npm - @kya-os/checkpoint-express - Versions diffs - 1.0.0 - Mend

@kya-os/checkpoint-express 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/policy.d.mts ADDED Viewed

@@ -0,0 +1,88 @@
+import { Request, Response } from 'express';
+import { PolicyConfig, PolicyEvaluationResult, PolicyEvaluationContext, DetectionResult } from '@kya-os/checkpoint-shared';
+export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
+/**
+ * Legacy policy module — Phase E throw-stub.
+ *
+ * Local policy evaluation (deny lists, allow lists, threshold checks)
+ * was the JS-side enforcement path; per the architect's no-JS-verify
+ * pin (Phase 1 review § Q4) it dies. The engine's `Decision` is now
+ * the single authoritative policy output — the orchestrator builds it
+ * from the customer's tenant policy (loaded via `PolicyEvaluator`
+ * adapter), and `withCheckpoint`'s response adapter renders it.
+ *
+ * Type exports (`PolicyMiddlewareConfig`, `PolicyConfig`, etc.) and
+ * shared-package re-exports (`evaluatePolicy`, `ENFORCEMENT_ACTIONS`,
+ * `DEFAULT_POLICY`) remain so customers' config types keep
+ * type-checking through the migration window. Function exports throw
+ * with a migration message at runtime.
+ *
+ * @deprecated Use `withCheckpoint` from `@kya-os/checkpoint-express`.
+ *   Tenant policy is loaded by the engine's PolicyEvaluator adapter.
+ */
+/**
+ * Policy middleware configuration (legacy type). Preserved so customer
+ * config types keep type-checking; the factories that consumed it now
+ * throw.
+ */
+interface PolicyMiddlewareConfig {
+    /** Local policy configuration (static). */
+    policy?: Partial<PolicyConfig>;
+    /** Fetch policy from AgentShield API. */
+    fetchPolicy?: {
+        projectId: string;
+        apiUrl?: string;
+        apiKey?: string;
+        cacheTtlSeconds?: number;
+    };
+    /** Fallback policy to use when fetch fails. */
+    fallbackPolicy?: Partial<PolicyConfig>;
+    /** Custom blocked response. */
+    blockedResponse?: {
+        status?: number;
+        message?: string;
+        headers?: Record<string, string>;
+    };
+    /** Default redirect URL for redirect actions. */
+    redirectUrl?: string;
+    /** Callback when policy decision is made. */
+    onPolicyDecision?: (req: Request, res: Response, decision: PolicyEvaluationResult, context: PolicyEvaluationContext) => void | Promise<void>;
+    /** Custom response handler for blocked requests. */
+    customBlockedResponse?: (req: Request, res: Response, decision: PolicyEvaluationResult) => void | Promise<void>;
+    /** Whether to fail open (allow) on policy evaluation errors. */
+    failOpen?: boolean;
+    /** Enable debug logging. */
+    debug?: boolean;
+}
+/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */
+declare function createContextFromDetection(_detection: DetectionResult, _req: Request): PolicyEvaluationContext;
+/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */
+declare function evaluatePolicyForDetection(_detection: DetectionResult, _req: Request, _policy: PolicyConfig): PolicyEvaluationResult;
+/** @deprecated Use `withCheckpoint` — its response adapter owns this. */
+declare function sendBlockedResponse(_res: Response, _decision: PolicyEvaluationResult, _config: PolicyMiddlewareConfig): void;
+/** @deprecated Use `withCheckpoint` — its response adapter owns this. */
+declare function sendRedirectResponse(_req: Request, _res: Response, _decision: PolicyEvaluationResult, _config: PolicyMiddlewareConfig, _detection?: {
+    detectedAgent?: {
+        name?: string;
+    };
+}): void;
+/** @deprecated Use `withCheckpoint` — its response adapter owns this. */
+declare function sendChallengeResponse(_req: Request, _res: Response, _decision: PolicyEvaluationResult, _config: PolicyMiddlewareConfig, _detection?: {
+    detectedAgent?: {
+        name?: string;
+    };
+}): void;
+/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */
+declare function handlePolicyDecision(_req: Request, _res: Response, _decision: PolicyEvaluationResult, _config: PolicyMiddlewareConfig, _detection?: {
+    detectedAgent?: {
+        name?: string;
+    };
+}): Promise<boolean>;
+/** @deprecated Tenant policy now loads via the engine PolicyEvaluator. */
+declare function getPolicy(_config: PolicyMiddlewareConfig): Promise<PolicyConfig>;
+/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */
+declare function applyPolicy(_req: Request, _res: Response, _detection: DetectionResult, _config: PolicyMiddlewareConfig): Promise<boolean>;
+export { type PolicyMiddlewareConfig, applyPolicy, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision, sendBlockedResponse, sendChallengeResponse, sendRedirectResponse };

package/dist/policy.d.ts ADDED Viewed

@@ -0,0 +1,88 @@
+import { Request, Response } from 'express';
+import { PolicyConfig, PolicyEvaluationResult, PolicyEvaluationContext, DetectionResult } from '@kya-os/checkpoint-shared';
+export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
+/**
+ * Legacy policy module — Phase E throw-stub.
+ *
+ * Local policy evaluation (deny lists, allow lists, threshold checks)
+ * was the JS-side enforcement path; per the architect's no-JS-verify
+ * pin (Phase 1 review § Q4) it dies. The engine's `Decision` is now
+ * the single authoritative policy output — the orchestrator builds it
+ * from the customer's tenant policy (loaded via `PolicyEvaluator`
+ * adapter), and `withCheckpoint`'s response adapter renders it.
+ *
+ * Type exports (`PolicyMiddlewareConfig`, `PolicyConfig`, etc.) and
+ * shared-package re-exports (`evaluatePolicy`, `ENFORCEMENT_ACTIONS`,
+ * `DEFAULT_POLICY`) remain so customers' config types keep
+ * type-checking through the migration window. Function exports throw
+ * with a migration message at runtime.
+ *
+ * @deprecated Use `withCheckpoint` from `@kya-os/checkpoint-express`.
+ *   Tenant policy is loaded by the engine's PolicyEvaluator adapter.
+ */
+/**
+ * Policy middleware configuration (legacy type). Preserved so customer
+ * config types keep type-checking; the factories that consumed it now
+ * throw.
+ */
+interface PolicyMiddlewareConfig {
+    /** Local policy configuration (static). */
+    policy?: Partial<PolicyConfig>;
+    /** Fetch policy from AgentShield API. */
+    fetchPolicy?: {
+        projectId: string;
+        apiUrl?: string;
+        apiKey?: string;
+        cacheTtlSeconds?: number;
+    };
+    /** Fallback policy to use when fetch fails. */
+    fallbackPolicy?: Partial<PolicyConfig>;
+    /** Custom blocked response. */
+    blockedResponse?: {
+        status?: number;
+        message?: string;
+        headers?: Record<string, string>;
+    };
+    /** Default redirect URL for redirect actions. */
+    redirectUrl?: string;
+    /** Callback when policy decision is made. */
+    onPolicyDecision?: (req: Request, res: Response, decision: PolicyEvaluationResult, context: PolicyEvaluationContext) => void | Promise<void>;
+    /** Custom response handler for blocked requests. */
+    customBlockedResponse?: (req: Request, res: Response, decision: PolicyEvaluationResult) => void | Promise<void>;
+    /** Whether to fail open (allow) on policy evaluation errors. */
+    failOpen?: boolean;
+    /** Enable debug logging. */
+    debug?: boolean;
+}
+/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */
+declare function createContextFromDetection(_detection: DetectionResult, _req: Request): PolicyEvaluationContext;
+/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */
+declare function evaluatePolicyForDetection(_detection: DetectionResult, _req: Request, _policy: PolicyConfig): PolicyEvaluationResult;
+/** @deprecated Use `withCheckpoint` — its response adapter owns this. */
+declare function sendBlockedResponse(_res: Response, _decision: PolicyEvaluationResult, _config: PolicyMiddlewareConfig): void;
+/** @deprecated Use `withCheckpoint` — its response adapter owns this. */
+declare function sendRedirectResponse(_req: Request, _res: Response, _decision: PolicyEvaluationResult, _config: PolicyMiddlewareConfig, _detection?: {
+    detectedAgent?: {
+        name?: string;
+    };
+}): void;
+/** @deprecated Use `withCheckpoint` — its response adapter owns this. */
+declare function sendChallengeResponse(_req: Request, _res: Response, _decision: PolicyEvaluationResult, _config: PolicyMiddlewareConfig, _detection?: {
+    detectedAgent?: {
+        name?: string;
+    };
+}): void;
+/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */
+declare function handlePolicyDecision(_req: Request, _res: Response, _decision: PolicyEvaluationResult, _config: PolicyMiddlewareConfig, _detection?: {
+    detectedAgent?: {
+        name?: string;
+    };
+}): Promise<boolean>;
+/** @deprecated Tenant policy now loads via the engine PolicyEvaluator. */
+declare function getPolicy(_config: PolicyMiddlewareConfig): Promise<PolicyConfig>;
+/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */
+declare function applyPolicy(_req: Request, _res: Response, _detection: DetectionResult, _config: PolicyMiddlewareConfig): Promise<boolean>;
+export { type PolicyMiddlewareConfig, applyPolicy, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision, sendBlockedResponse, sendChallengeResponse, sendRedirectResponse };

package/dist/policy.js ADDED Viewed

@@ -0,0 +1,74 @@
+'use strict';
+var checkpointShared = require('@kya-os/checkpoint-shared');
+// src/policy.ts
+var MIGRATION_MESSAGE = [
+  "[checkpoint-express] Local policy evaluation has been retired.",
+  "",
+  "Tenant policy now flows through the engine PolicyEvaluator adapter.",
+  "Configure it via withCheckpoint's `dashboardUrl` option:",
+  "",
+  "  import { withCheckpoint } from '@kya-os/checkpoint-express';",
+  "",
+  "  app.use(withCheckpoint({",
+  "    tenantHost: 'your.tenant.example',",
+  "    dashboardUrl: 'https://dashboard.checkpoint.example',",
+  "  }));",
+  "",
+  "The engine`s `Decision` (Permit / Block / Redirect / Challenge / Instruct)",
+  "is the single authoritative policy output \u2014 the response adapter inside",
+  "`withCheckpoint` renders it. Custom block-response shapes belong in the",
+  "dashboard policy itself, not in middleware code."
+].join("\n");
+function createContextFromDetection(_detection, _req) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+function evaluatePolicyForDetection(_detection, _req, _policy) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+function sendBlockedResponse(_res, _decision, _config) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+function sendRedirectResponse(_req, _res, _decision, _config, _detection) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+function sendChallengeResponse(_req, _res, _decision, _config, _detection) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+async function handlePolicyDecision(_req, _res, _decision, _config, _detection) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+async function getPolicy(_config) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+async function applyPolicy(_req, _res, _detection, _config) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+Object.defineProperty(exports, "DEFAULT_POLICY", {
+  enumerable: true,
+  get: function () { return checkpointShared.DEFAULT_POLICY; }
+});
+Object.defineProperty(exports, "ENFORCEMENT_ACTIONS", {
+  enumerable: true,
+  get: function () { return checkpointShared.ENFORCEMENT_ACTIONS; }
+});
+Object.defineProperty(exports, "createEvaluationContext", {
+  enumerable: true,
+  get: function () { return checkpointShared.createEvaluationContext; }
+});
+Object.defineProperty(exports, "evaluatePolicy", {
+  enumerable: true,
+  get: function () { return checkpointShared.evaluatePolicy; }
+});
+exports.applyPolicy = applyPolicy;
+exports.createContextFromDetection = createContextFromDetection;
+exports.evaluatePolicyForDetection = evaluatePolicyForDetection;
+exports.getPolicy = getPolicy;
+exports.handlePolicyDecision = handlePolicyDecision;
+exports.sendBlockedResponse = sendBlockedResponse;
+exports.sendChallengeResponse = sendChallengeResponse;
+exports.sendRedirectResponse = sendRedirectResponse;
+//# sourceMappingURL=policy.js.map
+//# sourceMappingURL=policy.js.map

package/dist/policy.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/policy.ts"],"names":[],"mappings":";;;;;AAsFA,IAAM,iBAAA,GAAoB;AAAA,EACxB,gEAAA;AAAA,EACA,EAAA;AAAA,EACA,qEAAA;AAAA,EACA,0DAAA;AAAA,EACA,EAAA;AAAA,EACA,gEAAA;AAAA,EACA,EAAA;AAAA,EACA,4BAAA;AAAA,EACA,wCAAA;AAAA,EACA,2DAAA;AAAA,EACA,QAAA;AAAA,EACA,EAAA;AAAA,EACA,4EAAA;AAAA,EACA,8EAAA;AAAA,EACA,yEAAA;AAAA,EACA;AACF,CAAA,CAAE,KAAK,IAAI,CAAA;AAOJ,SAAS,0BAAA,CACd,YACA,IAAA,EACyB;AACzB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,0BAAA,CACd,UAAA,EACA,IAAA,EACA,OAAA,EACwB;AACxB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,mBAAA,CACd,IAAA,EACA,SAAA,EACA,OAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,oBAAA,CACd,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,qBAAA,CACd,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,oBAAA,CACpB,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACkB;AAClB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,UAAU,OAAA,EAAwD;AACtF,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,WAAA,CACpB,IAAA,EACA,IAAA,EACA,UAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC","file":"policy.js","sourcesContent":["/**\n * Legacy policy module — Phase E throw-stub.\n *\n * Local policy evaluation (deny lists, allow lists, threshold checks)\n * was the JS-side enforcement path; per the architect's no-JS-verify\n * pin (Phase 1 review § Q4) it dies. The engine's `Decision` is now\n * the single authoritative policy output — the orchestrator builds it\n * from the customer's tenant policy (loaded via `PolicyEvaluator`\n * adapter), and `withCheckpoint`'s response adapter renders it.\n *\n * Type exports (`PolicyMiddlewareConfig`, `PolicyConfig`, etc.) and\n * shared-package re-exports (`evaluatePolicy`, `ENFORCEMENT_ACTIONS`,\n * `DEFAULT_POLICY`) remain so customers' config types keep\n * type-checking through the migration window. Function exports throw\n * with a migration message at runtime.\n *\n * @deprecated Use `withCheckpoint` from `@kya-os/checkpoint-express`.\n * Tenant policy is loaded by the engine's PolicyEvaluator adapter.\n */\n\nimport type { Request, Response } from 'express';\n\nimport type {\n PolicyConfig,\n PolicyEvaluationContext,\n PolicyEvaluationResult,\n DetectionResult,\n} from '@kya-os/checkpoint-shared';\n\n// Re-export shared policy types + helpers for convenience. Call sites\n// that destructure these continue to type-check; only the function-body\n// invocations of the legacy local-policy helpers (below) throw.\nexport {\n evaluatePolicy,\n createEvaluationContext,\n type PolicyConfig,\n type PolicyEvaluationContext,\n type PolicyEvaluationResult,\n ENFORCEMENT_ACTIONS,\n DEFAULT_POLICY,\n} from '@kya-os/checkpoint-shared';\n\n/**\n * Policy middleware configuration (legacy type). Preserved so customer\n * config types keep type-checking; the factories that consumed it now\n * throw.\n */\nexport interface PolicyMiddlewareConfig {\n /** Local policy configuration (static). */\n policy?: Partial<PolicyConfig>;\n /** Fetch policy from AgentShield API. */\n fetchPolicy?: {\n projectId: string;\n apiUrl?: string;\n apiKey?: string;\n cacheTtlSeconds?: number;\n };\n /** Fallback policy to use when fetch fails. */\n fallbackPolicy?: Partial<PolicyConfig>;\n /** Custom blocked response. */\n blockedResponse?: {\n status?: number;\n message?: string;\n headers?: Record<string, string>;\n };\n /** Default redirect URL for redirect actions. */\n redirectUrl?: string;\n /** Callback when policy decision is made. */\n onPolicyDecision?: (\n req: Request,\n res: Response,\n decision: PolicyEvaluationResult,\n context: PolicyEvaluationContext\n ) => void | Promise<void>;\n /** Custom response handler for blocked requests. */\n customBlockedResponse?: (\n req: Request,\n res: Response,\n decision: PolicyEvaluationResult\n ) => void | Promise<void>;\n /** Whether to fail open (allow) on policy evaluation errors. */\n failOpen?: boolean;\n /** Enable debug logging. */\n debug?: boolean;\n}\n\nconst MIGRATION_MESSAGE = [\n '[checkpoint-express] Local policy evaluation has been retired.',\n '',\n 'Tenant policy now flows through the engine PolicyEvaluator adapter.',\n \"Configure it via withCheckpoint's `dashboardUrl` option:\",\n '',\n \" import { withCheckpoint } from '@kya-os/checkpoint-express';\",\n '',\n ' app.use(withCheckpoint({',\n \" tenantHost: 'your.tenant.example',\",\n \" dashboardUrl: 'https://dashboard.checkpoint.example',\",\n ' }));',\n '',\n 'The engine`s `Decision` (Permit / Block / Redirect / Challenge / Instruct)',\n 'is the single authoritative policy output — the response adapter inside',\n '`withCheckpoint` renders it. Custom block-response shapes belong in the',\n 'dashboard policy itself, not in middleware code.',\n].join('\\n');\n\n// ---------------------------------------------------------------------------\n// Throw-stub function exports — names preserved, bodies retired.\n// ---------------------------------------------------------------------------\n\n/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */\nexport function createContextFromDetection(\n _detection: DetectionResult,\n _req: Request\n): PolicyEvaluationContext {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */\nexport function evaluatePolicyForDetection(\n _detection: DetectionResult,\n _req: Request,\n _policy: PolicyConfig\n): PolicyEvaluationResult {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendBlockedResponse(\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendRedirectResponse(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendChallengeResponse(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */\nexport async function handlePolicyDecision(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): Promise<boolean> {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Tenant policy now loads via the engine PolicyEvaluator. */\nexport async function getPolicy(_config: PolicyMiddlewareConfig): Promise<PolicyConfig> {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */\nexport async function applyPolicy(\n _req: Request,\n _res: Response,\n _detection: DetectionResult,\n _config: PolicyMiddlewareConfig\n): Promise<boolean> {\n throw new Error(MIGRATION_MESSAGE);\n}\n"]}

package/dist/policy.mjs ADDED Viewed

@@ -0,0 +1,49 @@
+export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
+// src/policy.ts
+var MIGRATION_MESSAGE = [
+  "[checkpoint-express] Local policy evaluation has been retired.",
+  "",
+  "Tenant policy now flows through the engine PolicyEvaluator adapter.",
+  "Configure it via withCheckpoint's `dashboardUrl` option:",
+  "",
+  "  import { withCheckpoint } from '@kya-os/checkpoint-express';",
+  "",
+  "  app.use(withCheckpoint({",
+  "    tenantHost: 'your.tenant.example',",
+  "    dashboardUrl: 'https://dashboard.checkpoint.example',",
+  "  }));",
+  "",
+  "The engine`s `Decision` (Permit / Block / Redirect / Challenge / Instruct)",
+  "is the single authoritative policy output \u2014 the response adapter inside",
+  "`withCheckpoint` renders it. Custom block-response shapes belong in the",
+  "dashboard policy itself, not in middleware code."
+].join("\n");
+function createContextFromDetection(_detection, _req) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+function evaluatePolicyForDetection(_detection, _req, _policy) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+function sendBlockedResponse(_res, _decision, _config) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+function sendRedirectResponse(_req, _res, _decision, _config, _detection) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+function sendChallengeResponse(_req, _res, _decision, _config, _detection) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+async function handlePolicyDecision(_req, _res, _decision, _config, _detection) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+async function getPolicy(_config) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+async function applyPolicy(_req, _res, _detection, _config) {
+  throw new Error(MIGRATION_MESSAGE);
+}
+export { applyPolicy, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision, sendBlockedResponse, sendChallengeResponse, sendRedirectResponse };
+//# sourceMappingURL=policy.mjs.map
+//# sourceMappingURL=policy.mjs.map

package/dist/policy.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/policy.ts"],"names":[],"mappings":";;;AAsFA,IAAM,iBAAA,GAAoB;AAAA,EACxB,gEAAA;AAAA,EACA,EAAA;AAAA,EACA,qEAAA;AAAA,EACA,0DAAA;AAAA,EACA,EAAA;AAAA,EACA,gEAAA;AAAA,EACA,EAAA;AAAA,EACA,4BAAA;AAAA,EACA,wCAAA;AAAA,EACA,2DAAA;AAAA,EACA,QAAA;AAAA,EACA,EAAA;AAAA,EACA,4EAAA;AAAA,EACA,8EAAA;AAAA,EACA,yEAAA;AAAA,EACA;AACF,CAAA,CAAE,KAAK,IAAI,CAAA;AAOJ,SAAS,0BAAA,CACd,YACA,IAAA,EACyB;AACzB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,0BAAA,CACd,UAAA,EACA,IAAA,EACA,OAAA,EACwB;AACxB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,mBAAA,CACd,IAAA,EACA,SAAA,EACA,OAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,oBAAA,CACd,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,qBAAA,CACd,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,oBAAA,CACpB,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACkB;AAClB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,UAAU,OAAA,EAAwD;AACtF,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,WAAA,CACpB,IAAA,EACA,IAAA,EACA,UAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC","file":"policy.mjs","sourcesContent":["/**\n * Legacy policy module — Phase E throw-stub.\n *\n * Local policy evaluation (deny lists, allow lists, threshold checks)\n * was the JS-side enforcement path; per the architect's no-JS-verify\n * pin (Phase 1 review § Q4) it dies. The engine's `Decision` is now\n * the single authoritative policy output — the orchestrator builds it\n * from the customer's tenant policy (loaded via `PolicyEvaluator`\n * adapter), and `withCheckpoint`'s response adapter renders it.\n *\n * Type exports (`PolicyMiddlewareConfig`, `PolicyConfig`, etc.) and\n * shared-package re-exports (`evaluatePolicy`, `ENFORCEMENT_ACTIONS`,\n * `DEFAULT_POLICY`) remain so customers' config types keep\n * type-checking through the migration window. Function exports throw\n * with a migration message at runtime.\n *\n * @deprecated Use `withCheckpoint` from `@kya-os/checkpoint-express`.\n * Tenant policy is loaded by the engine's PolicyEvaluator adapter.\n */\n\nimport type { Request, Response } from 'express';\n\nimport type {\n PolicyConfig,\n PolicyEvaluationContext,\n PolicyEvaluationResult,\n DetectionResult,\n} from '@kya-os/checkpoint-shared';\n\n// Re-export shared policy types + helpers for convenience. Call sites\n// that destructure these continue to type-check; only the function-body\n// invocations of the legacy local-policy helpers (below) throw.\nexport {\n evaluatePolicy,\n createEvaluationContext,\n type PolicyConfig,\n type PolicyEvaluationContext,\n type PolicyEvaluationResult,\n ENFORCEMENT_ACTIONS,\n DEFAULT_POLICY,\n} from '@kya-os/checkpoint-shared';\n\n/**\n * Policy middleware configuration (legacy type). Preserved so customer\n * config types keep type-checking; the factories that consumed it now\n * throw.\n */\nexport interface PolicyMiddlewareConfig {\n /** Local policy configuration (static). */\n policy?: Partial<PolicyConfig>;\n /** Fetch policy from AgentShield API. */\n fetchPolicy?: {\n projectId: string;\n apiUrl?: string;\n apiKey?: string;\n cacheTtlSeconds?: number;\n };\n /** Fallback policy to use when fetch fails. */\n fallbackPolicy?: Partial<PolicyConfig>;\n /** Custom blocked response. */\n blockedResponse?: {\n status?: number;\n message?: string;\n headers?: Record<string, string>;\n };\n /** Default redirect URL for redirect actions. */\n redirectUrl?: string;\n /** Callback when policy decision is made. */\n onPolicyDecision?: (\n req: Request,\n res: Response,\n decision: PolicyEvaluationResult,\n context: PolicyEvaluationContext\n ) => void | Promise<void>;\n /** Custom response handler for blocked requests. */\n customBlockedResponse?: (\n req: Request,\n res: Response,\n decision: PolicyEvaluationResult\n ) => void | Promise<void>;\n /** Whether to fail open (allow) on policy evaluation errors. */\n failOpen?: boolean;\n /** Enable debug logging. */\n debug?: boolean;\n}\n\nconst MIGRATION_MESSAGE = [\n '[checkpoint-express] Local policy evaluation has been retired.',\n '',\n 'Tenant policy now flows through the engine PolicyEvaluator adapter.',\n \"Configure it via withCheckpoint's `dashboardUrl` option:\",\n '',\n \" import { withCheckpoint } from '@kya-os/checkpoint-express';\",\n '',\n ' app.use(withCheckpoint({',\n \" tenantHost: 'your.tenant.example',\",\n \" dashboardUrl: 'https://dashboard.checkpoint.example',\",\n ' }));',\n '',\n 'The engine`s `Decision` (Permit / Block / Redirect / Challenge / Instruct)',\n 'is the single authoritative policy output — the response adapter inside',\n '`withCheckpoint` renders it. Custom block-response shapes belong in the',\n 'dashboard policy itself, not in middleware code.',\n].join('\\n');\n\n// ---------------------------------------------------------------------------\n// Throw-stub function exports — names preserved, bodies retired.\n// ---------------------------------------------------------------------------\n\n/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */\nexport function createContextFromDetection(\n _detection: DetectionResult,\n _req: Request\n): PolicyEvaluationContext {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */\nexport function evaluatePolicyForDetection(\n _detection: DetectionResult,\n _req: Request,\n _policy: PolicyConfig\n): PolicyEvaluationResult {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendBlockedResponse(\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendRedirectResponse(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendChallengeResponse(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */\nexport async function handlePolicyDecision(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): Promise<boolean> {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Tenant policy now loads via the engine PolicyEvaluator. */\nexport async function getPolicy(_config: PolicyMiddlewareConfig): Promise<PolicyConfig> {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */\nexport async function applyPolicy(\n _req: Request,\n _res: Response,\n _detection: DetectionResult,\n _config: PolicyMiddlewareConfig\n): Promise<boolean> {\n throw new Error(MIGRATION_MESSAGE);\n}\n"]}

package/package.json ADDED Viewed

@@ -0,0 +1,92 @@
+{
+  "name": "@kya-os/checkpoint-express",
+  "version": "1.0.0",
+  "description": "Express.js middleware for Checkpoint — engine-backed AI agent detection and MCP-I verification",
+  "keywords": [
+    "express",
+    "middleware",
+    "ai",
+    "agent",
+    "detection",
+    "security"
+  ],
+  "license": "MIT OR Apache-2.0",
+  "author": "KnowThat.ai",
+  "homepage": "https://github.com/Know-That-Ai/agent-shield#readme",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Know-That-Ai/agent-shield.git",
+    "directory": "packages/checkpoint-express"
+  },
+  "bugs": {
+    "url": "https://github.com/Know-That-Ai/agent-shield/issues"
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./policy": {
+      "types": "./dist/policy.d.ts",
+      "import": "./dist/policy.mjs",
+      "require": "./dist/policy.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "devDependencies": {
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.11.24",
+    "@vitest/coverage-v8": "^1.3.1",
+    "express": "^4.18.3",
+    "rimraf": "^5.0.5",
+    "tsup": "^8.0.2",
+    "typescript": "^5.4.2",
+    "vitest": "^1.3.1"
+  },
+  "peerDependencies": {
+    "express": "^4.18.0"
+  },
+  "peerDependenciesMeta": {
+    "@upstash/redis": {
+      "optional": true
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "sideEffects": false,
+  "dependencies": {
+    "@kya-os/checkpoint-shared": "1.0.0",
+    "@kya-os/checkpoint": "1.0.0"
+  },
+  "optionalDependencies": {
+    "@upstash/redis": "^1.35.0",
+    "@kya-os/checkpoint-wasm-runtime": "1.0.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "build:watch": "tsup --watch",
+    "dev": "tsup --watch",
+    "clean": "rimraf dist .tsbuildinfo",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "type-check": "tsc --noEmit",
+    "lint": "eslint src --ext .ts,.tsx",
+    "lint:fix": "eslint src --ext .ts,.tsx --fix",
+    "format": "prettier --write \"src/**/*.{ts,tsx,json,md}\"",
+    "format:check": "prettier --check \"src/**/*.{ts,tsx,json,md}\""
+  }
+}