@astrasyncai/verification-gateway 1.0.0

package/dist/index.js

@@ -0,0 +1,1499 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  ACCESS_LEVEL_DESCRIPTIONS: () => ACCESS_LEVEL_DESCRIPTIONS,
+  ACCESS_LEVEL_HIERARCHY: () => ACCESS_LEVEL_HIERARCHY,
+  AgentClient: () => AgentClient,
+  ChallengeHandler: () => ChallengeHandler,
+  DEFAULT_TRUST_THRESHOLDS: () => DEFAULT_TRUST_THRESHOLDS,
+  TRUST_LEVEL_RANGES: () => TRUST_LEVEL_RANGES,
+  VERSION: () => VERSION,
+  agent: () => agent_exports,
+  clearCache: () => clearCache,
+  determineAccessLevel: () => determineAccessLevel,
+  express: () => express_exports,
+  extractCredentials: () => extractCredentials,
+  getAccessLevelForScore: () => getAccessLevelForScore,
+  getCapabilities: () => getCapabilities,
+  getTrustLevel: () => getTrustLevel,
+  hasCredentials: () => hasCredentials,
+  hasMinimumAccess: () => hasMinimumAccess,
+  nextjs: () => nextjs_exports,
+  quickVerify: () => quickVerify,
+  recordDecision: () => recordDecision,
+  sdk: () => sdk_exports,
+  transport: () => transport_exports,
+  verify: () => verify
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/access-levels.ts
+var ACCESS_LEVEL_HIERARCHY = {
+  none: 0,
+  guidance: 1,
+  "read-only": 2,
+  standard: 3,
+  full: 4,
+  internal: 5
+};
+var ACCESS_LEVEL_DESCRIPTIONS = {
+  none: "No access - credentials required",
+  guidance: "Guidance mode - registration information provided",
+  "read-only": "Read-only access - can browse but not modify",
+  standard: "Standard access - normal operations per PDLSS policy",
+  full: "Full access - all operations for high-trust agents",
+  internal: "Internal access - organization member privileges"
+};
+var DEFAULT_TRUST_THRESHOLDS = {
+  none: 0,
+  guidance: 0,
+  "read-only": 20,
+  standard: 40,
+  full: 70,
+  internal: 0
+  // Internal is based on org membership, not score
+};
+var TRUST_LEVEL_RANGES = {
+  BRONZE: { min: 0, max: 39 },
+  SILVER: { min: 40, max: 59 },
+  GOLD: { min: 60, max: 79 },
+  PLATINUM: { min: 80, max: 100 }
+};
+function getTrustLevel(score) {
+  if (score >= 80) return "PLATINUM";
+  if (score >= 60) return "GOLD";
+  if (score >= 40) return "SILVER";
+  return "BRONZE";
+}
+function hasMinimumAccess(actual, required) {
+  return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
+}
+function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLDS) {
+  if (trustScore >= thresholds.full) return "full";
+  if (trustScore >= thresholds.standard) return "standard";
+  if (trustScore >= thresholds["read-only"]) return "read-only";
+  return "guidance";
+}
+function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
+  if (!verified) {
+    return "guidance";
+  }
+  if (isOrgMember) {
+    return "internal";
+  }
+  const thresholds = {
+    ...DEFAULT_TRUST_THRESHOLDS,
+    ...customThresholds
+  };
+  return getAccessLevelForScore(trustScore, thresholds);
+}
+function getCapabilities(accessLevel) {
+  switch (accessLevel) {
+    case "none":
+      return {
+        canRead: false,
+        canWrite: false,
+        canDelete: false,
+        canAdmin: false,
+        canAccessInternal: false
+      };
+    case "guidance":
+      return {
+        canRead: false,
+        canWrite: false,
+        canDelete: false,
+        canAdmin: false,
+        canAccessInternal: false
+      };
+    case "read-only":
+      return {
+        canRead: true,
+        canWrite: false,
+        canDelete: false,
+        canAdmin: false,
+        canAccessInternal: false
+      };
+    case "standard":
+      return {
+        canRead: true,
+        canWrite: true,
+        canDelete: false,
+        canAdmin: false,
+        canAccessInternal: false
+      };
+    case "full":
+      return {
+        canRead: true,
+        canWrite: true,
+        canDelete: true,
+        canAdmin: false,
+        canAccessInternal: false
+      };
+    case "internal":
+      return {
+        canRead: true,
+        canWrite: true,
+        canDelete: true,
+        canAdmin: true,
+        canAccessInternal: true
+      };
+    default:
+      return {
+        canRead: false,
+        canWrite: false,
+        canDelete: false,
+        canAdmin: false,
+        canAccessInternal: false
+      };
+  }
+}
+
+// src/verify.ts
+var DEFAULT_CONFIG = {
+  apiBaseUrl: "https://api.astrasync.ai",
+  defaultAccessLevel: "guidance",
+  minTrustScore: 40,
+  minTrustScoreForFull: 70,
+  cacheTtl: 300,
+  // 5 minutes
+  debug: false
+};
+var verificationCache = /* @__PURE__ */ new Map();
+function getCacheKey(credentials) {
+  return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
+}
+function getCachedResult(credentials) {
+  const key = getCacheKey(credentials);
+  const cached = verificationCache.get(key);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.result;
+  }
+  if (cached) {
+    verificationCache.delete(key);
+  }
+  return null;
+}
+function cacheResult(credentials, result, ttlSeconds) {
+  const key = getCacheKey(credentials);
+  verificationCache.set(key, {
+    result,
+    expiresAt: Date.now() + ttlSeconds * 1e3
+  });
+}
+function clearCache() {
+  verificationCache.clear();
+}
+function extractCredentials(headers, query) {
+  const credentials = {};
+  const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"];
+  if (astraIdHeader) {
+    credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;
+  }
+  const apiKeyHeader = headers["x-api-key"] || headers["X-Api-Key"] || headers["X-API-KEY"];
+  if (apiKeyHeader) {
+    credentials.apiKey = Array.isArray(apiKeyHeader) ? apiKeyHeader[0] : apiKeyHeader;
+  }
+  const authHeader = headers["authorization"] || headers["Authorization"];
+  if (authHeader) {
+    const authValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+    credentials.authorizationHeader = authValue;
+    if (authValue.startsWith("Bearer ")) {
+      credentials.jwt = authValue.slice(7);
+    }
+  }
+  if (query) {
+    if (query.astraId && !credentials.astraId) {
+      credentials.astraId = query.astraId;
+    }
+    if (query.apiKey && !credentials.apiKey) {
+      credentials.apiKey = query.apiKey;
+    }
+  }
+  return credentials;
+}
+function hasCredentials(credentials) {
+  return !!(credentials.astraId || credentials.apiKey || credentials.jwt);
+}
+function createGuidanceResponse(config, reason) {
+  const guidance = {
+    message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
+    steps: [
+      "Register for an AstraSync account",
+      "Create and register your agent",
+      "Add your ASTRA-ID to request headers",
+      "Retry your request"
+    ]
+  };
+  return {
+    verified: false,
+    accessLevel: "guidance",
+    guidance,
+    denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
+    verifiedAt: /* @__PURE__ */ new Date()
+  };
+}
+async function callVerifyAccessAPI(config, request) {
+  const { credentials, ...requestData } = request;
+  const body = {
+    agentId: credentials.astraId,
+    purpose: requestData.purpose || "general"
+  };
+  if (requestData.action) body.action = requestData.action;
+  if (requestData.resourceType) body.resourceType = requestData.resourceType;
+  if (requestData.resource) body.resource = requestData.resource;
+  if (requestData.jurisdiction) body.jurisdiction = requestData.jurisdiction;
+  if (requestData.transactionValue) body.transactionValue = requestData.transactionValue;
+  if (requestData.currency) body.currency = requestData.currency;
+  if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;
+  if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;
+  if (requestData.subAgentDepth !== void 0) body.subAgentDepth = requestData.subAgentDepth;
+  if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
+  if (requestData.createSession) body.createSession = requestData.createSession;
+  if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
+  if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
+  const headers = {
+    "Content-Type": "application/json",
+    ...config.customHeaders
+  };
+  if (config.apiKey) {
+    headers["X-API-Key"] = config.apiKey;
+  }
+  if (credentials.authorizationHeader) {
+    headers["Authorization"] = credentials.authorizationHeader;
+  }
+  try {
+    const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body)
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      return {
+        success: false,
+        error: data.message || data.error || `API returned ${response.status}`
+      };
+    }
+    return data;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    return {
+      success: false,
+      error: `Failed to call verify-access API: ${message}`
+    };
+  }
+}
+async function verify(config, request) {
+  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+  if (!hasCredentials(request.credentials)) {
+    return createGuidanceResponse(mergedConfig, "No agent credentials provided");
+  }
+  if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
+    const cached = getCachedResult(request.credentials);
+    if (cached) {
+      if (mergedConfig.debug) {
+        console.log("[VerificationGateway] Returning cached result");
+      }
+      return cached;
+    }
+  }
+  if (mergedConfig.debug) {
+    console.log("[VerificationGateway] Calling verify-access API");
+  }
+  const apiResponse = await callVerifyAccessAPI(mergedConfig, request);
+  if (!apiResponse.success) {
+    return createGuidanceResponse(mergedConfig, apiResponse.error);
+  }
+  if (!apiResponse.access?.allowed) {
+    const result2 = {
+      verified: false,
+      accessLevel: "guidance",
+      denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      requiresStepUp: apiResponse.access?.requiresStepUp,
+      requiresApproval: apiResponse.access?.requiresApproval,
+      guidance: {
+        message: apiResponse.access?.reason || "Access denied by PDLSS policy",
+        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
+        documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+      },
+      verifiedAt: /* @__PURE__ */ new Date()
+    };
+    return result2;
+  }
+  const agent = apiResponse.agent ? {
+    astraId: apiResponse.agent.astraId,
+    name: apiResponse.agent.name,
+    trustScore: apiResponse.agent.trustScore,
+    trustLevel: getTrustLevel(apiResponse.agent.trustScore),
+    blockchainVerified: apiResponse.agent.blockchainStatus === "verified",
+    status: apiResponse.agent.agentStatus
+  } : void 0;
+  const developer = apiResponse.developer ? {
+    astradId: apiResponse.developer.kyaOwnerId,
+    name: apiResponse.developer.fullName,
+    trustScore: apiResponse.developer.trustScore || 0,
+    verified: apiResponse.developer.identityVerified
+  } : void 0;
+  const organization = apiResponse.organization ? {
+    name: apiResponse.organization.name,
+    verified: apiResponse.organization.verified,
+    trustScore: apiResponse.organization.trustScore
+  } : void 0;
+  const pdlss = apiResponse.access?.pdlss ? {
+    purposeAllowed: apiResponse.access.pdlss.purposeAllowed,
+    withinDuration: apiResponse.access.pdlss.withinDuration,
+    withinLimits: apiResponse.access.pdlss.withinLimits,
+    scopeAllowed: apiResponse.access.pdlss.scopeAllowed,
+    selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
+    appliedPolicy: apiResponse.access.appliedPolicy
+  } : void 0;
+  const trustScore = agent?.trustScore || 0;
+  const isOrgMember = false;
+  const accessLevel = determineAccessLevel(
+    true,
+    trustScore,
+    isOrgMember,
+    {
+      "read-only": 20,
+      standard: mergedConfig.minTrustScore || 40,
+      full: mergedConfig.minTrustScoreForFull || 70
+    }
+  );
+  const result = {
+    verified: true,
+    accessLevel,
+    agent,
+    developer,
+    organization,
+    pdlss,
+    requiresStepUp: apiResponse.access?.requiresStepUp,
+    requiresApproval: apiResponse.access?.requiresApproval,
+    verifiedAt: /* @__PURE__ */ new Date(),
+    cacheTtl: mergedConfig.cacheTtl,
+    // Handshake Protocol v10 enhanced fields (present when backend returns them)
+    sessionId: apiResponse.sessionId,
+    runtimeChallenge: apiResponse.runtimeChallenge,
+    tokenGuidance: apiResponse.tokenGuidance,
+    recommendation: apiResponse.recommendation,
+    recommendationReasons: apiResponse.recommendationReasons
+  };
+  if (result.recommendation === "deny") {
+    result.verified = false;
+    result.accessLevel = "none";
+    result.denialReasons = result.recommendationReasons || ["Access denied by AstraSync recommendation"];
+    if (result.runtimeChallenge) {
+      result.guidance = {
+        message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
+        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
+        documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
+      };
+    }
+  } else if (result.recommendation === "step_up_required") {
+    result.requiresStepUp = true;
+    if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
+      result.accessLevel = "read-only";
+    }
+    result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
+  }
+  if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0 && result.recommendation !== "deny") {
+    cacheResult(request.credentials, result, mergedConfig.cacheTtl);
+  }
+  return result;
+}
+async function quickVerify(config, credentials) {
+  const result = await verify(config, {
+    credentials,
+    purpose: "verification"
+  });
+  return {
+    verified: result.verified,
+    accessLevel: result.accessLevel,
+    reason: result.denialReasons?.[0]
+  };
+}
+
+// src/adapters/express.ts
+var express_exports = {};
+__export(express_exports, {
+  createMiddleware: () => createMiddleware,
+  extractAstraSyncCredentials: () => extractAstraSyncCredentials,
+  requireAccess: () => requireAccess,
+  verifyOnly: () => verifyOnly
+});
+
+// src/transport/http.ts
+var HEADER_PREFIX = "X-Astra-";
+function setHttpHeaders(headers, credentials) {
+  const result = { ...headers };
+  result[`${HEADER_PREFIX}ID`] = credentials.agentId;
+  if (credentials.verifyUrl) {
+    result[`${HEADER_PREFIX}Verify`] = credentials.verifyUrl;
+  }
+  if (credentials.challengeUrl) {
+    result[`${HEADER_PREFIX}Challenge`] = credentials.challengeUrl;
+  }
+  if (credentials.pdlss?.purpose) {
+    const purposeValue = credentials.pdlss.purpose.action ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}` : credentials.pdlss.purpose.category;
+    result[`${HEADER_PREFIX}Purpose`] = purposeValue;
+  }
+  if (credentials.pdlss?.duration?.maxSessionDuration) {
+    result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);
+  }
+  if (credentials.pdlss?.scope?.jurisdiction) {
+    result[`${HEADER_PREFIX}Scope`] = credentials.pdlss.scope.jurisdiction;
+  }
+  return result;
+}
+function extractHttpCredentials(headers) {
+  const getValue = (key) => {
+    const v = headers[key] ?? headers[key.toLowerCase()];
+    return Array.isArray(v) ? v[0] : v;
+  };
+  const agentId = getValue(`${HEADER_PREFIX}ID`) ?? getValue("x-astra-id");
+  if (!agentId) return null;
+  const credentials = { agentId };
+  const verifyUrl = getValue(`${HEADER_PREFIX}Verify`) ?? getValue("x-astra-verify");
+  if (verifyUrl) credentials.verifyUrl = verifyUrl;
+  const challengeUrl = getValue(`${HEADER_PREFIX}Challenge`) ?? getValue("x-astra-challenge");
+  if (challengeUrl) credentials.challengeUrl = challengeUrl;
+  const purpose = getValue(`${HEADER_PREFIX}Purpose`) ?? getValue("x-astra-purpose");
+  if (purpose) {
+    const [category, action] = purpose.split(":");
+    credentials.pdlss = {
+      ...credentials.pdlss,
+      purpose: { category, action }
+    };
+  }
+  const duration = getValue(`${HEADER_PREFIX}Duration`) ?? getValue("x-astra-duration");
+  if (duration) {
+    credentials.pdlss = {
+      ...credentials.pdlss,
+      duration: { maxSessionDuration: parseInt(duration, 10) }
+    };
+  }
+  const scope = getValue(`${HEADER_PREFIX}Scope`) ?? getValue("x-astra-scope");
+  if (scope) {
+    credentials.pdlss = {
+      ...credentials.pdlss,
+      scope: { jurisdiction: scope }
+    };
+  }
+  return credentials;
+}
+
+// src/adapters/express.ts
+function defaultExtractCredentials(req) {
+  return extractCredentials(
+    req.headers,
+    req.query
+  );
+}
+function extractAstraSyncCredentials(req) {
+  return extractHttpCredentials(req.headers);
+}
+function defaultExtractPurpose(req) {
+  const purposeHeader = req.headers["x-purpose"] || req.headers["X-Purpose"];
+  if (purposeHeader) {
+    return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;
+  }
+  if (req.query.purpose && typeof req.query.purpose === "string") {
+    return req.query.purpose;
+  }
+  switch (req.method) {
+    case "GET":
+      return "read";
+    case "POST":
+      return "create";
+    case "PUT":
+    case "PATCH":
+      return "update";
+    case "DELETE":
+      return "delete";
+    default:
+      return "general";
+  }
+}
+function matchRoute(pattern, path) {
+  const regexPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
+  const regex = new RegExp(`^${regexPattern}$`);
+  return regex.test(path);
+}
+function findRouteConfig(routes, path, method) {
+  return routes.find((route) => {
+    const methodMatches = route.method === "*" || route.method.toUpperCase() === method.toUpperCase();
+    const pathMatches = matchRoute(route.pattern, path);
+    return methodMatches && pathMatches;
+  });
+}
+function defaultOnDenied(result, _req, res) {
+  const statusCode = result.verified ? 403 : 401;
+  res.status(statusCode).json({
+    success: false,
+    error: {
+      code: result.verified ? "INSUFFICIENT_ACCESS" : "UNAUTHORIZED",
+      message: result.denialReasons?.[0] || "Access denied",
+      accessLevel: result.accessLevel,
+      guidance: result.guidance
+    }
+  });
+}
+function createMiddleware(options) {
+  const {
+    routes = [],
+    extractCredentials: customExtractCredentials,
+    extractPurpose: customExtractPurpose,
+    skipPaths = [],
+    onDenied = defaultOnDenied,
+    ...config
+  } = options;
+  return async (req, res, next) => {
+    try {
+      const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));
+      if (shouldSkip) {
+        return next();
+      }
+      const routeConfig = findRouteConfig(routes, req.path, req.method);
+      if (!routeConfig) {
+        return next();
+      }
+      if (routeConfig.minAccessLevel === "none") {
+        return next();
+      }
+      const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
+      if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
+        const result2 = {
+          verified: false,
+          accessLevel: "none",
+          denialReasons: ["No agent credentials provided"],
+          guidance: {
+            message: "This endpoint requires agent verification. Please provide your ASTRA-ID.",
+            registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+            documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
+          },
+          verifiedAt: /* @__PURE__ */ new Date()
+        };
+        req.agentVerification = result2;
+        onDenied(result2, req, res);
+        return;
+      }
+      const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
+      const result = await verify(config, {
+        credentials,
+        purpose,
+        action: req.method.toLowerCase(),
+        resource: req.path,
+        clientIp: req.ip,
+        userAgent: req.headers["user-agent"]
+      });
+      req.agentVerification = result;
+      if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
+        onDenied(result, req, res);
+        return;
+      }
+      if (routeConfig.minTrustScore && result.agent) {
+        if (result.agent.trustScore < routeConfig.minTrustScore) {
+          result.denialReasons = [
+            `Trust score ${result.agent.trustScore} is below required ${routeConfig.minTrustScore}`
+          ];
+          onDenied(result, req, res);
+          return;
+        }
+      }
+      next();
+    } catch (error) {
+      console.error("[VerificationGateway] Middleware error:", error);
+      next();
+    }
+  };
+}
+function requireAccess(minAccessLevel, options) {
+  return createMiddleware({
+    ...options,
+    routes: [
+      { pattern: "*", method: "*", minAccessLevel }
+    ]
+  });
+}
+function verifyOnly(options) {
+  return createMiddleware({
+    ...options,
+    routes: [
+      { pattern: "*", method: "*", minAccessLevel: "none" }
+    ]
+  });
+}
+
+// src/adapters/nextjs.ts
+var nextjs_exports = {};
+__export(nextjs_exports, {
+  createMatcherConfig: () => createMatcherConfig,
+  createMiddleware: () => createMiddleware2
+});
+function extractCredentialsFromNextRequest(request) {
+  const credentials = {};
+  const astraId = request.headers.get("x-astra-id") || request.headers.get("X-Astra-Id");
+  if (astraId) {
+    credentials.astraId = astraId;
+  }
+  const apiKey = request.headers.get("x-api-key") || request.headers.get("X-Api-Key");
+  if (apiKey) {
+    credentials.apiKey = apiKey;
+  }
+  const authHeader = request.headers.get("authorization");
+  if (authHeader) {
+    credentials.authorizationHeader = authHeader;
+    if (authHeader.startsWith("Bearer ")) {
+      credentials.jwt = authHeader.slice(7);
+    }
+  }
+  const url = new URL(request.url);
+  const astraIdParam = url.searchParams.get("astraId");
+  const apiKeyParam = url.searchParams.get("apiKey");
+  if (astraIdParam && !credentials.astraId) {
+    credentials.astraId = astraIdParam;
+  }
+  if (apiKeyParam && !credentials.apiKey) {
+    credentials.apiKey = apiKeyParam;
+  }
+  return credentials;
+}
+function matchRoute2(pattern, path) {
+  const regexPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
+  const regex = new RegExp(`^${regexPattern}$`);
+  return regex.test(path);
+}
+function findRouteConfig2(routes, path, method) {
+  return routes.find((route) => {
+    const methodMatches = route.method === "*" || route.method.toUpperCase() === method.toUpperCase();
+    const pathMatches = matchRoute2(route.pattern, path);
+    return methodMatches && pathMatches;
+  });
+}
+function inferPurpose(method) {
+  switch (method.toUpperCase()) {
+    case "GET":
+      return "read";
+    case "POST":
+      return "create";
+    case "PUT":
+    case "PATCH":
+      return "update";
+    case "DELETE":
+      return "delete";
+    default:
+      return "general";
+  }
+}
+function generateCommerceShieldHtml(result, options) {
+  const title = options.commerceShield?.title || "AstraSync Agent Verification";
+  const message = options.commerceShield?.message || result.guidance?.message || "This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials.";
+  const registrationUrl = result.guidance?.registrationUrl || "https://astrasync.ai/register";
+  const docsUrl = result.guidance?.documentationUrl || "https://astrasync.ai/docs/agent-access";
+  const allowGuest = options.commerceShield?.allowGuestAccess ?? true;
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${title}</title>
+  <style>
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+      background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 20px;
+    }
+    .shield-container {
+      background: rgba(255, 255, 255, 0.95);
+      border-radius: 16px;
+      box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.5);
+      max-width: 480px;
+      width: 100%;
+      padding: 40px;
+      text-align: center;
+    }
+    .shield-icon {
+      font-size: 48px;
+      margin-bottom: 20px;
+    }
+    .shield-title {
+      font-size: 24px;
+      font-weight: 700;
+      color: #1a1a2e;
+      margin-bottom: 16px;
+    }
+    .shield-message {
+      color: #4a5568;
+      line-height: 1.6;
+      margin-bottom: 24px;
+    }
+    .shield-steps {
+      text-align: left;
+      background: #f7fafc;
+      border-radius: 8px;
+      padding: 20px;
+      margin-bottom: 24px;
+    }
+    .shield-steps h3 {
+      font-size: 14px;
+      font-weight: 600;
+      color: #2d3748;
+      margin-bottom: 12px;
+    }
+    .shield-steps ol {
+      padding-left: 20px;
+      color: #4a5568;
+    }
+    .shield-steps li {
+      margin-bottom: 8px;
+    }
+    .shield-buttons {
+      display: flex;
+      flex-direction: column;
+      gap: 12px;
+    }
+    .btn {
+      display: inline-block;
+      padding: 14px 24px;
+      border-radius: 8px;
+      font-weight: 600;
+      text-decoration: none;
+      transition: all 0.2s;
+      cursor: pointer;
+      border: none;
+      font-size: 16px;
+    }
+    .btn-primary {
+      background: linear-gradient(135deg, #6366f1 0%, #4f46e5 100%);
+      color: white;
+    }
+    .btn-primary:hover {
+      transform: translateY(-2px);
+      box-shadow: 0 4px 12px rgba(99, 102, 241, 0.4);
+    }
+    .btn-secondary {
+      background: #e2e8f0;
+      color: #4a5568;
+    }
+    .btn-secondary:hover {
+      background: #cbd5e0;
+    }
+    .shield-footer {
+      margin-top: 24px;
+      font-size: 14px;
+      color: #718096;
+    }
+    .shield-footer a {
+      color: #6366f1;
+      text-decoration: none;
+    }
+    .shield-footer a:hover {
+      text-decoration: underline;
+    }
+  </style>
+</head>
+<body>
+  <div class="shield-container">
+    <div class="shield-icon">\u{1F6E1}\uFE0F</div>
+    <h1 class="shield-title">${title}</h1>
+    <p class="shield-message">${message}</p>
+
+    <div class="shield-steps">
+      <h3>To get verified access:</h3>
+      <ol>
+        <li>Register at <a href="${registrationUrl}">astrasync.ai/register</a></li>
+        <li>Create and register your agent</li>
+        <li>Add your ASTRA-ID to request headers</li>
+        <li>Refresh this page</li>
+      </ol>
+    </div>
+
+    <div class="shield-buttons">
+      <a href="${registrationUrl}" class="btn btn-primary">Register Now</a>
+      ${allowGuest ? '<button onclick="window.location.reload()" class="btn btn-secondary">Continue as Guest (Limited)</button>' : ""}
+    </div>
+
+    <p class="shield-footer">
+      Learn more: <a href="${docsUrl}">Agent Access Documentation</a>
+    </p>
+  </div>
+</body>
+</html>
+  `.trim();
+}
+function createMiddleware2(options) {
+  const {
+    routes = [],
+    skipPaths = [],
+    showCommerceShield = true,
+    ...config
+  } = options;
+  return async function middleware(request) {
+    const { NextResponse } = await import("next/server");
+    const pathname = request.nextUrl.pathname;
+    const shouldSkip = skipPaths.some((pattern) => matchRoute2(pattern, pathname));
+    if (shouldSkip) {
+      return NextResponse.next();
+    }
+    const routeConfig = findRouteConfig2(routes, pathname, request.method);
+    if (!routeConfig) {
+      return NextResponse.next();
+    }
+    if (routeConfig.minAccessLevel === "none") {
+      return NextResponse.next();
+    }
+    const credentials = extractCredentialsFromNextRequest(request);
+    if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
+      const result2 = {
+        verified: false,
+        accessLevel: "none",
+        denialReasons: ["No agent credentials provided"],
+        guidance: {
+          message: "This page requires agent verification.",
+          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+          documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
+        },
+        verifiedAt: /* @__PURE__ */ new Date()
+      };
+      if (pathname.startsWith("/api/")) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: {
+              code: "UNAUTHORIZED",
+              message: "No agent credentials provided",
+              guidance: result2.guidance
+            }
+          },
+          { status: 401 }
+        );
+      }
+      if (showCommerceShield) {
+        return new NextResponse(generateCommerceShieldHtml(result2, options), {
+          status: 200,
+          headers: {
+            "Content-Type": "text/html",
+            "X-AstraSync-Verification": "commerce-shield"
+          }
+        });
+      }
+      const registerUrl = result2.guidance?.registrationUrl || "/register";
+      return NextResponse.redirect(new URL(registerUrl, request.url));
+    }
+    const purpose = request.headers.get("x-purpose") || inferPurpose(request.method);
+    const result = await verify(config, {
+      credentials,
+      purpose,
+      action: request.method.toLowerCase(),
+      resource: pathname,
+      clientIp: request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || void 0,
+      userAgent: request.headers.get("user-agent") || void 0
+    });
+    if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
+      if (pathname.startsWith("/api/")) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: {
+              code: result.verified ? "INSUFFICIENT_ACCESS" : "UNAUTHORIZED",
+              message: result.denialReasons?.[0] || "Access denied",
+              accessLevel: result.accessLevel,
+              required: routeConfig.minAccessLevel,
+              guidance: result.guidance
+            }
+          },
+          { status: result.verified ? 403 : 401 }
+        );
+      }
+      if (showCommerceShield) {
+        return new NextResponse(generateCommerceShieldHtml(result, options), {
+          status: 200,
+          headers: {
+            "Content-Type": "text/html",
+            "X-AstraSync-Verification": "commerce-shield"
+          }
+        });
+      }
+      return NextResponse.redirect(new URL("/unauthorized", request.url));
+    }
+    const response = NextResponse.next();
+    response.headers.set("X-AstraSync-Verified", result.verified.toString());
+    response.headers.set("X-AstraSync-Access-Level", result.accessLevel);
+    if (result.agent) {
+      response.headers.set("X-AstraSync-Agent-Id", result.agent.astraId);
+      response.headers.set("X-AstraSync-Trust-Score", result.agent.trustScore.toString());
+    }
+    return response;
+  };
+}
+function createMatcherConfig(paths) {
+  return { matcher: paths };
+}
+
+// src/adapters/sdk.ts
+var sdk_exports = {};
+__export(sdk_exports, {
+  VerificationGatewayClient: () => VerificationGatewayClient,
+  createClient: () => createClient,
+  getCapabilities: () => getCapabilities,
+  getTrustLevel: () => getTrustLevel,
+  hasMinimumAccess: () => hasMinimumAccess,
+  verifyOnce: () => verifyOnce
+});
+var VerificationGatewayClient = class {
+  constructor(options) {
+    this.config = {
+      apiBaseUrl: options.apiBaseUrl,
+      apiKey: options.apiKey,
+      defaultAccessLevel: options.defaultAccessLevel,
+      minTrustScore: options.minTrustScore,
+      minTrustScoreForFull: options.minTrustScoreForFull,
+      cacheTtl: options.cacheTtl,
+      debug: options.debug,
+      customHeaders: options.customHeaders
+    };
+    this.timeout = options.timeout || 1e4;
+    this.retryConfig = options.retry || { maxRetries: 3, backoffMs: 1e3 };
+  }
+  /**
+   * Full verification with all details
+   */
+  async verify(options) {
+    const credentials = {
+      astraId: options.astraId,
+      apiKey: options.apiKey,
+      jwt: options.jwt
+    };
+    return this.executeWithRetry(
+      () => verify(this.config, {
+        credentials,
+        purpose: options.purpose,
+        action: options.action,
+        resourceType: options.resourceType,
+        resource: options.resource,
+        jurisdiction: options.jurisdiction,
+        transactionValue: options.transactionValue,
+        currency: options.currency,
+        isSubAgentRequest: options.isSubAgentRequest,
+        parentAgentId: options.parentAgentId,
+        subAgentDepth: options.subAgentDepth
+      })
+    );
+  }
+  /**
+   * Quick verification - just check if credentials are valid
+   */
+  async quickVerify(credentials) {
+    return this.executeWithRetry(() => quickVerify(this.config, credentials));
+  }
+  /**
+   * Check if an agent has a specific access level
+   */
+  async hasAccess(credentials, requiredLevel) {
+    const result = await this.quickVerify(credentials);
+    return hasMinimumAccess(result.accessLevel, requiredLevel);
+  }
+  /**
+   * Get capabilities for a verified agent
+   */
+  async getCapabilities(credentials) {
+    const result = await this.quickVerify(credentials);
+    return getCapabilities(result.accessLevel);
+  }
+  /**
+   * Verify a specific ASTRA-ID
+   */
+  async verifyAstraId(astraId, options) {
+    return this.verify({
+      astraId,
+      purpose: options?.purpose,
+      action: options?.action
+    });
+  }
+  /**
+   * Verify using an API key
+   */
+  async verifyApiKey(apiKey, options) {
+    return this.verify({
+      apiKey,
+      purpose: options?.purpose,
+      action: options?.action
+    });
+  }
+  /**
+   * Clear the verification cache
+   */
+  clearCache() {
+    clearCache();
+  }
+  /**
+   * Execute a function with retry logic
+   */
+  async executeWithRetry(fn) {
+    let lastError = null;
+    for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {
+      try {
+        const result = await Promise.race([
+          fn(),
+          new Promise(
+            (_, reject) => setTimeout(() => reject(new Error("Request timeout")), this.timeout)
+          )
+        ]);
+        return result;
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+        if (attempt < this.retryConfig.maxRetries) {
+          const backoff = this.retryConfig.backoffMs * Math.pow(2, attempt);
+          await new Promise((resolve) => setTimeout(resolve, backoff));
+        }
+      }
+    }
+    throw lastError || new Error("Verification failed after retries");
+  }
+};
+function createClient(options) {
+  return new VerificationGatewayClient(options);
+}
+async function verifyOnce(options) {
+  const client = createClient(options);
+  return client.verify(options);
+}
+
+// src/transport/index.ts
+var transport_exports = {};
+__export(transport_exports, {
+  applyCredentials: () => applyCredentials,
+  detectProtocol: () => detectProtocol,
+  extractA2ACredentials: () => extractA2ACredentials,
+  extractCredentialsFromProtocol: () => extractCredentialsFromProtocol,
+  extractHttpCredentials: () => extractHttpCredentials,
+  extractMcpCredentials: () => extractMcpCredentials,
+  setA2AMetadata: () => setA2AMetadata,
+  setHttpHeaders: () => setHttpHeaders,
+  setMcpMeta: () => setMcpMeta
+});
+
+// src/transport/a2a.ts
+function setA2AMetadata(task, credentials) {
+  const astrasync = {
+    agentId: credentials.agentId
+  };
+  if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;
+  if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;
+  if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;
+  if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;
+  if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;
+  return {
+    ...task,
+    metadata: {
+      ...task.metadata,
+      astrasync
+    }
+  };
+}
+function extractA2ACredentials(task) {
+  const meta = task.metadata?.astrasync;
+  if (!meta?.agentId) return null;
+  const credentials = {
+    agentId: meta.agentId
+  };
+  if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;
+  if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;
+  if (meta.purpose || meta.duration || meta.scope) {
+    credentials.pdlss = {};
+    if (meta.purpose) credentials.pdlss.purpose = meta.purpose;
+    if (meta.duration) credentials.pdlss.duration = meta.duration;
+    if (meta.scope) credentials.pdlss.scope = meta.scope;
+  }
+  return credentials;
+}
+
+// src/transport/mcp.ts
+function setMcpMeta(params, credentials) {
+  const astrasync = {
+    agentId: credentials.agentId
+  };
+  if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;
+  if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;
+  if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;
+  if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;
+  if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;
+  return {
+    ...params,
+    _meta: {
+      ...params._meta,
+      astrasync
+    }
+  };
+}
+function extractMcpCredentials(params) {
+  const meta = params._meta?.astrasync;
+  if (!meta?.agentId) return null;
+  const credentials = {
+    agentId: meta.agentId
+  };
+  if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;
+  if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;
+  if (meta.purpose || meta.duration || meta.scope) {
+    credentials.pdlss = {};
+    if (meta.purpose) credentials.pdlss.purpose = meta.purpose;
+    if (meta.duration) credentials.pdlss.duration = meta.duration;
+    if (meta.scope) credentials.pdlss.scope = meta.scope;
+  }
+  return credentials;
+}
+
+// src/transport/index.ts
+function detectProtocol(context) {
+  if (context.metadata && typeof context.metadata === "object") {
+    return "a2a";
+  }
+  if (context._meta && typeof context._meta === "object") {
+    return "mcp";
+  }
+  return "http";
+}
+function applyCredentials(protocol, target, credentials) {
+  switch (protocol) {
+    case "http":
+      return setHttpHeaders(target, credentials);
+    case "a2a":
+      return setA2AMetadata(target, credentials);
+    case "mcp":
+      return setMcpMeta(target, credentials);
+    default:
+      return target;
+  }
+}
+function extractCredentialsFromProtocol(protocol, context) {
+  switch (protocol) {
+    case "http":
+      return extractHttpCredentials(context);
+    case "a2a":
+      return extractA2ACredentials(context);
+    case "mcp":
+      return extractMcpCredentials(context);
+    default:
+      return null;
+  }
+}
+
+// src/agent/index.ts
+var agent_exports = {};
+__export(agent_exports, {
+  AgentClient: () => AgentClient,
+  ChallengeHandler: () => ChallengeHandler,
+  formatPDLSSForTransport: () => formatPDLSSForTransport,
+  parsePDLSSFromTransport: () => parsePDLSSFromTransport,
+  recordDecision: () => recordDecision
+});
+
+// src/agent/client.ts
+var AgentClient = class {
+  constructor(config) {
+    this.credentials = {
+      agentId: config.agentId,
+      verifyUrl: config.verifyUrl ?? "https://api.astrasync.ai/agents/verify-access",
+      challengeUrl: config.challengeUrl,
+      pdlss: config.pdlss
+    };
+  }
+  /**
+   * Make an HTTP request with AstraSync headers automatically injected.
+   */
+  async fetch(url, options) {
+    const { purpose, action, ...fetchOptions } = options ?? {};
+    const creds = { ...this.credentials };
+    if (purpose) {
+      creds.pdlss = {
+        ...creds.pdlss,
+        purpose: { category: purpose, action }
+      };
+    }
+    const existingHeaders = {};
+    if (fetchOptions.headers) {
+      if (fetchOptions.headers instanceof Headers) {
+        fetchOptions.headers.forEach((value, key) => {
+          existingHeaders[key] = value;
+        });
+      } else if (Array.isArray(fetchOptions.headers)) {
+        for (const [key, value] of fetchOptions.headers) {
+          existingHeaders[key] = value;
+        }
+      } else {
+        Object.assign(existingHeaders, fetchOptions.headers);
+      }
+    }
+    const enrichedHeaders = setHttpHeaders(existingHeaders, creds);
+    return fetch(url, {
+      ...fetchOptions,
+      headers: enrichedHeaders
+    });
+  }
+  /**
+   * Prepare A2A task metadata with AstraSync credentials.
+   */
+  prepareA2AMetadata(task, overrides) {
+    const creds = this.buildCredentials(overrides);
+    return setA2AMetadata(task, creds);
+  }
+  /**
+   * Prepare MCP params with AstraSync _meta.
+   */
+  prepareMcpMeta(params, overrides) {
+    const creds = this.buildCredentials(overrides);
+    return setMcpMeta(params, creds);
+  }
+  /**
+   * Generic: apply credentials to any protocol.
+   */
+  applyCredentials(protocol, target, overrides) {
+    const creds = this.buildCredentials(overrides);
+    return applyCredentials(protocol, target, creds);
+  }
+  buildCredentials(overrides) {
+    if (!overrides?.purpose) return this.credentials;
+    return {
+      ...this.credentials,
+      pdlss: {
+        ...this.credentials.pdlss,
+        purpose: { category: overrides.purpose, action: overrides.action }
+      }
+    };
+  }
+};
+
+// src/agent/challenge-handler.ts
+var ChallengeHandler = class {
+  constructor(config) {
+    this.pendingCounterparties = /* @__PURE__ */ new Set();
+    this.agentId = config.agentId;
+  }
+  /**
+   * Register a counterparty as pending (before initiating contact).
+   */
+  registerPending(counterpartyId) {
+    this.pendingCounterparties.add(counterpartyId);
+  }
+  /**
+   * Remove a counterparty from pending list (after interaction complete).
+   */
+  removePending(counterpartyId) {
+    this.pendingCounterparties.delete(counterpartyId);
+  }
+  /**
+   * Get current pending counterparties list.
+   */
+  getPendingList() {
+    return [...this.pendingCounterparties];
+  }
+  /**
+   * Express middleware for the challenge endpoint.
+   * Mount at: app.post('/astrasync/challenge', handler.expressMiddleware())
+   */
+  expressMiddleware() {
+    return (req, res) => {
+      const result = this.handleChallenge(req.body);
+      res.status(result.status).json(result.body);
+    };
+  }
+  /**
+   * Generic handler (framework-agnostic).
+   * Returns { status, body } for the caller to send.
+   */
+  handleChallenge(body) {
+    if (!body || typeof body !== "object") {
+      return {
+        status: 400,
+        body: {
+          challengeId: "",
+          acknowledged: false,
+          pendingCounterparties: [],
+          respondedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          error: "Invalid challenge payload"
+        }
+      };
+    }
+    const payload = body;
+    if (!payload.challengeId || !payload.issuedAt || !payload.expiresAt) {
+      return {
+        status: 400,
+        body: {
+          challengeId: payload.challengeId ?? "",
+          acknowledged: false,
+          pendingCounterparties: [],
+          respondedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          error: "Missing required challenge fields"
+        }
+      };
+    }
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(payload.expiresAt);
+    if (now > expiresAt) {
+      return {
+        status: 410,
+        body: {
+          challengeId: payload.challengeId,
+          acknowledged: false,
+          pendingCounterparties: [],
+          respondedAt: now.toISOString(),
+          error: "Challenge has expired"
+        }
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        challengeId: payload.challengeId,
+        acknowledged: true,
+        pendingCounterparties: this.getPendingList(),
+        respondedAt: now.toISOString()
+      }
+    };
+  }
+};
+
+// src/agent/pdlss-formatter.ts
+function formatPDLSSForTransport(pdlss) {
+  const transport = {};
+  if (pdlss.purpose?.categories?.length) {
+    transport.purpose = {
+      category: pdlss.purpose.categories[0],
+      action: pdlss.purpose.allowedActions?.[0]
+    };
+  }
+  if (pdlss.duration) {
+    const candidates = [];
+    if (pdlss.duration.maxSessionDuration) candidates.push(pdlss.duration.maxSessionDuration);
+    if (pdlss.duration.ttl) candidates.push(pdlss.duration.ttl);
+    if (candidates.length > 0) {
+      transport.duration = { maxSessionDuration: Math.min(...candidates) };
+    }
+  }
+  if (pdlss.scope?.jurisdictions?.length) {
+    transport.scope = { jurisdiction: pdlss.scope.jurisdictions[0] };
+  }
+  return transport;
+}
+function parsePDLSSFromTransport(transport) {
+  const pdlss = {};
+  if (transport.purpose) {
+    pdlss.purpose = {
+      categories: [transport.purpose.category],
+      allowedActions: transport.purpose.action ? [transport.purpose.action] : void 0
+    };
+  }
+  if (transport.duration) {
+    pdlss.duration = {
+      maxSessionDuration: transport.duration.maxSessionDuration
+    };
+  }
+  if (transport.scope) {
+    pdlss.scope = {
+      jurisdictions: transport.scope.jurisdiction ? [transport.scope.jurisdiction] : void 0
+    };
+  }
+  return pdlss;
+}
+
+// src/agent/decision-client.ts
+async function recordDecision(config, params) {
+  const { sessionId, ...body } = params;
+  const baseUrl = config.apiBaseUrl.replace(/\/$/, "");
+  const url = `${baseUrl}/agents/verify-access/${encodeURIComponent(sessionId)}/decision`;
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+  }
+  if (config.customHeaders) {
+    Object.assign(headers, config.customHeaders);
+  }
+  const response = await fetch(url, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const errorText = await response.text().catch(() => "Unknown error");
+    throw new Error(
+      `Failed to record decision for session ${sessionId}: ${response.status} ${errorText}`
+    );
+  }
+  const result = await response.json();
+  return {
+    recorded: result.recorded ?? true,
+    blockchainTxHash: result.blockchainTxHash
+  };
+}
+
+// src/index.ts
+var VERSION = "2.0.0";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ACCESS_LEVEL_DESCRIPTIONS,
+  ACCESS_LEVEL_HIERARCHY,
+  AgentClient,
+  ChallengeHandler,
+  DEFAULT_TRUST_THRESHOLDS,
+  TRUST_LEVEL_RANGES,
+  VERSION,
+  agent,
+  clearCache,
+  determineAccessLevel,
+  express,
+  extractCredentials,
+  getAccessLevelForScore,
+  getCapabilities,
+  getTrustLevel,
+  hasCredentials,
+  hasMinimumAccess,
+  nextjs,
+  quickVerify,
+  recordDecision,
+  sdk,
+  transport,
+  verify
+});
+//# sourceMappingURL=index.js.map