@kya-os/checkpoint-nextjs 1.7.0 → 1.7.1

package/EDGE_RUNTIME_WASM_SETUP.md

@@ -236,7 +236,7 @@ export function createAgentShieldMiddleware(options: {
         { pattern: /openai/i, name: 'OpenAI' },
         { pattern: /gpt-/i, name: 'GPT' },
         { pattern: /copilot/i, name: 'GitHub Copilot' },
-        { pattern: /bard/i, name: 'Google Bard' },
+        { pattern: /bard/i, name: 'Google Gemini' },
         { pattern: /gemini/i, name: 'Google Gemini' },
       ];
 

package/bin/setup-edge-wasm.js

@@ -310,7 +310,7 @@ function patternDetection(
     { pattern: /openai/i, name: 'OpenAI', confidence: 0.90 },
     { pattern: /gpt-crawler/i, name: 'GPT Crawler', confidence: 0.95 },
     { pattern: /copilot/i, name: 'GitHub Copilot', confidence: 0.85 },
-    { pattern: /bard/i, name: 'Google Bard', confidence: 0.85 },
+    { pattern: /bard/i, name: 'Google Gemini', confidence: 0.85 }, // legacy Bard UA → Gemini (brand retired 2024)
     { pattern: /gemini/i, name: 'Google Gemini', confidence: 0.85 },
     { pattern: /perplexity/i, name: 'Perplexity', confidence: 0.85 },
   ];

package/dist/api-middleware.d.mts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { ChallengeEnvelopeMode } from '@kya-os/checkpoint-shared';
 import { EnforcementDecision } from './api-client.mjs';
-import '@kya-os/checkpoint-shared';
 
 /**
  * API-based AgentShield Middleware for Next.js
@@ -76,6 +76,14 @@ interface CheckpointApiMiddlewareConfig {
      * @default 'instruct'
      */
     redirectMode?: 'instruct' | 'http';
+    /**
+     * Challenge-emission envelope mode (draft-kya-http-02 §8.1 fetcher-200).
+     * `negotiated` serves a body-readable HTTP 200 instruct response to
+     * cooperative agents (so fetchers that drop 4xx bodies can read it),
+     * keeping the spec 401 for everyone else. Defaults to `spec-401`.
+     * A cooperative-UX bridge, NOT an access control.
+     */
+    delegationChallengeMode?: ChallengeEnvelopeMode;
     /**
      * Custom blocked response
      */

package/dist/api-middleware.d.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { ChallengeEnvelopeMode } from '@kya-os/checkpoint-shared';
 import { EnforcementDecision } from './api-client.js';
-import '@kya-os/checkpoint-shared';
 
 /**
  * API-based AgentShield Middleware for Next.js
@@ -76,6 +76,14 @@ interface CheckpointApiMiddlewareConfig {
      * @default 'instruct'
      */
     redirectMode?: 'instruct' | 'http';
+    /**
+     * Challenge-emission envelope mode (draft-kya-http-02 §8.1 fetcher-200).
+     * `negotiated` serves a body-readable HTTP 200 instruct response to
+     * cooperative agents (so fetchers that drop 4xx bodies can read it),
+     * keeping the spec 401 for everyone else. Defaults to `spec-401`.
+     * A cooperative-UX bridge, NOT an access control.
+     */
+    delegationChallengeMode?: ChallengeEnvelopeMode;
     /**
      * Custom blocked response
      */

package/dist/api-middleware.js

@@ -237,7 +237,7 @@ function safeHostname(url) {
 // src/responses/agent-instruction.ts
 var MCP_I_DOCS_URL = "https://docs.knowthat.ai/mcp-i/getting-started";
 var DEFAULT_CONNECT_PATH = "/connect";
-function buildAgentInstructionResponse(request, decision, redirectUrl) {
+function buildAgentInstructionResponse(request, decision, redirectUrl, options) {
   const resolved = resolveUrl(redirectUrl ?? DEFAULT_CONNECT_PATH, request.url);
   const agentName = decision.agentName || decision.agentType || "unknown";
   if (!resolved.searchParams.has("agent")) {
@@ -288,8 +288,11 @@ It only takes a moment and you won't need to do it again. Once you're done, ask
       confidence: decision.confidence
     }
   };
-  const response = server.NextResponse.json(body, { status: 401 });
-  response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
+  const bodyReadable200 = options?.bodyReadable200 ?? false;
+  const response = server.NextResponse.json(body, { status: bodyReadable200 ? 200 : 401 });
+  if (!bodyReadable200) {
+    response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
+  }
   response.headers.set(
     "Link",
     `<${authUrl}>; rel="kya-authorize", <${MCP_I_DOCS_URL}>; rel="help"`
@@ -482,7 +485,14 @@ function withCheckpointApi(config = {}) {
             return buildRedirectResponse(request, decision, config);
           }
           const targetUrl = config.redirectUrl || decision.redirectUrl;
-          return buildAgentInstructionResponse(request, decision, targetUrl);
+          const bodyReadable200 = checkpointShared.selectBodyReadable200(
+            config.delegationChallengeMode ?? "spec-401",
+            request.headers,
+            result.data.detection?.detectionClass
+          );
+          return buildAgentInstructionResponse(request, decision, targetUrl, {
+            bodyReadable200
+          });
         }
         case "challenge": {
           return buildRedirectResponse(request, decision, config);

package/dist/api-middleware.mjs

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server';
-import { matchPath } from '@kya-os/checkpoint-shared';
+import { selectBodyReadable200, matchPath } from '@kya-os/checkpoint-shared';
 
 // src/api-middleware.ts
 
@@ -235,7 +235,7 @@ function safeHostname(url) {
 // src/responses/agent-instruction.ts
 var MCP_I_DOCS_URL = "https://docs.knowthat.ai/mcp-i/getting-started";
 var DEFAULT_CONNECT_PATH = "/connect";
-function buildAgentInstructionResponse(request, decision, redirectUrl) {
+function buildAgentInstructionResponse(request, decision, redirectUrl, options) {
   const resolved = resolveUrl(redirectUrl ?? DEFAULT_CONNECT_PATH, request.url);
   const agentName = decision.agentName || decision.agentType || "unknown";
   if (!resolved.searchParams.has("agent")) {
@@ -286,8 +286,11 @@ It only takes a moment and you won't need to do it again. Once you're done, ask
       confidence: decision.confidence
     }
   };
-  const response = NextResponse.json(body, { status: 401 });
-  response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
+  const bodyReadable200 = options?.bodyReadable200 ?? false;
+  const response = NextResponse.json(body, { status: bodyReadable200 ? 200 : 401 });
+  if (!bodyReadable200) {
+    response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
+  }
   response.headers.set(
     "Link",
     `<${authUrl}>; rel="kya-authorize", <${MCP_I_DOCS_URL}>; rel="help"`
@@ -480,7 +483,14 @@ function withCheckpointApi(config = {}) {
             return buildRedirectResponse(request, decision, config);
           }
           const targetUrl = config.redirectUrl || decision.redirectUrl;
-          return buildAgentInstructionResponse(request, decision, targetUrl);
+          const bodyReadable200 = selectBodyReadable200(
+            config.delegationChallengeMode ?? "spec-401",
+            request.headers,
+            result.data.detection?.detectionClass
+          );
+          return buildAgentInstructionResponse(request, decision, targetUrl, {
+            bodyReadable200
+          });
         }
         case "challenge": {
           return buildRedirectResponse(request, decision, config);

package/dist/composed-policy.d.mts

@@ -45,6 +45,13 @@ interface ShadowDivergenceInfo {
 interface ComposedPolicyApplyResult {
     decision: Decision;
     acted: boolean;
+    /**
+     * SSOT-served revision pin (sha256 of the evaluated bundle, byte-identical
+     * to `policy_revisions.composed_blob_hash`) — set ONLY when `acted`, echoed
+     * from `PolicyConfig.policySourceHash` (#3246 PR5). Absent on structured
+     * decisions and when the dashboard predates the field.
+     */
+    composedBlobHash?: string;
 }
 interface ComposedPolicyContext {
     /**

package/dist/composed-policy.d.ts

@@ -45,6 +45,13 @@ interface ShadowDivergenceInfo {
 interface ComposedPolicyApplyResult {
     decision: Decision;
     acted: boolean;
+    /**
+     * SSOT-served revision pin (sha256 of the evaluated bundle, byte-identical
+     * to `policy_revisions.composed_blob_hash`) — set ONLY when `acted`, echoed
+     * from `PolicyConfig.policySourceHash` (#3246 PR5). Absent on structured
+     * decisions and when the dashboard predates the field.
+     */
+    composedBlobHash?: string;
 }
 interface ComposedPolicyContext {
     /**

package/dist/composed-policy.js

@@ -48,7 +48,13 @@ function makeComposedPolicyContext(opts) {
         return structured;
       }
       if (outcome.status === "acting") {
-        return { decision: outcome.engineDecision, acted: true };
+        return {
+          decision: outcome.engineDecision,
+          acted: true,
+          // Echo the SSOT revision pin with the decision it produced (#3246
+          // PR5). Conditional spread: absent upstream stays absent here.
+          ...policy.policySourceHash ? { composedBlobHash: policy.policySourceHash } : {}
+        };
       }
       return structured;
     },
@@ -68,7 +74,12 @@ async function applyComposedPolicy(context, result, path) {
   if (!context) return;
   try {
     const outcome = await context.apply(result, path);
-    if (outcome.acted) result.decision = outcome.decision;
+    if (outcome.acted) {
+      result.decision = outcome.decision;
+      if (outcome.composedBlobHash) {
+        result.composedBlobHash = outcome.composedBlobHash;
+      }
+    }
   } catch {
   }
 }

package/dist/composed-policy.mjs

@@ -46,7 +46,13 @@ function makeComposedPolicyContext(opts) {
         return structured;
       }
       if (outcome.status === "acting") {
-        return { decision: outcome.engineDecision, acted: true };
+        return {
+          decision: outcome.engineDecision,
+          acted: true,
+          // Echo the SSOT revision pin with the decision it produced (#3246
+          // PR5). Conditional spread: absent upstream stays absent here.
+          ...policy.policySourceHash ? { composedBlobHash: policy.policySourceHash } : {}
+        };
       }
       return structured;
     },
@@ -66,7 +72,12 @@ async function applyComposedPolicy(context, result, path) {
   if (!context) return;
   try {
     const outcome = await context.apply(result, path);
-    if (outcome.acted) result.decision = outcome.decision;
+    if (outcome.acted) {
+      result.decision = outcome.decision;
+      if (outcome.composedBlobHash) {
+        result.composedBlobHash = outcome.composedBlobHash;
+      }
+    }
   } catch {
   }
 }

package/dist/{config-_nfPN3E3.d.mts → config-DAwIA4DB.d.mts}

@@ -1,6 +1,7 @@
 import { NextRequest } from 'next/server';
 import { DidResolverAdapter, StatusListCacheAdapter, ReputationOracleAdapter, PolicyEvaluatorAdapter } from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { EnforcementMode, VerifyResult, EngineConfig } from '@kya-os/checkpoint-wasm-runtime/engine';
+import { ChallengeEnvelopeMode } from '@kya-os/checkpoint-shared';
 import { ComposedPolicyContext } from './composed-policy.mjs';
 
 /**
@@ -30,6 +31,14 @@ interface CheckpointConfig {
      * through with `X-Checkpoint-Would-Have-Been` headers. Per Phase 0.2.
      */
     enforcementMode?: EnforcementMode;
+    /**
+     * Challenge-emission envelope mode (draft-kya-http-02 §8.1 fetcher-200).
+     * `negotiated` serves a body-readable HTTP 200 step-up response to
+     * cooperative agents (fetchers that drop 4xx/5xx bodies), keeping the spec
+     * 401/422 for everyone else. Defaults to `spec-401`. A cooperative-UX
+     * bridge, NOT an access control.
+     */
+    delegationChallengeMode?: ChallengeEnvelopeMode;
     /**
      * Argus reputation oracle base URL. Omit to use the trust-by-default
      * baseline (reputation defaults to 1.0; orchestrator logs a one-shot

package/dist/{config-kxFihzR_.d.ts → config-DyU4l5er.d.ts}

@@ -1,6 +1,7 @@
 import { NextRequest } from 'next/server';
 import { DidResolverAdapter, StatusListCacheAdapter, ReputationOracleAdapter, PolicyEvaluatorAdapter } from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { EnforcementMode, VerifyResult, EngineConfig } from '@kya-os/checkpoint-wasm-runtime/engine';
+import { ChallengeEnvelopeMode } from '@kya-os/checkpoint-shared';
 import { ComposedPolicyContext } from './composed-policy.js';
 
 /**
@@ -30,6 +31,14 @@ interface CheckpointConfig {
      * through with `X-Checkpoint-Would-Have-Been` headers. Per Phase 0.2.
      */
     enforcementMode?: EnforcementMode;
+    /**
+     * Challenge-emission envelope mode (draft-kya-http-02 §8.1 fetcher-200).
+     * `negotiated` serves a body-readable HTTP 200 step-up response to
+     * cooperative agents (fetchers that drop 4xx/5xx bodies), keeping the spec
+     * 401/422 for everyone else. Defaults to `spec-401`. A cooperative-UX
+     * bridge, NOT an access control.
+     */
+    delegationChallengeMode?: ChallengeEnvelopeMode;
     /**
      * Argus reputation oracle base URL. Omit to use the trust-by-default
      * baseline (reputation defaults to 1.0; orchestrator logs a one-shot

package/dist/index.d.mts

@@ -6,7 +6,7 @@ export { EdgeSessionTracker, SessionData, SessionTrackingConfig, StatelessSessio
 export { AgentShieldClient, AgentShieldClientConfig, CheckpointApiClient, CheckpointApiClientConfig, EnforceInput, EnforceResponse, EnforcementDecision, LogDetectionInput, getAgentShieldClient, getCheckpointApiClient, resetAgentShieldClient, resetCheckpointApiClient } from './api-client.mjs';
 export { A as AgentShieldRequest, D as DetectionContext, N as NextJSMiddlewareConfig } from './types-D9RQvPNy.mjs';
 export { NextJSPolicyMiddlewareConfig, PolicyMiddlewareConfig, applyPolicy, buildBlockedResponse as buildPolicyBlockedResponse, buildRedirectResponse as buildPolicyRedirectResponse, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision } from './policy.mjs';
-export { C as CheckpointConfig } from './config-_nfPN3E3.mjs';
+export { C as CheckpointConfig } from './config-DAwIA4DB.mjs';
 export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, EnforcementAction, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
 import '@kya-os/checkpoint-wasm-runtime/engine';
 import '@kya-os/checkpoint-wasm-runtime/adapters';

package/dist/index.d.ts

@@ -6,7 +6,7 @@ export { EdgeSessionTracker, SessionData, SessionTrackingConfig, StatelessSessio
 export { AgentShieldClient, AgentShieldClientConfig, CheckpointApiClient, CheckpointApiClientConfig, EnforceInput, EnforceResponse, EnforcementDecision, LogDetectionInput, getAgentShieldClient, getCheckpointApiClient, resetAgentShieldClient, resetCheckpointApiClient } from './api-client.js';
 export { A as AgentShieldRequest, D as DetectionContext, N as NextJSMiddlewareConfig } from './types-D9RQvPNy.js';
 export { NextJSPolicyMiddlewareConfig, PolicyMiddlewareConfig, applyPolicy, buildBlockedResponse as buildPolicyBlockedResponse, buildRedirectResponse as buildPolicyRedirectResponse, createContextFromDetection, evaluatePolicyForDetection, getPolicy, handlePolicyDecision } from './policy.js';
-export { C as CheckpointConfig } from './config-kxFihzR_.js';
+export { C as CheckpointConfig } from './config-DyU4l5er.js';
 export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, EnforcementAction, PolicyConfig, PolicyEvaluationContext, PolicyEvaluationResult, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
 import '@kya-os/checkpoint-wasm-runtime/engine';
 import '@kya-os/checkpoint-wasm-runtime/adapters';

package/dist/index.js

@@ -100,7 +100,13 @@ function makeComposedPolicyContext(opts) {
         return structured;
       }
       if (outcome.status === "acting") {
-        return { decision: outcome.engineDecision, acted: true };
+        return {
+          decision: outcome.engineDecision,
+          acted: true,
+          // Echo the SSOT revision pin with the decision it produced (#3246
+          // PR5). Conditional spread: absent upstream stays absent here.
+          ...policy.policySourceHash ? { composedBlobHash: policy.policySourceHash } : {}
+        };
       }
       return structured;
     },
@@ -120,7 +126,12 @@ async function applyComposedPolicy(context, result, path) {
   if (!context) return;
   try {
     const outcome = await context.apply(result, path);
-    if (outcome.acted) result.decision = outcome.decision;
+    if (outcome.acted) {
+      result.decision = outcome.decision;
+      if (outcome.composedBlobHash) {
+        result.composedBlobHash = outcome.composedBlobHash;
+      }
+    }
   } catch {
   }
 }
@@ -201,12 +212,17 @@ function withCheckpoint(config) {
       }
     }
     await dispatchOnResult(config, result, req);
-    const rendered = orchestrator.renderDecisionAsResponse(result);
+    const bodyReadable200 = checkpointShared.selectBodyReadable200(
+      config.delegationChallengeMode ?? "spec-401",
+      req.headers,
+      result.detectionDetail.detectionClass
+    );
+    const rendered = orchestrator.renderDecisionAsResponse(result, { bodyReadable200 });
     return adaptToNextResponse(rendered, req);
   };
 }
 var SDK_NAME = "@kya-os/checkpoint-nextjs";
-var VERSION = "1.7.0";
+var VERSION = "1.7.1";
 function buildReporter(config, runtime = "node") {
   if (!config.apiKey) return null;
   return reporter.makeDetectionReporter({
@@ -552,7 +568,7 @@ function safeHostname(url) {
 // src/responses/agent-instruction.ts
 var MCP_I_DOCS_URL = "https://docs.knowthat.ai/mcp-i/getting-started";
 var DEFAULT_CONNECT_PATH = "/connect";
-function buildAgentInstructionResponse(request, decision, redirectUrl) {
+function buildAgentInstructionResponse(request, decision, redirectUrl, options) {
   const resolved = resolveUrl(redirectUrl ?? DEFAULT_CONNECT_PATH, request.url);
   const agentName = decision.agentName || decision.agentType || "unknown";
   if (!resolved.searchParams.has("agent")) {
@@ -603,8 +619,11 @@ It only takes a moment and you won't need to do it again. Once you're done, ask
       confidence: decision.confidence
     }
   };
-  const response = server.NextResponse.json(body, { status: 401 });
-  response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
+  const bodyReadable200 = options?.bodyReadable200 ?? false;
+  const response = server.NextResponse.json(body, { status: bodyReadable200 ? 200 : 401 });
+  if (!bodyReadable200) {
+    response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
+  }
   response.headers.set(
     "Link",
     `<${authUrl}>; rel="kya-authorize", <${MCP_I_DOCS_URL}>; rel="help"`
@@ -797,7 +816,14 @@ function withCheckpointApi(config = {}) {
             return buildRedirectResponse(request, decision, config);
           }
           const targetUrl = config.redirectUrl || decision.redirectUrl;
-          return buildAgentInstructionResponse(request, decision, targetUrl);
+          const bodyReadable200 = checkpointShared.selectBodyReadable200(
+            config.delegationChallengeMode ?? "spec-401",
+            request.headers,
+            result.data.detection?.detectionClass
+          );
+          return buildAgentInstructionResponse(request, decision, targetUrl, {
+            bodyReadable200
+          });
         }
         case "challenge": {
           return buildRedirectResponse(request, decision, config);

package/dist/index.mjs

@@ -1,7 +1,7 @@
 import { verifyRequest, renderDecisionAsResponse } from '@kya-os/checkpoint-wasm-runtime/orchestrator';
 import { makeSystemClock, makePolicyEvaluator, makeReputationOracle, makeStatusListCache, makeDidResolver } from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { makeDetectionReporter } from '@kya-os/checkpoint-wasm-runtime/reporter';
-import { PolicyFetcher, isKnownAiCrawler, createEvaluationContext, evaluatePolicy, ENFORCEMENT_ACTIONS, PolicyConfigSchema, DEFAULT_POLICY, matchPath, requestCarriesDelegationProof, acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, createPolicyFetcher, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
+import { selectBodyReadable200, PolicyFetcher, isKnownAiCrawler, createEvaluationContext, evaluatePolicy, ENFORCEMENT_ACTIONS, PolicyConfigSchema, DEFAULT_POLICY, matchPath, requestCarriesDelegationProof, acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, createPolicyFetcher, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
 export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
 import { NextResponse } from 'next/server';
 import { makeComposedPolicyCache, evaluateComposedPolicy, verifyResultToAuthorizeInput } from '@kya-os/checkpoint-wasm-runtime/composed-policy';
@@ -99,7 +99,13 @@ function makeComposedPolicyContext(opts) {
         return structured;
       }
       if (outcome.status === "acting") {
-        return { decision: outcome.engineDecision, acted: true };
+        return {
+          decision: outcome.engineDecision,
+          acted: true,
+          // Echo the SSOT revision pin with the decision it produced (#3246
+          // PR5). Conditional spread: absent upstream stays absent here.
+          ...policy.policySourceHash ? { composedBlobHash: policy.policySourceHash } : {}
+        };
       }
       return structured;
     },
@@ -119,7 +125,12 @@ async function applyComposedPolicy(context, result, path) {
   if (!context) return;
   try {
     const outcome = await context.apply(result, path);
-    if (outcome.acted) result.decision = outcome.decision;
+    if (outcome.acted) {
+      result.decision = outcome.decision;
+      if (outcome.composedBlobHash) {
+        result.composedBlobHash = outcome.composedBlobHash;
+      }
+    }
   } catch {
   }
 }
@@ -200,12 +211,17 @@ function withCheckpoint(config) {
       }
     }
     await dispatchOnResult(config, result, req);
-    const rendered = renderDecisionAsResponse(result);
+    const bodyReadable200 = selectBodyReadable200(
+      config.delegationChallengeMode ?? "spec-401",
+      req.headers,
+      result.detectionDetail.detectionClass
+    );
+    const rendered = renderDecisionAsResponse(result, { bodyReadable200 });
     return adaptToNextResponse(rendered, req);
   };
 }
 var SDK_NAME = "@kya-os/checkpoint-nextjs";
-var VERSION = "1.7.0";
+var VERSION = "1.7.1";
 function buildReporter(config, runtime = "node") {
   if (!config.apiKey) return null;
   return makeDetectionReporter({
@@ -551,7 +567,7 @@ function safeHostname(url) {
 // src/responses/agent-instruction.ts
 var MCP_I_DOCS_URL = "https://docs.knowthat.ai/mcp-i/getting-started";
 var DEFAULT_CONNECT_PATH = "/connect";
-function buildAgentInstructionResponse(request, decision, redirectUrl) {
+function buildAgentInstructionResponse(request, decision, redirectUrl, options) {
   const resolved = resolveUrl(redirectUrl ?? DEFAULT_CONNECT_PATH, request.url);
   const agentName = decision.agentName || decision.agentType || "unknown";
   if (!resolved.searchParams.has("agent")) {
@@ -602,8 +618,11 @@ It only takes a moment and you won't need to do it again. Once you're done, ask
       confidence: decision.confidence
     }
   };
-  const response = NextResponse.json(body, { status: 401 });
-  response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
+  const bodyReadable200 = options?.bodyReadable200 ?? false;
+  const response = NextResponse.json(body, { status: bodyReadable200 ? 200 : 401 });
+  if (!bodyReadable200) {
+    response.headers.set("WWW-Authenticate", `KYA realm="api", authorization_uri="${authUrl}"`);
+  }
   response.headers.set(
     "Link",
     `<${authUrl}>; rel="kya-authorize", <${MCP_I_DOCS_URL}>; rel="help"`
@@ -796,7 +815,14 @@ function withCheckpointApi(config = {}) {
             return buildRedirectResponse(request, decision, config);
           }
           const targetUrl = config.redirectUrl || decision.redirectUrl;
-          return buildAgentInstructionResponse(request, decision, targetUrl);
+          const bodyReadable200 = selectBodyReadable200(
+            config.delegationChallengeMode ?? "spec-401",
+            request.headers,
+            result.data.detection?.detectionClass
+          );
+          return buildAgentInstructionResponse(request, decision, targetUrl, {
+            bodyReadable200
+          });
         }
         case "challenge": {
           return buildRedirectResponse(request, decision, config);

package/dist/middleware-edge.d.mts

@@ -1,12 +1,12 @@
 import { NextRequest, NextFetchEvent, NextResponse } from 'next/server';
 export { initEngineEdge } from '@kya-os/checkpoint-wasm-runtime/orchestrator/edge';
 export { initPolicyEvaluatorEdge } from '@kya-os/checkpoint-wasm-runtime/policy-edge';
-import { C as CheckpointConfig } from './config-_nfPN3E3.mjs';
+import { C as CheckpointConfig } from './config-DAwIA4DB.mjs';
 import '@kya-os/checkpoint-wasm-runtime/adapters';
 import '@kya-os/checkpoint-wasm-runtime/engine';
+import '@kya-os/checkpoint-shared';
 import './composed-policy.mjs';
 import '@kya-os/checkpoint-wasm-runtime/composed-policy';
-import '@kya-os/checkpoint-shared';
 
 /**
  * D.3 — Edge-runtime Next.js middleware entry.

package/dist/middleware-edge.d.ts

@@ -1,12 +1,12 @@
 import { NextRequest, NextFetchEvent, NextResponse } from 'next/server';
 export { initEngineEdge } from '@kya-os/checkpoint-wasm-runtime/orchestrator/edge';
 export { initPolicyEvaluatorEdge } from '@kya-os/checkpoint-wasm-runtime/policy-edge';
-import { C as CheckpointConfig } from './config-kxFihzR_.js';
+import { C as CheckpointConfig } from './config-DyU4l5er.js';
 import '@kya-os/checkpoint-wasm-runtime/adapters';
 import '@kya-os/checkpoint-wasm-runtime/engine';
+import '@kya-os/checkpoint-shared';
 import './composed-policy.js';
 import '@kya-os/checkpoint-wasm-runtime/composed-policy';
-import '@kya-os/checkpoint-shared';
 
 /**
  * D.3 — Edge-runtime Next.js middleware entry.

package/dist/middleware-edge.js

@@ -102,7 +102,13 @@ function makeComposedPolicyContext(opts) {
         return structured;
       }
       if (outcome.status === "acting") {
-        return { decision: outcome.engineDecision, acted: true };
+        return {
+          decision: outcome.engineDecision,
+          acted: true,
+          // Echo the SSOT revision pin with the decision it produced (#3246
+          // PR5). Conditional spread: absent upstream stays absent here.
+          ...policy.policySourceHash ? { composedBlobHash: policy.policySourceHash } : {}
+        };
       }
       return structured;
     },
@@ -122,7 +128,12 @@ async function applyComposedPolicy(context, result, path) {
   if (!context) return;
   try {
     const outcome = await context.apply(result, path);
-    if (outcome.acted) result.decision = outcome.decision;
+    if (outcome.acted) {
+      result.decision = outcome.decision;
+      if (outcome.composedBlobHash) {
+        result.composedBlobHash = outcome.composedBlobHash;
+      }
+    }
   } catch {
   }
 }
@@ -180,7 +191,7 @@ function extractRemoteAddress(req) {
 
 // src/middleware-node.ts
 var SDK_NAME = "@kya-os/checkpoint-nextjs";
-var VERSION = "1.7.0";
+var VERSION = "1.7.1";
 function buildReporter(config, runtime = "node") {
   if (!config.apiKey) return null;
   return reporter.makeDetectionReporter({
@@ -258,7 +269,12 @@ function withCheckpoint(config) {
       }
     }
     await dispatchOnResult(config, result, req);
-    const rendered = edge.renderDecisionAsResponse(result);
+    const bodyReadable200 = checkpointShared.selectBodyReadable200(
+      config.delegationChallengeMode ?? "spec-401",
+      req.headers,
+      result.detectionDetail.detectionClass
+    );
+    const rendered = edge.renderDecisionAsResponse(result, { bodyReadable200 });
     return adaptToNextResponse(rendered, req);
   };
 }

package/dist/middleware-edge.mjs

@@ -2,7 +2,7 @@ import { initEngineEdge, verifyRequestEdge, renderDecisionAsResponse } from '@ky
 export { initEngineEdge } from '@kya-os/checkpoint-wasm-runtime/orchestrator/edge';
 import { initPolicyEvaluatorEdge, evaluatePolicy } from '@kya-os/checkpoint-wasm-runtime/policy-edge';
 export { initPolicyEvaluatorEdge } from '@kya-os/checkpoint-wasm-runtime/policy-edge';
-import { PolicyFetcher, requestCarriesDelegationProof, acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
+import { selectBodyReadable200, PolicyFetcher, requestCarriesDelegationProof, acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
 import { NextResponse } from 'next/server';
 import { makeComposedPolicyCache, evaluateComposedPolicy, verifyResultToAuthorizeInput } from '@kya-os/checkpoint-wasm-runtime/composed-policy';
 import '@kya-os/checkpoint-wasm-runtime/orchestrator';
@@ -102,7 +102,13 @@ function makeComposedPolicyContext(opts) {
         return structured;
       }
       if (outcome.status === "acting") {
-        return { decision: outcome.engineDecision, acted: true };
+        return {
+          decision: outcome.engineDecision,
+          acted: true,
+          // Echo the SSOT revision pin with the decision it produced (#3246
+          // PR5). Conditional spread: absent upstream stays absent here.
+          ...policy.policySourceHash ? { composedBlobHash: policy.policySourceHash } : {}
+        };
       }
       return structured;
     },
@@ -122,7 +128,12 @@ async function applyComposedPolicy(context, result, path) {
   if (!context) return;
   try {
     const outcome = await context.apply(result, path);
-    if (outcome.acted) result.decision = outcome.decision;
+    if (outcome.acted) {
+      result.decision = outcome.decision;
+      if (outcome.composedBlobHash) {
+        result.composedBlobHash = outcome.composedBlobHash;
+      }
+    }
   } catch {
   }
 }
@@ -180,7 +191,7 @@ function extractRemoteAddress(req) {
 
 // src/middleware-node.ts
 var SDK_NAME = "@kya-os/checkpoint-nextjs";
-var VERSION = "1.7.0";
+var VERSION = "1.7.1";
 function buildReporter(config, runtime = "node") {
   if (!config.apiKey) return null;
   return makeDetectionReporter({
@@ -258,7 +269,12 @@ function withCheckpoint(config) {
       }
     }
     await dispatchOnResult(config, result, req);
-    const rendered = renderDecisionAsResponse(result);
+    const bodyReadable200 = selectBodyReadable200(
+      config.delegationChallengeMode ?? "spec-401",
+      req.headers,
+      result.detectionDetail.detectionClass
+    );
+    const rendered = renderDecisionAsResponse(result, { bodyReadable200 });
     return adaptToNextResponse(rendered, req);
   };
 }