@kya-os/checkpoint-nextjs 1.1.0 → 1.1.1

package/CHANGELOG.md

@@ -1,5 +1,40 @@
 # @kya-os/checkpoint-nextjs
 
+## 1.1.1 — 2026-05-17
+
+Companion patch to `@kya-os/checkpoint-wasm-runtime@1.1.0`'s
+SDK-WASM-Bundler-Loader-1 fix. **All 1.1.0 users running under Next.js
+Node runtime should upgrade** — `withCheckpoint` couldn't actually be
+deployed under Next.js Node runtime in 1.1.0 due to a Turbopack-
+incompatible URL trick in the wasm-runtime's orchestrator bundle.
+
+### Internal change
+
+- `@kya-os/checkpoint-wasm-runtime` dep changed from exact `1.0.0`
+  pin (the `workspace:*` default) to `^1.1.0` range (via `workspace:^`).
+  Fresh installs now pull `wasm-runtime@1.1.0+`, which adds the
+  `"node"` export condition routing Next.js Node-runtime bundlers to
+  the bundler-clean `orchestrator-node.mjs` entry.
+
+### No code or config changes
+
+Customer middleware.ts call site is unchanged. Verifying envelopes
+under Next.js Node runtime now works end-to-end:
+
+```typescript
+import { withCheckpoint } from '@kya-os/checkpoint-nextjs';
+
+export default withCheckpoint({
+  tenantHost: 'acme.checkpoint.example',
+  legacyEnvelopeFallback: true,
+});
+```
+
+See `@kya-os/checkpoint-wasm-runtime@1.1.0` CHANGELOG for the
+architectural detail.
+
+---
+
 ## 1.1.0 — 2026-05-17
 
 Closes [SDK-Envelope-Plumbing-1 (#2594)](https://github.com/Know-That-Ai/agent-shield/issues/2594).

package/dist/edge-runtime-loader.d.mts

@@ -1,10 +1,37 @@
 import { NextRequest } from 'next/server';
 
 /**
- * Edge Runtime Compatible WASM Loader for AgentShield
+ * Edge Runtime Compatible WASM Loader for Checkpoint
  *
  * This module provides a pre-built solution for loading WASM in Edge Runtime.
  * It requires the WASM file to be manually placed in the project.
+ *
+ * ## SSOT for pattern detection
+ *
+ * The fallback `patternDetection` path imports BOTH pattern arrays
+ * from `@kya-os/checkpoint-shared/constants/agents`:
+ *
+ *   - `KNOWN_AGENT_PATTERNS` — strict SSOT carved for the server-side
+ *     classifier (per-agent rows with category + isLegitimate fields).
+ *   - `INTERACTIVE_AGENT_PATTERNS` — supplement holding interactive-
+ *     session tokens, generic vendor fallbacks, and the GPT-Crawler
+ *     entry that lives in seed-agent-types-data.ts (NOT in the strict
+ *     SSOT).
+ *
+ * Pre-#2599 this file had a 15-pattern inline subset that diverged
+ * from the shared SSOT — the you.com regex was tightened in agents.ts
+ * but reverted here. SSOT-Fallback-Drift-1 (this PR) collapsed the
+ * inline duplication and moved the supplement into checkpoint-shared
+ * so both layers reference the same source. EPIC #2573 (PDM-2) is the
+ * future unified-SSOT consolidation that folds the two arrays into
+ * one canonical table.
+ *
+ * ## Naming
+ *
+ * Old `AgentShield`-prefixed exports are kept as `@deprecated` aliases
+ * for one release (`createEdgeAgentShield`, `EdgeRuntimeAgentShield`,
+ * `AgentShieldConfig`, `getDefaultAgentShield`). New code should import
+ * the `Checkpoint`-prefixed names directly.
  */
 
 interface WasmModule {
@@ -19,7 +46,7 @@ interface DetectionResult {
     riskLevel?: 'low' | 'medium' | 'high' | 'critical';
     timestamp: string;
 }
-interface AgentShieldConfig {
+interface EdgeCheckpointConfig {
     wasmModule?: WebAssembly.Module;
     enableWasm?: boolean;
     onAgentDetected?: (result: DetectionResult) => void;
@@ -27,12 +54,12 @@ interface AgentShieldConfig {
     allowedAgents?: string[];
     debug?: boolean;
 }
-declare class EdgeRuntimeAgentShield {
+declare class EdgeRuntimeCheckpoint {
     private wasmInstance;
     private wasmMemory;
     private config;
     private initialized;
-    constructor(config?: AgentShieldConfig);
+    constructor(config?: EdgeCheckpointConfig);
     init(wasmModule?: WebAssembly.Module): Promise<void>;
     private readString;
     private writeString;
@@ -42,9 +69,18 @@ declare class EdgeRuntimeAgentShield {
     getVerificationMethod(): 'cryptographic' | 'pattern';
 }
 /**
- * Factory function to create an AgentShield instance for Edge Runtime
+ * Factory function to create a Checkpoint instance for Edge Runtime.
  */
-declare function createEdgeAgentShield(config?: AgentShieldConfig): EdgeRuntimeAgentShield;
-declare function getDefaultAgentShield(config?: AgentShieldConfig): EdgeRuntimeAgentShield;
+declare function createEdgeCheckpoint(config?: EdgeCheckpointConfig): EdgeRuntimeCheckpoint;
+declare function getDefaultEdgeCheckpoint(config?: EdgeCheckpointConfig): EdgeRuntimeCheckpoint;
+
+/** @deprecated Renamed to {@link EdgeCheckpointConfig}. */
+type AgentShieldConfig = EdgeCheckpointConfig;
+/** @deprecated Renamed to {@link EdgeRuntimeCheckpoint}. */
+declare const EdgeRuntimeAgentShield: typeof EdgeRuntimeCheckpoint;
+/** @deprecated Renamed to {@link createEdgeCheckpoint}. */
+declare const createEdgeAgentShield: typeof createEdgeCheckpoint;
+/** @deprecated Renamed to {@link getDefaultEdgeCheckpoint}. */
+declare const getDefaultAgentShield: typeof getDefaultEdgeCheckpoint;
 
-export { type AgentShieldConfig, type DetectionResult, type WasmModule, createEdgeAgentShield, getDefaultAgentShield };
+export { type AgentShieldConfig, type DetectionResult, type EdgeCheckpointConfig, EdgeRuntimeAgentShield, EdgeRuntimeCheckpoint, type WasmModule, createEdgeAgentShield, createEdgeCheckpoint, getDefaultAgentShield, getDefaultEdgeCheckpoint };

package/dist/edge-runtime-loader.d.ts

@@ -1,10 +1,37 @@
 import { NextRequest } from 'next/server';
 
 /**
- * Edge Runtime Compatible WASM Loader for AgentShield
+ * Edge Runtime Compatible WASM Loader for Checkpoint
  *
  * This module provides a pre-built solution for loading WASM in Edge Runtime.
  * It requires the WASM file to be manually placed in the project.
+ *
+ * ## SSOT for pattern detection
+ *
+ * The fallback `patternDetection` path imports BOTH pattern arrays
+ * from `@kya-os/checkpoint-shared/constants/agents`:
+ *
+ *   - `KNOWN_AGENT_PATTERNS` — strict SSOT carved for the server-side
+ *     classifier (per-agent rows with category + isLegitimate fields).
+ *   - `INTERACTIVE_AGENT_PATTERNS` — supplement holding interactive-
+ *     session tokens, generic vendor fallbacks, and the GPT-Crawler
+ *     entry that lives in seed-agent-types-data.ts (NOT in the strict
+ *     SSOT).
+ *
+ * Pre-#2599 this file had a 15-pattern inline subset that diverged
+ * from the shared SSOT — the you.com regex was tightened in agents.ts
+ * but reverted here. SSOT-Fallback-Drift-1 (this PR) collapsed the
+ * inline duplication and moved the supplement into checkpoint-shared
+ * so both layers reference the same source. EPIC #2573 (PDM-2) is the
+ * future unified-SSOT consolidation that folds the two arrays into
+ * one canonical table.
+ *
+ * ## Naming
+ *
+ * Old `AgentShield`-prefixed exports are kept as `@deprecated` aliases
+ * for one release (`createEdgeAgentShield`, `EdgeRuntimeAgentShield`,
+ * `AgentShieldConfig`, `getDefaultAgentShield`). New code should import
+ * the `Checkpoint`-prefixed names directly.
  */
 
 interface WasmModule {
@@ -19,7 +46,7 @@ interface DetectionResult {
     riskLevel?: 'low' | 'medium' | 'high' | 'critical';
     timestamp: string;
 }
-interface AgentShieldConfig {
+interface EdgeCheckpointConfig {
     wasmModule?: WebAssembly.Module;
     enableWasm?: boolean;
     onAgentDetected?: (result: DetectionResult) => void;
@@ -27,12 +54,12 @@ interface AgentShieldConfig {
     allowedAgents?: string[];
     debug?: boolean;
 }
-declare class EdgeRuntimeAgentShield {
+declare class EdgeRuntimeCheckpoint {
     private wasmInstance;
     private wasmMemory;
     private config;
     private initialized;
-    constructor(config?: AgentShieldConfig);
+    constructor(config?: EdgeCheckpointConfig);
     init(wasmModule?: WebAssembly.Module): Promise<void>;
     private readString;
     private writeString;
@@ -42,9 +69,18 @@ declare class EdgeRuntimeAgentShield {
     getVerificationMethod(): 'cryptographic' | 'pattern';
 }
 /**
- * Factory function to create an AgentShield instance for Edge Runtime
+ * Factory function to create a Checkpoint instance for Edge Runtime.
  */
-declare function createEdgeAgentShield(config?: AgentShieldConfig): EdgeRuntimeAgentShield;
-declare function getDefaultAgentShield(config?: AgentShieldConfig): EdgeRuntimeAgentShield;
+declare function createEdgeCheckpoint(config?: EdgeCheckpointConfig): EdgeRuntimeCheckpoint;
+declare function getDefaultEdgeCheckpoint(config?: EdgeCheckpointConfig): EdgeRuntimeCheckpoint;
+
+/** @deprecated Renamed to {@link EdgeCheckpointConfig}. */
+type AgentShieldConfig = EdgeCheckpointConfig;
+/** @deprecated Renamed to {@link EdgeRuntimeCheckpoint}. */
+declare const EdgeRuntimeAgentShield: typeof EdgeRuntimeCheckpoint;
+/** @deprecated Renamed to {@link createEdgeCheckpoint}. */
+declare const createEdgeAgentShield: typeof createEdgeCheckpoint;
+/** @deprecated Renamed to {@link getDefaultEdgeCheckpoint}. */
+declare const getDefaultAgentShield: typeof getDefaultEdgeCheckpoint;
 
-export { type AgentShieldConfig, type DetectionResult, type WasmModule, createEdgeAgentShield, getDefaultAgentShield };
+export { type AgentShieldConfig, type DetectionResult, type EdgeCheckpointConfig, EdgeRuntimeAgentShield, EdgeRuntimeCheckpoint, type WasmModule, createEdgeAgentShield, createEdgeCheckpoint, getDefaultAgentShield, getDefaultEdgeCheckpoint };

package/dist/edge-runtime-loader.js

@@ -1,5 +1,9 @@
 'use strict';
 
+var checkpointShared = require('@kya-os/checkpoint-shared');
+
+// src/edge-runtime-loader.ts
+
 // src/utils.ts
 function getClientIp(request) {
   const forwardedFor = request.headers.get("x-forwarded-for");
@@ -17,7 +21,40 @@ function getClientIp(request) {
 }
 
 // src/edge-runtime-loader.ts
-var EdgeRuntimeAgentShield = class {
+var SUSPICIOUS_HEADER_PREFIXES = ["x-openai-", "x-anthropic-", "x-ai-", "x-llm-", "x-gpt-"];
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var TOKEN_REGEX_CACHE = /* @__PURE__ */ new Map();
+function tokenRegex(token) {
+  const cached = TOKEN_REGEX_CACHE.get(token);
+  if (cached) return cached;
+  const regex = new RegExp(`\\b${escapeRegex(token)}\\b`, "i");
+  TOKEN_REGEX_CACHE.set(token, regex);
+  return regex;
+}
+function matchKnownAgent(lowercasedUa) {
+  let best = null;
+  for (const entry of checkpointShared.KNOWN_AGENT_PATTERNS) {
+    for (const pattern of entry.patterns) {
+      if (tokenRegex(pattern).test(lowercasedUa)) {
+        if (!best || entry.confidence > best.confidence) {
+          best = { name: entry.name, confidence: entry.confidence };
+        }
+        break;
+      }
+    }
+  }
+  for (const { pattern, name, confidence } of checkpointShared.INTERACTIVE_AGENT_PATTERNS) {
+    if (pattern.test(lowercasedUa)) {
+      if (!best || confidence > best.confidence) {
+        best = { name, confidence };
+      }
+    }
+  }
+  return best;
+}
+var EdgeRuntimeCheckpoint = class {
   wasmInstance = null;
   wasmMemory = null;
   config;
@@ -49,7 +86,7 @@ var EdgeRuntimeAgentShield = class {
         this.wasmInstance = await WebAssembly.instantiate(module, imports);
         this.initialized = true;
         if (this.config.debug) {
-          console.log("\u2705 AgentShield WASM initialized in Edge Runtime");
+          console.log("\u2705 Checkpoint WASM initialized in Edge Runtime");
         }
       } catch (error) {
         console.warn("\u26A0\uFE0F WASM initialization failed, using pattern detection:", error);
@@ -126,59 +163,29 @@ var EdgeRuntimeAgentShield = class {
     return this.patternDetection(metadata);
   }
   patternDetection(metadata) {
-    const userAgent = metadata.userAgent.toLowerCase();
-    const patterns = [
-      // High confidence - explicit AI identifiers
-      { pattern: /chatgpt-user/i, name: "ChatGPT", confidence: 0.95 },
-      { pattern: /claude-web/i, name: "Claude", confidence: 0.95 },
-      { pattern: /claude-user/i, name: "Claude", confidence: 0.95 },
-      { pattern: /gpt-crawler/i, name: "GPT Crawler", confidence: 0.95 },
-      { pattern: /perplexitybot/i, name: "Perplexity", confidence: 0.95 },
-      { pattern: /perplexity-user/i, name: "Perplexity", confidence: 0.95 },
-      { pattern: /perplexity-ai/i, name: "Perplexity", confidence: 0.95 },
-      // Medium-high confidence - company identifiers
-      { pattern: /anthropic/i, name: "Anthropic", confidence: 0.9 },
-      { pattern: /openai/i, name: "OpenAI", confidence: 0.9 },
-      // Medium confidence - product names
-      { pattern: /copilot/i, name: "GitHub Copilot", confidence: 0.85 },
-      { pattern: /bard/i, name: "Google Bard", confidence: 0.85 },
-      { pattern: /gemini/i, name: "Google Gemini", confidence: 0.85 },
-      { pattern: /perplexity/i, name: "Perplexity", confidence: 0.85 },
-      // Fallback
-      // UA-context-only pattern — `\b` is the correct anchor for UA
-      // substring matching. PR #2591's tightened `[\s;()]` form
-      // dropped `/`, which broke legit UA shapes like `you.com/1.0`
-      // and `+https://you.com)` (cursor catch on the same PR — see
-      // sibling agents.ts comment for the full rationale + UA shapes).
-      // CodeQL js/regex/missing-regexp-anchor speculates about URL
-      // misuse; this codebase only applies the pattern to UA strings.
-      { pattern: /\byou\.com\b/i, name: "You.com", confidence: 0.8 },
-      { pattern: /\bphind\b/i, name: "Phind", confidence: 0.8 }
-    ];
-    const suspiciousHeaders = ["x-openai-", "x-anthropic-", "x-ai-", "x-llm-", "x-gpt-"];
+    const lowercasedUa = metadata.userAgent.toLowerCase();
     let headerBoost = 0;
-    for (const [key] of Object.entries(metadata.headers)) {
-      if (suspiciousHeaders.some((prefix) => key.toLowerCase().startsWith(prefix))) {
+    for (const key of Object.keys(metadata.headers)) {
+      if (SUSPICIOUS_HEADER_PREFIXES.some((prefix) => key.toLowerCase().startsWith(prefix))) {
         headerBoost = 0.1;
         break;
       }
     }
-    for (const { pattern, name, confidence } of patterns) {
-      if (pattern.test(userAgent)) {
-        const finalConfidence = Math.min(confidence + headerBoost, 1);
-        const result = {
-          isAgent: true,
-          confidence: finalConfidence,
-          agent: name,
-          verificationMethod: "pattern",
-          riskLevel: finalConfidence > 0.9 ? "high" : "medium",
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        };
-        if (this.config.onAgentDetected) {
-          this.config.onAgentDetected(result);
-        }
-        return result;
+    const match = matchKnownAgent(lowercasedUa);
+    if (match) {
+      const finalConfidence = Math.min(match.confidence + headerBoost, 1);
+      const result = {
+        isAgent: true,
+        confidence: finalConfidence,
+        agent: match.name,
+        verificationMethod: "pattern",
+        riskLevel: finalConfidence > 0.9 ? "high" : "medium",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      if (this.config.onAgentDetected) {
+        this.config.onAgentDetected(result);
       }
+      return result;
     }
     return {
       isAgent: false,
@@ -194,16 +201,23 @@ var EdgeRuntimeAgentShield = class {
     return this.wasmInstance ? "cryptographic" : "pattern";
   }
 };
-function createEdgeAgentShield(config) {
-  return new EdgeRuntimeAgentShield(config);
+function createEdgeCheckpoint(config) {
+  return new EdgeRuntimeCheckpoint(config);
 }
 var defaultInstance = null;
-function getDefaultAgentShield(config) {
+function getDefaultEdgeCheckpoint(config) {
   if (!defaultInstance) {
-    defaultInstance = new EdgeRuntimeAgentShield(config);
+    defaultInstance = new EdgeRuntimeCheckpoint(config);
   }
   return defaultInstance;
 }
+var EdgeRuntimeAgentShield = EdgeRuntimeCheckpoint;
+var createEdgeAgentShield = createEdgeCheckpoint;
+var getDefaultAgentShield = getDefaultEdgeCheckpoint;
 
+exports.EdgeRuntimeAgentShield = EdgeRuntimeAgentShield;
+exports.EdgeRuntimeCheckpoint = EdgeRuntimeCheckpoint;
 exports.createEdgeAgentShield = createEdgeAgentShield;
+exports.createEdgeCheckpoint = createEdgeCheckpoint;
 exports.getDefaultAgentShield = getDefaultAgentShield;
+exports.getDefaultEdgeCheckpoint = getDefaultEdgeCheckpoint;

package/dist/edge-runtime-loader.mjs

@@ -1,3 +1,7 @@
+import { KNOWN_AGENT_PATTERNS, INTERACTIVE_AGENT_PATTERNS } from '@kya-os/checkpoint-shared';
+
+// src/edge-runtime-loader.ts
+
 // src/utils.ts
 function getClientIp(request) {
   const forwardedFor = request.headers.get("x-forwarded-for");
@@ -15,7 +19,40 @@ function getClientIp(request) {
 }
 
 // src/edge-runtime-loader.ts
-var EdgeRuntimeAgentShield = class {
+var SUSPICIOUS_HEADER_PREFIXES = ["x-openai-", "x-anthropic-", "x-ai-", "x-llm-", "x-gpt-"];
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var TOKEN_REGEX_CACHE = /* @__PURE__ */ new Map();
+function tokenRegex(token) {
+  const cached = TOKEN_REGEX_CACHE.get(token);
+  if (cached) return cached;
+  const regex = new RegExp(`\\b${escapeRegex(token)}\\b`, "i");
+  TOKEN_REGEX_CACHE.set(token, regex);
+  return regex;
+}
+function matchKnownAgent(lowercasedUa) {
+  let best = null;
+  for (const entry of KNOWN_AGENT_PATTERNS) {
+    for (const pattern of entry.patterns) {
+      if (tokenRegex(pattern).test(lowercasedUa)) {
+        if (!best || entry.confidence > best.confidence) {
+          best = { name: entry.name, confidence: entry.confidence };
+        }
+        break;
+      }
+    }
+  }
+  for (const { pattern, name, confidence } of INTERACTIVE_AGENT_PATTERNS) {
+    if (pattern.test(lowercasedUa)) {
+      if (!best || confidence > best.confidence) {
+        best = { name, confidence };
+      }
+    }
+  }
+  return best;
+}
+var EdgeRuntimeCheckpoint = class {
   wasmInstance = null;
   wasmMemory = null;
   config;
@@ -47,7 +84,7 @@ var EdgeRuntimeAgentShield = class {
         this.wasmInstance = await WebAssembly.instantiate(module, imports);
         this.initialized = true;
         if (this.config.debug) {
-          console.log("\u2705 AgentShield WASM initialized in Edge Runtime");
+          console.log("\u2705 Checkpoint WASM initialized in Edge Runtime");
         }
       } catch (error) {
         console.warn("\u26A0\uFE0F WASM initialization failed, using pattern detection:", error);
@@ -124,59 +161,29 @@ var EdgeRuntimeAgentShield = class {
     return this.patternDetection(metadata);
   }
   patternDetection(metadata) {
-    const userAgent = metadata.userAgent.toLowerCase();
-    const patterns = [
-      // High confidence - explicit AI identifiers
-      { pattern: /chatgpt-user/i, name: "ChatGPT", confidence: 0.95 },
-      { pattern: /claude-web/i, name: "Claude", confidence: 0.95 },
-      { pattern: /claude-user/i, name: "Claude", confidence: 0.95 },
-      { pattern: /gpt-crawler/i, name: "GPT Crawler", confidence: 0.95 },
-      { pattern: /perplexitybot/i, name: "Perplexity", confidence: 0.95 },
-      { pattern: /perplexity-user/i, name: "Perplexity", confidence: 0.95 },
-      { pattern: /perplexity-ai/i, name: "Perplexity", confidence: 0.95 },
-      // Medium-high confidence - company identifiers
-      { pattern: /anthropic/i, name: "Anthropic", confidence: 0.9 },
-      { pattern: /openai/i, name: "OpenAI", confidence: 0.9 },
-      // Medium confidence - product names
-      { pattern: /copilot/i, name: "GitHub Copilot", confidence: 0.85 },
-      { pattern: /bard/i, name: "Google Bard", confidence: 0.85 },
-      { pattern: /gemini/i, name: "Google Gemini", confidence: 0.85 },
-      { pattern: /perplexity/i, name: "Perplexity", confidence: 0.85 },
-      // Fallback
-      // UA-context-only pattern — `\b` is the correct anchor for UA
-      // substring matching. PR #2591's tightened `[\s;()]` form
-      // dropped `/`, which broke legit UA shapes like `you.com/1.0`
-      // and `+https://you.com)` (cursor catch on the same PR — see
-      // sibling agents.ts comment for the full rationale + UA shapes).
-      // CodeQL js/regex/missing-regexp-anchor speculates about URL
-      // misuse; this codebase only applies the pattern to UA strings.
-      { pattern: /\byou\.com\b/i, name: "You.com", confidence: 0.8 },
-      { pattern: /\bphind\b/i, name: "Phind", confidence: 0.8 }
-    ];
-    const suspiciousHeaders = ["x-openai-", "x-anthropic-", "x-ai-", "x-llm-", "x-gpt-"];
+    const lowercasedUa = metadata.userAgent.toLowerCase();
     let headerBoost = 0;
-    for (const [key] of Object.entries(metadata.headers)) {
-      if (suspiciousHeaders.some((prefix) => key.toLowerCase().startsWith(prefix))) {
+    for (const key of Object.keys(metadata.headers)) {
+      if (SUSPICIOUS_HEADER_PREFIXES.some((prefix) => key.toLowerCase().startsWith(prefix))) {
         headerBoost = 0.1;
         break;
       }
     }
-    for (const { pattern, name, confidence } of patterns) {
-      if (pattern.test(userAgent)) {
-        const finalConfidence = Math.min(confidence + headerBoost, 1);
-        const result = {
-          isAgent: true,
-          confidence: finalConfidence,
-          agent: name,
-          verificationMethod: "pattern",
-          riskLevel: finalConfidence > 0.9 ? "high" : "medium",
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        };
-        if (this.config.onAgentDetected) {
-          this.config.onAgentDetected(result);
-        }
-        return result;
+    const match = matchKnownAgent(lowercasedUa);
+    if (match) {
+      const finalConfidence = Math.min(match.confidence + headerBoost, 1);
+      const result = {
+        isAgent: true,
+        confidence: finalConfidence,
+        agent: match.name,
+        verificationMethod: "pattern",
+        riskLevel: finalConfidence > 0.9 ? "high" : "medium",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      if (this.config.onAgentDetected) {
+        this.config.onAgentDetected(result);
       }
+      return result;
     }
     return {
       isAgent: false,
@@ -192,15 +199,18 @@ var EdgeRuntimeAgentShield = class {
     return this.wasmInstance ? "cryptographic" : "pattern";
   }
 };
-function createEdgeAgentShield(config) {
-  return new EdgeRuntimeAgentShield(config);
+function createEdgeCheckpoint(config) {
+  return new EdgeRuntimeCheckpoint(config);
 }
 var defaultInstance = null;
-function getDefaultAgentShield(config) {
+function getDefaultEdgeCheckpoint(config) {
   if (!defaultInstance) {
-    defaultInstance = new EdgeRuntimeAgentShield(config);
+    defaultInstance = new EdgeRuntimeCheckpoint(config);
   }
   return defaultInstance;
 }
+var EdgeRuntimeAgentShield = EdgeRuntimeCheckpoint;
+var createEdgeAgentShield = createEdgeCheckpoint;
+var getDefaultAgentShield = getDefaultEdgeCheckpoint;
 
-export { createEdgeAgentShield, getDefaultAgentShield };
+export { EdgeRuntimeAgentShield, EdgeRuntimeCheckpoint, createEdgeAgentShield, createEdgeCheckpoint, getDefaultAgentShield, getDefaultEdgeCheckpoint };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/checkpoint-nextjs",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Checkpoint Next.js middleware for AI agent detection (formerly @kya-os/agentshield-nextjs)",
   "keywords": [
     "nextjs",
@@ -135,8 +135,8 @@
     "@noble/ed25519": "^2.2.3",
     "@noble/hashes": "^2.0.1",
     "@kya-os/checkpoint": "1.0.0",
-    "@kya-os/checkpoint-wasm-runtime": "1.0.0",
-    "@kya-os/checkpoint-shared": "1.0.0"
+    "@kya-os/checkpoint-shared": "1.0.0",
+    "@kya-os/checkpoint-wasm-runtime": "^1.1.0"
   },
   "scripts": {
     "build": "tsup",