npm - @kya-os/agentshield-nextjs - Versions diffs - 0.3.3 → 0.3.5 - Mend

@kya-os/agentshield-nextjs 0.3.3 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (110) hide show

package/README.md +21 -369
package/index.js +9 -0
package/package.json +7 -141
package/EDGE_RUNTIME_WASM_SETUP.md +0 -348
package/bin/setup-edge-wasm.js +0 -525
package/dist/.tsbuildinfo +0 -1
package/dist/api-client.d.mts +0 -196
package/dist/api-client.d.ts +0 -196
package/dist/api-client.js +0 -200
package/dist/api-client.js.map +0 -1
package/dist/api-client.mjs +0 -196
package/dist/api-client.mjs.map +0 -1
package/dist/api-middleware.d.mts +0 -140
package/dist/api-middleware.d.ts +0 -140
package/dist/api-middleware.js +0 -511
package/dist/api-middleware.js.map +0 -1
package/dist/api-middleware.mjs +0 -508
package/dist/api-middleware.mjs.map +0 -1
package/dist/create-middleware.d.mts +0 -17
package/dist/create-middleware.d.ts +0 -17
package/dist/create-middleware.js +0 -1381
package/dist/create-middleware.js.map +0 -1
package/dist/create-middleware.mjs +0 -1358
package/dist/create-middleware.mjs.map +0 -1
package/dist/edge/index.d.mts +0 -110
package/dist/edge/index.d.ts +0 -110
package/dist/edge/index.js +0 -277
package/dist/edge/index.js.map +0 -1
package/dist/edge/index.mjs +0 -275
package/dist/edge/index.mjs.map +0 -1
package/dist/edge-detector-wrapper.d.mts +0 -34
package/dist/edge-detector-wrapper.d.ts +0 -34
package/dist/edge-detector-wrapper.js +0 -596
package/dist/edge-detector-wrapper.js.map +0 -1
package/dist/edge-detector-wrapper.mjs +0 -574
package/dist/edge-detector-wrapper.mjs.map +0 -1
package/dist/edge-runtime-loader.d.mts +0 -50
package/dist/edge-runtime-loader.d.ts +0 -50
package/dist/edge-runtime-loader.js +0 -204
package/dist/edge-runtime-loader.js.map +0 -1
package/dist/edge-runtime-loader.mjs +0 -201
package/dist/edge-runtime-loader.mjs.map +0 -1
package/dist/edge-wasm-middleware.d.mts +0 -68
package/dist/edge-wasm-middleware.d.ts +0 -68
package/dist/edge-wasm-middleware.js +0 -318
package/dist/edge-wasm-middleware.js.map +0 -1
package/dist/edge-wasm-middleware.mjs +0 -315
package/dist/edge-wasm-middleware.mjs.map +0 -1
package/dist/enhanced-middleware.d.mts +0 -153
package/dist/enhanced-middleware.d.ts +0 -153
package/dist/enhanced-middleware.js +0 -1082
package/dist/enhanced-middleware.js.map +0 -1
package/dist/enhanced-middleware.mjs +0 -1080
package/dist/enhanced-middleware.mjs.map +0 -1
package/dist/index.d.mts +0 -24
package/dist/index.d.ts +0 -24
package/dist/index.js +0 -2717
package/dist/index.js.map +0 -1
package/dist/index.mjs +0 -2662
package/dist/index.mjs.map +0 -1
package/dist/middleware.d.mts +0 -21
package/dist/middleware.d.ts +0 -21
package/dist/middleware.js +0 -1362
package/dist/middleware.js.map +0 -1
package/dist/middleware.mjs +0 -1339
package/dist/middleware.mjs.map +0 -1
package/dist/nodejs-wasm-loader.d.mts +0 -25
package/dist/nodejs-wasm-loader.d.ts +0 -25
package/dist/nodejs-wasm-loader.js +0 -78
package/dist/nodejs-wasm-loader.js.map +0 -1
package/dist/nodejs-wasm-loader.mjs +0 -68
package/dist/nodejs-wasm-loader.mjs.map +0 -1
package/dist/policy.d.mts +0 -162
package/dist/policy.d.ts +0 -162
package/dist/policy.js +0 -189
package/dist/policy.js.map +0 -1
package/dist/policy.mjs +0 -165
package/dist/policy.mjs.map +0 -1
package/dist/session-tracker.d.mts +0 -55
package/dist/session-tracker.d.ts +0 -55
package/dist/session-tracker.js +0 -170
package/dist/session-tracker.js.map +0 -1
package/dist/session-tracker.mjs +0 -167
package/dist/session-tracker.mjs.map +0 -1
package/dist/signature-verifier.d.mts +0 -33
package/dist/signature-verifier.d.ts +0 -33
package/dist/signature-verifier.js +0 -386
package/dist/signature-verifier.js.map +0 -1
package/dist/signature-verifier.mjs +0 -362
package/dist/signature-verifier.mjs.map +0 -1
package/dist/types-DVmy9NE3.d.mts +0 -105
package/dist/types-DVmy9NE3.d.ts +0 -105
package/dist/wasm-middleware.d.mts +0 -63
package/dist/wasm-middleware.d.ts +0 -63
package/dist/wasm-middleware.js +0 -98
package/dist/wasm-middleware.js.map +0 -1
package/dist/wasm-middleware.mjs +0 -95
package/dist/wasm-middleware.mjs.map +0 -1
package/dist/wasm-setup.d.mts +0 -46
package/dist/wasm-setup.d.ts +0 -46
package/dist/wasm-setup.js +0 -157
package/dist/wasm-setup.js.map +0 -1
package/dist/wasm-setup.mjs +0 -148
package/dist/wasm-setup.mjs.map +0 -1
package/templates/middleware-wasm-100.ts +0 -151
package/wasm/agentshield_wasm.d.ts +0 -479
package/wasm/agentshield_wasm.js +0 -1536
package/wasm/agentshield_wasm_bg.wasm +0 -0
package/wasm/package.json +0 -30
package/wasm.d.ts +0 -21

package/dist/session-tracker.mjs DELETED Viewed

@@ -1,167 +0,0 @@
-import { shouldEnforce } from '@kya-os/agentshield-shared';
-// src/session-tracker.ts
-var EdgeSessionTracker = class {
-  config;
-  constructor(config) {
-    this.config = {
-      enabled: config.enabled,
-      cookieName: config.cookieName || "__agentshield_session",
-      cookieMaxAge: config.cookieMaxAge || 3600,
-      // 1 hour default
-      encryptionKey: config.encryptionKey || process.env.AGENTSHIELD_SECRET || "agentshield-default-key"
-    };
-  }
-  /**
-   * Track a new AI agent session
-   */
-  async track(_request, response, result) {
-    try {
-      if (!this.config.enabled || !shouldEnforce(result)) {
-        return response;
-      }
-      const sessionData = {
-        id: crypto.randomUUID(),
-        agent: result.detectedAgent?.name || "unknown",
-        confidence: result.confidence,
-        detectedAt: Date.now(),
-        expires: Date.now() + this.config.cookieMaxAge * 1e3
-      };
-      const encrypted = await this.encrypt(JSON.stringify(sessionData));
-      response.cookies.set(this.config.cookieName, encrypted, {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === "production",
-        sameSite: "lax",
-        maxAge: this.config.cookieMaxAge,
-        path: "/"
-      });
-      return response;
-    } catch (error) {
-      if (process.env.DEBUG_AGENTSHIELD) {
-        console.warn("AgentShield: Failed to track session:", error);
-      }
-      return response;
-    }
-  }
-  /**
-   * Check for existing AI agent session
-   */
-  async check(request) {
-    try {
-      if (!this.config.enabled) {
-        return null;
-      }
-      const cookie = request.cookies.get(this.config.cookieName);
-      if (!cookie?.value) {
-        return null;
-      }
-      const decrypted = await this.decrypt(cookie.value);
-      const session = JSON.parse(decrypted);
-      if (session.expires < Date.now()) {
-        return null;
-      }
-      return session;
-    } catch (error) {
-      if (process.env.DEBUG_AGENTSHIELD) {
-        console.warn("AgentShield: Failed to check session:", error);
-      }
-      return null;
-    }
-  }
-  /**
-   * Clear an existing session
-   */
-  clear(response) {
-    try {
-      response.cookies.delete(this.config.cookieName);
-    } catch (error) {
-      if (process.env.DEBUG_AGENTSHIELD) {
-        console.warn("AgentShield: Failed to clear session:", error);
-      }
-    }
-    return response;
-  }
-  /**
-   * Simple encryption using Web Crypto API (Edge-compatible)
-   */
-  async encrypt(data) {
-    try {
-      const key = this.config.encryptionKey;
-      const encoded = new TextEncoder().encode(data);
-      const obfuscated = new Uint8Array(encoded.length);
-      for (let i = 0; i < encoded.length; i++) {
-        obfuscated[i] = (encoded[i] || 0) ^ key.charCodeAt(i % key.length);
-      }
-      return btoa(Array.from(obfuscated, (byte) => String.fromCharCode(byte)).join(""));
-    } catch (error) {
-      return btoa(data);
-    }
-  }
-  /**
-   * Simple decryption (Edge-compatible)
-   */
-  async decrypt(data) {
-    try {
-      const key = this.config.encryptionKey;
-      const decoded = Uint8Array.from(atob(data), (c) => c.charCodeAt(0));
-      const deobfuscated = new Uint8Array(decoded.length);
-      for (let i = 0; i < decoded.length; i++) {
-        deobfuscated[i] = (decoded[i] || 0) ^ key.charCodeAt(i % key.length);
-      }
-      return new TextDecoder().decode(deobfuscated);
-    } catch (error) {
-      return atob(data);
-    }
-  }
-};
-var StatelessSessionChecker = class {
-  static check(headers) {
-    try {
-      const agent = headers["kya-session-agent"];
-      const confidence = headers["kya-session-confidence"];
-      const sessionId = headers["kya-session-id"];
-      if (agent && confidence && sessionId) {
-        return {
-          id: sessionId,
-          agent,
-          confidence: parseFloat(confidence),
-          detectedAt: Date.now(),
-          expires: Date.now() + 36e5
-          // 1 hour
-        };
-      }
-      const cookieHeader = headers["cookie"];
-      if (cookieHeader && cookieHeader.includes("__agentshield_session=")) {
-        const match = cookieHeader.match(/__agentshield_session=([^;]+)/);
-        if (match && match[1]) {
-          try {
-            const decoded = atob(match[1]);
-            return JSON.parse(decoded);
-          } catch {
-          }
-        }
-      }
-      return null;
-    } catch {
-      return null;
-    }
-  }
-  static setHeaders(response, session) {
-    try {
-      if (response.setHeader) {
-        response.setHeader("KYA-Session-Agent", session.agent);
-        response.setHeader("KYA-Session-Confidence", session.confidence.toString());
-        response.setHeader("KYA-Session-Id", session.id);
-      } else if (response.headers && response.headers.set) {
-        response.headers.set("kya-session-agent", session.agent);
-        response.headers.set("kya-session-confidence", session.confidence.toString());
-        response.headers.set("kya-session-id", session.id);
-      }
-    } catch {
-    }
-  }
-};
-export { EdgeSessionTracker, StatelessSessionChecker };
-//# sourceMappingURL=session-tracker.mjs.map
-//# sourceMappingURL=session-tracker.mjs.map

package/dist/session-tracker.mjs.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/session-tracker.ts"],"names":[],"mappings":";;;AAwBO,IAAM,qBAAN,MAAyB;AAAA,EACb,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,UAAA,EAAY,OAAO,UAAA,IAAc,uBAAA;AAAA,MACjC,YAAA,EAAc,OAAO,YAAA,IAAgB,IAAA;AAAA;AAAA,MACrC,aAAA,EACE,MAAA,CAAO,aAAA,IAAiB,OAAA,CAAQ,IAAI,kBAAA,IAAsB;AAAA,KAC9D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,CACJ,QAAA,EACA,QAAA,EACA,MAAA,EACuB;AACvB,IAAA,IAAI;AACF,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,WAAW,CAAC,aAAA,CAAc,MAAM,CAAA,EAAG;AAClD,QAAA,OAAO,QAAA;AAAA,MACT;AAEA,MAAA,MAAM,WAAA,GAA2B;AAAA,QAC/B,EAAA,EAAI,OAAO,UAAA,EAAW;AAAA,QACtB,KAAA,EAAO,MAAA,CAAO,aAAA,EAAe,IAAA,IAAQ,SAAA;AAAA,QACrC,YAAY,MAAA,CAAO,UAAA;AAAA,QACnB,UAAA,EAAY,KAAK,GAAA,EAAI;AAAA,QACrB,SAAS,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK,OAAO,YAAA,GAAe;AAAA,OACnD;AAGA,MAAA,MAAM,YAAY,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,CAAU,WAAW,CAAC,CAAA;AAGhE,MAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,MAAA,CAAO,YAAY,SAAA,EAAW;AAAA,QACtD,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,QACjC,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAK,MAAA,CAAO,YAAA;AAAA,QACpB,IAAA,EAAM;AAAA,OACP,CAAA;AAED,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AACA,MAAA,OAAO,QAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,OAAA,EAAmD;AAC7D,IAAA,IAAI;AACF,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,SAAS,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,OAAO,UAAU,CAAA;AACzD,MAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,QAAA,OAAO,IAAA;AAAA,MACT;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,OAAA,CAAQ,OAAO,KAAK,CAAA;AACjD,MAAA,MAAM,OAAA,GAAuB,IAAA,CAAK,KAAA,CAAM,SAAS,CAAA;AAGjD,MAAA,IAAI,OAAA,CAAQ,OAAA,GAAU,IAAA,CAAK,GAAA,EAAI,EAAG;AAChC,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO,OAAA;AAAA,IACT,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AACA,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAA,EAAsC;AAC1C,IAAA,IAAI;AACF,MAAA,QAAA,CAAS,OAAA,CAAQ,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAU,CAAA;AAAA,IAChD,SAAS,KAAA,EAAO;AAEd,MAAA,IAAI,OAAA,CAAQ,IAAI,iBAAA,EAAmB;AACjC,QAAA,OAAA,CAAQ,IAAA,CAAK,yCAAyC,KAAK,CAAA;AAAA,MAC7D;AAAA,IACF;AACA,IAAA,OAAO,QAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,IAAA,EAA+B;AACnD,IAAA,IAAI;AAGF,MAAA,MAAM,GAAA,GAAM,KAAK,MAAA,CAAO,aAAA;AACxB,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAI,CAAA;AAG7C,MAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAM,CAAA;AAChD,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,CAAQ,QAAQ,CAAA,EAAA,EAAK;AACvC,QAAA,UAAA,CAAW,CAAC,CAAA,GAAA,CAAK,OAAA,CAAQ,CAAC,CAAA,IAAK,KAAK,GAAA,CAAI,UAAA,CAAW,CAAA,GAAI,GAAA,CAAI,MAAM,CAAA;AAAA,MACnE;AAGA,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,UAAA,EAAY,CAAC,IAAA,KAAS,MAAA,CAAO,YAAA,CAAa,IAAI,CAAC,CAAA,CAAE,IAAA,CAAK,EAAE,CAAC,CAAA;AAAA,IAClF,SAAS,KAAA,EAAO;AAEd,MAAA,OAAO,KAAK,IAAI,CAAA;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,IAAA,EAA+B;AACnD,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,KAAK,MAAA,CAAO,aAAA;AACxB,MAAA,MAAM,OAAA,GAAU,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,EAAG,CAAC,CAAA,KAAM,CAAA,CAAE,UAAA,CAAW,CAAC,CAAC,CAAA;AAGlE,MAAA,MAAM,YAAA,GAAe,IAAI,UAAA,CAAW,OAAA,CAAQ,MAAM,CAAA;AAClD,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,CAAQ,QAAQ,CAAA,EAAA,EAAK;AACvC,QAAA,YAAA,CAAa,CAAC,CAAA,GAAA,CAAK,OAAA,CAAQ,CAAC,CAAA,IAAK,KAAK,GAAA,CAAI,UAAA,CAAW,CAAA,GAAI,GAAA,CAAI,MAAM,CAAA;AAAA,MACrE;AAEA,MAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,YAAY,CAAA;AAAA,IAC9C,SAAS,KAAA,EAAO;AAEd,MAAA,OAAO,KAAK,IAAI,CAAA;AAAA,IAClB;AAAA,EACF;AACF;AAMO,IAAM,0BAAN,MAA8B;AAAA,EACnC,OAAO,MAAM,OAAA,EAAqD;AAChE,IAAA,IAAI;AAEF,MAAA,MAAM,KAAA,GAAQ,QAAQ,mBAAmB,CAAA;AACzC,MAAA,MAAM,UAAA,GAAa,QAAQ,wBAAwB,CAAA;AACnD,MAAA,MAAM,SAAA,GAAY,QAAQ,gBAAgB,CAAA;AAE1C,MAAA,IAAI,KAAA,IAAS,cAAc,SAAA,EAAW;AACpC,QAAA,OAAO;AAAA,UACL,EAAA,EAAI,SAAA;AAAA,UACJ,KAAA;AAAA,UACA,UAAA,EAAY,WAAW,UAAU,CAAA;AAAA,UACjC,UAAA,EAAY,KAAK,GAAA,EAAI;AAAA,UACrB,OAAA,EAAS,IAAA,CAAK,GAAA,EAAI,GAAI;AAAA;AAAA,SACxB;AAAA,MACF;AAGA,MAAA,MAAM,YAAA,GAAe,QAAQ,QAAQ,CAAA;AACrC,MAAA,IAAI,YAAA,IAAgB,YAAA,CAAa,QAAA,CAAS,wBAAwB,CAAA,EAAG;AAEnE,QAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,CAAM,+BAA+B,CAAA;AAChE,QAAA,IAAI,KAAA,IAAS,KAAA,CAAM,CAAC,CAAA,EAAG;AACrB,UAAA,IAAI;AACF,YAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,CAAC,CAAC,CAAA;AAC7B,YAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAAA,UAC3B,CAAA,CAAA,MAAQ;AAAA,UAER;AAAA,QACF;AAAA,MACF;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,OAAO,UAAA,CAAW,QAAA,EAAe,OAAA,EAA4B;AAC3D,IAAA,IAAI;AAEF,MAAA,IAAI,SAAS,SAAA,EAAW;AACtB,QAAA,QAAA,CAAS,SAAA,CAAU,mBAAA,EAAqB,OAAA,CAAQ,KAAK,CAAA;AACrD,QAAA,QAAA,CAAS,SAAA,CAAU,wBAAA,EAA0B,OAAA,CAAQ,UAAA,CAAW,UAAU,CAAA;AAC1E,QAAA,QAAA,CAAS,SAAA,CAAU,gBAAA,EAAkB,OAAA,CAAQ,EAAE,CAAA;AAAA,MACjD,CAAA,MAAA,IAAW,QAAA,CAAS,OAAA,IAAW,QAAA,CAAS,QAAQ,GAAA,EAAK;AACnD,QAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,mBAAA,EAAqB,OAAA,CAAQ,KAAK,CAAA;AACvD,QAAA,QAAA,CAAS,QAAQ,GAAA,CAAI,wBAAA,EAA0B,OAAA,CAAQ,UAAA,CAAW,UAAU,CAAA;AAC5E,QAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,gBAAA,EAAkB,OAAA,CAAQ,EAAE,CAAA;AAAA,MACnD;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AACF","file":"session-tracker.mjs","sourcesContent":["/**\n * Edge-compatible session tracking for AI agents\n * Uses cookie-based storage to work in Edge Runtime\n */\n\nimport type { NextRequest, NextResponse } from 'next/server';\nimport type { DetectionResult } from '@kya-os/agentshield-shared';\nimport { shouldEnforce } from '@kya-os/agentshield-shared';\n\nexport interface SessionData {\n id: string;\n agent: string;\n confidence: number;\n detectedAt: number;\n expires: number;\n}\n\nexport interface SessionTrackingConfig {\n enabled: boolean;\n cookieName?: string;\n cookieMaxAge?: number; // in seconds\n encryptionKey?: string;\n}\n\nexport class EdgeSessionTracker {\n private readonly config: Required<SessionTrackingConfig>;\n\n constructor(config: SessionTrackingConfig) {\n this.config = {\n enabled: config.enabled,\n cookieName: config.cookieName || '__agentshield_session',\n cookieMaxAge: config.cookieMaxAge || 3600, // 1 hour default\n encryptionKey:\n config.encryptionKey || process.env.AGENTSHIELD_SECRET || 'agentshield-default-key',\n };\n }\n\n /**\n * Track a new AI agent session\n */\n async track(\n _request: NextRequest,\n response: NextResponse,\n result: DetectionResult\n ): Promise<NextResponse> {\n try {\n if (!this.config.enabled || !shouldEnforce(result)) {\n return response;\n }\n\n const sessionData: SessionData = {\n id: crypto.randomUUID(),\n agent: result.detectedAgent?.name || 'unknown',\n confidence: result.confidence,\n detectedAt: Date.now(),\n expires: Date.now() + this.config.cookieMaxAge * 1000,\n };\n\n // Encrypt session data for security\n const encrypted = await this.encrypt(JSON.stringify(sessionData));\n\n // Set secure httpOnly cookie\n response.cookies.set(this.config.cookieName, encrypted, {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n maxAge: this.config.cookieMaxAge,\n path: '/',\n });\n\n return response;\n } catch (error) {\n // Fail gracefully - log error but don't break request\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to track session:', error);\n }\n return response;\n }\n }\n\n /**\n * Check for existing AI agent session\n */\n async check(request: NextRequest): Promise<SessionData | null> {\n try {\n if (!this.config.enabled) {\n return null;\n }\n\n const cookie = request.cookies.get(this.config.cookieName);\n if (!cookie?.value) {\n return null;\n }\n\n // Decrypt and parse session data\n const decrypted = await this.decrypt(cookie.value);\n const session: SessionData = JSON.parse(decrypted);\n\n // Check if session is expired\n if (session.expires < Date.now()) {\n return null;\n }\n\n return session;\n } catch (error) {\n // Fail gracefully - invalid or corrupted session\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to check session:', error);\n }\n return null;\n }\n }\n\n /**\n * Clear an existing session\n */\n clear(response: NextResponse): NextResponse {\n try {\n response.cookies.delete(this.config.cookieName);\n } catch (error) {\n // Fail gracefully\n if (process.env.DEBUG_AGENTSHIELD) {\n console.warn('AgentShield: Failed to clear session:', error);\n }\n }\n return response;\n }\n\n /**\n * Simple encryption using Web Crypto API (Edge-compatible)\n */\n private async encrypt(data: string): Promise<string> {\n try {\n // For Edge Runtime, use simple base64 encoding with obfuscation\n // In production, consider using Web Crypto API subtle.encrypt()\n const key = this.config.encryptionKey;\n const encoded = new TextEncoder().encode(data);\n\n // Simple XOR obfuscation\n const obfuscated = new Uint8Array(encoded.length);\n for (let i = 0; i < encoded.length; i++) {\n obfuscated[i] = (encoded[i] || 0) ^ key.charCodeAt(i % key.length);\n }\n\n // Convert to base64\n return btoa(Array.from(obfuscated, (byte) => String.fromCharCode(byte)).join(''));\n } catch (error) {\n // Fallback to simple base64 if encryption fails\n return btoa(data);\n }\n }\n\n /**\n * Simple decryption (Edge-compatible)\n */\n private async decrypt(data: string): Promise<string> {\n try {\n const key = this.config.encryptionKey;\n const decoded = Uint8Array.from(atob(data), (c) => c.charCodeAt(0));\n\n // Reverse XOR obfuscation\n const deobfuscated = new Uint8Array(decoded.length);\n for (let i = 0; i < decoded.length; i++) {\n deobfuscated[i] = (decoded[i] || 0) ^ key.charCodeAt(i % key.length);\n }\n\n return new TextDecoder().decode(deobfuscated);\n } catch (error) {\n // Fallback to simple base64 if decryption fails\n return atob(data);\n }\n }\n}\n\n/**\n * Stateless session checker for non-Next.js environments (Express, etc.)\n * Uses a combination of headers to identify continued sessions\n */\nexport class StatelessSessionChecker {\n static check(headers: Record<string, string>): SessionData | null {\n try {\n // Check for session headers (set by previous response)\n const agent = headers['kya-session-agent'];\n const confidence = headers['kya-session-confidence'];\n const sessionId = headers['kya-session-id'];\n\n if (agent && confidence && sessionId) {\n return {\n id: sessionId,\n agent,\n confidence: parseFloat(confidence),\n detectedAt: Date.now(),\n expires: Date.now() + 3600000, // 1 hour\n };\n }\n\n // Check for cookie-based session (if cookies are parsed)\n const cookieHeader = headers['cookie'];\n if (cookieHeader && cookieHeader.includes('__agentshield_session=')) {\n // Simple cookie parsing\n const match = cookieHeader.match(/__agentshield_session=([^;]+)/);\n if (match && match[1]) {\n try {\n const decoded = atob(match[1]);\n return JSON.parse(decoded);\n } catch {\n // Invalid session data\n }\n }\n }\n\n return null;\n } catch {\n return null;\n }\n }\n\n static setHeaders(response: any, session: SessionData): void {\n try {\n // Set session headers for stateless tracking\n if (response.setHeader) {\n response.setHeader('KYA-Session-Agent', session.agent);\n response.setHeader('KYA-Session-Confidence', session.confidence.toString());\n response.setHeader('KYA-Session-Id', session.id);\n } else if (response.headers && response.headers.set) {\n response.headers.set('kya-session-agent', session.agent);\n response.headers.set('kya-session-confidence', session.confidence.toString());\n response.headers.set('kya-session-id', session.id);\n }\n } catch {\n // Fail gracefully\n }\n }\n}\n"]}

package/dist/signature-verifier.d.mts DELETED Viewed

@@ -1,33 +0,0 @@
-/**
- * Ed25519 Signature Verification for HTTP Message Signatures
- * Implements proper cryptographic verification for ChatGPT and other agents
- *
- * Based on RFC 9421 (HTTP Message Signatures) and ChatGPT's implementation
- * Reference: https://help.openai.com/en/articles/9785974-chatgpt-user-allowlisting
- */
-/**
- * Signature verification result
- */
-interface SignatureVerificationResult {
-    isValid: boolean;
-    agent?: string;
-    keyid?: string;
-    confidence: number;
-    reason?: string;
-    verificationMethod: 'signature' | 'none';
-}
-/**
- * Verify HTTP Message Signature for AI agents
- */
-declare function verifyAgentSignature(method: string, path: string, headers: Record<string, string>): Promise<SignatureVerificationResult>;
-/**
- * Quick check if signature headers are present (for performance)
- */
-declare function hasSignatureHeaders(headers: Record<string, string>): boolean;
-/**
- * Check if this is a ChatGPT signature based on headers
- * Uses secure URL parsing to prevent spoofing attacks
- */
-declare function isChatGPTSignature(headers: Record<string, string>): boolean;
-export { type SignatureVerificationResult, hasSignatureHeaders, isChatGPTSignature, verifyAgentSignature };

package/dist/signature-verifier.d.ts DELETED Viewed

@@ -1,33 +0,0 @@
-/**
- * Ed25519 Signature Verification for HTTP Message Signatures
- * Implements proper cryptographic verification for ChatGPT and other agents
- *
- * Based on RFC 9421 (HTTP Message Signatures) and ChatGPT's implementation
- * Reference: https://help.openai.com/en/articles/9785974-chatgpt-user-allowlisting
- */
-/**
- * Signature verification result
- */
-interface SignatureVerificationResult {
-    isValid: boolean;
-    agent?: string;
-    keyid?: string;
-    confidence: number;
-    reason?: string;
-    verificationMethod: 'signature' | 'none';
-}
-/**
- * Verify HTTP Message Signature for AI agents
- */
-declare function verifyAgentSignature(method: string, path: string, headers: Record<string, string>): Promise<SignatureVerificationResult>;
-/**
- * Quick check if signature headers are present (for performance)
- */
-declare function hasSignatureHeaders(headers: Record<string, string>): boolean;
-/**
- * Check if this is a ChatGPT signature based on headers
- * Uses secure URL parsing to prevent spoofing attacks
- */
-declare function isChatGPTSignature(headers: Record<string, string>): boolean;
-export { type SignatureVerificationResult, hasSignatureHeaders, isChatGPTSignature, verifyAgentSignature };

package/dist/signature-verifier.js DELETED Viewed

@@ -1,386 +0,0 @@
-'use strict';
-var ed25519 = require('@noble/ed25519');
-var sha2_js = require('@noble/hashes/sha2.js');
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
-var ed25519__namespace = /*#__PURE__*/_interopNamespace(ed25519);
-// src/signature-verifier.ts
-ed25519__namespace.etc.sha512Sync = (...m) => sha2_js.sha512(ed25519__namespace.etc.concatBytes(...m));
-var KNOWN_KEYS = {
-  chatgpt: [
-    {
-      kid: "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
-      // ChatGPT's current Ed25519 public key (base64)
-      // Source: https://chatgpt.com/.well-known/http-message-signatures-directory
-      publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
-      validFrom: 1735689600,
-      // Jan 1, 2025 (nbf from OpenAI)
-      validUntil: 1769029093
-      // Jan 21, 2026 (exp from OpenAI)
-    }
-  ]
-};
-var keyCache = /* @__PURE__ */ new Map();
-var CACHE_TTL_MS = 5 * 60 * 1e3;
-var CACHE_MAX_SIZE = 100;
-function getApiBaseUrl() {
-  if (typeof window !== "undefined") {
-    return "/api/internal";
-  }
-  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || process.env.NEXT_PUBLIC_API_URL || process.env.API_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : null);
-  if (baseUrl) {
-    return baseUrl.replace(/\/$/, "") + "/api/internal";
-  }
-  if (process.env.NODE_ENV !== "production") {
-    console.warn(
-      "[Signature] No base URL configured for server-side fetch. Using localhost fallback."
-    );
-    return "http://localhost:3000/api/internal";
-  }
-  console.error(
-    "[Signature] CRITICAL: No base URL configured for server-side fetch in production!"
-  );
-  return "/api/internal";
-}
-function cleanupExpiredCache() {
-  const now = Date.now();
-  const entriesToDelete = [];
-  for (const [agent, cached] of keyCache.entries()) {
-    if (now - cached.cachedAt > CACHE_TTL_MS) {
-      entriesToDelete.push(agent);
-    }
-  }
-  for (const agent of entriesToDelete) {
-    keyCache.delete(agent);
-  }
-  if (keyCache.size > CACHE_MAX_SIZE) {
-    const entries = Array.from(keyCache.entries()).map(([agent, cached]) => ({
-      agent,
-      cachedAt: cached.cachedAt
-    }));
-    entries.sort((a, b) => a.cachedAt - b.cachedAt);
-    const toRemove = entries.slice(0, keyCache.size - CACHE_MAX_SIZE);
-    for (const entry of toRemove) {
-      keyCache.delete(entry.agent);
-    }
-  }
-}
-async function fetchKeysFromApi(agent) {
-  if (keyCache.size > CACHE_MAX_SIZE) {
-    cleanupExpiredCache();
-  }
-  const cached = keyCache.get(agent);
-  if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {
-    return cached.keys;
-  }
-  if (typeof fetch === "undefined") {
-    console.warn("[Signature] fetch() not available in this environment");
-    return null;
-  }
-  try {
-    const apiBaseUrl = getApiBaseUrl();
-    const url = `${apiBaseUrl}/signature-keys?agent=${encodeURIComponent(agent)}`;
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      // 5 second timeout
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!response.ok) {
-      console.warn(`[Signature] Failed to fetch keys from API: ${response.status}`);
-      return null;
-    }
-    const data = await response.json();
-    if (!data.keys || !Array.isArray(data.keys) || data.keys.length === 0) {
-      console.warn(`[Signature] No keys returned from API for agent: ${agent}`);
-      return null;
-    }
-    keyCache.set(agent, {
-      keys: data.keys,
-      cachedAt: Date.now()
-    });
-    return data.keys;
-  } catch (error) {
-    console.warn("[Signature] Error fetching keys from API, using fallback", {
-      error: error instanceof Error ? error.message : "Unknown error",
-      agent
-    });
-    return null;
-  }
-}
-function isValidAgent(agent) {
-  return agent in KNOWN_KEYS;
-}
-async function getKeysForAgent(agent) {
-  const apiKeys = await fetchKeysFromApi(agent);
-  if (apiKeys && apiKeys.length > 0) {
-    return apiKeys;
-  }
-  if (isValidAgent(agent)) {
-    return KNOWN_KEYS[agent];
-  }
-  return [];
-}
-function parseSignatureInput(signatureInput) {
-  try {
-    const match = signatureInput.match(/sig1=\((.*?)\);(.+)/);
-    if (!match) return null;
-    const [, headersList, params] = match;
-    const signedHeaders = headersList ? headersList.split(" ").map((h) => h.replace(/"/g, "").trim()).filter((h) => h.length > 0) : [];
-    const keyidMatch = params ? params.match(/keyid="([^"]+)"/) : null;
-    const createdMatch = params ? params.match(/created=(\d+)/) : null;
-    const expiresMatch = params ? params.match(/expires=(\d+)/) : null;
-    if (!keyidMatch || !keyidMatch[1]) return null;
-    return {
-      keyid: keyidMatch[1],
-      created: createdMatch && createdMatch[1] ? parseInt(createdMatch[1]) : void 0,
-      expires: expiresMatch && expiresMatch[1] ? parseInt(expiresMatch[1]) : void 0,
-      signedHeaders
-    };
-  } catch (error) {
-    console.error("[Signature] Failed to parse Signature-Input:", error);
-    return null;
-  }
-}
-function buildSignatureBase(method, path, headers, signedHeaders) {
-  const components = [];
-  for (const headerName of signedHeaders) {
-    let value;
-    switch (headerName) {
-      case "@method":
-        value = method.toUpperCase();
-        break;
-      case "@path":
-        value = path;
-        break;
-      case "@authority":
-        value = headers["host"] || headers["Host"] || "";
-        break;
-      default: {
-        const key = Object.keys(headers).find((k) => k.toLowerCase() === headerName.toLowerCase());
-        value = key ? headers[key] || "" : "";
-        break;
-      }
-    }
-    components.push(`"${headerName}": ${value}`);
-  }
-  return components.join("\n");
-}
-function base64ToBytes(base64) {
-  let standardBase64 = base64.replace(/-/g, "+").replace(/_/g, "/");
-  const padding = standardBase64.length % 4;
-  if (padding) {
-    standardBase64 += "=".repeat(4 - padding);
-  }
-  const binaryString = atob(standardBase64);
-  return Uint8Array.from(binaryString, (c) => c.charCodeAt(0));
-}
-async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message) {
-  try {
-    const publicKeyBytes = base64ToBytes(publicKeyBase64);
-    const signatureBytes = base64ToBytes(signatureBase64);
-    const messageBytes = new TextEncoder().encode(message);
-    if (publicKeyBytes.length !== 32) {
-      console.error("[Signature] Invalid public key length:", publicKeyBytes.length);
-      return false;
-    }
-    if (signatureBytes.length !== 64) {
-      console.error("[Signature] Invalid signature length:", signatureBytes.length);
-      return false;
-    }
-    return ed25519__namespace.verify(signatureBytes, messageBytes, publicKeyBytes);
-  } catch (nobleError) {
-    console.warn("[Signature] @noble/ed25519 failed, trying Web Crypto fallback:", nobleError);
-    try {
-      const publicKeyBytes = base64ToBytes(publicKeyBase64);
-      const signatureBytes = base64ToBytes(signatureBase64);
-      const messageBytes = new TextEncoder().encode(message);
-      const publicKey = await crypto.subtle.importKey(
-        "raw",
-        publicKeyBytes.buffer,
-        {
-          name: "Ed25519",
-          namedCurve: "Ed25519"
-        },
-        false,
-        ["verify"]
-      );
-      return await crypto.subtle.verify(
-        "Ed25519",
-        publicKey,
-        signatureBytes.buffer,
-        messageBytes
-      );
-    } catch (cryptoError) {
-      console.error("[Signature] Both @noble/ed25519 and Web Crypto failed:", {
-        nobleError: nobleError instanceof Error ? nobleError.message : "Unknown",
-        cryptoError: cryptoError instanceof Error ? cryptoError.message : "Unknown"
-      });
-      return false;
-    }
-  }
-}
-async function verifyAgentSignature(method, path, headers) {
-  const signature = headers["signature"] || headers["Signature"];
-  const signatureInput = headers["signature-input"] || headers["Signature-Input"];
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signature || !signatureInput) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No signature headers present",
-      verificationMethod: "none"
-    };
-  }
-  const parsed = parseSignatureInput(signatureInput);
-  if (!parsed) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Invalid Signature-Input header",
-      verificationMethod: "none"
-    };
-  }
-  if (parsed.created) {
-    const now2 = Math.floor(Date.now() / 1e3);
-    const age = now2 - parsed.created;
-    if (age > 300) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature expired (older than 5 minutes)",
-        verificationMethod: "none"
-      };
-    }
-    if (age < -30) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature timestamp is in the future",
-        verificationMethod: "none"
-      };
-    }
-  }
-  let agent;
-  let agentKey;
-  const isChatGPT = signatureAgent === '"https://chatgpt.com"' || (() => {
-    try {
-      const url = new URL(signatureAgent?.replace(/^"|"$/g, "") || "");
-      return url.hostname === "chatgpt.com" || url.hostname.endsWith(".chatgpt.com");
-    } catch {
-      return false;
-    }
-  })();
-  if (isChatGPT) {
-    agent = "ChatGPT";
-    agentKey = "chatgpt";
-  }
-  if (!agent || !agentKey) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Unknown signature agent",
-      verificationMethod: "none"
-    };
-  }
-  const knownKeys = await getKeysForAgent(agentKey);
-  if (knownKeys.length === 0) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No keys available for agent",
-      verificationMethod: "none"
-    };
-  }
-  const key = knownKeys.find((k) => k.kid === parsed.keyid);
-  if (!key) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: `Unknown key ID: ${parsed.keyid}`,
-      verificationMethod: "none"
-    };
-  }
-  const now = Math.floor(Date.now() / 1e3);
-  if (now < key.validFrom || now > key.validUntil) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Key is not valid at current time",
-      verificationMethod: "none"
-    };
-  }
-  const signatureBase = buildSignatureBase(method, path, headers, parsed.signedHeaders);
-  let signatureValue = signature;
-  if (signatureValue.startsWith("sig1=:")) {
-    signatureValue = signatureValue.substring(6);
-  }
-  if (signatureValue.endsWith(":")) {
-    signatureValue = signatureValue.slice(0, -1);
-  }
-  const isValid = await verifyEd25519Signature(key.publicKey, signatureValue, signatureBase);
-  if (isValid) {
-    return {
-      isValid: true,
-      agent,
-      keyid: parsed.keyid,
-      confidence: 1,
-      // 100% confidence for valid signature
-      verificationMethod: "signature"
-    };
-  } else {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Signature verification failed",
-      verificationMethod: "none"
-    };
-  }
-}
-function hasSignatureHeaders(headers) {
-  return !!((headers["signature"] || headers["Signature"]) && (headers["signature-input"] || headers["Signature-Input"]));
-}
-function isChatGPTSignature(headers) {
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signatureAgent) {
-    return false;
-  }
-  const agentUrlStr = signatureAgent.replace(/^"+|"+$/g, "");
-  if (agentUrlStr === "https://chatgpt.com") {
-    return true;
-  }
-  try {
-    const agentUrl = new URL(agentUrlStr);
-    const allowedHosts = ["chatgpt.com", "www.chatgpt.com"];
-    return allowedHosts.includes(agentUrl.host);
-  } catch {
-    return false;
-  }
-}
-exports.hasSignatureHeaders = hasSignatureHeaders;
-exports.isChatGPTSignature = isChatGPTSignature;
-exports.verifyAgentSignature = verifyAgentSignature;
-//# sourceMappingURL=signature-verifier.js.map
-//# sourceMappingURL=signature-verifier.js.map