@astrasyncai/verification-gateway 2.1.0 → 2.2.0

package/dist/local-evaluator/evaluator.d.mts

@@ -1,5 +1,5 @@
-import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-jJnPXStc.mjs';
-import '../types-CxQwJKbd.mjs';
+import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-DE0ooQJ6.mjs';
+import '../types-CrVMq_Td.mjs';
 
 /**
  * Local PDLSS Evaluator

package/dist/local-evaluator/evaluator.d.ts

@@ -1,5 +1,5 @@
-import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-79qS7aON.js';
-import '../types-CxQwJKbd.js';
+import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-rigu2bH3.js';
+import '../types-CrVMq_Td.js';
 
 /**
  * Local PDLSS Evaluator

package/dist/{nextjs-BQyMCSx_.d.mts → nextjs-BEqidT0U.d.mts}

@@ -1,6 +1,6 @@
 import * as next_server from 'next/server';
 import { NextRequest } from 'next/server';
-import { N as NextJsMiddlewareOptions } from './types-CxQwJKbd.mjs';
+import { N as NextJsMiddlewareOptions } from './types-CrVMq_Td.mjs';
 
 /**
  * Create Next.js middleware for agent verification

package/dist/{nextjs-CEldnIJ9.d.ts → nextjs-yNzimC3a.d.ts}

@@ -1,6 +1,6 @@
 import * as next_server from 'next/server';
 import { NextRequest } from 'next/server';
-import { N as NextJsMiddlewareOptions } from './types-CxQwJKbd.js';
+import { N as NextJsMiddlewareOptions } from './types-CrVMq_Td.js';
 
 /**
  * Create Next.js middleware for agent verification

package/dist/{sdk-BhvuJSrH.d.mts → sdk-7fa9H0qa.d.mts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-CxQwJKbd.mjs';
+import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-CrVMq_Td.mjs';
 
 /**
  * AstraSync Universal Verification Gateway - Access Level Definitions

package/dist/{sdk-BlyVSC_S.d.ts → sdk-CP9C9Qu0.d.ts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-CxQwJKbd.js';
+import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-CrVMq_Td.js';
 
 /**
  * AstraSync Universal Verification Gateway - Access Level Definitions

package/dist/transport/index.d.mts

@@ -1,3 +1,3 @@
-import '../types-CxQwJKbd.mjs';
-export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-3NRaBNvp.mjs';
+import '../types-CrVMq_Td.mjs';
+export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-DlsYN3Et.mjs';
 import 'jose';

package/dist/transport/index.d.ts

@@ -1,3 +1,3 @@
-import '../types-CxQwJKbd.js';
-export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-CME6r4uH.js';
+import '../types-CrVMq_Td.js';
+export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-gM-lgX_X.js';
 import 'jose';

package/dist/{types-CxQwJKbd.d.mts → types-CrVMq_Td.d.mts}

@@ -40,7 +40,7 @@ interface AgentCredentials {
 interface GatewayConfig {
     /** AstraSync API base URL */
     apiBaseUrl: string;
-    /** API key for authenticating with AstraSync (optional for public endpoints) */
+    /** API key for authenticating with AstraSync. */
     apiKey?: string;
     /** Default access level for unverified requests */
     defaultAccessLevel?: AccessLevel;
@@ -173,6 +173,26 @@ interface VerificationResult {
 /**
  * Request context for verification
  */
+/**
+ * Caller metadata forwarded from the agent's original HTTP request so the
+ * endpoint owner can see the real agent-side fingerprint in activity views.
+ * Without this, IP/UA recorded on platform_events would be the counterparty
+ * server's (useless for endpoint-side forensics).
+ */
+interface CallerMetadata {
+    /** Agent-side source IP (honours X-Forwarded-For if set). */
+    sourceIp?: string;
+    /** Agent's User-Agent header. */
+    userAgent?: string;
+    /** Referer header (where the agent navigated from, if applicable). */
+    referer?: string;
+    /** Host the agent called (this counterparty's public hostname). */
+    host?: string;
+    /** Raw X-Forwarded-For chain for audit. */
+    forwardedFor?: string;
+    /** Published agent card URL, if the agent advertised one (future: from agent headers). */
+    agentCardUrl?: string;
+}
 interface VerificationRequest {
     /** Agent credentials */
     credentials: AgentCredentials;
@@ -196,10 +216,17 @@ interface VerificationRequest {
     parentAgentId?: string;
     /** Depth of sub-agent chain */
     subAgentDepth?: number;
-    /** Client IP address */
+    /** Client IP address (deprecated — use callerMetadata.sourceIp) */
     clientIp?: string;
-    /** User agent string */
+    /** User agent string (deprecated — use callerMetadata.userAgent) */
     userAgent?: string;
+    /**
+     * Forwarded request metadata from the agent's original call.
+     * When the SDK is embedded in a counterparty server, these describe
+     * the agent-side fingerprint — not the counterparty server itself.
+     * The express/nextjs adapters auto-populate these from `req`.
+     */
+    callerMetadata?: CallerMetadata;
     /** Enable runtime challenge for this request */
     enableRuntimeChallenge?: boolean;
     /** Create a verification session (returns sessionId) */

package/dist/{types-CxQwJKbd.d.ts → types-CrVMq_Td.d.ts}

@@ -40,7 +40,7 @@ interface AgentCredentials {
 interface GatewayConfig {
     /** AstraSync API base URL */
     apiBaseUrl: string;
-    /** API key for authenticating with AstraSync (optional for public endpoints) */
+    /** API key for authenticating with AstraSync. */
     apiKey?: string;
     /** Default access level for unverified requests */
     defaultAccessLevel?: AccessLevel;
@@ -173,6 +173,26 @@ interface VerificationResult {
 /**
  * Request context for verification
  */
+/**
+ * Caller metadata forwarded from the agent's original HTTP request so the
+ * endpoint owner can see the real agent-side fingerprint in activity views.
+ * Without this, IP/UA recorded on platform_events would be the counterparty
+ * server's (useless for endpoint-side forensics).
+ */
+interface CallerMetadata {
+    /** Agent-side source IP (honours X-Forwarded-For if set). */
+    sourceIp?: string;
+    /** Agent's User-Agent header. */
+    userAgent?: string;
+    /** Referer header (where the agent navigated from, if applicable). */
+    referer?: string;
+    /** Host the agent called (this counterparty's public hostname). */
+    host?: string;
+    /** Raw X-Forwarded-For chain for audit. */
+    forwardedFor?: string;
+    /** Published agent card URL, if the agent advertised one (future: from agent headers). */
+    agentCardUrl?: string;
+}
 interface VerificationRequest {
     /** Agent credentials */
     credentials: AgentCredentials;
@@ -196,10 +216,17 @@ interface VerificationRequest {
     parentAgentId?: string;
     /** Depth of sub-agent chain */
     subAgentDepth?: number;
-    /** Client IP address */
+    /** Client IP address (deprecated — use callerMetadata.sourceIp) */
     clientIp?: string;
-    /** User agent string */
+    /** User agent string (deprecated — use callerMetadata.userAgent) */
     userAgent?: string;
+    /**
+     * Forwarded request metadata from the agent's original call.
+     * When the SDK is embedded in a counterparty server, these describe
+     * the agent-side fingerprint — not the counterparty server itself.
+     * The express/nextjs adapters auto-populate these from `req`.
+     */
+    callerMetadata?: CallerMetadata;
     /** Enable runtime challenge for this request */
     enableRuntimeChallenge?: boolean;
     /** Create a verification session (returns sessionId) */

package/dist/{types-jJnPXStc.d.mts → types-DE0ooQJ6.d.mts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-CxQwJKbd.mjs';
+import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-CrVMq_Td.mjs';
 
 /**
  * AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.

package/dist/{types-79qS7aON.d.ts → types-rigu2bH3.d.ts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-CxQwJKbd.js';
+import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-CrVMq_Td.js';
 
 /**
  * AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.

package/dist/ui/index.d.mts

@@ -1,4 +1,4 @@
-import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-CxQwJKbd.mjs';
+import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-CrVMq_Td.mjs';
 
 /**
  * AstraSync Commerce Shield Component

package/dist/ui/index.d.ts

@@ -1,4 +1,4 @@
-import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-CxQwJKbd.js';
+import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-CrVMq_Td.js';
 
 /**
  * AstraSync Commerce Shield Component

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@astrasyncai/verification-gateway",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Universal Verification Gateway for AstraSync KYA Platform - verify AI agents across any counterparty type",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -112,12 +112,12 @@
     "@sd-jwt/core": "^0.19.0",
     "@sd-jwt/decode": "^0.19.0",
     "@sd-jwt/utils": "^0.19.0",
+    "@x402/core": "^2.10.0",
     "ajv": "^8.17.1",
     "http-message-signatures": "^1.0.5",
-    "structured-headers": "^2.0.1",
     "jose": "^5.9.6",
     "mppx": "0.5.13",
-    "@x402/core": "^2.10.0",
+    "structured-headers": "^2.0.1",
     "web-bot-auth": "^0.1.3"
   },
   "peerDependencies": {