@kya-os/checkpoint-express 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/CHANGELOG.md +40 -0
  2. package/dist/index.d.mts +17 -0
  3. package/dist/index.d.ts +17 -0
  4. package/dist/index.js +2 -3
  5. package/dist/index.mjs +2 -3
  6. package/dist/policy.js +0 -2
  7. package/dist/policy.mjs +0 -2
  8. package/package.json +3 -3
  9. package/dist/index.js.map +0 -1
  10. package/dist/index.mjs.map +0 -1
  11. package/dist/policy.js.map +0 -1
  12. package/dist/policy.mjs.map +0 -1
package/CHANGELOG.md CHANGED
@@ -1,5 +1,45 @@
1
1
  # @kya-os/checkpoint-express
2
2
 
3
+ ## 1.1.0 — 2026-05-17
4
+
5
+ Closes [SDK-Envelope-Plumbing-1 (#2594)](https://github.com/Know-That-Ai/agent-shield/issues/2594)
6
+ for Express. Coordinated release with `@kya-os/checkpoint-nextjs@1.1.0` —
7
+ identical config surface across both SDKs.
8
+
9
+ ### New config (additive — no breaking changes)
10
+
11
+ - `CheckpointConfig.legacyEnvelopeFallback?: boolean` (default `false`) — accept
12
+ envelopes via the legacy `KYA-Delegation` HTTP header alongside the canonical
13
+ body form. Use for agents that pre-date Envelope-1 (#2537). Forwarded to
14
+ the orchestrator's `VerifyRequestOpts.legacyEnvelopeFallback`.
15
+
16
+ ### What's NOT in this release (and why)
17
+
18
+ Express's `translate.ts` already forwards `req.body` (as parsed by `body-parser`)
19
+ to the orchestrator, so the canonical `_meta.proof.jws` body transport has worked
20
+ since 1.0.0. No `drainJsonBody` config is needed — express consumers configure
21
+ body parsing via `express.json()` upstream of the middleware.
22
+
23
+ Express has a single middleware factory (`createCheckpointMiddleware` from
24
+ `./create-middleware`) which already calls `verifyRequest` through the
25
+ orchestrator — no factory-clarity migration needed (Next.js had a pattern-only
26
+ twin that competed with `withCheckpoint`; Express does not).
27
+
28
+ ### Migration
29
+
30
+ No code changes required for existing 1.0.x consumers — `legacyEnvelopeFallback`
31
+ is optional and defaults to `false`. Consumers wanting to accept legacy header
32
+ envelopes:
33
+
34
+ ```diff
35
+ app.use(withCheckpoint({
36
+ tenantHost: 'acme.checkpoint.example',
37
+ + legacyEnvelopeFallback: true,
38
+ }));
39
+ ```
40
+
41
+ ---
42
+
3
43
  ## 1.0.0 — 2026-05-16 (Phase E)
4
44
 
5
45
  ### Breaking
package/dist/index.d.mts CHANGED
@@ -83,6 +83,23 @@ interface CheckpointConfig {
83
83
  * response.
84
84
  */
85
85
  onResult?: (result: VerifyResult, req: Request) => void | Promise<void>;
86
+ /**
87
+ * Accept legacy `KYA-Delegation`-header envelope form alongside the
88
+ * canonical `_meta.proof.jws` body form. Default `false`.
89
+ *
90
+ * **When to enable** — customers whose agents pre-date Envelope-1
91
+ * (#2537) and ship MCP-I proofs as `{protected,payload,signature}`
92
+ * JSON in a `KYA-Delegation` HTTP header. Post-Envelope-1 agents
93
+ * ship compact JWS in the request body's `_meta.proof.jws` field;
94
+ * those don't need this flag (Express's body-parser pre-populates
95
+ * `req.body` which `translate.ts` already forwards to the
96
+ * orchestrator).
97
+ *
98
+ * Forwarded to the orchestrator's `VerifyRequestOpts.legacyEnvelopeFallback`.
99
+ *
100
+ * SDK-Envelope-Plumbing-1 (#2594). Added in `@kya-os/checkpoint-express@1.1.0`.
101
+ */
102
+ legacyEnvelopeFallback?: boolean;
86
103
  }
87
104
  /**
88
105
  * Build the Checkpoint middleware. Returns an Express `RequestHandler`
package/dist/index.d.ts CHANGED
@@ -83,6 +83,23 @@ interface CheckpointConfig {
83
83
  * response.
84
84
  */
85
85
  onResult?: (result: VerifyResult, req: Request) => void | Promise<void>;
86
+ /**
87
+ * Accept legacy `KYA-Delegation`-header envelope form alongside the
88
+ * canonical `_meta.proof.jws` body form. Default `false`.
89
+ *
90
+ * **When to enable** — customers whose agents pre-date Envelope-1
91
+ * (#2537) and ship MCP-I proofs as `{protected,payload,signature}`
92
+ * JSON in a `KYA-Delegation` HTTP header. Post-Envelope-1 agents
93
+ * ship compact JWS in the request body's `_meta.proof.jws` field;
94
+ * those don't need this flag (Express's body-parser pre-populates
95
+ * `req.body` which `translate.ts` already forwards to the
96
+ * orchestrator).
97
+ *
98
+ * Forwarded to the orchestrator's `VerifyRequestOpts.legacyEnvelopeFallback`.
99
+ *
100
+ * SDK-Envelope-Plumbing-1 (#2594). Added in `@kya-os/checkpoint-express@1.1.0`.
101
+ */
102
+ legacyEnvelopeFallback?: boolean;
86
103
  }
87
104
  /**
88
105
  * Build the Checkpoint middleware. Returns an Express `RequestHandler`
package/dist/index.js CHANGED
@@ -7075,7 +7075,8 @@ function buildVerifyOpts(config) {
7075
7075
  tenantHost: config.tenantHost,
7076
7076
  enforcementMode: config.enforcementMode ?? "enforce",
7077
7077
  reputationBaseline: config.reputationBaseline,
7078
- argusUrl: config.argusUrl
7078
+ argusUrl: config.argusUrl,
7079
+ legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
7079
7080
  };
7080
7081
  }
7081
7082
  async function dispatchOnResult(config, result, req) {
@@ -7516,5 +7517,3 @@ exports.sendBlockedResponse = sendBlockedResponse;
7516
7517
  exports.sendRedirectResponse = sendRedirectResponse;
7517
7518
  exports.withCheckpoint = withCheckpoint;
7518
7519
  exports.withSessionTracking = withSessionTracking;
7519
- //# sourceMappingURL=index.js.map
7520
- //# sourceMappingURL=index.js.map
package/dist/index.mjs CHANGED
@@ -7070,7 +7070,8 @@ function buildVerifyOpts(config) {
7070
7070
  tenantHost: config.tenantHost,
7071
7071
  enforcementMode: config.enforcementMode ?? "enforce",
7072
7072
  reputationBaseline: config.reputationBaseline,
7073
- argusUrl: config.argusUrl
7073
+ argusUrl: config.argusUrl,
7074
+ legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
7074
7075
  };
7075
7076
  }
7076
7077
  async function dispatchOnResult(config, result, req) {
@@ -7479,5 +7480,3 @@ var VERSION2 = "1.0.0";
7479
7480
  */
7480
7481
 
7481
7482
  export { ExpressSessionTracker, MemoryStorageAdapter, RedisStorageAdapter, VERSION2 as VERSION, agentShield, applyPolicy, createAgentShieldMiddleware, createContextFromDetection, createEnhancedAgentShieldMiddleware, createStorageAdapter, evaluatePolicyForDetection, getPolicy, handlePolicyDecision, sendBlockedResponse, sendRedirectResponse, withCheckpoint, withSessionTracking };
7482
- //# sourceMappingURL=index.mjs.map
7483
- //# sourceMappingURL=index.mjs.map
package/dist/policy.js CHANGED
@@ -70,5 +70,3 @@ exports.handlePolicyDecision = handlePolicyDecision;
70
70
  exports.sendBlockedResponse = sendBlockedResponse;
71
71
  exports.sendChallengeResponse = sendChallengeResponse;
72
72
  exports.sendRedirectResponse = sendRedirectResponse;
73
- //# sourceMappingURL=policy.js.map
74
- //# sourceMappingURL=policy.js.map
package/dist/policy.mjs CHANGED
@@ -45,5 +45,3 @@ async function applyPolicy(_req, _res, _detection, _config) {
45
45
  }
46
46
 
47
47
  export { applyPolicy, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision, sendBlockedResponse, sendChallengeResponse, sendRedirectResponse };
48
- //# sourceMappingURL=policy.mjs.map
49
- //# sourceMappingURL=policy.mjs.map
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kya-os/checkpoint-express",
3
- "version": "1.0.0",
3
+ "version": "1.1.0",
4
4
  "description": "Express.js middleware for Checkpoint — engine-backed AI agent detection and MCP-I verification",
5
5
  "keywords": [
6
6
  "express",
@@ -68,8 +68,8 @@
68
68
  },
69
69
  "sideEffects": false,
70
70
  "dependencies": {
71
- "@kya-os/checkpoint-shared": "1.0.0",
72
- "@kya-os/checkpoint": "1.0.0"
71
+ "@kya-os/checkpoint": "1.0.0",
72
+ "@kya-os/checkpoint-shared": "1.0.0"
73
73
  },
74
74
  "optionalDependencies": {
75
75
  "@upstash/redis": "^1.35.0",