@kya-os/agentshield-nextjs 0.3.2 → 0.3.5

package/dist/api-client.d.ts

@@ -1,196 +0,0 @@
-import { EnforcementAction } from '@kya-os/agentshield-shared';
-export { EnforcementAction } from '@kya-os/agentshield-shared';
-
-/**
- * AgentShield API Client
- *
- * Lightweight client for calling the AgentShield enforce API from middleware.
- * Designed for Edge Runtime compatibility (no Node.js-specific APIs).
- */
-
-/**
- * API client configuration
- */
-interface AgentShieldClientConfig {
-    /** API key for authentication */
-    apiKey: string;
-    /** API base URL (defaults to production) */
-    baseUrl?: string;
-    /**
-     * Use edge detection for lower latency (~30-50ms vs ~150ms) and better coverage.
-     * Edge detection can identify non-JS clients (curl, Python, Claude Code WebFetch)
-     * that the pixel cannot detect since they don't execute JavaScript.
-     * @default true
-     */
-    useEdge?: boolean;
-    /** Request timeout in milliseconds (default: 5000) */
-    timeout?: number;
-    /** Enable debug logging */
-    debug?: boolean;
-}
-
-/**
- * Enforcement decision from the API
- */
-interface EnforcementDecision {
-    action: EnforcementAction;
-    reason: string;
-    isAgent: boolean;
-    confidence: number;
-    agentName?: string;
-    agentType?: string;
-    redirectUrl?: string;
-    message?: string;
-    metadata?: {
-        policyVersion?: string;
-        signatureVerified?: boolean;
-        denyListMatch?: {
-            clientDid?: string;
-            agentDid?: string;
-            clientName?: string;
-            reason?: string;
-        };
-    };
-}
-/**
- * Detection result (optional in response)
- */
-interface DetectionResult {
-    isAgent: boolean;
-    confidence: number;
-    agentName?: string;
-    agentType?: string;
-    /** Detection class: 'human', 'ai_agent', 'bot', 'incomplete_data' */
-    detectionClass?: string;
-    verificationMethod?: string;
-    reasons?: string[];
-    /** Detection engine used: 'wasm' or 'javascript-fallback' */
-    detectionMethod?: string;
-}
-/**
- * Enforce API response
- */
-interface EnforceResponse {
-    success: boolean;
-    data?: {
-        decision: EnforcementDecision;
-        processingTimeMs: number;
-        requestId: string;
-        detection?: DetectionResult;
-    };
-    error?: {
-        code: string;
-        message: string;
-    };
-}
-/**
- * Request input for enforce API
- */
-interface EnforceInput {
-    /** HTTP headers from the incoming request */
-    headers?: Record<string, string>;
-    /** User-Agent header */
-    userAgent?: string;
-    /** Client IP address */
-    ipAddress?: string;
-    /** Request path */
-    path?: string;
-    /** Request URL */
-    url?: string;
-    /** HTTP method */
-    method?: string;
-    /** Request ID for tracing */
-    requestId?: string;
-    /** Options */
-    options?: {
-        /** Include full detection result */
-        includeDetectionResult?: boolean;
-        /** Cache TTL override */
-        cacheTTL?: number;
-    };
-}
-/**
- * Input for logging a detection result
- */
-interface LogDetectionInput {
-    /** Detection result from Gateway */
-    detection: DetectionResult;
-    /** Request context */
-    context: {
-        userAgent?: string;
-        ipAddress?: string;
-        path?: string;
-        url?: string;
-        method?: string;
-    };
-    /** Source of the detection */
-    source?: 'gateway' | 'middleware';
-}
-/**
- * AgentShield API Client
- *
- * @example
- * ```typescript
- * const client = new AgentShieldClient({
- *   apiKey: process.env.AGENTSHIELD_API_KEY!,
- * });
- *
- * const result = await client.enforce({
- *   headers: Object.fromEntries(request.headers),
- *   path: request.nextUrl.pathname,
- *   method: request.method,
- * });
- *
- * if (result.decision.action === 'block') {
- *   return new Response('Access denied', { status: 403 });
- * }
- * ```
- */
-declare class AgentShieldClient {
-    private apiKey;
-    private baseUrl;
-    private useEdge;
-    private timeout;
-    private debug;
-    constructor(config: AgentShieldClientConfig);
-    /**
-     * Call the enforce API to check if a request should be allowed
-     */
-    enforce(input: EnforceInput): Promise<EnforceResponse>;
-    /**
-     * Quick check - returns just the action without full response parsing
-     * Useful for very fast middleware that just needs allow/block
-     */
-    quickCheck(input: EnforceInput): Promise<{
-        action: EnforcementAction;
-        error?: string;
-    }>;
-    /**
-     * Check if this client is using edge detection (Gateway Worker)
-     */
-    isUsingEdge(): boolean;
-    /**
-     * Log a detection result to AgentShield database.
-     * Use after Gateway Worker detection to persist results.
-     * Fire-and-forget - returns immediately without waiting for DB write.
-     *
-     * @example
-     * ```typescript
-     * // After receiving Gateway response
-     * if (client.isUsingEdge() && response.data?.detection) {
-     *   client.logDetection({
-     *     detection: response.data.detection,
-     *     context: { userAgent, ipAddress, path, url, method }
-     *   }).catch(err => console.error('Log failed:', err));
-     * }
-     * ```
-     */
-    logDetection(input: LogDetectionInput): Promise<void>;
-}
-declare function getAgentShieldClient(config?: Partial<AgentShieldClientConfig>): AgentShieldClient;
-/**
- * Reset the singleton client (useful for testing)
- */
-declare function resetAgentShieldClient(): void;
-
-export { AgentShieldClient, type AgentShieldClientConfig, type DetectionResult, type EnforceInput, type EnforceResponse, type EnforcementDecision, type LogDetectionInput, getAgentShieldClient, resetAgentShieldClient };

package/dist/api-client.js

@@ -1,200 +0,0 @@
-'use strict';
-
-// src/api-client.ts
-var DEFAULT_BASE_URL = "https://kya.vouched.id";
-var EDGE_DETECT_URL = "https://detect.checkpoint-gateway.ai";
-var DEFAULT_TIMEOUT = 5e3;
-var AgentShieldClient = class {
-  apiKey;
-  baseUrl;
-  useEdge;
-  timeout;
-  debug;
-  constructor(config) {
-    if (!config.apiKey) {
-      throw new Error("AgentShield API key is required");
-    }
-    this.apiKey = config.apiKey;
-    this.useEdge = config.useEdge !== false;
-    this.baseUrl = config.baseUrl || (this.useEdge ? EDGE_DETECT_URL : DEFAULT_BASE_URL);
-    this.timeout = config.timeout || DEFAULT_TIMEOUT;
-    this.debug = config.debug || false;
-  }
-  /**
-   * Call the enforce API to check if a request should be allowed
-   */
-  async enforce(input) {
-    const startTime = Date.now();
-    try {
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-      try {
-        const endpoint = this.useEdge ? `${this.baseUrl}/__detect/enforce` : `${this.baseUrl}/api/v1/enforce`;
-        const response = await fetch(endpoint, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${this.apiKey}`,
-            "X-Request-ID": input.requestId || crypto.randomUUID()
-          },
-          body: JSON.stringify(input),
-          signal: controller.signal
-        });
-        clearTimeout(timeoutId);
-        const data = await response.json();
-        if (this.debug) {
-          console.log("[AgentShield] Enforce response:", {
-            status: response.status,
-            action: data.data?.decision.action,
-            processingTimeMs: Date.now() - startTime
-          });
-        }
-        if (!response.ok) {
-          return {
-            success: false,
-            error: {
-              code: `HTTP_${response.status}`,
-              message: data.error?.message || `HTTP error: ${response.status}`
-            }
-          };
-        }
-        return data;
-      } catch (error) {
-        clearTimeout(timeoutId);
-        throw error;
-      }
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        if (this.debug) {
-          console.warn("[AgentShield] Request timed out");
-        }
-        return {
-          success: false,
-          error: {
-            code: "TIMEOUT",
-            message: `Request timed out after ${this.timeout}ms`
-          }
-        };
-      }
-      if (this.debug) {
-        console.error("[AgentShield] Request failed:", error);
-      }
-      return {
-        success: false,
-        error: {
-          code: "NETWORK_ERROR",
-          message: error instanceof Error ? error.message : "Network request failed"
-        }
-      };
-    }
-  }
-  /**
-   * Quick check - returns just the action without full response parsing
-   * Useful for very fast middleware that just needs allow/block
-   */
-  async quickCheck(input) {
-    const result = await this.enforce(input);
-    if (!result.success || !result.data) {
-      return {
-        action: "allow",
-        error: result.error?.message
-      };
-    }
-    return {
-      action: result.data.decision.action
-    };
-  }
-  /**
-   * Check if this client is using edge detection (Gateway Worker)
-   */
-  isUsingEdge() {
-    return this.useEdge;
-  }
-  /**
-   * Log a detection result to AgentShield database.
-   * Use after Gateway Worker detection to persist results.
-   * Fire-and-forget - returns immediately without waiting for DB write.
-   *
-   * @example
-   * ```typescript
-   * // After receiving Gateway response
-   * if (client.isUsingEdge() && response.data?.detection) {
-   *   client.logDetection({
-   *     detection: response.data.detection,
-   *     context: { userAgent, ipAddress, path, url, method }
-   *   }).catch(err => console.error('Log failed:', err));
-   * }
-   * ```
-   */
-  async logDetection(input) {
-    const logEndpoint = this.useEdge ? `${DEFAULT_BASE_URL}/api/v1/log-detection` : `${this.baseUrl}/api/v1/log-detection`;
-    try {
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-      try {
-        const response = await fetch(logEndpoint, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${this.apiKey}`
-          },
-          body: JSON.stringify({
-            detection: {
-              isAgent: input.detection.isAgent,
-              confidence: input.detection.confidence,
-              agentName: input.detection.agentName,
-              agentType: input.detection.agentType,
-              detectionClass: input.detection.detectionClass,
-              verificationMethod: input.detection.verificationMethod,
-              reasons: input.detection.reasons
-            },
-            context: input.context,
-            source: input.source || "gateway"
-          }),
-          signal: controller.signal
-        });
-        clearTimeout(timeoutId);
-        if (!response.ok && this.debug) {
-          console.warn("[AgentShield] Log detection returned non-2xx:", response.status);
-        }
-      } catch (error) {
-        clearTimeout(timeoutId);
-        throw error;
-      }
-    } catch (error) {
-      if (this.debug) {
-        console.error("[AgentShield] Log detection failed:", error);
-      }
-      throw error;
-    }
-  }
-};
-var clientInstance = null;
-function getAgentShieldClient(config) {
-  if (!clientInstance) {
-    const apiKey = config?.apiKey || process.env.AGENTSHIELD_API_KEY;
-    if (!apiKey) {
-      throw new Error(
-        "AgentShield API key is required. Set AGENTSHIELD_API_KEY environment variable or pass apiKey in config."
-      );
-    }
-    clientInstance = new AgentShieldClient({
-      apiKey,
-      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,
-      // Default to edge detection unless explicitly disabled
-      useEdge: config?.useEdge ?? process.env.AGENTSHIELD_USE_EDGE !== "false",
-      timeout: config?.timeout,
-      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === "true"
-    });
-  }
-  return clientInstance;
-}
-function resetAgentShieldClient() {
-  clientInstance = null;
-}
-
-exports.AgentShieldClient = AgentShieldClient;
-exports.getAgentShieldClient = getAgentShieldClient;
-exports.resetAgentShieldClient = resetAgentShieldClient;
-//# sourceMappingURL=api-client.js.map
-//# sourceMappingURL=api-client.js.map

package/dist/api-client.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/api-client.ts"],"names":[],"mappings":";;;AAsJA,IAAM,gBAAA,GAAmB,wBAAA;AACzB,IAAM,eAAA,GAAkB,sCAAA;AACxB,IAAM,eAAA,GAAkB,GAAA;AAsBjB,IAAM,oBAAN,MAAwB;AAAA,EACrB,MAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,KAAA;AAAA,EAER,YAAY,MAAA,EAAiC;AAC3C,IAAA,IAAI,CAAC,OAAO,MAAA,EAAQ;AAClB,MAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AAAA,IACnD;AAEA,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AAErB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAO,OAAA,KAAY,KAAA;AAClC,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,OAAA,KAAY,IAAA,CAAK,UAAU,eAAA,GAAkB,gBAAA,CAAA;AACnE,IAAA,IAAA,CAAK,OAAA,GAAU,OAAO,OAAA,IAAW,eAAA;AACjC,IAAA,IAAA,CAAK,KAAA,GAAQ,OAAO,KAAA,IAAS,KAAA;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,KAAA,EAA+C;AAC3D,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAE3B,IAAA,IAAI;AAEF,MAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,MAAA,MAAM,YAAY,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAEnE,MAAA,IAAI;AAEF,QAAA,MAAM,QAAA,GAAW,KAAK,OAAA,GAClB,CAAA,EAAG,KAAK,OAAO,CAAA,iBAAA,CAAA,GACf,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,eAAA,CAAA;AAEnB,QAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,QAAA,EAAU;AAAA,UACrC,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS;AAAA,YACP,cAAA,EAAgB,kBAAA;AAAA,YAChB,aAAA,EAAe,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA;AAAA,YACpC,cAAA,EAAgB,KAAA,CAAM,SAAA,IAAa,MAAA,CAAO,UAAA;AAAW,WACvD;AAAA,UACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,KAAK,CAAA;AAAA,UAC1B,QAAQ,UAAA,CAAW;AAAA,SACpB,CAAA;AAED,QAAA,YAAA,CAAa,SAAS,CAAA;AAGtB,QAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAElC,QAAA,IAAI,KAAK,KAAA,EAAO;AACd,UAAA,OAAA,CAAQ,IAAI,iCAAA,EAAmC;AAAA,YAC7C,QAAQ,QAAA,CAAS,MAAA;AAAA,YACjB,MAAA,EAAQ,IAAA,CAAK,IAAA,EAAM,QAAA,CAAS,MAAA;AAAA,YAC5B,gBAAA,EAAkB,IAAA,CAAK,GAAA,EAAI,GAAI;AAAA,WAChC,CAAA;AAAA,QACH;AAGA,QAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAO;AAAA,cACL,IAAA,EAAM,CAAA,KAAA,EAAQ,QAAA,CAAS,MAAM,CAAA,CAAA;AAAA,cAC7B,SAAS,IAAA,CAAK,KAAA,EAAO,OAAA,IAAW,CAAA,YAAA,EAAe,SAAS,MAAM,CAAA;AAAA;AAChE,WACF;AAAA,QACF;AAEA,QAAA,OAAO,IAAA;AAAA,MACT,SAAS,KAAA,EAAO;AACd,QAAA,YAAA,CAAa,SAAS,CAAA;AACtB,QAAA,MAAM,KAAA;AAAA,MACR;AAAA,IACF,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,KAAA,YAAiB,KAAA,IAAS,KAAA,CAAM,IAAA,KAAS,YAAA,EAAc;AACzD,QAAA,IAAI,KAAK,KAAA,EAAO;AACd,UAAA,OAAA,CAAQ,KAAK,iCAAiC,CAAA;AAAA,QAChD;AACA,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,SAAA;AAAA,YACN,OAAA,EAAS,CAAA,wBAAA,EAA2B,IAAA,CAAK,OAAO,CAAA,EAAA;AAAA;AAClD,SACF;AAAA,MACF;AAGA,MAAA,IAAI,KAAK,KAAA,EAAO;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,iCAAiC,KAAK,CAAA;AAAA,MACtD;AAEA,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO;AAAA,UACL,IAAA,EAAM,eAAA;AAAA,UACN,OAAA,EAAS,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU;AAAA;AACpD,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAAW,KAAA,EAGd;AACD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,CAAA;AAEvC,IAAA,IAAI,CAAC,MAAA,CAAO,OAAA,IAAW,CAAC,OAAO,IAAA,EAAM;AAEnC,MAAA,OAAO;AAAA,QACL,MAAA,EAAQ,OAAA;AAAA,QACR,KAAA,EAAO,OAAO,KAAA,EAAO;AAAA,OACvB;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS;AAAA,KAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,GAAuB;AACrB,IAAA,OAAO,IAAA,CAAK,OAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,aAAa,KAAA,EAAyC;AAG1D,IAAA,MAAM,WAAA,GAAc,KAAK,OAAA,GACrB,CAAA,EAAG,gBAAgB,CAAA,qBAAA,CAAA,GACnB,CAAA,EAAG,KAAK,OAAO,CAAA,qBAAA,CAAA;AAEnB,IAAA,IAAI;AACF,MAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,MAAA,MAAM,YAAY,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAEnE,MAAA,IAAI;AACF,QAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,WAAA,EAAa;AAAA,UACxC,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS;AAAA,YACP,cAAA,EAAgB,kBAAA;AAAA,YAChB,aAAA,EAAe,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA;AAAA,WACtC;AAAA,UACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,YACnB,SAAA,EAAW;AAAA,cACT,OAAA,EAAS,MAAM,SAAA,CAAU,OAAA;AAAA,cACzB,UAAA,EAAY,MAAM,SAAA,CAAU,UAAA;AAAA,cAC5B,SAAA,EAAW,MAAM,SAAA,CAAU,SAAA;AAAA,cAC3B,SAAA,EAAW,MAAM,SAAA,CAAU,SAAA;AAAA,cAC3B,cAAA,EAAgB,MAAM,SAAA,CAAU,cAAA;AAAA,cAChC,kBAAA,EAAoB,MAAM,SAAA,CAAU,kBAAA;AAAA,cACpC,OAAA,EAAS,MAAM,SAAA,CAAU;AAAA,aAC3B;AAAA,YACA,SAAS,KAAA,CAAM,OAAA;AAAA,YACf,MAAA,EAAQ,MAAM,MAAA,IAAU;AAAA,WACzB,CAAA;AAAA,UACD,QAAQ,UAAA,CAAW;AAAA,SACpB,CAAA;AAED,QAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,QAAA,IAAI,CAAC,QAAA,CAAS,EAAA,IAAM,IAAA,CAAK,KAAA,EAAO;AAC9B,UAAA,OAAA,CAAQ,IAAA,CAAK,+CAAA,EAAiD,QAAA,CAAS,MAAM,CAAA;AAAA,QAC/E;AAAA,MACF,SAAS,KAAA,EAAO;AACd,QAAA,YAAA,CAAa,SAAS,CAAA;AACtB,QAAA,MAAM,KAAA;AAAA,MACR;AAAA,IACF,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,KAAK,KAAA,EAAO;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,uCAAuC,KAAK,CAAA;AAAA,MAC5D;AAEA,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AACF;AAaA,IAAI,cAAA,GAA2C,IAAA;AAExC,SAAS,qBAAqB,MAAA,EAA8D;AACjG,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,MAAM,MAAA,GAAS,MAAA,EAAQ,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,mBAAA;AAE7C,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,cAAA,GAAiB,IAAI,iBAAA,CAAkB;AAAA,MACrC,MAAA;AAAA,MACA,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,OAAA,CAAQ,GAAA,CAAI,mBAAA;AAAA;AAAA,MAExC,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,OAAA,CAAQ,IAAI,oBAAA,KAAyB,OAAA;AAAA,MACjE,SAAS,MAAA,EAAQ,OAAA;AAAA,MACjB,KAAA,EAAO,MAAA,EAAQ,KAAA,IAAS,OAAA,CAAQ,IAAI,iBAAA,KAAsB;AAAA,KAC3D,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,cAAA;AACT;AAKO,SAAS,sBAAA,GAA+B;AAC7C,EAAA,cAAA,GAAiB,IAAA;AACnB","file":"api-client.js","sourcesContent":["/**\n * AgentShield API Client\n *\n * Lightweight client for calling the AgentShield enforce API from middleware.\n * Designed for Edge Runtime compatibility (no Node.js-specific APIs).\n */\n\nimport type { EnforcementAction } from '@kya-os/agentshield-shared';\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * API client configuration\n */\nexport interface AgentShieldClientConfig {\n  /** API key for authentication */\n  apiKey: string;\n  /** API base URL (defaults to production) */\n  baseUrl?: string;\n  /**\n   * Use edge detection for lower latency (~30-50ms vs ~150ms) and better coverage.\n   * Edge detection can identify non-JS clients (curl, Python, Claude Code WebFetch)\n   * that the pixel cannot detect since they don't execute JavaScript.\n   * @default true\n   */\n  useEdge?: boolean;\n  /** Request timeout in milliseconds (default: 5000) */\n  timeout?: number;\n  /** Enable debug logging */\n  debug?: boolean;\n}\n\n/**\n * Enforcement action — re-exported from `@kya-os/agentshield-shared`\n * so consumers of this package can keep importing it from the same\n * place. The canonical 6-value union is defined in\n * `packages/agentshield-shared/src/policy/constants.ts`. `'instruct'`\n * tells the middleware to emit a 401 with an MCP-I Link header\n * pointing the agent at a connect/consent URL.\n */\nexport type { EnforcementAction };\n\n/**\n * Enforcement decision from the API\n */\nexport interface EnforcementDecision {\n  action: EnforcementAction;\n  reason: string;\n  isAgent: boolean;\n  confidence: number;\n  agentName?: string;\n  agentType?: string;\n  redirectUrl?: string;\n  message?: string;\n  metadata?: {\n    policyVersion?: string;\n    signatureVerified?: boolean;\n    denyListMatch?: {\n      clientDid?: string;\n      agentDid?: string;\n      clientName?: string;\n      reason?: string;\n    };\n  };\n}\n\n/**\n * Detection result (optional in response)\n */\nexport interface DetectionResult {\n  isAgent: boolean;\n  confidence: number;\n  agentName?: string;\n  agentType?: string;\n  /** Detection class: 'human', 'ai_agent', 'bot', 'incomplete_data' */\n  detectionClass?: string;\n  verificationMethod?: string;\n  reasons?: string[];\n  /** Detection engine used: 'wasm' or 'javascript-fallback' */\n  detectionMethod?: string;\n}\n\n/**\n * Enforce API response\n */\nexport interface EnforceResponse {\n  success: boolean;\n  data?: {\n    decision: EnforcementDecision;\n    processingTimeMs: number;\n    requestId: string;\n    detection?: DetectionResult;\n  };\n  error?: {\n    code: string;\n    message: string;\n  };\n}\n\n/**\n * Request input for enforce API\n */\nexport interface EnforceInput {\n  /** HTTP headers from the incoming request */\n  headers?: Record<string, string>;\n  /** User-Agent header */\n  userAgent?: string;\n  /** Client IP address */\n  ipAddress?: string;\n  /** Request path */\n  path?: string;\n  /** Request URL */\n  url?: string;\n  /** HTTP method */\n  method?: string;\n  /** Request ID for tracing */\n  requestId?: string;\n  /** Options */\n  options?: {\n    /** Include full detection result */\n    includeDetectionResult?: boolean;\n    /** Cache TTL override */\n    cacheTTL?: number;\n  };\n}\n\n/**\n * Input for logging a detection result\n */\nexport interface LogDetectionInput {\n  /** Detection result from Gateway */\n  detection: DetectionResult;\n  /** Request context */\n  context: {\n    userAgent?: string;\n    ipAddress?: string;\n    path?: string;\n    url?: string;\n    method?: string;\n  };\n  /** Source of the detection */\n  source?: 'gateway' | 'middleware';\n}\n\n// ============================================================================\n// Client Implementation\n// ============================================================================\n\nconst DEFAULT_BASE_URL = 'https://kya.vouched.id';\nconst EDGE_DETECT_URL = 'https://detect.checkpoint-gateway.ai';\nconst DEFAULT_TIMEOUT = 5000;\n\n/**\n * AgentShield API Client\n *\n * @example\n * ```typescript\n * const client = new AgentShieldClient({\n *   apiKey: process.env.AGENTSHIELD_API_KEY!,\n * });\n *\n * const result = await client.enforce({\n *   headers: Object.fromEntries(request.headers),\n *   path: request.nextUrl.pathname,\n *   method: request.method,\n * });\n *\n * if (result.decision.action === 'block') {\n *   return new Response('Access denied', { status: 403 });\n * }\n * ```\n */\nexport class AgentShieldClient {\n  private apiKey: string;\n  private baseUrl: string;\n  private useEdge: boolean;\n  private timeout: number;\n  private debug: boolean;\n\n  constructor(config: AgentShieldClientConfig) {\n    if (!config.apiKey) {\n      throw new Error('AgentShield API key is required');\n    }\n\n    this.apiKey = config.apiKey;\n    // Default to edge detection for better coverage (detects non-JS clients)\n    this.useEdge = config.useEdge !== false; // true by default\n    this.baseUrl = config.baseUrl || (this.useEdge ? EDGE_DETECT_URL : DEFAULT_BASE_URL);\n    this.timeout = config.timeout || DEFAULT_TIMEOUT;\n    this.debug = config.debug || false;\n  }\n\n  /**\n   * Call the enforce API to check if a request should be allowed\n   */\n  async enforce(input: EnforceInput): Promise<EnforceResponse> {\n    const startTime = Date.now();\n\n    try {\n      // Create abort controller for timeout\n      const controller = new AbortController();\n      const timeoutId = setTimeout(() => controller.abort(), this.timeout);\n\n      try {\n        // Use edge endpoint or Vercel API based on configuration\n        const endpoint = this.useEdge\n          ? `${this.baseUrl}/__detect/enforce`\n          : `${this.baseUrl}/api/v1/enforce`;\n\n        const response = await fetch(endpoint, {\n          method: 'POST',\n          headers: {\n            'Content-Type': 'application/json',\n            Authorization: `Bearer ${this.apiKey}`,\n            'X-Request-ID': input.requestId || crypto.randomUUID(),\n          },\n          body: JSON.stringify(input),\n          signal: controller.signal,\n        });\n\n        clearTimeout(timeoutId);\n\n        // Parse response\n        const data = (await response.json()) as EnforceResponse;\n\n        if (this.debug) {\n          console.log('[AgentShield] Enforce response:', {\n            status: response.status,\n            action: data.data?.decision.action,\n            processingTimeMs: Date.now() - startTime,\n          });\n        }\n\n        // Handle non-2xx responses\n        if (!response.ok) {\n          return {\n            success: false,\n            error: {\n              code: `HTTP_${response.status}`,\n              message: data.error?.message || `HTTP error: ${response.status}`,\n            },\n          };\n        }\n\n        return data;\n      } catch (error) {\n        clearTimeout(timeoutId);\n        throw error;\n      }\n    } catch (error) {\n      // Handle timeout\n      if (error instanceof Error && error.name === 'AbortError') {\n        if (this.debug) {\n          console.warn('[AgentShield] Request timed out');\n        }\n        return {\n          success: false,\n          error: {\n            code: 'TIMEOUT',\n            message: `Request timed out after ${this.timeout}ms`,\n          },\n        };\n      }\n\n      // Handle network errors\n      if (this.debug) {\n        console.error('[AgentShield] Request failed:', error);\n      }\n\n      return {\n        success: false,\n        error: {\n          code: 'NETWORK_ERROR',\n          message: error instanceof Error ? error.message : 'Network request failed',\n        },\n      };\n    }\n  }\n\n  /**\n   * Quick check - returns just the action without full response parsing\n   * Useful for very fast middleware that just needs allow/block\n   */\n  async quickCheck(input: EnforceInput): Promise<{\n    action: EnforcementAction;\n    error?: string;\n  }> {\n    const result = await this.enforce(input);\n\n    if (!result.success || !result.data) {\n      // On error, default to allow (fail-open)\n      return {\n        action: 'allow',\n        error: result.error?.message,\n      };\n    }\n\n    return {\n      action: result.data.decision.action,\n    };\n  }\n\n  /**\n   * Check if this client is using edge detection (Gateway Worker)\n   */\n  isUsingEdge(): boolean {\n    return this.useEdge;\n  }\n\n  /**\n   * Log a detection result to AgentShield database.\n   * Use after Gateway Worker detection to persist results.\n   * Fire-and-forget - returns immediately without waiting for DB write.\n   *\n   * @example\n   * ```typescript\n   * // After receiving Gateway response\n   * if (client.isUsingEdge() && response.data?.detection) {\n   *   client.logDetection({\n   *     detection: response.data.detection,\n   *     context: { userAgent, ipAddress, path, url, method }\n   *   }).catch(err => console.error('Log failed:', err));\n   * }\n   * ```\n   */\n  async logDetection(input: LogDetectionInput): Promise<void> {\n    // Don't await - fire and forget\n    // Use the base URL (not edge) for logging since this goes to the main API\n    const logEndpoint = this.useEdge\n      ? `${DEFAULT_BASE_URL}/api/v1/log-detection`\n      : `${this.baseUrl}/api/v1/log-detection`;\n\n    try {\n      const controller = new AbortController();\n      const timeoutId = setTimeout(() => controller.abort(), this.timeout);\n\n      try {\n        const response = await fetch(logEndpoint, {\n          method: 'POST',\n          headers: {\n            'Content-Type': 'application/json',\n            Authorization: `Bearer ${this.apiKey}`,\n          },\n          body: JSON.stringify({\n            detection: {\n              isAgent: input.detection.isAgent,\n              confidence: input.detection.confidence,\n              agentName: input.detection.agentName,\n              agentType: input.detection.agentType,\n              detectionClass: input.detection.detectionClass,\n              verificationMethod: input.detection.verificationMethod,\n              reasons: input.detection.reasons,\n            },\n            context: input.context,\n            source: input.source || 'gateway',\n          }),\n          signal: controller.signal,\n        });\n\n        clearTimeout(timeoutId);\n\n        if (!response.ok && this.debug) {\n          console.warn('[AgentShield] Log detection returned non-2xx:', response.status);\n        }\n      } catch (error) {\n        clearTimeout(timeoutId);\n        throw error;\n      }\n    } catch (error) {\n      // Silently fail for fire-and-forget, but log in debug mode\n      if (this.debug) {\n        console.error('[AgentShield] Log detection failed:', error);\n      }\n      // Re-throw so caller can catch if needed\n      throw error;\n    }\n  }\n}\n\n/**\n * Create a singleton client instance\n *\n * @example\n * ```typescript\n * // In middleware.ts\n * import { getAgentShieldClient } from '@kya-os/agentshield-nextjs';\n *\n * const client = getAgentShieldClient();\n * ```\n */\nlet clientInstance: AgentShieldClient | null = null;\n\nexport function getAgentShieldClient(config?: Partial<AgentShieldClientConfig>): AgentShieldClient {\n  if (!clientInstance) {\n    const apiKey = config?.apiKey || process.env.AGENTSHIELD_API_KEY;\n\n    if (!apiKey) {\n      throw new Error(\n        'AgentShield API key is required. Set AGENTSHIELD_API_KEY environment variable or pass apiKey in config.'\n      );\n    }\n\n    clientInstance = new AgentShieldClient({\n      apiKey,\n      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,\n      // Default to edge detection unless explicitly disabled\n      useEdge: config?.useEdge ?? process.env.AGENTSHIELD_USE_EDGE !== 'false',\n      timeout: config?.timeout,\n      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === 'true',\n    });\n  }\n\n  return clientInstance;\n}\n\n/**\n * Reset the singleton client (useful for testing)\n */\nexport function resetAgentShieldClient(): void {\n  clientInstance = null;\n}\n"]}

package/dist/api-client.mjs

@@ -1,196 +0,0 @@
-// src/api-client.ts
-var DEFAULT_BASE_URL = "https://kya.vouched.id";
-var EDGE_DETECT_URL = "https://detect.checkpoint-gateway.ai";
-var DEFAULT_TIMEOUT = 5e3;
-var AgentShieldClient = class {
-  apiKey;
-  baseUrl;
-  useEdge;
-  timeout;
-  debug;
-  constructor(config) {
-    if (!config.apiKey) {
-      throw new Error("AgentShield API key is required");
-    }
-    this.apiKey = config.apiKey;
-    this.useEdge = config.useEdge !== false;
-    this.baseUrl = config.baseUrl || (this.useEdge ? EDGE_DETECT_URL : DEFAULT_BASE_URL);
-    this.timeout = config.timeout || DEFAULT_TIMEOUT;
-    this.debug = config.debug || false;
-  }
-  /**
-   * Call the enforce API to check if a request should be allowed
-   */
-  async enforce(input) {
-    const startTime = Date.now();
-    try {
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-      try {
-        const endpoint = this.useEdge ? `${this.baseUrl}/__detect/enforce` : `${this.baseUrl}/api/v1/enforce`;
-        const response = await fetch(endpoint, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${this.apiKey}`,
-            "X-Request-ID": input.requestId || crypto.randomUUID()
-          },
-          body: JSON.stringify(input),
-          signal: controller.signal
-        });
-        clearTimeout(timeoutId);
-        const data = await response.json();
-        if (this.debug) {
-          console.log("[AgentShield] Enforce response:", {
-            status: response.status,
-            action: data.data?.decision.action,
-            processingTimeMs: Date.now() - startTime
-          });
-        }
-        if (!response.ok) {
-          return {
-            success: false,
-            error: {
-              code: `HTTP_${response.status}`,
-              message: data.error?.message || `HTTP error: ${response.status}`
-            }
-          };
-        }
-        return data;
-      } catch (error) {
-        clearTimeout(timeoutId);
-        throw error;
-      }
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        if (this.debug) {
-          console.warn("[AgentShield] Request timed out");
-        }
-        return {
-          success: false,
-          error: {
-            code: "TIMEOUT",
-            message: `Request timed out after ${this.timeout}ms`
-          }
-        };
-      }
-      if (this.debug) {
-        console.error("[AgentShield] Request failed:", error);
-      }
-      return {
-        success: false,
-        error: {
-          code: "NETWORK_ERROR",
-          message: error instanceof Error ? error.message : "Network request failed"
-        }
-      };
-    }
-  }
-  /**
-   * Quick check - returns just the action without full response parsing
-   * Useful for very fast middleware that just needs allow/block
-   */
-  async quickCheck(input) {
-    const result = await this.enforce(input);
-    if (!result.success || !result.data) {
-      return {
-        action: "allow",
-        error: result.error?.message
-      };
-    }
-    return {
-      action: result.data.decision.action
-    };
-  }
-  /**
-   * Check if this client is using edge detection (Gateway Worker)
-   */
-  isUsingEdge() {
-    return this.useEdge;
-  }
-  /**
-   * Log a detection result to AgentShield database.
-   * Use after Gateway Worker detection to persist results.
-   * Fire-and-forget - returns immediately without waiting for DB write.
-   *
-   * @example
-   * ```typescript
-   * // After receiving Gateway response
-   * if (client.isUsingEdge() && response.data?.detection) {
-   *   client.logDetection({
-   *     detection: response.data.detection,
-   *     context: { userAgent, ipAddress, path, url, method }
-   *   }).catch(err => console.error('Log failed:', err));
-   * }
-   * ```
-   */
-  async logDetection(input) {
-    const logEndpoint = this.useEdge ? `${DEFAULT_BASE_URL}/api/v1/log-detection` : `${this.baseUrl}/api/v1/log-detection`;
-    try {
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
-      try {
-        const response = await fetch(logEndpoint, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${this.apiKey}`
-          },
-          body: JSON.stringify({
-            detection: {
-              isAgent: input.detection.isAgent,
-              confidence: input.detection.confidence,
-              agentName: input.detection.agentName,
-              agentType: input.detection.agentType,
-              detectionClass: input.detection.detectionClass,
-              verificationMethod: input.detection.verificationMethod,
-              reasons: input.detection.reasons
-            },
-            context: input.context,
-            source: input.source || "gateway"
-          }),
-          signal: controller.signal
-        });
-        clearTimeout(timeoutId);
-        if (!response.ok && this.debug) {
-          console.warn("[AgentShield] Log detection returned non-2xx:", response.status);
-        }
-      } catch (error) {
-        clearTimeout(timeoutId);
-        throw error;
-      }
-    } catch (error) {
-      if (this.debug) {
-        console.error("[AgentShield] Log detection failed:", error);
-      }
-      throw error;
-    }
-  }
-};
-var clientInstance = null;
-function getAgentShieldClient(config) {
-  if (!clientInstance) {
-    const apiKey = config?.apiKey || process.env.AGENTSHIELD_API_KEY;
-    if (!apiKey) {
-      throw new Error(
-        "AgentShield API key is required. Set AGENTSHIELD_API_KEY environment variable or pass apiKey in config."
-      );
-    }
-    clientInstance = new AgentShieldClient({
-      apiKey,
-      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,
-      // Default to edge detection unless explicitly disabled
-      useEdge: config?.useEdge ?? process.env.AGENTSHIELD_USE_EDGE !== "false",
-      timeout: config?.timeout,
-      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === "true"
-    });
-  }
-  return clientInstance;
-}
-function resetAgentShieldClient() {
-  clientInstance = null;
-}
-
-export { AgentShieldClient, getAgentShieldClient, resetAgentShieldClient };
-//# sourceMappingURL=api-client.mjs.map
-//# sourceMappingURL=api-client.mjs.map

package/dist/api-client.mjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/api-client.ts"],"names":[],"mappings":";AAsJA,IAAM,gBAAA,GAAmB,wBAAA;AACzB,IAAM,eAAA,GAAkB,sCAAA;AACxB,IAAM,eAAA,GAAkB,GAAA;AAsBjB,IAAM,oBAAN,MAAwB;AAAA,EACrB,MAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,KAAA;AAAA,EAER,YAAY,MAAA,EAAiC;AAC3C,IAAA,IAAI,CAAC,OAAO,MAAA,EAAQ;AAClB,MAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AAAA,IACnD;AAEA,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AAErB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAO,OAAA,KAAY,KAAA;AAClC,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,OAAA,KAAY,IAAA,CAAK,UAAU,eAAA,GAAkB,gBAAA,CAAA;AACnE,IAAA,IAAA,CAAK,OAAA,GAAU,OAAO,OAAA,IAAW,eAAA;AACjC,IAAA,IAAA,CAAK,KAAA,GAAQ,OAAO,KAAA,IAAS,KAAA;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,KAAA,EAA+C;AAC3D,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAE3B,IAAA,IAAI;AAEF,MAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,MAAA,MAAM,YAAY,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAEnE,MAAA,IAAI;AAEF,QAAA,MAAM,QAAA,GAAW,KAAK,OAAA,GAClB,CAAA,EAAG,KAAK,OAAO,CAAA,iBAAA,CAAA,GACf,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,eAAA,CAAA;AAEnB,QAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,QAAA,EAAU;AAAA,UACrC,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS;AAAA,YACP,cAAA,EAAgB,kBAAA;AAAA,YAChB,aAAA,EAAe,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA;AAAA,YACpC,cAAA,EAAgB,KAAA,CAAM,SAAA,IAAa,MAAA,CAAO,UAAA;AAAW,WACvD;AAAA,UACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,KAAK,CAAA;AAAA,UAC1B,QAAQ,UAAA,CAAW;AAAA,SACpB,CAAA;AAED,QAAA,YAAA,CAAa,SAAS,CAAA;AAGtB,QAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAElC,QAAA,IAAI,KAAK,KAAA,EAAO;AACd,UAAA,OAAA,CAAQ,IAAI,iCAAA,EAAmC;AAAA,YAC7C,QAAQ,QAAA,CAAS,MAAA;AAAA,YACjB,MAAA,EAAQ,IAAA,CAAK,IAAA,EAAM,QAAA,CAAS,MAAA;AAAA,YAC5B,gBAAA,EAAkB,IAAA,CAAK,GAAA,EAAI,GAAI;AAAA,WAChC,CAAA;AAAA,QACH;AAGA,QAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,UAAA,OAAO;AAAA,YACL,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAO;AAAA,cACL,IAAA,EAAM,CAAA,KAAA,EAAQ,QAAA,CAAS,MAAM,CAAA,CAAA;AAAA,cAC7B,SAAS,IAAA,CAAK,KAAA,EAAO,OAAA,IAAW,CAAA,YAAA,EAAe,SAAS,MAAM,CAAA;AAAA;AAChE,WACF;AAAA,QACF;AAEA,QAAA,OAAO,IAAA;AAAA,MACT,SAAS,KAAA,EAAO;AACd,QAAA,YAAA,CAAa,SAAS,CAAA;AACtB,QAAA,MAAM,KAAA;AAAA,MACR;AAAA,IACF,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,KAAA,YAAiB,KAAA,IAAS,KAAA,CAAM,IAAA,KAAS,YAAA,EAAc;AACzD,QAAA,IAAI,KAAK,KAAA,EAAO;AACd,UAAA,OAAA,CAAQ,KAAK,iCAAiC,CAAA;AAAA,QAChD;AACA,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,SAAA;AAAA,YACN,OAAA,EAAS,CAAA,wBAAA,EAA2B,IAAA,CAAK,OAAO,CAAA,EAAA;AAAA;AAClD,SACF;AAAA,MACF;AAGA,MAAA,IAAI,KAAK,KAAA,EAAO;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,iCAAiC,KAAK,CAAA;AAAA,MACtD;AAEA,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO;AAAA,UACL,IAAA,EAAM,eAAA;AAAA,UACN,OAAA,EAAS,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU;AAAA;AACpD,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAAW,KAAA,EAGd;AACD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,CAAA;AAEvC,IAAA,IAAI,CAAC,MAAA,CAAO,OAAA,IAAW,CAAC,OAAO,IAAA,EAAM;AAEnC,MAAA,OAAO;AAAA,QACL,MAAA,EAAQ,OAAA;AAAA,QACR,KAAA,EAAO,OAAO,KAAA,EAAO;AAAA,OACvB;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS;AAAA,KAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,GAAuB;AACrB,IAAA,OAAO,IAAA,CAAK,OAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,aAAa,KAAA,EAAyC;AAG1D,IAAA,MAAM,WAAA,GAAc,KAAK,OAAA,GACrB,CAAA,EAAG,gBAAgB,CAAA,qBAAA,CAAA,GACnB,CAAA,EAAG,KAAK,OAAO,CAAA,qBAAA,CAAA;AAEnB,IAAA,IAAI;AACF,MAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,MAAA,MAAM,YAAY,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAEnE,MAAA,IAAI;AACF,QAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,WAAA,EAAa;AAAA,UACxC,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS;AAAA,YACP,cAAA,EAAgB,kBAAA;AAAA,YAChB,aAAA,EAAe,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA;AAAA,WACtC;AAAA,UACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,YACnB,SAAA,EAAW;AAAA,cACT,OAAA,EAAS,MAAM,SAAA,CAAU,OAAA;AAAA,cACzB,UAAA,EAAY,MAAM,SAAA,CAAU,UAAA;AAAA,cAC5B,SAAA,EAAW,MAAM,SAAA,CAAU,SAAA;AAAA,cAC3B,SAAA,EAAW,MAAM,SAAA,CAAU,SAAA;AAAA,cAC3B,cAAA,EAAgB,MAAM,SAAA,CAAU,cAAA;AAAA,cAChC,kBAAA,EAAoB,MAAM,SAAA,CAAU,kBAAA;AAAA,cACpC,OAAA,EAAS,MAAM,SAAA,CAAU;AAAA,aAC3B;AAAA,YACA,SAAS,KAAA,CAAM,OAAA;AAAA,YACf,MAAA,EAAQ,MAAM,MAAA,IAAU;AAAA,WACzB,CAAA;AAAA,UACD,QAAQ,UAAA,CAAW;AAAA,SACpB,CAAA;AAED,QAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,QAAA,IAAI,CAAC,QAAA,CAAS,EAAA,IAAM,IAAA,CAAK,KAAA,EAAO;AAC9B,UAAA,OAAA,CAAQ,IAAA,CAAK,+CAAA,EAAiD,QAAA,CAAS,MAAM,CAAA;AAAA,QAC/E;AAAA,MACF,SAAS,KAAA,EAAO;AACd,QAAA,YAAA,CAAa,SAAS,CAAA;AACtB,QAAA,MAAM,KAAA;AAAA,MACR;AAAA,IACF,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,KAAK,KAAA,EAAO;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,uCAAuC,KAAK,CAAA;AAAA,MAC5D;AAEA,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AACF;AAaA,IAAI,cAAA,GAA2C,IAAA;AAExC,SAAS,qBAAqB,MAAA,EAA8D;AACjG,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,MAAM,MAAA,GAAS,MAAA,EAAQ,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,mBAAA;AAE7C,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,cAAA,GAAiB,IAAI,iBAAA,CAAkB;AAAA,MACrC,MAAA;AAAA,MACA,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,OAAA,CAAQ,GAAA,CAAI,mBAAA;AAAA;AAAA,MAExC,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,OAAA,CAAQ,IAAI,oBAAA,KAAyB,OAAA;AAAA,MACjE,SAAS,MAAA,EAAQ,OAAA;AAAA,MACjB,KAAA,EAAO,MAAA,EAAQ,KAAA,IAAS,OAAA,CAAQ,IAAI,iBAAA,KAAsB;AAAA,KAC3D,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,cAAA;AACT;AAKO,SAAS,sBAAA,GAA+B;AAC7C,EAAA,cAAA,GAAiB,IAAA;AACnB","file":"api-client.mjs","sourcesContent":["/**\n * AgentShield API Client\n *\n * Lightweight client for calling the AgentShield enforce API from middleware.\n * Designed for Edge Runtime compatibility (no Node.js-specific APIs).\n */\n\nimport type { EnforcementAction } from '@kya-os/agentshield-shared';\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * API client configuration\n */\nexport interface AgentShieldClientConfig {\n  /** API key for authentication */\n  apiKey: string;\n  /** API base URL (defaults to production) */\n  baseUrl?: string;\n  /**\n   * Use edge detection for lower latency (~30-50ms vs ~150ms) and better coverage.\n   * Edge detection can identify non-JS clients (curl, Python, Claude Code WebFetch)\n   * that the pixel cannot detect since they don't execute JavaScript.\n   * @default true\n   */\n  useEdge?: boolean;\n  /** Request timeout in milliseconds (default: 5000) */\n  timeout?: number;\n  /** Enable debug logging */\n  debug?: boolean;\n}\n\n/**\n * Enforcement action — re-exported from `@kya-os/agentshield-shared`\n * so consumers of this package can keep importing it from the same\n * place. The canonical 6-value union is defined in\n * `packages/agentshield-shared/src/policy/constants.ts`. `'instruct'`\n * tells the middleware to emit a 401 with an MCP-I Link header\n * pointing the agent at a connect/consent URL.\n */\nexport type { EnforcementAction };\n\n/**\n * Enforcement decision from the API\n */\nexport interface EnforcementDecision {\n  action: EnforcementAction;\n  reason: string;\n  isAgent: boolean;\n  confidence: number;\n  agentName?: string;\n  agentType?: string;\n  redirectUrl?: string;\n  message?: string;\n  metadata?: {\n    policyVersion?: string;\n    signatureVerified?: boolean;\n    denyListMatch?: {\n      clientDid?: string;\n      agentDid?: string;\n      clientName?: string;\n      reason?: string;\n    };\n  };\n}\n\n/**\n * Detection result (optional in response)\n */\nexport interface DetectionResult {\n  isAgent: boolean;\n  confidence: number;\n  agentName?: string;\n  agentType?: string;\n  /** Detection class: 'human', 'ai_agent', 'bot', 'incomplete_data' */\n  detectionClass?: string;\n  verificationMethod?: string;\n  reasons?: string[];\n  /** Detection engine used: 'wasm' or 'javascript-fallback' */\n  detectionMethod?: string;\n}\n\n/**\n * Enforce API response\n */\nexport interface EnforceResponse {\n  success: boolean;\n  data?: {\n    decision: EnforcementDecision;\n    processingTimeMs: number;\n    requestId: string;\n    detection?: DetectionResult;\n  };\n  error?: {\n    code: string;\n    message: string;\n  };\n}\n\n/**\n * Request input for enforce API\n */\nexport interface EnforceInput {\n  /** HTTP headers from the incoming request */\n  headers?: Record<string, string>;\n  /** User-Agent header */\n  userAgent?: string;\n  /** Client IP address */\n  ipAddress?: string;\n  /** Request path */\n  path?: string;\n  /** Request URL */\n  url?: string;\n  /** HTTP method */\n  method?: string;\n  /** Request ID for tracing */\n  requestId?: string;\n  /** Options */\n  options?: {\n    /** Include full detection result */\n    includeDetectionResult?: boolean;\n    /** Cache TTL override */\n    cacheTTL?: number;\n  };\n}\n\n/**\n * Input for logging a detection result\n */\nexport interface LogDetectionInput {\n  /** Detection result from Gateway */\n  detection: DetectionResult;\n  /** Request context */\n  context: {\n    userAgent?: string;\n    ipAddress?: string;\n    path?: string;\n    url?: string;\n    method?: string;\n  };\n  /** Source of the detection */\n  source?: 'gateway' | 'middleware';\n}\n\n// ============================================================================\n// Client Implementation\n// ============================================================================\n\nconst DEFAULT_BASE_URL = 'https://kya.vouched.id';\nconst EDGE_DETECT_URL = 'https://detect.checkpoint-gateway.ai';\nconst DEFAULT_TIMEOUT = 5000;\n\n/**\n * AgentShield API Client\n *\n * @example\n * ```typescript\n * const client = new AgentShieldClient({\n *   apiKey: process.env.AGENTSHIELD_API_KEY!,\n * });\n *\n * const result = await client.enforce({\n *   headers: Object.fromEntries(request.headers),\n *   path: request.nextUrl.pathname,\n *   method: request.method,\n * });\n *\n * if (result.decision.action === 'block') {\n *   return new Response('Access denied', { status: 403 });\n * }\n * ```\n */\nexport class AgentShieldClient {\n  private apiKey: string;\n  private baseUrl: string;\n  private useEdge: boolean;\n  private timeout: number;\n  private debug: boolean;\n\n  constructor(config: AgentShieldClientConfig) {\n    if (!config.apiKey) {\n      throw new Error('AgentShield API key is required');\n    }\n\n    this.apiKey = config.apiKey;\n    // Default to edge detection for better coverage (detects non-JS clients)\n    this.useEdge = config.useEdge !== false; // true by default\n    this.baseUrl = config.baseUrl || (this.useEdge ? EDGE_DETECT_URL : DEFAULT_BASE_URL);\n    this.timeout = config.timeout || DEFAULT_TIMEOUT;\n    this.debug = config.debug || false;\n  }\n\n  /**\n   * Call the enforce API to check if a request should be allowed\n   */\n  async enforce(input: EnforceInput): Promise<EnforceResponse> {\n    const startTime = Date.now();\n\n    try {\n      // Create abort controller for timeout\n      const controller = new AbortController();\n      const timeoutId = setTimeout(() => controller.abort(), this.timeout);\n\n      try {\n        // Use edge endpoint or Vercel API based on configuration\n        const endpoint = this.useEdge\n          ? `${this.baseUrl}/__detect/enforce`\n          : `${this.baseUrl}/api/v1/enforce`;\n\n        const response = await fetch(endpoint, {\n          method: 'POST',\n          headers: {\n            'Content-Type': 'application/json',\n            Authorization: `Bearer ${this.apiKey}`,\n            'X-Request-ID': input.requestId || crypto.randomUUID(),\n          },\n          body: JSON.stringify(input),\n          signal: controller.signal,\n        });\n\n        clearTimeout(timeoutId);\n\n        // Parse response\n        const data = (await response.json()) as EnforceResponse;\n\n        if (this.debug) {\n          console.log('[AgentShield] Enforce response:', {\n            status: response.status,\n            action: data.data?.decision.action,\n            processingTimeMs: Date.now() - startTime,\n          });\n        }\n\n        // Handle non-2xx responses\n        if (!response.ok) {\n          return {\n            success: false,\n            error: {\n              code: `HTTP_${response.status}`,\n              message: data.error?.message || `HTTP error: ${response.status}`,\n            },\n          };\n        }\n\n        return data;\n      } catch (error) {\n        clearTimeout(timeoutId);\n        throw error;\n      }\n    } catch (error) {\n      // Handle timeout\n      if (error instanceof Error && error.name === 'AbortError') {\n        if (this.debug) {\n          console.warn('[AgentShield] Request timed out');\n        }\n        return {\n          success: false,\n          error: {\n            code: 'TIMEOUT',\n            message: `Request timed out after ${this.timeout}ms`,\n          },\n        };\n      }\n\n      // Handle network errors\n      if (this.debug) {\n        console.error('[AgentShield] Request failed:', error);\n      }\n\n      return {\n        success: false,\n        error: {\n          code: 'NETWORK_ERROR',\n          message: error instanceof Error ? error.message : 'Network request failed',\n        },\n      };\n    }\n  }\n\n  /**\n   * Quick check - returns just the action without full response parsing\n   * Useful for very fast middleware that just needs allow/block\n   */\n  async quickCheck(input: EnforceInput): Promise<{\n    action: EnforcementAction;\n    error?: string;\n  }> {\n    const result = await this.enforce(input);\n\n    if (!result.success || !result.data) {\n      // On error, default to allow (fail-open)\n      return {\n        action: 'allow',\n        error: result.error?.message,\n      };\n    }\n\n    return {\n      action: result.data.decision.action,\n    };\n  }\n\n  /**\n   * Check if this client is using edge detection (Gateway Worker)\n   */\n  isUsingEdge(): boolean {\n    return this.useEdge;\n  }\n\n  /**\n   * Log a detection result to AgentShield database.\n   * Use after Gateway Worker detection to persist results.\n   * Fire-and-forget - returns immediately without waiting for DB write.\n   *\n   * @example\n   * ```typescript\n   * // After receiving Gateway response\n   * if (client.isUsingEdge() && response.data?.detection) {\n   *   client.logDetection({\n   *     detection: response.data.detection,\n   *     context: { userAgent, ipAddress, path, url, method }\n   *   }).catch(err => console.error('Log failed:', err));\n   * }\n   * ```\n   */\n  async logDetection(input: LogDetectionInput): Promise<void> {\n    // Don't await - fire and forget\n    // Use the base URL (not edge) for logging since this goes to the main API\n    const logEndpoint = this.useEdge\n      ? `${DEFAULT_BASE_URL}/api/v1/log-detection`\n      : `${this.baseUrl}/api/v1/log-detection`;\n\n    try {\n      const controller = new AbortController();\n      const timeoutId = setTimeout(() => controller.abort(), this.timeout);\n\n      try {\n        const response = await fetch(logEndpoint, {\n          method: 'POST',\n          headers: {\n            'Content-Type': 'application/json',\n            Authorization: `Bearer ${this.apiKey}`,\n          },\n          body: JSON.stringify({\n            detection: {\n              isAgent: input.detection.isAgent,\n              confidence: input.detection.confidence,\n              agentName: input.detection.agentName,\n              agentType: input.detection.agentType,\n              detectionClass: input.detection.detectionClass,\n              verificationMethod: input.detection.verificationMethod,\n              reasons: input.detection.reasons,\n            },\n            context: input.context,\n            source: input.source || 'gateway',\n          }),\n          signal: controller.signal,\n        });\n\n        clearTimeout(timeoutId);\n\n        if (!response.ok && this.debug) {\n          console.warn('[AgentShield] Log detection returned non-2xx:', response.status);\n        }\n      } catch (error) {\n        clearTimeout(timeoutId);\n        throw error;\n      }\n    } catch (error) {\n      // Silently fail for fire-and-forget, but log in debug mode\n      if (this.debug) {\n        console.error('[AgentShield] Log detection failed:', error);\n      }\n      // Re-throw so caller can catch if needed\n      throw error;\n    }\n  }\n}\n\n/**\n * Create a singleton client instance\n *\n * @example\n * ```typescript\n * // In middleware.ts\n * import { getAgentShieldClient } from '@kya-os/agentshield-nextjs';\n *\n * const client = getAgentShieldClient();\n * ```\n */\nlet clientInstance: AgentShieldClient | null = null;\n\nexport function getAgentShieldClient(config?: Partial<AgentShieldClientConfig>): AgentShieldClient {\n  if (!clientInstance) {\n    const apiKey = config?.apiKey || process.env.AGENTSHIELD_API_KEY;\n\n    if (!apiKey) {\n      throw new Error(\n        'AgentShield API key is required. Set AGENTSHIELD_API_KEY environment variable or pass apiKey in config.'\n      );\n    }\n\n    clientInstance = new AgentShieldClient({\n      apiKey,\n      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,\n      // Default to edge detection unless explicitly disabled\n      useEdge: config?.useEdge ?? process.env.AGENTSHIELD_USE_EDGE !== 'false',\n      timeout: config?.timeout,\n      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === 'true',\n    });\n  }\n\n  return clientInstance;\n}\n\n/**\n * Reset the singleton client (useful for testing)\n */\nexport function resetAgentShieldClient(): void {\n  clientInstance = null;\n}\n"]}