@astrasyncai/verification-gateway 1.1.0 → 2.0.1

package/dist/index.mjs

@@ -228,6 +228,7 @@ async function callVerifyAccessAPI(config, request) {
   if (requestData.subAgentDepth !== void 0) body.subAgentDepth = requestData.subAgentDepth;
   if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
   if (requestData.createSession) body.createSession = requestData.createSession;
+  if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
   if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
   if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
   if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
@@ -401,6 +402,24 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
+async function reportUnregisteredAttempt(config, data) {
+  const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
+  await fetch(`${apiBaseUrl}/verification-activity/unregistered-attempt`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(data)
+  }).catch(() => {
+  });
+}
+async function reportCounterpartyPreCheckFailure(config, data) {
+  const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
+  await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(data)
+  }).catch(() => {
+  });
+}
 async function quickVerify(config, credentials) {
   const result = await verify(config, {
     credentials,
@@ -482,6 +501,54 @@ function extractHttpCredentials(headers) {
   return credentials;
 }
 
+// src/pdlss-pre-check.ts
+function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
+  const failures = [];
+  if (routeConfig.allowedPurposes && routeConfig.allowedPurposes.length > 0 && purpose) {
+    if (!routeConfig.allowedPurposes.includes(purpose)) {
+      failures.push({
+        field: "purpose",
+        requested: purpose,
+        limit: routeConfig.allowedPurposes,
+        message: `Purpose "${purpose}" is not in the allowed list: [${routeConfig.allowedPurposes.join(", ")}]`
+      });
+    }
+  }
+  if (routeConfig.requiredPurposes && routeConfig.requiredPurposes.length > 0 && purpose) {
+    if (!routeConfig.requiredPurposes.includes(purpose)) {
+      failures.push({
+        field: "purpose",
+        requested: purpose,
+        limit: routeConfig.requiredPurposes,
+        message: `Purpose "${purpose}" is not in the required list: [${routeConfig.requiredPurposes.join(", ")}]`
+      });
+    }
+  }
+  if (routeConfig.maxDuration && astraCreds?.pdlss?.duration?.maxSessionDuration) {
+    const requested = astraCreds.pdlss.duration.maxSessionDuration;
+    if (requested > routeConfig.maxDuration) {
+      failures.push({
+        field: "duration",
+        requested,
+        limit: routeConfig.maxDuration,
+        message: `Requested duration ${requested}s exceeds maximum ${routeConfig.maxDuration}s`
+      });
+    }
+  }
+  if (routeConfig.allowedJurisdictions && routeConfig.allowedJurisdictions.length > 0 && astraCreds?.pdlss?.scope?.jurisdiction) {
+    const requested = astraCreds.pdlss.scope.jurisdiction;
+    if (!routeConfig.allowedJurisdictions.includes(requested)) {
+      failures.push({
+        field: "jurisdiction",
+        requested,
+        limit: routeConfig.allowedJurisdictions,
+        message: `Jurisdiction "${requested}" is not in the allowed list: [${routeConfig.allowedJurisdictions.join(", ")}]`
+      });
+    }
+  }
+  return failures;
+}
+
 // src/adapters/express.ts
 function defaultExtractCredentials(req) {
   return extractCredentials(
@@ -493,6 +560,12 @@ function extractAstraSyncCredentials(req) {
   return extractHttpCredentials(req.headers);
 }
 function defaultExtractPurpose(req) {
+  const astraPurpose = req.headers["x-astra-purpose"];
+  if (astraPurpose) {
+    const value = Array.isArray(astraPurpose) ? astraPurpose[0] : astraPurpose;
+    const category = value.split(":")[0];
+    return category;
+  }
   const purposeHeader = req.headers["x-purpose"] || req.headers["X-Purpose"];
   if (purposeHeader) {
     return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;
@@ -502,14 +575,14 @@ function defaultExtractPurpose(req) {
   }
   switch (req.method) {
     case "GET":
-      return "read";
+      return "read_data";
     case "POST":
-      return "create";
+      return "write_data";
     case "PUT":
     case "PATCH":
-      return "update";
+      return "write_data";
     case "DELETE":
-      return "delete";
+      return "delete_data";
     default:
       return "general";
   }
@@ -546,6 +619,7 @@ function createMiddleware(options) {
     skipPaths = [],
     onDenied = defaultOnDenied,
     recordDecisions,
+    enableRuntimeChallenge = true,
     ...config
   } = options;
   return async (req, res, next) => {
@@ -563,6 +637,16 @@ function createMiddleware(options) {
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
       if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
+        const counterpartyUrl2 = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
+        reportUnregisteredAttempt(config, {
+          counterpartyUrl: counterpartyUrl2,
+          counterpartyType: config.counterpartyType || "api",
+          sourceIp: req.ip,
+          userAgent: req.headers["user-agent"],
+          requestPath: req.path,
+          requestMethod: req.method
+        }).catch(() => {
+        });
         const result2 = {
           verified: false,
           accessLevel: "none",
@@ -579,6 +663,34 @@ function createMiddleware(options) {
         return;
       }
       const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
+      const astraCreds = extractAstraSyncCredentials(req);
+      const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
+      const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);
+      if (preCheckFailures.length > 0) {
+        const result2 = {
+          verified: false,
+          accessLevel: "none",
+          denialReasons: preCheckFailures.map((f) => f.message),
+          guidance: {
+            message: "Request exceeds counterparty-defined PDLSS limits.",
+            registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+            documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+          },
+          verifiedAt: /* @__PURE__ */ new Date()
+        };
+        req.agentVerification = result2;
+        reportCounterpartyPreCheckFailure(config, {
+          agentId: astraCreds?.agentId || credentials.astraId || "unknown",
+          counterpartyUrl,
+          counterpartyType: config.counterpartyType || "api",
+          failures: preCheckFailures,
+          requestPath: req.path,
+          requestMethod: req.method
+        }).catch(() => {
+        });
+        onDenied(result2, req, res);
+        return;
+      }
       const shouldRecordDecisions = recordDecisions !== false;
       const result = await verify(config, {
         credentials,
@@ -587,7 +699,11 @@ function createMiddleware(options) {
         resource: req.path,
         clientIp: req.ip,
         userAgent: req.headers["user-agent"],
-        createSession: shouldRecordDecisions
+        createSession: shouldRecordDecisions,
+        counterpartyUrl,
+        counterpartyType: config.counterpartyType || "api",
+        enableRuntimeChallenge,
+        durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration
       });
       req.agentVerification = result;
       const sessionId = result.sessionId;
@@ -626,17 +742,13 @@ function createMiddleware(options) {
 function requireAccess(minAccessLevel, options) {
   return createMiddleware({
     ...options,
-    routes: [
-      { pattern: "*", method: "*", minAccessLevel }
-    ]
+    routes: [{ pattern: "*", method: "*", minAccessLevel }]
   });
 }
 function verifyOnly(options) {
   return createMiddleware({
     ...options,
-    routes: [
-      { pattern: "*", method: "*", minAccessLevel: "none" }
-    ]
+    routes: [{ pattern: "*", method: "*", minAccessLevel: "none" }]
   });
 }
 
@@ -686,17 +798,32 @@ function findRouteConfig2(routes, path, method) {
     return methodMatches && pathMatches;
   });
 }
-function inferPurpose(method) {
-  switch (method.toUpperCase()) {
+function extractAstraSyncCredentialsFromNextRequest(request) {
+  const headers = {};
+  request.headers.forEach((value, key) => {
+    headers[key] = value;
+  });
+  return extractHttpCredentials(headers);
+}
+function extractPurpose(request) {
+  const astraPurpose = request.headers.get("x-astra-purpose");
+  if (astraPurpose) {
+    return astraPurpose.split(":")[0];
+  }
+  const purposeHeader = request.headers.get("x-purpose");
+  if (purposeHeader) {
+    return purposeHeader;
+  }
+  switch (request.method.toUpperCase()) {
     case "GET":
-      return "read";
+      return "read_data";
     case "POST":
-      return "create";
+      return "write_data";
     case "PUT":
     case "PATCH":
-      return "update";
+      return "write_data";
     case "DELETE":
-      return "delete";
+      return "delete_data";
     default:
       return "general";
   }
@@ -848,12 +975,7 @@ function generateCommerceShieldHtml(result, options) {
   `.trim();
 }
 function createMiddleware2(options) {
-  const {
-    routes = [],
-    skipPaths = [],
-    showCommerceShield = true,
-    ...config
-  } = options;
+  const { routes = [], skipPaths = [], showCommerceShield = true, enableRuntimeChallenge = true, ...config } = options;
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -870,6 +992,16 @@ function createMiddleware2(options) {
     }
     const credentials = extractCredentialsFromNextRequest(request);
     if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
+      const counterpartyUrl2 = config.counterpartyUrl || request.nextUrl.origin;
+      reportUnregisteredAttempt(config, {
+        counterpartyUrl: counterpartyUrl2,
+        counterpartyType: config.counterpartyType || "website",
+        sourceIp: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
+        userAgent: request.headers.get("user-agent") || void 0,
+        requestPath: pathname,
+        requestMethod: request.method
+      }).catch(() => {
+      });
       const result2 = {
         verified: false,
         accessLevel: "none",
@@ -906,14 +1038,66 @@ function createMiddleware2(options) {
       const registerUrl = result2.guidance?.registrationUrl || "/register";
       return NextResponse.redirect(new URL(registerUrl, request.url));
     }
-    const purpose = request.headers.get("x-purpose") || inferPurpose(request.method);
+    const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
+    const purpose = extractPurpose(request);
+    const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);
+    const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);
+    if (preCheckFailures.length > 0) {
+      const preCheckResult = {
+        verified: false,
+        accessLevel: "none",
+        denialReasons: preCheckFailures.map((f) => f.message),
+        guidance: {
+          message: "Request exceeds counterparty-defined PDLSS limits.",
+          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+          documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+        },
+        verifiedAt: /* @__PURE__ */ new Date()
+      };
+      reportCounterpartyPreCheckFailure(config, {
+        agentId: astraCreds?.agentId || credentials.astraId || "unknown",
+        counterpartyUrl,
+        counterpartyType: config.counterpartyType || "website",
+        failures: preCheckFailures,
+        requestPath: pathname,
+        requestMethod: request.method
+      }).catch(() => {
+      });
+      if (pathname.startsWith("/api/")) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: {
+              code: "PDLSS_PRE_CHECK_FAILED",
+              message: preCheckResult.denialReasons?.[0] || "PDLSS pre-check failed",
+              guidance: preCheckResult.guidance
+            }
+          },
+          { status: 403 }
+        );
+      }
+      if (showCommerceShield) {
+        return new NextResponse(generateCommerceShieldHtml(preCheckResult, options), {
+          status: 200,
+          headers: {
+            "Content-Type": "text/html",
+            "X-AstraSync-Verification": "commerce-shield"
+          }
+        });
+      }
+      return NextResponse.redirect(new URL("/unauthorized", request.url));
+    }
     const result = await verify(config, {
       credentials,
       purpose,
       action: request.method.toLowerCase(),
       resource: pathname,
       clientIp: request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || void 0,
-      userAgent: request.headers.get("user-agent") || void 0
+      userAgent: request.headers.get("user-agent") || void 0,
+      counterpartyUrl,
+      counterpartyType: config.counterpartyType || "website",
+      enableRuntimeChallenge,
+      durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration
     });
     if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
       if (pathname.startsWith("/api/")) {
@@ -976,7 +1160,9 @@ var VerificationGatewayClient = class {
       minTrustScoreForFull: options.minTrustScoreForFull,
       cacheTtl: options.cacheTtl,
       debug: options.debug,
-      customHeaders: options.customHeaders
+      customHeaders: options.customHeaders,
+      counterpartyUrl: options.counterpartyUrl,
+      counterpartyType: options.counterpartyType
     };
     this.timeout = options.timeout || 1e4;
     this.retryConfig = options.retry || { maxRetries: 3, backoffMs: 1e3 };
@@ -1002,7 +1188,9 @@ var VerificationGatewayClient = class {
         currency: options.currency,
         isSubAgentRequest: options.isSubAgentRequest,
         parentAgentId: options.parentAgentId,
-        subAgentDepth: options.subAgentDepth
+        subAgentDepth: options.subAgentDepth,
+        counterpartyUrl: options.counterpartyUrl,
+        counterpartyType: options.counterpartyType
       })
     );
   }