@kya-os/checkpoint-wasm-runtime 1.1.1 → 1.1.2

package/dist/orchestrator-node.js

@@ -12,6 +12,9 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
   if (typeof require !== "undefined") return require.apply(this, arguments);
   throw Error('Dynamic require of "' + x + '" is not supported');
 });
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __commonJS = (cb, mod) => function __require2() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
@@ -32,9 +35,16 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// ../../node_modules/.pnpm/tsup@8.5.0_@swc+core@1.15.32_jiti@2.6.1_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3_yaml@2.8.3/node_modules/tsup/assets/cjs_shims.js
+var init_cjs_shims = __esm({
+  "../../node_modules/.pnpm/tsup@8.5.0_@swc+core@1.15.32_jiti@2.6.1_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3_yaml@2.8.3/node_modules/tsup/assets/cjs_shims.js"() {
+  }
+});
+
 // wasm/kya-os-engine/kya_os_engine.js
 var require_kya_os_engine = __commonJS({
   "wasm/kya-os-engine/kya_os_engine.js"(exports$1, module) {
+    init_cjs_shims();
     var imports = {};
     imports["__wbindgen_placeholder__"] = module.exports;
     var cachedUint8ArrayMemory0 = null;
@@ -444,7 +454,14 @@ ${val.stack}`;
   }
 });
 
+// src/engine/orchestrator/node.ts
+init_cjs_shims();
+
+// src/engine/orchestrator/verify-request.ts
+init_cjs_shims();
+
 // src/engine/adapters/outbound-url-policy.ts
+init_cjs_shims();
 var BLOCKED_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "metadata", "metadata.google.internal"]);
 var UnsafeOutboundUrl = class extends Error {
   kind = "UnsafeOutboundUrl";
@@ -520,13 +537,18 @@ function isBlockedIpv6(hostname) {
 }
 
 // src/engine/index.ts
+init_cjs_shims();
 var wasmModule = __toESM(require_kya_os_engine());
 function engineVerify(input, ctx) {
   const verify2 = wasmModule.verify;
   return verify2(input, ctx);
 }
 
+// src/engine/orchestrator/build-agent-request.ts
+init_cjs_shims();
+
 // src/engine/adapters/util.ts
+init_cjs_shims();
 function base64UrlDecode(input) {
   const padded = input.replace(/-/g, "+").replace(/_/g, "/");
   const padding = padded.length % 4 === 0 ? "" : "=".repeat(4 - padded.length % 4);
@@ -821,6 +843,7 @@ function defaultLogger(msg) {
 }
 
 // src/engine/orchestrator/render-decision.ts
+init_cjs_shims();
 function renderDecisionAsResponse(result) {
   const baseHeaders = buildBaseHeaders(result);
   if (result.enforcementMode === "observe") {

package/dist/orchestrator-node.mjs

@@ -1,3 +1,6 @@
+import path from 'path';
+import { fileURLToPath } from 'url';
+
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -10,6 +13,9 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
   if (typeof require !== "undefined") return require.apply(this, arguments);
   throw Error('Dynamic require of "' + x + '" is not supported');
 });
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __commonJS = (cb, mod) => function __require2() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
@@ -29,10 +35,19 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
   mod
 ));
+var getFilename, getDirname, __dirname$1;
+var init_esm_shims = __esm({
+  "../../node_modules/.pnpm/tsup@8.5.0_@swc+core@1.15.32_jiti@2.6.1_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3_yaml@2.8.3/node_modules/tsup/assets/esm_shims.js"() {
+    getFilename = () => fileURLToPath(import.meta.url);
+    getDirname = () => path.dirname(getFilename());
+    __dirname$1 = /* @__PURE__ */ getDirname();
+  }
+});
 
 // wasm/kya-os-engine/kya_os_engine.js
 var require_kya_os_engine = __commonJS({
   "wasm/kya-os-engine/kya_os_engine.js"(exports$1, module) {
+    init_esm_shims();
     var imports = {};
     imports["__wbindgen_placeholder__"] = module.exports;
     var cachedUint8ArrayMemory0 = null;
@@ -435,14 +450,21 @@ ${val.stack}`;
     exports$1.__wbindgen_object_drop_ref = function(arg0) {
       takeObject(arg0);
     };
-    var wasmPath = `${__dirname}/kya_os_engine_bg.wasm`;
+    var wasmPath = `${__dirname$1}/kya_os_engine_bg.wasm`;
     var wasmBytes = __require("fs").readFileSync(wasmPath);
     var wasmModule2 = new WebAssembly.Module(wasmBytes);
     var wasm = exports$1.__wasm = new WebAssembly.Instance(wasmModule2, imports).exports;
   }
 });
 
+// src/engine/orchestrator/node.ts
+init_esm_shims();
+
+// src/engine/orchestrator/verify-request.ts
+init_esm_shims();
+
 // src/engine/adapters/outbound-url-policy.ts
+init_esm_shims();
 var BLOCKED_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "metadata", "metadata.google.internal"]);
 var UnsafeOutboundUrl = class extends Error {
   kind = "UnsafeOutboundUrl";
@@ -518,13 +540,18 @@ function isBlockedIpv6(hostname) {
 }
 
 // src/engine/index.ts
+init_esm_shims();
 var wasmModule = __toESM(require_kya_os_engine());
 function engineVerify(input, ctx) {
   const verify2 = wasmModule.verify;
   return verify2(input, ctx);
 }
 
+// src/engine/orchestrator/build-agent-request.ts
+init_esm_shims();
+
 // src/engine/adapters/util.ts
+init_esm_shims();
 function base64UrlDecode(input) {
   const padded = input.replace(/-/g, "+").replace(/_/g, "/");
   const padding = padded.length % 4 === 0 ? "" : "=".repeat(4 - padded.length % 4);
@@ -819,6 +846,7 @@ function defaultLogger(msg) {
 }
 
 // src/engine/orchestrator/render-decision.ts
+init_esm_shims();
 function renderDecisionAsResponse(result) {
   const baseHeaders = buildBaseHeaders(result);
   if (result.enforcementMode === "observe") {

package/dist/orchestrator.d.mts

@@ -1,7 +1,87 @@
-export { makeVerifyRequest, verifyRequest } from './orchestrator-node.mjs';
-export { makeVerifyRequestEdge, verifyRequestEdge } from './orchestrator-edge.mjs';
-export { B as BuildAgentRequestOpts, I as IncomingHttpLike, R as RenderedResponse, V as VerifyRequestOpts, b as buildAgentRequest, e as extractAgentDid, a as extractCredentialStatusUrl, c as extractIssuer, h as hasMalformedJwsBody, r as renderDecisionAsResponse } from './render-decision-C1a-iuiW.mjs';
-export { initEngineEdge } from './engine-edge.mjs';
-import './types-D0j85fF0.mjs';
+import { VerifyRequestOpts, IncomingHttpLike } from './orchestrator-node.mjs';
+export { BuildAgentRequestOpts, RenderedResponse, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequest, renderDecisionAsResponse, verifyRequest } from './orchestrator-node.mjs';
+import { V as VerifyResult } from './types-D0j85fF0.mjs';
 import '@kya-os/checkpoint-shared';
-import './adapters.mjs';
+
+/**
+ * `kya-os-engine` WASM bridge for edge runtimes — Edge-WASM-1.
+ *
+ * The Node target (`./index.ts`) uses `fs.readFileSync` at module
+ * load and exposes a sync `engineVerify`. That's incompatible with
+ * Vercel Edge / Cloudflare Workers / browser embedding (no `fs`,
+ * no sync wasm load).
+ *
+ * This module loads the `wasm-pack --target web` artifact via the
+ * async `__wbg_init` default export, then exposes the same typed
+ * `engineVerifyEdge(input, ctx) → Promise<VerifyResult>` shape with
+ * a small lazy-init wrapper. First call awaits initialisation;
+ * subsequent calls resolve synchronously on the JS side (the
+ * underlying wasm `verify` is sync).
+ *
+ * **Why this matters for the consolidation narrative.** Phase A
+ * shipped Node-only. Without an edge build, the first Vercel-edge
+ * or Cloudflare-Workers deployment after Phase D would hit the
+ * same wasm-bindgen-on-edge wall the Sites-1 F3 workaround was
+ * created to dodge — and someone would re-introduce the
+ * inline-TS detector that Q10 ratified deleting. Shipping the
+ * edge target alongside the Node target keeps Phase D's
+ * deletion narrative durable.
+ */
+
+/**
+ * Initialise the edge wasm module. Idempotent — subsequent calls
+ * return the same in-flight or resolved promise. Host wrappers can
+ * call this at startup to eagerly load the wasm and avoid first-
+ * request latency, but it's not required: `engineVerifyEdge`
+ * lazily initialises on first call.
+ *
+ * @param moduleOrPath  Optional pre-fetched `WebAssembly.Module` or
+ *                      a URL / Request the wasm-bindgen loader will
+ *                      fetch. Defaults to the bundled artifact via
+ *                      `import.meta.url`. Cloudflare Workers / Vercel
+ *                      Edge typically pass a pre-bundled `Module`.
+ */
+declare function initEngineEdge(moduleOrPath?: WebAssembly.Module | URL | string | Request | BufferSource): Promise<void>;
+
+/**
+ * `verifyRequestEdge` async-init orchestrator — Edge-WASM-2 (folded into
+ * Phase D's PR).
+ *
+ * Mirror of [[./verify-request.ts]] for edge runtimes. Differs in only
+ * three places:
+ *
+ *   1. Imports `engineVerifyEdge` + `initEngineEdge` from `../edge`
+ *      instead of `engineVerify` from `../index` (Node target).
+ *   2. Awaits `initEngineEdge()` before the engine call — async-init
+ *      pattern required by the `--target web` wasm-bindgen build.
+ *   3. The final engine call is `await engineVerifyEdge(...)` rather
+ *      than the synchronous `engineVerify(...)`.
+ *
+ * **The two files MUST stay in sync.** Any change to verify-request.ts
+ * (new adapter, new error-classification rule, new ContextSpec field)
+ * MUST be mirrored here. The cross-target parity test in
+ * [[__tests__/verify-request-parity.test.ts]] guards the verdict-shape
+ * invariant — both orchestrators must produce identical
+ * `VerifyResult.decision` / `engineInfo.name` on identical inputs.
+ *
+ * Cedar-1 forward-compat: same seam as the Node variant — step (5)
+ * (tenant policy eval) is the only place the PolicyEvaluator
+ * interface gets exercised. When Cedar-1 swaps implementations, this
+ * orchestrator does not change.
+ */
+
+/**
+ * Factory — constructs a `verifyRequestEdge` closure that remembers the
+ * one-shot Argus-not-configured warning state. Use this when the
+ * host wrapper wants the startup log; call `verifyRequestEdge` directly
+ * (the loose function below) if you don't.
+ */
+declare function makeVerifyRequestEdge(opts: VerifyRequestOpts): (req: IncomingHttpLike) => Promise<VerifyResult>;
+/**
+ * Single-shot async entry. Use [`makeVerifyRequestEdge`] in long-lived
+ * hosts (so the Argus warning is one-shot per process); use this
+ * loose form in tests + one-off invocations.
+ */
+declare function verifyRequestEdge(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
+
+export { IncomingHttpLike, VerifyRequestOpts, initEngineEdge, makeVerifyRequestEdge, verifyRequestEdge };

package/dist/orchestrator.d.ts

@@ -1,7 +1,87 @@
-export { makeVerifyRequest, verifyRequest } from './orchestrator-node.js';
-export { makeVerifyRequestEdge, verifyRequestEdge } from './orchestrator-edge.js';
-export { B as BuildAgentRequestOpts, I as IncomingHttpLike, R as RenderedResponse, V as VerifyRequestOpts, b as buildAgentRequest, e as extractAgentDid, a as extractCredentialStatusUrl, c as extractIssuer, h as hasMalformedJwsBody, r as renderDecisionAsResponse } from './render-decision-Dsjwt96g.js';
-export { initEngineEdge } from './engine-edge.js';
-import './types-D0j85fF0.js';
+import { VerifyRequestOpts, IncomingHttpLike } from './orchestrator-node.js';
+export { BuildAgentRequestOpts, RenderedResponse, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequest, renderDecisionAsResponse, verifyRequest } from './orchestrator-node.js';
+import { V as VerifyResult } from './types-D0j85fF0.js';
 import '@kya-os/checkpoint-shared';
-import './adapters.js';
+
+/**
+ * `kya-os-engine` WASM bridge for edge runtimes — Edge-WASM-1.
+ *
+ * The Node target (`./index.ts`) uses `fs.readFileSync` at module
+ * load and exposes a sync `engineVerify`. That's incompatible with
+ * Vercel Edge / Cloudflare Workers / browser embedding (no `fs`,
+ * no sync wasm load).
+ *
+ * This module loads the `wasm-pack --target web` artifact via the
+ * async `__wbg_init` default export, then exposes the same typed
+ * `engineVerifyEdge(input, ctx) → Promise<VerifyResult>` shape with
+ * a small lazy-init wrapper. First call awaits initialisation;
+ * subsequent calls resolve synchronously on the JS side (the
+ * underlying wasm `verify` is sync).
+ *
+ * **Why this matters for the consolidation narrative.** Phase A
+ * shipped Node-only. Without an edge build, the first Vercel-edge
+ * or Cloudflare-Workers deployment after Phase D would hit the
+ * same wasm-bindgen-on-edge wall the Sites-1 F3 workaround was
+ * created to dodge — and someone would re-introduce the
+ * inline-TS detector that Q10 ratified deleting. Shipping the
+ * edge target alongside the Node target keeps Phase D's
+ * deletion narrative durable.
+ */
+
+/**
+ * Initialise the edge wasm module. Idempotent — subsequent calls
+ * return the same in-flight or resolved promise. Host wrappers can
+ * call this at startup to eagerly load the wasm and avoid first-
+ * request latency, but it's not required: `engineVerifyEdge`
+ * lazily initialises on first call.
+ *
+ * @param moduleOrPath  Optional pre-fetched `WebAssembly.Module` or
+ *                      a URL / Request the wasm-bindgen loader will
+ *                      fetch. Defaults to the bundled artifact via
+ *                      `import.meta.url`. Cloudflare Workers / Vercel
+ *                      Edge typically pass a pre-bundled `Module`.
+ */
+declare function initEngineEdge(moduleOrPath?: WebAssembly.Module | URL | string | Request | BufferSource): Promise<void>;
+
+/**
+ * `verifyRequestEdge` async-init orchestrator — Edge-WASM-2 (folded into
+ * Phase D's PR).
+ *
+ * Mirror of [[./verify-request.ts]] for edge runtimes. Differs in only
+ * three places:
+ *
+ *   1. Imports `engineVerifyEdge` + `initEngineEdge` from `../edge`
+ *      instead of `engineVerify` from `../index` (Node target).
+ *   2. Awaits `initEngineEdge()` before the engine call — async-init
+ *      pattern required by the `--target web` wasm-bindgen build.
+ *   3. The final engine call is `await engineVerifyEdge(...)` rather
+ *      than the synchronous `engineVerify(...)`.
+ *
+ * **The two files MUST stay in sync.** Any change to verify-request.ts
+ * (new adapter, new error-classification rule, new ContextSpec field)
+ * MUST be mirrored here. The cross-target parity test in
+ * [[__tests__/verify-request-parity.test.ts]] guards the verdict-shape
+ * invariant — both orchestrators must produce identical
+ * `VerifyResult.decision` / `engineInfo.name` on identical inputs.
+ *
+ * Cedar-1 forward-compat: same seam as the Node variant — step (5)
+ * (tenant policy eval) is the only place the PolicyEvaluator
+ * interface gets exercised. When Cedar-1 swaps implementations, this
+ * orchestrator does not change.
+ */
+
+/**
+ * Factory — constructs a `verifyRequestEdge` closure that remembers the
+ * one-shot Argus-not-configured warning state. Use this when the
+ * host wrapper wants the startup log; call `verifyRequestEdge` directly
+ * (the loose function below) if you don't.
+ */
+declare function makeVerifyRequestEdge(opts: VerifyRequestOpts): (req: IncomingHttpLike) => Promise<VerifyResult>;
+/**
+ * Single-shot async entry. Use [`makeVerifyRequestEdge`] in long-lived
+ * hosts (so the Argus warning is one-shot per process); use this
+ * loose form in tests + one-off invocations.
+ */
+declare function verifyRequestEdge(req: IncomingHttpLike, opts: VerifyRequestOpts): Promise<VerifyResult>;
+
+export { IncomingHttpLike, VerifyRequestOpts, initEngineEdge, makeVerifyRequestEdge, verifyRequestEdge };

package/dist/orchestrator.js

@@ -1,6 +1,5 @@
 'use strict';
 
-var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -40,9 +39,19 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// ../../node_modules/.pnpm/tsup@8.5.0_@swc+core@1.15.32_jiti@2.6.1_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3_yaml@2.8.3/node_modules/tsup/assets/cjs_shims.js
+var getImportMetaUrl, importMetaUrl;
+var init_cjs_shims = __esm({
+  "../../node_modules/.pnpm/tsup@8.5.0_@swc+core@1.15.32_jiti@2.6.1_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3_yaml@2.8.3/node_modules/tsup/assets/cjs_shims.js"() {
+    getImportMetaUrl = () => typeof document === "undefined" ? new URL(`file:${__filename}`).href : document.currentScript && document.currentScript.src || new URL("main.js", document.baseURI).href;
+    importMetaUrl = /* @__PURE__ */ getImportMetaUrl();
+  }
+});
+
 // wasm/kya-os-engine/kya_os_engine.js
 var require_kya_os_engine = __commonJS({
   "wasm/kya-os-engine/kya_os_engine.js"(exports$1, module) {
+    init_cjs_shims();
     var imports = {};
     imports["__wbindgen_placeholder__"] = module.exports;
     var cachedUint8ArrayMemory02 = null;
@@ -909,7 +918,7 @@ async function __wbg_init(module_or_path) {
     }
   }
   if (typeof module_or_path === "undefined") {
-    module_or_path = new URL("kya_os_engine_bg.wasm", (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('orchestrator.js', document.baseURI).href)));
+    module_or_path = new URL("kya_os_engine_bg.wasm", importMetaUrl);
   }
   const imports = __wbg_get_imports();
   if (typeof module_or_path === "string" || typeof Request === "function" && module_or_path instanceof Request || typeof URL === "function" && module_or_path instanceof URL) {
@@ -921,6 +930,7 @@ async function __wbg_init(module_or_path) {
 var wasm, cachedUint8ArrayMemory0, cachedTextDecoder, MAX_SAFARI_DECODE_BYTES, numBytesDecoded, heap, heap_next, WASM_VECTOR_LEN, cachedTextEncoder, cachedDataViewMemory0, EXPECTED_RESPONSE_TYPES, kya_os_engine_default;
 var init_kya_os_engine = __esm({
   "wasm/kya-os-engine-web/kya_os_engine.js"() {
+    init_cjs_shims();
     cachedUint8ArrayMemory0 = null;
     cachedTextDecoder = new TextDecoder("utf-8", { ignoreBOM: true, fatal: true });
     cachedTextDecoder.decode();
@@ -947,7 +957,14 @@ var init_kya_os_engine = __esm({
   }
 });
 
+// src/engine/orchestrator/index.ts
+init_cjs_shims();
+
+// src/engine/orchestrator/verify-request.ts
+init_cjs_shims();
+
 // src/engine/adapters/outbound-url-policy.ts
+init_cjs_shims();
 var BLOCKED_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "metadata", "metadata.google.internal"]);
 var UnsafeOutboundUrl = class extends Error {
   kind = "UnsafeOutboundUrl";
@@ -1023,13 +1040,18 @@ function isBlockedIpv6(hostname) {
 }
 
 // src/engine/index.ts
+init_cjs_shims();
 var wasmModule = __toESM(require_kya_os_engine());
 function engineVerify(input, ctx) {
   const verify3 = wasmModule.verify;
   return verify3(input, ctx);
 }
 
+// src/engine/orchestrator/build-agent-request.ts
+init_cjs_shims();
+
 // src/engine/adapters/util.ts
+init_cjs_shims();
 function base64UrlDecode(input) {
   const padded = input.replace(/-/g, "+").replace(/_/g, "/");
   const padding = padded.length % 4 === 0 ? "" : "=".repeat(4 - padded.length % 4);
@@ -1323,7 +1345,11 @@ function defaultLogger(msg) {
   console.warn(msg);
 }
 
+// src/engine/orchestrator/verify-request-edge.ts
+init_cjs_shims();
+
 // src/engine/edge.ts
+init_cjs_shims();
 var initialised = null;
 function initEngineEdge(moduleOrPath) {
   return ensureReady(moduleOrPath).then(() => void 0);
@@ -1349,6 +1375,7 @@ async function engineVerifyEdge(input, ctx) {
 }
 
 // src/engine/orchestrator/render-decision.ts
+init_cjs_shims();
 function renderDecisionAsResponse(result) {
   const baseHeaders = buildBaseHeaders(result);
   if (result.enforcementMode === "observe") {

package/dist/orchestrator.mjs

@@ -1,3 +1,6 @@
+import path from 'path';
+import { fileURLToPath } from 'url';
+
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -36,10 +39,19 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
   mod
 ));
+var getFilename, getDirname, __dirname$1;
+var init_esm_shims = __esm({
+  "../../node_modules/.pnpm/tsup@8.5.0_@swc+core@1.15.32_jiti@2.6.1_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3_yaml@2.8.3/node_modules/tsup/assets/esm_shims.js"() {
+    getFilename = () => fileURLToPath(import.meta.url);
+    getDirname = () => path.dirname(getFilename());
+    __dirname$1 = /* @__PURE__ */ getDirname();
+  }
+});
 
 // wasm/kya-os-engine/kya_os_engine.js
 var require_kya_os_engine = __commonJS({
   "wasm/kya-os-engine/kya_os_engine.js"(exports$1, module) {
+    init_esm_shims();
     var imports = {};
     imports["__wbindgen_placeholder__"] = module.exports;
     var cachedUint8ArrayMemory02 = null;
@@ -442,7 +454,7 @@ ${val.stack}`;
     exports$1.__wbindgen_object_drop_ref = function(arg0) {
       takeObject2(arg0);
     };
-    var wasmPath = `${__dirname}/kya_os_engine_bg.wasm`;
+    var wasmPath = `${__dirname$1}/kya_os_engine_bg.wasm`;
     var wasmBytes = __require("fs").readFileSync(wasmPath);
     var wasmModule2 = new WebAssembly.Module(wasmBytes);
     var wasm2 = exports$1.__wasm = new WebAssembly.Instance(wasmModule2, imports).exports;
@@ -918,6 +930,7 @@ async function __wbg_init(module_or_path) {
 var wasm, cachedUint8ArrayMemory0, cachedTextDecoder, MAX_SAFARI_DECODE_BYTES, numBytesDecoded, heap, heap_next, WASM_VECTOR_LEN, cachedTextEncoder, cachedDataViewMemory0, EXPECTED_RESPONSE_TYPES, kya_os_engine_default;
 var init_kya_os_engine = __esm({
   "wasm/kya-os-engine-web/kya_os_engine.js"() {
+    init_esm_shims();
     cachedUint8ArrayMemory0 = null;
     cachedTextDecoder = new TextDecoder("utf-8", { ignoreBOM: true, fatal: true });
     cachedTextDecoder.decode();
@@ -944,7 +957,14 @@ var init_kya_os_engine = __esm({
   }
 });
 
+// src/engine/orchestrator/index.ts
+init_esm_shims();
+
+// src/engine/orchestrator/verify-request.ts
+init_esm_shims();
+
 // src/engine/adapters/outbound-url-policy.ts
+init_esm_shims();
 var BLOCKED_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "metadata", "metadata.google.internal"]);
 var UnsafeOutboundUrl = class extends Error {
   kind = "UnsafeOutboundUrl";
@@ -1020,13 +1040,18 @@ function isBlockedIpv6(hostname) {
 }
 
 // src/engine/index.ts
+init_esm_shims();
 var wasmModule = __toESM(require_kya_os_engine());
 function engineVerify(input, ctx) {
   const verify3 = wasmModule.verify;
   return verify3(input, ctx);
 }
 
+// src/engine/orchestrator/build-agent-request.ts
+init_esm_shims();
+
 // src/engine/adapters/util.ts
+init_esm_shims();
 function base64UrlDecode(input) {
   const padded = input.replace(/-/g, "+").replace(/_/g, "/");
   const padding = padded.length % 4 === 0 ? "" : "=".repeat(4 - padded.length % 4);
@@ -1320,7 +1345,11 @@ function defaultLogger(msg) {
   console.warn(msg);
 }
 
+// src/engine/orchestrator/verify-request-edge.ts
+init_esm_shims();
+
 // src/engine/edge.ts
+init_esm_shims();
 var initialised = null;
 function initEngineEdge(moduleOrPath) {
   return ensureReady(moduleOrPath).then(() => void 0);
@@ -1346,6 +1375,7 @@ async function engineVerifyEdge(input, ctx) {
 }
 
 // src/engine/orchestrator/render-decision.ts
+init_esm_shims();
 function renderDecisionAsResponse(result) {
   const baseHeaders = buildBaseHeaders(result);
   if (result.enforcementMode === "observe") {

package/dist/{rules-detector-DjbTJ1-Q.d.mts → rules-detector-ZIKHN-_y.d.mts}

@@ -315,6 +315,68 @@ declare class WasmDetector implements IDetector {
     private createDefaultResult;
 }
 
+/**
+ * Dynamic WASM Loader for Node.js
+ *
+ * This loader dynamically loads and compiles WASM at runtime,
+ * which is supported in Node.js but NOT in Edge Runtime.
+ *
+ * Usage:
+ * ```typescript
+ * import { DynamicWasmLoader, WasmDetector } from '@kya-os/checkpoint-wasm-runtime/node';
+ *
+ * const loader = new DynamicWasmLoader();
+ * const detector = new WasmDetector(loader);
+ * ```
+ */
+
+/**
+ * Dynamic WASM Loader
+ *
+ * For Node.js environments that support dynamic WASM compilation.
+ * Automatically finds and loads the WASM module.
+ */
+declare class DynamicWasmLoader implements IWasmLoader {
+    private readonly wasmPath?;
+    private bindings;
+    private instance;
+    private loadPromise;
+    /**
+     * Create a new DynamicWasmLoader
+     * @param wasmPath - Optional custom path to WASM file
+     */
+    constructor(wasmPath?: string | undefined);
+    /**
+     * Load and compile the WASM module
+     */
+    load(): Promise<void>;
+    private doLoad;
+    /**
+     * Get the WASM bindings after loading
+     */
+    getBindings(): IWasmBindings;
+    /**
+     * Check if WASM is loaded
+     */
+    isLoaded(): boolean;
+    /**
+     * Get the loading strategy name
+     */
+    getStrategy(): string;
+    /**
+     * Create wasm-bindgen required imports
+     */
+    private createWasmBindgenImports;
+    /**
+     * Create bindings wrapper from WASM exports
+     */
+    private createBindings;
+}
+/**
+ * Create a dynamic loader
+ */
+declare function createDynamicLoader(wasmPath?: string): DynamicWasmLoader;
+
 /**
  * Policy Loader
  *
@@ -467,4 +529,4 @@ declare class RulesDetector implements IDetector {
  */
 declare function createRulesDetector(): RulesDetector;
 
-export { CONFIDENCE as C, type DetectionClass as D, type ForgeabilityRisk as F, type IDetectorOptions as I, PolicyLoadError as P, RulesDetector as R, type VerificationMethod as V, WasmDetector as W, type IDetector as a, type ICustomerPolicy as b, type IDetectedAgent as c, type IDetectionInput as d, type IDetectionResult as e, type IPathRule as f, type IPolicyLoader as g, type IWasmBindings as h, type IWasmLoader as i, PolicyLoader as j, type PolicyLoaderConfig as k, createPolicyLoader as l, createRulesDetector as m };
+export { CONFIDENCE as C, type DetectionClass as D, type ForgeabilityRisk as F, type IDetector as I, PolicyLoader as P, RulesDetector as R, type VerificationMethod as V, WasmDetector as W, type IDetectorOptions as a, type IDetectionInput as b, DynamicWasmLoader as c, type ICustomerPolicy as d, type IDetectedAgent as e, type IDetectionResult as f, type IPolicyLoader as g, type IWasmLoader as h, createDynamicLoader as i, createPolicyLoader as j, createRulesDetector as k, type IWasmBindings as l, type IPathRule as m, PolicyLoadError as n, type PolicyLoaderConfig as o };