@astrasyncai/verification-gateway 2.1.0 → 2.2.3

package/dist/browser/background.mjs

@@ -3285,51 +3285,45 @@ var ACCESS_LEVEL_HIERARCHY = {
   full: 4,
   internal: 5
 };
-var DEFAULT_TRUST_THRESHOLDS = {
-  none: 0,
-  guidance: 0,
-  "read-only": 20,
-  standard: 40,
-  full: 70,
-  internal: 0
-  // Internal is based on org membership, not score
-};
 function getTrustLevel(score) {
   if (score >= 80) return "PLATINUM";
   if (score >= 60) return "GOLD";
   if (score >= 40) return "SILVER";
   return "BRONZE";
 }
-function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLDS) {
-  if (trustScore >= thresholds.full) return "full";
-  if (trustScore >= thresholds.standard) return "standard";
-  if (trustScore >= thresholds["read-only"]) return "read-only";
-  return "guidance";
-}
-function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
-  if (!verified) {
-    return "guidance";
-  }
-  if (isOrgMember) {
-    return "internal";
-  }
-  const thresholds = {
-    ...DEFAULT_TRUST_THRESHOLDS,
-    ...customThresholds
-  };
-  return getAccessLevelForScore(trustScore, thresholds);
-}
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
-  apiBaseUrl: "https://api.astrasync.ai",
+  apiBaseUrl: "https://astrasync.ai/api",
   defaultAccessLevel: "guidance",
-  minTrustScore: 40,
-  minTrustScoreForFull: 70,
+  // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
   cacheTtl: 300,
   // 5 minutes
   debug: false
 };
+var initCheckPerformed = false;
+var deprecationWarningShown = false;
+async function performInitCheck(apiBaseUrl, debug) {
+  initCheckPerformed = true;
+  try {
+    const probeUrl = `${apiBaseUrl}/agents/verify-access`;
+    const response = await fetch(probeUrl, { method: "HEAD" });
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.startsWith("text/html")) {
+      console.warn(
+        `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
+      );
+    } else if (debug) {
+      console.log(
+        `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
+      );
+    }
+  } catch (err) {
+    if (debug) {
+      console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
+    }
+  }
+}
 var verificationCache = /* @__PURE__ */ new Map();
 function getCacheKey(credentials) {
   return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
@@ -3352,9 +3346,6 @@ function cacheResult(credentials, result, ttlSeconds) {
     expiresAt: Date.now() + ttlSeconds * 1e3
   });
 }
-function hasCredentials(credentials) {
-  return !!(credentials.astraId || credentials.apiKey || credentials.jwt);
-}
 function createGuidanceResponse(config, reason) {
   const guidance = {
     message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
@@ -3378,7 +3369,7 @@ function createGuidanceResponse(config, reason) {
 async function callVerifyAccessAPI(config, request) {
   const { credentials, ...requestData } = request;
   const body = {
-    agentId: credentials.astraId,
+    ...credentials.astraId && { agentId: credentials.astraId },
     purpose: requestData.purpose || "general"
   };
   if (requestData.action) body.action = requestData.action;
@@ -3390,21 +3381,34 @@ async function callVerifyAccessAPI(config, request) {
   if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;
   if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;
   if (requestData.subAgentDepth !== void 0) body.subAgentDepth = requestData.subAgentDepth;
-  if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
+  if (requestData.enableRuntimeChallenge)
+    body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
   if (requestData.createSession) body.createSession = requestData.createSession;
   if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
   if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
   if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
-  if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
+  if (config.counterpartyId) body.counterpartyId = config.counterpartyId;
+  if (requestData.runtimeChallengeOptions)
+    body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
+  if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
+    const meta = {
+      ...requestData.clientIp && { sourceIp: requestData.clientIp },
+      ...requestData.userAgent && { userAgent: requestData.userAgent },
+      ...requestData.callerMetadata
+    };
+    if (Object.keys(meta).length > 0) body.callerMetadata = meta;
+  }
   const headers = {
     "Content-Type": "application/json",
     ...config.customHeaders
   };
-  if (config.apiKey) {
-    headers["X-API-Key"] = config.apiKey;
-  }
   if (credentials.authorizationHeader) {
     headers["Authorization"] = credentials.authorizationHeader;
+  } else if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+  }
+  if (config.apiKey) {
+    headers["X-API-Key"] = config.apiKey;
   }
   try {
     const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {
@@ -3430,8 +3434,14 @@ async function callVerifyAccessAPI(config, request) {
 }
 async function verify(config, request) {
   const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-  if (!hasCredentials(request.credentials)) {
-    return createGuidanceResponse(mergedConfig, "No agent credentials provided");
+  if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
+    void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+  }
+  if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
+    deprecationWarningShown = true;
+    console.warn(
+      "[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
+    );
   }
   if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
     const cached = getCachedResult(request.credentials);
@@ -3503,18 +3513,7 @@ async function verify(config, request) {
     selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
     appliedPolicy: apiResponse.access.appliedPolicy
   } : void 0;
-  const trustScore = agent?.trustScore || 0;
-  const isOrgMember = false;
-  const accessLevel = determineAccessLevel(
-    true,
-    trustScore,
-    isOrgMember,
-    {
-      "read-only": 20,
-      standard: mergedConfig.minTrustScore || 40,
-      full: mergedConfig.minTrustScoreForFull || 70
-    }
-  );
+  const accessLevel = apiResponse.access?.accessLevel ?? "standard";
   const result = {
     verified: true,
     accessLevel,
@@ -3536,7 +3535,9 @@ async function verify(config, request) {
   if (result.recommendation === "deny") {
     result.verified = false;
     result.accessLevel = "none";
-    result.denialReasons = result.recommendationReasons || ["Access denied by AstraSync recommendation"];
+    result.denialReasons = result.recommendationReasons || [
+      "Access denied by AstraSync recommendation"
+    ];
     if (result.runtimeChallenge) {
       result.guidance = {
         message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,