@kya-os/checkpoint-nextjs 1.0.0 → 1.1.0

package/dist/edge/index.mjs

@@ -91,7 +91,7 @@ async function createDetector(config) {
       });
       await wasmDetector.ensureReady();
       if (config.debug) {
-        console.debug("[AgentShield] WASM detector initialized in Edge Runtime", {
+        console.debug("[Checkpoint] WASM detector initialized in Edge Runtime", {
           policyEnabled: !!config.apiKey
         });
       }
@@ -118,7 +118,7 @@ async function createDetector(config) {
       };
     } catch (error) {
       if (config.debug) {
-        console.warn("[AgentShield] WASM runtime not available, using pattern detection:", error);
+        console.warn("[Checkpoint] WASM runtime not available, using pattern detection:", error);
       }
       detector = {
         detect: patternDetect,
@@ -127,7 +127,7 @@ async function createDetector(config) {
     }
   } else {
     if (config.debug) {
-      console.debug("[AgentShield] No WASM module provided, using pattern detection");
+      console.debug("[Checkpoint] No WASM module provided, using pattern detection");
     }
     detector = {
       detect: patternDetect,
@@ -178,7 +178,7 @@ function createEdgeMiddleware(config = {}) {
       const result = await detector.detect(input);
       if (result.shouldBlock) {
         if (debug) {
-          console.debug("[AgentShield] Blocked by policy", {
+          console.debug("[Checkpoint] Blocked by policy", {
             reason: result.blockReason,
             agent: result.detectedAgent?.name,
             confidence: result.confidence,
@@ -271,5 +271,3 @@ function createEdgeMiddleware(config = {}) {
 }
 
 export { createEdgeMiddleware };
-//# sourceMappingURL=index.mjs.map
-//# sourceMappingURL=index.mjs.map

package/dist/edge-runtime-loader.js

@@ -145,6 +145,13 @@ var EdgeRuntimeAgentShield = class {
       { pattern: /gemini/i, name: "Google Gemini", confidence: 0.85 },
       { pattern: /perplexity/i, name: "Perplexity", confidence: 0.85 },
       // Fallback
+      // UA-context-only pattern — `\b` is the correct anchor for UA
+      // substring matching. PR #2591's tightened `[\s;()]` form
+      // dropped `/`, which broke legit UA shapes like `you.com/1.0`
+      // and `+https://you.com)` (cursor catch on the same PR — see
+      // sibling agents.ts comment for the full rationale + UA shapes).
+      // CodeQL js/regex/missing-regexp-anchor speculates about URL
+      // misuse; this codebase only applies the pattern to UA strings.
       { pattern: /\byou\.com\b/i, name: "You.com", confidence: 0.8 },
       { pattern: /\bphind\b/i, name: "Phind", confidence: 0.8 }
     ];
@@ -200,5 +207,3 @@ function getDefaultAgentShield(config) {
 
 exports.createEdgeAgentShield = createEdgeAgentShield;
 exports.getDefaultAgentShield = getDefaultAgentShield;
-//# sourceMappingURL=edge-runtime-loader.js.map
-//# sourceMappingURL=edge-runtime-loader.js.map

package/dist/edge-runtime-loader.mjs

@@ -143,6 +143,13 @@ var EdgeRuntimeAgentShield = class {
       { pattern: /gemini/i, name: "Google Gemini", confidence: 0.85 },
       { pattern: /perplexity/i, name: "Perplexity", confidence: 0.85 },
       // Fallback
+      // UA-context-only pattern — `\b` is the correct anchor for UA
+      // substring matching. PR #2591's tightened `[\s;()]` form
+      // dropped `/`, which broke legit UA shapes like `you.com/1.0`
+      // and `+https://you.com)` (cursor catch on the same PR — see
+      // sibling agents.ts comment for the full rationale + UA shapes).
+      // CodeQL js/regex/missing-regexp-anchor speculates about URL
+      // misuse; this codebase only applies the pattern to UA strings.
       { pattern: /\byou\.com\b/i, name: "You.com", confidence: 0.8 },
       { pattern: /\bphind\b/i, name: "Phind", confidence: 0.8 }
     ];
@@ -197,5 +204,3 @@ function getDefaultAgentShield(config) {
 }
 
 export { createEdgeAgentShield, getDefaultAgentShield };
-//# sourceMappingURL=edge-runtime-loader.mjs.map
-//# sourceMappingURL=edge-runtime-loader.mjs.map

package/dist/edge-wasm-middleware.js

@@ -314,5 +314,3 @@ function createEdgeWasmMiddleware(config) {
 
 exports.createEdgeWasmMiddleware = createEdgeWasmMiddleware;
 exports.initializeEdgeWasm = initializeEdgeWasm;
-//# sourceMappingURL=edge-wasm-middleware.js.map
-//# sourceMappingURL=edge-wasm-middleware.js.map

package/dist/edge-wasm-middleware.mjs

@@ -311,5 +311,3 @@ function createEdgeWasmMiddleware(config) {
 }
 
 export { createEdgeWasmMiddleware, initializeEdgeWasm };
-//# sourceMappingURL=edge-wasm-middleware.mjs.map
-//# sourceMappingURL=edge-wasm-middleware.mjs.map

package/dist/index.d.mts

@@ -4,7 +4,7 @@ export { AgentDetectionEvent, AgentSession, AgentShieldMiddlewareConfig, Checkpo
 export { createAgentShieldMiddleware as createAgentShieldMiddlewareBase } from './middleware.mjs';
 export { EdgeSessionTracker, SessionData, SessionTrackingConfig, StatelessSessionChecker } from './session-tracker.mjs';
 export { AgentShieldClient, AgentShieldClientConfig, CheckpointApiClient, CheckpointApiClientConfig, EnforceInput, EnforceResponse, EnforcementDecision, LogDetectionInput, getAgentShieldClient, getCheckpointApiClient, resetAgentShieldClient, resetCheckpointApiClient } from './api-client.mjs';
-export { A as AgentShieldRequest, D as DetectionContext, N as NextJSMiddlewareConfig } from './types-C-xCUNTr.mjs';
+export { A as AgentShieldRequest, D as DetectionContext, N as NextJSMiddlewareConfig } from './types-D9RQvPNy.mjs';
 export { NextJSPolicyMiddlewareConfig, PolicyMiddlewareConfig, applyPolicy, buildBlockedResponse as buildPolicyBlockedResponse, buildRedirectResponse as buildPolicyRedirectResponse, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision } from './policy.mjs';
 export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, EnforcementAction, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
 import '@kya-os/checkpoint-wasm-runtime/adapters';

package/dist/index.d.ts

@@ -4,7 +4,7 @@ export { AgentDetectionEvent, AgentSession, AgentShieldMiddlewareConfig, Checkpo
 export { createAgentShieldMiddleware as createAgentShieldMiddlewareBase } from './middleware.js';
 export { EdgeSessionTracker, SessionData, SessionTrackingConfig, StatelessSessionChecker } from './session-tracker.js';
 export { AgentShieldClient, AgentShieldClientConfig, CheckpointApiClient, CheckpointApiClientConfig, EnforceInput, EnforceResponse, EnforcementDecision, LogDetectionInput, getAgentShieldClient, getCheckpointApiClient, resetAgentShieldClient, resetCheckpointApiClient } from './api-client.js';
-export { A as AgentShieldRequest, D as DetectionContext, N as NextJSMiddlewareConfig } from './types-C-xCUNTr.js';
+export { A as AgentShieldRequest, D as DetectionContext, N as NextJSMiddlewareConfig } from './types-D9RQvPNy.js';
 export { NextJSPolicyMiddlewareConfig, PolicyMiddlewareConfig, applyPolicy, buildBlockedResponse as buildPolicyBlockedResponse, buildRedirectResponse as buildPolicyRedirectResponse, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision } from './policy.js';
 export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, EnforcementAction, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
 import '@kya-os/checkpoint-wasm-runtime/adapters';

package/dist/index.js

@@ -56,21 +56,28 @@ function applyHeaders(res, headers) {
 }
 
 // src/translate.ts
-function nextRequestToHttpLike(req) {
+async function nextRequestToHttpLike(req, opts = {}) {
   const url = new URL(req.url);
+  const body = await tryDrainJsonBody(req, opts);
   return {
     method: req.method,
     // Path + query only — orchestrator's URL parsing expects no scheme/host.
     url: url.pathname + url.search,
     headers: headersToRecord(req.headers),
-    // NextRequest.body is a ReadableStream; we don't drain it here.
-    // The orchestrator routes to PlainHttp when body is falsy, which
-    // is the right call for streaming middlewares that don't want to
-    // buffer the request body just to detect agents.
-    body: null,
+    body,
     remoteAddress: extractRemoteAddress(req)
   };
 }
+async function tryDrainJsonBody(req, opts) {
+  if (opts.drainJsonBody === false) return null;
+  const contentType = req.headers.get("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) return null;
+  try {
+    return await req.clone().text();
+  } catch {
+    return null;
+  }
+}
 function headersToRecord(headers) {
   const out = {};
   headers.forEach((value, key) => {
@@ -91,8 +98,9 @@ function extractRemoteAddress(req) {
 // src/middleware-node.ts
 function withCheckpoint(config) {
   const opts = buildVerifyOpts(config);
+  const translateOpts = { drainJsonBody: config.drainJsonBody };
   return async function checkpointMiddleware(req) {
-    const httpLike = nextRequestToHttpLike(req);
+    const httpLike = await nextRequestToHttpLike(req, translateOpts);
     const result = await orchestrator.verifyRequest(httpLike, opts);
     await dispatchOnResult(config, result, req);
     const rendered = orchestrator.renderDecisionAsResponse(result);
@@ -110,7 +118,8 @@ function buildVerifyOpts(config) {
     tenantHost: config.tenantHost,
     enforcementMode: config.enforcementMode ?? "enforce",
     reputationBaseline: config.reputationBaseline,
-    argusUrl: config.argusUrl
+    argusUrl: config.argusUrl,
+    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
   };
 }
 async function dispatchOnResult(config, result, req) {
@@ -161,7 +170,7 @@ var CheckpointApiClient = class {
   debug;
   constructor(config) {
     if (!config.apiKey) {
-      throw new Error("AgentShield API key is required");
+      throw new Error("Checkpoint API key is required");
     }
     this.apiKey = config.apiKey;
     this.useEdge = config.useEdge !== false;
@@ -192,7 +201,7 @@ var CheckpointApiClient = class {
         clearTimeout(timeoutId);
         const data = await response.json();
         if (this.debug) {
-          console.log("[AgentShield] Enforce response:", {
+          console.log("[Checkpoint] Enforce response:", {
             status: response.status,
             action: data.data?.decision.action,
             processingTimeMs: Date.now() - startTime
@@ -215,7 +224,7 @@ var CheckpointApiClient = class {
     } catch (error) {
       if (error instanceof Error && error.name === "AbortError") {
         if (this.debug) {
-          console.warn("[AgentShield] Request timed out");
+          console.warn("[Checkpoint] Request timed out");
         }
         return {
           success: false,
@@ -226,7 +235,7 @@ var CheckpointApiClient = class {
         };
       }
       if (this.debug) {
-        console.error("[AgentShield] Request failed:", error);
+        console.error("[Checkpoint] Request failed:", error);
       }
       return {
         success: false,
@@ -304,7 +313,7 @@ var CheckpointApiClient = class {
         });
         clearTimeout(timeoutId);
         if (!response.ok && this.debug) {
-          console.warn("[AgentShield] Log detection returned non-2xx:", response.status);
+          console.warn("[Checkpoint] Log detection returned non-2xx:", response.status);
         }
       } catch (error) {
         clearTimeout(timeoutId);
@@ -312,34 +321,50 @@ var CheckpointApiClient = class {
       }
     } catch (error) {
       if (this.debug) {
-        console.error("[AgentShield] Log detection failed:", error);
+        console.error("[Checkpoint] Log detection failed:", error);
       }
       throw error;
     }
   }
 };
-var clientInstance = null;
+var clientInstances = /* @__PURE__ */ new Map();
+function resolveClientConfig(config) {
+  const apiKey = config?.apiKey || process.env.CHECKPOINT_API_KEY;
+  if (!apiKey) {
+    throw new Error(
+      "Checkpoint API key is required. Set CHECKPOINT_API_KEY environment variable or pass apiKey in config."
+    );
+  }
+  return {
+    apiKey,
+    baseUrl: config?.baseUrl || process.env.CHECKPOINT_API_URL,
+    // Default to edge detection unless explicitly disabled
+    useEdge: config?.useEdge ?? process.env.CHECKPOINT_USE_EDGE !== "false",
+    timeout: config?.timeout,
+    debug: config?.debug || process.env.CHECKPOINT_DEBUG === "true"
+  };
+}
+function clientCacheKey(config) {
+  return JSON.stringify([
+    config.apiKey,
+    config.baseUrl ?? "",
+    config.useEdge ?? true,
+    config.timeout ?? DEFAULT_TIMEOUT,
+    config.debug ?? false
+  ]);
+}
 function getCheckpointApiClient(config) {
+  const resolvedConfig = resolveClientConfig(config);
+  const key = clientCacheKey(resolvedConfig);
+  let clientInstance = clientInstances.get(key);
   if (!clientInstance) {
-    const apiKey = config?.apiKey || process.env.CHECKPOINT_API_KEY;
-    if (!apiKey) {
-      throw new Error(
-        "AgentShield API key is required. Set CHECKPOINT_API_KEY environment variable or pass apiKey in config."
-      );
-    }
-    clientInstance = new CheckpointApiClient({
-      apiKey,
-      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,
-      // Default to edge detection unless explicitly disabled
-      useEdge: config?.useEdge ?? process.env.AGENTSHIELD_USE_EDGE !== "false",
-      timeout: config?.timeout,
-      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === "true"
-    });
+    clientInstance = new CheckpointApiClient(resolvedConfig);
+    clientInstances.set(key, clientInstance);
   }
   return clientInstance;
 }
 function resetCheckpointApiClient() {
-  clientInstance = null;
+  clientInstances.clear();
 }
 var AgentShieldClient = CheckpointApiClient;
 var getAgentShieldClient = getCheckpointApiClient;
@@ -558,7 +583,7 @@ function withCheckpointApi(config = {}) {
       });
       if (!result.success || !result.data) {
         if (config.debug) {
-          console.warn("[AgentShield] API error:", result.error);
+          console.warn("[Checkpoint] API error:", result.error);
         }
         if (failOpen) {
           return server.NextResponse.next();
@@ -570,7 +595,7 @@ function withCheckpointApi(config = {}) {
       }
       const decision = result.data.decision;
       if (config.debug) {
-        console.log("[AgentShield] Decision:", {
+        console.log("[Checkpoint] Decision:", {
           path,
           action: decision.action,
           isAgent: decision.isAgent,
@@ -586,12 +611,18 @@ function withCheckpointApi(config = {}) {
           context: { userAgent, ipAddress, path, url: request.url, method: request.method }
         }).catch((err) => {
           if (config.debug) {
-            console.error("[AgentShield] Log detection failed:", err);
+            console.error("[Checkpoint] Log detection failed:", err);
           }
         });
       }
       if (decision.isAgent && config.onAgentDetected) {
-        await config.onAgentDetected(request, decision);
+        try {
+          await config.onAgentDetected(request, decision);
+        } catch (error) {
+          if (config.debug) {
+            console.error("[Checkpoint] onAgentDetected callback failed:", error);
+          }
+        }
       }
       const redirectMode = config.redirectMode ?? "instruct";
       switch (decision.action) {
@@ -631,7 +662,7 @@ function withCheckpointApi(config = {}) {
       }
     } catch (error) {
       if (config.debug) {
-        console.error("[AgentShield] Middleware error:", error);
+        console.error("[Checkpoint] Middleware error:", error);
       }
       if (failOpen) {
         return server.NextResponse.next();
@@ -659,7 +690,7 @@ var EdgeSessionTracker = class {
       cookieName: config.cookieName || "__agentshield_session",
       cookieMaxAge: config.cookieMaxAge || 3600,
       // 1 hour default
-      encryptionKey: config.encryptionKey || process.env.AGENTSHIELD_SECRET || "agentshield-default-key"
+      encryptionKey: config.encryptionKey || process.env.CHECKPOINT_SECRET || "agentshield-default-key"
     };
   }
   /**
@@ -881,7 +912,7 @@ async function handlePolicyDecision(request, decision, config, detection) {
     case checkpointShared.ENFORCEMENT_ACTIONS.CHALLENGE:
       return buildChallengeResponse(request, decision, config, detection);
     case checkpointShared.ENFORCEMENT_ACTIONS.LOG:
-      console.log("[AgentShield] Policy decision (log):", {
+      console.log("[Checkpoint] Policy decision (log):", {
         path: request.nextUrl.pathname,
         action: decision.action,
         reason: decision.reason,
@@ -926,7 +957,7 @@ async function getPolicy(config) {
       return await fetcher.getPolicy(config.fetchPolicy.projectId);
     } catch (error) {
       if (config.debug) {
-        console.warn("[AgentShield] Policy fetch failed, using fallback:", error);
+        console.warn("[Checkpoint] Policy fetch failed, using fallback:", error);
       }
       return checkpointShared.PolicyConfigSchema.parse({
         ...checkpointShared.DEFAULT_POLICY,
@@ -951,12 +982,18 @@ async function applyPolicy(request, detection, config) {
     const context = createContextFromDetection(detection, request);
     const decision = checkpointShared.evaluatePolicy(policy, context);
     if (config.onPolicyDecision) {
-      await config.onPolicyDecision(request, decision, context);
+      try {
+        await config.onPolicyDecision(request, decision, context);
+      } catch (error) {
+        if (config.debug) {
+          console.error("[Checkpoint] onPolicyDecision callback failed:", error);
+        }
+      }
     }
     return await handlePolicyDecision(request, decision, config, detection);
   } catch (error) {
     if (config.debug) {
-      console.error("[AgentShield] Policy evaluation error:", error);
+      console.error("[Checkpoint] Policy evaluation error:", error);
     }
     if (config.failOpen !== false) {
       return null;
@@ -1015,5 +1052,3 @@ exports.resetCheckpointApiClient = resetCheckpointApiClient;
 exports.withAgentShield = withAgentShield;
 exports.withCheckpoint = withCheckpoint;
 exports.withCheckpointApi = withCheckpointApi;
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map

package/dist/index.mjs

@@ -55,21 +55,28 @@ function applyHeaders(res, headers) {
 }
 
 // src/translate.ts
-function nextRequestToHttpLike(req) {
+async function nextRequestToHttpLike(req, opts = {}) {
   const url = new URL(req.url);
+  const body = await tryDrainJsonBody(req, opts);
   return {
     method: req.method,
     // Path + query only — orchestrator's URL parsing expects no scheme/host.
     url: url.pathname + url.search,
     headers: headersToRecord(req.headers),
-    // NextRequest.body is a ReadableStream; we don't drain it here.
-    // The orchestrator routes to PlainHttp when body is falsy, which
-    // is the right call for streaming middlewares that don't want to
-    // buffer the request body just to detect agents.
-    body: null,
+    body,
     remoteAddress: extractRemoteAddress(req)
   };
 }
+async function tryDrainJsonBody(req, opts) {
+  if (opts.drainJsonBody === false) return null;
+  const contentType = req.headers.get("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) return null;
+  try {
+    return await req.clone().text();
+  } catch {
+    return null;
+  }
+}
 function headersToRecord(headers) {
   const out = {};
   headers.forEach((value, key) => {
@@ -90,8 +97,9 @@ function extractRemoteAddress(req) {
 // src/middleware-node.ts
 function withCheckpoint(config) {
   const opts = buildVerifyOpts(config);
+  const translateOpts = { drainJsonBody: config.drainJsonBody };
   return async function checkpointMiddleware(req) {
-    const httpLike = nextRequestToHttpLike(req);
+    const httpLike = await nextRequestToHttpLike(req, translateOpts);
     const result = await verifyRequest(httpLike, opts);
     await dispatchOnResult(config, result, req);
     const rendered = renderDecisionAsResponse(result);
@@ -109,7 +117,8 @@ function buildVerifyOpts(config) {
     tenantHost: config.tenantHost,
     enforcementMode: config.enforcementMode ?? "enforce",
     reputationBaseline: config.reputationBaseline,
-    argusUrl: config.argusUrl
+    argusUrl: config.argusUrl,
+    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
   };
 }
 async function dispatchOnResult(config, result, req) {
@@ -160,7 +169,7 @@ var CheckpointApiClient = class {
   debug;
   constructor(config) {
     if (!config.apiKey) {
-      throw new Error("AgentShield API key is required");
+      throw new Error("Checkpoint API key is required");
     }
     this.apiKey = config.apiKey;
     this.useEdge = config.useEdge !== false;
@@ -191,7 +200,7 @@ var CheckpointApiClient = class {
         clearTimeout(timeoutId);
         const data = await response.json();
         if (this.debug) {
-          console.log("[AgentShield] Enforce response:", {
+          console.log("[Checkpoint] Enforce response:", {
             status: response.status,
             action: data.data?.decision.action,
             processingTimeMs: Date.now() - startTime
@@ -214,7 +223,7 @@ var CheckpointApiClient = class {
     } catch (error) {
       if (error instanceof Error && error.name === "AbortError") {
         if (this.debug) {
-          console.warn("[AgentShield] Request timed out");
+          console.warn("[Checkpoint] Request timed out");
         }
         return {
           success: false,
@@ -225,7 +234,7 @@ var CheckpointApiClient = class {
         };
       }
       if (this.debug) {
-        console.error("[AgentShield] Request failed:", error);
+        console.error("[Checkpoint] Request failed:", error);
       }
       return {
         success: false,
@@ -303,7 +312,7 @@ var CheckpointApiClient = class {
         });
         clearTimeout(timeoutId);
         if (!response.ok && this.debug) {
-          console.warn("[AgentShield] Log detection returned non-2xx:", response.status);
+          console.warn("[Checkpoint] Log detection returned non-2xx:", response.status);
         }
       } catch (error) {
         clearTimeout(timeoutId);
@@ -311,34 +320,50 @@ var CheckpointApiClient = class {
       }
     } catch (error) {
       if (this.debug) {
-        console.error("[AgentShield] Log detection failed:", error);
+        console.error("[Checkpoint] Log detection failed:", error);
       }
       throw error;
     }
   }
 };
-var clientInstance = null;
+var clientInstances = /* @__PURE__ */ new Map();
+function resolveClientConfig(config) {
+  const apiKey = config?.apiKey || process.env.CHECKPOINT_API_KEY;
+  if (!apiKey) {
+    throw new Error(
+      "Checkpoint API key is required. Set CHECKPOINT_API_KEY environment variable or pass apiKey in config."
+    );
+  }
+  return {
+    apiKey,
+    baseUrl: config?.baseUrl || process.env.CHECKPOINT_API_URL,
+    // Default to edge detection unless explicitly disabled
+    useEdge: config?.useEdge ?? process.env.CHECKPOINT_USE_EDGE !== "false",
+    timeout: config?.timeout,
+    debug: config?.debug || process.env.CHECKPOINT_DEBUG === "true"
+  };
+}
+function clientCacheKey(config) {
+  return JSON.stringify([
+    config.apiKey,
+    config.baseUrl ?? "",
+    config.useEdge ?? true,
+    config.timeout ?? DEFAULT_TIMEOUT,
+    config.debug ?? false
+  ]);
+}
 function getCheckpointApiClient(config) {
+  const resolvedConfig = resolveClientConfig(config);
+  const key = clientCacheKey(resolvedConfig);
+  let clientInstance = clientInstances.get(key);
   if (!clientInstance) {
-    const apiKey = config?.apiKey || process.env.CHECKPOINT_API_KEY;
-    if (!apiKey) {
-      throw new Error(
-        "AgentShield API key is required. Set CHECKPOINT_API_KEY environment variable or pass apiKey in config."
-      );
-    }
-    clientInstance = new CheckpointApiClient({
-      apiKey,
-      baseUrl: config?.baseUrl || process.env.AGENTSHIELD_API_URL,
-      // Default to edge detection unless explicitly disabled
-      useEdge: config?.useEdge ?? process.env.AGENTSHIELD_USE_EDGE !== "false",
-      timeout: config?.timeout,
-      debug: config?.debug || process.env.AGENTSHIELD_DEBUG === "true"
-    });
+    clientInstance = new CheckpointApiClient(resolvedConfig);
+    clientInstances.set(key, clientInstance);
   }
   return clientInstance;
 }
 function resetCheckpointApiClient() {
-  clientInstance = null;
+  clientInstances.clear();
 }
 var AgentShieldClient = CheckpointApiClient;
 var getAgentShieldClient = getCheckpointApiClient;
@@ -557,7 +582,7 @@ function withCheckpointApi(config = {}) {
       });
       if (!result.success || !result.data) {
         if (config.debug) {
-          console.warn("[AgentShield] API error:", result.error);
+          console.warn("[Checkpoint] API error:", result.error);
         }
         if (failOpen) {
           return NextResponse.next();
@@ -569,7 +594,7 @@ function withCheckpointApi(config = {}) {
       }
       const decision = result.data.decision;
       if (config.debug) {
-        console.log("[AgentShield] Decision:", {
+        console.log("[Checkpoint] Decision:", {
           path,
           action: decision.action,
           isAgent: decision.isAgent,
@@ -585,12 +610,18 @@ function withCheckpointApi(config = {}) {
           context: { userAgent, ipAddress, path, url: request.url, method: request.method }
         }).catch((err) => {
           if (config.debug) {
-            console.error("[AgentShield] Log detection failed:", err);
+            console.error("[Checkpoint] Log detection failed:", err);
           }
         });
       }
       if (decision.isAgent && config.onAgentDetected) {
-        await config.onAgentDetected(request, decision);
+        try {
+          await config.onAgentDetected(request, decision);
+        } catch (error) {
+          if (config.debug) {
+            console.error("[Checkpoint] onAgentDetected callback failed:", error);
+          }
+        }
       }
       const redirectMode = config.redirectMode ?? "instruct";
       switch (decision.action) {
@@ -630,7 +661,7 @@ function withCheckpointApi(config = {}) {
       }
     } catch (error) {
       if (config.debug) {
-        console.error("[AgentShield] Middleware error:", error);
+        console.error("[Checkpoint] Middleware error:", error);
       }
       if (failOpen) {
         return NextResponse.next();
@@ -658,7 +689,7 @@ var EdgeSessionTracker = class {
       cookieName: config.cookieName || "__agentshield_session",
       cookieMaxAge: config.cookieMaxAge || 3600,
       // 1 hour default
-      encryptionKey: config.encryptionKey || process.env.AGENTSHIELD_SECRET || "agentshield-default-key"
+      encryptionKey: config.encryptionKey || process.env.CHECKPOINT_SECRET || "agentshield-default-key"
     };
   }
   /**
@@ -880,7 +911,7 @@ async function handlePolicyDecision(request, decision, config, detection) {
     case ENFORCEMENT_ACTIONS.CHALLENGE:
       return buildChallengeResponse(request, decision, config, detection);
     case ENFORCEMENT_ACTIONS.LOG:
-      console.log("[AgentShield] Policy decision (log):", {
+      console.log("[Checkpoint] Policy decision (log):", {
         path: request.nextUrl.pathname,
         action: decision.action,
         reason: decision.reason,
@@ -925,7 +956,7 @@ async function getPolicy(config) {
       return await fetcher.getPolicy(config.fetchPolicy.projectId);
     } catch (error) {
       if (config.debug) {
-        console.warn("[AgentShield] Policy fetch failed, using fallback:", error);
+        console.warn("[Checkpoint] Policy fetch failed, using fallback:", error);
       }
       return PolicyConfigSchema.parse({
         ...DEFAULT_POLICY,
@@ -950,12 +981,18 @@ async function applyPolicy(request, detection, config) {
     const context = createContextFromDetection(detection, request);
     const decision = evaluatePolicy(policy, context);
     if (config.onPolicyDecision) {
-      await config.onPolicyDecision(request, decision, context);
+      try {
+        await config.onPolicyDecision(request, decision, context);
+      } catch (error) {
+        if (config.debug) {
+          console.error("[Checkpoint] onPolicyDecision callback failed:", error);
+        }
+      }
     }
     return await handlePolicyDecision(request, decision, config, detection);
   } catch (error) {
     if (config.debug) {
-      console.error("[AgentShield] Policy evaluation error:", error);
+      console.error("[Checkpoint] Policy evaluation error:", error);
     }
     if (config.failOpen !== false) {
       return null;
@@ -975,5 +1012,3 @@ var VERSION = "0.1.0";
  */
 
 export { AgentShieldClient, CheckpointApiClient, EdgeSessionTracker, StatelessSessionChecker, VERSION, agentShieldMiddleware, applyPolicy, buildBlockedResponse2 as buildPolicyBlockedResponse, buildRedirectResponse2 as buildPolicyRedirectResponse, createAgentShieldMiddleware2 as createAgentShieldMiddleware, createAgentShieldMiddleware as createAgentShieldMiddlewareBase, createContextFromDetection, createEnhancedAgentShieldMiddleware, createAgentShieldMiddleware2 as createMiddleware, evaluatePolicyForDetection, getAgentShieldClient, getCheckpointApiClient, getPolicy, handlePolicyDecision, resetAgentShieldClient, resetCheckpointApiClient, withAgentShield, withCheckpoint, withCheckpointApi };
-//# sourceMappingURL=index.mjs.map
-//# sourceMappingURL=index.mjs.map