@kya-os/checkpoint-nextjs 1.1.4 → 1.7.0

package/dist/nodejs-wasm-loader.d.ts

@@ -1,10 +1,9 @@
 /**
  * @deprecated Phase-D.9a — legacy Node.js WASM loader for the retired
  * `agentshield-wasm` Rust crate. This file used `fs.readFileSync` to
- * locate + load the legacy detector's WASM binary into the
- * `@kya-os/checkpoint` `AgentDetector` class via `setWasmModule`. Both
- * the WASM crate (Phase-D.9a/D.9b) and the AgentDetector class
- * (AgentDetector-Deletion-2, next minor) are slated for deletion.
+ * locate + load the legacy detector's WASM binary into the legacy
+ * detection class. Both the WASM crate (Phase-D.9a/D.9b) and the
+ * detection class (removed in AgentDetector-Deletion-2) are retired.
  *
  * Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` — it
  * loads the canonical `kya-os-engine` WASM automatically via

package/dist/nodejs-wasm-loader.js

@@ -1,7 +1,7 @@
 'use strict';
 
 // src/nodejs-wasm-loader.ts
-var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy detection class they fed was removed in AgentDetector-Deletion-2. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
 var _nodejsWasmWarned = false;
 function warnNodejsWasmDeprecated() {
   if (_nodejsWasmWarned) return;

package/dist/nodejs-wasm-loader.mjs

@@ -1,5 +1,5 @@
 // src/nodejs-wasm-loader.ts
-var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy detection class they fed was removed in AgentDetector-Deletion-2. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
 var _nodejsWasmWarned = false;
 function warnNodejsWasmDeprecated() {
   if (_nodejsWasmWarned) return;

package/dist/signature-verifier.js

@@ -34,8 +34,8 @@ var KNOWN_KEYS = {
       publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
       validFrom: 1735689600,
       // Jan 1, 2025 (nbf from OpenAI)
-      validUntil: 1769029093
-      // Jan 21, 2026 (exp from OpenAI)
+      validUntil: 1780362143
+      // Jun 1, 2026 (exp from OpenAI live directory 2026-05-25)
     }
   ]
 };

package/dist/signature-verifier.mjs

@@ -12,8 +12,8 @@ var KNOWN_KEYS = {
       publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
       validFrom: 1735689600,
       // Jan 1, 2025 (nbf from OpenAI)
-      validUntil: 1769029093
-      // Jan 21, 2026 (exp from OpenAI)
+      validUntil: 1780362143
+      // Jun 1, 2026 (exp from OpenAI live directory 2026-05-25)
     }
   ]
 };

package/dist/wasm-setup.js

@@ -53,7 +53,7 @@ function isWasmInitialized() {
 var MIGRATION_ERROR, _nodejsWasmWarned;
 var init_nodejs_wasm_loader = __esm({
   "src/nodejs-wasm-loader.ts"() {
-    MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+    MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy detection class they fed was removed in AgentDetector-Deletion-2. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
     _nodejsWasmWarned = false;
   }
 });

package/dist/wasm-setup.mjs

@@ -51,7 +51,7 @@ function isWasmInitialized() {
 var MIGRATION_ERROR, _nodejsWasmWarned;
 var init_nodejs_wasm_loader = __esm({
   "src/nodejs-wasm-loader.ts"() {
-    MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+    MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy detection class they fed was removed in AgentDetector-Deletion-2. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
     _nodejsWasmWarned = false;
   }
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/checkpoint-nextjs",
-  "version": "1.1.4",
+  "version": "1.7.0",
   "description": "Checkpoint Next.js middleware for AI agent detection (formerly @kya-os/agentshield-nextjs)",
   "keywords": [
     "nextjs",
@@ -62,11 +62,6 @@
       "import": "./dist/wasm-setup.mjs",
       "require": "./dist/wasm-setup.js"
     },
-    "./wasm-middleware": {
-      "types": "./dist/wasm-middleware.d.ts",
-      "import": "./dist/wasm-middleware.mjs",
-      "require": "./dist/wasm-middleware.js"
-    },
     "./edge-wasm-middleware": {
       "types": "./dist/edge-wasm-middleware.d.ts",
       "import": "./dist/edge-wasm-middleware.mjs",
@@ -115,12 +110,14 @@
     "rimraf": "^5.0.5",
     "tsup": "^8.0.2",
     "typescript": "^5.4.2",
+    "vite-plugin-top-level-await": "^1.6.0",
+    "vite-plugin-wasm": "^3.6.0",
     "vitest": "^1.3.1"
   },
   "peerDependencies": {
+    "@upstash/redis": ">=1.0.0",
     "next": ">=13.0.0",
-    "react": ">=18.0.0",
-    "@upstash/redis": ">=1.0.0"
+    "react": ">=18.0.0"
   },
   "peerDependenciesMeta": {
     "@upstash/redis": {
@@ -134,9 +131,9 @@
   "dependencies": {
     "@noble/ed25519": "^2.2.3",
     "@noble/hashes": "^2.0.1",
-    "@kya-os/checkpoint": "1.0.1",
-    "@kya-os/checkpoint-shared": "1.1.0",
-    "@kya-os/checkpoint-wasm-runtime": "^1.2.0"
+    "@kya-os/checkpoint": "1.2.0",
+    "@kya-os/checkpoint-shared": "1.2.0",
+    "@kya-os/checkpoint-wasm-runtime": "^1.8.0"
   },
   "scripts": {
     "build": "tsup",

package/dist/wasm-middleware.d.mts

@@ -1,98 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-
-/**
- * WASM-enabled middleware for Next.js with Checkpoint.
- *
- * **Deprecation notice (AgentDetector-Deletion-1):**
- * `createWasmAgentShieldMiddleware` is deprecated as of this patch and
- * slated for removal in the next minor. It internally constructs a
- * legacy `AgentDetector` and never actually uses the WASM instance for
- * detection (the `wasmInstance` arg only bumps confidence by 15%).
- * Stage 1 detection now lives in the Rust `kya-os-engine` (PDM-1
- * #2560). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`
- * — engine-backed, runs the orchestrator including envelope
- * verification.
- */
-
-/** @internal — test-only reset for the one-shot warn latch. */
-declare function __resetCreateWasmAgentShieldWarningForTests(): void;
-interface WasmDetectionResult {
-    isAgent: boolean;
-    isAiCrawler?: boolean;
-    confidence: number;
-    agent?: string | undefined;
-    verificationMethod: 'signature' | 'pattern' | 'none';
-    riskLevel: 'low' | 'medium' | 'high';
-    timestamp: string;
-}
-interface AgentShieldConfig {
-    onAgentDetected?: (result: WasmDetectionResult) => void | Promise<void>;
-    blockOnHighConfidence?: boolean;
-    confidenceThreshold?: number;
-    skipPaths?: string[];
-    blockedResponse?: {
-        status?: number;
-        message?: string;
-        headers?: Record<string, string>;
-    };
-}
-/**
- * @deprecated Wraps the legacy `AgentDetector` class. Will be removed
- * in the next minor (AgentDetector-Deletion-2). Migrate to
- * `withCheckpoint` from `@kya-os/checkpoint-nextjs` — engine-backed,
- * runs the orchestrator including envelope verification.
- *
- * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
- *
- * **This factory runs UA/header pattern matching only.** It does NOT
- * verify MCP-I signed envelopes — no JWS verification, no DID
- * resolution, no orchestrator stages. Use it when your only enforcement
- * concern is "is this request from a known bot pattern."
- *
- * **For envelope verification, use {@link withCheckpoint} instead** —
- * exported from `@kya-os/checkpoint-nextjs` (Node runtime) or
- * `@kya-os/checkpoint-nextjs/edge` (Edge runtime). `withCheckpoint`
- * routes every request through the kya-os-engine via WASM and supports
- * both `_meta.proof.jws` body envelopes (default) and the legacy
- * `KYA-Delegation` header form (opt-in via `legacyEnvelopeFallback`).
- * See SDK-Envelope-Plumbing-1 (#2594) for the migration context.
- *
- * @example pattern-only (this factory)
- * ```typescript
- * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * import { createCheckpointWasmMiddleware } from '@kya-os/checkpoint-nextjs';
- *
- * const wasmInstance = await WebAssembly.instantiate(wasmModule);
- * export const middleware = createCheckpointWasmMiddleware({
- *   wasmInstance,
- *   confidenceThreshold: 80,
- * });
- * ```
- *
- * @example envelope verification (use `withCheckpoint` instead)
- * ```typescript
- * import { withCheckpoint } from '@kya-os/checkpoint-nextjs';
- *
- * export default withCheckpoint({
- *   tenantHost: 'acme.checkpoint.example',
- *   legacyEnvelopeFallback: true, // accept `KYA-Delegation` header form
- *   // drainJsonBody defaults to true; spec-form `_meta.proof.jws` works out of the box
- * });
- * ```
- */
-declare function createWasmAgentShieldMiddleware(config: AgentShieldConfig & {
-    wasmInstance?: WebAssembly.Instance;
-}): (request: NextRequest) => Promise<NextResponse<unknown>>;
-/**
- * Helper to load and instantiate WASM module
- * This should be called at the top of your middleware.ts file
- *
- * @example
- * ```typescript
- * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * const wasmInstance = await instantiateWasm(wasmModule);
- * ```
- */
-declare function instantiateWasm(wasmModule: WebAssembly.Module): Promise<WebAssembly.Instance>;
-
-export { type AgentShieldConfig, type WasmDetectionResult, __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };

package/dist/wasm-middleware.d.ts

@@ -1,98 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-
-/**
- * WASM-enabled middleware for Next.js with Checkpoint.
- *
- * **Deprecation notice (AgentDetector-Deletion-1):**
- * `createWasmAgentShieldMiddleware` is deprecated as of this patch and
- * slated for removal in the next minor. It internally constructs a
- * legacy `AgentDetector` and never actually uses the WASM instance for
- * detection (the `wasmInstance` arg only bumps confidence by 15%).
- * Stage 1 detection now lives in the Rust `kya-os-engine` (PDM-1
- * #2560). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`
- * — engine-backed, runs the orchestrator including envelope
- * verification.
- */
-
-/** @internal — test-only reset for the one-shot warn latch. */
-declare function __resetCreateWasmAgentShieldWarningForTests(): void;
-interface WasmDetectionResult {
-    isAgent: boolean;
-    isAiCrawler?: boolean;
-    confidence: number;
-    agent?: string | undefined;
-    verificationMethod: 'signature' | 'pattern' | 'none';
-    riskLevel: 'low' | 'medium' | 'high';
-    timestamp: string;
-}
-interface AgentShieldConfig {
-    onAgentDetected?: (result: WasmDetectionResult) => void | Promise<void>;
-    blockOnHighConfidence?: boolean;
-    confidenceThreshold?: number;
-    skipPaths?: string[];
-    blockedResponse?: {
-        status?: number;
-        message?: string;
-        headers?: Record<string, string>;
-    };
-}
-/**
- * @deprecated Wraps the legacy `AgentDetector` class. Will be removed
- * in the next minor (AgentDetector-Deletion-2). Migrate to
- * `withCheckpoint` from `@kya-os/checkpoint-nextjs` — engine-backed,
- * runs the orchestrator including envelope verification.
- *
- * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
- *
- * **This factory runs UA/header pattern matching only.** It does NOT
- * verify MCP-I signed envelopes — no JWS verification, no DID
- * resolution, no orchestrator stages. Use it when your only enforcement
- * concern is "is this request from a known bot pattern."
- *
- * **For envelope verification, use {@link withCheckpoint} instead** —
- * exported from `@kya-os/checkpoint-nextjs` (Node runtime) or
- * `@kya-os/checkpoint-nextjs/edge` (Edge runtime). `withCheckpoint`
- * routes every request through the kya-os-engine via WASM and supports
- * both `_meta.proof.jws` body envelopes (default) and the legacy
- * `KYA-Delegation` header form (opt-in via `legacyEnvelopeFallback`).
- * See SDK-Envelope-Plumbing-1 (#2594) for the migration context.
- *
- * @example pattern-only (this factory)
- * ```typescript
- * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * import { createCheckpointWasmMiddleware } from '@kya-os/checkpoint-nextjs';
- *
- * const wasmInstance = await WebAssembly.instantiate(wasmModule);
- * export const middleware = createCheckpointWasmMiddleware({
- *   wasmInstance,
- *   confidenceThreshold: 80,
- * });
- * ```
- *
- * @example envelope verification (use `withCheckpoint` instead)
- * ```typescript
- * import { withCheckpoint } from '@kya-os/checkpoint-nextjs';
- *
- * export default withCheckpoint({
- *   tenantHost: 'acme.checkpoint.example',
- *   legacyEnvelopeFallback: true, // accept `KYA-Delegation` header form
- *   // drainJsonBody defaults to true; spec-form `_meta.proof.jws` works out of the box
- * });
- * ```
- */
-declare function createWasmAgentShieldMiddleware(config: AgentShieldConfig & {
-    wasmInstance?: WebAssembly.Instance;
-}): (request: NextRequest) => Promise<NextResponse<unknown>>;
-/**
- * Helper to load and instantiate WASM module
- * This should be called at the top of your middleware.ts file
- *
- * @example
- * ```typescript
- * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * const wasmInstance = await instantiateWasm(wasmModule);
- * ```
- */
-declare function instantiateWasm(wasmModule: WebAssembly.Module): Promise<WebAssembly.Instance>;
-
-export { type AgentShieldConfig, type WasmDetectionResult, __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };

package/dist/wasm-middleware.js

@@ -1,125 +0,0 @@
-'use strict';
-
-var server = require('next/server');
-var checkpoint = require('@kya-os/checkpoint');
-
-// src/wasm-middleware.ts
-
-// src/local-detection-gate.ts
-function isDetectedAgentForLocalGate(result) {
-  return result.isAgent === true;
-}
-function evaluateLocalDetectionGate(result, config) {
-  if (!isDetectedAgentForLocalGate(result)) {
-    return { action: "allow", shouldNotify: false };
-  }
-  if ((result.confidence ?? 0) >= config.confidenceThreshold) {
-    return { action: config.defaultAction, shouldNotify: true };
-  }
-  return { action: "allow", shouldNotify: false };
-}
-
-// src/wasm-middleware.ts
-var _createWasmAgentShieldWarned = false;
-function warnCreateWasmAgentShieldDeprecated() {
-  if (_createWasmAgentShieldWarned) return;
-  _createWasmAgentShieldWarned = true;
-  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
-  console.warn(
-    "[Checkpoint] createWasmAgentShieldMiddleware is deprecated and will be removed in the next minor. It wraps the legacy AgentDetector class; Stage 1 detection now lives in the Rust kya-os-engine (PDM-1). Migrate to `withCheckpoint` from @kya-os/checkpoint-nextjs \u2014 engine-backed and runs envelope verification. See packages/checkpoint-nextjs/CHANGELOG.md for the recipe."
-  );
-}
-function __resetCreateWasmAgentShieldWarningForTests() {
-  _createWasmAgentShieldWarned = false;
-}
-function createWasmAgentShieldMiddleware(config) {
-  warnCreateWasmAgentShieldDeprecated();
-  const {
-    onAgentDetected,
-    blockOnHighConfidence = false,
-    confidenceThreshold = 80,
-    // Updated to 0-100 scale (was 0.8)
-    skipPaths = [],
-    blockedResponse = {
-      status: 403,
-      message: "Access denied: AI agent detected",
-      headers: { "Content-Type": "application/json" }
-    },
-    wasmInstance
-  } = config;
-  return async function middleware(request) {
-    const path = request.nextUrl.pathname;
-    if (skipPaths.some((skip) => path.startsWith(skip))) {
-      return server.NextResponse.next();
-    }
-    try {
-      const detector = new checkpoint.AgentDetector();
-      const hasWasm = !!wasmInstance;
-      const metadata = {
-        userAgent: request.headers.get("user-agent") || void 0,
-        ipAddress: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
-        headers: Object.fromEntries(request.headers.entries()),
-        timestamp: /* @__PURE__ */ new Date()
-      };
-      const result = await detector.analyze(metadata);
-      const enhancedResult = {
-        isAgent: result.isAgent,
-        isAiCrawler: result.isAiCrawler,
-        confidence: hasWasm && result.confidence > 85 ? Math.min(result.confidence * 1.15, 100) : result.confidence,
-        agent: result.detectedAgent?.name || void 0,
-        verificationMethod: hasWasm && result.confidence > 85 ? "signature" : "pattern",
-        // Updated to 0-100 scale
-        riskLevel: result.confidence > 90 ? "high" : result.confidence > 70 ? "medium" : "low",
-        // Updated to 0-100 scale (was 0.7)
-        timestamp: result.timestamp instanceof Date ? result.timestamp.toISOString() : new Date(result.timestamp).toISOString()
-      };
-      const decision = evaluateLocalDetectionGate(enhancedResult, {
-        confidenceThreshold,
-        defaultAction: blockOnHighConfidence ? "block" : "allow"
-      });
-      if (onAgentDetected && isDetectedAgentForLocalGate(enhancedResult)) {
-        await onAgentDetected(enhancedResult);
-      }
-      if (decision.action === "block") {
-        return server.NextResponse.json(
-          {
-            error: blockedResponse.message,
-            agent: enhancedResult.agent,
-            confidence: Math.round(enhancedResult.confidence)
-          },
-          {
-            status: blockedResponse.status || 403,
-            headers: blockedResponse.headers || {}
-          }
-        );
-      }
-      const response = server.NextResponse.next();
-      if (enhancedResult.isAgent) {
-        response.headers.set("X-Agent-Detected", enhancedResult.agent || "unknown");
-        response.headers.set(
-          "X-Agent-Confidence",
-          String(Math.round(enhancedResult.confidence * 100))
-        );
-        response.headers.set("X-Agent-Verification", enhancedResult.verificationMethod);
-      }
-      return response;
-    } catch (error) {
-      console.error("AgentShield middleware error:", error);
-      return server.NextResponse.next();
-    }
-  };
-}
-async function instantiateWasm(wasmModule) {
-  try {
-    const instance = await WebAssembly.instantiate(wasmModule);
-    console.log("\u2705 AgentShield: WASM module loaded for cryptographic verification");
-    return instance;
-  } catch (error) {
-    console.warn("\u26A0\uFE0F AgentShield: Failed to instantiate WASM module", error);
-    throw error;
-  }
-}
-
-exports.__resetCreateWasmAgentShieldWarningForTests = __resetCreateWasmAgentShieldWarningForTests;
-exports.createWasmAgentShieldMiddleware = createWasmAgentShieldMiddleware;
-exports.instantiateWasm = instantiateWasm;

package/dist/wasm-middleware.mjs

@@ -1,121 +0,0 @@
-import { NextResponse } from 'next/server';
-import { AgentDetector } from '@kya-os/checkpoint';
-
-// src/wasm-middleware.ts
-
-// src/local-detection-gate.ts
-function isDetectedAgentForLocalGate(result) {
-  return result.isAgent === true;
-}
-function evaluateLocalDetectionGate(result, config) {
-  if (!isDetectedAgentForLocalGate(result)) {
-    return { action: "allow", shouldNotify: false };
-  }
-  if ((result.confidence ?? 0) >= config.confidenceThreshold) {
-    return { action: config.defaultAction, shouldNotify: true };
-  }
-  return { action: "allow", shouldNotify: false };
-}
-
-// src/wasm-middleware.ts
-var _createWasmAgentShieldWarned = false;
-function warnCreateWasmAgentShieldDeprecated() {
-  if (_createWasmAgentShieldWarned) return;
-  _createWasmAgentShieldWarned = true;
-  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
-  console.warn(
-    "[Checkpoint] createWasmAgentShieldMiddleware is deprecated and will be removed in the next minor. It wraps the legacy AgentDetector class; Stage 1 detection now lives in the Rust kya-os-engine (PDM-1). Migrate to `withCheckpoint` from @kya-os/checkpoint-nextjs \u2014 engine-backed and runs envelope verification. See packages/checkpoint-nextjs/CHANGELOG.md for the recipe."
-  );
-}
-function __resetCreateWasmAgentShieldWarningForTests() {
-  _createWasmAgentShieldWarned = false;
-}
-function createWasmAgentShieldMiddleware(config) {
-  warnCreateWasmAgentShieldDeprecated();
-  const {
-    onAgentDetected,
-    blockOnHighConfidence = false,
-    confidenceThreshold = 80,
-    // Updated to 0-100 scale (was 0.8)
-    skipPaths = [],
-    blockedResponse = {
-      status: 403,
-      message: "Access denied: AI agent detected",
-      headers: { "Content-Type": "application/json" }
-    },
-    wasmInstance
-  } = config;
-  return async function middleware(request) {
-    const path = request.nextUrl.pathname;
-    if (skipPaths.some((skip) => path.startsWith(skip))) {
-      return NextResponse.next();
-    }
-    try {
-      const detector = new AgentDetector();
-      const hasWasm = !!wasmInstance;
-      const metadata = {
-        userAgent: request.headers.get("user-agent") || void 0,
-        ipAddress: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
-        headers: Object.fromEntries(request.headers.entries()),
-        timestamp: /* @__PURE__ */ new Date()
-      };
-      const result = await detector.analyze(metadata);
-      const enhancedResult = {
-        isAgent: result.isAgent,
-        isAiCrawler: result.isAiCrawler,
-        confidence: hasWasm && result.confidence > 85 ? Math.min(result.confidence * 1.15, 100) : result.confidence,
-        agent: result.detectedAgent?.name || void 0,
-        verificationMethod: hasWasm && result.confidence > 85 ? "signature" : "pattern",
-        // Updated to 0-100 scale
-        riskLevel: result.confidence > 90 ? "high" : result.confidence > 70 ? "medium" : "low",
-        // Updated to 0-100 scale (was 0.7)
-        timestamp: result.timestamp instanceof Date ? result.timestamp.toISOString() : new Date(result.timestamp).toISOString()
-      };
-      const decision = evaluateLocalDetectionGate(enhancedResult, {
-        confidenceThreshold,
-        defaultAction: blockOnHighConfidence ? "block" : "allow"
-      });
-      if (onAgentDetected && isDetectedAgentForLocalGate(enhancedResult)) {
-        await onAgentDetected(enhancedResult);
-      }
-      if (decision.action === "block") {
-        return NextResponse.json(
-          {
-            error: blockedResponse.message,
-            agent: enhancedResult.agent,
-            confidence: Math.round(enhancedResult.confidence)
-          },
-          {
-            status: blockedResponse.status || 403,
-            headers: blockedResponse.headers || {}
-          }
-        );
-      }
-      const response = NextResponse.next();
-      if (enhancedResult.isAgent) {
-        response.headers.set("X-Agent-Detected", enhancedResult.agent || "unknown");
-        response.headers.set(
-          "X-Agent-Confidence",
-          String(Math.round(enhancedResult.confidence * 100))
-        );
-        response.headers.set("X-Agent-Verification", enhancedResult.verificationMethod);
-      }
-      return response;
-    } catch (error) {
-      console.error("AgentShield middleware error:", error);
-      return NextResponse.next();
-    }
-  };
-}
-async function instantiateWasm(wasmModule) {
-  try {
-    const instance = await WebAssembly.instantiate(wasmModule);
-    console.log("\u2705 AgentShield: WASM module loaded for cryptographic verification");
-    return instance;
-  } catch (error) {
-    console.warn("\u26A0\uFE0F AgentShield: Failed to instantiate WASM module", error);
-    throw error;
-  }
-}
-
-export { __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };