@kya-os/checkpoint-nextjs 1.0.1 → 1.1.0

package/dist/translate.js

@@ -1,21 +1,28 @@
 'use strict';
 
 // src/translate.ts
-function nextRequestToHttpLike(req) {
+async function nextRequestToHttpLike(req, opts = {}) {
   const url = new URL(req.url);
+  const body = await tryDrainJsonBody(req, opts);
   return {
     method: req.method,
     // Path + query only — orchestrator's URL parsing expects no scheme/host.
     url: url.pathname + url.search,
     headers: headersToRecord(req.headers),
-    // NextRequest.body is a ReadableStream; we don't drain it here.
-    // The orchestrator routes to PlainHttp when body is falsy, which
-    // is the right call for streaming middlewares that don't want to
-    // buffer the request body just to detect agents.
-    body: null,
+    body,
     remoteAddress: extractRemoteAddress(req)
   };
 }
+async function tryDrainJsonBody(req, opts) {
+  if (opts.drainJsonBody === false) return null;
+  const contentType = req.headers.get("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) return null;
+  try {
+    return await req.clone().text();
+  } catch {
+    return null;
+  }
+}
 function headersToRecord(headers) {
   const out = {};
   headers.forEach((value, key) => {

package/dist/translate.mjs

@@ -1,19 +1,26 @@
 // src/translate.ts
-function nextRequestToHttpLike(req) {
+async function nextRequestToHttpLike(req, opts = {}) {
   const url = new URL(req.url);
+  const body = await tryDrainJsonBody(req, opts);
   return {
     method: req.method,
     // Path + query only — orchestrator's URL parsing expects no scheme/host.
     url: url.pathname + url.search,
     headers: headersToRecord(req.headers),
-    // NextRequest.body is a ReadableStream; we don't drain it here.
-    // The orchestrator routes to PlainHttp when body is falsy, which
-    // is the right call for streaming middlewares that don't want to
-    // buffer the request body just to detect agents.
-    body: null,
+    body,
     remoteAddress: extractRemoteAddress(req)
   };
 }
+async function tryDrainJsonBody(req, opts) {
+  if (opts.drainJsonBody === false) return null;
+  const contentType = req.headers.get("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) return null;
+  try {
+    return await req.clone().text();
+  } catch {
+    return null;
+  }
+}
 function headersToRecord(headers) {
   const out = {};
   headers.forEach((value, key) => {

package/dist/wasm-middleware.d.mts

@@ -26,22 +26,41 @@ interface AgentShieldConfig {
     };
 }
 /**
- * Create a WASM-enabled AgentShield middleware
- * This must be used with proper WASM module import at the top of middleware.ts
+ * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
  *
- * @example
+ * **This factory runs UA/header pattern matching only.** It does NOT
+ * verify MCP-I signed envelopes — no JWS verification, no DID
+ * resolution, no orchestrator stages. Use it when your only enforcement
+ * concern is "is this request from a known bot pattern."
+ *
+ * **For envelope verification, use {@link withCheckpoint} instead** —
+ * exported from `@kya-os/checkpoint-nextjs` (Node runtime) or
+ * `@kya-os/checkpoint-nextjs/edge` (Edge runtime). `withCheckpoint`
+ * routes every request through the kya-os-engine via WASM and supports
+ * both `_meta.proof.jws` body envelopes (default) and the legacy
+ * `KYA-Delegation` header form (opt-in via `legacyEnvelopeFallback`).
+ * See SDK-Envelope-Plumbing-1 (#2594) for the migration context.
+ *
+ * @example pattern-only (this factory)
  * ```typescript
- * // middleware.ts
  * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * import { createWasmAgentShieldMiddleware } from '@kya-os/checkpoint-nextjs';
+ * import { createCheckpointWasmMiddleware } from '@kya-os/checkpoint-nextjs';
  *
  * const wasmInstance = await WebAssembly.instantiate(wasmModule);
- *
- * export const middleware = createWasmAgentShieldMiddleware({
+ * export const middleware = createCheckpointWasmMiddleware({
  *   wasmInstance,
- *   onAgentDetected: (result) => {
- *     console.log(`Detected ${result.agent} with ${result.confidence * 100}% confidence`);
- *   }
+ *   confidenceThreshold: 80,
+ * });
+ * ```
+ *
+ * @example envelope verification (use `withCheckpoint` instead)
+ * ```typescript
+ * import { withCheckpoint } from '@kya-os/checkpoint-nextjs';
+ *
+ * export default withCheckpoint({
+ *   tenantHost: 'acme.checkpoint.example',
+ *   legacyEnvelopeFallback: true, // accept `KYA-Delegation` header form
+ *   // drainJsonBody defaults to true; spec-form `_meta.proof.jws` works out of the box
  * });
  * ```
  */

package/dist/wasm-middleware.d.ts

@@ -26,22 +26,41 @@ interface AgentShieldConfig {
     };
 }
 /**
- * Create a WASM-enabled AgentShield middleware
- * This must be used with proper WASM module import at the top of middleware.ts
+ * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
  *
- * @example
+ * **This factory runs UA/header pattern matching only.** It does NOT
+ * verify MCP-I signed envelopes — no JWS verification, no DID
+ * resolution, no orchestrator stages. Use it when your only enforcement
+ * concern is "is this request from a known bot pattern."
+ *
+ * **For envelope verification, use {@link withCheckpoint} instead** —
+ * exported from `@kya-os/checkpoint-nextjs` (Node runtime) or
+ * `@kya-os/checkpoint-nextjs/edge` (Edge runtime). `withCheckpoint`
+ * routes every request through the kya-os-engine via WASM and supports
+ * both `_meta.proof.jws` body envelopes (default) and the legacy
+ * `KYA-Delegation` header form (opt-in via `legacyEnvelopeFallback`).
+ * See SDK-Envelope-Plumbing-1 (#2594) for the migration context.
+ *
+ * @example pattern-only (this factory)
  * ```typescript
- * // middleware.ts
  * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * import { createWasmAgentShieldMiddleware } from '@kya-os/checkpoint-nextjs';
+ * import { createCheckpointWasmMiddleware } from '@kya-os/checkpoint-nextjs';
  *
  * const wasmInstance = await WebAssembly.instantiate(wasmModule);
- *
- * export const middleware = createWasmAgentShieldMiddleware({
+ * export const middleware = createCheckpointWasmMiddleware({
  *   wasmInstance,
- *   onAgentDetected: (result) => {
- *     console.log(`Detected ${result.agent} with ${result.confidence * 100}% confidence`);
- *   }
+ *   confidenceThreshold: 80,
+ * });
+ * ```
+ *
+ * @example envelope verification (use `withCheckpoint` instead)
+ * ```typescript
+ * import { withCheckpoint } from '@kya-os/checkpoint-nextjs';
+ *
+ * export default withCheckpoint({
+ *   tenantHost: 'acme.checkpoint.example',
+ *   legacyEnvelopeFallback: true, // accept `KYA-Delegation` header form
+ *   // drainJsonBody defaults to true; spec-form `_meta.proof.jws` works out of the box
  * });
  * ```
  */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/checkpoint-nextjs",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "Checkpoint Next.js middleware for AI agent detection (formerly @kya-os/agentshield-nextjs)",
   "keywords": [
     "nextjs",