@kya-os/checkpoint-nextjs 1.0.1 → 1.1.1

package/CHANGELOG.md

@@ -1,5 +1,110 @@
 # @kya-os/checkpoint-nextjs
 
+## 1.1.1 — 2026-05-17
+
+Companion patch to `@kya-os/checkpoint-wasm-runtime@1.1.0`'s
+SDK-WASM-Bundler-Loader-1 fix. **All 1.1.0 users running under Next.js
+Node runtime should upgrade** — `withCheckpoint` couldn't actually be
+deployed under Next.js Node runtime in 1.1.0 due to a Turbopack-
+incompatible URL trick in the wasm-runtime's orchestrator bundle.
+
+### Internal change
+
+- `@kya-os/checkpoint-wasm-runtime` dep changed from exact `1.0.0`
+  pin (the `workspace:*` default) to `^1.1.0` range (via `workspace:^`).
+  Fresh installs now pull `wasm-runtime@1.1.0+`, which adds the
+  `"node"` export condition routing Next.js Node-runtime bundlers to
+  the bundler-clean `orchestrator-node.mjs` entry.
+
+### No code or config changes
+
+Customer middleware.ts call site is unchanged. Verifying envelopes
+under Next.js Node runtime now works end-to-end:
+
+```typescript
+import { withCheckpoint } from '@kya-os/checkpoint-nextjs';
+
+export default withCheckpoint({
+  tenantHost: 'acme.checkpoint.example',
+  legacyEnvelopeFallback: true,
+});
+```
+
+See `@kya-os/checkpoint-wasm-runtime@1.1.0` CHANGELOG for the
+architectural detail.
+
+---
+
+## 1.1.0 — 2026-05-17
+
+Closes [SDK-Envelope-Plumbing-1 (#2594)](https://github.com/Know-That-Ai/agent-shield/issues/2594).
+Wires MCP-I envelope verification through Next.js middleware — Bench-Before-After-1's
+`verified_mcp_i` traffic case was provably blocked by SDK glue (not engine
+capability — the engine verifies at 47µs Criterion local p50). All three transports
+the orchestrator supports now work from a Next.js consumer.
+
+### New config (additive — no breaking changes)
+
+- `CheckpointConfig.legacyEnvelopeFallback?: boolean` (default `false`) — accept
+  envelopes via the legacy `KYA-Delegation` HTTP header alongside the canonical
+  body form. Use for agents that pre-date Envelope-1 (#2537).
+- `CheckpointConfig.drainJsonBody?: boolean` (default `true`) — read the request
+  body when `content-type` is `application/json` so the orchestrator can extract
+  `_meta.proof.jws`. The translator uses `req.clone()` to preserve the original
+  stream for downstream handlers. Set `false` for streaming-sensitive routes
+  that can't tolerate the clone overhead; in that case route envelopes through
+  the `KYA-Delegation` header transport instead.
+
+### New supported transports
+
+| Transport                             | Form                                              | Config required                           |
+| ------------------------------------- | ------------------------------------------------- | ----------------------------------------- |
+| Canonical body (spec form)            | `_meta.proof.jws` field in a JSON request body    | none — `drainJsonBody` defaults to `true` |
+| Legacy header (Envelope-1 transition) | `KYA-Delegation` HTTP header carrying compact JWS | `legacyEnvelopeFallback: true`            |
+
+Both transports work end-to-end against the Rust `kya-os-engine` via WASM,
+including DID resolution (did:web + did:key), Ed25519 signature verification,
+JCS canonicalization, policy + reputation checks. See the engine's Criterion
+suite at `rust/crates/kya-os-engine/benches/bouncer_verify.rs` for the per-stage
+cost breakdown.
+
+### Factory clarity
+
+`createCheckpointWasmMiddleware` JSDoc updated to clearly document it as
+**pattern-detection only** (no envelope verification). Customers needing
+verification are pointed to `withCheckpoint` (the orchestrator-capable factory)
+in the JSDoc + example block.
+
+### Bench-Before-After-1 follow-up
+
+This release unblocks the verified_mcp_i measurement deferred in
+`docs/benchmarks/bench-before-after-1.md` §3.7. After upgrading
+`sites/nextjs-checkpoint/` to 1.1.0 and redeploying bench-new, sub-phase 3 will
+be re-run with the actual verify-success path exercised. The §3.8 "Verify-success
+measurement" section will then be appended to the report.
+
+### Migration
+
+No code changes required for existing 1.0.x consumers — both new fields are
+optional with safe defaults. Consumers wanting envelope verification should:
+
+```diff
+  export default withCheckpoint({
+    tenantHost: 'acme.checkpoint.example',
++   // Accept legacy KYA-Delegation-header envelopes (Envelope-1 transition)
++   legacyEnvelopeFallback: true,
+    // drainJsonBody defaults to true; canonical _meta.proof.jws body works out of the box
+  });
+```
+
+The body-drain default of `true` is a meaningful behavior change for streaming
+middlewares — those should explicitly set `drainJsonBody: false`. Reason for
+defaulting on: the alternative (silent fall-through to PlainHttp for every JSON
+request) is the bug `#2594` was filed to fix; a config default that preserves
+the bug isn't a fix.
+
+---
+
 ## 1.0.1 — 2026-05-17
 
 Security + rename-completeness patch on top of 1.0.0. **All 1.0.0 users