@kya-os/checkpoint-nextjs 1.1.1 → 1.2.0

package/dist/index.mjs

@@ -1,7 +1,7 @@
 import { verifyRequest, renderDecisionAsResponse } from '@kya-os/checkpoint-wasm-runtime/orchestrator';
 import { makeSystemClock, makePolicyEvaluator, makeReputationOracle, makeStatusListCache, makeDidResolver } from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { NextResponse } from 'next/server';
-import { shouldEnforce, createEvaluationContext, evaluatePolicy, ENFORCEMENT_ACTIONS, PolicyConfigSchema, DEFAULT_POLICY, matchPath, acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, createPolicyFetcher, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
+import { isKnownAiCrawler, createEvaluationContext, evaluatePolicy, ENFORCEMENT_ACTIONS, PolicyConfigSchema, DEFAULT_POLICY, matchPath, acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, createPolicyFetcher, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
 export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
 
 // src/middleware-node.ts
@@ -118,7 +118,8 @@ function buildVerifyOpts(config) {
     enforcementMode: config.enforcementMode ?? "enforce",
     reputationBaseline: config.reputationBaseline,
     argusUrl: config.argusUrl,
-    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
+    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false,
+    engineConfig: config.engineConfig
   };
 }
 async function dispatchOnResult(config, result, req) {
@@ -697,7 +698,9 @@ var EdgeSessionTracker = class {
    */
   async track(_request, response, result) {
     try {
-      if (!this.config.enabled || !shouldEnforce(result)) {
+      const detectedName = result.detectedAgent?.name;
+      const isEnforceable = result.isAgent || result.isAiCrawler || isKnownAiCrawler(detectedName);
+      if (!this.config.enabled || !isEnforceable) {
         return response;
       }
       const sessionData = {

package/dist/middleware-edge.js

@@ -109,7 +109,8 @@ function buildVerifyOpts(config) {
     enforcementMode: config.enforcementMode ?? "enforce",
     reputationBaseline: config.reputationBaseline,
     argusUrl: config.argusUrl,
-    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
+    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false,
+    engineConfig: config.engineConfig
   };
 }
 

package/dist/middleware-edge.mjs

@@ -108,7 +108,8 @@ function buildVerifyOpts(config) {
     enforcementMode: config.enforcementMode ?? "enforce",
     reputationBaseline: config.reputationBaseline,
     argusUrl: config.argusUrl,
-    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
+    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false,
+    engineConfig: config.engineConfig
   };
 }
 

package/dist/middleware-node.d.mts

@@ -1,7 +1,7 @@
 import * as _kya_os_checkpoint_wasm_runtime_adapters from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { DidResolverAdapter, StatusListCacheAdapter, ReputationOracleAdapter, PolicyEvaluatorAdapter } from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { NextRequest, NextResponse } from 'next/server';
-import { EnforcementMode, VerifyResult } from '@kya-os/checkpoint-wasm-runtime/engine';
+import { EnforcementMode, VerifyResult, EngineConfig } from '@kya-os/checkpoint-wasm-runtime/engine';
 
 /**
  * Configuration for `withCheckpoint`.
@@ -93,6 +93,20 @@ interface CheckpointConfig {
      * SDK-Envelope-Plumbing-1 (#2594). Added in `@kya-os/checkpoint-nextjs@1.1.0`.
      */
     drainJsonBody?: boolean;
+    /**
+     * Engine-default behaviour knobs forwarded to every composed
+     * `ContextSpec`. Defaults to `{ tier3Action: 'monitor' }` —
+     * customer-onboarding-safe (tenant policy decides; engine doesn't
+     * short-circuit known-agent UAs with an engine-default Block).
+     *
+     * Opt into `{ tier3Action: 'block' }` when the host wants the
+     * calibrated engine-default block for KnownAiAgent / AiCrawler /
+     * HeadlessBrowser classifications BEFORE the tenant policy seam.
+     *
+     * Added in `@kya-os/checkpoint-nextjs@1.2.0` (Engine-Tier3-Monitor-
+     * Default, #2653 + this PR's plumbing follow-up).
+     */
+    engineConfig?: EngineConfig;
 }
 /**
  * Build the Checkpoint middleware. Returns a function `(req) => NextResponse`
@@ -120,6 +134,7 @@ declare function buildVerifyOpts(config: CheckpointConfig): {
     reputationBaseline: number | undefined;
     argusUrl: string | undefined;
     legacyEnvelopeFallback: boolean;
+    engineConfig: EngineConfig | undefined;
 };
 
 export { type CheckpointConfig, buildVerifyOpts as _buildVerifyOpts, withCheckpoint };

package/dist/middleware-node.d.ts

@@ -1,7 +1,7 @@
 import * as _kya_os_checkpoint_wasm_runtime_adapters from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { DidResolverAdapter, StatusListCacheAdapter, ReputationOracleAdapter, PolicyEvaluatorAdapter } from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { NextRequest, NextResponse } from 'next/server';
-import { EnforcementMode, VerifyResult } from '@kya-os/checkpoint-wasm-runtime/engine';
+import { EnforcementMode, VerifyResult, EngineConfig } from '@kya-os/checkpoint-wasm-runtime/engine';
 
 /**
  * Configuration for `withCheckpoint`.
@@ -93,6 +93,20 @@ interface CheckpointConfig {
      * SDK-Envelope-Plumbing-1 (#2594). Added in `@kya-os/checkpoint-nextjs@1.1.0`.
      */
     drainJsonBody?: boolean;
+    /**
+     * Engine-default behaviour knobs forwarded to every composed
+     * `ContextSpec`. Defaults to `{ tier3Action: 'monitor' }` —
+     * customer-onboarding-safe (tenant policy decides; engine doesn't
+     * short-circuit known-agent UAs with an engine-default Block).
+     *
+     * Opt into `{ tier3Action: 'block' }` when the host wants the
+     * calibrated engine-default block for KnownAiAgent / AiCrawler /
+     * HeadlessBrowser classifications BEFORE the tenant policy seam.
+     *
+     * Added in `@kya-os/checkpoint-nextjs@1.2.0` (Engine-Tier3-Monitor-
+     * Default, #2653 + this PR's plumbing follow-up).
+     */
+    engineConfig?: EngineConfig;
 }
 /**
  * Build the Checkpoint middleware. Returns a function `(req) => NextResponse`
@@ -120,6 +134,7 @@ declare function buildVerifyOpts(config: CheckpointConfig): {
     reputationBaseline: number | undefined;
     argusUrl: string | undefined;
     legacyEnvelopeFallback: boolean;
+    engineConfig: EngineConfig | undefined;
 };
 
 export { type CheckpointConfig, buildVerifyOpts as _buildVerifyOpts, withCheckpoint };

package/dist/middleware-node.js

@@ -119,7 +119,8 @@ function buildVerifyOpts(config) {
     enforcementMode: config.enforcementMode ?? "enforce",
     reputationBaseline: config.reputationBaseline,
     argusUrl: config.argusUrl,
-    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
+    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false,
+    engineConfig: config.engineConfig
   };
 }
 async function dispatchOnResult(config, result, req) {

package/dist/middleware-node.mjs

@@ -117,7 +117,8 @@ function buildVerifyOpts(config) {
     enforcementMode: config.enforcementMode ?? "enforce",
     reputationBaseline: config.reputationBaseline,
     argusUrl: config.argusUrl,
-    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false
+    legacyEnvelopeFallback: config.legacyEnvelopeFallback ?? false,
+    engineConfig: config.engineConfig
   };
 }
 async function dispatchOnResult(config, result, req) {

package/dist/nodejs-wasm-loader.d.mts

@@ -1,25 +1,42 @@
 /**
- * Node.js Runtime WASM Loader for AgentShield
+ * @deprecated Phase-D.9a — legacy Node.js WASM loader for the retired
+ * `agentshield-wasm` Rust crate. This file used `fs.readFileSync` to
+ * locate + load the legacy detector's WASM binary into the
+ * `@kya-os/checkpoint` `AgentDetector` class via `setWasmModule`. Both
+ * the WASM crate (Phase-D.9a/D.9b) and the AgentDetector class
+ * (AgentDetector-Deletion-2, next minor) are slated for deletion.
  *
- * This loader uses fs.readFileSync to load WASM in Node.js runtime.
- * It provides full cryptographic verification capabilities.
+ * Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` — it
+ * loads the canonical `kya-os-engine` WASM automatically via
+ * `@kya-os/checkpoint-wasm-runtime`'s loaders. No manual `fs.readFileSync`
+ * needed; the runtime handles bundler resolution across Next.js Node +
+ * Edge runtimes.
  */
+/** @internal — test-only reset for the one-shot warn latch. */
+declare function __resetNodejsWasmWarningForTests(): void;
 /**
- * Load WASM module using Node.js fs module
- * This only works in Node.js runtime, not Edge Runtime
+ * @deprecated Removed in Phase-D.9a. Use `withCheckpoint` from
+ * `@kya-os/checkpoint-nextjs` — it auto-loads `kya-os-engine` WASM
+ * via `@kya-os/checkpoint-wasm-runtime`. Throws on invocation; surface
+ * exists only so static analysis sees the historical export.
  */
 declare function loadWasmNodejs(): Promise<boolean>;
 /**
- * Check if we're in Node.js runtime
+ * @deprecated Removed in Phase-D.9a. The runtime guard is no longer
+ * needed; `@kya-os/checkpoint-wasm-runtime`'s loaders auto-detect
+ * runtime via the `"node"` / `"edge-runtime"` export conditions.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function isNodejsRuntime(): boolean;
 /**
- * Get the loaded WASM module
+ * @deprecated Removed in Phase-D.9a. Migrate to `withCheckpoint`.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function getWasmModule(): WebAssembly.Module | null;
 /**
- * Check if WASM is initialized
+ * @deprecated Removed in Phase-D.9a. Migrate to `withCheckpoint`.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function isWasmInitialized(): boolean;
 
-export { getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };
+export { __resetNodejsWasmWarningForTests, getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };

package/dist/nodejs-wasm-loader.d.ts

@@ -1,25 +1,42 @@
 /**
- * Node.js Runtime WASM Loader for AgentShield
+ * @deprecated Phase-D.9a — legacy Node.js WASM loader for the retired
+ * `agentshield-wasm` Rust crate. This file used `fs.readFileSync` to
+ * locate + load the legacy detector's WASM binary into the
+ * `@kya-os/checkpoint` `AgentDetector` class via `setWasmModule`. Both
+ * the WASM crate (Phase-D.9a/D.9b) and the AgentDetector class
+ * (AgentDetector-Deletion-2, next minor) are slated for deletion.
  *
- * This loader uses fs.readFileSync to load WASM in Node.js runtime.
- * It provides full cryptographic verification capabilities.
+ * Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` — it
+ * loads the canonical `kya-os-engine` WASM automatically via
+ * `@kya-os/checkpoint-wasm-runtime`'s loaders. No manual `fs.readFileSync`
+ * needed; the runtime handles bundler resolution across Next.js Node +
+ * Edge runtimes.
  */
+/** @internal — test-only reset for the one-shot warn latch. */
+declare function __resetNodejsWasmWarningForTests(): void;
 /**
- * Load WASM module using Node.js fs module
- * This only works in Node.js runtime, not Edge Runtime
+ * @deprecated Removed in Phase-D.9a. Use `withCheckpoint` from
+ * `@kya-os/checkpoint-nextjs` — it auto-loads `kya-os-engine` WASM
+ * via `@kya-os/checkpoint-wasm-runtime`. Throws on invocation; surface
+ * exists only so static analysis sees the historical export.
  */
 declare function loadWasmNodejs(): Promise<boolean>;
 /**
- * Check if we're in Node.js runtime
+ * @deprecated Removed in Phase-D.9a. The runtime guard is no longer
+ * needed; `@kya-os/checkpoint-wasm-runtime`'s loaders auto-detect
+ * runtime via the `"node"` / `"edge-runtime"` export conditions.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function isNodejsRuntime(): boolean;
 /**
- * Get the loaded WASM module
+ * @deprecated Removed in Phase-D.9a. Migrate to `withCheckpoint`.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function getWasmModule(): WebAssembly.Module | null;
 /**
- * Check if WASM is initialized
+ * @deprecated Removed in Phase-D.9a. Migrate to `withCheckpoint`.
+ * Throws on invocation; surface exists only for export-compatibility.
  */
 declare function isWasmInitialized(): boolean;
 
-export { getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };
+export { __resetNodejsWasmWarningForTests, getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };

package/dist/nodejs-wasm-loader.js

@@ -1,92 +1,35 @@
 'use strict';
 
-var fs = require('fs');
-var path = require('path');
-var checkpoint = require('@kya-os/checkpoint');
-
-function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
-
-var fs__default = /*#__PURE__*/_interopDefault(fs);
-var path__default = /*#__PURE__*/_interopDefault(path);
-
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
-var wasmInitialized = false;
-var wasmModule = null;
+// src/nodejs-wasm-loader.ts
+var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+var _nodejsWasmWarned = false;
+function warnNodejsWasmDeprecated() {
+  if (_nodejsWasmWarned) return;
+  _nodejsWasmWarned = true;
+  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
+  console.warn(`[Checkpoint] ${MIGRATION_ERROR}`);
+}
+function __resetNodejsWasmWarningForTests() {
+  _nodejsWasmWarned = false;
+}
 async function loadWasmNodejs() {
-  if (wasmInitialized) {
-    return true;
-  }
-  try {
-    const possiblePaths = [
-      // In node_modules (most likely)
-      path__default.default.join(
-        process.cwd(),
-        "node_modules",
-        "@kya-os",
-        "agentshield",
-        "dist",
-        "wasm",
-        "agentshield_wasm_bg.wasm"
-      ),
-      // In project root (if user copied it)
-      path__default.default.join(process.cwd(), "agentshield_wasm_bg.wasm"),
-      // Relative to current file
-      path__default.default.join(
-        __dirname,
-        "..",
-        "..",
-        "..",
-        "agentshield",
-        "dist",
-        "wasm",
-        "agentshield_wasm_bg.wasm"
-      )
-    ];
-    let wasmBuffer = null;
-    let loadedPath = null;
-    for (const wasmPath of possiblePaths) {
-      try {
-        if (fs__default.default.existsSync(wasmPath)) {
-          wasmBuffer = fs__default.default.readFileSync(wasmPath);
-          loadedPath = wasmPath;
-          break;
-        }
-      } catch (e) {
-        continue;
-      }
-    }
-    if (!wasmBuffer) {
-      console.warn("AgentShield: WASM file not found in any expected location");
-      return false;
-    }
-    const bytes = new Uint8Array(wasmBuffer);
-    wasmModule = await WebAssembly.compile(bytes);
-    checkpoint.setWasmModule(wasmModule);
-    wasmInitialized = true;
-    console.log(`\u2705 AgentShield: WASM loaded successfully from ${loadedPath} (Node.js runtime)`);
-    console.log("\u{1F510} Cryptographic verification enabled (95-100% confidence)");
-    return true;
-  } catch (error) {
-    console.warn("\u26A0\uFE0F AgentShield: Failed to load WASM in Node.js runtime:", error);
-    console.log("\u{1F4CA} Falling back to pattern detection (85% confidence)");
-    return false;
-  }
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function isNodejsRuntime() {
-  return typeof process !== "undefined" && typeof process.versions !== "undefined" && typeof process.versions.node !== "undefined" && typeof __require !== "undefined";
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function getWasmModule() {
-  return wasmModule;
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function isWasmInitialized() {
-  return wasmInitialized;
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 
+exports.__resetNodejsWasmWarningForTests = __resetNodejsWasmWarningForTests;
 exports.getWasmModule = getWasmModule;
 exports.isNodejsRuntime = isNodejsRuntime;
 exports.isWasmInitialized = isWasmInitialized;

package/dist/nodejs-wasm-loader.mjs

@@ -1,83 +1,30 @@
-import fs from 'fs';
-import path from 'path';
-import { setWasmModule } from '@kya-os/checkpoint';
-
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
-var wasmInitialized = false;
-var wasmModule = null;
+// src/nodejs-wasm-loader.ts
+var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+var _nodejsWasmWarned = false;
+function warnNodejsWasmDeprecated() {
+  if (_nodejsWasmWarned) return;
+  _nodejsWasmWarned = true;
+  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
+  console.warn(`[Checkpoint] ${MIGRATION_ERROR}`);
+}
+function __resetNodejsWasmWarningForTests() {
+  _nodejsWasmWarned = false;
+}
 async function loadWasmNodejs() {
-  if (wasmInitialized) {
-    return true;
-  }
-  try {
-    const possiblePaths = [
-      // In node_modules (most likely)
-      path.join(
-        process.cwd(),
-        "node_modules",
-        "@kya-os",
-        "agentshield",
-        "dist",
-        "wasm",
-        "agentshield_wasm_bg.wasm"
-      ),
-      // In project root (if user copied it)
-      path.join(process.cwd(), "agentshield_wasm_bg.wasm"),
-      // Relative to current file
-      path.join(
-        __dirname,
-        "..",
-        "..",
-        "..",
-        "agentshield",
-        "dist",
-        "wasm",
-        "agentshield_wasm_bg.wasm"
-      )
-    ];
-    let wasmBuffer = null;
-    let loadedPath = null;
-    for (const wasmPath of possiblePaths) {
-      try {
-        if (fs.existsSync(wasmPath)) {
-          wasmBuffer = fs.readFileSync(wasmPath);
-          loadedPath = wasmPath;
-          break;
-        }
-      } catch (e) {
-        continue;
-      }
-    }
-    if (!wasmBuffer) {
-      console.warn("AgentShield: WASM file not found in any expected location");
-      return false;
-    }
-    const bytes = new Uint8Array(wasmBuffer);
-    wasmModule = await WebAssembly.compile(bytes);
-    setWasmModule(wasmModule);
-    wasmInitialized = true;
-    console.log(`\u2705 AgentShield: WASM loaded successfully from ${loadedPath} (Node.js runtime)`);
-    console.log("\u{1F510} Cryptographic verification enabled (95-100% confidence)");
-    return true;
-  } catch (error) {
-    console.warn("\u26A0\uFE0F AgentShield: Failed to load WASM in Node.js runtime:", error);
-    console.log("\u{1F4CA} Falling back to pattern detection (85% confidence)");
-    return false;
-  }
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function isNodejsRuntime() {
-  return typeof process !== "undefined" && typeof process.versions !== "undefined" && typeof process.versions.node !== "undefined" && typeof __require !== "undefined";
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function getWasmModule() {
-  return wasmModule;
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 function isWasmInitialized() {
-  return wasmInitialized;
+  warnNodejsWasmDeprecated();
+  throw new Error(MIGRATION_ERROR);
 }
 
-export { getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };
+export { __resetNodejsWasmWarningForTests, getWasmModule, isNodejsRuntime, isWasmInitialized, loadWasmNodejs };

package/dist/session-tracker.d.mts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { DetectionResult } from '@kya-os/checkpoint-shared';
+import { DetectionDetail } from '@kya-os/checkpoint-shared';
 
 /**
  * Edge-compatible session tracking for AI agents
@@ -25,7 +25,7 @@ declare class EdgeSessionTracker {
     /**
      * Track a new AI agent session
      */
-    track(_request: NextRequest, response: NextResponse, result: DetectionResult): Promise<NextResponse>;
+    track(_request: NextRequest, response: NextResponse, result: DetectionDetail): Promise<NextResponse>;
     /**
      * Check for existing AI agent session
      */

package/dist/session-tracker.d.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { DetectionResult } from '@kya-os/checkpoint-shared';
+import { DetectionDetail } from '@kya-os/checkpoint-shared';
 
 /**
  * Edge-compatible session tracking for AI agents
@@ -25,7 +25,7 @@ declare class EdgeSessionTracker {
     /**
      * Track a new AI agent session
      */
-    track(_request: NextRequest, response: NextResponse, result: DetectionResult): Promise<NextResponse>;
+    track(_request: NextRequest, response: NextResponse, result: DetectionDetail): Promise<NextResponse>;
     /**
      * Check for existing AI agent session
      */

package/dist/session-tracker.js

@@ -19,7 +19,9 @@ var EdgeSessionTracker = class {
    */
   async track(_request, response, result) {
     try {
-      if (!this.config.enabled || !checkpointShared.shouldEnforce(result)) {
+      const detectedName = result.detectedAgent?.name;
+      const isEnforceable = result.isAgent || result.isAiCrawler || checkpointShared.isKnownAiCrawler(detectedName);
+      if (!this.config.enabled || !isEnforceable) {
         return response;
       }
       const sessionData = {

package/dist/session-tracker.mjs

@@ -1,4 +1,4 @@
-import { shouldEnforce } from '@kya-os/checkpoint-shared';
+import { isKnownAiCrawler } from '@kya-os/checkpoint-shared';
 
 // src/session-tracker.ts
 var EdgeSessionTracker = class {
@@ -17,7 +17,9 @@ var EdgeSessionTracker = class {
    */
   async track(_request, response, result) {
     try {
-      if (!this.config.enabled || !shouldEnforce(result)) {
+      const detectedName = result.detectedAgent?.name;
+      const isEnforceable = result.isAgent || result.isAiCrawler || isKnownAiCrawler(detectedName);
+      if (!this.config.enabled || !isEnforceable) {
         return response;
       }
       const sessionData = {

package/dist/wasm-middleware.d.mts

@@ -1,10 +1,21 @@
 import { NextRequest, NextResponse } from 'next/server';
 
 /**
- * WASM-enabled middleware for Next.js with AgentShield
- * Following official Next.js documentation for WebAssembly in Edge Runtime
+ * WASM-enabled middleware for Next.js with Checkpoint.
+ *
+ * **Deprecation notice (AgentDetector-Deletion-1):**
+ * `createWasmAgentShieldMiddleware` is deprecated as of this patch and
+ * slated for removal in the next minor. It internally constructs a
+ * legacy `AgentDetector` and never actually uses the WASM instance for
+ * detection (the `wasmInstance` arg only bumps confidence by 15%).
+ * Stage 1 detection now lives in the Rust `kya-os-engine` (PDM-1
+ * #2560). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`
+ * — engine-backed, runs the orchestrator including envelope
+ * verification.
  */
 
+/** @internal — test-only reset for the one-shot warn latch. */
+declare function __resetCreateWasmAgentShieldWarningForTests(): void;
 interface WasmDetectionResult {
     isAgent: boolean;
     isAiCrawler?: boolean;
@@ -26,6 +37,11 @@ interface AgentShieldConfig {
     };
 }
 /**
+ * @deprecated Wraps the legacy `AgentDetector` class. Will be removed
+ * in the next minor (AgentDetector-Deletion-2). Migrate to
+ * `withCheckpoint` from `@kya-os/checkpoint-nextjs` — engine-backed,
+ * runs the orchestrator including envelope verification.
+ *
  * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
  *
  * **This factory runs UA/header pattern matching only.** It does NOT
@@ -79,4 +95,4 @@ declare function createWasmAgentShieldMiddleware(config: AgentShieldConfig & {
  */
 declare function instantiateWasm(wasmModule: WebAssembly.Module): Promise<WebAssembly.Instance>;
 
-export { type AgentShieldConfig, type WasmDetectionResult, createWasmAgentShieldMiddleware, instantiateWasm };
+export { type AgentShieldConfig, type WasmDetectionResult, __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };

package/dist/wasm-middleware.d.ts

@@ -1,10 +1,21 @@
 import { NextRequest, NextResponse } from 'next/server';
 
 /**
- * WASM-enabled middleware for Next.js with AgentShield
- * Following official Next.js documentation for WebAssembly in Edge Runtime
+ * WASM-enabled middleware for Next.js with Checkpoint.
+ *
+ * **Deprecation notice (AgentDetector-Deletion-1):**
+ * `createWasmAgentShieldMiddleware` is deprecated as of this patch and
+ * slated for removal in the next minor. It internally constructs a
+ * legacy `AgentDetector` and never actually uses the WASM instance for
+ * detection (the `wasmInstance` arg only bumps confidence by 15%).
+ * Stage 1 detection now lives in the Rust `kya-os-engine` (PDM-1
+ * #2560). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`
+ * — engine-backed, runs the orchestrator including envelope
+ * verification.
  */
 
+/** @internal — test-only reset for the one-shot warn latch. */
+declare function __resetCreateWasmAgentShieldWarningForTests(): void;
 interface WasmDetectionResult {
     isAgent: boolean;
     isAiCrawler?: boolean;
@@ -26,6 +37,11 @@ interface AgentShieldConfig {
     };
 }
 /**
+ * @deprecated Wraps the legacy `AgentDetector` class. Will be removed
+ * in the next minor (AgentDetector-Deletion-2). Migrate to
+ * `withCheckpoint` from `@kya-os/checkpoint-nextjs` — engine-backed,
+ * runs the orchestrator including envelope verification.
+ *
  * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
  *
  * **This factory runs UA/header pattern matching only.** It does NOT
@@ -79,4 +95,4 @@ declare function createWasmAgentShieldMiddleware(config: AgentShieldConfig & {
  */
 declare function instantiateWasm(wasmModule: WebAssembly.Module): Promise<WebAssembly.Instance>;
 
-export { type AgentShieldConfig, type WasmDetectionResult, createWasmAgentShieldMiddleware, instantiateWasm };
+export { type AgentShieldConfig, type WasmDetectionResult, __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };