@kya-os/checkpoint-nextjs 1.1.0 → 1.1.4

package/dist/edge-runtime-loader.d.mts

@@ -1,50 +1,75 @@
+import { DetectionDetail } from '@kya-os/checkpoint-shared';
 import { NextRequest } from 'next/server';
 
 /**
- * Edge Runtime Compatible WASM Loader for AgentShield
+ * Edge Runtime Compatible WASM Loader for Checkpoint
  *
  * This module provides a pre-built solution for loading WASM in Edge Runtime.
  * It requires the WASM file to be manually placed in the project.
+ *
+ * ## SSOT for pattern detection
+ *
+ * The fallback `patternDetection` path imports the single canonical
+ * pattern table `KNOWN_AGENT_PATTERNS` from
+ * `@kya-os/checkpoint-shared/constants/agents`. PDM-2 (#2573) folded
+ * what was previously a sibling supplement export
+ * (`INTERACTIVE_AGENT_PATTERNS`) into per-agent SSOT rows alongside
+ * the existing entries — interactive-session tokens, generic vendor
+ * fallbacks, and the GPT-Crawler bot are now first-class SSOT rows
+ * with `category`/`isLegitimate` fields. The drift-prevention test
+ * in `checkpoint-shared/__tests__/constants/agents.test.ts` enforces
+ * that no future PR re-introduces a sibling pool.
+ *
+ * ## Naming
+ *
+ * Old `AgentShield`-prefixed exports are kept as `@deprecated` aliases
+ * for one release (`createEdgeAgentShield`, `EdgeRuntimeAgentShield`,
+ * `AgentShieldConfig`, `getDefaultAgentShield`). New code should import
+ * the `Checkpoint`-prefixed names directly.
  */
 
 interface WasmModule {
     default: WebAssembly.Module;
 }
-interface DetectionResult {
-    isAgent: boolean;
-    isAiCrawler?: boolean;
-    confidence: number;
+type EdgeRuntimeDetectionDetail = DetectionDetail & {
     agent?: string;
-    verificationMethod: 'cryptographic' | 'pattern';
-    riskLevel?: 'low' | 'medium' | 'high' | 'critical';
-    timestamp: string;
-}
-interface AgentShieldConfig {
+};
+
+interface EdgeCheckpointConfig {
     wasmModule?: WebAssembly.Module;
     enableWasm?: boolean;
-    onAgentDetected?: (result: DetectionResult) => void;
+    onAgentDetected?: (result: EdgeRuntimeDetectionDetail) => void;
     blockAgents?: boolean;
     allowedAgents?: string[];
     debug?: boolean;
 }
-declare class EdgeRuntimeAgentShield {
+declare class EdgeRuntimeCheckpoint {
     private wasmInstance;
     private wasmMemory;
     private config;
     private initialized;
-    constructor(config?: AgentShieldConfig);
+    constructor(config?: EdgeCheckpointConfig);
     init(wasmModule?: WebAssembly.Module): Promise<void>;
     private readString;
     private writeString;
-    detect(request: NextRequest): Promise<DetectionResult>;
+    detect(request: NextRequest): Promise<EdgeRuntimeDetectionDetail>;
     private patternDetection;
     isInitialized(): boolean;
     getVerificationMethod(): 'cryptographic' | 'pattern';
 }
 /**
- * Factory function to create an AgentShield instance for Edge Runtime
+ * Factory function to create a Checkpoint instance for Edge Runtime.
  */
-declare function createEdgeAgentShield(config?: AgentShieldConfig): EdgeRuntimeAgentShield;
-declare function getDefaultAgentShield(config?: AgentShieldConfig): EdgeRuntimeAgentShield;
+declare function createEdgeCheckpoint(config?: EdgeCheckpointConfig): EdgeRuntimeCheckpoint;
+declare function getDefaultEdgeCheckpoint(config?: EdgeCheckpointConfig): EdgeRuntimeCheckpoint;
+
+/** @deprecated Renamed to {@link EdgeCheckpointConfig}. */
+type AgentShieldConfig = EdgeCheckpointConfig;
+/** @deprecated Renamed to {@link EdgeRuntimeCheckpoint}. */
+declare const EdgeRuntimeAgentShield: typeof EdgeRuntimeCheckpoint;
+/** @deprecated Renamed to {@link createEdgeCheckpoint}. */
+declare const createEdgeAgentShield: typeof createEdgeCheckpoint;
+/** @deprecated Renamed to {@link getDefaultEdgeCheckpoint}. */
+declare const getDefaultAgentShield: typeof getDefaultEdgeCheckpoint;
 
-export { type AgentShieldConfig, type DetectionResult, type WasmModule, createEdgeAgentShield, getDefaultAgentShield };
+export { type AgentShieldConfig, type EdgeRuntimeDetectionDetail as DetectionResult, type EdgeCheckpointConfig, EdgeRuntimeAgentShield, EdgeRuntimeCheckpoint, type EdgeRuntimeDetectionDetail, type WasmModule, createEdgeAgentShield, createEdgeCheckpoint, getDefaultAgentShield, getDefaultEdgeCheckpoint };

package/dist/edge-runtime-loader.d.ts

@@ -1,50 +1,75 @@
+import { DetectionDetail } from '@kya-os/checkpoint-shared';
 import { NextRequest } from 'next/server';
 
 /**
- * Edge Runtime Compatible WASM Loader for AgentShield
+ * Edge Runtime Compatible WASM Loader for Checkpoint
  *
  * This module provides a pre-built solution for loading WASM in Edge Runtime.
  * It requires the WASM file to be manually placed in the project.
+ *
+ * ## SSOT for pattern detection
+ *
+ * The fallback `patternDetection` path imports the single canonical
+ * pattern table `KNOWN_AGENT_PATTERNS` from
+ * `@kya-os/checkpoint-shared/constants/agents`. PDM-2 (#2573) folded
+ * what was previously a sibling supplement export
+ * (`INTERACTIVE_AGENT_PATTERNS`) into per-agent SSOT rows alongside
+ * the existing entries — interactive-session tokens, generic vendor
+ * fallbacks, and the GPT-Crawler bot are now first-class SSOT rows
+ * with `category`/`isLegitimate` fields. The drift-prevention test
+ * in `checkpoint-shared/__tests__/constants/agents.test.ts` enforces
+ * that no future PR re-introduces a sibling pool.
+ *
+ * ## Naming
+ *
+ * Old `AgentShield`-prefixed exports are kept as `@deprecated` aliases
+ * for one release (`createEdgeAgentShield`, `EdgeRuntimeAgentShield`,
+ * `AgentShieldConfig`, `getDefaultAgentShield`). New code should import
+ * the `Checkpoint`-prefixed names directly.
  */
 
 interface WasmModule {
     default: WebAssembly.Module;
 }
-interface DetectionResult {
-    isAgent: boolean;
-    isAiCrawler?: boolean;
-    confidence: number;
+type EdgeRuntimeDetectionDetail = DetectionDetail & {
     agent?: string;
-    verificationMethod: 'cryptographic' | 'pattern';
-    riskLevel?: 'low' | 'medium' | 'high' | 'critical';
-    timestamp: string;
-}
-interface AgentShieldConfig {
+};
+
+interface EdgeCheckpointConfig {
     wasmModule?: WebAssembly.Module;
     enableWasm?: boolean;
-    onAgentDetected?: (result: DetectionResult) => void;
+    onAgentDetected?: (result: EdgeRuntimeDetectionDetail) => void;
     blockAgents?: boolean;
     allowedAgents?: string[];
     debug?: boolean;
 }
-declare class EdgeRuntimeAgentShield {
+declare class EdgeRuntimeCheckpoint {
     private wasmInstance;
     private wasmMemory;
     private config;
     private initialized;
-    constructor(config?: AgentShieldConfig);
+    constructor(config?: EdgeCheckpointConfig);
     init(wasmModule?: WebAssembly.Module): Promise<void>;
     private readString;
     private writeString;
-    detect(request: NextRequest): Promise<DetectionResult>;
+    detect(request: NextRequest): Promise<EdgeRuntimeDetectionDetail>;
     private patternDetection;
     isInitialized(): boolean;
     getVerificationMethod(): 'cryptographic' | 'pattern';
 }
 /**
- * Factory function to create an AgentShield instance for Edge Runtime
+ * Factory function to create a Checkpoint instance for Edge Runtime.
  */
-declare function createEdgeAgentShield(config?: AgentShieldConfig): EdgeRuntimeAgentShield;
-declare function getDefaultAgentShield(config?: AgentShieldConfig): EdgeRuntimeAgentShield;
+declare function createEdgeCheckpoint(config?: EdgeCheckpointConfig): EdgeRuntimeCheckpoint;
+declare function getDefaultEdgeCheckpoint(config?: EdgeCheckpointConfig): EdgeRuntimeCheckpoint;
+
+/** @deprecated Renamed to {@link EdgeCheckpointConfig}. */
+type AgentShieldConfig = EdgeCheckpointConfig;
+/** @deprecated Renamed to {@link EdgeRuntimeCheckpoint}. */
+declare const EdgeRuntimeAgentShield: typeof EdgeRuntimeCheckpoint;
+/** @deprecated Renamed to {@link createEdgeCheckpoint}. */
+declare const createEdgeAgentShield: typeof createEdgeCheckpoint;
+/** @deprecated Renamed to {@link getDefaultEdgeCheckpoint}. */
+declare const getDefaultAgentShield: typeof getDefaultEdgeCheckpoint;
 
-export { type AgentShieldConfig, type DetectionResult, type WasmModule, createEdgeAgentShield, getDefaultAgentShield };
+export { type AgentShieldConfig, type EdgeRuntimeDetectionDetail as DetectionResult, type EdgeCheckpointConfig, EdgeRuntimeAgentShield, EdgeRuntimeCheckpoint, type EdgeRuntimeDetectionDetail, type WasmModule, createEdgeAgentShield, createEdgeCheckpoint, getDefaultAgentShield, getDefaultEdgeCheckpoint };

package/dist/edge-runtime-loader.js

@@ -1,5 +1,9 @@
 'use strict';
 
+var checkpointShared = require('@kya-os/checkpoint-shared');
+
+// src/edge-runtime-loader.ts
+
 // src/utils.ts
 function getClientIp(request) {
   const forwardedFor = request.headers.get("x-forwarded-for");
@@ -17,7 +21,49 @@ function getClientIp(request) {
 }
 
 // src/edge-runtime-loader.ts
-var EdgeRuntimeAgentShield = class {
+var SUSPICIOUS_HEADER_PREFIXES = ["x-openai-", "x-anthropic-", "x-ai-", "x-llm-", "x-gpt-"];
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var TOKEN_REGEX_CACHE = /* @__PURE__ */ new Map();
+function tokenRegex(token) {
+  const cached = TOKEN_REGEX_CACHE.get(token);
+  if (cached) return cached;
+  const regex = new RegExp(`\\b${escapeRegex(token)}\\b`, "i");
+  TOKEN_REGEX_CACHE.set(token, regex);
+  return regex;
+}
+function readStringField(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function readNumberField(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
+}
+function readBooleanField(value) {
+  return typeof value === "boolean" ? value : void 0;
+}
+function readStringArrayField(value) {
+  return Array.isArray(value) ? value.filter((item) => typeof item === "string") : [];
+}
+function normalizeEngineConfidence(value) {
+  if (value === void 0) return 0;
+  return Math.round(Math.max(0, Math.min(100, value)));
+}
+function matchKnownAgent(lowercasedUa) {
+  let best = null;
+  for (const entry of checkpointShared.KNOWN_AGENT_PATTERNS) {
+    for (const pattern of entry.patterns) {
+      if (tokenRegex(pattern).test(lowercasedUa)) {
+        if (!best || entry.confidence > best.confidence) {
+          best = { name: entry.name, confidence: entry.confidence };
+        }
+        break;
+      }
+    }
+  }
+  return best;
+}
+var EdgeRuntimeCheckpoint = class {
   wasmInstance = null;
   wasmMemory = null;
   config;
@@ -49,7 +95,7 @@ var EdgeRuntimeAgentShield = class {
         this.wasmInstance = await WebAssembly.instantiate(module, imports);
         this.initialized = true;
         if (this.config.debug) {
-          console.log("\u2705 AgentShield WASM initialized in Edge Runtime");
+          console.log("\u2705 Checkpoint WASM initialized in Edge Runtime");
         }
       } catch (error) {
         console.warn("\u26A0\uFE0F WASM initialization failed, using pattern detection:", error);
@@ -108,10 +154,21 @@ var EdgeRuntimeAgentShield = class {
           exports$1.__wbindgen_free(resultPtr, offset);
         }
         const result = JSON.parse(resultStr);
+        const agent = readStringField(result.agent) ?? readStringField(result.agentName);
+        const confidence = normalizeEngineConfidence(readNumberField(result.confidence));
         const detection = {
-          ...result,
-          verificationMethod: "cryptographic",
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          isAgent: readBooleanField(result.isAgent) ?? readBooleanField(result.is_agent) ?? false,
+          isAiCrawler: readBooleanField(result.isAiCrawler) ?? readBooleanField(result.is_ai_crawler),
+          confidence,
+          detectionClass: agent ? { type: "AiAgent", agentType: agent } : { type: confidence > 0 ? "IncompleteData" : "Human" },
+          detectedAgent: agent ? { type: "ai_agent", name: agent } : void 0,
+          agent,
+          agentType: agent,
+          reasons: readStringArrayField(result.reasons),
+          signals: [],
+          verificationMethod: "signature",
+          riskLevel: readStringField(result.riskLevel) ?? readStringField(result.risk_level),
+          timestamp: Date.now()
         };
         if (this.config.onAgentDetected && detection.isAgent) {
           this.config.onAgentDetected(detection);
@@ -126,65 +183,44 @@ var EdgeRuntimeAgentShield = class {
     return this.patternDetection(metadata);
   }
   patternDetection(metadata) {
-    const userAgent = metadata.userAgent.toLowerCase();
-    const patterns = [
-      // High confidence - explicit AI identifiers
-      { pattern: /chatgpt-user/i, name: "ChatGPT", confidence: 0.95 },
-      { pattern: /claude-web/i, name: "Claude", confidence: 0.95 },
-      { pattern: /claude-user/i, name: "Claude", confidence: 0.95 },
-      { pattern: /gpt-crawler/i, name: "GPT Crawler", confidence: 0.95 },
-      { pattern: /perplexitybot/i, name: "Perplexity", confidence: 0.95 },
-      { pattern: /perplexity-user/i, name: "Perplexity", confidence: 0.95 },
-      { pattern: /perplexity-ai/i, name: "Perplexity", confidence: 0.95 },
-      // Medium-high confidence - company identifiers
-      { pattern: /anthropic/i, name: "Anthropic", confidence: 0.9 },
-      { pattern: /openai/i, name: "OpenAI", confidence: 0.9 },
-      // Medium confidence - product names
-      { pattern: /copilot/i, name: "GitHub Copilot", confidence: 0.85 },
-      { pattern: /bard/i, name: "Google Bard", confidence: 0.85 },
-      { pattern: /gemini/i, name: "Google Gemini", confidence: 0.85 },
-      { pattern: /perplexity/i, name: "Perplexity", confidence: 0.85 },
-      // Fallback
-      // UA-context-only pattern — `\b` is the correct anchor for UA
-      // substring matching. PR #2591's tightened `[\s;()]` form
-      // dropped `/`, which broke legit UA shapes like `you.com/1.0`
-      // and `+https://you.com)` (cursor catch on the same PR — see
-      // sibling agents.ts comment for the full rationale + UA shapes).
-      // CodeQL js/regex/missing-regexp-anchor speculates about URL
-      // misuse; this codebase only applies the pattern to UA strings.
-      { pattern: /\byou\.com\b/i, name: "You.com", confidence: 0.8 },
-      { pattern: /\bphind\b/i, name: "Phind", confidence: 0.8 }
-    ];
-    const suspiciousHeaders = ["x-openai-", "x-anthropic-", "x-ai-", "x-llm-", "x-gpt-"];
+    const lowercasedUa = metadata.userAgent.toLowerCase();
     let headerBoost = 0;
-    for (const [key] of Object.entries(metadata.headers)) {
-      if (suspiciousHeaders.some((prefix) => key.toLowerCase().startsWith(prefix))) {
+    for (const key of Object.keys(metadata.headers)) {
+      if (SUSPICIOUS_HEADER_PREFIXES.some((prefix) => key.toLowerCase().startsWith(prefix))) {
         headerBoost = 0.1;
         break;
       }
     }
-    for (const { pattern, name, confidence } of patterns) {
-      if (pattern.test(userAgent)) {
-        const finalConfidence = Math.min(confidence + headerBoost, 1);
-        const result = {
-          isAgent: true,
-          confidence: finalConfidence,
-          agent: name,
-          verificationMethod: "pattern",
-          riskLevel: finalConfidence > 0.9 ? "high" : "medium",
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        };
-        if (this.config.onAgentDetected) {
-          this.config.onAgentDetected(result);
-        }
-        return result;
+    const match = matchKnownAgent(lowercasedUa);
+    if (match) {
+      const finalConfidence = Math.min(match.confidence + headerBoost, 1);
+      const confidence = Math.round(finalConfidence * 100);
+      const result = {
+        isAgent: true,
+        confidence,
+        detectionClass: { type: "AiAgent", agentType: match.name },
+        detectedAgent: { type: "ai_agent", name: match.name },
+        agent: match.name,
+        agentType: match.name,
+        reasons: [`known_pattern:${match.name.toLowerCase()}`],
+        signals: [],
+        verificationMethod: "pattern",
+        riskLevel: finalConfidence > 0.9 ? "high" : "medium",
+        timestamp: Date.now()
+      };
+      if (this.config.onAgentDetected) {
+        this.config.onAgentDetected(result);
       }
+      return result;
     }
     return {
       isAgent: false,
-      confidence: 0.85,
+      confidence: 0,
+      detectionClass: { type: "Human" },
+      reasons: ["No known agent indicators matched"],
+      signals: [],
       verificationMethod: "pattern",
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      timestamp: Date.now()
     };
   }
   isInitialized() {
@@ -194,16 +230,23 @@ var EdgeRuntimeAgentShield = class {
     return this.wasmInstance ? "cryptographic" : "pattern";
   }
 };
-function createEdgeAgentShield(config) {
-  return new EdgeRuntimeAgentShield(config);
+function createEdgeCheckpoint(config) {
+  return new EdgeRuntimeCheckpoint(config);
 }
 var defaultInstance = null;
-function getDefaultAgentShield(config) {
+function getDefaultEdgeCheckpoint(config) {
   if (!defaultInstance) {
-    defaultInstance = new EdgeRuntimeAgentShield(config);
+    defaultInstance = new EdgeRuntimeCheckpoint(config);
   }
   return defaultInstance;
 }
+var EdgeRuntimeAgentShield = EdgeRuntimeCheckpoint;
+var createEdgeAgentShield = createEdgeCheckpoint;
+var getDefaultAgentShield = getDefaultEdgeCheckpoint;
 
+exports.EdgeRuntimeAgentShield = EdgeRuntimeAgentShield;
+exports.EdgeRuntimeCheckpoint = EdgeRuntimeCheckpoint;
 exports.createEdgeAgentShield = createEdgeAgentShield;
+exports.createEdgeCheckpoint = createEdgeCheckpoint;
 exports.getDefaultAgentShield = getDefaultAgentShield;
+exports.getDefaultEdgeCheckpoint = getDefaultEdgeCheckpoint;

package/dist/edge-runtime-loader.mjs

@@ -1,3 +1,7 @@
+import { KNOWN_AGENT_PATTERNS } from '@kya-os/checkpoint-shared';
+
+// src/edge-runtime-loader.ts
+
 // src/utils.ts
 function getClientIp(request) {
   const forwardedFor = request.headers.get("x-forwarded-for");
@@ -15,7 +19,49 @@ function getClientIp(request) {
 }
 
 // src/edge-runtime-loader.ts
-var EdgeRuntimeAgentShield = class {
+var SUSPICIOUS_HEADER_PREFIXES = ["x-openai-", "x-anthropic-", "x-ai-", "x-llm-", "x-gpt-"];
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var TOKEN_REGEX_CACHE = /* @__PURE__ */ new Map();
+function tokenRegex(token) {
+  const cached = TOKEN_REGEX_CACHE.get(token);
+  if (cached) return cached;
+  const regex = new RegExp(`\\b${escapeRegex(token)}\\b`, "i");
+  TOKEN_REGEX_CACHE.set(token, regex);
+  return regex;
+}
+function readStringField(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function readNumberField(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
+}
+function readBooleanField(value) {
+  return typeof value === "boolean" ? value : void 0;
+}
+function readStringArrayField(value) {
+  return Array.isArray(value) ? value.filter((item) => typeof item === "string") : [];
+}
+function normalizeEngineConfidence(value) {
+  if (value === void 0) return 0;
+  return Math.round(Math.max(0, Math.min(100, value)));
+}
+function matchKnownAgent(lowercasedUa) {
+  let best = null;
+  for (const entry of KNOWN_AGENT_PATTERNS) {
+    for (const pattern of entry.patterns) {
+      if (tokenRegex(pattern).test(lowercasedUa)) {
+        if (!best || entry.confidence > best.confidence) {
+          best = { name: entry.name, confidence: entry.confidence };
+        }
+        break;
+      }
+    }
+  }
+  return best;
+}
+var EdgeRuntimeCheckpoint = class {
   wasmInstance = null;
   wasmMemory = null;
   config;
@@ -47,7 +93,7 @@ var EdgeRuntimeAgentShield = class {
         this.wasmInstance = await WebAssembly.instantiate(module, imports);
         this.initialized = true;
         if (this.config.debug) {
-          console.log("\u2705 AgentShield WASM initialized in Edge Runtime");
+          console.log("\u2705 Checkpoint WASM initialized in Edge Runtime");
         }
       } catch (error) {
         console.warn("\u26A0\uFE0F WASM initialization failed, using pattern detection:", error);
@@ -106,10 +152,21 @@ var EdgeRuntimeAgentShield = class {
           exports$1.__wbindgen_free(resultPtr, offset);
         }
         const result = JSON.parse(resultStr);
+        const agent = readStringField(result.agent) ?? readStringField(result.agentName);
+        const confidence = normalizeEngineConfidence(readNumberField(result.confidence));
         const detection = {
-          ...result,
-          verificationMethod: "cryptographic",
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          isAgent: readBooleanField(result.isAgent) ?? readBooleanField(result.is_agent) ?? false,
+          isAiCrawler: readBooleanField(result.isAiCrawler) ?? readBooleanField(result.is_ai_crawler),
+          confidence,
+          detectionClass: agent ? { type: "AiAgent", agentType: agent } : { type: confidence > 0 ? "IncompleteData" : "Human" },
+          detectedAgent: agent ? { type: "ai_agent", name: agent } : void 0,
+          agent,
+          agentType: agent,
+          reasons: readStringArrayField(result.reasons),
+          signals: [],
+          verificationMethod: "signature",
+          riskLevel: readStringField(result.riskLevel) ?? readStringField(result.risk_level),
+          timestamp: Date.now()
         };
         if (this.config.onAgentDetected && detection.isAgent) {
           this.config.onAgentDetected(detection);
@@ -124,65 +181,44 @@ var EdgeRuntimeAgentShield = class {
     return this.patternDetection(metadata);
   }
   patternDetection(metadata) {
-    const userAgent = metadata.userAgent.toLowerCase();
-    const patterns = [
-      // High confidence - explicit AI identifiers
-      { pattern: /chatgpt-user/i, name: "ChatGPT", confidence: 0.95 },
-      { pattern: /claude-web/i, name: "Claude", confidence: 0.95 },
-      { pattern: /claude-user/i, name: "Claude", confidence: 0.95 },
-      { pattern: /gpt-crawler/i, name: "GPT Crawler", confidence: 0.95 },
-      { pattern: /perplexitybot/i, name: "Perplexity", confidence: 0.95 },
-      { pattern: /perplexity-user/i, name: "Perplexity", confidence: 0.95 },
-      { pattern: /perplexity-ai/i, name: "Perplexity", confidence: 0.95 },
-      // Medium-high confidence - company identifiers
-      { pattern: /anthropic/i, name: "Anthropic", confidence: 0.9 },
-      { pattern: /openai/i, name: "OpenAI", confidence: 0.9 },
-      // Medium confidence - product names
-      { pattern: /copilot/i, name: "GitHub Copilot", confidence: 0.85 },
-      { pattern: /bard/i, name: "Google Bard", confidence: 0.85 },
-      { pattern: /gemini/i, name: "Google Gemini", confidence: 0.85 },
-      { pattern: /perplexity/i, name: "Perplexity", confidence: 0.85 },
-      // Fallback
-      // UA-context-only pattern — `\b` is the correct anchor for UA
-      // substring matching. PR #2591's tightened `[\s;()]` form
-      // dropped `/`, which broke legit UA shapes like `you.com/1.0`
-      // and `+https://you.com)` (cursor catch on the same PR — see
-      // sibling agents.ts comment for the full rationale + UA shapes).
-      // CodeQL js/regex/missing-regexp-anchor speculates about URL
-      // misuse; this codebase only applies the pattern to UA strings.
-      { pattern: /\byou\.com\b/i, name: "You.com", confidence: 0.8 },
-      { pattern: /\bphind\b/i, name: "Phind", confidence: 0.8 }
-    ];
-    const suspiciousHeaders = ["x-openai-", "x-anthropic-", "x-ai-", "x-llm-", "x-gpt-"];
+    const lowercasedUa = metadata.userAgent.toLowerCase();
     let headerBoost = 0;
-    for (const [key] of Object.entries(metadata.headers)) {
-      if (suspiciousHeaders.some((prefix) => key.toLowerCase().startsWith(prefix))) {
+    for (const key of Object.keys(metadata.headers)) {
+      if (SUSPICIOUS_HEADER_PREFIXES.some((prefix) => key.toLowerCase().startsWith(prefix))) {
         headerBoost = 0.1;
         break;
       }
     }
-    for (const { pattern, name, confidence } of patterns) {
-      if (pattern.test(userAgent)) {
-        const finalConfidence = Math.min(confidence + headerBoost, 1);
-        const result = {
-          isAgent: true,
-          confidence: finalConfidence,
-          agent: name,
-          verificationMethod: "pattern",
-          riskLevel: finalConfidence > 0.9 ? "high" : "medium",
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        };
-        if (this.config.onAgentDetected) {
-          this.config.onAgentDetected(result);
-        }
-        return result;
+    const match = matchKnownAgent(lowercasedUa);
+    if (match) {
+      const finalConfidence = Math.min(match.confidence + headerBoost, 1);
+      const confidence = Math.round(finalConfidence * 100);
+      const result = {
+        isAgent: true,
+        confidence,
+        detectionClass: { type: "AiAgent", agentType: match.name },
+        detectedAgent: { type: "ai_agent", name: match.name },
+        agent: match.name,
+        agentType: match.name,
+        reasons: [`known_pattern:${match.name.toLowerCase()}`],
+        signals: [],
+        verificationMethod: "pattern",
+        riskLevel: finalConfidence > 0.9 ? "high" : "medium",
+        timestamp: Date.now()
+      };
+      if (this.config.onAgentDetected) {
+        this.config.onAgentDetected(result);
       }
+      return result;
     }
     return {
       isAgent: false,
-      confidence: 0.85,
+      confidence: 0,
+      detectionClass: { type: "Human" },
+      reasons: ["No known agent indicators matched"],
+      signals: [],
       verificationMethod: "pattern",
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      timestamp: Date.now()
     };
   }
   isInitialized() {
@@ -192,15 +228,18 @@ var EdgeRuntimeAgentShield = class {
     return this.wasmInstance ? "cryptographic" : "pattern";
   }
 };
-function createEdgeAgentShield(config) {
-  return new EdgeRuntimeAgentShield(config);
+function createEdgeCheckpoint(config) {
+  return new EdgeRuntimeCheckpoint(config);
 }
 var defaultInstance = null;
-function getDefaultAgentShield(config) {
+function getDefaultEdgeCheckpoint(config) {
   if (!defaultInstance) {
-    defaultInstance = new EdgeRuntimeAgentShield(config);
+    defaultInstance = new EdgeRuntimeCheckpoint(config);
   }
   return defaultInstance;
 }
+var EdgeRuntimeAgentShield = EdgeRuntimeCheckpoint;
+var createEdgeAgentShield = createEdgeCheckpoint;
+var getDefaultAgentShield = getDefaultEdgeCheckpoint;
 
-export { createEdgeAgentShield, getDefaultAgentShield };
+export { EdgeRuntimeAgentShield, EdgeRuntimeCheckpoint, createEdgeAgentShield, createEdgeCheckpoint, getDefaultAgentShield, getDefaultEdgeCheckpoint };