@kya-os/checkpoint-nextjs 1.1.1 → 1.1.4

package/dist/nodejs-wasm-loader.d.mts

@@ -1,25 +1,42 @@
 /**
- * Node.js Runtime WASM Loader for AgentShield
+ * @deprecated Phase-D.9a — legacy Node.js WASM loader for the retired
+ * `agentshield-wasm` Rust crate. This file used `fs.readFileSync` to
+ * locate + load the legacy detector's WASM binary into the
+ * `@kya-os/checkpoint` `AgentDetector` class via `setWasmModule`. Both
+ * the WASM crate (Phase-D.9a/D.9b) and the AgentDetector class
+ * (AgentDetector-Deletion-2, next minor) are slated for deletion.
  *
- * This loader uses fs.readFileSync to load WASM in Node.js runtime.
- * It provides full cryptographic verification capabilities.
+ * Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` — it
+ * loads the canonical `kya-os-engine` WASM automatically via
+ * `@kya-os/checkpoint-wasm-runtime`'s loaders. No manual `fs.readFileSync`
+ * needed; the runtime handles bundler resolution across Next.js Node +
+ * Edge runtimes.
  */
+/** @internal — test-only reset for the one-shot warn latch. */
+declare function __resetNodejsWasmWarningForTests(): void;
 /**
- * Load WASM module using Node.js fs module
- * This only works in Node.js runtime, not Edge Runtime
+ * @deprecated Removed in Phase-D.9a. Use `withCheckpoint` from
+ * `@kya-os/checkpoint-nextjs` — it auto-loads `kya-os-engine` WASM
+ * via `@kya-os/checkpoint-wasm-runtime`. Throws on invocation; surface
+ * exists only so static analysis sees the historical export.
  */
 declare function loadWasmNodejs(): Promise<boolean>;
 /**
- * Check if we're in Node.js runtime
+ * @deprecated Removed in Phase-D.9a. The runtime guard is no longer
+ * needed; `@kya-os/checkpoint-wasm-runtime`'s loaders auto-detect
+ * runtime via the `"node"` / `"edge-runtime"` export conditions.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function isNodejsRuntime(): boolean;
 /**
- * Get the loaded WASM module
+ * @deprecated Removed in Phase-D.9a. Migrate to `withCheckpoint`.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function getWasmModule(): WebAssembly.Module | null;
 /**
- * Check if WASM is initialized
+ * @deprecated Removed in Phase-D.9a. Migrate to `withCheckpoint`.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function isWasmInitialized(): boolean;
 
-export { getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };
+export { __resetNodejsWasmWarningForTests, getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };

package/dist/nodejs-wasm-loader.d.ts

@@ -1,25 +1,42 @@
 /**
- * Node.js Runtime WASM Loader for AgentShield
+ * @deprecated Phase-D.9a — legacy Node.js WASM loader for the retired
+ * `agentshield-wasm` Rust crate. This file used `fs.readFileSync` to
+ * locate + load the legacy detector's WASM binary into the
+ * `@kya-os/checkpoint` `AgentDetector` class via `setWasmModule`. Both
+ * the WASM crate (Phase-D.9a/D.9b) and the AgentDetector class
+ * (AgentDetector-Deletion-2, next minor) are slated for deletion.
  *
- * This loader uses fs.readFileSync to load WASM in Node.js runtime.
- * It provides full cryptographic verification capabilities.
+ * Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` — it
+ * loads the canonical `kya-os-engine` WASM automatically via
+ * `@kya-os/checkpoint-wasm-runtime`'s loaders. No manual `fs.readFileSync`
+ * needed; the runtime handles bundler resolution across Next.js Node +
+ * Edge runtimes.
  */
+/** @internal — test-only reset for the one-shot warn latch. */
+declare function __resetNodejsWasmWarningForTests(): void;
 /**
- * Load WASM module using Node.js fs module
- * This only works in Node.js runtime, not Edge Runtime
+ * @deprecated Removed in Phase-D.9a. Use `withCheckpoint` from
+ * `@kya-os/checkpoint-nextjs` — it auto-loads `kya-os-engine` WASM
+ * via `@kya-os/checkpoint-wasm-runtime`. Throws on invocation; surface
+ * exists only so static analysis sees the historical export.
  */
 declare function loadWasmNodejs(): Promise<boolean>;
 /**
- * Check if we're in Node.js runtime
+ * @deprecated Removed in Phase-D.9a. The runtime guard is no longer
+ * needed; `@kya-os/checkpoint-wasm-runtime`'s loaders auto-detect
+ * runtime via the `"node"` / `"edge-runtime"` export conditions.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function isNodejsRuntime(): boolean;
 /**
- * Get the loaded WASM module
+ * @deprecated Removed in Phase-D.9a. Migrate to `withCheckpoint`.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function getWasmModule(): WebAssembly.Module | null;
 /**
- * Check if WASM is initialized
+ * @deprecated Removed in Phase-D.9a. Migrate to `withCheckpoint`.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function isWasmInitialized(): boolean;
 
-export { getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };
+export { __resetNodejsWasmWarningForTests, getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };

package/dist/nodejs-wasm-loader.js

@@ -1,92 +1,35 @@
 'use strict';
 
-var fs = require('fs');
-var path = require('path');
-var checkpoint = require('@kya-os/checkpoint');
-
-function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
-
-var fs__default = /*#__PURE__*/_interopDefault(fs);
-var path__default = /*#__PURE__*/_interopDefault(path);
-
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
-var wasmInitialized = false;
-var wasmModule = null;
+// src/nodejs-wasm-loader.ts
+var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+var _nodejsWasmWarned = false;
+function warnNodejsWasmDeprecated() {
+  if (_nodejsWasmWarned) return;
+  _nodejsWasmWarned = true;
+  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
+  console.warn(`[Checkpoint] ${MIGRATION_ERROR}`);
+}
+function __resetNodejsWasmWarningForTests() {
+  _nodejsWasmWarned = false;
+}
 async function loadWasmNodejs() {
-  if (wasmInitialized) {
-    return true;
-  }
-  try {
-    const possiblePaths = [
-      // In node_modules (most likely)
-      path__default.default.join(
-        process.cwd(),
-        "node_modules",
-        "@kya-os",
-        "agentshield",
-        "dist",
-        "wasm",
-        "agentshield_wasm_bg.wasm"
-      ),
-      // In project root (if user copied it)
-      path__default.default.join(process.cwd(), "agentshield_wasm_bg.wasm"),
-      // Relative to current file
-      path__default.default.join(
-        __dirname,
-        "..",
-        "..",
-        "..",
-        "agentshield",
-        "dist",
-        "wasm",
-        "agentshield_wasm_bg.wasm"
-      )
-    ];
-    let wasmBuffer = null;
-    let loadedPath = null;
-    for (const wasmPath of possiblePaths) {
-      try {
-        if (fs__default.default.existsSync(wasmPath)) {
-          wasmBuffer = fs__default.default.readFileSync(wasmPath);
-          loadedPath = wasmPath;
-          break;
-        }
-      } catch (e) {
-        continue;
-      }
-    }
-    if (!wasmBuffer) {
-      console.warn("AgentShield: WASM file not found in any expected location");
-      return false;
-    }
-    const bytes = new Uint8Array(wasmBuffer);
-    wasmModule = await WebAssembly.compile(bytes);
-    checkpoint.setWasmModule(wasmModule);
-    wasmInitialized = true;
-    console.log(`\u2705 AgentShield: WASM loaded successfully from ${loadedPath} (Node.js runtime)`);
-    console.log("\u{1F510} Cryptographic verification enabled (95-100% confidence)");
-    return true;
-  } catch (error) {
-    console.warn("\u26A0\uFE0F AgentShield: Failed to load WASM in Node.js runtime:", error);
-    console.log("\u{1F4CA} Falling back to pattern detection (85% confidence)");
-    return false;
-  }
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function isNodejsRuntime() {
-  return typeof process !== "undefined" && typeof process.versions !== "undefined" && typeof process.versions.node !== "undefined" && typeof __require !== "undefined";
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function getWasmModule() {
-  return wasmModule;
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function isWasmInitialized() {
-  return wasmInitialized;
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 
+exports.__resetNodejsWasmWarningForTests = __resetNodejsWasmWarningForTests;
 exports.getWasmModule = getWasmModule;
 exports.isNodejsRuntime = isNodejsRuntime;
 exports.isWasmInitialized = isWasmInitialized;

package/dist/nodejs-wasm-loader.mjs

@@ -1,83 +1,30 @@
-import fs from 'fs';
-import path from 'path';
-import { setWasmModule } from '@kya-os/checkpoint';
-
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
-var wasmInitialized = false;
-var wasmModule = null;
+// src/nodejs-wasm-loader.ts
+var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+var _nodejsWasmWarned = false;
+function warnNodejsWasmDeprecated() {
+  if (_nodejsWasmWarned) return;
+  _nodejsWasmWarned = true;
+  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
+  console.warn(`[Checkpoint] ${MIGRATION_ERROR}`);
+}
+function __resetNodejsWasmWarningForTests() {
+  _nodejsWasmWarned = false;
+}
 async function loadWasmNodejs() {
-  if (wasmInitialized) {
-    return true;
-  }
-  try {
-    const possiblePaths = [
-      // In node_modules (most likely)
-      path.join(
-        process.cwd(),
-        "node_modules",
-        "@kya-os",
-        "agentshield",
-        "dist",
-        "wasm",
-        "agentshield_wasm_bg.wasm"
-      ),
-      // In project root (if user copied it)
-      path.join(process.cwd(), "agentshield_wasm_bg.wasm"),
-      // Relative to current file
-      path.join(
-        __dirname,
-        "..",
-        "..",
-        "..",
-        "agentshield",
-        "dist",
-        "wasm",
-        "agentshield_wasm_bg.wasm"
-      )
-    ];
-    let wasmBuffer = null;
-    let loadedPath = null;
-    for (const wasmPath of possiblePaths) {
-      try {
-        if (fs.existsSync(wasmPath)) {
-          wasmBuffer = fs.readFileSync(wasmPath);
-          loadedPath = wasmPath;
-          break;
-        }
-      } catch (e) {
-        continue;
-      }
-    }
-    if (!wasmBuffer) {
-      console.warn("AgentShield: WASM file not found in any expected location");
-      return false;
-    }
-    const bytes = new Uint8Array(wasmBuffer);
-    wasmModule = await WebAssembly.compile(bytes);
-    setWasmModule(wasmModule);
-    wasmInitialized = true;
-    console.log(`\u2705 AgentShield: WASM loaded successfully from ${loadedPath} (Node.js runtime)`);
-    console.log("\u{1F510} Cryptographic verification enabled (95-100% confidence)");
-    return true;
-  } catch (error) {
-    console.warn("\u26A0\uFE0F AgentShield: Failed to load WASM in Node.js runtime:", error);
-    console.log("\u{1F4CA} Falling back to pattern detection (85% confidence)");
-    return false;
-  }
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function isNodejsRuntime() {
-  return typeof process !== "undefined" && typeof process.versions !== "undefined" && typeof process.versions.node !== "undefined" && typeof __require !== "undefined";
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function getWasmModule() {
-  return wasmModule;
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function isWasmInitialized() {
-  return wasmInitialized;
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 
-export { getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };
+export { __resetNodejsWasmWarningForTests, getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };

package/dist/session-tracker.d.mts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { DetectionResult } from '@kya-os/checkpoint-shared';
+import { DetectionDetail } from '@kya-os/checkpoint-shared';
 
 /**
  * Edge-compatible session tracking for AI agents
@@ -25,7 +25,7 @@ declare class EdgeSessionTracker {
     /**
      * Track a new AI agent session
      */
-    track(_request: NextRequest, response: NextResponse, result: DetectionResult): Promise<NextResponse>;
+    track(_request: NextRequest, response: NextResponse, result: DetectionDetail): Promise<NextResponse>;
     /**
      * Check for existing AI agent session
      */

package/dist/session-tracker.d.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { DetectionResult } from '@kya-os/checkpoint-shared';
+import { DetectionDetail } from '@kya-os/checkpoint-shared';
 
 /**
  * Edge-compatible session tracking for AI agents
@@ -25,7 +25,7 @@ declare class EdgeSessionTracker {
     /**
      * Track a new AI agent session
      */
-    track(_request: NextRequest, response: NextResponse, result: DetectionResult): Promise<NextResponse>;
+    track(_request: NextRequest, response: NextResponse, result: DetectionDetail): Promise<NextResponse>;
     /**
      * Check for existing AI agent session
      */

package/dist/session-tracker.js

@@ -19,7 +19,9 @@ var EdgeSessionTracker = class {
    */
   async track(_request, response, result) {
     try {
-      if (!this.config.enabled || !checkpointShared.shouldEnforce(result)) {
+      const detectedName = result.detectedAgent?.name;
+      const isEnforceable = result.isAgent || result.isAiCrawler || checkpointShared.isKnownAiCrawler(detectedName);
+      if (!this.config.enabled || !isEnforceable) {
         return response;
       }
       const sessionData = {

package/dist/session-tracker.mjs

@@ -1,4 +1,4 @@
-import { shouldEnforce } from '@kya-os/checkpoint-shared';
+import { isKnownAiCrawler } from '@kya-os/checkpoint-shared';
 
 // src/session-tracker.ts
 var EdgeSessionTracker = class {
@@ -17,7 +17,9 @@ var EdgeSessionTracker = class {
    */
   async track(_request, response, result) {
     try {
-      if (!this.config.enabled || !shouldEnforce(result)) {
+      const detectedName = result.detectedAgent?.name;
+      const isEnforceable = result.isAgent || result.isAiCrawler || isKnownAiCrawler(detectedName);
+      if (!this.config.enabled || !isEnforceable) {
         return response;
       }
       const sessionData = {

package/dist/wasm-middleware.d.mts

@@ -1,10 +1,21 @@
 import { NextRequest, NextResponse } from 'next/server';
 
 /**
- * WASM-enabled middleware for Next.js with AgentShield
- * Following official Next.js documentation for WebAssembly in Edge Runtime
+ * WASM-enabled middleware for Next.js with Checkpoint.
+ *
+ * **Deprecation notice (AgentDetector-Deletion-1):**
+ * `createWasmAgentShieldMiddleware` is deprecated as of this patch and
+ * slated for removal in the next minor. It internally constructs a
+ * legacy `AgentDetector` and never actually uses the WASM instance for
+ * detection (the `wasmInstance` arg only bumps confidence by 15%).
+ * Stage 1 detection now lives in the Rust `kya-os-engine` (PDM-1
+ * #2560). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`
+ * — engine-backed, runs the orchestrator including envelope
+ * verification.
  */
 
+/** @internal — test-only reset for the one-shot warn latch. */
+declare function __resetCreateWasmAgentShieldWarningForTests(): void;
 interface WasmDetectionResult {
     isAgent: boolean;
     isAiCrawler?: boolean;
@@ -26,6 +37,11 @@ interface AgentShieldConfig {
     };
 }
 /**
+ * @deprecated Wraps the legacy `AgentDetector` class. Will be removed
+ * in the next minor (AgentDetector-Deletion-2). Migrate to
+ * `withCheckpoint` from `@kya-os/checkpoint-nextjs` — engine-backed,
+ * runs the orchestrator including envelope verification.
+ *
  * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
  *
  * **This factory runs UA/header pattern matching only.** It does NOT
@@ -79,4 +95,4 @@ declare function createWasmAgentShieldMiddleware(config: AgentShieldConfig & {
  */
 declare function instantiateWasm(wasmModule: WebAssembly.Module): Promise<WebAssembly.Instance>;
 
-export { type AgentShieldConfig, type WasmDetectionResult, createWasmAgentShieldMiddleware, instantiateWasm };
+export { type AgentShieldConfig, type WasmDetectionResult, __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };

package/dist/wasm-middleware.d.ts

@@ -1,10 +1,21 @@
 import { NextRequest, NextResponse } from 'next/server';
 
 /**
- * WASM-enabled middleware for Next.js with AgentShield
- * Following official Next.js documentation for WebAssembly in Edge Runtime
+ * WASM-enabled middleware for Next.js with Checkpoint.
+ *
+ * **Deprecation notice (AgentDetector-Deletion-1):**
+ * `createWasmAgentShieldMiddleware` is deprecated as of this patch and
+ * slated for removal in the next minor. It internally constructs a
+ * legacy `AgentDetector` and never actually uses the WASM instance for
+ * detection (the `wasmInstance` arg only bumps confidence by 15%).
+ * Stage 1 detection now lives in the Rust `kya-os-engine` (PDM-1
+ * #2560). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`
+ * — engine-backed, runs the orchestrator including envelope
+ * verification.
  */
 
+/** @internal — test-only reset for the one-shot warn latch. */
+declare function __resetCreateWasmAgentShieldWarningForTests(): void;
 interface WasmDetectionResult {
     isAgent: boolean;
     isAiCrawler?: boolean;
@@ -26,6 +37,11 @@ interface AgentShieldConfig {
     };
 }
 /**
+ * @deprecated Wraps the legacy `AgentDetector` class. Will be removed
+ * in the next minor (AgentDetector-Deletion-2). Migrate to
+ * `withCheckpoint` from `@kya-os/checkpoint-nextjs` — engine-backed,
+ * runs the orchestrator including envelope verification.
+ *
  * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
  *
  * **This factory runs UA/header pattern matching only.** It does NOT
@@ -79,4 +95,4 @@ declare function createWasmAgentShieldMiddleware(config: AgentShieldConfig & {
  */
 declare function instantiateWasm(wasmModule: WebAssembly.Module): Promise<WebAssembly.Instance>;
 
-export { type AgentShieldConfig, type WasmDetectionResult, createWasmAgentShieldMiddleware, instantiateWasm };
+export { type AgentShieldConfig, type WasmDetectionResult, __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };

package/dist/wasm-middleware.js

@@ -2,10 +2,38 @@
 
 var server = require('next/server');
 var checkpoint = require('@kya-os/checkpoint');
-var checkpointShared = require('@kya-os/checkpoint-shared');
 
 // src/wasm-middleware.ts
+
+// src/local-detection-gate.ts
+function isDetectedAgentForLocalGate(result) {
+  return result.isAgent === true;
+}
+function evaluateLocalDetectionGate(result, config) {
+  if (!isDetectedAgentForLocalGate(result)) {
+    return { action: "allow", shouldNotify: false };
+  }
+  if ((result.confidence ?? 0) >= config.confidenceThreshold) {
+    return { action: config.defaultAction, shouldNotify: true };
+  }
+  return { action: "allow", shouldNotify: false };
+}
+
+// src/wasm-middleware.ts
+var _createWasmAgentShieldWarned = false;
+function warnCreateWasmAgentShieldDeprecated() {
+  if (_createWasmAgentShieldWarned) return;
+  _createWasmAgentShieldWarned = true;
+  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
+  console.warn(
+    "[Checkpoint] createWasmAgentShieldMiddleware is deprecated and will be removed in the next minor. It wraps the legacy AgentDetector class; Stage 1 detection now lives in the Rust kya-os-engine (PDM-1). Migrate to `withCheckpoint` from @kya-os/checkpoint-nextjs \u2014 engine-backed and runs envelope verification. See packages/checkpoint-nextjs/CHANGELOG.md for the recipe."
+  );
+}
+function __resetCreateWasmAgentShieldWarningForTests() {
+  _createWasmAgentShieldWarned = false;
+}
 function createWasmAgentShieldMiddleware(config) {
+  warnCreateWasmAgentShieldDeprecated();
   const {
     onAgentDetected,
     blockOnHighConfidence = false,
@@ -45,11 +73,11 @@ function createWasmAgentShieldMiddleware(config) {
         // Updated to 0-100 scale (was 0.7)
         timestamp: result.timestamp instanceof Date ? result.timestamp.toISOString() : new Date(result.timestamp).toISOString()
       };
-      const decision = checkpointShared.evaluateEnforcement(enhancedResult, {
+      const decision = evaluateLocalDetectionGate(enhancedResult, {
         confidenceThreshold,
         defaultAction: blockOnHighConfidence ? "block" : "allow"
       });
-      if (onAgentDetected && checkpointShared.shouldEnforce(enhancedResult)) {
+      if (onAgentDetected && isDetectedAgentForLocalGate(enhancedResult)) {
         await onAgentDetected(enhancedResult);
       }
       if (decision.action === "block") {
@@ -92,5 +120,6 @@ async function instantiateWasm(wasmModule) {
   }
 }
 
+exports.__resetCreateWasmAgentShieldWarningForTests = __resetCreateWasmAgentShieldWarningForTests;
 exports.createWasmAgentShieldMiddleware = createWasmAgentShieldMiddleware;
 exports.instantiateWasm = instantiateWasm;

package/dist/wasm-middleware.mjs

@@ -1,9 +1,37 @@
 import { NextResponse } from 'next/server';
 import { AgentDetector } from '@kya-os/checkpoint';
-import { evaluateEnforcement, shouldEnforce } from '@kya-os/checkpoint-shared';
 
 // src/wasm-middleware.ts
+
+// src/local-detection-gate.ts
+function isDetectedAgentForLocalGate(result) {
+  return result.isAgent === true;
+}
+function evaluateLocalDetectionGate(result, config) {
+  if (!isDetectedAgentForLocalGate(result)) {
+    return { action: "allow", shouldNotify: false };
+  }
+  if ((result.confidence ?? 0) >= config.confidenceThreshold) {
+    return { action: config.defaultAction, shouldNotify: true };
+  }
+  return { action: "allow", shouldNotify: false };
+}
+
+// src/wasm-middleware.ts
+var _createWasmAgentShieldWarned = false;
+function warnCreateWasmAgentShieldDeprecated() {
+  if (_createWasmAgentShieldWarned) return;
+  _createWasmAgentShieldWarned = true;
+  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
+  console.warn(
+    "[Checkpoint] createWasmAgentShieldMiddleware is deprecated and will be removed in the next minor. It wraps the legacy AgentDetector class; Stage 1 detection now lives in the Rust kya-os-engine (PDM-1). Migrate to `withCheckpoint` from @kya-os/checkpoint-nextjs \u2014 engine-backed and runs envelope verification. See packages/checkpoint-nextjs/CHANGELOG.md for the recipe."
+  );
+}
+function __resetCreateWasmAgentShieldWarningForTests() {
+  _createWasmAgentShieldWarned = false;
+}
 function createWasmAgentShieldMiddleware(config) {
+  warnCreateWasmAgentShieldDeprecated();
   const {
     onAgentDetected,
     blockOnHighConfidence = false,
@@ -43,11 +71,11 @@ function createWasmAgentShieldMiddleware(config) {
         // Updated to 0-100 scale (was 0.7)
         timestamp: result.timestamp instanceof Date ? result.timestamp.toISOString() : new Date(result.timestamp).toISOString()
       };
-      const decision = evaluateEnforcement(enhancedResult, {
+      const decision = evaluateLocalDetectionGate(enhancedResult, {
         confidenceThreshold,
         defaultAction: blockOnHighConfidence ? "block" : "allow"
       });
-      if (onAgentDetected && shouldEnforce(enhancedResult)) {
+      if (onAgentDetected && isDetectedAgentForLocalGate(enhancedResult)) {
         await onAgentDetected(enhancedResult);
       }
       if (decision.action === "block") {
@@ -90,4 +118,4 @@ async function instantiateWasm(wasmModule) {
   }
 }
 
-export { createWasmAgentShieldMiddleware, instantiateWasm };
+export { __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };