@kya-os/checkpoint-nextjs 1.2.0 → 1.7.1

package/dist/signature-verifier.mjs

@@ -1,360 +0,0 @@
-import * as ed25519 from '@noble/ed25519';
-import { sha512 } from '@noble/hashes/sha2.js';
-
-// src/signature-verifier.ts
-ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
-var KNOWN_KEYS = {
-  chatgpt: [
-    {
-      kid: "otMqcjr17mGyruktGvJU8oojQTSMHlVm7uO-lrcqbdg",
-      // ChatGPT's current Ed25519 public key (base64)
-      // Source: https://chatgpt.com/.well-known/http-message-signatures-directory
-      publicKey: "7F_3jDlxaquwh291MiACkcS3Opq88NksyHiakzS-Y1g",
-      validFrom: 1735689600,
-      // Jan 1, 2025 (nbf from OpenAI)
-      validUntil: 1769029093
-      // Jan 21, 2026 (exp from OpenAI)
-    }
-  ]
-};
-var keyCache = /* @__PURE__ */ new Map();
-var CACHE_TTL_MS = 5 * 60 * 1e3;
-var CACHE_MAX_SIZE = 100;
-function getApiBaseUrl() {
-  if (typeof window !== "undefined") {
-    return "/api/internal";
-  }
-  const baseUrl = process.env.NEXT_PUBLIC_APP_URL || process.env.NEXT_PUBLIC_API_URL || process.env.API_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : null);
-  if (baseUrl) {
-    return baseUrl.replace(/\/$/, "") + "/api/internal";
-  }
-  if (process.env.NODE_ENV !== "production") {
-    console.warn(
-      "[Signature] No base URL configured for server-side fetch. Using localhost fallback."
-    );
-    return "http://localhost:3000/api/internal";
-  }
-  console.error(
-    "[Signature] CRITICAL: No base URL configured for server-side fetch in production!"
-  );
-  return "/api/internal";
-}
-function cleanupExpiredCache() {
-  const now = Date.now();
-  const entriesToDelete = [];
-  for (const [agent, cached] of keyCache.entries()) {
-    if (now - cached.cachedAt > CACHE_TTL_MS) {
-      entriesToDelete.push(agent);
-    }
-  }
-  for (const agent of entriesToDelete) {
-    keyCache.delete(agent);
-  }
-  if (keyCache.size > CACHE_MAX_SIZE) {
-    const entries = Array.from(keyCache.entries()).map(([agent, cached]) => ({
-      agent,
-      cachedAt: cached.cachedAt
-    }));
-    entries.sort((a, b) => a.cachedAt - b.cachedAt);
-    const toRemove = entries.slice(0, keyCache.size - CACHE_MAX_SIZE);
-    for (const entry of toRemove) {
-      keyCache.delete(entry.agent);
-    }
-  }
-}
-async function fetchKeysFromApi(agent) {
-  if (keyCache.size > CACHE_MAX_SIZE) {
-    cleanupExpiredCache();
-  }
-  const cached = keyCache.get(agent);
-  if (cached && Date.now() - cached.cachedAt < CACHE_TTL_MS) {
-    return cached.keys;
-  }
-  if (typeof fetch === "undefined") {
-    console.warn("[Signature] fetch() not available in this environment");
-    return null;
-  }
-  try {
-    const apiBaseUrl = getApiBaseUrl();
-    const url = `${apiBaseUrl}/signature-keys?agent=${encodeURIComponent(agent)}`;
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      // 5 second timeout
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!response.ok) {
-      console.warn(`[Signature] Failed to fetch keys from API: ${response.status}`);
-      return null;
-    }
-    const data = await response.json();
-    if (!data.keys || !Array.isArray(data.keys) || data.keys.length === 0) {
-      console.warn(`[Signature] No keys returned from API for agent: ${agent}`);
-      return null;
-    }
-    keyCache.set(agent, {
-      keys: data.keys,
-      cachedAt: Date.now()
-    });
-    return data.keys;
-  } catch (error) {
-    console.warn("[Signature] Error fetching keys from API, using fallback", {
-      error: error instanceof Error ? error.message : "Unknown error",
-      agent
-    });
-    return null;
-  }
-}
-function isValidAgent(agent) {
-  return agent in KNOWN_KEYS;
-}
-async function getKeysForAgent(agent) {
-  const apiKeys = await fetchKeysFromApi(agent);
-  if (apiKeys && apiKeys.length > 0) {
-    return apiKeys;
-  }
-  if (isValidAgent(agent)) {
-    return KNOWN_KEYS[agent];
-  }
-  return [];
-}
-function parseSignatureInput(signatureInput) {
-  try {
-    const match = signatureInput.match(/sig1=\((.*?)\);(.+)/);
-    if (!match) return null;
-    const [, headersList, params] = match;
-    const signedHeaders = headersList ? headersList.split(" ").map((h) => h.replace(/"/g, "").trim()).filter((h) => h.length > 0) : [];
-    const keyidMatch = params ? params.match(/keyid="([^"]+)"/) : null;
-    const createdMatch = params ? params.match(/created=(\d+)/) : null;
-    const expiresMatch = params ? params.match(/expires=(\d+)/) : null;
-    if (!keyidMatch || !keyidMatch[1]) return null;
-    return {
-      keyid: keyidMatch[1],
-      created: createdMatch && createdMatch[1] ? parseInt(createdMatch[1]) : void 0,
-      expires: expiresMatch && expiresMatch[1] ? parseInt(expiresMatch[1]) : void 0,
-      signedHeaders
-    };
-  } catch (error) {
-    console.error("[Signature] Failed to parse Signature-Input:", error);
-    return null;
-  }
-}
-function buildSignatureBase(method, path, headers, signedHeaders) {
-  const components = [];
-  for (const headerName of signedHeaders) {
-    let value;
-    switch (headerName) {
-      case "@method":
-        value = method.toUpperCase();
-        break;
-      case "@path":
-        value = path;
-        break;
-      case "@authority":
-        value = headers["host"] || headers["Host"] || "";
-        break;
-      default: {
-        const key = Object.keys(headers).find((k) => k.toLowerCase() === headerName.toLowerCase());
-        value = key ? headers[key] || "" : "";
-        break;
-      }
-    }
-    components.push(`"${headerName}": ${value}`);
-  }
-  return components.join("\n");
-}
-function base64ToBytes(base64) {
-  let standardBase64 = base64.replace(/-/g, "+").replace(/_/g, "/");
-  const padding = standardBase64.length % 4;
-  if (padding) {
-    standardBase64 += "=".repeat(4 - padding);
-  }
-  const binaryString = atob(standardBase64);
-  return Uint8Array.from(binaryString, (c) => c.charCodeAt(0));
-}
-async function verifyEd25519Signature(publicKeyBase64, signatureBase64, message) {
-  try {
-    const publicKeyBytes = base64ToBytes(publicKeyBase64);
-    const signatureBytes = base64ToBytes(signatureBase64);
-    const messageBytes = new TextEncoder().encode(message);
-    if (publicKeyBytes.length !== 32) {
-      console.error("[Signature] Invalid public key length:", publicKeyBytes.length);
-      return false;
-    }
-    if (signatureBytes.length !== 64) {
-      console.error("[Signature] Invalid signature length:", signatureBytes.length);
-      return false;
-    }
-    return ed25519.verify(signatureBytes, messageBytes, publicKeyBytes);
-  } catch (nobleError) {
-    console.warn("[Signature] @noble/ed25519 failed, trying Web Crypto fallback:", nobleError);
-    try {
-      const publicKeyBytes = base64ToBytes(publicKeyBase64);
-      const signatureBytes = base64ToBytes(signatureBase64);
-      const messageBytes = new TextEncoder().encode(message);
-      const publicKey = await crypto.subtle.importKey(
-        "raw",
-        publicKeyBytes.buffer,
-        {
-          name: "Ed25519",
-          namedCurve: "Ed25519"
-        },
-        false,
-        ["verify"]
-      );
-      return await crypto.subtle.verify(
-        "Ed25519",
-        publicKey,
-        signatureBytes.buffer,
-        messageBytes
-      );
-    } catch (cryptoError) {
-      console.error("[Signature] Both @noble/ed25519 and Web Crypto failed:", {
-        nobleError: nobleError instanceof Error ? nobleError.message : "Unknown",
-        cryptoError: cryptoError instanceof Error ? cryptoError.message : "Unknown"
-      });
-      return false;
-    }
-  }
-}
-async function verifyAgentSignature(method, path, headers) {
-  const signature = headers["signature"] || headers["Signature"];
-  const signatureInput = headers["signature-input"] || headers["Signature-Input"];
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signature || !signatureInput) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No signature headers present",
-      verificationMethod: "none"
-    };
-  }
-  const parsed = parseSignatureInput(signatureInput);
-  if (!parsed) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Invalid Signature-Input header",
-      verificationMethod: "none"
-    };
-  }
-  if (parsed.created) {
-    const now2 = Math.floor(Date.now() / 1e3);
-    const age = now2 - parsed.created;
-    if (age > 300) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature expired (older than 5 minutes)",
-        verificationMethod: "none"
-      };
-    }
-    if (age < -30) {
-      return {
-        isValid: false,
-        confidence: 0,
-        reason: "Signature timestamp is in the future",
-        verificationMethod: "none"
-      };
-    }
-  }
-  let agent;
-  let agentKey;
-  const isChatGPT = signatureAgent === '"https://chatgpt.com"' || (() => {
-    try {
-      const url = new URL(signatureAgent?.replace(/^"|"$/g, "") || "");
-      return url.hostname === "chatgpt.com" || url.hostname.endsWith(".chatgpt.com");
-    } catch {
-      return false;
-    }
-  })();
-  if (isChatGPT) {
-    agent = "ChatGPT";
-    agentKey = "chatgpt";
-  }
-  if (!agent || !agentKey) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Unknown signature agent",
-      verificationMethod: "none"
-    };
-  }
-  const knownKeys = await getKeysForAgent(agentKey);
-  if (knownKeys.length === 0) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "No keys available for agent",
-      verificationMethod: "none"
-    };
-  }
-  const key = knownKeys.find((k) => k.kid === parsed.keyid);
-  if (!key) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: `Unknown key ID: ${parsed.keyid}`,
-      verificationMethod: "none"
-    };
-  }
-  const now = Math.floor(Date.now() / 1e3);
-  if (now < key.validFrom || now > key.validUntil) {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Key is not valid at current time",
-      verificationMethod: "none"
-    };
-  }
-  const signatureBase = buildSignatureBase(method, path, headers, parsed.signedHeaders);
-  let signatureValue = signature;
-  if (signatureValue.startsWith("sig1=:")) {
-    signatureValue = signatureValue.substring(6);
-  }
-  if (signatureValue.endsWith(":")) {
-    signatureValue = signatureValue.slice(0, -1);
-  }
-  const isValid = await verifyEd25519Signature(key.publicKey, signatureValue, signatureBase);
-  if (isValid) {
-    return {
-      isValid: true,
-      agent,
-      keyid: parsed.keyid,
-      confidence: 1,
-      // 100% confidence for valid signature
-      verificationMethod: "signature"
-    };
-  } else {
-    return {
-      isValid: false,
-      confidence: 0,
-      reason: "Signature verification failed",
-      verificationMethod: "none"
-    };
-  }
-}
-function hasSignatureHeaders(headers) {
-  return !!((headers["signature"] || headers["Signature"]) && (headers["signature-input"] || headers["Signature-Input"]));
-}
-function isChatGPTSignature(headers) {
-  const signatureAgent = headers["signature-agent"] || headers["Signature-Agent"];
-  if (!signatureAgent) {
-    return false;
-  }
-  const agentUrlStr = signatureAgent.replace(/^"+|"+$/g, "");
-  if (agentUrlStr === "https://chatgpt.com") {
-    return true;
-  }
-  try {
-    const agentUrl = new URL(agentUrlStr);
-    const allowedHosts = ["chatgpt.com", "www.chatgpt.com"];
-    return allowedHosts.includes(agentUrl.host);
-  } catch {
-    return false;
-  }
-}
-
-export { hasSignatureHeaders, isChatGPTSignature, verifyAgentSignature };

package/dist/wasm-middleware.d.mts

@@ -1,98 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-
-/**
- * WASM-enabled middleware for Next.js with Checkpoint.
- *
- * **Deprecation notice (AgentDetector-Deletion-1):**
- * `createWasmAgentShieldMiddleware` is deprecated as of this patch and
- * slated for removal in the next minor. It internally constructs a
- * legacy `AgentDetector` and never actually uses the WASM instance for
- * detection (the `wasmInstance` arg only bumps confidence by 15%).
- * Stage 1 detection now lives in the Rust `kya-os-engine` (PDM-1
- * #2560). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`
- * — engine-backed, runs the orchestrator including envelope
- * verification.
- */
-
-/** @internal — test-only reset for the one-shot warn latch. */
-declare function __resetCreateWasmAgentShieldWarningForTests(): void;
-interface WasmDetectionResult {
-    isAgent: boolean;
-    isAiCrawler?: boolean;
-    confidence: number;
-    agent?: string | undefined;
-    verificationMethod: 'signature' | 'pattern' | 'none';
-    riskLevel: 'low' | 'medium' | 'high';
-    timestamp: string;
-}
-interface AgentShieldConfig {
-    onAgentDetected?: (result: WasmDetectionResult) => void | Promise<void>;
-    blockOnHighConfidence?: boolean;
-    confidenceThreshold?: number;
-    skipPaths?: string[];
-    blockedResponse?: {
-        status?: number;
-        message?: string;
-        headers?: Record<string, string>;
-    };
-}
-/**
- * @deprecated Wraps the legacy `AgentDetector` class. Will be removed
- * in the next minor (AgentDetector-Deletion-2). Migrate to
- * `withCheckpoint` from `@kya-os/checkpoint-nextjs` — engine-backed,
- * runs the orchestrator including envelope verification.
- *
- * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
- *
- * **This factory runs UA/header pattern matching only.** It does NOT
- * verify MCP-I signed envelopes — no JWS verification, no DID
- * resolution, no orchestrator stages. Use it when your only enforcement
- * concern is "is this request from a known bot pattern."
- *
- * **For envelope verification, use {@link withCheckpoint} instead** —
- * exported from `@kya-os/checkpoint-nextjs` (Node runtime) or
- * `@kya-os/checkpoint-nextjs/edge` (Edge runtime). `withCheckpoint`
- * routes every request through the kya-os-engine via WASM and supports
- * both `_meta.proof.jws` body envelopes (default) and the legacy
- * `KYA-Delegation` header form (opt-in via `legacyEnvelopeFallback`).
- * See SDK-Envelope-Plumbing-1 (#2594) for the migration context.
- *
- * @example pattern-only (this factory)
- * ```typescript
- * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * import { createCheckpointWasmMiddleware } from '@kya-os/checkpoint-nextjs';
- *
- * const wasmInstance = await WebAssembly.instantiate(wasmModule);
- * export const middleware = createCheckpointWasmMiddleware({
- *   wasmInstance,
- *   confidenceThreshold: 80,
- * });
- * ```
- *
- * @example envelope verification (use `withCheckpoint` instead)
- * ```typescript
- * import { withCheckpoint } from '@kya-os/checkpoint-nextjs';
- *
- * export default withCheckpoint({
- *   tenantHost: 'acme.checkpoint.example',
- *   legacyEnvelopeFallback: true, // accept `KYA-Delegation` header form
- *   // drainJsonBody defaults to true; spec-form `_meta.proof.jws` works out of the box
- * });
- * ```
- */
-declare function createWasmAgentShieldMiddleware(config: AgentShieldConfig & {
-    wasmInstance?: WebAssembly.Instance;
-}): (request: NextRequest) => Promise<NextResponse<unknown>>;
-/**
- * Helper to load and instantiate WASM module
- * This should be called at the top of your middleware.ts file
- *
- * @example
- * ```typescript
- * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * const wasmInstance = await instantiateWasm(wasmModule);
- * ```
- */
-declare function instantiateWasm(wasmModule: WebAssembly.Module): Promise<WebAssembly.Instance>;
-
-export { type AgentShieldConfig, type WasmDetectionResult, __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };

package/dist/wasm-middleware.d.ts

@@ -1,98 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-
-/**
- * WASM-enabled middleware for Next.js with Checkpoint.
- *
- * **Deprecation notice (AgentDetector-Deletion-1):**
- * `createWasmAgentShieldMiddleware` is deprecated as of this patch and
- * slated for removal in the next minor. It internally constructs a
- * legacy `AgentDetector` and never actually uses the WASM instance for
- * detection (the `wasmInstance` arg only bumps confidence by 15%).
- * Stage 1 detection now lives in the Rust `kya-os-engine` (PDM-1
- * #2560). Migrate to `withCheckpoint` from `@kya-os/checkpoint-nextjs`
- * — engine-backed, runs the orchestrator including envelope
- * verification.
- */
-
-/** @internal — test-only reset for the one-shot warn latch. */
-declare function __resetCreateWasmAgentShieldWarningForTests(): void;
-interface WasmDetectionResult {
-    isAgent: boolean;
-    isAiCrawler?: boolean;
-    confidence: number;
-    agent?: string | undefined;
-    verificationMethod: 'signature' | 'pattern' | 'none';
-    riskLevel: 'low' | 'medium' | 'high';
-    timestamp: string;
-}
-interface AgentShieldConfig {
-    onAgentDetected?: (result: WasmDetectionResult) => void | Promise<void>;
-    blockOnHighConfidence?: boolean;
-    confidenceThreshold?: number;
-    skipPaths?: string[];
-    blockedResponse?: {
-        status?: number;
-        message?: string;
-        headers?: Record<string, string>;
-    };
-}
-/**
- * @deprecated Wraps the legacy `AgentDetector` class. Will be removed
- * in the next minor (AgentDetector-Deletion-2). Migrate to
- * `withCheckpoint` from `@kya-os/checkpoint-nextjs` — engine-backed,
- * runs the orchestrator including envelope verification.
- *
- * Create a WASM-enabled Checkpoint middleware (**pattern-detection only**).
- *
- * **This factory runs UA/header pattern matching only.** It does NOT
- * verify MCP-I signed envelopes — no JWS verification, no DID
- * resolution, no orchestrator stages. Use it when your only enforcement
- * concern is "is this request from a known bot pattern."
- *
- * **For envelope verification, use {@link withCheckpoint} instead** —
- * exported from `@kya-os/checkpoint-nextjs` (Node runtime) or
- * `@kya-os/checkpoint-nextjs/edge` (Edge runtime). `withCheckpoint`
- * routes every request through the kya-os-engine via WASM and supports
- * both `_meta.proof.jws` body envelopes (default) and the legacy
- * `KYA-Delegation` header form (opt-in via `legacyEnvelopeFallback`).
- * See SDK-Envelope-Plumbing-1 (#2594) for the migration context.
- *
- * @example pattern-only (this factory)
- * ```typescript
- * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * import { createCheckpointWasmMiddleware } from '@kya-os/checkpoint-nextjs';
- *
- * const wasmInstance = await WebAssembly.instantiate(wasmModule);
- * export const middleware = createCheckpointWasmMiddleware({
- *   wasmInstance,
- *   confidenceThreshold: 80,
- * });
- * ```
- *
- * @example envelope verification (use `withCheckpoint` instead)
- * ```typescript
- * import { withCheckpoint } from '@kya-os/checkpoint-nextjs';
- *
- * export default withCheckpoint({
- *   tenantHost: 'acme.checkpoint.example',
- *   legacyEnvelopeFallback: true, // accept `KYA-Delegation` header form
- *   // drainJsonBody defaults to true; spec-form `_meta.proof.jws` works out of the box
- * });
- * ```
- */
-declare function createWasmAgentShieldMiddleware(config: AgentShieldConfig & {
-    wasmInstance?: WebAssembly.Instance;
-}): (request: NextRequest) => Promise<NextResponse<unknown>>;
-/**
- * Helper to load and instantiate WASM module
- * This should be called at the top of your middleware.ts file
- *
- * @example
- * ```typescript
- * import wasmModule from '@kya-os/checkpoint/wasm?module';
- * const wasmInstance = await instantiateWasm(wasmModule);
- * ```
- */
-declare function instantiateWasm(wasmModule: WebAssembly.Module): Promise<WebAssembly.Instance>;
-
-export { type AgentShieldConfig, type WasmDetectionResult, __resetCreateWasmAgentShieldWarningForTests, createWasmAgentShieldMiddleware, instantiateWasm };

package/dist/wasm-middleware.js

@@ -1,125 +0,0 @@
-'use strict';
-
-var server = require('next/server');
-var checkpoint = require('@kya-os/checkpoint');
-
-// src/wasm-middleware.ts
-
-// src/local-detection-gate.ts
-function isDetectedAgentForLocalGate(result) {
-  return result.isAgent === true;
-}
-function evaluateLocalDetectionGate(result, config) {
-  if (!isDetectedAgentForLocalGate(result)) {
-    return { action: "allow", shouldNotify: false };
-  }
-  if ((result.confidence ?? 0) >= config.confidenceThreshold) {
-    return { action: config.defaultAction, shouldNotify: true };
-  }
-  return { action: "allow", shouldNotify: false };
-}
-
-// src/wasm-middleware.ts
-var _createWasmAgentShieldWarned = false;
-function warnCreateWasmAgentShieldDeprecated() {
-  if (_createWasmAgentShieldWarned) return;
-  _createWasmAgentShieldWarned = true;
-  if (typeof process !== "undefined" && process.env?.NODE_ENV === "production") return;
-  console.warn(
-    "[Checkpoint] createWasmAgentShieldMiddleware is deprecated and will be removed in the next minor. It wraps the legacy AgentDetector class; Stage 1 detection now lives in the Rust kya-os-engine (PDM-1). Migrate to `withCheckpoint` from @kya-os/checkpoint-nextjs \u2014 engine-backed and runs envelope verification. See packages/checkpoint-nextjs/CHANGELOG.md for the recipe."
-  );
-}
-function __resetCreateWasmAgentShieldWarningForTests() {
-  _createWasmAgentShieldWarned = false;
-}
-function createWasmAgentShieldMiddleware(config) {
-  warnCreateWasmAgentShieldDeprecated();
-  const {
-    onAgentDetected,
-    blockOnHighConfidence = false,
-    confidenceThreshold = 80,
-    // Updated to 0-100 scale (was 0.8)
-    skipPaths = [],
-    blockedResponse = {
-      status: 403,
-      message: "Access denied: AI agent detected",
-      headers: { "Content-Type": "application/json" }
-    },
-    wasmInstance
-  } = config;
-  return async function middleware(request) {
-    const path = request.nextUrl.pathname;
-    if (skipPaths.some((skip) => path.startsWith(skip))) {
-      return server.NextResponse.next();
-    }
-    try {
-      const detector = new checkpoint.AgentDetector();
-      const hasWasm = !!wasmInstance;
-      const metadata = {
-        userAgent: request.headers.get("user-agent") || void 0,
-        ipAddress: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
-        headers: Object.fromEntries(request.headers.entries()),
-        timestamp: /* @__PURE__ */ new Date()
-      };
-      const result = await detector.analyze(metadata);
-      const enhancedResult = {
-        isAgent: result.isAgent,
-        isAiCrawler: result.isAiCrawler,
-        confidence: hasWasm && result.confidence > 85 ? Math.min(result.confidence * 1.15, 100) : result.confidence,
-        agent: result.detectedAgent?.name || void 0,
-        verificationMethod: hasWasm && result.confidence > 85 ? "signature" : "pattern",
-        // Updated to 0-100 scale
-        riskLevel: result.confidence > 90 ? "high" : result.confidence > 70 ? "medium" : "low",
-        // Updated to 0-100 scale (was 0.7)
-        timestamp: result.timestamp instanceof Date ? result.timestamp.toISOString() : new Date(result.timestamp).toISOString()
-      };
-      const decision = evaluateLocalDetectionGate(enhancedResult, {
-        confidenceThreshold,
-        defaultAction: blockOnHighConfidence ? "block" : "allow"
-      });
-      if (onAgentDetected && isDetectedAgentForLocalGate(enhancedResult)) {
-        await onAgentDetected(enhancedResult);
-      }
-      if (decision.action === "block") {
-        return server.NextResponse.json(
-          {
-            error: blockedResponse.message,
-            agent: enhancedResult.agent,
-            confidence: Math.round(enhancedResult.confidence)
-          },
-          {
-            status: blockedResponse.status || 403,
-            headers: blockedResponse.headers || {}
-          }
-        );
-      }
-      const response = server.NextResponse.next();
-      if (enhancedResult.isAgent) {
-        response.headers.set("X-Agent-Detected", enhancedResult.agent || "unknown");
-        response.headers.set(
-          "X-Agent-Confidence",
-          String(Math.round(enhancedResult.confidence * 100))
-        );
-        response.headers.set("X-Agent-Verification", enhancedResult.verificationMethod);
-      }
-      return response;
-    } catch (error) {
-      console.error("AgentShield middleware error:", error);
-      return server.NextResponse.next();
-    }
-  };
-}
-async function instantiateWasm(wasmModule) {
-  try {
-    const instance = await WebAssembly.instantiate(wasmModule);
-    console.log("\u2705 AgentShield: WASM module loaded for cryptographic verification");
-    return instance;
-  } catch (error) {
-    console.warn("\u26A0\uFE0F AgentShield: Failed to instantiate WASM module", error);
-    throw error;
-  }
-}
-
-exports.__resetCreateWasmAgentShieldWarningForTests = __resetCreateWasmAgentShieldWarningForTests;
-exports.createWasmAgentShieldMiddleware = createWasmAgentShieldMiddleware;
-exports.instantiateWasm = instantiateWasm;