@kya-os/checkpoint-wasm-runtime 1.0.0

package/dist/edge.js

@@ -0,0 +1,1403 @@
+'use strict';
+
+var checkpointShared = require('@kya-os/checkpoint-shared');
+
+// src/types.ts
+var CONFIDENCE = {
+  /** Minimum confidence for isAgent=true */
+  THRESHOLD_AGENT: 30,
+  /** Cryptographic signature verified */
+  SIGNATURE_VERIFIED: 100,
+  /** Signature header present but not verified */
+  SIGNATURE_PRESENT: 85,
+  /** Strong pattern match */
+  PATTERN_HIGH: 85,
+  /** Moderate pattern match */
+  PATTERN_MEDIUM: 60,
+  /** Weak pattern match */
+  PATTERN_LOW: 40,
+  /** Cloud IP detection only */
+  CLOUD_IP: 30
+};
+
+// src/wasm-detector.ts
+function parseVerificationMethod(method) {
+  switch (method.toLowerCase()) {
+    case "signature":
+      return "signature";
+    case "pattern":
+      return "pattern";
+    case "behavioral":
+      return "behavioral";
+    case "network":
+      return "network";
+    case "mcp_i_handshake":
+      return "mcp_i_handshake";
+    default:
+      return "none";
+  }
+}
+function determineForgeabilityRisk(method, confidence) {
+  if (method === "signature" && confidence >= 90) {
+    return "low";
+  }
+  if (confidence >= 80) {
+    return "medium";
+  }
+  return "high";
+}
+function determineDetectionClass(isAgent, agentName, confidence) {
+  if (!isAgent || confidence < CONFIDENCE.THRESHOLD_AGENT) {
+    return { type: "Human" };
+  }
+  if (agentName) {
+    const aiAgentPatterns = [
+      "chatgpt",
+      "gpt",
+      "openai",
+      "claude",
+      "anthropic",
+      "perplexity",
+      "gemini",
+      "google ai",
+      "copilot",
+      "bing chat"
+    ];
+    const lowerName = agentName.toLowerCase();
+    if (aiAgentPatterns.some((pattern) => lowerName.includes(pattern))) {
+      return { type: "AiAgent", agentType: agentName };
+    }
+    const botPatterns = ["bot", "crawler", "spider", "scraper"];
+    if (botPatterns.some((pattern) => lowerName.includes(pattern))) {
+      return { type: "Bot", botType: agentName };
+    }
+    const automationPatterns = ["selenium", "puppeteer", "playwright", "cypress"];
+    if (automationPatterns.some((pattern) => lowerName.includes(pattern))) {
+      return { type: "Automation", toolType: agentName };
+    }
+    return { type: "AiAgent", agentType: agentName };
+  }
+  return { type: "Unknown" };
+}
+var WasmDetector = class {
+  /**
+   * Create a new WasmDetector
+   * @param loader - WASM loader (static for Edge, dynamic for Node.js)
+   * @param policyLoader - Optional policy loader for API key support
+   * @param options - Detector configuration options
+   */
+  constructor(loader, policyLoader, options = {}) {
+    this.loader = loader;
+    this.policyLoader = policyLoader;
+    this.options = options;
+  }
+  ready = false;
+  loadPromise = null;
+  /**
+   * Analyze a request and detect if it's from an agent
+   */
+  async detect(input) {
+    await this.ensureReady();
+    try {
+      const bindings = this.loader.getBindings();
+      const metadata = {
+        user_agent: input.userAgent || null,
+        ip_address: input.ipAddress || null,
+        headers: JSON.stringify(input.headers || {}),
+        timestamp: (input.timestamp || /* @__PURE__ */ new Date()).toISOString(),
+        url: input.url || null,
+        method: input.method || null,
+        client_fingerprint: input.clientFingerprint || null,
+        free: () => {
+        }
+        // No-op for JS
+      };
+      const wasmResult = bindings.detect_agent(metadata);
+      const verificationMethod = parseVerificationMethod(wasmResult.verification_method);
+      const forgeabilityRisk = determineForgeabilityRisk(verificationMethod, wasmResult.confidence);
+      const detectionClass = determineDetectionClass(
+        wasmResult.is_agent,
+        wasmResult.agent,
+        wasmResult.confidence
+      );
+      let result = {
+        isAgent: wasmResult.is_agent,
+        confidence: wasmResult.confidence,
+        // Already 0-100, no conversion!
+        detectionClass,
+        detectedAgent: wasmResult.agent ? {
+          type: this.inferAgentType(wasmResult.agent),
+          name: wasmResult.agent
+        } : void 0,
+        verificationMethod,
+        forgeabilityRisk,
+        reasons: this.extractReasons(wasmResult),
+        timestamp: /* @__PURE__ */ new Date()
+      };
+      if (this.policyLoader && this.options.apiKey) {
+        result = await this.applyPolicy(result);
+      }
+      return result;
+    } catch (error) {
+      if (this.options.debug) {
+        console.error("[WasmDetector] Detection error:", error);
+      }
+      return this.createDefaultResult();
+    }
+  }
+  /**
+   * Check if the detector is ready
+   */
+  isReady() {
+    return this.ready;
+  }
+  /**
+   * Ensure the detector is initialized
+   */
+  async ensureReady() {
+    if (this.ready) {
+      return;
+    }
+    if (this.loadPromise) {
+      return this.loadPromise;
+    }
+    this.loadPromise = this.initialize();
+    return this.loadPromise;
+  }
+  /**
+   * Get detector version
+   */
+  async getVersion() {
+    await this.ensureReady();
+    return this.loader.getBindings().get_version();
+  }
+  /**
+   * Initialize the detector
+   */
+  async initialize() {
+    try {
+      await this.loader.load();
+      this.ready = true;
+      if (this.options.debug) {
+        const version2 = this.loader.getBindings().get_version();
+        console.log(
+          `[WasmDetector] Initialized with WASM v${version2} (${this.loader.getStrategy()})`
+        );
+      }
+    } catch (error) {
+      this.loadPromise = null;
+      throw error;
+    }
+  }
+  /**
+   * Apply customer policy to detection result
+   */
+  async applyPolicy(result) {
+    if (!this.policyLoader || !this.options.apiKey) {
+      return result;
+    }
+    try {
+      let policy = this.policyLoader.getCachedPolicy(this.options.apiKey);
+      if (!policy) {
+        policy = await this.policyLoader.loadPolicy(this.options.apiKey);
+      }
+      return this.applyPolicyRules(result, policy);
+    } catch (error) {
+      if (this.options.debug) {
+        console.warn("[WasmDetector] Failed to load policy:", error);
+      }
+      return result;
+    }
+  }
+  /**
+   * Check if agent name matches a policy list entry
+   * Uses exact match or word-boundary prefix match to avoid false positives
+   * e.g., "gpt" matches "ChatGPT" and "GPT-4" but not "EgyptBot"
+   */
+  matchesPolicyEntry(agentName, policyEntry) {
+    const lowerAgent = agentName.toLowerCase();
+    const lowerEntry = policyEntry.toLowerCase();
+    if (lowerAgent === lowerEntry) {
+      return true;
+    }
+    const wordBoundaryRegex = new RegExp(
+      `(^|[^a-z0-9])${this.escapeRegex(lowerEntry)}($|[^a-z0-9])`,
+      "i"
+    );
+    return wordBoundaryRegex.test(lowerAgent);
+  }
+  /**
+   * Escape special regex characters in a string
+   */
+  escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  }
+  /**
+   * Apply policy rules to detection result
+   */
+  applyPolicyRules(result, policy) {
+    if (policy.denyList && result.detectedAgent) {
+      const agentName = result.detectedAgent.name;
+      const isDenied = policy.denyList.some((denied) => this.matchesPolicyEntry(agentName, denied));
+      if (isDenied) {
+        return {
+          ...result,
+          shouldBlock: true,
+          blockReason: "deny_list"
+        };
+      }
+    }
+    if (policy.allowList && policy.allowList.length > 0 && result.isAgent) {
+      const agentName = result.detectedAgent?.name;
+      if (!agentName) ; else {
+        const isAllowed = policy.allowList.some(
+          (allowed) => this.matchesPolicyEntry(agentName, allowed)
+        );
+        if (!isAllowed) {
+          return {
+            ...result,
+            shouldBlock: true,
+            blockReason: "not_in_allow_list"
+          };
+        }
+        return {
+          ...result,
+          shouldBlock: false
+        };
+      }
+    }
+    if (policy.blockThreshold !== void 0 && result.isAgent && result.confidence >= policy.blockThreshold) {
+      return {
+        ...result,
+        shouldBlock: true,
+        blockReason: "threshold"
+      };
+    }
+    return result;
+  }
+  /**
+   * Infer agent type from name
+   */
+  inferAgentType(agentName) {
+    const lowerName = agentName.toLowerCase();
+    if (lowerName.includes("chatgpt") || lowerName.includes("openai") || lowerName.includes("gpt")) {
+      return "openai";
+    }
+    if (lowerName.includes("claude") || lowerName.includes("anthropic")) {
+      return "anthropic";
+    }
+    if (lowerName.includes("perplexity")) {
+      return "perplexity";
+    }
+    if (lowerName.includes("gemini") || lowerName.includes("google")) {
+      return "google";
+    }
+    if (lowerName.includes("copilot") || lowerName.includes("bing")) {
+      return "microsoft";
+    }
+    return "unknown";
+  }
+  /**
+   * Extract reasons from WASM result
+   */
+  extractReasons(wasmResult) {
+    const reasons = [];
+    if (wasmResult.verification_method) {
+      reasons.push(`method:${wasmResult.verification_method}`);
+    }
+    if (wasmResult.agent) {
+      reasons.push(`agent:${wasmResult.agent.toLowerCase()}`);
+    }
+    return reasons;
+  }
+  /**
+   * Create default result (assumed human)
+   */
+  createDefaultResult() {
+    return {
+      isAgent: false,
+      confidence: 0,
+      detectionClass: { type: "Human" },
+      verificationMethod: "none",
+      forgeabilityRisk: "high",
+      reasons: ["detection_failed"],
+      timestamp: /* @__PURE__ */ new Date()
+    };
+  }
+};
+
+// src/wasm-bindgen/agentshield_wasm.js
+var wasm;
+var cachedTextDecoder = typeof TextDecoder !== "undefined" ? new TextDecoder("utf-8", { ignoreBOM: true, fatal: true }) : {
+  decode: () => {
+    throw Error("TextDecoder not available");
+  }
+};
+if (typeof TextDecoder !== "undefined") {
+  cachedTextDecoder.decode();
+}
+var cachedUint8ArrayMemory0 = null;
+function getUint8ArrayMemory0() {
+  if (cachedUint8ArrayMemory0 === null || cachedUint8ArrayMemory0.byteLength === 0) {
+    cachedUint8ArrayMemory0 = new Uint8Array(wasm.memory.buffer);
+  }
+  return cachedUint8ArrayMemory0;
+}
+function getStringFromWasm0(ptr, len) {
+  ptr = ptr >>> 0;
+  return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+function logError(f, args) {
+  try {
+    return f.apply(this, args);
+  } catch (e) {
+    let error = (function() {
+      try {
+        return e instanceof Error ? `${e.message}
+
+Stack:
+${e.stack}` : e.toString();
+      } catch (_) {
+        return "<failed to stringify thrown value>";
+      }
+    })();
+    console.error(
+      "wasm-bindgen: imported JS function that was not marked as `catch` threw an error:",
+      error
+    );
+    throw e;
+  }
+}
+var WASM_VECTOR_LEN = 0;
+var cachedTextEncoder = typeof TextEncoder !== "undefined" ? new TextEncoder("utf-8") : {
+  encode: () => {
+    throw Error("TextEncoder not available");
+  }
+};
+var encodeString = typeof cachedTextEncoder.encodeInto === "function" ? function(arg, view) {
+  return cachedTextEncoder.encodeInto(arg, view);
+} : function(arg, view) {
+  const buf = cachedTextEncoder.encode(arg);
+  view.set(buf);
+  return {
+    read: arg.length,
+    written: buf.length
+  };
+};
+function passStringToWasm0(arg, malloc, realloc) {
+  if (typeof arg !== "string") throw new Error(`expected a string argument, found ${typeof arg}`);
+  if (realloc === void 0) {
+    const buf = cachedTextEncoder.encode(arg);
+    const ptr2 = malloc(buf.length, 1) >>> 0;
+    getUint8ArrayMemory0().subarray(ptr2, ptr2 + buf.length).set(buf);
+    WASM_VECTOR_LEN = buf.length;
+    return ptr2;
+  }
+  let len = arg.length;
+  let ptr = malloc(len, 1) >>> 0;
+  const mem = getUint8ArrayMemory0();
+  let offset = 0;
+  for (; offset < len; offset++) {
+    const code = arg.charCodeAt(offset);
+    if (code > 127) break;
+    mem[ptr + offset] = code;
+  }
+  if (offset !== len) {
+    if (offset !== 0) {
+      arg = arg.slice(offset);
+    }
+    ptr = realloc(ptr, len, len = offset + arg.length * 3, 1) >>> 0;
+    const view = getUint8ArrayMemory0().subarray(ptr + offset, ptr + len);
+    const ret = encodeString(arg, view);
+    if (ret.read !== arg.length) throw new Error("failed to pass whole string");
+    offset += ret.written;
+    ptr = realloc(ptr, len, offset, 1) >>> 0;
+  }
+  WASM_VECTOR_LEN = offset;
+  return ptr;
+}
+var cachedDataViewMemory0 = null;
+function getDataViewMemory0() {
+  if (cachedDataViewMemory0 === null || cachedDataViewMemory0.buffer.detached === true || cachedDataViewMemory0.buffer.detached === void 0 && cachedDataViewMemory0.buffer !== wasm.memory.buffer) {
+    cachedDataViewMemory0 = new DataView(wasm.memory.buffer);
+  }
+  return cachedDataViewMemory0;
+}
+function _assertNum(n) {
+  if (typeof n !== "number") throw new Error(`expected a number argument, found ${typeof n}`);
+}
+function _assertBoolean(n) {
+  if (typeof n !== "boolean") {
+    throw new Error(`expected a boolean argument, found ${typeof n}`);
+  }
+}
+function isLikeNone(x) {
+  return x === void 0 || x === null;
+}
+function _assertClass(instance, klass) {
+  if (!(instance instanceof klass)) {
+    throw new Error(`expected instance of ${klass.name}`);
+  }
+}
+function takeFromExternrefTable0(idx) {
+  const value = wasm.__wbindgen_export_3.get(idx);
+  wasm.__externref_table_dealloc(idx);
+  return value;
+}
+function detect_agent(metadata) {
+  _assertClass(metadata, JsRequestMetadata);
+  if (metadata.__wbg_ptr === 0) {
+    throw new Error("Attempt to use a moved value");
+  }
+  const ret = wasm.detect_agent(metadata.__wbg_ptr);
+  if (ret[2]) {
+    throw takeFromExternrefTable0(ret[1]);
+  }
+  return JsDetectionResult.__wrap(ret[0]);
+}
+function version() {
+  let deferred1_0;
+  let deferred1_1;
+  try {
+    const ret = wasm.version();
+    deferred1_0 = ret[0];
+    deferred1_1 = ret[1];
+    return getStringFromWasm0(ret[0], ret[1]);
+  } finally {
+    wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+  }
+}
+var JsDetectionResultFinalization = typeof FinalizationRegistry === "undefined" ? { register: () => {
+}, unregister: () => {
+} } : new FinalizationRegistry((ptr) => wasm.__wbg_jsdetectionresult_free(ptr >>> 0, 1));
+var JsDetectionResult = class _JsDetectionResult {
+  constructor() {
+    throw new Error("cannot invoke `new` directly");
+  }
+  static __wrap(ptr) {
+    ptr = ptr >>> 0;
+    const obj = Object.create(_JsDetectionResult.prototype);
+    obj.__wbg_ptr = ptr;
+    JsDetectionResultFinalization.register(obj, obj.__wbg_ptr, obj);
+    return obj;
+  }
+  __destroy_into_raw() {
+    const ptr = this.__wbg_ptr;
+    this.__wbg_ptr = 0;
+    JsDetectionResultFinalization.unregister(this);
+    return ptr;
+  }
+  free() {
+    const ptr = this.__destroy_into_raw();
+    wasm.__wbg_jsdetectionresult_free(ptr, 0);
+  }
+  /**
+   * Whether the request was identified as coming from an agent
+   * @returns {boolean}
+   */
+  get is_agent() {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    const ret = wasm.__wbg_get_jsdetectionresult_is_agent(this.__wbg_ptr);
+    return ret !== 0;
+  }
+  /**
+   * Whether the request was identified as coming from an agent
+   * @param {boolean} arg0
+   */
+  set is_agent(arg0) {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    _assertBoolean(arg0);
+    wasm.__wbg_set_jsdetectionresult_is_agent(this.__wbg_ptr, arg0);
+  }
+  /**
+   * Confidence score (0.0 to 1.0)
+   * @returns {number}
+   */
+  get confidence() {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    const ret = wasm.__wbg_get_jsdetectionresult_confidence(this.__wbg_ptr);
+    return ret;
+  }
+  /**
+   * Confidence score (0.0 to 1.0)
+   * @param {number} arg0
+   */
+  set confidence(arg0) {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    wasm.__wbg_set_jsdetectionresult_confidence(this.__wbg_ptr, arg0);
+  }
+  /**
+   * Get the detected agent name
+   * @returns {string | undefined}
+   */
+  get agent() {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    const ret = wasm.jsdetectionresult_agent(this.__wbg_ptr);
+    let v1;
+    if (ret[0] !== 0) {
+      v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+      wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    }
+    return v1;
+  }
+  /**
+   * Get the verification method as a string
+   * @returns {string}
+   */
+  get verification_method() {
+    let deferred1_0;
+    let deferred1_1;
+    try {
+      if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+      _assertNum(this.__wbg_ptr);
+      const ret = wasm.jsdetectionresult_verification_method(this.__wbg_ptr);
+      deferred1_0 = ret[0];
+      deferred1_1 = ret[1];
+      return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+      wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+    }
+  }
+  /**
+   * Get the risk level as a string
+   * @returns {string}
+   */
+  get risk_level() {
+    let deferred1_0;
+    let deferred1_1;
+    try {
+      if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+      _assertNum(this.__wbg_ptr);
+      const ret = wasm.jsdetectionresult_risk_level(this.__wbg_ptr);
+      deferred1_0 = ret[0];
+      deferred1_1 = ret[1];
+      return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+      wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+    }
+  }
+  /**
+   * Get the timestamp as a string
+   * @returns {string}
+   */
+  get timestamp() {
+    let deferred1_0;
+    let deferred1_1;
+    try {
+      if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+      _assertNum(this.__wbg_ptr);
+      const ret = wasm.jsdetectionresult_timestamp(this.__wbg_ptr);
+      deferred1_0 = ret[0];
+      deferred1_1 = ret[1];
+      return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+      wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+    }
+  }
+};
+var JsRequestMetadataFinalization = typeof FinalizationRegistry === "undefined" ? { register: () => {
+}, unregister: () => {
+} } : new FinalizationRegistry((ptr) => wasm.__wbg_jsrequestmetadata_free(ptr >>> 0, 1));
+var JsRequestMetadata = class {
+  __destroy_into_raw() {
+    const ptr = this.__wbg_ptr;
+    this.__wbg_ptr = 0;
+    JsRequestMetadataFinalization.unregister(this);
+    return ptr;
+  }
+  free() {
+    const ptr = this.__destroy_into_raw();
+    wasm.__wbg_jsrequestmetadata_free(ptr, 0);
+  }
+  /**
+   * Constructor for JsRequestMetadata
+   * @param {string | null | undefined} user_agent
+   * @param {string | null | undefined} ip_address
+   * @param {string} headers
+   * @param {string} timestamp
+   * @param {string | null} [url]
+   * @param {string | null} [method]
+   * @param {string | null} [client_fingerprint]
+   */
+  constructor(user_agent, ip_address, headers, timestamp, url, method, client_fingerprint) {
+    var ptr0 = isLikeNone(user_agent) ? 0 : passStringToWasm0(user_agent, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var len0 = WASM_VECTOR_LEN;
+    var ptr1 = isLikeNone(ip_address) ? 0 : passStringToWasm0(ip_address, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(headers, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ptr3 = passStringToWasm0(timestamp, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len3 = WASM_VECTOR_LEN;
+    var ptr4 = isLikeNone(url) ? 0 : passStringToWasm0(url, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var len4 = WASM_VECTOR_LEN;
+    var ptr5 = isLikeNone(method) ? 0 : passStringToWasm0(method, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var len5 = WASM_VECTOR_LEN;
+    var ptr6 = isLikeNone(client_fingerprint) ? 0 : passStringToWasm0(client_fingerprint, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var len6 = WASM_VECTOR_LEN;
+    const ret = wasm.jsrequestmetadata_new(
+      ptr0,
+      len0,
+      ptr1,
+      len1,
+      ptr2,
+      len2,
+      ptr3,
+      len3,
+      ptr4,
+      len4,
+      ptr5,
+      len5,
+      ptr6,
+      len6
+    );
+    this.__wbg_ptr = ret >>> 0;
+    JsRequestMetadataFinalization.register(this, this.__wbg_ptr, this);
+    return this;
+  }
+  /**
+   * Get the user agent
+   * @returns {string | undefined}
+   */
+  get user_agent() {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    const ret = wasm.jsrequestmetadata_user_agent(this.__wbg_ptr);
+    let v1;
+    if (ret[0] !== 0) {
+      v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+      wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    }
+    return v1;
+  }
+  /**
+   * Get the IP address
+   * @returns {string | undefined}
+   */
+  get ip_address() {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    const ret = wasm.jsrequestmetadata_ip_address(this.__wbg_ptr);
+    let v1;
+    if (ret[0] !== 0) {
+      v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+      wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    }
+    return v1;
+  }
+  /**
+   * Get the headers as JSON string
+   * @returns {string}
+   */
+  get headers() {
+    let deferred1_0;
+    let deferred1_1;
+    try {
+      if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+      _assertNum(this.__wbg_ptr);
+      const ret = wasm.jsrequestmetadata_headers(this.__wbg_ptr);
+      deferred1_0 = ret[0];
+      deferred1_1 = ret[1];
+      return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+      wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+    }
+  }
+  /**
+   * Get the timestamp
+   * @returns {string}
+   */
+  get timestamp() {
+    let deferred1_0;
+    let deferred1_1;
+    try {
+      if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+      _assertNum(this.__wbg_ptr);
+      const ret = wasm.jsrequestmetadata_timestamp(this.__wbg_ptr);
+      deferred1_0 = ret[0];
+      deferred1_1 = ret[1];
+      return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+      wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+    }
+  }
+  /**
+   * Get the URL
+   * @returns {string | undefined}
+   */
+  get url() {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    const ret = wasm.jsrequestmetadata_url(this.__wbg_ptr);
+    let v1;
+    if (ret[0] !== 0) {
+      v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+      wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    }
+    return v1;
+  }
+  /**
+   * Get the method
+   * @returns {string | undefined}
+   */
+  get method() {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    const ret = wasm.jsrequestmetadata_method(this.__wbg_ptr);
+    let v1;
+    if (ret[0] !== 0) {
+      v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+      wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    }
+    return v1;
+  }
+  /**
+   * Get the client fingerprint
+   * @returns {string | undefined}
+   */
+  get client_fingerprint() {
+    if (this.__wbg_ptr == 0) throw new Error("Attempt to use a moved value");
+    _assertNum(this.__wbg_ptr);
+    const ret = wasm.jsrequestmetadata_client_fingerprint(this.__wbg_ptr);
+    let v1;
+    if (ret[0] !== 0) {
+      v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+      wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    }
+    return v1;
+  }
+};
+function __wbg_get_imports() {
+  const imports = {};
+  imports.wbg = {};
+  imports.wbg.__wbg_error_7534b8e9a36f1ab4 = function() {
+    return logError(function(arg0, arg1) {
+      let deferred0_0;
+      let deferred0_1;
+      try {
+        deferred0_0 = arg0;
+        deferred0_1 = arg1;
+        console.error(getStringFromWasm0(arg0, arg1));
+      } finally {
+        wasm.__wbindgen_free(deferred0_0, deferred0_1, 1);
+      }
+    }, arguments);
+  };
+  imports.wbg.__wbg_getTime_46267b1c24877e30 = function() {
+    return logError(function(arg0) {
+      const ret = arg0.getTime();
+      return ret;
+    }, arguments);
+  };
+  imports.wbg.__wbg_log_c222819a41e063d3 = function() {
+    return logError(function(arg0) {
+      console.log(arg0);
+    }, arguments);
+  };
+  imports.wbg.__wbg_new_31a97dac4f10fab7 = function() {
+    return logError(function(arg0) {
+      const ret = new Date(arg0);
+      return ret;
+    }, arguments);
+  };
+  imports.wbg.__wbg_new_8a6f238a6ece86ea = function() {
+    return logError(function() {
+      const ret = new Error();
+      return ret;
+    }, arguments);
+  };
+  imports.wbg.__wbg_now_807e54c39636c349 = function() {
+    return logError(function() {
+      const ret = Date.now();
+      return ret;
+    }, arguments);
+  };
+  imports.wbg.__wbg_stack_0ed75d68575b0f3c = function() {
+    return logError(function(arg0, arg1) {
+      const ret = arg1.stack;
+      const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+      const len1 = WASM_VECTOR_LEN;
+      getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
+      getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
+    }, arguments);
+  };
+  imports.wbg.__wbindgen_init_externref_table = function() {
+    const table = wasm.__wbindgen_export_3;
+    const offset = table.grow(4);
+    table.set(0, void 0);
+    table.set(offset + 0, void 0);
+    table.set(offset + 1, null);
+    table.set(offset + 2, true);
+    table.set(offset + 3, false);
+  };
+  imports.wbg.__wbindgen_string_new = function(arg0, arg1) {
+    const ret = getStringFromWasm0(arg0, arg1);
+    return ret;
+  };
+  imports.wbg.__wbindgen_throw = function(arg0, arg1) {
+    throw new Error(getStringFromWasm0(arg0, arg1));
+  };
+  return imports;
+}
+function __wbg_finalize_init(instance, module) {
+  wasm = instance.exports;
+  cachedDataViewMemory0 = null;
+  cachedUint8ArrayMemory0 = null;
+  wasm.__wbindgen_start();
+  return wasm;
+}
+function initSync(module) {
+  if (wasm !== void 0) return wasm;
+  if (typeof module !== "undefined") {
+    if (Object.getPrototypeOf(module) === Object.prototype) {
+      ({ module } = module);
+    } else {
+      console.warn("using deprecated parameters for `initSync()`; pass a single object instead");
+    }
+  }
+  const imports = __wbg_get_imports();
+  if (!(module instanceof WebAssembly.Module)) {
+    module = new WebAssembly.Module(module);
+  }
+  const instance = new WebAssembly.Instance(module, imports);
+  return __wbg_finalize_init(instance);
+}
+
+// src/loaders/static-loader.ts
+var StaticWasmLoader = class {
+  /**
+   * Create a new StaticWasmLoader
+   * @param wasmModule - Pre-compiled WebAssembly.Module from static import
+   */
+  constructor(wasmModule) {
+    this.wasmModule = wasmModule;
+    if (!wasmModule) {
+      throw new Error(
+        "StaticWasmLoader requires a WebAssembly.Module. Import with: import wasmModule from './wasm.wasm?module'"
+      );
+    }
+  }
+  bindings = null;
+  loadPromise = null;
+  wasmExports = null;
+  /**
+   * Load and instantiate the WASM module
+   */
+  async load() {
+    if (this.bindings) {
+      return;
+    }
+    if (this.loadPromise) {
+      return this.loadPromise;
+    }
+    this.loadPromise = this.doLoad();
+    return this.loadPromise;
+  }
+  /**
+   * Internal load implementation using wasm-bindgen initSync
+   */
+  async doLoad() {
+    try {
+      this.wasmExports = initSync({ module: this.wasmModule });
+      this.bindings = this.createBindings();
+    } catch (error) {
+      this.loadPromise = null;
+      throw new Error(
+        `Failed to instantiate WASM module: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+  /**
+   * Get the WASM bindings after loading
+   */
+  getBindings() {
+    if (!this.bindings) {
+      throw new Error("WASM not loaded. Call load() first.");
+    }
+    return this.bindings;
+  }
+  /**
+   * Check if WASM is loaded
+   */
+  isLoaded() {
+    return this.bindings !== null;
+  }
+  /**
+   * Get the loading strategy name
+   */
+  getStrategy() {
+    return "static-import";
+  }
+  /**
+   * Create bindings wrapper using wasm-bindgen exports
+   */
+  createBindings() {
+    return {
+      detect_agent: (metadata) => {
+        const wasmMetadata = new JsRequestMetadata(
+          metadata.user_agent,
+          metadata.ip_address,
+          metadata.headers,
+          metadata.timestamp,
+          metadata.url,
+          metadata.method,
+          metadata.client_fingerprint
+        );
+        let result = null;
+        try {
+          result = detect_agent(wasmMetadata);
+          return {
+            is_agent: result.is_agent,
+            confidence: result.confidence,
+            agent: result.agent ?? null,
+            // Convert undefined to null
+            verification_method: result.verification_method,
+            risk_level: result.risk_level,
+            timestamp: result.timestamp
+          };
+        } finally {
+          result?.free();
+          wasmMetadata.free();
+        }
+      },
+      get_version: () => {
+        try {
+          return version();
+        } catch {
+          return "0.1.0-static";
+        }
+      },
+      get_build_info: () => {
+        return JSON.stringify({ version: "0.1.0", strategy: "static-import" });
+      }
+    };
+  }
+};
+function createStaticLoader(wasmModule) {
+  return new StaticWasmLoader(wasmModule);
+}
+
+// src/policy/policy-loader.ts
+var DEFAULT_CONFIG = {
+  apiUrl: "https://api.agentshield.io",
+  cacheTTL: 5 * 60 * 1e3,
+  // 5 minutes
+  maxCacheSize: 100,
+  backgroundRefresh: true,
+  timeout: 5e3
+};
+var PolicyLoader = class {
+  cache = /* @__PURE__ */ new Map();
+  config;
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_CONFIG, ...config };
+  }
+  /**
+   * Load policy for an API key
+   */
+  async loadPolicy(apiKey) {
+    const cached = this.getCachedPolicy(apiKey);
+    if (cached) {
+      if (this.config.backgroundRefresh && this.shouldRefresh(apiKey)) {
+        this.refreshInBackground(apiKey);
+      }
+      return cached;
+    }
+    return this.fetchPolicy(apiKey);
+  }
+  /**
+   * Get cached policy if available and not expired
+   */
+  getCachedPolicy(apiKey) {
+    const entry = this.cache.get(apiKey);
+    if (!entry) {
+      return null;
+    }
+    if (this.isExpired(entry)) {
+      this.cache.delete(apiKey);
+      return null;
+    }
+    return entry.policy;
+  }
+  /**
+   * Invalidate cached policy
+   */
+  invalidateCache(apiKey) {
+    this.cache.delete(apiKey);
+  }
+  /**
+   * Fetch policy from API and cache it
+   */
+  async fetchPolicy(apiKey) {
+    const policy = await this.fetchPolicyFromApi(apiKey);
+    this.cachePolicy(apiKey, policy);
+    return policy;
+  }
+  /**
+   * Fetch policy from API without caching
+   * Used internally for both direct fetches and background refreshes
+   */
+  async fetchPolicyFromApi(apiKey) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
+    try {
+      const response = await fetch(`${this.config.apiUrl}/api/v1/policy`, {
+        method: "GET",
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          "Content-Type": "application/json",
+          "User-Agent": "agentshield-wasm-runtime/0.1.0"
+        },
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        if (response.status === 401) {
+          throw new PolicyLoadError("Invalid API key", "INVALID_API_KEY");
+        }
+        if (response.status === 404) {
+          return this.getDefaultPolicy(apiKey);
+        }
+        throw new PolicyLoadError(`Failed to load policy: ${response.status}`, "API_ERROR");
+      }
+      return await response.json();
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof PolicyLoadError) {
+        throw error;
+      }
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new PolicyLoadError("Policy request timeout", "TIMEOUT");
+      }
+      throw new PolicyLoadError(
+        `Failed to load policy: ${error instanceof Error ? error.message : "Unknown error"}`,
+        "NETWORK_ERROR"
+      );
+    }
+  }
+  /**
+   * Cache a policy
+   */
+  cachePolicy(apiKey, policy) {
+    if (this.cache.size >= this.config.maxCacheSize) {
+      const oldestKey = this.cache.keys().next().value;
+      if (oldestKey) {
+        this.cache.delete(oldestKey);
+      }
+    }
+    this.cache.set(apiKey, {
+      policy,
+      loadedAt: Date.now(),
+      refreshing: false
+    });
+  }
+  /**
+   * Check if cached entry is expired
+   */
+  isExpired(entry) {
+    return Date.now() - entry.loadedAt > this.config.cacheTTL;
+  }
+  /**
+   * Check if cache entry should be refreshed
+   */
+  shouldRefresh(apiKey) {
+    const entry = this.cache.get(apiKey);
+    if (!entry) {
+      return false;
+    }
+    const refreshThreshold = this.config.cacheTTL * 0.8;
+    return Date.now() - entry.loadedAt > refreshThreshold && !entry.refreshing;
+  }
+  /**
+   * Refresh policy in background
+   */
+  async refreshInBackground(apiKey) {
+    const entry = this.cache.get(apiKey);
+    if (!entry || entry.refreshing) {
+      return;
+    }
+    entry.refreshing = true;
+    try {
+      const policy = await this.fetchPolicyFromApi(apiKey);
+      this.cachePolicy(apiKey, policy);
+    } catch {
+    } finally {
+      const currentEntry = this.cache.get(apiKey);
+      if (currentEntry && currentEntry.refreshing) {
+        currentEntry.refreshing = false;
+      }
+    }
+  }
+  /**
+   * Get default policy for a project
+   */
+  getDefaultPolicy(apiKey) {
+    return {
+      projectId: apiKey.split("_")[1] || "unknown",
+      blockThreshold: 90
+    };
+  }
+};
+var PolicyLoadError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "PolicyLoadError";
+  }
+};
+function createPolicyLoader(config) {
+  return new PolicyLoader(config);
+}
+var RulesDetector = class {
+  rules = null;
+  ready = false;
+  /**
+   * Analyze a request and detect if it's from an agent
+   */
+  async detect(input) {
+    await this.ensureReady();
+    const reasons = [];
+    let confidence = 0;
+    let detectedAgentName = null;
+    let verificationMethod = "none";
+    const userAgent = input.userAgent || input.headers["user-agent"] || "";
+    const normalizedHeaders = this.normalizeHeaders(input.headers);
+    if (userAgent && this.rules) {
+      const uaMatch = this.matchUserAgent(userAgent);
+      if (uaMatch) {
+        confidence = Math.max(confidence, uaMatch.confidence);
+        detectedAgentName = uaMatch.agentName;
+        verificationMethod = "pattern";
+        reasons.push(`pattern:${uaMatch.agentKey}`);
+      }
+    }
+    if (this.rules) {
+      const headerMatch = this.matchHeaders(normalizedHeaders);
+      if (headerMatch.confidence > 0) {
+        confidence = Math.max(confidence, headerMatch.confidence);
+        reasons.push(`headers:${headerMatch.count}`);
+      }
+    }
+    if (this.hasSignatureHeaders(normalizedHeaders)) {
+      confidence = Math.max(confidence, CONFIDENCE.SIGNATURE_PRESENT);
+      reasons.push("signature_headers_present");
+      verificationMethod = "pattern";
+    }
+    const isAgent = confidence > CONFIDENCE.THRESHOLD_AGENT;
+    const detectionClass = this.determineDetectionClass(isAgent, detectedAgentName, confidence);
+    return {
+      isAgent,
+      confidence,
+      detectionClass,
+      detectedAgent: detectedAgentName ? {
+        type: this.inferAgentType(detectedAgentName),
+        name: detectedAgentName
+      } : void 0,
+      verificationMethod,
+      forgeabilityRisk: "high",
+      // JS fallback is always high risk
+      reasons,
+      timestamp: /* @__PURE__ */ new Date()
+    };
+  }
+  /**
+   * Check if the detector is ready
+   */
+  isReady() {
+    return this.ready;
+  }
+  /**
+   * Ensure the detector is initialized
+   */
+  async ensureReady() {
+    if (this.ready) {
+      return;
+    }
+    try {
+      this.rules = checkpointShared.loadRulesSync();
+      this.ready = true;
+    } catch (error) {
+      console.warn("[RulesDetector] Failed to load rules:", error);
+      this.ready = true;
+    }
+  }
+  /**
+   * Get detector version
+   */
+  async getVersion() {
+    return "0.1.0-js-fallback";
+  }
+  /**
+   * Normalize headers to lowercase keys
+   */
+  normalizeHeaders(headers) {
+    const normalized = {};
+    for (const [key, value] of Object.entries(headers)) {
+      normalized[key.toLowerCase()] = value;
+    }
+    return normalized;
+  }
+  /**
+   * Match user agent against rules
+   */
+  matchUserAgent(userAgent) {
+    if (!this.rules) {
+      return null;
+    }
+    const userAgents = this.rules.rules.userAgents;
+    const genericKeys = ["generic_bot", "dev_tools", "automation_tools"];
+    const entries = Object.entries(userAgents).sort((a, b) => {
+      const aIsGeneric = genericKeys.includes(a[0]);
+      const bIsGeneric = genericKeys.includes(b[0]);
+      if (aIsGeneric && !bIsGeneric) return 1;
+      if (!aIsGeneric && bIsGeneric) return -1;
+      return 0;
+    });
+    for (const [agentKey, rule] of entries) {
+      for (const pattern of rule.patterns) {
+        try {
+          const regex = new RegExp(pattern, "i");
+          if (regex.test(userAgent)) {
+            return {
+              // Convert 0-1 rule confidence to 0-100 scale
+              confidence: rule.confidence * 100,
+              agentName: this.getAgentName(agentKey),
+              agentKey
+            };
+          }
+        } catch {
+        }
+      }
+    }
+    return null;
+  }
+  /**
+   * Match headers against suspicious header rules
+   */
+  matchHeaders(headers) {
+    if (!this.rules) {
+      return { confidence: 0, count: 0 };
+    }
+    const suspicious = this.rules.rules.headers.suspicious || [];
+    let maxConfidence = 0;
+    let count = 0;
+    for (const headerRule of suspicious) {
+      if (headers[headerRule.name.toLowerCase()]) {
+        maxConfidence = Math.max(maxConfidence, headerRule.confidence * 100);
+        count++;
+      }
+    }
+    return { confidence: maxConfidence, count };
+  }
+  /**
+   * Check if signature headers are present
+   */
+  hasSignatureHeaders(headers) {
+    return !!(headers["signature"] || headers["signature-input"] || headers["signature-agent"]);
+  }
+  /**
+   * Get human-readable agent name from rule key
+   */
+  getAgentName(agentKey) {
+    const nameMap = {
+      openai_gptbot: "ChatGPT/GPTBot",
+      anthropic_claude: "Claude",
+      perplexity_bot: "Perplexity",
+      google_ai: "Google AI",
+      microsoft_ai: "Microsoft Copilot",
+      meta_ai: "Meta AI",
+      cohere_bot: "Cohere",
+      huggingface_bot: "HuggingFace",
+      generic_bot: "Generic Bot",
+      dev_tools: "Development Tool",
+      automation_tools: "Automation Tool"
+    };
+    return nameMap[agentKey] || agentKey;
+  }
+  /**
+   * Infer agent type from name
+   */
+  inferAgentType(agentName) {
+    const lowerName = agentName.toLowerCase();
+    if (lowerName.includes("chatgpt") || lowerName.includes("gpt")) return "openai";
+    if (lowerName.includes("claude")) return "anthropic";
+    if (lowerName.includes("perplexity")) return "perplexity";
+    if (lowerName.includes("google")) return "google";
+    if (lowerName.includes("copilot") || lowerName.includes("bing")) return "microsoft";
+    return "unknown";
+  }
+  /**
+   * Determine detection class
+   */
+  determineDetectionClass(isAgent, agentName, confidence) {
+    if (!isAgent || confidence < CONFIDENCE.THRESHOLD_AGENT) {
+      return { type: "Human" };
+    }
+    if (agentName) {
+      const lowerName = agentName.toLowerCase();
+      const aiPatterns = ["chatgpt", "gpt", "claude", "perplexity", "gemini", "copilot"];
+      if (aiPatterns.some((p) => lowerName.includes(p))) {
+        return { type: "AiAgent", agentType: agentName };
+      }
+      if (lowerName.includes("bot") || lowerName.includes("crawler")) {
+        return { type: "Bot", botType: agentName };
+      }
+      if (lowerName.includes("automation") || lowerName.includes("tool")) {
+        return { type: "Automation", toolType: agentName };
+      }
+      return { type: "AiAgent", agentType: agentName };
+    }
+    return { type: "Unknown" };
+  }
+};
+function createRulesDetector() {
+  return new RulesDetector();
+}
+
+// src/edge.ts
+function createEdgeDetector(wasmModule, options = {}) {
+  const loader = new StaticWasmLoader(wasmModule);
+  let policyLoader;
+  if (options.apiKey) {
+    policyLoader = new PolicyLoader({
+      apiUrl: options.policyApiUrl,
+      cacheTTL: options.policyTTL
+    });
+  }
+  return new WasmDetector(loader, policyLoader, options);
+}
+function createFallbackDetector() {
+  return new RulesDetector();
+}
+function extractInputFromRequest(request) {
+  const headers = {};
+  request.headers.forEach((value, key) => {
+    headers[key] = value;
+  });
+  const url = new URL(request.url);
+  return {
+    userAgent: request.headers.get("user-agent") || void 0,
+    ipAddress: request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || request.headers.get("x-real-ip") || void 0,
+    headers,
+    url: url.pathname + url.search,
+    method: request.method
+  };
+}
+
+exports.CONFIDENCE = CONFIDENCE;
+exports.PolicyLoader = PolicyLoader;
+exports.RulesDetector = RulesDetector;
+exports.StaticWasmLoader = StaticWasmLoader;
+exports.WasmDetector = WasmDetector;
+exports.createEdgeDetector = createEdgeDetector;
+exports.createFallbackDetector = createFallbackDetector;
+exports.createPolicyLoader = createPolicyLoader;
+exports.createRulesDetector = createRulesDetector;
+exports.createStaticLoader = createStaticLoader;
+exports.extractInputFromRequest = extractInputFromRequest;
+//# sourceMappingURL=edge.js.map
+//# sourceMappingURL=edge.js.map