@astrasyncai/verification-gateway 2.1.0 → 2.2.3

package/dist/index.js

@@ -179,14 +179,36 @@ function getCapabilities(accessLevel) {
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
-  apiBaseUrl: "https://api.astrasync.ai",
+  apiBaseUrl: "https://astrasync.ai/api",
   defaultAccessLevel: "guidance",
-  minTrustScore: 40,
-  minTrustScoreForFull: 70,
+  // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
   cacheTtl: 300,
   // 5 minutes
   debug: false
 };
+var initCheckPerformed = false;
+var deprecationWarningShown = false;
+async function performInitCheck(apiBaseUrl, debug) {
+  initCheckPerformed = true;
+  try {
+    const probeUrl = `${apiBaseUrl}/agents/verify-access`;
+    const response = await fetch(probeUrl, { method: "HEAD" });
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.startsWith("text/html")) {
+      console.warn(
+        `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
+      );
+    } else if (debug) {
+      console.log(
+        `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
+      );
+    }
+  } catch (err) {
+    if (debug) {
+      console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
+    }
+  }
+}
 var verificationCache = /* @__PURE__ */ new Map();
 function getCacheKey(credentials) {
   return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
@@ -214,7 +236,7 @@ function clearCache() {
 }
 function extractCredentials(headers, query) {
   const credentials = {};
-  const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"];
+  const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"] || headers["x-astra-agentid"] || headers["X-Astra-AgentId"] || headers["x-astra-agent-id"] || headers["X-Astra-Agent-Id"] || headers["X-ASTRA-AGENT-ID"];
   if (astraIdHeader) {
     credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;
   }
@@ -266,7 +288,7 @@ function createGuidanceResponse(config, reason) {
 async function callVerifyAccessAPI(config, request) {
   const { credentials, ...requestData } = request;
   const body = {
-    agentId: credentials.astraId,
+    ...credentials.astraId && { agentId: credentials.astraId },
     purpose: requestData.purpose || "general"
   };
   if (requestData.action) body.action = requestData.action;
@@ -278,21 +300,34 @@ async function callVerifyAccessAPI(config, request) {
   if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;
   if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;
   if (requestData.subAgentDepth !== void 0) body.subAgentDepth = requestData.subAgentDepth;
-  if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
+  if (requestData.enableRuntimeChallenge)
+    body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
   if (requestData.createSession) body.createSession = requestData.createSession;
   if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
   if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
   if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
-  if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
+  if (config.counterpartyId) body.counterpartyId = config.counterpartyId;
+  if (requestData.runtimeChallengeOptions)
+    body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
+  if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
+    const meta = {
+      ...requestData.clientIp && { sourceIp: requestData.clientIp },
+      ...requestData.userAgent && { userAgent: requestData.userAgent },
+      ...requestData.callerMetadata
+    };
+    if (Object.keys(meta).length > 0) body.callerMetadata = meta;
+  }
   const headers = {
     "Content-Type": "application/json",
     ...config.customHeaders
   };
-  if (config.apiKey) {
-    headers["X-API-Key"] = config.apiKey;
-  }
   if (credentials.authorizationHeader) {
     headers["Authorization"] = credentials.authorizationHeader;
+  } else if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+  }
+  if (config.apiKey) {
+    headers["X-API-Key"] = config.apiKey;
   }
   try {
     const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {
@@ -318,8 +353,14 @@ async function callVerifyAccessAPI(config, request) {
 }
 async function verify(config, request) {
   const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-  if (!hasCredentials(request.credentials)) {
-    return createGuidanceResponse(mergedConfig, "No agent credentials provided");
+  if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
+    void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+  }
+  if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
+    deprecationWarningShown = true;
+    console.warn(
+      "[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
+    );
   }
   if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
     const cached = getCachedResult(request.credentials);
@@ -391,18 +432,7 @@ async function verify(config, request) {
     selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
     appliedPolicy: apiResponse.access.appliedPolicy
   } : void 0;
-  const trustScore = agent?.trustScore || 0;
-  const isOrgMember = false;
-  const accessLevel = determineAccessLevel(
-    true,
-    trustScore,
-    isOrgMember,
-    {
-      "read-only": 20,
-      standard: mergedConfig.minTrustScore || 40,
-      full: mergedConfig.minTrustScoreForFull || 70
-    }
-  );
+  const accessLevel = apiResponse.access?.accessLevel ?? "standard";
   const result = {
     verified: true,
     accessLevel,
@@ -424,7 +454,9 @@ async function verify(config, request) {
   if (result.recommendation === "deny") {
     result.verified = false;
     result.accessLevel = "none";
-    result.denialReasons = result.recommendationReasons || ["Access denied by AstraSync recommendation"];
+    result.denialReasons = result.recommendationReasons || [
+      "Access denied by AstraSync recommendation"
+    ];
     if (result.runtimeChallenge) {
       result.guidance = {
         message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
@@ -446,7 +478,10 @@ async function verify(config, request) {
 }
 async function recordDecision(config, sessionId, decision, reason) {
   const headers = { "Content-Type": "application/json" };
-  if (config.apiKey) headers["X-API-Key"] = config.apiKey;
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+    headers["X-API-Key"] = config.apiKey;
+  }
   await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {
     method: "POST",
     headers,
@@ -454,15 +489,6 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
-async function reportUnregisteredAttempt(config, data) {
-  const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
-  await fetch(`${apiBaseUrl}/verification-activity/unregistered-attempt`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(data)
-  }).catch(() => {
-  });
-}
 async function reportCounterpartyPreCheckFailure(config, data) {
   const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
   await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
@@ -688,32 +714,6 @@ function createMiddleware(options) {
         return next();
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
-      if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
-        const counterpartyUrl2 = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
-        reportUnregisteredAttempt(config, {
-          counterpartyUrl: counterpartyUrl2,
-          counterpartyType: config.counterpartyType || "api",
-          sourceIp: req.ip,
-          userAgent: req.headers["user-agent"],
-          requestPath: req.path,
-          requestMethod: req.method
-        }).catch(() => {
-        });
-        const result2 = {
-          verified: false,
-          accessLevel: "none",
-          denialReasons: ["No agent credentials provided"],
-          guidance: {
-            message: "This endpoint requires agent verification. Please provide your ASTRA-ID.",
-            registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
-            documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
-          },
-          verifiedAt: /* @__PURE__ */ new Date()
-        };
-        req.agentVerification = result2;
-        onDenied(result2, req, res);
-        return;
-      }
       const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
       const astraCreds = extractAstraSyncCredentials(req);
       const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
@@ -744,18 +744,28 @@ function createMiddleware(options) {
         return;
       }
       const shouldRecordDecisions = recordDecisions !== false;
+      const forwardedFor = req.headers["x-forwarded-for"];
+      const forwardedForStr = Array.isArray(forwardedFor) ? forwardedFor.join(", ") : forwardedFor;
+      const originalClientIp = forwardedForStr ? forwardedForStr.split(",")[0].trim() : req.ip;
+      const agentCardUrl = typeof req.headers["x-astrasync-agent-card"] === "string" ? req.headers["x-astrasync-agent-card"] : void 0;
       const result = await verify(config, {
         credentials,
         purpose,
         action: req.method.toLowerCase(),
         resource: req.path,
-        clientIp: req.ip,
-        userAgent: req.headers["user-agent"],
         createSession: shouldRecordDecisions,
         counterpartyUrl,
         counterpartyType: config.counterpartyType || "api",
         enableRuntimeChallenge,
-        durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration
+        durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration,
+        callerMetadata: {
+          sourceIp: originalClientIp,
+          userAgent: req.headers["user-agent"],
+          referer: req.headers.referer,
+          host: req.headers.host,
+          forwardedFor: forwardedForStr,
+          agentCardUrl
+        }
       });
       req.agentVerification = result;
       const sessionId = result.sessionId;
@@ -1027,7 +1037,13 @@ function generateCommerceShieldHtml(result, options) {
   `.trim();
 }
 function createMiddleware2(options) {
-  const { routes = [], skipPaths = [], showCommerceShield = true, enableRuntimeChallenge = true, ...config } = options;
+  const {
+    routes = [],
+    skipPaths = [],
+    showCommerceShield = true,
+    enableRuntimeChallenge = true,
+    ...config
+  } = options;
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -1043,53 +1059,6 @@ function createMiddleware2(options) {
       return NextResponse.next();
     }
     const credentials = extractCredentialsFromNextRequest(request);
-    if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
-      const counterpartyUrl2 = config.counterpartyUrl || request.nextUrl.origin;
-      reportUnregisteredAttempt(config, {
-        counterpartyUrl: counterpartyUrl2,
-        counterpartyType: config.counterpartyType || "website",
-        sourceIp: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
-        userAgent: request.headers.get("user-agent") || void 0,
-        requestPath: pathname,
-        requestMethod: request.method
-      }).catch(() => {
-      });
-      const result2 = {
-        verified: false,
-        accessLevel: "none",
-        denialReasons: ["No agent credentials provided"],
-        guidance: {
-          message: "This page requires agent verification.",
-          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
-          documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
-        },
-        verifiedAt: /* @__PURE__ */ new Date()
-      };
-      if (pathname.startsWith("/api/")) {
-        return NextResponse.json(
-          {
-            success: false,
-            error: {
-              code: "UNAUTHORIZED",
-              message: "No agent credentials provided",
-              guidance: result2.guidance
-            }
-          },
-          { status: 401 }
-        );
-      }
-      if (showCommerceShield) {
-        return new NextResponse(generateCommerceShieldHtml(result2, options), {
-          status: 200,
-          headers: {
-            "Content-Type": "text/html",
-            "X-AstraSync-Verification": "commerce-shield"
-          }
-        });
-      }
-      const registerUrl = result2.guidance?.registrationUrl || "/register";
-      return NextResponse.redirect(new URL(registerUrl, request.url));
-    }
     const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
     const purpose = extractPurpose(request);
     const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);
@@ -1139,17 +1108,25 @@ function createMiddleware2(options) {
       }
       return NextResponse.redirect(new URL("/unauthorized", request.url));
     }
+    const forwardedFor = request.headers.get("x-forwarded-for") || void 0;
+    const originalClientIp = forwardedFor?.split(",")[0]?.trim();
     const result = await verify(config, {
       credentials,
       purpose,
       action: request.method.toLowerCase(),
       resource: pathname,
-      clientIp: request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || void 0,
-      userAgent: request.headers.get("user-agent") || void 0,
       counterpartyUrl,
       counterpartyType: config.counterpartyType || "website",
       enableRuntimeChallenge,
-      durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration
+      durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration,
+      callerMetadata: {
+        sourceIp: originalClientIp,
+        userAgent: request.headers.get("user-agent") || void 0,
+        referer: request.headers.get("referer") || void 0,
+        host: request.headers.get("host") || void 0,
+        forwardedFor,
+        agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
+      }
     });
     if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
       if (pathname.startsWith("/api/")) {
@@ -3771,21 +3748,85 @@ function extractCredentialsFromProtocol(protocol, context) {
 var agent_exports = {};
 __export(agent_exports, {
   AgentClient: () => AgentClient,
+  AstraSyncSdkError: () => AstraSyncSdkError,
   ChallengeHandler: () => ChallengeHandler,
+  OwnershipMismatchError: () => OwnershipMismatchError,
   formatPDLSSForTransport: () => formatPDLSSForTransport,
   parsePDLSSFromTransport: () => parsePDLSSFromTransport,
   recordDecision: () => recordDecision2
 });
 
+// src/agent/errors.ts
+var AstraSyncSdkError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "AstraSyncSdkError";
+    this.code = code;
+  }
+};
+var OwnershipMismatchError = class extends AstraSyncSdkError {
+  constructor(astraId) {
+    super(
+      "ownership_mismatch",
+      `The configured API key does not own agent ${astraId}. Refusing to initialise.`
+    );
+    this.name = "OwnershipMismatchError";
+    this.astraId = astraId;
+  }
+};
+
 // src/agent/client.ts
-var AgentClient = class {
+var AgentClient = class _AgentClient {
   constructor(config) {
     this.credentials = {
       agentId: config.agentId,
-      verifyUrl: config.verifyUrl ?? "https://api.astrasync.ai/agents/verify-access",
+      verifyUrl: config.verifyUrl ?? "https://astrasync.ai/api/agents/verify-access",
       challengeUrl: config.challengeUrl,
       pdlss: config.pdlss
     };
+    this.apiBaseUrl = config.apiBaseUrl ?? "https://astrasync.ai/api";
+    this.apiKey = config.apiKey;
+  }
+  /**
+   * Async factory that validates the API key's account owns the configured
+   * ASTRA-id before returning a usable client. Refuses to initialise on
+   * mismatch so a stolen ASTRA-id cannot be paired with a valid (different)
+   * API key.
+   *
+   * Set env `ASTRASYNC_SKIP_OWNERSHIP_CHECK=true` to bypass — intended for
+   * test environments only.
+   */
+  static async create(config) {
+    const client = new _AgentClient(config);
+    const skip = typeof process !== "undefined" && process.env?.ASTRASYNC_SKIP_OWNERSHIP_CHECK === "true";
+    if (skip) return client;
+    if (!config.apiKey) {
+      throw new OwnershipMismatchError(config.agentId);
+    }
+    const owned = await client.verifyOwnership();
+    if (!owned) throw new OwnershipMismatchError(config.agentId);
+    return client;
+  }
+  /**
+   * Calls GET /api/agents/:astraId/ownership with the configured API key.
+   * Returns true only when the backend confirms this API key's account
+   * owns the configured agent.
+   */
+  async verifyOwnership() {
+    if (!this.apiKey) return false;
+    const url = `${this.apiBaseUrl.replace(/\/+$/, "")}/api/agents/${encodeURIComponent(
+      this.credentials.agentId
+    )}/ownership`;
+    const resp = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${this.apiKey}`,
+        "Content-Type": "application/json"
+      }
+    });
+    if (!resp.ok) return false;
+    const body = await resp.json().catch(() => null);
+    return Boolean(body?.data?.owned);
   }
   /**
    * Make an HTTP request with AstraSync headers automatically injected.