@kya-os/checkpoint-nextjs 1.2.0 → 1.7.0

package/dist/middleware-node.js

@@ -2,8 +2,10 @@
 
 var orchestrator = require('@kya-os/checkpoint-wasm-runtime/orchestrator');
 var adapters = require('@kya-os/checkpoint-wasm-runtime/adapters');
-var server = require('next/server');
+var reporter = require('@kya-os/checkpoint-wasm-runtime/reporter');
 var checkpointShared = require('@kya-os/checkpoint-shared');
+var server = require('next/server');
+var composedPolicy = require('@kya-os/checkpoint-wasm-runtime/composed-policy');
 
 // src/middleware-node.ts
 function adaptToNextResponse(rendered, req) {
@@ -54,6 +56,85 @@ function applyHeaders(res, headers) {
     res.headers.set(key, value);
   }
 }
+var DEFAULT_DASHBOARD_URL = "https://kya.vouched.id";
+var NOOP_LOGGER = {
+  shadowDivergence: () => {
+  },
+  evaluationError: () => {
+  }
+};
+function makeComposedPolicyContext(opts) {
+  const { projectId, fetcher } = opts;
+  const cache = composedPolicy.makeComposedPolicyCache({ compile: opts.compile, cacheMax: opts.cacheMax });
+  const logger = opts.logger ?? NOOP_LOGGER;
+  return {
+    async apply(result, path) {
+      const structured = { decision: result.decision, acted: false };
+      const policy = await fetcher.getPolicy(projectId);
+      const outcome = await composedPolicy.evaluateComposedPolicy({
+        cache,
+        projectId,
+        flags: {
+          policyLanguage: policy.policyLanguage,
+          policySourceText: policy.policySourceText,
+          engineEnforcementEnabled: policy.engineEnforcementEnabled,
+          enabled: policy.enabled
+        },
+        authorizeInput: composedPolicy.verifyResultToAuthorizeInput(result, { tenantId: projectId, path }),
+        baselineDecisionKind: result.decision.kind
+      });
+      if ((outcome.status === "acting" || outcome.status === "shadow") && outcome.diverged) {
+        logger.shadowDivergence({
+          projectId,
+          path,
+          engineDecision: outcome.engineDecision.kind,
+          structuredDecision: result.decision.kind,
+          detectionClass: result.detectionDetail.detectionClass.type,
+          verificationMethod: result.detectionDetail.verificationMethod,
+          confidence: result.detectionDetail.confidence,
+          agentName: result.detectionDetail.detectedAgent?.name
+        });
+      }
+      if (outcome.status === "error") {
+        logger.evaluationError(projectId, outcome.error);
+        return structured;
+      }
+      if (outcome.status === "acting") {
+        return { decision: outcome.engineDecision, acted: true };
+      }
+      return structured;
+    },
+    async trustedDelegationRoots() {
+      const policy = await fetcher.getPolicy(projectId);
+      return policy.trustedDelegationRoots ?? [];
+    }
+  };
+}
+async function resolveTrustedDelegationRootsForRequest(resolver, headers) {
+  if (!resolver) return void 0;
+  if (!checkpointShared.requestCarriesDelegationProof(headers)) return void 0;
+  const roots = await resolver();
+  return roots.length > 0 ? roots : void 0;
+}
+async function applyComposedPolicy(context, result, path) {
+  if (!context) return;
+  try {
+    const outcome = await context.apply(result, path);
+    if (outcome.acted) result.decision = outcome.decision;
+  } catch {
+  }
+}
+var consoleComposedPolicyLogger = {
+  shadowDivergence(info) {
+    console.warn("[checkpoint/composed-policy] shadow-divergence", info);
+  },
+  evaluationError(projectId, error) {
+    console.error(
+      `[checkpoint/composed-policy] evaluation failed for ${projectId}; using structured decision:`,
+      error
+    );
+  }
+};
 
 // src/translate.ts
 async function nextRequestToHttpLike(req, opts = {}) {
@@ -98,15 +179,91 @@ function extractRemoteAddress(req) {
 // src/middleware-node.ts
 function withCheckpoint(config) {
   const opts = buildVerifyOpts(config);
+  const reporter = buildReporter(config);
+  const composed = buildComposedContext(config);
+  const trustedRootsResolver = buildTrustedRootsResolver(config, composed);
   const translateOpts = { drainJsonBody: config.drainJsonBody };
-  return async function checkpointMiddleware(req) {
+  return async function checkpointMiddleware(req, event) {
     const httpLike = await nextRequestToHttpLike(req, translateOpts);
-    const result = await orchestrator.verifyRequest(httpLike, opts);
+    const trustedDelegationRoots = await resolveTrustedDelegationRootsForRequest(
+      trustedRootsResolver,
+      req.headers
+    );
+    const result = await orchestrator.verifyRequest(
+      httpLike,
+      trustedDelegationRoots ? { ...opts, trustedDelegationRoots } : opts
+    );
+    await applyComposedPolicy(composed, result, req.nextUrl.pathname);
+    if (reporter) {
+      const reportPromise = reporter(result, extractReporterContext(req));
+      if (event) {
+        event.waitUntil(reportPromise);
+      }
+    }
     await dispatchOnResult(config, result, req);
     const rendered = orchestrator.renderDecisionAsResponse(result);
     return adaptToNextResponse(rendered, req);
   };
 }
+var SDK_NAME = "@kya-os/checkpoint-nextjs";
+var VERSION = "1.7.0";
+function buildReporter(config, runtime = "node") {
+  if (!config.apiKey) return null;
+  return reporter.makeDetectionReporter({
+    apiKey: config.apiKey,
+    baseUrl: config.baseUrl,
+    debug: config.debug,
+    // Self-identify (incl. node-vs-edge) so the dashboard can version-gate
+    // enforcement. Next.js EDGE composed enforcement is opt-in (needs
+    // `cedarWasmModule`), so the dashboard shows it as opt-in, never "Enforcing".
+    sdk: { name: SDK_NAME, version: VERSION, runtime }
+  });
+}
+function buildTrustedRootsResolver(config, composed) {
+  if (composed?.trustedDelegationRoots) {
+    return () => composed.trustedDelegationRoots();
+  }
+  if (!config.projectId) return null;
+  const fetcher = new checkpointShared.PolicyFetcher({
+    apiBaseUrl: config.dashboardUrl ?? config.baseUrl ?? DEFAULT_DASHBOARD_URL,
+    apiKey: config.apiKey,
+    cacheTtlSeconds: config.policyCacheTtlSeconds
+  });
+  const projectId = config.projectId;
+  return async () => (await fetcher.getPolicy(projectId)).trustedDelegationRoots ?? [];
+}
+function buildComposedContext(config) {
+  if (config.composedPolicyEnforcer) return config.composedPolicyEnforcer;
+  if (!config.projectId) return null;
+  return makeComposedPolicyContext({
+    projectId: config.projectId,
+    fetcher: new checkpointShared.PolicyFetcher({
+      apiBaseUrl: config.dashboardUrl ?? config.baseUrl ?? DEFAULT_DASHBOARD_URL,
+      apiKey: config.apiKey,
+      cacheTtlSeconds: config.policyCacheTtlSeconds
+    }),
+    // LAZY dynamic import — NOT a top-level `import` — so the node-only
+    // `./policy` glue (`createRequire`/`fs` at module load) is never pulled into
+    // the Edge bundle. `middleware-edge.ts` imports helpers from this file, so a
+    // top-level `./policy` import would surface as a side-effect import in the
+    // edge bundle and boot-fail on Vercel edge. The import is cached after first
+    // call; the core's single-flight cache wraps the (now async) compile.
+    compile: async (_language, source) => {
+      const { createPolicyEvaluator } = await import('@kya-os/checkpoint-wasm-runtime/policy');
+      return createPolicyEvaluator(source);
+    },
+    logger: config.debug ? consoleComposedPolicyLogger : void 0
+  });
+}
+function extractReporterContext(req) {
+  return {
+    userAgent: req.headers.get("user-agent") ?? void 0,
+    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? req.headers.get("x-real-ip") ?? void 0,
+    path: req.nextUrl.pathname,
+    url: req.nextUrl.href,
+    method: req.method
+  };
+}
 function buildVerifyOpts(config) {
   const overrides = config.adapters ?? {};
   return {
@@ -131,5 +288,9 @@ async function dispatchOnResult(config, result, req) {
   }
 }
 
+exports.VERSION = VERSION;
+exports._buildReporter = buildReporter;
+exports._buildTrustedRootsResolver = buildTrustedRootsResolver;
 exports._buildVerifyOpts = buildVerifyOpts;
+exports._extractReporterContext = extractReporterContext;
 exports.withCheckpoint = withCheckpoint;

package/dist/middleware-node.mjs

@@ -1,7 +1,9 @@
 import { verifyRequest, renderDecisionAsResponse } from '@kya-os/checkpoint-wasm-runtime/orchestrator';
 import { makeSystemClock, makePolicyEvaluator, makeReputationOracle, makeStatusListCache, makeDidResolver } from '@kya-os/checkpoint-wasm-runtime/adapters';
+import { makeDetectionReporter } from '@kya-os/checkpoint-wasm-runtime/reporter';
+import { PolicyFetcher, requestCarriesDelegationProof, acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
 import { NextResponse } from 'next/server';
-import { acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
+import { makeComposedPolicyCache, evaluateComposedPolicy, verifyResultToAuthorizeInput } from '@kya-os/checkpoint-wasm-runtime/composed-policy';
 
 // src/middleware-node.ts
 function adaptToNextResponse(rendered, req) {
@@ -52,6 +54,85 @@ function applyHeaders(res, headers) {
     res.headers.set(key, value);
   }
 }
+var DEFAULT_DASHBOARD_URL = "https://kya.vouched.id";
+var NOOP_LOGGER = {
+  shadowDivergence: () => {
+  },
+  evaluationError: () => {
+  }
+};
+function makeComposedPolicyContext(opts) {
+  const { projectId, fetcher } = opts;
+  const cache = makeComposedPolicyCache({ compile: opts.compile, cacheMax: opts.cacheMax });
+  const logger = opts.logger ?? NOOP_LOGGER;
+  return {
+    async apply(result, path) {
+      const structured = { decision: result.decision, acted: false };
+      const policy = await fetcher.getPolicy(projectId);
+      const outcome = await evaluateComposedPolicy({
+        cache,
+        projectId,
+        flags: {
+          policyLanguage: policy.policyLanguage,
+          policySourceText: policy.policySourceText,
+          engineEnforcementEnabled: policy.engineEnforcementEnabled,
+          enabled: policy.enabled
+        },
+        authorizeInput: verifyResultToAuthorizeInput(result, { tenantId: projectId, path }),
+        baselineDecisionKind: result.decision.kind
+      });
+      if ((outcome.status === "acting" || outcome.status === "shadow") && outcome.diverged) {
+        logger.shadowDivergence({
+          projectId,
+          path,
+          engineDecision: outcome.engineDecision.kind,
+          structuredDecision: result.decision.kind,
+          detectionClass: result.detectionDetail.detectionClass.type,
+          verificationMethod: result.detectionDetail.verificationMethod,
+          confidence: result.detectionDetail.confidence,
+          agentName: result.detectionDetail.detectedAgent?.name
+        });
+      }
+      if (outcome.status === "error") {
+        logger.evaluationError(projectId, outcome.error);
+        return structured;
+      }
+      if (outcome.status === "acting") {
+        return { decision: outcome.engineDecision, acted: true };
+      }
+      return structured;
+    },
+    async trustedDelegationRoots() {
+      const policy = await fetcher.getPolicy(projectId);
+      return policy.trustedDelegationRoots ?? [];
+    }
+  };
+}
+async function resolveTrustedDelegationRootsForRequest(resolver, headers) {
+  if (!resolver) return void 0;
+  if (!requestCarriesDelegationProof(headers)) return void 0;
+  const roots = await resolver();
+  return roots.length > 0 ? roots : void 0;
+}
+async function applyComposedPolicy(context, result, path) {
+  if (!context) return;
+  try {
+    const outcome = await context.apply(result, path);
+    if (outcome.acted) result.decision = outcome.decision;
+  } catch {
+  }
+}
+var consoleComposedPolicyLogger = {
+  shadowDivergence(info) {
+    console.warn("[checkpoint/composed-policy] shadow-divergence", info);
+  },
+  evaluationError(projectId, error) {
+    console.error(
+      `[checkpoint/composed-policy] evaluation failed for ${projectId}; using structured decision:`,
+      error
+    );
+  }
+};
 
 // src/translate.ts
 async function nextRequestToHttpLike(req, opts = {}) {
@@ -96,15 +177,91 @@ function extractRemoteAddress(req) {
 // src/middleware-node.ts
 function withCheckpoint(config) {
   const opts = buildVerifyOpts(config);
+  const reporter = buildReporter(config);
+  const composed = buildComposedContext(config);
+  const trustedRootsResolver = buildTrustedRootsResolver(config, composed);
   const translateOpts = { drainJsonBody: config.drainJsonBody };
-  return async function checkpointMiddleware(req) {
+  return async function checkpointMiddleware(req, event) {
     const httpLike = await nextRequestToHttpLike(req, translateOpts);
-    const result = await verifyRequest(httpLike, opts);
+    const trustedDelegationRoots = await resolveTrustedDelegationRootsForRequest(
+      trustedRootsResolver,
+      req.headers
+    );
+    const result = await verifyRequest(
+      httpLike,
+      trustedDelegationRoots ? { ...opts, trustedDelegationRoots } : opts
+    );
+    await applyComposedPolicy(composed, result, req.nextUrl.pathname);
+    if (reporter) {
+      const reportPromise = reporter(result, extractReporterContext(req));
+      if (event) {
+        event.waitUntil(reportPromise);
+      }
+    }
     await dispatchOnResult(config, result, req);
     const rendered = renderDecisionAsResponse(result);
     return adaptToNextResponse(rendered, req);
   };
 }
+var SDK_NAME = "@kya-os/checkpoint-nextjs";
+var VERSION = "1.7.0";
+function buildReporter(config, runtime = "node") {
+  if (!config.apiKey) return null;
+  return makeDetectionReporter({
+    apiKey: config.apiKey,
+    baseUrl: config.baseUrl,
+    debug: config.debug,
+    // Self-identify (incl. node-vs-edge) so the dashboard can version-gate
+    // enforcement. Next.js EDGE composed enforcement is opt-in (needs
+    // `cedarWasmModule`), so the dashboard shows it as opt-in, never "Enforcing".
+    sdk: { name: SDK_NAME, version: VERSION, runtime }
+  });
+}
+function buildTrustedRootsResolver(config, composed) {
+  if (composed?.trustedDelegationRoots) {
+    return () => composed.trustedDelegationRoots();
+  }
+  if (!config.projectId) return null;
+  const fetcher = new PolicyFetcher({
+    apiBaseUrl: config.dashboardUrl ?? config.baseUrl ?? DEFAULT_DASHBOARD_URL,
+    apiKey: config.apiKey,
+    cacheTtlSeconds: config.policyCacheTtlSeconds
+  });
+  const projectId = config.projectId;
+  return async () => (await fetcher.getPolicy(projectId)).trustedDelegationRoots ?? [];
+}
+function buildComposedContext(config) {
+  if (config.composedPolicyEnforcer) return config.composedPolicyEnforcer;
+  if (!config.projectId) return null;
+  return makeComposedPolicyContext({
+    projectId: config.projectId,
+    fetcher: new PolicyFetcher({
+      apiBaseUrl: config.dashboardUrl ?? config.baseUrl ?? DEFAULT_DASHBOARD_URL,
+      apiKey: config.apiKey,
+      cacheTtlSeconds: config.policyCacheTtlSeconds
+    }),
+    // LAZY dynamic import — NOT a top-level `import` — so the node-only
+    // `./policy` glue (`createRequire`/`fs` at module load) is never pulled into
+    // the Edge bundle. `middleware-edge.ts` imports helpers from this file, so a
+    // top-level `./policy` import would surface as a side-effect import in the
+    // edge bundle and boot-fail on Vercel edge. The import is cached after first
+    // call; the core's single-flight cache wraps the (now async) compile.
+    compile: async (_language, source) => {
+      const { createPolicyEvaluator } = await import('@kya-os/checkpoint-wasm-runtime/policy');
+      return createPolicyEvaluator(source);
+    },
+    logger: config.debug ? consoleComposedPolicyLogger : void 0
+  });
+}
+function extractReporterContext(req) {
+  return {
+    userAgent: req.headers.get("user-agent") ?? void 0,
+    ipAddress: req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? req.headers.get("x-real-ip") ?? void 0,
+    path: req.nextUrl.pathname,
+    url: req.nextUrl.href,
+    method: req.method
+  };
+}
 function buildVerifyOpts(config) {
   const overrides = config.adapters ?? {};
   return {
@@ -129,4 +286,4 @@ async function dispatchOnResult(config, result, req) {
   }
 }
 
-export { buildVerifyOpts as _buildVerifyOpts, withCheckpoint };
+export { VERSION, buildReporter as _buildReporter, buildTrustedRootsResolver as _buildTrustedRootsResolver, buildVerifyOpts as _buildVerifyOpts, extractReporterContext as _extractReporterContext, withCheckpoint };

package/dist/middleware.d.mts

@@ -32,5 +32,14 @@ declare function createAgentShieldMiddleware(_config?: Partial<NextJSMiddlewareC
  * Migrate to `withCheckpoint`.
  */
 declare function agentShield(config?: Partial<NextJSMiddlewareConfig>): (request: NextRequest) => Promise<NextResponse>;
+/**
+ * Pass-through export required by Next.js 16+ middleware file validation.
+ * Next.js requires any file named `middleware.ts` to export a function named
+ * `middleware` or a default function. This stub satisfies that constraint so
+ * consumers that still reference the `./middleware` subpath can build.
+ *
+ * @deprecated Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`.
+ */
+declare function middleware(_request: NextRequest): NextResponse<unknown>;
 
-export { agentShield, createAgentShieldMiddleware };
+export { agentShield, createAgentShieldMiddleware, middleware };

package/dist/middleware.d.ts

@@ -32,5 +32,14 @@ declare function createAgentShieldMiddleware(_config?: Partial<NextJSMiddlewareC
  * Migrate to `withCheckpoint`.
  */
 declare function agentShield(config?: Partial<NextJSMiddlewareConfig>): (request: NextRequest) => Promise<NextResponse>;
+/**
+ * Pass-through export required by Next.js 16+ middleware file validation.
+ * Next.js requires any file named `middleware.ts` to export a function named
+ * `middleware` or a default function. This stub satisfies that constraint so
+ * consumers that still reference the `./middleware` subpath can build.
+ *
+ * @deprecated Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`.
+ */
+declare function middleware(_request: NextRequest): NextResponse<unknown>;
 
-export { agentShield, createAgentShieldMiddleware };
+export { agentShield, createAgentShieldMiddleware, middleware };

package/dist/middleware.js

@@ -1,5 +1,7 @@
 'use strict';
 
+var server = require('next/server');
+
 // src/middleware.ts
 var MIGRATION_ERROR = "@kya-os/checkpoint-nextjs's `createAgentShieldMiddleware` / `agentShield` were deleted in Phase D (engine consolidation). The 600-line TS pattern matcher that backed them is gone. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` (Node runtime) or `@kya-os/checkpoint-nextjs/edge` (Edge runtime). See packages/checkpoint-nextjs/CHANGELOG.md (1.0.0) for the recipe.";
 function createAgentShieldMiddleware(_config = {}) {
@@ -8,6 +10,10 @@ function createAgentShieldMiddleware(_config = {}) {
 function agentShield(config = {}) {
   return createAgentShieldMiddleware(config);
 }
+function middleware(_request) {
+  return server.NextResponse.next();
+}
 
 exports.agentShield = agentShield;
 exports.createAgentShieldMiddleware = createAgentShieldMiddleware;
+exports.middleware = middleware;

package/dist/middleware.mjs

@@ -1,3 +1,5 @@
+import { NextResponse } from 'next/server';
+
 // src/middleware.ts
 var MIGRATION_ERROR = "@kya-os/checkpoint-nextjs's `createAgentShieldMiddleware` / `agentShield` were deleted in Phase D (engine consolidation). The 600-line TS pattern matcher that backed them is gone. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` (Node runtime) or `@kya-os/checkpoint-nextjs/edge` (Edge runtime). See packages/checkpoint-nextjs/CHANGELOG.md (1.0.0) for the recipe.";
 function createAgentShieldMiddleware(_config = {}) {
@@ -6,5 +8,8 @@ function createAgentShieldMiddleware(_config = {}) {
 function agentShield(config = {}) {
   return createAgentShieldMiddleware(config);
 }
+function middleware(_request) {
+  return NextResponse.next();
+}
 
-export { agentShield, createAgentShieldMiddleware };
+export { agentShield, createAgentShieldMiddleware, middleware };

package/dist/nodejs-wasm-loader.d.mts

@@ -1,10 +1,9 @@
 /**
  * @deprecated Phase-D.9a — legacy Node.js WASM loader for the retired
  * `agentshield-wasm` Rust crate. This file used `fs.readFileSync` to
- * locate + load the legacy detector's WASM binary into the
- * `@kya-os/checkpoint` `AgentDetector` class via `setWasmModule`. Both
- * the WASM crate (Phase-D.9a/D.9b) and the AgentDetector class
- * (AgentDetector-Deletion-2, next minor) are slated for deletion.
+ * locate + load the legacy detector's WASM binary into the legacy
+ * detection class. Both the WASM crate (Phase-D.9a/D.9b) and the
+ * detection class (removed in AgentDetector-Deletion-2) are retired.
  *
  * Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` — it
  * loads the canonical `kya-os-engine` WASM automatically via

package/dist/nodejs-wasm-loader.d.ts

@@ -1,10 +1,9 @@
 /**
  * @deprecated Phase-D.9a — legacy Node.js WASM loader for the retired
  * `agentshield-wasm` Rust crate. This file used `fs.readFileSync` to
- * locate + load the legacy detector's WASM binary into the
- * `@kya-os/checkpoint` `AgentDetector` class via `setWasmModule`. Both
- * the WASM crate (Phase-D.9a/D.9b) and the AgentDetector class
- * (AgentDetector-Deletion-2, next minor) are slated for deletion.
+ * locate + load the legacy detector's WASM binary into the legacy
+ * detection class. Both the WASM crate (Phase-D.9a/D.9b) and the
+ * detection class (removed in AgentDetector-Deletion-2) are retired.
  *
  * Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` — it
  * loads the canonical `kya-os-engine` WASM automatically via

package/dist/nodejs-wasm-loader.js

@@ -1,7 +1,7 @@
 'use strict';
 
 // src/nodejs-wasm-loader.ts
-var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy detection class they fed was removed in AgentDetector-Deletion-2. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
 var _nodejsWasmWarned = false;
 function warnNodejsWasmDeprecated() {
   if (_nodejsWasmWarned) return;

package/dist/nodejs-wasm-loader.mjs

@@ -1,5 +1,5 @@
 // src/nodejs-wasm-loader.ts
-var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+var MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy detection class they fed was removed in AgentDetector-Deletion-2. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
 var _nodejsWasmWarned = false;
 function warnNodejsWasmDeprecated() {
   if (_nodejsWasmWarned) return;

package/dist/signature-verifier.js

@@ -34,8 +34,8 @@ var KNOWN_KEYS = {
       publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
       validFrom: 1735689600,
       // Jan 1, 2025 (nbf from OpenAI)
-      validUntil: 1769029093
-      // Jan 21, 2026 (exp from OpenAI)
+      validUntil: 1780362143
+      // Jun 1, 2026 (exp from OpenAI live directory 2026-05-25)
     }
   ]
 };

package/dist/signature-verifier.mjs

@@ -12,8 +12,8 @@ var KNOWN_KEYS = {
       publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
       validFrom: 1735689600,
       // Jan 1, 2025 (nbf from OpenAI)
-      validUntil: 1769029093
-      // Jan 21, 2026 (exp from OpenAI)
+      validUntil: 1780362143
+      // Jun 1, 2026 (exp from OpenAI live directory 2026-05-25)
     }
   ]
 };

package/dist/wasm-setup.js

@@ -53,7 +53,7 @@ function isWasmInitialized() {
 var MIGRATION_ERROR, _nodejsWasmWarned;
 var init_nodejs_wasm_loader = __esm({
   "src/nodejs-wasm-loader.ts"() {
-    MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+    MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy detection class they fed was removed in AgentDetector-Deletion-2. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
     _nodejsWasmWarned = false;
   }
 });

package/dist/wasm-setup.mjs

@@ -51,7 +51,7 @@ function isWasmInitialized() {
 var MIGRATION_ERROR, _nodejsWasmWarned;
 var init_nodejs_wasm_loader = __esm({
   "src/nodejs-wasm-loader.ts"() {
-    MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy `AgentDetector` class they fed is slated for deletion in AgentDetector-Deletion-2 (next minor). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
+    MIGRATION_ERROR = "`@kya-os/checkpoint-nextjs`'s `loadWasmNodejs` / `isNodejsRuntime` / `getWasmModule` / `isWasmInitialized` were deprecated in Phase-D.9a (legacy `agentshield-wasm` Rust crate retirement). The legacy detection class they fed was removed in AgentDetector-Deletion-2. Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs` \u2014 engine-backed via the Rust `kya-os-engine` crate, with automatic WASM loading via `@kya-os/checkpoint-wasm-runtime`. See packages/checkpoint-nextjs/README.md for the canonical recipe.";
     _nodejsWasmWarned = false;
   }
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/checkpoint-nextjs",
-  "version": "1.2.0",
+  "version": "1.7.0",
   "description": "Checkpoint Next.js middleware for AI agent detection (formerly @kya-os/agentshield-nextjs)",
   "keywords": [
     "nextjs",
@@ -62,11 +62,6 @@
       "import": "./dist/wasm-setup.mjs",
       "require": "./dist/wasm-setup.js"
     },
-    "./wasm-middleware": {
-      "types": "./dist/wasm-middleware.d.ts",
-      "import": "./dist/wasm-middleware.mjs",
-      "require": "./dist/wasm-middleware.js"
-    },
     "./edge-wasm-middleware": {
       "types": "./dist/edge-wasm-middleware.d.ts",
       "import": "./dist/edge-wasm-middleware.mjs",
@@ -136,9 +131,9 @@
   "dependencies": {
     "@noble/ed25519": "^2.2.3",
     "@noble/hashes": "^2.0.1",
-    "@kya-os/checkpoint": "1.0.1",
-    "@kya-os/checkpoint-shared": "1.1.0",
-    "@kya-os/checkpoint-wasm-runtime": "^1.4.0"
+    "@kya-os/checkpoint": "1.2.0",
+    "@kya-os/checkpoint-shared": "1.2.0",
+    "@kya-os/checkpoint-wasm-runtime": "^1.8.0"
   },
   "scripts": {
     "build": "tsup",