npm - @astrasyncai/verification-gateway - Versions diffs - 2.1.0 → 2.2.0 - Mend

@astrasyncai/verification-gateway 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/dist/adapter-interface/interface.d.mts +2 -2
package/dist/adapter-interface/interface.d.ts +2 -2
package/dist/adapters/express.d.mts +2 -2
package/dist/adapters/express.d.ts +2 -2
package/dist/adapters/express.js +42 -20
package/dist/adapters/express.js.map +1 -1
package/dist/adapters/express.mjs +42 -20
package/dist/adapters/express.mjs.map +1 -1
package/dist/adapters/nextjs.d.mts +2 -2
package/dist/adapters/nextjs.d.ts +2 -2
package/dist/adapters/nextjs.js +43 -20
package/dist/adapters/nextjs.js.map +1 -1
package/dist/adapters/nextjs.mjs +43 -20
package/dist/adapters/nextjs.mjs.map +1 -1
package/dist/adapters/sdk.d.mts +2 -2
package/dist/adapters/sdk.d.ts +2 -2
package/dist/adapters/sdk.js +25 -16
package/dist/adapters/sdk.js.map +1 -1
package/dist/adapters/sdk.mjs +25 -16
package/dist/adapters/sdk.mjs.map +1 -1
package/dist/agent/index.d.mts +2 -2
package/dist/agent/index.d.ts +2 -2
package/dist/agent/index.js +67 -1
package/dist/agent/index.js.map +1 -1
package/dist/agent/index.mjs +65 -1
package/dist/agent/index.mjs.map +1 -1
package/dist/browser/background.js +25 -16
package/dist/browser/background.js.map +1 -1
package/dist/browser/background.mjs +25 -16
package/dist/browser/background.mjs.map +1 -1
package/dist/browser/browser-adapter.d.mts +2 -2
package/dist/browser/browser-adapter.d.ts +2 -2
package/dist/cli/index.d.mts +2 -2
package/dist/cli/index.d.ts +2 -2
package/dist/cursor/cursor-adapter.d.mts +2 -2
package/dist/cursor/cursor-adapter.d.ts +2 -2
package/dist/cursor/extension.d.mts +2 -2
package/dist/cursor/extension.d.ts +2 -2
package/dist/cursor/extension.js +25 -16
package/dist/cursor/extension.js.map +1 -1
package/dist/cursor/extension.mjs +25 -16
package/dist/cursor/extension.mjs.map +1 -1
package/dist/{express-CtwDIZyF.d.mts → express-C9KqJNWV.d.mts} +1 -1
package/dist/{express-Bcl-uBUE.d.ts → express-DpwYW08E.d.ts} +1 -1
package/dist/gateway/gateway.d.mts +2 -2
package/dist/gateway/gateway.d.ts +2 -2
package/dist/gateway/gateway.js +25 -16
package/dist/gateway/gateway.js.map +1 -1
package/dist/gateway/gateway.mjs +25 -16
package/dist/gateway/gateway.mjs.map +1 -1
package/dist/git-trigger/git-hooks.d.mts +2 -2
package/dist/git-trigger/git-hooks.d.ts +2 -2
package/dist/{index-BY8yQ8N8.d.mts → index-BMZdjGT4.d.mts} +46 -3
package/dist/{index-3NRaBNvp.d.mts → index-DlsYN3Et.d.mts} +1 -1
package/dist/{index-CtYSYwn3.d.ts → index-Dm2xA6j1.d.ts} +46 -3
package/dist/{index-CME6r4uH.d.ts → index-gM-lgX_X.d.ts} +1 -1
package/dist/index.d.mts +7 -7
package/dist/index.d.ts +7 -7
package/dist/index.js +125 -25
package/dist/index.js.map +1 -1
package/dist/index.mjs +125 -25
package/dist/index.mjs.map +1 -1
package/dist/local-evaluator/evaluator.d.mts +2 -2
package/dist/local-evaluator/evaluator.d.ts +2 -2
package/dist/{nextjs-BQyMCSx_.d.mts → nextjs-BEqidT0U.d.mts} +1 -1
package/dist/{nextjs-CEldnIJ9.d.ts → nextjs-yNzimC3a.d.ts} +1 -1
package/dist/{sdk-BhvuJSrH.d.mts → sdk-7fa9H0qa.d.mts} +1 -1
package/dist/{sdk-BlyVSC_S.d.ts → sdk-CP9C9Qu0.d.ts} +1 -1
package/dist/transport/index.d.mts +2 -2
package/dist/transport/index.d.ts +2 -2
package/dist/{types-CxQwJKbd.d.mts → types-CrVMq_Td.d.mts} +30 -3
package/dist/{types-CxQwJKbd.d.ts → types-CrVMq_Td.d.ts} +30 -3
package/dist/{types-jJnPXStc.d.mts → types-DE0ooQJ6.d.mts} +1 -1
package/dist/{types-79qS7aON.d.ts → types-rigu2bH3.d.ts} +1 -1
package/dist/ui/index.d.mts +1 -1
package/dist/ui/index.d.ts +1 -1
package/package.json +3 -3

package/dist/index.mjs CHANGED Viewed

@@ -226,21 +226,33 @@ async function callVerifyAccessAPI(config, request) {
   if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;
   if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;
   if (requestData.subAgentDepth !== void 0) body.subAgentDepth = requestData.subAgentDepth;
-  if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
+  if (requestData.enableRuntimeChallenge)
+    body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
   if (requestData.createSession) body.createSession = requestData.createSession;
   if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
   if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
   if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
-  if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
+  if (requestData.runtimeChallengeOptions)
+    body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
+  if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
+    const meta = {
+      ...requestData.clientIp && { sourceIp: requestData.clientIp },
+      ...requestData.userAgent && { userAgent: requestData.userAgent },
+      ...requestData.callerMetadata
+    };
+    if (Object.keys(meta).length > 0) body.callerMetadata = meta;
+  }
   const headers = {
     "Content-Type": "application/json",
     ...config.customHeaders
   };
-  if (config.apiKey) {
-    headers["X-API-Key"] = config.apiKey;
-  }
   if (credentials.authorizationHeader) {
     headers["Authorization"] = credentials.authorizationHeader;
+  } else if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+  }
+  if (config.apiKey) {
+    headers["X-API-Key"] = config.apiKey;
   }
   try {
     const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {
@@ -341,16 +353,11 @@ async function verify(config, request) {
   } : void 0;
   const trustScore = agent?.trustScore || 0;
   const isOrgMember = false;
-  const accessLevel = determineAccessLevel(
-    true,
-    trustScore,
-    isOrgMember,
-    {
-      "read-only": 20,
-      standard: mergedConfig.minTrustScore || 40,
-      full: mergedConfig.minTrustScoreForFull || 70
-    }
-  );
+  const accessLevel = determineAccessLevel(true, trustScore, isOrgMember, {
+    "read-only": 20,
+    standard: mergedConfig.minTrustScore || 40,
+    full: mergedConfig.minTrustScoreForFull || 70
+  });
   const result = {
     verified: true,
     accessLevel,
@@ -372,7 +379,9 @@ async function verify(config, request) {
   if (result.recommendation === "deny") {
     result.verified = false;
     result.accessLevel = "none";
-    result.denialReasons = result.recommendationReasons || ["Access denied by AstraSync recommendation"];
+    result.denialReasons = result.recommendationReasons || [
+      "Access denied by AstraSync recommendation"
+    ];
     if (result.runtimeChallenge) {
       result.guidance = {
         message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
@@ -394,7 +403,10 @@ async function verify(config, request) {
 }
 async function recordDecision(config, sessionId, decision, reason) {
   const headers = { "Content-Type": "application/json" };
-  if (config.apiKey) headers["X-API-Key"] = config.apiKey;
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+    headers["X-API-Key"] = config.apiKey;
+  }
   await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {
     method: "POST",
     headers,
@@ -692,18 +704,28 @@ function createMiddleware(options) {
         return;
       }
       const shouldRecordDecisions = recordDecisions !== false;
+      const forwardedFor = req.headers["x-forwarded-for"];
+      const forwardedForStr = Array.isArray(forwardedFor) ? forwardedFor.join(", ") : forwardedFor;
+      const originalClientIp = forwardedForStr ? forwardedForStr.split(",")[0].trim() : req.ip;
+      const agentCardUrl = typeof req.headers["x-astrasync-agent-card"] === "string" ? req.headers["x-astrasync-agent-card"] : void 0;
       const result = await verify(config, {
         credentials,
         purpose,
         action: req.method.toLowerCase(),
         resource: req.path,
-        clientIp: req.ip,
-        userAgent: req.headers["user-agent"],
         createSession: shouldRecordDecisions,
         counterpartyUrl,
         counterpartyType: config.counterpartyType || "api",
         enableRuntimeChallenge,
-        durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration
+        durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration,
+        callerMetadata: {
+          sourceIp: originalClientIp,
+          userAgent: req.headers["user-agent"],
+          referer: req.headers.referer,
+          host: req.headers.host,
+          forwardedFor: forwardedForStr,
+          agentCardUrl
+        }
       });
       req.agentVerification = result;
       const sessionId = result.sessionId;
@@ -975,7 +997,13 @@ function generateCommerceShieldHtml(result, options) {
   `.trim();
 }
 function createMiddleware2(options) {
-  const { routes = [], skipPaths = [], showCommerceShield = true, enableRuntimeChallenge = true, ...config } = options;
+  const {
+    routes = [],
+    skipPaths = [],
+    showCommerceShield = true,
+    enableRuntimeChallenge = true,
+    ...config
+  } = options;
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -1087,17 +1115,25 @@ function createMiddleware2(options) {
       }
       return NextResponse.redirect(new URL("/unauthorized", request.url));
     }
+    const forwardedFor = request.headers.get("x-forwarded-for") || void 0;
+    const originalClientIp = forwardedFor?.split(",")[0]?.trim();
     const result = await verify(config, {
       credentials,
       purpose,
       action: request.method.toLowerCase(),
       resource: pathname,
-      clientIp: request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || void 0,
-      userAgent: request.headers.get("user-agent") || void 0,
       counterpartyUrl,
       counterpartyType: config.counterpartyType || "website",
       enableRuntimeChallenge,
-      durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration
+      durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration,
+      callerMetadata: {
+        sourceIp: originalClientIp,
+        userAgent: request.headers.get("user-agent") || void 0,
+        referer: request.headers.get("referer") || void 0,
+        host: request.headers.get("host") || void 0,
+        forwardedFor,
+        agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
+      }
     });
     if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
       if (pathname.startsWith("/api/")) {
@@ -3722,14 +3758,35 @@ function extractCredentialsFromProtocol(protocol, context) {
 var agent_exports = {};
 __export(agent_exports, {
   AgentClient: () => AgentClient,
+  AstraSyncSdkError: () => AstraSyncSdkError,
   ChallengeHandler: () => ChallengeHandler,
+  OwnershipMismatchError: () => OwnershipMismatchError,
   formatPDLSSForTransport: () => formatPDLSSForTransport,
   parsePDLSSFromTransport: () => parsePDLSSFromTransport,
   recordDecision: () => recordDecision2
 });
+// src/agent/errors.ts
+var AstraSyncSdkError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "AstraSyncSdkError";
+    this.code = code;
+  }
+};
+var OwnershipMismatchError = class extends AstraSyncSdkError {
+  constructor(astraId) {
+    super(
+      "ownership_mismatch",
+      `The configured API key does not own agent ${astraId}. Refusing to initialise.`
+    );
+    this.name = "OwnershipMismatchError";
+    this.astraId = astraId;
+  }
+};
 // src/agent/client.ts
-var AgentClient = class {
+var AgentClient = class _AgentClient {
   constructor(config) {
     this.credentials = {
       agentId: config.agentId,
@@ -3737,6 +3794,49 @@ var AgentClient = class {
       challengeUrl: config.challengeUrl,
       pdlss: config.pdlss
     };
+    this.apiBaseUrl = config.apiBaseUrl ?? "https://api.astrasync.ai";
+    this.apiKey = config.apiKey;
+  }
+  /**
+   * Async factory that validates the API key's account owns the configured
+   * ASTRA-id before returning a usable client. Refuses to initialise on
+   * mismatch so a stolen ASTRA-id cannot be paired with a valid (different)
+   * API key.
+   *
+   * Set env `ASTRASYNC_SKIP_OWNERSHIP_CHECK=true` to bypass — intended for
+   * test environments only.
+   */
+  static async create(config) {
+    const client = new _AgentClient(config);
+    const skip = typeof process !== "undefined" && process.env?.ASTRASYNC_SKIP_OWNERSHIP_CHECK === "true";
+    if (skip) return client;
+    if (!config.apiKey) {
+      throw new OwnershipMismatchError(config.agentId);
+    }
+    const owned = await client.verifyOwnership();
+    if (!owned) throw new OwnershipMismatchError(config.agentId);
+    return client;
+  }
+  /**
+   * Calls GET /api/agents/:astraId/ownership with the configured API key.
+   * Returns true only when the backend confirms this API key's account
+   * owns the configured agent.
+   */
+  async verifyOwnership() {
+    if (!this.apiKey) return false;
+    const url = `${this.apiBaseUrl.replace(/\/+$/, "")}/api/agents/${encodeURIComponent(
+      this.credentials.agentId
+    )}/ownership`;
+    const resp = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${this.apiKey}`,
+        "Content-Type": "application/json"
+      }
+    });
+    if (!resp.ok) return false;
+    const body = await resp.json().catch(() => null);
+    return Boolean(body?.data?.owned);
   }
   /**
    * Make an HTTP request with AstraSync headers automatically injected.