@kya-os/agentshield-nextjs 0.3.3 → 0.3.5

package/dist/policy.d.mts

@@ -1,162 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { PolicyConfig, PolicyEvaluationResult, PolicyEvaluationContext, DetectionResult } from '@kya-os/agentshield-shared';
-export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/agentshield-shared';
-
-/**
- * Policy Integration for agentshield-nextjs
- *
- * This module provides policy evaluation support for the Next.js middleware.
- * It can use:
- * - Local policy configuration (static)
- * - Fetched policy from AgentShield API (dynamic with caching)
- * - Fallback/default policies
- *
- * @example
- * ```typescript
- * import { createPolicyMiddleware } from '@kya-os/agentshield-nextjs/policy';
- *
- * export default createPolicyMiddleware({
- *   policy: {
- *     enabled: true,
- *     defaultAction: 'allow',
- *     thresholds: { confidenceThreshold: 80, confidenceAction: 'block' },
- *     allowList: [{ clientName: 'ChatGPT' }],
- *   },
- * });
- * ```
- */
-
-/**
- * Policy middleware configuration
- */
-interface PolicyMiddlewareConfig {
-    /**
-     * Local policy configuration (static)
-     * If provided, this policy is used instead of fetching from API
-     */
-    policy?: Partial<PolicyConfig>;
-    /**
-     * Fetch policy from AgentShield API
-     * Requires projectId and optionally an apiKey
-     */
-    fetchPolicy?: {
-        /** Project ID to fetch policy for */
-        projectId: string;
-        /** API base URL (defaults to production) */
-        apiUrl?: string;
-        /** API key for authentication */
-        apiKey?: string;
-        /** Cache TTL in seconds (default: 300) */
-        cacheTtlSeconds?: number;
-    };
-    /**
-     * Fallback policy to use when fetch fails
-     * Defaults to DEFAULT_POLICY (allow all)
-     */
-    fallbackPolicy?: Partial<PolicyConfig>;
-    /**
-     * Custom blocked response
-     */
-    blockedResponse?: {
-        status?: number;
-        message?: string;
-        headers?: Record<string, string>;
-    };
-    /**
-     * Default redirect URL for redirect actions
-     */
-    redirectUrl?: string;
-    /**
-     * Callback when policy decision is made
-     */
-    onPolicyDecision?: (request: NextRequest, decision: PolicyEvaluationResult, context: PolicyEvaluationContext) => void | Promise<void>;
-    /**
-     * Custom response builder for blocked requests
-     */
-    customBlockedResponse?: (request: NextRequest, decision: PolicyEvaluationResult) => NextResponse | Promise<NextResponse>;
-    /**
-     * Whether to fail open (allow) on policy evaluation errors
-     * Default: true (recommended for production)
-     */
-    failOpen?: boolean;
-    /**
-     * Enable debug logging
-     */
-    debug?: boolean;
-}
-/**
- * Combined middleware configuration with policy support
- */
-interface NextJSPolicyMiddlewareConfig extends PolicyMiddlewareConfig {
-    /**
-     * Paths to skip (in addition to policy excludedPaths)
-     */
-    skipPaths?: string[];
-    /**
-     * Only enforce on these paths (overrides policy includedPaths)
-     */
-    includePaths?: string[];
-}
-/**
- * Create policy evaluation context from detection result and request
- */
-declare function createContextFromDetection(detection: DetectionResult, request: NextRequest): PolicyEvaluationContext;
-/**
- * Evaluate policy for a detection result
- */
-declare function evaluatePolicyForDetection(detection: DetectionResult, request: NextRequest, policy: PolicyConfig): PolicyEvaluationResult;
-/**
- * Build blocked response based on policy decision
- */
-declare function buildBlockedResponse(decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): NextResponse;
-/**
- * Build redirect response based on policy decision
- */
-declare function buildRedirectResponse(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig, detection?: {
-    detectedAgent?: {
-        name?: string;
-    };
-}): NextResponse;
-/**
- * Build challenge response (placeholder - future implementation)
- */
-declare function buildChallengeResponse(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig, detection?: {
-    detectedAgent?: {
-        name?: string;
-    };
-}): NextResponse;
-/**
- * Handle policy decision and return appropriate response
- */
-declare function handlePolicyDecision(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig, detection?: {
-    detectedAgent?: {
-        name?: string;
-    };
-}): Promise<NextResponse | null>;
-/**
- * Get policy (local, fetched, or fallback)
- */
-declare function getPolicy(config: PolicyMiddlewareConfig): Promise<PolicyConfig>;
-/**
- * Apply policy to a detection result
- *
- * This function can be used standalone to evaluate policy after detection.
- * Supports extended config with skipPaths and includePaths for path-based filtering.
- *
- * @example
- * ```typescript
- * const result = await detector.analyze(context);
- * const response = await applyPolicy(request, result, {
- *   policy: { thresholds: { confidenceThreshold: 80 } },
- *   skipPaths: ['/health', '/api/public/*'],
- *   includePaths: ['/api/*'],
- * });
- *
- * if (response) {
- *   return response; // Policy blocked the request
- * }
- * ```
- */
-declare function applyPolicy(request: NextRequest, detection: DetectionResult, config: NextJSPolicyMiddlewareConfig): Promise<NextResponse | null>;
-
-export { type NextJSPolicyMiddlewareConfig, type PolicyMiddlewareConfig, applyPolicy, buildBlockedResponse, buildChallengeResponse, buildRedirectResponse, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision };

package/dist/policy.d.ts

@@ -1,162 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { PolicyConfig, PolicyEvaluationResult, PolicyEvaluationContext, DetectionResult } from '@kya-os/agentshield-shared';
-export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/agentshield-shared';
-
-/**
- * Policy Integration for agentshield-nextjs
- *
- * This module provides policy evaluation support for the Next.js middleware.
- * It can use:
- * - Local policy configuration (static)
- * - Fetched policy from AgentShield API (dynamic with caching)
- * - Fallback/default policies
- *
- * @example
- * ```typescript
- * import { createPolicyMiddleware } from '@kya-os/agentshield-nextjs/policy';
- *
- * export default createPolicyMiddleware({
- *   policy: {
- *     enabled: true,
- *     defaultAction: 'allow',
- *     thresholds: { confidenceThreshold: 80, confidenceAction: 'block' },
- *     allowList: [{ clientName: 'ChatGPT' }],
- *   },
- * });
- * ```
- */
-
-/**
- * Policy middleware configuration
- */
-interface PolicyMiddlewareConfig {
-    /**
-     * Local policy configuration (static)
-     * If provided, this policy is used instead of fetching from API
-     */
-    policy?: Partial<PolicyConfig>;
-    /**
-     * Fetch policy from AgentShield API
-     * Requires projectId and optionally an apiKey
-     */
-    fetchPolicy?: {
-        /** Project ID to fetch policy for */
-        projectId: string;
-        /** API base URL (defaults to production) */
-        apiUrl?: string;
-        /** API key for authentication */
-        apiKey?: string;
-        /** Cache TTL in seconds (default: 300) */
-        cacheTtlSeconds?: number;
-    };
-    /**
-     * Fallback policy to use when fetch fails
-     * Defaults to DEFAULT_POLICY (allow all)
-     */
-    fallbackPolicy?: Partial<PolicyConfig>;
-    /**
-     * Custom blocked response
-     */
-    blockedResponse?: {
-        status?: number;
-        message?: string;
-        headers?: Record<string, string>;
-    };
-    /**
-     * Default redirect URL for redirect actions
-     */
-    redirectUrl?: string;
-    /**
-     * Callback when policy decision is made
-     */
-    onPolicyDecision?: (request: NextRequest, decision: PolicyEvaluationResult, context: PolicyEvaluationContext) => void | Promise<void>;
-    /**
-     * Custom response builder for blocked requests
-     */
-    customBlockedResponse?: (request: NextRequest, decision: PolicyEvaluationResult) => NextResponse | Promise<NextResponse>;
-    /**
-     * Whether to fail open (allow) on policy evaluation errors
-     * Default: true (recommended for production)
-     */
-    failOpen?: boolean;
-    /**
-     * Enable debug logging
-     */
-    debug?: boolean;
-}
-/**
- * Combined middleware configuration with policy support
- */
-interface NextJSPolicyMiddlewareConfig extends PolicyMiddlewareConfig {
-    /**
-     * Paths to skip (in addition to policy excludedPaths)
-     */
-    skipPaths?: string[];
-    /**
-     * Only enforce on these paths (overrides policy includedPaths)
-     */
-    includePaths?: string[];
-}
-/**
- * Create policy evaluation context from detection result and request
- */
-declare function createContextFromDetection(detection: DetectionResult, request: NextRequest): PolicyEvaluationContext;
-/**
- * Evaluate policy for a detection result
- */
-declare function evaluatePolicyForDetection(detection: DetectionResult, request: NextRequest, policy: PolicyConfig): PolicyEvaluationResult;
-/**
- * Build blocked response based on policy decision
- */
-declare function buildBlockedResponse(decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig): NextResponse;
-/**
- * Build redirect response based on policy decision
- */
-declare function buildRedirectResponse(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig, detection?: {
-    detectedAgent?: {
-        name?: string;
-    };
-}): NextResponse;
-/**
- * Build challenge response (placeholder - future implementation)
- */
-declare function buildChallengeResponse(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig, detection?: {
-    detectedAgent?: {
-        name?: string;
-    };
-}): NextResponse;
-/**
- * Handle policy decision and return appropriate response
- */
-declare function handlePolicyDecision(request: NextRequest, decision: PolicyEvaluationResult, config: PolicyMiddlewareConfig, detection?: {
-    detectedAgent?: {
-        name?: string;
-    };
-}): Promise<NextResponse | null>;
-/**
- * Get policy (local, fetched, or fallback)
- */
-declare function getPolicy(config: PolicyMiddlewareConfig): Promise<PolicyConfig>;
-/**
- * Apply policy to a detection result
- *
- * This function can be used standalone to evaluate policy after detection.
- * Supports extended config with skipPaths and includePaths for path-based filtering.
- *
- * @example
- * ```typescript
- * const result = await detector.analyze(context);
- * const response = await applyPolicy(request, result, {
- *   policy: { thresholds: { confidenceThreshold: 80 } },
- *   skipPaths: ['/health', '/api/public/*'],
- *   includePaths: ['/api/*'],
- * });
- *
- * if (response) {
- *   return response; // Policy blocked the request
- * }
- * ```
- */
-declare function applyPolicy(request: NextRequest, detection: DetectionResult, config: NextJSPolicyMiddlewareConfig): Promise<NextResponse | null>;
-
-export { type NextJSPolicyMiddlewareConfig, type PolicyMiddlewareConfig, applyPolicy, buildBlockedResponse, buildChallengeResponse, buildRedirectResponse, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision };

package/dist/policy.js

@@ -1,189 +0,0 @@
-'use strict';
-
-var server = require('next/server');
-var agentshieldShared = require('@kya-os/agentshield-shared');
-
-// src/policy.ts
-function createContextFromDetection(detection, request) {
-  return agentshieldShared.createEvaluationContext({
-    agentType: detection.detectedAgent?.type,
-    agentName: detection.detectedAgent?.name,
-    agentVendor: detection.detectedAgent?.vendor,
-    confidence: detection.confidence,
-    riskLevel: detection.riskLevel,
-    path: request.nextUrl.pathname,
-    method: request.method,
-    signatureVerified: detection.verificationMethod === "signature",
-    isAuthenticated: false,
-    // TODO: integrate with auth
-    userAgent: request.headers.get("user-agent") || void 0
-  });
-}
-function evaluatePolicyForDetection(detection, request, policy) {
-  const context = createContextFromDetection(detection, request);
-  return agentshieldShared.evaluatePolicy(policy, context);
-}
-function buildBlockedResponse(decision, config) {
-  const status = config.blockedResponse?.status ?? 403;
-  const message = config.blockedResponse?.message ?? decision.message ?? "Access denied";
-  const response = server.NextResponse.json(
-    {
-      error: message,
-      code: "POLICY_BLOCKED",
-      reason: decision.reason,
-      ruleId: decision.ruleId,
-      matchType: decision.matchType
-    },
-    { status }
-  );
-  if (config.blockedResponse?.headers) {
-    for (const [key, value] of Object.entries(config.blockedResponse.headers)) {
-      response.headers.set(key, value);
-    }
-  }
-  response.headers.set("KYA-Action", decision.action);
-  response.headers.set("KYA-Reason", decision.reason);
-  response.headers.set("KYA-Match-Type", decision.matchType);
-  return response;
-}
-function buildRedirectResponse(request, decision, config, detection) {
-  const redirectUrl = decision.redirectUrl || config.redirectUrl || "/blocked";
-  const url = new URL(redirectUrl, request.url);
-  url.searchParams.set("reason", decision.reason);
-  if (decision.ruleId) {
-    url.searchParams.set("ruleId", decision.ruleId);
-  }
-  const agentName = detection?.detectedAgent?.name;
-  if (agentName && !url.searchParams.has("agent")) {
-    url.searchParams.set("agent", agentName.toLowerCase());
-  }
-  return server.NextResponse.redirect(url);
-}
-function buildChallengeResponse(request, decision, config, detection) {
-  return buildRedirectResponse(request, decision, config, detection);
-}
-async function handlePolicyDecision(request, decision, config, detection) {
-  switch (decision.action) {
-    case agentshieldShared.ENFORCEMENT_ACTIONS.BLOCK:
-      if (config.customBlockedResponse) {
-        return await config.customBlockedResponse(request, decision);
-      }
-      return buildBlockedResponse(decision, config);
-    case agentshieldShared.ENFORCEMENT_ACTIONS.REDIRECT:
-      return buildRedirectResponse(request, decision, config, detection);
-    case agentshieldShared.ENFORCEMENT_ACTIONS.CHALLENGE:
-      return buildChallengeResponse(request, decision, config, detection);
-    case agentshieldShared.ENFORCEMENT_ACTIONS.LOG:
-      console.log("[AgentShield] Policy decision (log):", {
-        path: request.nextUrl.pathname,
-        action: decision.action,
-        reason: decision.reason,
-        matchType: decision.matchType,
-        ruleId: decision.ruleId
-      });
-      return null;
-    // Continue to allow
-    case agentshieldShared.ENFORCEMENT_ACTIONS.ALLOW:
-    default:
-      return null;
-  }
-}
-var fetcherCache = /* @__PURE__ */ new Map();
-function getFetcherCacheKey(config) {
-  return `${config.apiUrl ?? "default"}:${config.apiKey ?? ""}:${config.cacheTtlSeconds ?? "default"}`;
-}
-function getPolicyFetcher(config) {
-  if (!config) {
-    throw new Error("fetchPolicy config required");
-  }
-  const cacheKey = getFetcherCacheKey(config);
-  let fetcher = fetcherCache.get(cacheKey);
-  if (!fetcher) {
-    const fetcherConfig = {
-      apiBaseUrl: config.apiUrl || "https://kya.vouched.id",
-      apiKey: config.apiKey,
-      cacheTtlSeconds: config.cacheTtlSeconds
-    };
-    fetcher = agentshieldShared.createPolicyFetcher(fetcherConfig);
-    fetcherCache.set(cacheKey, fetcher);
-  }
-  return fetcher;
-}
-async function getPolicy(config) {
-  if (config.policy) {
-    return agentshieldShared.PolicyConfigSchema.parse({ ...agentshieldShared.DEFAULT_POLICY, ...config.policy });
-  }
-  if (config.fetchPolicy) {
-    try {
-      const fetcher = getPolicyFetcher(config.fetchPolicy);
-      return await fetcher.getPolicy(config.fetchPolicy.projectId);
-    } catch (error) {
-      if (config.debug) {
-        console.warn("[AgentShield] Policy fetch failed, using fallback:", error);
-      }
-      return agentshieldShared.PolicyConfigSchema.parse({
-        ...agentshieldShared.DEFAULT_POLICY,
-        ...config.fallbackPolicy || {}
-      });
-    }
-  }
-  return agentshieldShared.PolicyConfigSchema.parse(agentshieldShared.DEFAULT_POLICY);
-}
-async function applyPolicy(request, detection, config) {
-  try {
-    const path = request.nextUrl.pathname;
-    if (config.skipPaths?.some((pattern) => agentshieldShared.matchPath(path, pattern))) {
-      return null;
-    }
-    if (config.includePaths && config.includePaths.length > 0) {
-      if (!config.includePaths.some((pattern) => agentshieldShared.matchPath(path, pattern))) {
-        return null;
-      }
-    }
-    const policy = await getPolicy(config);
-    const context = createContextFromDetection(detection, request);
-    const decision = agentshieldShared.evaluatePolicy(policy, context);
-    if (config.onPolicyDecision) {
-      await config.onPolicyDecision(request, decision, context);
-    }
-    return await handlePolicyDecision(request, decision, config, detection);
-  } catch (error) {
-    if (config.debug) {
-      console.error("[AgentShield] Policy evaluation error:", error);
-    }
-    if (config.failOpen !== false) {
-      return null;
-    }
-    return server.NextResponse.json(
-      { error: "Security check failed", code: "POLICY_ERROR" },
-      { status: 503 }
-    );
-  }
-}
-
-Object.defineProperty(exports, "DEFAULT_POLICY", {
-  enumerable: true,
-  get: function () { return agentshieldShared.DEFAULT_POLICY; }
-});
-Object.defineProperty(exports, "ENFORCEMENT_ACTIONS", {
-  enumerable: true,
-  get: function () { return agentshieldShared.ENFORCEMENT_ACTIONS; }
-});
-Object.defineProperty(exports, "createEvaluationContext", {
-  enumerable: true,
-  get: function () { return agentshieldShared.createEvaluationContext; }
-});
-Object.defineProperty(exports, "evaluatePolicy", {
-  enumerable: true,
-  get: function () { return agentshieldShared.evaluatePolicy; }
-});
-exports.applyPolicy = applyPolicy;
-exports.buildBlockedResponse = buildBlockedResponse;
-exports.buildChallengeResponse = buildChallengeResponse;
-exports.buildRedirectResponse = buildRedirectResponse;
-exports.createContextFromDetection = createContextFromDetection;
-exports.evaluatePolicyForDetection = evaluatePolicyForDetection;
-exports.getPolicy = getPolicy;
-exports.handlePolicyDecision = handlePolicyDecision;
-//# sourceMappingURL=policy.js.map
-//# sourceMappingURL=policy.js.map

package/dist/policy.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/policy.ts"],"names":["createEvaluationContext","evaluatePolicy","NextResponse","ENFORCEMENT_ACTIONS","createPolicyFetcher","PolicyConfigSchema","DEFAULT_POLICY","matchPath"],"mappings":";;;;;;AAwJO,SAAS,0BAAA,CACd,WACA,OAAA,EACyB;AACzB,EAAA,OAAOA,yCAAA,CAAwB;AAAA,IAC7B,SAAA,EAAW,UAAU,aAAA,EAAe,IAAA;AAAA,IACpC,SAAA,EAAW,UAAU,aAAA,EAAe,IAAA;AAAA,IACpC,WAAA,EAAa,UAAU,aAAA,EAAe,MAAA;AAAA,IACtC,YAAY,SAAA,CAAU,UAAA;AAAA,IACtB,WAAW,SAAA,CAAU,SAAA;AAAA,IACrB,IAAA,EAAM,QAAQ,OAAA,CAAQ,QAAA;AAAA,IACtB,QAAQ,OAAA,CAAQ,MAAA;AAAA,IAChB,iBAAA,EAAmB,UAAU,kBAAA,KAAuB,WAAA;AAAA,IACpD,eAAA,EAAiB,KAAA;AAAA;AAAA,IACjB,SAAA,EAAW,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA,IAAK;AAAA,GACjD,CAAA;AACH;AAKO,SAAS,0BAAA,CACd,SAAA,EACA,OAAA,EACA,MAAA,EACwB;AACxB,EAAA,MAAM,OAAA,GAAU,0BAAA,CAA2B,SAAA,EAAW,OAAO,CAAA;AAC7D,EAAA,OAAOC,gCAAA,CAAe,QAAQ,OAAO,CAAA;AACvC;AASO,SAAS,oBAAA,CACd,UACA,MAAA,EACc;AACd,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,eAAA,EAAiB,MAAA,IAAU,GAAA;AACjD,EAAA,MAAM,OAAA,GAAU,MAAA,CAAO,eAAA,EAAiB,OAAA,IAAW,SAAS,OAAA,IAAW,eAAA;AAEvE,EAAA,MAAM,WAAWC,mBAAA,CAAa,IAAA;AAAA,IAC5B;AAAA,MACE,KAAA,EAAO,OAAA;AAAA,MACP,IAAA,EAAM,gBAAA;AAAA,MACN,QAAQ,QAAA,CAAS,MAAA;AAAA,MACjB,QAAQ,QAAA,CAAS,MAAA;AAAA,MACjB,WAAW,QAAA,CAAS;AAAA,KACtB;AAAA,IACA,EAAE,MAAA;AAAO,GACX;AAGA,EAAA,IAAI,MAAA,CAAO,iBAAiB,OAAA,EAAS;AACnC,IAAA,KAAA,MAAW,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAA,CAAQ,MAAA,CAAO,eAAA,CAAgB,OAAO,CAAA,EAAG;AACzE,MAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,IACjC;AAAA,EACF;AAGA,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAA,EAAc,QAAA,CAAS,MAAM,CAAA;AAClD,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,YAAA,EAAc,QAAA,CAAS,MAAM,CAAA;AAClD,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,gBAAA,EAAkB,QAAA,CAAS,SAAS,CAAA;AAEzD,EAAA,OAAO,QAAA;AACT;AAKO,SAAS,qBAAA,CACd,OAAA,EACA,QAAA,EACA,MAAA,EACA,SAAA,EACc;AACd,EAAA,MAAM,WAAA,GAAc,QAAA,CAAS,WAAA,IAAe,MAAA,CAAO,WAAA,IAAe,UAAA;AAClE,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,WAAA,EAAa,QAAQ,GAAG,CAAA;AAG5C,EAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,QAAA,EAAU,QAAA,CAAS,MAAM,CAAA;AAC9C,EAAA,IAAI,SAAS,MAAA,EAAQ;AACnB,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,QAAA,EAAU,QAAA,CAAS,MAAM,CAAA;AAAA,EAChD;AACA,EAAA,MAAM,SAAA,GAAY,WAAW,aAAA,EAAe,IAAA;AAC5C,EAAA,IAAI,aAAa,CAAC,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA,EAAG;AAC/C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,SAAA,CAAU,aAAa,CAAA;AAAA,EACvD;AAEA,EAAA,OAAOA,mBAAA,CAAa,SAAS,GAAG,CAAA;AAClC;AAKO,SAAS,sBAAA,CACd,OAAA,EACA,QAAA,EACA,MAAA,EACA,SAAA,EACc;AAGd,EAAA,OAAO,qBAAA,CAAsB,OAAA,EAAS,QAAA,EAAU,MAAA,EAAQ,SAAS,CAAA;AACnE;AASA,eAAsB,oBAAA,CACpB,OAAA,EACA,QAAA,EACA,MAAA,EACA,SAAA,EAC8B;AAC9B,EAAA,QAAQ,SAAS,MAAA;AAAQ,IACvB,KAAKC,qCAAA,CAAoB,KAAA;AACvB,MAAA,IAAI,OAAO,qBAAA,EAAuB;AAChC,QAAA,OAAO,MAAM,MAAA,CAAO,qBAAA,CAAsB,OAAA,EAAS,QAAQ,CAAA;AAAA,MAC7D;AACA,MAAA,OAAO,oBAAA,CAAqB,UAAU,MAAM,CAAA;AAAA,IAE9C,KAAKA,qCAAA,CAAoB,QAAA;AACvB,MAAA,OAAO,qBAAA,CAAsB,OAAA,EAAS,QAAA,EAAU,MAAA,EAAQ,SAAS,CAAA;AAAA,IAEnE,KAAKA,qCAAA,CAAoB,SAAA;AACvB,MAAA,OAAO,sBAAA,CAAuB,OAAA,EAAS,QAAA,EAAU,MAAA,EAAQ,SAAS,CAAA;AAAA,IAEpE,KAAKA,qCAAA,CAAoB,GAAA;AAGvB,MAAA,OAAA,CAAQ,IAAI,sCAAA,EAAwC;AAAA,QAClD,IAAA,EAAM,QAAQ,OAAA,CAAQ,QAAA;AAAA,QACtB,QAAQ,QAAA,CAAS,MAAA;AAAA,QACjB,QAAQ,QAAA,CAAS,MAAA;AAAA,QACjB,WAAW,QAAA,CAAS,SAAA;AAAA,QACpB,QAAQ,QAAA,CAAS;AAAA,OAClB,CAAA;AACD,MAAA,OAAO,IAAA;AAAA;AAAA,IAET,KAAKA,qCAAA,CAAoB,KAAA;AAAA,IACzB;AACE,MAAA,OAAO,IAAA;AAAA;AAEb;AAQA,IAAM,YAAA,uBAAmB,GAAA,EAA2B;AAMpD,SAAS,mBAAmB,MAAA,EAAoE;AAC9F,EAAA,OAAO,CAAA,EAAG,MAAA,CAAO,MAAA,IAAU,SAAS,CAAA,CAAA,EAAI,MAAA,CAAO,MAAA,IAAU,EAAE,CAAA,CAAA,EAAI,MAAA,CAAO,eAAA,IAAmB,SAAS,CAAA,CAAA;AACpG;AAKA,SAAS,iBAAiB,MAAA,EAA8D;AACtF,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,MAAM,QAAA,GAAW,mBAAmB,MAAM,CAAA;AAC1C,EAAA,IAAI,OAAA,GAAU,YAAA,CAAa,GAAA,CAAI,QAAQ,CAAA;AAEvC,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,aAAA,GAAqC;AAAA,MACzC,UAAA,EAAY,OAAO,MAAA,IAAU,wBAAA;AAAA,MAC7B,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,iBAAiB,MAAA,CAAO;AAAA,KAC1B;AACA,IAAA,OAAA,GAAUC,sCAAoB,aAAa,CAAA;AAC3C,IAAA,YAAA,CAAa,GAAA,CAAI,UAAU,OAAO,CAAA;AAAA,EACpC;AAEA,EAAA,OAAO,OAAA;AACT;AAKA,eAAsB,UAAU,MAAA,EAAuD;AAErF,EAAA,IAAI,OAAO,MAAA,EAAQ;AACjB,IAAA,OAAOC,oCAAA,CAAmB,MAAM,EAAE,GAAGC,kCAAgB,GAAG,MAAA,CAAO,QAAQ,CAAA;AAAA,EACzE;AAGA,EAAA,IAAI,OAAO,WAAA,EAAa;AACtB,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,gBAAA,CAAiB,MAAA,CAAO,WAAW,CAAA;AACnD,MAAA,OAAO,MAAM,OAAA,CAAQ,SAAA,CAAU,MAAA,CAAO,YAAY,SAAS,CAAA;AAAA,IAC7D,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,OAAO,KAAA,EAAO;AAChB,QAAA,OAAA,CAAQ,IAAA,CAAK,sDAAsD,KAAK,CAAA;AAAA,MAC1E;AAEA,MAAA,OAAOD,qCAAmB,KAAA,CAAM;AAAA,QAC9B,GAAGC,gCAAA;AAAA,QACH,GAAI,MAAA,CAAO,cAAA,IAAkB;AAAC,OAC/B,CAAA;AAAA,IACH;AAAA,EACF;AAGA,EAAA,OAAOD,oCAAA,CAAmB,MAAMC,gCAAc,CAAA;AAChD;AA0BA,eAAsB,WAAA,CACpB,OAAA,EACA,SAAA,EACA,MAAA,EAC8B;AAC9B,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,QAAQ,OAAA,CAAQ,QAAA;AAG7B,IAAA,IAAI,MAAA,CAAO,WAAW,IAAA,CAAK,CAAC,YAAYC,2BAAA,CAAU,IAAA,EAAM,OAAO,CAAC,CAAA,EAAG;AACjE,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,IAAI,MAAA,CAAO,YAAA,IAAgB,MAAA,CAAO,YAAA,CAAa,SAAS,CAAA,EAAG;AACzD,MAAA,IAAI,CAAC,MAAA,CAAO,YAAA,CAAa,IAAA,CAAK,CAAC,YAAYA,2BAAA,CAAU,IAAA,EAAM,OAAO,CAAC,CAAA,EAAG;AACpE,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAGA,IAAA,MAAM,MAAA,GAAS,MAAM,SAAA,CAAU,MAAM,CAAA;AAGrC,IAAA,MAAM,OAAA,GAAU,0BAAA,CAA2B,SAAA,EAAW,OAAO,CAAA;AAC7D,IAAA,MAAM,QAAA,GAAWN,gCAAA,CAAe,MAAA,EAAQ,OAAO,CAAA;AAG/C,IAAA,IAAI,OAAO,gBAAA,EAAkB;AAC3B,MAAA,MAAM,MAAA,CAAO,gBAAA,CAAiB,OAAA,EAAS,QAAA,EAAU,OAAO,CAAA;AAAA,IAC1D;AAGA,IAAA,OAAO,MAAM,oBAAA,CAAqB,OAAA,EAAS,QAAA,EAAU,QAAQ,SAAS,CAAA;AAAA,EACxE,SAAS,KAAA,EAAO;AACd,IAAA,IAAI,OAAO,KAAA,EAAO;AAChB,MAAA,OAAA,CAAQ,KAAA,CAAM,0CAA0C,KAAK,CAAA;AAAA,IAC/D;AAEA,IAAA,IAAI,MAAA,CAAO,aAAa,KAAA,EAAO;AAC7B,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,OAAOC,mBAAA,CAAa,IAAA;AAAA,MAClB,EAAE,KAAA,EAAO,uBAAA,EAAyB,IAAA,EAAM,cAAA,EAAe;AAAA,MACvD,EAAE,QAAQ,GAAA;AAAI,KAChB;AAAA,EACF;AACF","file":"policy.js","sourcesContent":["/**\n * Policy Integration for agentshield-nextjs\n *\n * This module provides policy evaluation support for the Next.js middleware.\n * It can use:\n * - Local policy configuration (static)\n * - Fetched policy from AgentShield API (dynamic with caching)\n * - Fallback/default policies\n *\n * @example\n * ```typescript\n * import { createPolicyMiddleware } from '@kya-os/agentshield-nextjs/policy';\n *\n * export default createPolicyMiddleware({\n *   policy: {\n *     enabled: true,\n *     defaultAction: 'allow',\n *     thresholds: { confidenceThreshold: 80, confidenceAction: 'block' },\n *     allowList: [{ clientName: 'ChatGPT' }],\n *   },\n * });\n * ```\n */\n\nimport { NextRequest, NextResponse } from 'next/server';\nimport {\n  evaluatePolicy,\n  createEvaluationContext,\n  createPolicyFetcher,\n  matchPath,\n  PolicyFetcher,\n  PolicyConfigSchema,\n  ENFORCEMENT_ACTIONS,\n  DEFAULT_POLICY,\n  type PolicyConfig,\n  type PolicyEvaluationContext,\n  type PolicyEvaluationResult,\n  type PolicyFetcherConfig,\n  type DetectionResult,\n} from '@kya-os/agentshield-shared';\n\n// Re-export shared policy types for convenience\nexport {\n  evaluatePolicy,\n  createEvaluationContext,\n  type PolicyConfig,\n  type PolicyEvaluationContext,\n  type PolicyEvaluationResult,\n  ENFORCEMENT_ACTIONS,\n  DEFAULT_POLICY,\n} from '@kya-os/agentshield-shared';\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * Policy middleware configuration\n */\nexport interface PolicyMiddlewareConfig {\n  /**\n   * Local policy configuration (static)\n   * If provided, this policy is used instead of fetching from API\n   */\n  policy?: Partial<PolicyConfig>;\n\n  /**\n   * Fetch policy from AgentShield API\n   * Requires projectId and optionally an apiKey\n   */\n  fetchPolicy?: {\n    /** Project ID to fetch policy for */\n    projectId: string;\n    /** API base URL (defaults to production) */\n    apiUrl?: string;\n    /** API key for authentication */\n    apiKey?: string;\n    /** Cache TTL in seconds (default: 300) */\n    cacheTtlSeconds?: number;\n  };\n\n  /**\n   * Fallback policy to use when fetch fails\n   * Defaults to DEFAULT_POLICY (allow all)\n   */\n  fallbackPolicy?: Partial<PolicyConfig>;\n\n  /**\n   * Custom blocked response\n   */\n  blockedResponse?: {\n    status?: number;\n    message?: string;\n    headers?: Record<string, string>;\n  };\n\n  /**\n   * Default redirect URL for redirect actions\n   */\n  redirectUrl?: string;\n\n  /**\n   * Callback when policy decision is made\n   */\n  onPolicyDecision?: (\n    request: NextRequest,\n    decision: PolicyEvaluationResult,\n    context: PolicyEvaluationContext\n  ) => void | Promise<void>;\n\n  /**\n   * Custom response builder for blocked requests\n   */\n  customBlockedResponse?: (\n    request: NextRequest,\n    decision: PolicyEvaluationResult\n  ) => NextResponse | Promise<NextResponse>;\n\n  /**\n   * Whether to fail open (allow) on policy evaluation errors\n   * Default: true (recommended for production)\n   */\n  failOpen?: boolean;\n\n  /**\n   * Enable debug logging\n   */\n  debug?: boolean;\n}\n\n/**\n * Combined middleware configuration with policy support\n */\nexport interface NextJSPolicyMiddlewareConfig extends PolicyMiddlewareConfig {\n  /**\n   * Paths to skip (in addition to policy excludedPaths)\n   */\n  skipPaths?: string[];\n\n  /**\n   * Only enforce on these paths (overrides policy includedPaths)\n   */\n  includePaths?: string[];\n}\n\n// ============================================================================\n// Policy Evaluation Helper\n// ============================================================================\n\n/**\n * Create policy evaluation context from detection result and request\n */\nexport function createContextFromDetection(\n  detection: DetectionResult,\n  request: NextRequest\n): PolicyEvaluationContext {\n  return createEvaluationContext({\n    agentType: detection.detectedAgent?.type,\n    agentName: detection.detectedAgent?.name,\n    agentVendor: detection.detectedAgent?.vendor,\n    confidence: detection.confidence,\n    riskLevel: detection.riskLevel,\n    path: request.nextUrl.pathname,\n    method: request.method,\n    signatureVerified: detection.verificationMethod === 'signature',\n    isAuthenticated: false, // TODO: integrate with auth\n    userAgent: request.headers.get('user-agent') || undefined,\n  });\n}\n\n/**\n * Evaluate policy for a detection result\n */\nexport function evaluatePolicyForDetection(\n  detection: DetectionResult,\n  request: NextRequest,\n  policy: PolicyConfig\n): PolicyEvaluationResult {\n  const context = createContextFromDetection(detection, request);\n  return evaluatePolicy(policy, context);\n}\n\n// ============================================================================\n// Response Builders\n// ============================================================================\n\n/**\n * Build blocked response based on policy decision\n */\nexport function buildBlockedResponse(\n  decision: PolicyEvaluationResult,\n  config: PolicyMiddlewareConfig\n): NextResponse {\n  const status = config.blockedResponse?.status ?? 403;\n  const message = config.blockedResponse?.message ?? decision.message ?? 'Access denied';\n\n  const response = NextResponse.json(\n    {\n      error: message,\n      code: 'POLICY_BLOCKED',\n      reason: decision.reason,\n      ruleId: decision.ruleId,\n      matchType: decision.matchType,\n    },\n    { status }\n  );\n\n  // Add custom headers\n  if (config.blockedResponse?.headers) {\n    for (const [key, value] of Object.entries(config.blockedResponse.headers)) {\n      response.headers.set(key, value);\n    }\n  }\n\n  // Add AgentShield headers\n  response.headers.set('KYA-Action', decision.action);\n  response.headers.set('KYA-Reason', decision.reason);\n  response.headers.set('KYA-Match-Type', decision.matchType);\n\n  return response;\n}\n\n/**\n * Build redirect response based on policy decision\n */\nexport function buildRedirectResponse(\n  request: NextRequest,\n  decision: PolicyEvaluationResult,\n  config: PolicyMiddlewareConfig,\n  detection?: { detectedAgent?: { name?: string } }\n): NextResponse {\n  const redirectUrl = decision.redirectUrl || config.redirectUrl || '/blocked';\n  const url = new URL(redirectUrl, request.url);\n\n  // Add query params with policy info\n  url.searchParams.set('reason', decision.reason);\n  if (decision.ruleId) {\n    url.searchParams.set('ruleId', decision.ruleId);\n  }\n  const agentName = detection?.detectedAgent?.name;\n  if (agentName && !url.searchParams.has('agent')) {\n    url.searchParams.set('agent', agentName.toLowerCase());\n  }\n\n  return NextResponse.redirect(url);\n}\n\n/**\n * Build challenge response (placeholder - future implementation)\n */\nexport function buildChallengeResponse(\n  request: NextRequest,\n  decision: PolicyEvaluationResult,\n  config: PolicyMiddlewareConfig,\n  detection?: { detectedAgent?: { name?: string } }\n): NextResponse {\n  // For now, treat challenge as redirect\n  // Future: implement CAPTCHA, proof-of-work, etc.\n  return buildRedirectResponse(request, decision, config, detection);\n}\n\n// ============================================================================\n// Policy Handler\n// ============================================================================\n\n/**\n * Handle policy decision and return appropriate response\n */\nexport async function handlePolicyDecision(\n  request: NextRequest,\n  decision: PolicyEvaluationResult,\n  config: PolicyMiddlewareConfig,\n  detection?: { detectedAgent?: { name?: string } }\n): Promise<NextResponse | null> {\n  switch (decision.action) {\n    case ENFORCEMENT_ACTIONS.BLOCK:\n      if (config.customBlockedResponse) {\n        return await config.customBlockedResponse(request, decision);\n      }\n      return buildBlockedResponse(decision, config);\n\n    case ENFORCEMENT_ACTIONS.REDIRECT:\n      return buildRedirectResponse(request, decision, config, detection);\n\n    case ENFORCEMENT_ACTIONS.CHALLENGE:\n      return buildChallengeResponse(request, decision, config, detection);\n\n    case ENFORCEMENT_ACTIONS.LOG:\n      // LOG action always logs - that's its purpose\n      // (debug flag controls verbose debugging output, not LOG action behavior)\n      console.log('[AgentShield] Policy decision (log):', {\n        path: request.nextUrl.pathname,\n        action: decision.action,\n        reason: decision.reason,\n        matchType: decision.matchType,\n        ruleId: decision.ruleId,\n      });\n      return null; // Continue to allow\n\n    case ENFORCEMENT_ACTIONS.ALLOW:\n    default:\n      return null; // Continue\n  }\n}\n\n// ============================================================================\n// Policy Fetcher Integration\n// ============================================================================\n\n// Cache fetchers by config to avoid recreating them, but also support\n// different configurations (different apiUrl, apiKey, etc.)\nconst fetcherCache = new Map<string, PolicyFetcher>();\n\n/**\n * Generate a cache key for fetcher config.\n * Uses ?? to distinguish between explicit 0 and undefined values.\n */\nfunction getFetcherCacheKey(config: NonNullable<PolicyMiddlewareConfig['fetchPolicy']>): string {\n  return `${config.apiUrl ?? 'default'}:${config.apiKey ?? ''}:${config.cacheTtlSeconds ?? 'default'}`;\n}\n\n/**\n * Get or create policy fetcher for the given config\n */\nfunction getPolicyFetcher(config: PolicyMiddlewareConfig['fetchPolicy']): PolicyFetcher {\n  if (!config) {\n    throw new Error('fetchPolicy config required');\n  }\n\n  const cacheKey = getFetcherCacheKey(config);\n  let fetcher = fetcherCache.get(cacheKey);\n\n  if (!fetcher) {\n    const fetcherConfig: PolicyFetcherConfig = {\n      apiBaseUrl: config.apiUrl || 'https://kya.vouched.id',\n      apiKey: config.apiKey,\n      cacheTtlSeconds: config.cacheTtlSeconds,\n    };\n    fetcher = createPolicyFetcher(fetcherConfig);\n    fetcherCache.set(cacheKey, fetcher);\n  }\n\n  return fetcher;\n}\n\n/**\n * Get policy (local, fetched, or fallback)\n */\nexport async function getPolicy(config: PolicyMiddlewareConfig): Promise<PolicyConfig> {\n  // Use local policy if provided\n  if (config.policy) {\n    return PolicyConfigSchema.parse({ ...DEFAULT_POLICY, ...config.policy });\n  }\n\n  // Fetch from API if configured\n  if (config.fetchPolicy) {\n    try {\n      const fetcher = getPolicyFetcher(config.fetchPolicy);\n      return await fetcher.getPolicy(config.fetchPolicy.projectId);\n    } catch (error) {\n      if (config.debug) {\n        console.warn('[AgentShield] Policy fetch failed, using fallback:', error);\n      }\n      // Return fallback policy\n      return PolicyConfigSchema.parse({\n        ...DEFAULT_POLICY,\n        ...(config.fallbackPolicy || {}),\n      });\n    }\n  }\n\n  // No policy configured - return default (allow all)\n  return PolicyConfigSchema.parse(DEFAULT_POLICY);\n}\n\n// ============================================================================\n// Standalone Policy Middleware\n// ============================================================================\n\n/**\n * Apply policy to a detection result\n *\n * This function can be used standalone to evaluate policy after detection.\n * Supports extended config with skipPaths and includePaths for path-based filtering.\n *\n * @example\n * ```typescript\n * const result = await detector.analyze(context);\n * const response = await applyPolicy(request, result, {\n *   policy: { thresholds: { confidenceThreshold: 80 } },\n *   skipPaths: ['/health', '/api/public/*'],\n *   includePaths: ['/api/*'],\n * });\n *\n * if (response) {\n *   return response; // Policy blocked the request\n * }\n * ```\n */\nexport async function applyPolicy(\n  request: NextRequest,\n  detection: DetectionResult,\n  config: NextJSPolicyMiddlewareConfig\n): Promise<NextResponse | null> {\n  try {\n    const path = request.nextUrl.pathname;\n\n    // Check skipPaths - if path matches any skip pattern, allow through\n    if (config.skipPaths?.some((pattern) => matchPath(path, pattern))) {\n      return null; // Skip policy enforcement for this path\n    }\n\n    // Check includePaths - if defined, path must match at least one pattern\n    if (config.includePaths && config.includePaths.length > 0) {\n      if (!config.includePaths.some((pattern) => matchPath(path, pattern))) {\n        return null; // Path not in included paths, skip policy enforcement\n      }\n    }\n\n    // Get policy\n    const policy = await getPolicy(config);\n\n    // Create context and evaluate\n    const context = createContextFromDetection(detection, request);\n    const decision = evaluatePolicy(policy, context);\n\n    // Call decision callback if provided\n    if (config.onPolicyDecision) {\n      await config.onPolicyDecision(request, decision, context);\n    }\n\n    // Handle decision — pass detection through so redirect can append ?agent=\n    return await handlePolicyDecision(request, decision, config, detection);\n  } catch (error) {\n    if (config.debug) {\n      console.error('[AgentShield] Policy evaluation error:', error);\n    }\n\n    if (config.failOpen !== false) {\n      return null; // Allow on error\n    }\n\n    // Fail closed\n    return NextResponse.json(\n      { error: 'Security check failed', code: 'POLICY_ERROR' },\n      { status: 503 }\n    );\n  }\n}\n"]}