }
-  const now = Math.floor(Date.now() / 1e3);
-  if (now < key.validFrom || now > key.validUntil) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Key is not valid at current time",
-      verificationMethod: "none"
-    };
-  }
-  const signatureBase = buildSignatureBase(method, path, headers, parsed.signedHeaders);
-  let signatureValue = signature;
-  if (signatureValue.startsWith("sig1=:")) {
-    signatureValue = signatureValue.substring(6);
-  }
-  if (signatureValue.endsWith(":")) {
-    signatureValue = signatureValue.slice(0, -1);
-  }
-  const isValid = await verifyEd25519Signature(key.publicKey, signatureValue, signatureBase);
-  if (isValid) {
-    return {
-      isValid: true,
-      agent,
-      keyid: parsed.keyid,
-      confidence: 1,
-      // 100% confidence for valid signature
-      verificationMethod: "signature"
-    };
-  } else {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Signature verification failed",
-      verificationMethod: "none"
-    };
-  }
-}
-function hasSignatureHeaders(headers) {
-  return !!((headers["signature"] || headers["Signature"]) && (headers["signature-input"] || headers["Signature-Input"]));
-}
-function isChatGPTSignature(headers) {
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signatureAgent) {
-    return false;
-  }
-  const agentUrlStr = signatureAgent.replace(/^"+|"+$/g, "");
-  if (agentUrlStr === "https://chatgpt.com") {
-    return true;
-  }
-  try {
-    const agentUrl = new URL(agentUrlStr);
-    const allowedHosts = ["chatgpt.com", "www.chatgpt.com"];
-    return allowedHosts.includes(agentUrl.host);
-  } catch {
-    return false;
-  }
-}
-var rules = agentshieldShared.loadRulesSync();
-var EdgeAgentDetector = class {
-  rules;
-  constructor() {
-    this.rules = rules;
-  }
-  async analyze(input) {
-    const reasons = [];
-    let detectedAgent;
-    let verificationMethod;
-    let confidence = 0;
-    const headers = input.headers || {};
-    const normalizedHeaders = {};
-    for (const [key, value] of Object.entries(headers)) {
-      normalizedHeaders[key.toLowerCase()] = value;
-    }
-    if (hasSignatureHeaders(headers)) {
-      try {
-        const signatureResult = await verifyAgentSignature(
-          input.method || "GET",
-          input.url || "/",
-          headers
-        );
-        if (signatureResult.isValid) {
-          confidence = signatureResult.confidence * 100;
-          reasons.push(`verified_signature:${signatureResult.agent?.toLowerCase() || "unknown"}`);
-          if (signatureResult.agent) {
-            detectedAgent = {
-              type: signatureResult.agent.toLowerCase(),
-              name: signatureResult.agent
-            };
-          }
-          verificationMethod = signatureResult.verificationMethod;
-          if (signatureResult.keyid) {
-            reasons.push(`keyid:${signatureResult.keyid}`);
-          }
-        } else {
-          console.warn("[EdgeAgentDetector] Signature verification failed:", {
-            reason: signatureResult.reason,
-            agent: signatureResult.agent,
-            hasSignatureAgent: !!headers["signature-agent"] || !!headers["Signature-Agent"],
-            signatureAgentValue: headers["signature-agent"] || headers["Signature-Agent"]
-          });
-          confidence = Math.max(confidence, 30);
-          reasons.push("invalid_signature");
-          if (signatureResult.reason) {
-            reasons.push(`signature_error:${signatureResult.reason}`);
-          }
-          if (isChatGPTSignature(headers)) {
-            reasons.push("claims_chatgpt");
-            detectedAgent = { type: "chatgpt", name: "ChatGPT (unverified)" };
-          }
-        }
-      } catch (error) {
-        console.error("[EdgeAgentDetector] Signature verification error:", error);
-        confidence = Math.max(confidence, 20);
-        reasons.push("signature_verification_error");
-      }
-    }
-    const userAgent = input.userAgent || input.headers?.["user-agent"] || "";
-    if (userAgent) {
-      const userAgentEntries = Object.entries(this.rules.rules.userAgents);
-      const genericKeys = ["generic_bot", "dev_tools", "automation_tools"];
-      const sortedEntries = userAgentEntries.sort((a, b) => {
-        const aIsGeneric = genericKeys.includes(a[0]);
-        const bIsGeneric = genericKeys.includes(b[0]);
-        if (aIsGeneric && !bIsGeneric) return 1;
-        if (!aIsGeneric && bIsGeneric) return -1;
-        return 0;
-      });
-      for (const [agentKey, agentRule] of sortedEntries) {
-        const rule = agentRule;
-        const matched = rule.patterns.some((pattern) => {
-          const regex = new RegExp(pattern, "i");
-          return regex.test(userAgent);
-        });
-        if (matched) {
-          const agentType = this.getAgentType(agentKey);
-          const agentName = this.getAgentName(agentKey);
-          confidence = Math.max(confidence, rule.confidence * 100);
-          reasons.push(`known_pattern:${agentType}`);
-          if (!detectedAgent) {
-            detectedAgent = { type: agentType, name: agentName };
-            verificationMethod = "pattern";
-          }
-          break;
-        }
-      }
-    }
-    const suspiciousHeaders = this.rules.rules.headers.suspicious;
-    const foundAiHeaders = suspiciousHeaders.filter(
-      (headerRule) => normalizedHeaders[headerRule.name.toLowerCase()]
-    );
-    if (foundAiHeaders.length > 0) {
-      const maxConfidence = Math.max(...foundAiHeaders.map((h) => h.confidence * 100));
-      confidence = Math.max(confidence, maxConfidence);
-      reasons.push(`ai_headers:${foundAiHeaders.length}`);
-    }
-    const ip = input.ip || input.ipAddress;
-    if (ip && !normalizedHeaders["x-forwarded-for"] && !normalizedHeaders["x-real-ip"]) {
-      const ipRanges = "providers" in this.rules.rules.ipRanges ? this.rules.rules.ipRanges.providers : this.rules.rules.ipRanges;
-      for (const [provider, ipRule] of Object.entries(ipRanges)) {
-        if (!ipRule || typeof ipRule !== "object" || !("ranges" in ipRule) || !Array.isArray(ipRule.ranges))
-          continue;
-        const matched = ipRule.ranges.some((range) => {
-          const prefix = range.split("/")[0];
-          const prefixParts = prefix.split(".");
-          const ipParts = ip.split(".");
-          for (let i = 0; i < Math.min(prefixParts.length - 1, 2); i++) {
-            if (prefixParts[i] !== ipParts[i] && prefixParts[i] !== "0") {
-              return false;
-            }
-          }
-          return true;
-        });
-        if (matched) {
-          const rule = ipRule;
-          confidence = Math.max(confidence, rule.confidence * 40);
-          reasons.push(`cloud_provider:${provider}`);
-          break;
-        }
-      }
-    }
-    if (reasons.length > 2 && confidence < 100) {
-      confidence = Math.min(confidence * 1.2, 95);
-    }
-    confidence = Math.min(Math.max(confidence, 0), 100);
-    return {
-      isAgent: confidence > 30,
-      // Updated to 0-100 scale (was 0.3)
-      confidence,
-      detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
-      signals: [],
-      // Will be populated by enhanced detection engine in future tasks
-      ...detectedAgent && { detectedAgent },
-      reasons,
-      ...verificationMethod && {
-        verificationMethod
-      },
-      forgeabilityRisk: verificationMethod === "signature" ? "low" : confidence > 80 ? "medium" : "high",
-      // Updated to 0-100 scale
-      timestamp: /* @__PURE__ */ new Date()
-    };
-  }
-  /**
-   * Get agent type from rule key
-   */
-  getAgentType(agentKey) {
-    const typeMap = {
-      openai_gptbot: "openai",
-      anthropic_claude: "anthropic",
-      perplexity_bot: "perplexity",
-      google_ai: "google",
-      microsoft_ai: "microsoft",
-      meta_ai: "meta",
-      cohere_bot: "cohere",
-      huggingface_bot: "huggingface",
-      generic_bot: "generic",
-      dev_tools: "dev",
-      automation_tools: "automation"
-    };
-    return typeMap[agentKey] || agentKey;
-  }
-  /**
-   * Get agent name from rule key
-   */
-  getAgentName(agentKey) {
-    const nameMap = {
-      openai_gptbot: "ChatGPT/GPTBot",
-      anthropic_claude: "Claude",
-      perplexity_bot: "Perplexity",
-      google_ai: "Google AI",
-      microsoft_ai: "Microsoft Copilot",
-      meta_ai: "Meta AI",
-      cohere_bot: "Cohere",
-      huggingface_bot: "HuggingFace",
-      generic_bot: "Generic Bot",
-      dev_tools: "Development Tool",
-      automation_tools: "Automation Tool"
-    };
-    return nameMap[agentKey] || agentKey;
-  }
-};
-var EdgeAgentDetectorWrapper = class {
-  detector;
-  events = /* @__PURE__ */ new Map();
-  constructor(_config) {
-    this.detector = new EdgeAgentDetector();
-  }
-  async analyze(input) {
-    const result = await this.detector.analyze(input);
-    if (result.isAgent && this.events.has("agent.detected")) {
-      const handlers = this.events.get("agent.detected") || [];
-      handlers.forEach((handler) => handler(result, input));
-    }
-    return result;
-  }
-  on(event, handler) {
-    if (!this.events.has(event)) {
-      this.events.set(event, []);
-    }
-    this.events.get(event).push(handler);
-  }
-  emit(event, ...args) {
-    const handlers = this.events.get(event) || [];
-    handlers.forEach((handler) => handler(...args));
-  }
-  async init() {
-    return;
-  }
-};
-var EdgeSessionTracker = class {
-  config;
-  constructor(config) {
-    this.config = {
-      enabled: config.enabled,
-      cookieName: config.cookieName || "__agentshield_session",
-      cookieMaxAge: config.cookieMaxAge || 3600,
-      // 1 hour default
-      encryptionKey: config.encryptionKey || process.env.AGENTSHIELD_SECRET || "agentshield-default-key"
-    };
-  }
-  /**
-   * Track a new AI agent session
-   */
-  async track(_request, response, result) {
-    try {
-      if (!this.config.enabled || !agentshieldShared.shouldEnforce(result)) {
-        return response;
-      }
-      const sessionData = {
-        id: crypto.randomUUID(),
-        agent: result.detectedAgent?.name || "unknown",
-        confidence: result.confidence,
-        detectedAt: Date.now(),
-        expires: Date.now() + this.config.cookieMaxAge * 1e3
-      };
-      const encrypted = await this.encrypt(JSON.stringify(sessionData));
-      response.cookies.set(this.config.cookieName, encrypted, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === "production",
-        sameSite: "lax",
-        maxAge: this.config.cookieMaxAge,
-        path: "/"
-      });
-      return response;
-    } catch (error) {
-      if (process.env.DEBUG_AGENTSHIELD) {
-        console.warn("AgentShield: Failed to track session:", error);
-      }
-      return response;
-    }
-  }
-  /**
-   * Check for existing AI agent session
-   */
-  async check(request) {
-    try {
-      if (!this.config.enabled) {
-        return null;
-      }
-      const cookie = request.cookies.get(this.config.cookieName);
-      if (!cookie?.value) {
-        return null;
-      }
-      const decrypted = await this.decrypt(cookie.value);
-      const session = JSON.parse(decrypted);
-      if (session.expires < Date.now()) {
-        return null;
-      }
-      return session;
-    } catch (error) {
-      if (process.env.DEBUG_AGENTSHIELD) {
-        console.warn("AgentShield: Failed to check session:", error);
-      }
-      return null;
-    }
-  }
-  /**
-   * Clear an existing session
-   */
-  clear(response) {
-    try {
-      response.cookies.delete(this.config.cookieName);
-    } catch (error) {
-      if (process.env.DEBUG_AGENTSHIELD) {
-        console.warn("AgentShield: Failed to clear session:", error);
-      }
-    }
-    return response;
-  }
-  /**
-   * Simple encryption using Web Crypto API (Edge-compatible)
-   */
-  async encrypt(data) {
-    try {
-      const key = this.config.encryptionKey;
-      const encoded = new TextEncoder().encode(data);
-      const obfuscated = new Uint8Array(encoded.length);
-      for (let i = 0; i < encoded.length; i++) {
-        obfuscated[i] = (encoded[i] || 0) ^ key.charCodeAt(i % key.length);
-      }
-      return btoa(Array.from(obfuscated, (byte) => String.fromCharCode(byte)).join(""));
-    } catch (error) {
-      return btoa(data);
-    }
-  }
-  /**
-   * Simple decryption (Edge-compatible)
-   */
-  async decrypt(data) {
-    try {
-      const key = this.config.encryptionKey;
-      const decoded = Uint8Array.from(atob(data), (c) => c.charCodeAt(0));
-      const deobfuscated = new Uint8Array(decoded.length);
-      for (let i = 0; i < decoded.length; i++) {
-        deobfuscated[i] = (decoded[i] || 0) ^ key.charCodeAt(i % key.length);
-      }
-      return new TextDecoder().decode(deobfuscated);
-    } catch (error) {
-      return atob(data);
-    }
-  }
-};
-var StatelessSessionChecker = class {
-  static check(headers) {
-    try {
-      const agent = headers["kya-session-agent"];
-      const confidence = headers["kya-session-confidence"];
-      const sessionId = headers["kya-session-id"];
-      if (agent && confidence && sessionId) {
-        return {
-          id: sessionId,
-          agent,
-          confidence: parseFloat(confidence),
-          detectedAt: Date.now(),
-          expires: Date.now() + 36e5
-          // 1 hour
-        };
-      }
-      const cookieHeader = headers["cookie"];
-      if (cookieHeader && cookieHeader.includes("__agentshield_session=")) {
-        const match = cookieHeader.match(/__agentshield_session=([^;]+)/);
-        if (match && match[1]) {
-          try {
-            const decoded = atob(match[1]);
-            return JSON.parse(decoded);
-          } catch {
-          }
-        }
-      }
-      return null;
-    } catch {
-      return null;
-    }
-  }
-  static setHeaders(response, session) {
-    try {
-      if (response.setHeader) {
-        response.setHeader("KYA-Session-Agent", session.agent);
-        response.setHeader("KYA-Session-Confidence", session.confidence.toString());
-        response.setHeader("KYA-Session-Id", session.id);
-      } else if (response.headers && response.headers.set) {
-        response.headers.set("kya-session-agent", session.agent);
-        response.headers.set("kya-session-confidence", session.confidence.toString());
-        response.headers.set("kya-session-id", session.id);
-      }
-    } catch {
-    }
-  }
-};
-
-// src/utils.ts
-function getClientIp(request) {
-  const forwardedFor = request.headers.get("x-forwarded-for");
-  if (forwardedFor) {
-    const ip = forwardedFor.split(",")[0]?.trim();
-    if (ip) return ip;
-  }
-  const realIp = request.headers.get("x-real-ip");
-  if (realIp) return realIp;
-  const cfIp = request.headers.get("cf-connecting-ip");
-  if (cfIp) return cfIp;
-  const clientIp = request.headers.get("x-client-ip");
-  if (clientIp) return clientIp;
-  return void 0;
-}
-function safeHostname(url) {
-  try {
-    return new URL(url).hostname;
-  } catch {
-    return "this site";
-  }
-}
-function createAgentShieldMiddleware(config = {}) {
-  let detector = config.enableWasm ? null : new EdgeAgentDetectorWrapper(config);
-  let detectorInitPromise = null;
-  const sessionTracker = config.sessionTracking?.enabled || config.enableWasm ? new EdgeSessionTracker({
-    enabled: true,
-    ...config.sessionTracking
-  }) : null;
-  if (detector && config.events) {
-    Object.entries(config.events).forEach(([event, handler]) => {
-      if (handler) {
-        detector.on(event, handler);
-      }
-    });
-  }
-  const {
-    onAgentDetected = "log",
-    onDetection,
-    skipPaths = [],
-    blockedResponse = {
-      status: 403,
-      message: "Access denied: Automated agent detected",
-      headers: { "Content-Type": "application/json" }
-    },
-    redirectUrl = "/blocked",
-    rewriteUrl = "/blocked"
-  } = config;
-  return async (request) => {
-    try {
-      if (!detector) {
-        if (!detectorInitPromise) {
-          detectorInitPromise = (async () => {
-            const { EdgeAgentDetectorWrapperWithWasm: EdgeAgentDetectorWrapperWithWasm2 } = await Promise.resolve().then(() => (init_edge_detector_with_wasm(), edge_detector_with_wasm_exports));
-            detector = new EdgeAgentDetectorWrapperWithWasm2({ enableWasm: true });
-            if (config.events) {
-              Object.entries(config.events).forEach(([event, handler]) => {
-                if (handler) {
-                  detector.on(event, handler);
-                }
-              });
-            }
-          })();
-        }
-        await detectorInitPromise;
-      }
-      const activeDetector = detector;
-      const shouldSkip = skipPaths.some((pattern) => {
-        if (typeof pattern === "string") {
-          return request.nextUrl.pathname.startsWith(pattern);
-        }
-        return pattern.test(request.nextUrl.pathname);
-      });
-      if (shouldSkip) {
-        request.agentShield = { skipped: true };
-        return server.NextResponse.next();
-      }
-      const existingSession = sessionTracker ? await sessionTracker.check(request) : null;
-      if (existingSession) {
-        const response2 = server.NextResponse.next();
-        response2.headers.set("kya-detected", "true");
-        response2.headers.set("kya-agent", existingSession.agent);
-        response2.headers.set("kya-confidence", existingSession.confidence.toString());
-        response2.headers.set("kya-session", "continued");
-        response2.headers.set("kya-session-id", existingSession.id);
-        request.agentShield = {
-          result: {
-            isAgent: true,
-            confidence: existingSession.confidence,
-            detectionClass: { type: "AiAgent" },
-            detectedAgent: {
-              type: "ai_agent",
-              name: existingSession.agent
-            },
-            timestamp: /* @__PURE__ */ new Date(),
-            verificationMethod: "behavioral",
-            reasons: ["Session continued"],
-            signals: []
-          },
-          session: existingSession,
-          skipped: false
-        };
-        const context2 = {
-          userAgent: request.headers.get("user-agent") || "",
-          ipAddress: getClientIp(request) || "",
-          headers: Object.fromEntries(request.headers.entries()),
-          url: request.url,
-          method: request.method,
-          timestamp: /* @__PURE__ */ new Date()
-        };
-        activeDetector.emit("agent.session.continued", existingSession, context2);
-        return response2;
-      }
-      const userAgent = request.headers.get("user-agent");
-      const ipAddress = getClientIp(request);
-      const url = new URL(request.url);
-      const pathWithQuery = url.pathname + url.search;
-      const context = {
-        ...userAgent && { userAgent },
-        ...ipAddress && { ipAddress },
-        headers: Object.fromEntries(request.headers.entries()),
-        url: pathWithQuery,
-        // Use path instead of full URL for signature verification
-        method: request.method,
-        timestamp: /* @__PURE__ */ new Date()
-      };
-      const result = await activeDetector.analyze(context);
-      const decision = agentshieldShared.evaluateEnforcement(result, {
-        confidenceThreshold: config.confidenceThreshold,
-        defaultAction: onAgentDetected
-      });
-      if (decision.shouldNotify) {
-        if (onDetection) {
-          const customResponse = await onDetection(request, result);
-          if (customResponse) {
-            return customResponse;
-          }
-        }
-        switch (decision.action) {
-          case "block": {
-            const response2 = server.NextResponse.json(
-              {
-                error: blockedResponse.message,
-                detected: true,
-                confidence: result.confidence,
-                timestamp: result.timestamp
-              },
-              { status: blockedResponse.status }
-            );
-            if (blockedResponse.headers) {
-              Object.entries(blockedResponse.headers).forEach(([key, value]) => {
-                response2.headers.set(key, value);
-              });
-            }
-            activeDetector.emit("agent.blocked", result, context);
-            return response2;
-          }
-          case "redirect": {
-            const redirectTarget = new URL(redirectUrl, request.url);
-            const agentName = result.detectedAgent?.name;
-            if (agentName && !redirectTarget.searchParams.has("agent")) {
-              redirectTarget.searchParams.set("agent", agentName.toLowerCase());
-            }
-            return server.NextResponse.redirect(redirectTarget);
-          }
-          case "rewrite":
-            return server.NextResponse.rewrite(new URL(rewriteUrl, request.url));
-          case "log":
-            if (process.env.NODE_ENV !== "production") {
-              console.debug("AgentShield: Agent detected", {
-                ipAddress: context.ipAddress,
-                userAgent: context.userAgent,
-                confidence: result.confidence,
-                reasons: result.reasons,
-                pathname: request.nextUrl.pathname
-              });
-            }
-            break;
-          case "allow":
-          default:
-            activeDetector.emit("agent.allowed", result, context);
-            break;
-        }
-      }
-      request.agentShield = {
-        result,
-        skipped: false
-      };
-      let response = server.NextResponse.next();
-      response.headers.set("kya-detected", result.isAgent.toString());
-      response.headers.set("kya-confidence", result.confidence.toString());
-      if (result.detectedAgent?.name) {
-        response.headers.set("kya-agent", result.detectedAgent.name);
-      }
-      if (sessionTracker && decision.shouldNotify) {
-        response = await sessionTracker.track(request, response, result);
-        response.headers.set("kya-session", "new");
-        activeDetector.emit("agent.session.started", result, context);
-      }
-      return response;
-    } catch (error) {
-      console.error("AgentShield middleware error:", error);
-      return server.NextResponse.next();
-    }
-  };
-}
-
-// src/create-middleware.ts
-var middlewareInstance = null;
-var isInitializing = false;
-var initPromise2 = null;
-function createAgentShieldMiddleware2(config) {
-  return async function agentShieldMiddleware2(request) {
-    if (!middlewareInstance) {
-      if (!isInitializing) {
-        isInitializing = true;
-        initPromise2 = (async () => {
-          middlewareInstance = createAgentShieldMiddleware(config);
-          return middlewareInstance;
-        })();
-      }
-      if (initPromise2) {
-        middlewareInstance = await initPromise2;
-      }
-    }
-    return middlewareInstance ? middlewareInstance(request) : server.NextResponse.next();
-  };
-}
-
-// src/edge-safe-detector.ts
-var AI_AGENT_PATTERNS = [
-  { pattern: /chatgpt-user/i, type: "chatgpt", name: "ChatGPT" },
-  { pattern: /claude-web/i, type: "claude", name: "Claude" },
-  { pattern: /claude-user/i, type: "claude", name: "Claude" },
-  { pattern: /perplexitybot/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity-user/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /perplexity/i, type: "perplexity", name: "Perplexity" },
-  { pattern: /bingbot/i, type: "bing", name: "Bing AI" },
-  { pattern: /anthropic-ai/i, type: "anthropic", name: "Anthropic" }
-];
-var EdgeSafeDetector = class {
-  async analyze(input) {
-    const reasons = [];
-    let detectedAgent;
-    let confidence = 0;
-    const headers = input.headers || {};
-    const normalizedHeaders = {};
-    for (const [key, value] of Object.entries(headers)) {
-      normalizedHeaders[key.toLowerCase()] = value;
-    }
-    const userAgent = input.userAgent || normalizedHeaders["user-agent"] || "";
-    if (userAgent) {
-      for (const { pattern, type, name } of AI_AGENT_PATTERNS) {
-        if (pattern.test(userAgent)) {
-          confidence = 85;
-          reasons.push(`known_pattern:${type}`);
-          detectedAgent = { type, name };
-          break;
-        }
-      }
-    }
-    const hasChrome = userAgent.toLowerCase().includes("chrome");
-    const hasFirefox = userAgent.toLowerCase().includes("firefox");
-    const hasSafari = userAgent.toLowerCase().includes("safari");
-    const hasBrowserUA = hasChrome || hasFirefox || hasSafari;
-    if (hasBrowserUA) {
-      const hasSecChUa = !!normalizedHeaders["sec-ch-ua"];
-      const hasSecFetch = !!normalizedHeaders["sec-fetch-site"];
-      const hasAcceptLanguage = !!normalizedHeaders["accept-language"];
-      const hasCookies = !!normalizedHeaders["cookie"];
-      const missingHeaders = [];
-      if (!hasSecChUa && hasChrome) missingHeaders.push("sec-ch-ua");
-      if (!hasSecFetch) missingHeaders.push("sec-fetch");
-      if (!hasAcceptLanguage) missingHeaders.push("accept-language");
-      if (!hasCookies) missingHeaders.push("cookies");
-      if (missingHeaders.length >= 2) {
-        confidence = Math.max(confidence, 85);
-        reasons.push("browser_ua_missing_headers");
-        if (!detectedAgent && hasChrome && !hasSecChUa) {
-          detectedAgent = { type: "perplexity", name: "Perplexity" };
-        }
-      }
-    }
-    const aiHeaders = ["openai-conversation-id", "anthropic-client-id", "x-goog-api-client"];
-    const foundAiHeaders = aiHeaders.filter((h) => normalizedHeaders[h]);
-    if (foundAiHeaders.length > 0) {
-      confidence = Math.max(confidence, 60);
-      reasons.push(`ai_headers:${foundAiHeaders.length}`);
-    }
-    return {
-      isAgent: confidence > 30,
-      // Updated to 0-100 scale (was 0.3)
-      confidence,
-      detectionClass: confidence > 30 && detectedAgent ? { type: "AiAgent", agentType: detectedAgent.name } : confidence > 30 ? { type: "Unknown" } : { type: "Human" },
-      signals: [],
-      // Will be populated by enhanced detection engine in future tasks
-      detectedAgent,
-      reasons,
-      verificationMethod: "pattern",
-      timestamp: /* @__PURE__ */ new Date(),
-      confidenceLevel: confidence >= 80 ? "high" : confidence >= 50 ? "medium" : "low"
-      // Updated to 0-100 scale
-    };
-  }
-};
-
-// src/storage/memory-adapter.ts
-var MemoryStorageAdapter = class {
-  events = /* @__PURE__ */ new Map();
-  sessions = /* @__PURE__ */ new Map();
-  eventTimeline = [];
-  maxEvents = 1e3;
-  maxSessions = 100;
-  async storeEvent(event) {
-    const eventKey = `${event.timestamp}:${event.eventId}`;
-    this.events.set(eventKey, event);
-    this.eventTimeline.push({
-      timestamp: Date.parse(event.timestamp),
-      eventId: eventKey
-    });
-    this.eventTimeline.sort((a, b) => b.timestamp - a.timestamp);
-    if (this.eventTimeline.length > this.maxEvents) {
-      const removed = this.eventTimeline.splice(this.maxEvents);
-      removed.forEach((item) => this.events.delete(item.eventId));
-    }
-  }
-  async getRecentEvents(limit = 100) {
-    const recent = this.eventTimeline.slice(0, limit);
-    return recent.map((item) => this.events.get(item.eventId)).filter((event) => event !== void 0);
-  }
-  async getSessionEvents(sessionId) {
-    const events = [];
-    for (const event of this.events.values()) {
-      if (event.sessionId === sessionId) {
-        events.push(event);
-      }
-    }
-    return events.sort(
-      (a, b) => Date.parse(b.timestamp) - Date.parse(a.timestamp)
-    );
-  }
-  async storeSession(session) {
-    this.sessions.set(session.sessionId, session);
-    if (this.sessions.size > this.maxSessions) {
-      const sortedSessions = Array.from(this.sessions.entries()).sort((a, b) => Date.parse(b[1].lastSeen) - Date.parse(a[1].lastSeen));
-      const toRemove = sortedSessions.slice(this.maxSessions);
-      toRemove.forEach(([id]) => this.sessions.delete(id));
-    }
-  }
-  async getSession(sessionId) {
-    return this.sessions.get(sessionId) || null;
-  }
-  async getRecentSessions(limit = 10) {
-    const sorted = Array.from(this.sessions.values()).sort((a, b) => Date.parse(b.lastSeen) - Date.parse(a.lastSeen));
-    return sorted.slice(0, limit);
-  }
-  async cleanup(olderThan) {
-    const cutoff = olderThan.getTime();
-    this.eventTimeline = this.eventTimeline.filter((item) => {
-      if (item.timestamp < cutoff) {
-        this.events.delete(item.eventId);
-        return false;
-      }
-      return true;
-    });
-    for (const [id, session] of this.sessions.entries()) {
-      if (Date.parse(session.lastSeen) < cutoff) {
-        this.sessions.delete(id);
-      }
-    }
-  }
-};
-
-// src/storage/redis-adapter.ts
-var RedisStorageAdapter = class {
-  redis;
-  ttl;
-  keyPrefix = "agent-shield";
-  constructor(redis, ttl = 86400) {
-    this.redis = redis;
-    this.ttl = ttl;
-  }
-  eventKey(timestamp, eventId) {
-    return `${this.keyPrefix}:events:${timestamp}:${eventId}`;
-  }
-  sessionKey(sessionId) {
-    return `${this.keyPrefix}:sessions:${sessionId}`;
-  }
-  timelineKey() {
-    return `${this.keyPrefix}:events:timeline`;
-  }
-  async storeEvent(event) {
-    const key = this.eventKey(event.timestamp, event.eventId);
-    await this.redis.setex(key, this.ttl, JSON.stringify(event));
-    await this.redis.zadd(this.timelineKey(), {
-      score: Date.parse(event.timestamp),
-      member: key
-    });
-    const count = await this.redis.zcard(this.timelineKey());
-    if (count && count > 1e3) {
-      await this.redis.zremrangebyrank(this.timelineKey(), 0, -1001);
-    }
-  }
-  async getRecentEvents(limit = 100) {
-    const keys = await this.redis.zrevrange(this.timelineKey(), 0, limit - 1);
-    if (!keys || keys.length === 0) {
-      return [];
-    }
-    const events = [];
-    for (const key of keys) {
-      const data = await this.redis.get(key);
-      if (data) {
-        try {
-          const event = typeof data === "string" ? JSON.parse(data) : data;
-          events.push(event);
-        } catch (e) {
-          console.error(`Failed to parse event ${key}:`, e);
-        }
-      }
-    }
-    return events;
-  }
-  async getSessionEvents(sessionId) {
-    const keys = await this.redis.zrevrange(this.timelineKey(), 0, -1);
-    if (!keys || keys.length === 0) {
-      return [];
-    }
-    const events = [];
-    for (const key of keys) {
-      const data = await this.redis.get(key);
-      if (data) {
-        try {
-          const event = typeof data === "string" ? JSON.parse(data) : data;
-          if (event.sessionId === sessionId) {
-            events.push(event);
-          }
-        } catch (e) {
-          console.error(`Failed to parse event ${key}:`, e);
-        }
-      }
-    }
-    return events;
-  }
-  async storeSession(session) {
-    const key = this.sessionKey(session.sessionId);
-    const existing = await this.redis.get(key);
-    if (existing) {
-      const existingSession = typeof existing === "string" ? JSON.parse(existing) : existing;
-      const methods = /* @__PURE__ */ new Set([
-        ...existingSession.verificationMethods || [],
-        ...session.verificationMethods
-      ]);
-      const updatedSession = {
-        ...existingSession,
-        lastSeen: session.lastSeen,
-        eventCount: session.eventCount,
-        paths: Array.from(/* @__PURE__ */ new Set([...existingSession.paths, ...session.paths])),
-        averageConfidence: session.averageConfidence,
-        verificationMethods: Array.from(methods)
-      };
-      await this.redis.setex(key, this.ttl, JSON.stringify(updatedSession));
-    } else {
-      await this.redis.setex(key, this.ttl, JSON.stringify(session));
-    }
-  }
-  async getSession(sessionId) {
-    const key = this.sessionKey(sessionId);
-    const data = await this.redis.get(key);
-    if (!data) {
-      return null;
-    }
-    try {
-      return typeof data === "string" ? JSON.parse(data) : data;
-    } catch (e) {
-      console.error(`Failed to parse session ${sessionId}:`, e);
-      return null;
-    }
-  }
-  async getRecentSessions(limit = 10) {
-    const pattern = `${this.keyPrefix}:sessions:*`;
-    const sessions = [];
-    let cursor = 0;
-    do {
-      const [nextCursor, keys] = await this.redis.scan(cursor, {
-        match: pattern,
-        count: 100
-      });
-      cursor = parseInt(nextCursor);
-      for (const key of keys) {
-        const data = await this.redis.get(key);
-        if (data) {
-          try {
-            const session = typeof data === "string" ? JSON.parse(data) : data;
-            sessions.push(session);
-          } catch (e) {
-            console.error(`Failed to parse session from ${key}:`, e);
-          }
-        }
-      }
-    } while (cursor !== 0 && sessions.length < limit * 2);
-    return sessions.sort((a, b) => Date.parse(b.lastSeen) - Date.parse(a.lastSeen)).slice(0, limit);
-  }
-  async cleanup(olderThan) {
-    const cutoff = olderThan.getTime();
-    await this.redis.zremrangebyrank(this.timelineKey(), 0, Math.floor(cutoff / 1e3));
-  }
-};
-
-// src/storage/index.ts
-async function createStorageAdapter(config) {
-  if (!config || config.type === "memory") {
-    return new MemoryStorageAdapter();
-  }
-  if (config.type === "custom" && config.custom) {
-    return config.custom;
-  }
-  if (config.type === "redis" && config.redis) {
-    try {
-      const redisModuleName = "@upstash/redis";
-      const redisModule = await import(
-        /* webpackIgnore: true */
-        redisModuleName
-      );
-      const Redis = redisModule.Redis;
-      const redis = new Redis({
-        url: config.redis.url,
-        token: config.redis.token
-      });
-      return new RedisStorageAdapter(redis, config.ttl);
-    } catch (error) {
-      console.warn(
-        "[AgentShield] Redis storage requires @upstash/redis package. Install with: npm install @upstash/redis",
-        "\nFalling back to memory storage."
-      );
-      return new MemoryStorageAdapter();
-    }
-  }
-  return new MemoryStorageAdapter();
-}
-var SessionManager = class {
-  sessionLastActivity = /* @__PURE__ */ new Map();
-  generateSessionId(ipAddress, userAgent) {
-    const now = Date.now();
-    const timeWindow = Math.floor(now / (5 * 60 * 1e3));
-    const baseKey = `${ipAddress || "unknown"}:${userAgent || "unknown"}`;
-    const windowKey = `${baseKey}:${timeWindow}`;
-    const lastActivity = this.sessionLastActivity.get(windowKey);
-    const shouldCreateNewSession = !lastActivity || now - lastActivity > 3e4;
-    this.sessionLastActivity.set(windowKey, now);
-    if (this.sessionLastActivity.size > 100) {
-      const cutoff = now - 6e5;
-      for (const [key, time] of this.sessionLastActivity.entries()) {
-        if (time < cutoff) {
-          this.sessionLastActivity.delete(key);
-        }
-      }
-    }
-    const data = shouldCreateNewSession ? `${windowKey}:${now}` : `${windowKey}:${lastActivity}`;
-    let hash = 0;
-    for (let i = 0; i < data.length; i++) {
-      const char = data.charCodeAt(i);
-      hash = (hash << 5) - hash + char;
-      hash = hash & hash;
-    }
-    return Math.abs(hash).toString(16).padStart(12, "0").substring(0, 12);
-  }
-};
-function createEnhancedAgentShieldMiddleware(config = {}) {
-  let storageAdapter = null;
-  let storageInitPromise = null;
-  const getStorage = async () => {
-    if (storageAdapter) return storageAdapter;
-    if (storageInitPromise) return storageInitPromise;
-    storageInitPromise = createStorageAdapter(config.storage).then((adapter) => {
-      storageAdapter = adapter;
-      return adapter;
-    });
-    return storageInitPromise;
-  };
-  let detector = null;
-  let detectorInitPromise = null;
-  let wasmConfidenceUtils = null;
-  const getDetector = async (requestUrl) => {
-    if (detector) {
-      return detector;
-    }
-    if (detectorInitPromise) {
-      await detectorInitPromise;
-      return detector;
-    }
-    detectorInitPromise = (async () => {
-      const isEdgeRuntime = typeof globalThis.EdgeRuntime !== "undefined" || process.env.NEXT_RUNTIME === "edge";
-      if (isEdgeRuntime) {
-        if (process.env.NODE_ENV !== "production") {
-          console.debug("[AgentShield] Edge Runtime detected - using pattern detection");
-        }
-        detector = new EdgeSafeDetector();
-      } else {
-        try {
-          try {
-            const wasmUtils = await Promise.resolve().then(() => (init_wasm_confidence(), wasm_confidence_exports));
-            wasmConfidenceUtils = wasmUtils;
-            const wasmAvailable = await wasmUtils.checkWasmAvailability();
-            if (wasmAvailable) {
-              const { EdgeAgentDetectorWrapperWithWasm: EdgeAgentDetectorWrapperWithWasm2 } = await Promise.resolve().then(() => (init_edge_detector_with_wasm(), edge_detector_with_wasm_exports));
-              if (process.env.NODE_ENV !== "production") {
-                console.debug(
-                  "[AgentShield] \u2705 WASM support detected - enhanced detection enabled"
-                );
-              }
-              detector = new EdgeAgentDetectorWrapperWithWasm2({ enableWasm: true });
-              if (requestUrl && "setBaseUrl" in detector) {
-                detector.setBaseUrl(requestUrl);
-              }
-            } else {
-              if (process.env.NODE_ENV !== "production") {
-                console.debug(
-                  "[AgentShield] \u2139\uFE0F Using pattern-based detection (WASM not available)"
-                );
-              }
-              detector = new EdgeSafeDetector();
-            }
-          } catch (wasmError) {
-            if (process.env.NODE_ENV !== "production") {
-              console.debug("[AgentShield] WASM utilities not available, using pattern detection");
-            }
-            detector = new EdgeSafeDetector();
-          }
-        } catch (error) {
-          console.warn("[AgentShield] Failed to initialize enhanced detector, using fallback");
-          detector = new EdgeSafeDetector();
-        }
-      }
-    })();
-    await detectorInitPromise;
-    return detector;
-  };
-  const sessionManager = new SessionManager();
-  const sessionTrackingEnabled = config.sessionTracking?.enabled !== false;
-  return async (request) => {
-    const { pathname } = request.nextUrl;
-    if (config.skipPaths?.some((path) => pathname.startsWith(path))) {
-      return server.NextResponse.next();
-    }
-    const userAgent = request.headers.get("user-agent");
-    const ipAddress = getClientIp(request);
-    const url = new URL(request.url);
-    const pathWithQuery = url.pathname + url.search;
-    const context = {
-      userAgent: userAgent || "",
-      ipAddress: ipAddress || "",
-      headers: Object.fromEntries(request.headers.entries()),
-      url: pathWithQuery,
-      method: request.method,
-      timestamp: /* @__PURE__ */ new Date()
-    };
-    const activeDetector = await getDetector(request.url);
-    const result = await activeDetector.analyze(context);
-    let finalConfidence = result.confidence;
-    let verificationMethod = result.verificationMethod || "pattern";
-    if (agentshieldShared.shouldEnforce(result) && wasmConfidenceUtils) {
-      const reasons = result.reasons || [];
-      if (wasmConfidenceUtils.shouldIndicateWasmVerification(result.confidence)) {
-        finalConfidence = wasmConfidenceUtils.getWasmConfidenceBoost(result.confidence, reasons);
-        verificationMethod = wasmConfidenceUtils.getVerificationMethod(finalConfidence, reasons);
-      }
-    }
-    const decision = agentshieldShared.evaluateEnforcement(
-      { ...result, confidence: finalConfidence },
-      {
-        confidenceThreshold: config.confidenceThreshold,
-        defaultAction: config.onAgentDetected
-      }
-    );
-    if (decision.shouldNotify) {
-      if (sessionTrackingEnabled) {
-        const storage = await getStorage();
-        const sessionId = sessionManager.generateSessionId(
-          ipAddress || void 0,
-          userAgent || void 0
-        );
-        const event = {
-          eventId: `agent_${Date.now()}_${Math.random().toString(36).substring(2, 11)}`,
-          sessionId,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-          agentType: result.detectedAgent?.type || "unknown",
-          agentName: result.detectedAgent?.name || "Unknown",
-          confidence: finalConfidence,
-          path: pathWithQuery,
-          ...userAgent && { userAgent },
-          ...ipAddress && { ipAddress },
-          method: request.method,
-          detectionReasons: result.reasons || [],
-          verificationMethod,
-          detectionDetails: {
-            patterns: result.detectedAgent?.patterns,
-            behaviors: result.detectedAgent?.behaviors,
-            fingerprintMatches: result.detectedAgent?.fingerprints
-          }
-        };
-        try {
-          await storage.storeEvent(event);
-          let session = await storage.getSession(sessionId);
-          if (session) {
-            session.lastSeen = event.timestamp;
-            session.eventCount++;
-            if (!session.paths.includes(pathWithQuery)) {
-              session.paths.push(pathWithQuery);
-            }
-            session.averageConfidence = (session.averageConfidence * (session.eventCount - 1) + finalConfidence) / session.eventCount;
-            if (!session.verificationMethods.includes(verificationMethod)) {
-              session.verificationMethods.push(verificationMethod);
-            }
-          } else {
-            session = {
-              sessionId,
-              ...ipAddress && { ipAddress },
-              ...userAgent && { userAgent },
-              agentType: result.detectedAgent?.type || "unknown",
-              agentName: result.detectedAgent?.name || "Unknown",
-              firstSeen: event.timestamp,
-              lastSeen: event.timestamp,
-              eventCount: 1,
-              paths: [pathWithQuery],
-              averageConfidence: finalConfidence,
-              verificationMethods: [verificationMethod]
-            };
-          }
-          if (session) {
-            await storage.storeSession(session);
-          }
-        } catch (error) {
-          console.error("[AgentShield] Failed to store event:", error);
-        }
-      }
-      if (config.onDetection) {
-        await config.onDetection(result, context);
-      }
-      switch (decision.action) {
-        case "block": {
-          const { status = 403, message = "Access denied: AI agent detected" } = config.blockedResponse || {};
-          const response2 = server.NextResponse.json(
-            { error: message, detected: true, confidence: finalConfidence },
-            { status }
-          );
-          response2.headers.set("kya-detected", "true");
-          response2.headers.set("kya-confidence", String(Math.round(finalConfidence * 100)));
-          response2.headers.set("kya-agent", result.detectedAgent?.name || "Unknown");
-          response2.headers.set("kya-verification", verificationMethod);
-          return response2;
-        }
-        case "log": {
-          const isInteresting = finalConfidence >= 0.9 || result.detectedAgent?.name?.toLowerCase().includes("chatgpt") || result.detectedAgent?.name?.toLowerCase().includes("perplexity") || verificationMethod === "signature";
-          if (isInteresting && process.env.NODE_ENV !== "production") {
-            console.debug(`[AgentShield] AI Agent detected (${verificationMethod}):`, {
-              agent: result.detectedAgent?.name,
-              confidence: `${(finalConfidence * 100).toFixed(0)}%`,
-              path: pathWithQuery,
-              verification: verificationMethod
-            });
-          }
-          break;
-        }
-      }
-    }
-    const response = server.NextResponse.next();
-    if (result.isAgent) {
-      response.headers.set("kya-detected", "true");
-      response.headers.set("kya-confidence", String(Math.round(finalConfidence * 100)));
-      response.headers.set("kya-agent", result.detectedAgent?.name || "Unknown");
-      response.headers.set("kya-verification", verificationMethod);
-      if (finalConfidence > 0.9) {
-        response.headers.set("kya-ai-visitor", "true");
-        response.headers.set("kya-ai-confidence", finalConfidence.toString());
-        response.headers.set("kya-ai-verification", verificationMethod);
-      }
-    }
-    return response;
-  };
-}
-
-// src/api-client.ts
-var DEFAULT_BASE_URL = "https://kya.vouched.id";
-var EDGE_DETECT_URL = "https://detect.checkpoint-gateway.ai";
-var DEFAULT_TIMEOUT = 5e3;
-var AgentShieldClient = class {
-  apiKey;
-  baseUrl;
-  useEdge;
-  timeout;
-  debug;
-  constructor(config) {
-    if (!config.apiKey) {
-      throw new Error("AgentShield API key is required");
-    }
-    this.apiKey = config.apiKey;
-    this.useEdge = config.useEdge !== false;
-    this.baseUrl = config.baseUrl || (this.useEdge ? EDGE_DETECT_URL : DEFAULT_BASE_URL);
-    this.timeout = config.timeout || DEFAULT_TIMEOUT;
-    this.debug = config.debug || false;
-  }
-  /**
-   * Call the enforce API to check if a request should be allowed
-   */
-  async enforce(input) {
-    const startTime = Date.now();
-    try {
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-      try {
-        const endpoint = this.useEdge ? `${this.baseUrl}/__detect/enforce` : `${this.baseUrl}/api/v1/enforce`;
-        const response = await fetch(endpoint, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${this.apiKey}`,
-            "X-Request-ID": input.requestId || crypto.randomUUID()
-          },
-          body: JSON.stringify(input),
-          signal: controller.signal
-        });
-        clearTimeout(timeoutId);
-        const data = await response.json();
-        if (this.debug) {
-          console.log("[AgentShield] Enforce response:", {
-            status: response.status,
-            action: data.data?.decision.action,
-            processingTimeMs: Date.now() - startTime
-          });
-        }
-        if (!response.ok) {
-          return {
-            success: false,
-            error: {
-              code: `HTTP_${response.status}`,
-              message: data.error?.message || `HTTP error: ${response.status}`
-            }
-          };
-        }
-        return data;
-      } catch (error) {
-        clearTimeout(timeoutId);
-        throw error;
-      }
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        if (this.debug) {
-          console.warn("[AgentShield] Request timed out");
-        }
-        return {
-          success: false,
-          error: {
-            code: "TIMEOUT",
-            message: `Request timed out after ${this.timeout}ms`
-          }
-        };
-      }
-      if (this.debug) {
-        console.error("[AgentShield] Request failed:", error);
-      }
-      return {
-        success: false,
-        error: {
-          code: "NETWORK_ERROR",
-          message: error instanceof Error ? error.message : "Network request failed"
-        }
-      };
-    }
-  }
-  /**
-   * Quick check - returns just the action without full response parsing
-   * Useful for very fast middleware that just needs allow/block
-   */
-  async quickCheck(input) {
-    const result = await this.enforce(input);
-    if (!result.success || !result.data) {
-      return {
-        action: "allow",
-        error: result.error?.message
-      };
-    }
-    return {
-      action: result.data.decision.action
-    };
-  }
-  /**
-   * Check if this client is using edge detection (Gateway Worker)
-   */
-  isUsingEdge() {
-    return this.useEdge;
-  }
-  /**
-   * Log a detection result to AgentShield database.
-   * Use after Gateway Worker detection to persist results.
-   * Fire-and-forget - returns immediately without waiting for DB write.
-   *
-   * @example
-   * ```typescript
-   * // After receiving Gateway response
-   * if (client.isUsingEdge() && response.data?.detection) {
-   *   client.logDetection({
-   *     detection: response.data.detection,
-   *     context: { userAgent, ipAddress, path, url, method }
-   *   }).catch(err => console.error('Log failed:', err));
-   * }
-   * ```
-   */
-  async logDetection(input) {
-    const logEndpoint = this.useEdge ? `${DEFAULT_BASE_URL}/api/v1/log-detection` : `${this.baseUrl}/api/v1/log-detection`;
-    try {
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-      try {
-        const response = await fetch(logEndpoint, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${this.apiKey}`
-          },
-          body: JSON.stringify({
-            detection: {
-              isAgent: input.detection.isAgent,
-              confidence: input.detection.confidence,
-              agentName: input.detection.agentName,
-              agentType: input.detection.agentType,
-              detectionClass: input.detection.detectionClass,
-              verificationMethod: input.detection.verificationMethod,
-              reasons: input.detection.reasons
-            },
-            context: input.context,
-            source: input.source || "gateway"
-          }),
-          signal: controller.signal
-        });
-        clearTimeout(timeoutId);
-        if (!response.ok && this.debug) {
-          console.warn("[AgentShield] Log detection returned non-2xx:", response.status);
-        }
-      } catch (error) {
-        clearTimeout(timeoutId);
-        throw error;
-      }
-    } catch (error) {
-      if (this.debug) {
-        console.error("[AgentShield] Log detection failed:", error);
-      }
-      throw error;
-    }
-  }
-};
-var clientInstance = null;
-function getAgentShieldClient(config) {
-  if (!clientInstance) {
-    const apiKey = config?.apiKey || process.env.AGENTSHIELD_API_KEY;
-    if (!apiKey) {
-      throw new Error(
-        "AgentShield API key is required. Set AGENTSHIELD_API_KEY environment variable or pass apiKey in config."
-      );
-    }
-    clientInstance = new AgentShieldClient({
-      apiKey,
-      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,
-      // Default to edge detection unless explicitly disabled
-      useEdge: config?.useEdge ?? process.env.AGENTSHIELD_USE_EDGE !== "false",
-      timeout: config?.timeout,
-      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === "true"
-    });
-  }
-  return clientInstance;
-}
-function resetAgentShieldClient() {
-  clientInstance = null;
-}
-var MCP_I_DOCS_URL = "https://docs.knowthat.ai/mcp-i/getting-started";
-var DEFAULT_CONNECT_PATH = "/connect";
-function buildAgentInstructionResponse(request, decision, redirectUrl) {
-  const resolved = resolveUrl(redirectUrl ?? DEFAULT_CONNECT_PATH, request.url);
-  const agentName = decision.agentName || decision.agentType || "unknown";
-  if (!resolved.searchParams.has("agent")) {
-    resolved.searchParams.set("agent", agentName.toLowerCase());
-  }
-  const authUrl = resolved.toString();
-  const hostname = safeHostname(request.url);
-  const body = {
-    // Markdown-formatted so clients that render markdown (Claude Desktop,
-    // ChatGPT web) surface the URL as a clickable link. Tone mirrors the
-    // gateway response so messaging stays consistent across platforms.
-    message: `I can't access ${hostname} yet \u2014 this site checks AI assistants at the front door.
-
-**To give me access, open this link:**
-[Connect securely to ${hostname}](${authUrl})
-
-It only takes a moment and you won't need to do it again. Once you're done, ask me to try again and I'll connect through the verified channel automatically.`,
-    user_action_required: {
-      action: `Connect securely to ${hostname}`,
-      url: authUrl,
-      reason: `${hostname} checks AI assistants before they connect. Open the link to give your assistant a verified key.`
-    },
-    mcp_i: {
-      version: "1.0",
-      action: "authenticate",
-      authorization_url: authUrl,
-      flow: {
-        type: "oauth2_delegation",
-        steps: [
-          "1. Direct your user to the authorization_url",
-          "2. User reviews requested scopes and grants consent",
-          "3. Receive delegation credential (JWT)",
-          "4. Include credential in KYA-Delegation header",
-          "5. Retry this request with the proof"
-        ]
-      },
-      retry_instructions: {
-        header: "KYA-Delegation",
-        format: "JWT delegation credential from authorization flow"
-      },
-      documentation: MCP_I_DOCS_URL
-    },
-    error: "mcp_authentication_required",
-    code: "AGENT_REQUIRES_DELEGATION",
-    detection: {
-      agent_type: decision.agentType || "ai_agent",
-      agent_name: decision.agentName || "Unknown Agent",
-      confidence: decision.confidence
-    }
-  };
-  const response = server.NextResponse.json(body, { status: 401 });
-  response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
-  response.headers.set(
-    "Link",
-    `<${authUrl}>; rel="kya-authorize", <${MCP_I_DOCS_URL}>; rel="help"`
-  );
-  response.headers.set("KYA-Auth-Required", "true");
-  response.headers.set("KYA-Auth-Url", authUrl);
-  response.headers.set("KYA-Action", "instruct");
-  response.headers.set("KYA-Detected-Agent", agentName);
-  response.headers.set("KYA-Confidence", decision.confidence.toString());
-  response.headers.set("Cache-Control", "no-store");
-  return response;
-}
-function resolveUrl(target, baseUrl2) {
-  try {
-    return new URL(target, baseUrl2);
-  } catch {
-    return new URL(DEFAULT_CONNECT_PATH, baseUrl2);
-  }
-}
-
-// src/api-middleware.ts
-function matchPath(path, pattern) {
-  if (pattern === path) return true;
-  if (pattern.includes("*")) {
-    const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
-    return new RegExp(`^${regexPattern}$`).test(path);
-  }
-  if (pattern.endsWith("/")) {
-    return path.startsWith(pattern) || path === pattern.slice(0, -1);
-  }
-  return path.startsWith(pattern);
-}
-function shouldSkipPath(path, skipPaths) {
-  return skipPaths.some((pattern) => matchPath(path, pattern));
-}
-function shouldIncludePath(path, includePaths) {
-  if (!includePaths || includePaths.length === 0) return true;
-  return includePaths.some((pattern) => matchPath(path, pattern));
-}
-function buildBlockedResponse(request, decision, config) {
-  const status = config.blockedResponse?.status ?? 403;
-  const message = config.blockedResponse?.message ?? decision.message ?? "Access denied";
-  const recoveryUrl = resolveRecoveryUrl(request, config.redirectUrl || decision.redirectUrl);
-  const body = {
-    error: message,
-    code: "AGENT_BLOCKED",
-    reason: decision.reason,
-    agentType: decision.agentType
-  };
-  if (recoveryUrl) {
-    const hostname = safeHostname(request.url);
-    body.user_action_required = {
-      action: `Connect securely to ${hostname}`,
-      url: recoveryUrl,
-      reason: `${hostname} blocks unverified AI assistants. Open the link to give your assistant a verified key and try again.`
-    };
-    body.message = `I can't access ${hostname} \u2014 this site blocks unverified AI assistants.
-
-**To give me access, open this link:**
-[Connect securely to ${hostname}](${recoveryUrl})
-
-Once you're done, ask me to try again.`;
-  }
-  const response = server.NextResponse.json(body, { status });
-  if (config.blockedResponse?.headers) {
-    for (const [key, value] of Object.entries(config.blockedResponse.headers)) {
-      response.headers.set(key, value);
-    }
-  }
-  if (recoveryUrl) {
-    response.headers.set("Link", `<${recoveryUrl}>; rel="kya-authorize"`);
-    response.headers.set("KYA-Auth-Url", recoveryUrl);
-  }
-  response.headers.set("KYA-Action", decision.action);
-  response.headers.set("KYA-Reason", decision.reason);
-  return response;
-}
-function resolveRecoveryUrl(request, target) {
-  if (!target) return void 0;
-  try {
-    return new URL(target, request.url).toString();
-  } catch {
-    return void 0;
-  }
-}
-function buildRedirectResponse(request, decision, config) {
-  const redirectUrl = config.redirectUrl || decision.redirectUrl || "/blocked";
-  const url = new URL(redirectUrl, request.url);
-  url.searchParams.set("reason", decision.reason);
-  if (decision.agentType) {
-    url.searchParams.set("agent", decision.agentType);
-  }
-  return server.NextResponse.redirect(url);
-}
-function withAgentShield(config = {}) {
-  let client = null;
-  const getClient = () => {
-    if (!client) {
-      client = getAgentShieldClient({
-        apiKey: config.apiKey,
-        baseUrl: config.apiUrl,
-        useEdge: config.useEdge,
-        timeout: config.timeout,
-        debug: config.debug
-      });
-    }
-    return client;
-  };
-  const defaultSkipPaths = [
-    "/_next/static/*",
-    "/_next/image/*",
-    "/favicon.ico",
-    "/robots.txt",
-    "/sitemap.xml"
-  ];
-  const skipPaths = [...defaultSkipPaths, ...config.skipPaths || []];
-  const failOpen = config.failOpen ?? true;
-  return async function middleware(request) {
-    const path = request.nextUrl.pathname;
-    const startTime = Date.now();
-    if (shouldSkipPath(path, skipPaths)) {
-      return server.NextResponse.next();
-    }
-    if (!shouldIncludePath(path, config.includePaths)) {
-      return server.NextResponse.next();
-    }
-    try {
-      const client2 = getClient();
-      const userAgent = request.headers.get("user-agent") || void 0;
-      const ipAddress = getClientIp(request);
-      const result = await client2.enforce({
-        headers: Object.fromEntries(request.headers.entries()),
-        userAgent,
-        ipAddress,
-        path,
-        url: request.url,
-        method: request.method,
-        requestId: request.headers.get("x-request-id") || void 0,
-        options: {
-          // Always include detection results for logging (needed when using edge)
-          includeDetectionResult: true
-        }
-      });
-      if (!result.success || !result.data) {
-        if (config.debug) {
-          console.warn("[AgentShield] API error:", result.error);
-        }
-        if (failOpen) {
-          return server.NextResponse.next();
-        }
-        return server.NextResponse.json(
-          { error: "Security check failed", code: "API_ERROR" },
-          { status: 503 }
-        );
-      }
-      const decision = result.data.decision;
-      if (config.debug) {
-        console.log("[AgentShield] Decision:", {
-          path,
-          action: decision.action,
-          isAgent: decision.isAgent,
-          confidence: decision.confidence,
-          agentName: decision.agentName,
-          detectionMethod: result.data.detection?.detectionMethod || "not-included",
-          processingTimeMs: Date.now() - startTime
-        });
-      }
-      if (client2.isUsingEdge() && result.data.detection) {
-        client2.logDetection({
-          detection: result.data.detection,
-          context: { userAgent, ipAddress, path, url: request.url, method: request.method }
-        }).catch((err) => {
-          if (config.debug) {
-            console.error("[AgentShield] Log detection failed:", err);
-          }
-        });
-      }
-      if (decision.isAgent && config.onAgentDetected) {
-        await config.onAgentDetected(request, decision);
-      }
-      const redirectMode = config.redirectMode ?? "instruct";
-      switch (decision.action) {
-        case "block": {
-          if (config.customBlockedResponse) {
-            return config.customBlockedResponse(request, decision);
-          }
-          if (config.onBlock === "redirect") {
-            return buildRedirectResponse(request, decision, config);
-          }
-          return buildBlockedResponse(request, decision, config);
-        }
-        case "redirect":
-        case "instruct": {
-          if (redirectMode === "http" && decision.action === "redirect") {
-            return buildRedirectResponse(request, decision, config);
-          }
-          const targetUrl = config.redirectUrl || decision.redirectUrl;
-          return buildAgentInstructionResponse(request, decision, targetUrl);
-        }
-        case "challenge": {
-          return buildRedirectResponse(request, decision, config);
-        }
-        case "log":
-        case "allow":
-        default: {
-          const response = server.NextResponse.next();
-          if (decision.isAgent) {
-            response.headers.set("KYA-Detected", "true");
-            response.headers.set("KYA-Confidence", decision.confidence.toString());
-            if (decision.agentName) {
-              response.headers.set("KYA-Agent", decision.agentName);
-            }
-          }
-          return response;
-        }
-      }
-    } catch (error) {
-      if (config.debug) {
-        console.error("[AgentShield] Middleware error:", error);
-      }
-      if (failOpen) {
-        return server.NextResponse.next();
-      }
-      return server.NextResponse.json(
-        { error: "Security check failed", code: "MIDDLEWARE_ERROR" },
-        { status: 503 }
-      );
-    }
-  };
-}
-var agentShieldMiddleware = withAgentShield();
-function createContextFromDetection(detection, request) {
-  return agentshieldShared.createEvaluationContext({
-    agentType: detection.detectedAgent?.type,
-    agentName: detection.detectedAgent?.name,
-    agentVendor: detection.detectedAgent?.vendor,
-    confidence: detection.confidence,
-    riskLevel: detection.riskLevel,
-    path: request.nextUrl.pathname,
-    method: request.method,
-    signatureVerified: detection.verificationMethod === "signature",
-    isAuthenticated: false,
-    // TODO: integrate with auth
-    userAgent: request.headers.get("user-agent") || void 0
-  });
-}
-function evaluatePolicyForDetection(detection, request, policy) {
-  const context = createContextFromDetection(detection, request);
-  return agentshieldShared.evaluatePolicy(policy, context);
-}
-function buildBlockedResponse2(decision, config) {
-  const status = config.blockedResponse?.status ?? 403;
-  const message = config.blockedResponse?.message ?? decision.message ?? "Access denied";
-  const response = server.NextResponse.json(
-    {
-      error: message,
-      code: "POLICY_BLOCKED",
-      reason: decision.reason,
-      ruleId: decision.ruleId,
-      matchType: decision.matchType
-    },
-    { status }
-  );
-  if (config.blockedResponse?.headers) {
-    for (const [key, value] of Object.entries(config.blockedResponse.headers)) {
-      response.headers.set(key, value);
-    }
-  }
-  response.headers.set("KYA-Action", decision.action);
-  response.headers.set("KYA-Reason", decision.reason);
-  response.headers.set("KYA-Match-Type", decision.matchType);
-  return response;
-}
-function buildRedirectResponse2(request, decision, config, detection) {
-  const redirectUrl = decision.redirectUrl || config.redirectUrl || "/blocked";
-  const url = new URL(redirectUrl, request.url);
-  url.searchParams.set("reason", decision.reason);
-  if (decision.ruleId) {
-    url.searchParams.set("ruleId", decision.ruleId);
-  }
-  const agentName = detection?.detectedAgent?.name;
-  if (agentName && !url.searchParams.has("agent")) {
-    url.searchParams.set("agent", agentName.toLowerCase());
-  }
-  return server.NextResponse.redirect(url);
-}
-function buildChallengeResponse(request, decision, config, detection) {
-  return buildRedirectResponse2(request, decision, config, detection);
-}
-async function handlePolicyDecision(request, decision, config, detection) {
-  switch (decision.action) {
-    case agentshieldShared.ENFORCEMENT_ACTIONS.BLOCK:
-      if (config.customBlockedResponse) {
-        return await config.customBlockedResponse(request, decision);
-      }
-      return buildBlockedResponse2(decision, config);
-    case agentshieldShared.ENFORCEMENT_ACTIONS.REDIRECT:
-      return buildRedirectResponse2(request, decision, config, detection);
-    case agentshieldShared.ENFORCEMENT_ACTIONS.CHALLENGE:
-      return buildChallengeResponse(request, decision, config, detection);
-    case agentshieldShared.ENFORCEMENT_ACTIONS.LOG:
-      console.log("[AgentShield] Policy decision (log):", {
-        path: request.nextUrl.pathname,
-        action: decision.action,
-        reason: decision.reason,
-        matchType: decision.matchType,
-        ruleId: decision.ruleId
-      });
-      return null;
-    // Continue to allow
-    case agentshieldShared.ENFORCEMENT_ACTIONS.ALLOW:
-    default:
-      return null;
-  }
-}
-var fetcherCache = /* @__PURE__ */ new Map();
-function getFetcherCacheKey(config) {
-  return `${config.apiUrl ?? "default"}:${config.apiKey ?? ""}:${config.cacheTtlSeconds ?? "default"}`;
-}
-function getPolicyFetcher(config) {
-  if (!config) {
-    throw new Error("fetchPolicy config required");
-  }
-  const cacheKey = getFetcherCacheKey(config);
-  let fetcher = fetcherCache.get(cacheKey);
-  if (!fetcher) {
-    const fetcherConfig = {
-      apiBaseUrl: config.apiUrl || "https://kya.vouched.id",
-      apiKey: config.apiKey,
-      cacheTtlSeconds: config.cacheTtlSeconds
-    };
-    fetcher = agentshieldShared.createPolicyFetcher(fetcherConfig);
-    fetcherCache.set(cacheKey, fetcher);
-  }
-  return fetcher;
-}
-async function getPolicy(config) {
-  if (config.policy) {
-    return agentshieldShared.PolicyConfigSchema.parse({ ...agentshieldShared.DEFAULT_POLICY, ...config.policy });
-  }
-  if (config.fetchPolicy) {
-    try {
-      const fetcher = getPolicyFetcher(config.fetchPolicy);
-      return await fetcher.getPolicy(config.fetchPolicy.projectId);
-    } catch (error) {
-      if (config.debug) {
-        console.warn("[AgentShield] Policy fetch failed, using fallback:", error);
-      }
-      return agentshieldShared.PolicyConfigSchema.parse({
-        ...agentshieldShared.DEFAULT_POLICY,
-        ...config.fallbackPolicy || {}
-      });
-    }
-  }
-  return agentshieldShared.PolicyConfigSchema.parse(agentshieldShared.DEFAULT_POLICY);
-}
-async function applyPolicy(request, detection, config) {
-  try {
-    const path = request.nextUrl.pathname;
-    if (config.skipPaths?.some((pattern) => agentshieldShared.matchPath(path, pattern))) {
-      return null;
-    }
-    if (config.includePaths && config.includePaths.length > 0) {
-      if (!config.includePaths.some((pattern) => agentshieldShared.matchPath(path, pattern))) {
-        return null;
-      }
-    }
-    const policy = await getPolicy(config);
-    const context = createContextFromDetection(detection, request);
-    const decision = agentshieldShared.evaluatePolicy(policy, context);
-    if (config.onPolicyDecision) {
-      await config.onPolicyDecision(request, decision, context);
-    }
-    return await handlePolicyDecision(request, decision, config, detection);
-  } catch (error) {
-    if (config.debug) {
-      console.error("[AgentShield] Policy evaluation error:", error);
-    }
-    if (config.failOpen !== false) {
-      return null;
-    }
-    return server.NextResponse.json(
-      { error: "Security check failed", code: "POLICY_ERROR" },
-      { status: 503 }
-    );
-  }
-}
-
-// src/index.ts
-var VERSION = "0.1.0";
-/**
- * @fileoverview AgentShield Next.js Integration
- * @version 0.1.0
- * @license MIT OR Apache-2.0
- */
-
-Object.defineProperty(exports, "DEFAULT_POLICY", {
-  enumerable: true,
-  get: function () { return agentshieldShared.DEFAULT_POLICY; }
-});
-Object.defineProperty(exports, "ENFORCEMENT_ACTIONS", {
-  enumerable: true,
-  get: function () { return agentshieldShared.ENFORCEMENT_ACTIONS; }
-});
-Object.defineProperty(exports, "createEvaluationContext", {
-  enumerable: true,
-  get: function () { return agentshieldShared.createEvaluationContext; }
-});
-Object.defineProperty(exports, "evaluatePolicy", {
-  enumerable: true,
-  get: function () { return agentshieldShared.evaluatePolicy; }
-});
-exports.AgentShieldClient = AgentShieldClient;
-exports.EdgeSessionTracker = EdgeSessionTracker;
-exports.StatelessSessionChecker = StatelessSessionChecker;
-exports.VERSION = VERSION;
-exports.agentShieldMiddleware = agentShieldMiddleware;
-exports.applyPolicy = applyPolicy;
-exports.buildPolicyBlockedResponse = buildBlockedResponse2;
-exports.buildPolicyRedirectResponse = buildRedirectResponse2;
-exports.createAgentShieldMiddleware = createAgentShieldMiddleware2;
-exports.createAgentShieldMiddlewareBase = createAgentShieldMiddleware;
-exports.createContextFromDetection = createContextFromDetection;
-exports.createEnhancedAgentShieldMiddleware = createEnhancedAgentShieldMiddleware;
-exports.createMiddleware = createAgentShieldMiddleware2;
-exports.evaluatePolicyForDetection = evaluatePolicyForDetection;
-exports.getAgentShieldClient = getAgentShieldClient;
-exports.getPolicy = getPolicy;
-exports.handlePolicyDecision = handlePolicyDecision;
-exports.resetAgentShieldClient = resetAgentShieldClient;
-exports.withAgentShield = withAgentShield;
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map