@kya-os/checkpoint-wasm-runtime 1.1.3 → 1.3.0

package/CHANGELOG.md

@@ -1,5 +1,92 @@
 # @kya-os/checkpoint-wasm-runtime
 
+## 1.3.0 — 2026-05-18
+
+**Engine-Tier3-Ruleset-Wiring-1.** Replaces the
+`phase-1-d-impl-placeholder` ruleset hash with a real Tier 3 UA
+pattern table, wired into the engine's Stage 1b default policy. The
+engine now Blocks known agent UAs even with an empty tenant policy.
+
+Conforms to `dylan-todos/Engine-Tier-Ordering-1.md` contract:
+`Tier 1 (signed) > Tier 2 (IP+UA) > Tier 3 (UA only) > Tier 4 (IP only)`.
+This release ships Tier 3.
+
+### Added
+
+- `BlockReason::Tier3UAMatch { pattern_id, pattern_kind, confidence }`
+  — additive variant, priority 8 (lowest). Fires only on the PlainHttp
+  path when Stage 1 classifies the request as a known agent.
+- Stage 1b default policy in `verify_plain_http`: if Stage 1 classifies
+  the request as `KnownAiAgent`, `AiCrawler`, or `HeadlessBrowser`,
+  the engine short-circuits with `Decision::Block { Tier3UAMatch }`
+  BEFORE handing off to tenant policy. Calibrated defaults that don't
+  expose customers to the threshold-knob footgun.
+- `SearchBot` is **exempted** from Tier 3 default per architect
+  precedent (`tests/cross_runtime_baselines.rs` line 175-178: "search-
+  engine indexing is generally permitted by tenant policy"). Googlebot
+  / Bingbot / Applebot / DuckDuckBot still flow through to tenant
+  policy.
+
+### Changed
+
+- `EngineInfo.ruleset_hash` is now `sha256:<t2>:<t3_sha256>` where
+  `<t3_sha256>` is the SHA-256 of `patterns_generated.rs` (real
+  identity, not placeholder). `<t2>` is `t2-unset` until Engineer A's
+  reputation/IP-feed schema commits its own identity hash.
+- Drift gate: unit test `tier3_pattern_sha_matches_file` recomputes
+  the SHA at test time and fails with a copy-paste-ready new SHA if
+  `patterns_generated.rs` drifts.
+
+### Breaking change in default behavior
+
+Consumers who deployed the engine with an **empty tenant policy** and
+expected permit-by-default for unsigned traffic now get Block on any
+known agent UA. This is the architectural intent — calibrated defaults
+that don't require every customer to write their own bot-blocking
+policy. Mitigation: deploy a tenant policy that explicitly permits the
+agent classes you want to allow.
+
+### Test coverage added
+
+- 5 new tests in `stage1_classification.rs` covering each blocking
+  class + SearchBot allowlist + real-human permit.
+- Existing baseline tests in `cross_runtime_baselines.rs` updated to
+  assert `Tier3UAMatch` instead of the supplanted `PolicyDenied` path.
+- 173/173 TS tests (including cross-runtime parity) still green.
+
+### Followups
+
+- **Engine-Pattern-Codegen-Retirement-1** (filed): replace
+  `patterns_generated.rs` (legacy YAML codegen) with a build-time JSON
+  export of `KNOWN_AGENT_PATTERNS` from `@kya-os/checkpoint-shared`,
+  with the same drift-prevention pattern as #2599. Current PR uses
+  the existing `patterns_generated.rs` data as the Tier 3 source; the
+  followup makes the TS-side `KNOWN_AGENT_PATTERNS` the engine's SSOT.
+- **Tier 2 data version coordination** (Engineer A): substitute
+  `t2-unset` once the reputation/IP-feed schema commits its identity.
+
+---
+
+## 1.2.0 — 2026-05-18
+
+Phase-D.8b engine-surface expansion.
+
+### Added
+
+- `VerifyResult.detectionDetail`, emitted by `kya-os-engine` in the same
+  pass as `decision`. This preserves the rich detection shape (`isAgent`,
+  `detectedAgent`, `agentType`, `verificationMethod`, `riskLevel`,
+  `reasons`) without forcing consumers to reconstruct it from
+  `decision.signals`.
+- Cross-runtime parity now compares `detectionDetail` across Rust,
+  Node-WASM, and Edge-WASM fixtures.
+
+### Changed
+
+- `verifyRequest()` and `verifyRequestEdge()` now return the richer
+  `VerifyResult` shape consistently for normal results and parse-error
+  fallbacks.
+
 ## 1.1.3 — 2026-05-17
 
 **Critical runtime fix for Express on Vercel.** 1.1.2 still failed at

package/dist/adapters.d.mts

@@ -1,4 +1,4 @@
-import { d as DidDocument, D as Decision } from './types-D0j85fF0.mjs';
+import { d as DidDocument, D as Decision } from './types-ByrdPLL2.mjs';
 import '@kya-os/checkpoint-shared';
 
 /**

package/dist/adapters.d.ts

@@ -1,4 +1,4 @@
-import { d as DidDocument, D as Decision } from './types-D0j85fF0.js';
+import { d as DidDocument, D as Decision } from './types-ByrdPLL2.js';
 import '@kya-os/checkpoint-shared';
 
 /**

package/dist/engine-edge.d.mts

@@ -1,6 +1,6 @@
-import { A as AgentRequest, C as ContextSpec, V as VerifyResult } from './types-D0j85fF0.mjs';
-export { a as A2ARequest, b as A2PRequest, B as BlockReason, c as ChallengeParams, D as Decision, d as DidDocument, E as EnforcementMode, e as EngineInfo, H as HttpSignedRequest, I as InstructPayload, K as KeyType, M as McpIRequest, P as PlainHttpRequest, R as RedirectTarget, S as SuggestedAction, f as VerificationMethod } from './types-D0j85fF0.mjs';
-export { McpIPayload } from '@kya-os/checkpoint-shared';
+import { A as AgentRequest, C as ContextSpec, V as VerifyResult } from './types-ByrdPLL2.mjs';
+export { a as A2ARequest, b as A2PRequest, B as BlockReason, c as ChallengeParams, D as Decision, d as DidDocument, E as EnforcementMode, e as EngineInfo, H as HttpSignedRequest, I as InstructPayload, K as KeyType, M as McpIRequest, P as PlainHttpRequest, R as RedirectTarget, S as SuggestedAction, f as VerificationMethod } from './types-ByrdPLL2.mjs';
+export { DetectionDetail, McpIPayload } from '@kya-os/checkpoint-shared';
 
 /**
  * `kya-os-engine` WASM bridge for edge runtimes — Edge-WASM-1.

package/dist/engine-edge.d.ts

@@ -1,6 +1,6 @@
-import { A as AgentRequest, C as ContextSpec, V as VerifyResult } from './types-D0j85fF0.js';
-export { a as A2ARequest, b as A2PRequest, B as BlockReason, c as ChallengeParams, D as Decision, d as DidDocument, E as EnforcementMode, e as EngineInfo, H as HttpSignedRequest, I as InstructPayload, K as KeyType, M as McpIRequest, P as PlainHttpRequest, R as RedirectTarget, S as SuggestedAction, f as VerificationMethod } from './types-D0j85fF0.js';
-export { McpIPayload } from '@kya-os/checkpoint-shared';
+import { A as AgentRequest, C as ContextSpec, V as VerifyResult } from './types-ByrdPLL2.js';
+export { a as A2ARequest, b as A2PRequest, B as BlockReason, c as ChallengeParams, D as Decision, d as DidDocument, E as EnforcementMode, e as EngineInfo, H as HttpSignedRequest, I as InstructPayload, K as KeyType, M as McpIRequest, P as PlainHttpRequest, R as RedirectTarget, S as SuggestedAction, f as VerificationMethod } from './types-ByrdPLL2.js';
+export { DetectionDetail, McpIPayload } from '@kya-os/checkpoint-shared';
 
 /**
  * `kya-os-engine` WASM bridge for edge runtimes — Edge-WASM-1.

package/dist/engine.d.mts

@@ -1,6 +1,6 @@
-import { A as AgentRequest, C as ContextSpec, V as VerifyResult } from './types-D0j85fF0.mjs';
-export { a as A2ARequest, b as A2PRequest, B as BlockReason, c as ChallengeParams, D as Decision, d as DidDocument, E as EnforcementMode, e as EngineInfo, H as HttpSignedRequest, I as InstructPayload, K as KeyType, M as McpIRequest, P as PlainHttpRequest, R as RedirectTarget, S as SuggestedAction, f as VerificationMethod } from './types-D0j85fF0.mjs';
-export { McpIPayload } from '@kya-os/checkpoint-shared';
+import { A as AgentRequest, C as ContextSpec, V as VerifyResult } from './types-ByrdPLL2.mjs';
+export { a as A2ARequest, b as A2PRequest, B as BlockReason, c as ChallengeParams, D as Decision, d as DidDocument, E as EnforcementMode, e as EngineInfo, H as HttpSignedRequest, I as InstructPayload, K as KeyType, M as McpIRequest, P as PlainHttpRequest, R as RedirectTarget, S as SuggestedAction, f as VerificationMethod } from './types-ByrdPLL2.mjs';
+export { DetectionDetail, McpIPayload } from '@kya-os/checkpoint-shared';
 
 /**
  * `kya-os-engine` WASM bridge — E-1 (#2486 follow-up).

package/dist/engine.d.ts

@@ -1,6 +1,6 @@
-import { A as AgentRequest, C as ContextSpec, V as VerifyResult } from './types-D0j85fF0.js';
-export { a as A2ARequest, b as A2PRequest, B as BlockReason, c as ChallengeParams, D as Decision, d as DidDocument, E as EnforcementMode, e as EngineInfo, H as HttpSignedRequest, I as InstructPayload, K as KeyType, M as McpIRequest, P as PlainHttpRequest, R as RedirectTarget, S as SuggestedAction, f as VerificationMethod } from './types-D0j85fF0.js';
-export { McpIPayload } from '@kya-os/checkpoint-shared';
+import { A as AgentRequest, C as ContextSpec, V as VerifyResult } from './types-ByrdPLL2.js';
+export { a as A2ARequest, b as A2PRequest, B as BlockReason, c as ChallengeParams, D as Decision, d as DidDocument, E as EnforcementMode, e as EngineInfo, H as HttpSignedRequest, I as InstructPayload, K as KeyType, M as McpIRequest, P as PlainHttpRequest, R as RedirectTarget, S as SuggestedAction, f as VerificationMethod } from './types-ByrdPLL2.js';
+export { DetectionDetail, McpIPayload } from '@kya-os/checkpoint-shared';
 
 /**
  * `kya-os-engine` WASM bridge — E-1 (#2486 follow-up).

package/dist/orchestrator-edge.d.mts

@@ -1,5 +1,5 @@
 export { initEngineEdge } from './engine-edge.mjs';
-import { E as EnforcementMode, A as AgentRequest, V as VerifyResult } from './types-D0j85fF0.mjs';
+import { E as EnforcementMode, A as AgentRequest, V as VerifyResult } from './types-ByrdPLL2.mjs';
 import { DidResolverAdapter, StatusListCacheAdapter, ReputationOracleAdapter, PolicyEvaluatorAdapter, ClockAdapter } from './adapters.mjs';
 import '@kya-os/checkpoint-shared';
 

package/dist/orchestrator-edge.d.ts

@@ -1,5 +1,5 @@
 export { initEngineEdge } from './engine-edge.js';
-import { E as EnforcementMode, A as AgentRequest, V as VerifyResult } from './types-D0j85fF0.js';
+import { E as EnforcementMode, A as AgentRequest, V as VerifyResult } from './types-ByrdPLL2.js';
 import { DidResolverAdapter, StatusListCacheAdapter, ReputationOracleAdapter, PolicyEvaluatorAdapter, ClockAdapter } from './adapters.js';
 import '@kya-os/checkpoint-shared';
 

package/dist/orchestrator-edge.js

@@ -799,6 +799,32 @@ function bodyAsBytes(body) {
   return [];
 }
 
+// src/engine/orchestrator/synthetic-results.ts
+function hostSynthesizedEngineInfo() {
+  return {
+    name: "checkpoint-engine-wasm",
+    version: "0.0.0-host-synth",
+    rulesetHash: "sha256:host-synthesized",
+    rulesetVersion: "0.0.0-host-synth",
+    extras: { synthesized: true }
+  };
+}
+function parseErrorDetectionDetail(detail) {
+  return {
+    isAgent: false,
+    confidence: 0,
+    detectionClass: { type: "IncompleteData" },
+    confidenceLevel: "low",
+    reasons: [detail],
+    signals: [],
+    verificationMethod: "error",
+    riskLevel: "high",
+    forgeabilityRisk: "high",
+    timestamp: 0,
+    engine: hostSynthesizedEngineInfo()
+  };
+}
+
 // src/engine/orchestrator/render-decision.ts
 function renderDecisionAsResponse(result) {
   const baseHeaders = buildBaseHeaders(result);
@@ -1049,14 +1075,9 @@ function blockWithParseError(detail, enforcementMode) {
         detail
       }
     },
+    detectionDetail: parseErrorDetectionDetail(detail),
     enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
+    engineInfo: hostSynthesizedEngineInfo()
   };
 }
 function defaultLogger(msg) {

package/dist/orchestrator-edge.mjs

@@ -796,6 +796,32 @@ function bodyAsBytes(body) {
   return [];
 }
 
+// src/engine/orchestrator/synthetic-results.ts
+function hostSynthesizedEngineInfo() {
+  return {
+    name: "checkpoint-engine-wasm",
+    version: "0.0.0-host-synth",
+    rulesetHash: "sha256:host-synthesized",
+    rulesetVersion: "0.0.0-host-synth",
+    extras: { synthesized: true }
+  };
+}
+function parseErrorDetectionDetail(detail) {
+  return {
+    isAgent: false,
+    confidence: 0,
+    detectionClass: { type: "IncompleteData" },
+    confidenceLevel: "low",
+    reasons: [detail],
+    signals: [],
+    verificationMethod: "error",
+    riskLevel: "high",
+    forgeabilityRisk: "high",
+    timestamp: 0,
+    engine: hostSynthesizedEngineInfo()
+  };
+}
+
 // src/engine/orchestrator/render-decision.ts
 function renderDecisionAsResponse(result) {
   const baseHeaders = buildBaseHeaders(result);
@@ -1046,14 +1072,9 @@ function blockWithParseError(detail, enforcementMode) {
         detail
       }
     },
+    detectionDetail: parseErrorDetectionDetail(detail),
     enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
+    engineInfo: hostSynthesizedEngineInfo()
   };
 }
 function defaultLogger(msg) {

package/dist/orchestrator-node.d.mts

@@ -1,4 +1,4 @@
-import { d as DidDocument, D as Decision, E as EnforcementMode, V as VerifyResult, A as AgentRequest } from './types-D0j85fF0.mjs';
+import { d as DidDocument, D as Decision, E as EnforcementMode, V as VerifyResult, A as AgentRequest } from './types-ByrdPLL2.mjs';
 import '@kya-os/checkpoint-shared';
 
 /**

package/dist/orchestrator-node.d.ts

@@ -1,4 +1,4 @@
-import { d as DidDocument, D as Decision, E as EnforcementMode, V as VerifyResult, A as AgentRequest } from './types-D0j85fF0.js';
+import { d as DidDocument, D as Decision, E as EnforcementMode, V as VerifyResult, A as AgentRequest } from './types-ByrdPLL2.js';
 import '@kya-os/checkpoint-shared';
 
 /**

package/dist/orchestrator-node.js

@@ -741,6 +741,33 @@ function bodyAsBytes(body) {
   return [];
 }
 
+// src/engine/orchestrator/synthetic-results.ts
+init_cjs_shims();
+function hostSynthesizedEngineInfo() {
+  return {
+    name: "checkpoint-engine-wasm",
+    version: "0.0.0-host-synth",
+    rulesetHash: "sha256:host-synthesized",
+    rulesetVersion: "0.0.0-host-synth",
+    extras: { synthesized: true }
+  };
+}
+function parseErrorDetectionDetail(detail) {
+  return {
+    isAgent: false,
+    confidence: 0,
+    detectionClass: { type: "IncompleteData" },
+    confidenceLevel: "low",
+    reasons: [detail],
+    signals: [],
+    verificationMethod: "error",
+    riskLevel: "high",
+    forgeabilityRisk: "high",
+    timestamp: 0,
+    engine: hostSynthesizedEngineInfo()
+  };
+}
+
 // src/engine/orchestrator/verify-request.ts
 var DEFAULT_REPUTATION_BASELINE = 1;
 function makeVerifyRequest(opts) {
@@ -828,14 +855,9 @@ function blockWithParseError(detail, enforcementMode) {
         detail
       }
     },
+    detectionDetail: parseErrorDetectionDetail(detail),
     enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
+    engineInfo: hostSynthesizedEngineInfo()
   };
 }
 function defaultLogger(msg) {

package/dist/orchestrator-node.mjs

@@ -746,6 +746,33 @@ function bodyAsBytes(body) {
   return [];
 }
 
+// src/engine/orchestrator/synthetic-results.ts
+init_esm_shims();
+function hostSynthesizedEngineInfo() {
+  return {
+    name: "checkpoint-engine-wasm",
+    version: "0.0.0-host-synth",
+    rulesetHash: "sha256:host-synthesized",
+    rulesetVersion: "0.0.0-host-synth",
+    extras: { synthesized: true }
+  };
+}
+function parseErrorDetectionDetail(detail) {
+  return {
+    isAgent: false,
+    confidence: 0,
+    detectionClass: { type: "IncompleteData" },
+    confidenceLevel: "low",
+    reasons: [detail],
+    signals: [],
+    verificationMethod: "error",
+    riskLevel: "high",
+    forgeabilityRisk: "high",
+    timestamp: 0,
+    engine: hostSynthesizedEngineInfo()
+  };
+}
+
 // src/engine/orchestrator/verify-request.ts
 var DEFAULT_REPUTATION_BASELINE = 1;
 function makeVerifyRequest(opts) {
@@ -833,14 +860,9 @@ function blockWithParseError(detail, enforcementMode) {
         detail
       }
     },
+    detectionDetail: parseErrorDetectionDetail(detail),
     enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
+    engineInfo: hostSynthesizedEngineInfo()
   };
 }
 function defaultLogger(msg) {

package/dist/orchestrator.d.mts

@@ -1,6 +1,6 @@
 import { VerifyRequestOpts, IncomingHttpLike } from './orchestrator-node.mjs';
 export { BuildAgentRequestOpts, RenderedResponse, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequest, renderDecisionAsResponse, verifyRequest } from './orchestrator-node.mjs';
-import { V as VerifyResult } from './types-D0j85fF0.mjs';
+import { V as VerifyResult } from './types-ByrdPLL2.mjs';
 import '@kya-os/checkpoint-shared';
 
 /**

package/dist/orchestrator.d.ts

@@ -1,6 +1,6 @@
 import { VerifyRequestOpts, IncomingHttpLike } from './orchestrator-node.js';
 export { BuildAgentRequestOpts, RenderedResponse, buildAgentRequest, extractAgentDid, extractCredentialStatusUrl, extractIssuer, hasMalformedJwsBody, makeVerifyRequest, renderDecisionAsResponse, verifyRequest } from './orchestrator-node.js';
-import { V as VerifyResult } from './types-D0j85fF0.js';
+import { V as VerifyResult } from './types-ByrdPLL2.js';
 import '@kya-os/checkpoint-shared';
 
 /**

package/dist/orchestrator.js

@@ -1244,6 +1244,33 @@ function bodyAsBytes(body) {
   return [];
 }
 
+// src/engine/orchestrator/synthetic-results.ts
+init_cjs_shims();
+function hostSynthesizedEngineInfo() {
+  return {
+    name: "checkpoint-engine-wasm",
+    version: "0.0.0-host-synth",
+    rulesetHash: "sha256:host-synthesized",
+    rulesetVersion: "0.0.0-host-synth",
+    extras: { synthesized: true }
+  };
+}
+function parseErrorDetectionDetail(detail) {
+  return {
+    isAgent: false,
+    confidence: 0,
+    detectionClass: { type: "IncompleteData" },
+    confidenceLevel: "low",
+    reasons: [detail],
+    signals: [],
+    verificationMethod: "error",
+    riskLevel: "high",
+    forgeabilityRisk: "high",
+    timestamp: 0,
+    engine: hostSynthesizedEngineInfo()
+  };
+}
+
 // src/engine/orchestrator/verify-request.ts
 var DEFAULT_REPUTATION_BASELINE = 1;
 function makeVerifyRequest(opts) {
@@ -1331,14 +1358,9 @@ function blockWithParseError(detail, enforcementMode) {
         detail
       }
     },
+    detectionDetail: parseErrorDetectionDetail(detail),
     enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
+    engineInfo: hostSynthesizedEngineInfo()
   };
 }
 function defaultLogger(msg) {
@@ -1625,14 +1647,9 @@ function blockWithParseError2(detail, enforcementMode) {
         detail
       }
     },
+    detectionDetail: parseErrorDetectionDetail(detail),
     enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
+    engineInfo: hostSynthesizedEngineInfo()
   };
 }
 function defaultLogger2(msg) {

package/dist/orchestrator.mjs

@@ -1246,6 +1246,33 @@ function bodyAsBytes(body) {
   return [];
 }
 
+// src/engine/orchestrator/synthetic-results.ts
+init_esm_shims();
+function hostSynthesizedEngineInfo() {
+  return {
+    name: "checkpoint-engine-wasm",
+    version: "0.0.0-host-synth",
+    rulesetHash: "sha256:host-synthesized",
+    rulesetVersion: "0.0.0-host-synth",
+    extras: { synthesized: true }
+  };
+}
+function parseErrorDetectionDetail(detail) {
+  return {
+    isAgent: false,
+    confidence: 0,
+    detectionClass: { type: "IncompleteData" },
+    confidenceLevel: "low",
+    reasons: [detail],
+    signals: [],
+    verificationMethod: "error",
+    riskLevel: "high",
+    forgeabilityRisk: "high",
+    timestamp: 0,
+    engine: hostSynthesizedEngineInfo()
+  };
+}
+
 // src/engine/orchestrator/verify-request.ts
 var DEFAULT_REPUTATION_BASELINE = 1;
 function makeVerifyRequest(opts) {
@@ -1333,14 +1360,9 @@ function blockWithParseError(detail, enforcementMode) {
         detail
       }
     },
+    detectionDetail: parseErrorDetectionDetail(detail),
     enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
+    engineInfo: hostSynthesizedEngineInfo()
   };
 }
 function defaultLogger(msg) {
@@ -1627,14 +1649,9 @@ function blockWithParseError2(detail, enforcementMode) {
         detail
       }
     },
+    detectionDetail: parseErrorDetectionDetail(detail),
     enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
+    engineInfo: hostSynthesizedEngineInfo()
   };
 }
 function defaultLogger2(msg) {

package/dist/{types-D0j85fF0.d.mts → types-ByrdPLL2.d.mts}

@@ -1,4 +1,4 @@
-import { McpIPayload } from '@kya-os/checkpoint-shared';
+import { McpIPayload, DetectionDetail } from '@kya-os/checkpoint-shared';
 
 /**
  * TypeScript shapes for the `kya-os-engine` WASM `verify` ABI (E-1).
@@ -138,6 +138,7 @@ interface EngineInfo {
 }
 interface VerifyResult {
     decision: Decision;
+    detectionDetail: DetectionDetail;
     enforcementMode: EnforcementMode;
     engineInfo: EngineInfo;
 }

package/dist/{types-D0j85fF0.d.ts → types-ByrdPLL2.d.ts}

@@ -1,4 +1,4 @@
-import { McpIPayload } from '@kya-os/checkpoint-shared';
+import { McpIPayload, DetectionDetail } from '@kya-os/checkpoint-shared';
 
 /**
  * TypeScript shapes for the `kya-os-engine` WASM `verify` ABI (E-1).
@@ -138,6 +138,7 @@ interface EngineInfo {
 }
 interface VerifyResult {
     decision: Decision;
+    detectionDetail: DetectionDetail;
     enforcementMode: EnforcementMode;
     engineInfo: EngineInfo;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/checkpoint-wasm-runtime",
-  "version": "1.1.3",
+  "version": "1.3.0",
   "description": "Checkpoint WASM runtime for AI agent detection across all environments (formerly @kya-os/agentshield-wasm-runtime)",
   "keywords": [
     "ai",
@@ -117,7 +117,7 @@
   },
   "dependencies": {
     "multiformats": "^13",
-    "@kya-os/checkpoint-shared": "1.0.0"
+    "@kya-os/checkpoint-shared": "1.1.0"
   },
   "devDependencies": {
     "@types/node": "^20.11.24",