@astrasyncai/verification-gateway 2.1.0 → 2.2.3

package/dist/local-evaluator/evaluator.d.mts

@@ -1,5 +1,5 @@
-import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-jJnPXStc.mjs';
-import '../types-CxQwJKbd.mjs';
+import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-CgXPKUwi.mjs';
+import '../types-DOrqNMgy.mjs';
 
 /**
  * Local PDLSS Evaluator

package/dist/local-evaluator/evaluator.d.ts

@@ -1,5 +1,5 @@
-import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-79qS7aON.js';
-import '../types-CxQwJKbd.js';
+import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-BYKAY6Cc.js';
+import '../types-DOrqNMgy.js';
 
 /**
  * Local PDLSS Evaluator

package/dist/{nextjs-CEldnIJ9.d.ts → nextjs-B2kg19c1.d.ts}

@@ -1,6 +1,6 @@
 import * as next_server from 'next/server';
 import { NextRequest } from 'next/server';
-import { N as NextJsMiddlewareOptions } from './types-CxQwJKbd.js';
+import { N as NextJsMiddlewareOptions } from './types-DOrqNMgy.js';
 
 /**
  * Create Next.js middleware for agent verification

package/dist/{nextjs-BQyMCSx_.d.mts → nextjs-ZymQ8jDh.d.mts}

@@ -1,6 +1,6 @@
 import * as next_server from 'next/server';
 import { NextRequest } from 'next/server';
-import { N as NextJsMiddlewareOptions } from './types-CxQwJKbd.mjs';
+import { N as NextJsMiddlewareOptions } from './types-DOrqNMgy.mjs';
 
 /**
  * Create Next.js middleware for agent verification

package/dist/{sdk-BhvuJSrH.d.mts → sdk-B7id0VFS.d.mts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-CxQwJKbd.mjs';
+import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-DOrqNMgy.mjs';
 
 /**
  * AstraSync Universal Verification Gateway - Access Level Definitions
@@ -69,7 +69,7 @@ declare function getCapabilities(accessLevel: AccessLevel): AccessCapabilities;
  * import { createClient } from '@astrasyncai/verification-gateway/sdk';
  *
  * const gateway = createClient({
- *   apiBaseUrl: 'https://api.astrasync.ai',
+ *   apiBaseUrl: 'https://astrasync.ai/api',
  * });
  *
  * // Verify another agent before interacting

package/dist/{sdk-BlyVSC_S.d.ts → sdk-Bso0FSI0.d.ts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-CxQwJKbd.js';
+import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-DOrqNMgy.js';
 
 /**
  * AstraSync Universal Verification Gateway - Access Level Definitions
@@ -69,7 +69,7 @@ declare function getCapabilities(accessLevel: AccessLevel): AccessCapabilities;
  * import { createClient } from '@astrasyncai/verification-gateway/sdk';
  *
  * const gateway = createClient({
- *   apiBaseUrl: 'https://api.astrasync.ai',
+ *   apiBaseUrl: 'https://astrasync.ai/api',
  * });
  *
  * // Verify another agent before interacting

package/dist/transport/index.d.mts

@@ -1,3 +1,3 @@
-import '../types-CxQwJKbd.mjs';
-export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-3NRaBNvp.mjs';
+import '../types-DOrqNMgy.mjs';
+export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-BaxpmTGA.mjs';
 import 'jose';

package/dist/transport/index.d.ts

@@ -1,3 +1,3 @@
-import '../types-CxQwJKbd.js';
-export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-CME6r4uH.js';
+import '../types-DOrqNMgy.js';
+export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-Ba0Lvsjo.js';
 import 'jose';

package/dist/{types-79qS7aON.d.ts → types-BYKAY6Cc.d.ts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-CxQwJKbd.js';
+import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-DOrqNMgy.js';
 
 /**
  * AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.

package/dist/{types-jJnPXStc.d.mts → types-CgXPKUwi.d.mts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-CxQwJKbd.mjs';
+import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-DOrqNMgy.mjs';
 
 /**
  * AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.

package/dist/{types-CxQwJKbd.d.mts → types-DOrqNMgy.d.mts}

@@ -8,19 +8,32 @@
  */
 type TrustLevel = 'BRONZE' | 'SILVER' | 'GOLD' | 'PLATINUM';
 /**
- * Access levels granted based on verification result
- * - none: No credentials provided, show guidance
- * - guidance: Commerce Shield overlay with registration info
- * - read-only: Can browse, no mutations
- * - standard: Normal access per PDLSS
- * - full: Full access for high-trust agents
- * - internal: Internal org access (same organization)
+ * Access levels granted based on verification result. Server is the single
+ * source of truth — these values are the resolved decision the server returns
+ * in `access.accessLevel`. SDK reads them verbatim (no client-side remap).
+ *
+ * For ANONYMOUS / unverified callers, the level is determined by the
+ * endpoint's `unverifiedAgentPolicy` per the verify-access canonical flow
+ * (see `docs/research/adapter-architecture-technical-requirements.md` §21):
+ * - Branch A (deny): `none` — caller is denied + advised to register
+ * - Branch B (allow_partial): `guidance` — reduced/browse-only access + advised
+ * - Branch C (allow_full): `standard` — unrestricted + advised to register for next time
+ * Every branch ALWAYS emits a verification event + queues a blockchain record.
+ *
+ * For VERIFIED callers (Branch D), the level is resolved server-side from the
+ * agent's live trust score plus the endpoint's `trust_score_requirement`:
+ * - none: agent below endpoint gate (denied; access.allowed=false)
+ * - guidance: 0–19 trust score
+ * - read-only: 20–39 trust score (browse, no mutations)
+ * - standard: 40–69 trust score (PDLSS-scoped operations)
+ * - full: 70+ trust score (PDLSS-scoped, high-trust)
+ * - internal: same-org membership, regardless of score
  */
 type AccessLevel = 'none' | 'guidance' | 'read-only' | 'standard' | 'full' | 'internal';
 /**
  * Types of counterparties that can integrate the gateway
  */
-type CounterpartyType = 'agent' | 'api' | 'mcp_server' | 'website' | 'other';
+type CounterpartyType = 'agent' | 'api' | 'mcp_server' | 'website' | 'other' | 'unknown';
 /**
  * Agent credentials extracted from request
  */
@@ -40,13 +53,21 @@ interface AgentCredentials {
 interface GatewayConfig {
     /** AstraSync API base URL */
     apiBaseUrl: string;
-    /** API key for authenticating with AstraSync (optional for public endpoints) */
+    /** API key for authenticating with AstraSync. */
     apiKey?: string;
     /** Default access level for unverified requests */
     defaultAccessLevel?: AccessLevel;
-    /** Minimum trust score required for standard access */
+    /**
+     * @deprecated Removed in v2.3.0 — server is the single source of truth for
+     * access-level decisions. Setting this no longer affects access decisions
+     * (the SDK reads `access.accessLevel` from the verify-access response).
+     * If you need a higher gate for an endpoint, configure it server-side via
+     * the endpoint's `trust_score_requirement`.
+     */
     minTrustScore?: number;
-    /** Minimum trust score required for full access */
+    /**
+     * @deprecated Removed in v2.3.0 — see `minTrustScore` above.
+     */
     minTrustScoreForFull?: number;
     /** Cache verification results (TTL in seconds) */
     cacheTtl?: number;
@@ -58,6 +79,24 @@ interface GatewayConfig {
     counterpartyUrl?: string;
     /** This counterparty's type (sent with verify-access requests for analytics) */
     counterpartyType?: CounterpartyType;
+    /**
+     * This counterparty's ASTRAE-id (issued at endpoint registration). When set,
+     * the SDK forwards it on verify-access calls so the server attributes traffic
+     * directly to this endpoint rather than resolving by URL. Useful when:
+     *  - The merchant has multiple endpoints under the same origin (each running
+     *    its own SDK instance with its own counterpartyId)
+     *  - The endpoint URL might be served behind a proxy / different host than
+     *    the registered origin
+     */
+    counterpartyId?: string;
+    /**
+     * Disable the one-time init self-test. The SDK normally fires a HEAD/OPTIONS
+     * to `${apiBaseUrl}/agents/verify-access` on first verify() call and warns
+     * if the response is HTML (indicating apiBaseUrl is pointing at a marketing
+     * site rather than the API). Set true for tests or environments where the
+     * extra request is undesirable.
+     */
+    disableInitChecks?: boolean;
 }
 /**
  * Verified agent information
@@ -173,6 +212,26 @@ interface VerificationResult {
 /**
  * Request context for verification
  */
+/**
+ * Caller metadata forwarded from the agent's original HTTP request so the
+ * endpoint owner can see the real agent-side fingerprint in activity views.
+ * Without this, IP/UA recorded on platform_events would be the counterparty
+ * server's (useless for endpoint-side forensics).
+ */
+interface CallerMetadata {
+    /** Agent-side source IP (honours X-Forwarded-For if set). */
+    sourceIp?: string;
+    /** Agent's User-Agent header. */
+    userAgent?: string;
+    /** Referer header (where the agent navigated from, if applicable). */
+    referer?: string;
+    /** Host the agent called (this counterparty's public hostname). */
+    host?: string;
+    /** Raw X-Forwarded-For chain for audit. */
+    forwardedFor?: string;
+    /** Published agent card URL, if the agent advertised one (future: from agent headers). */
+    agentCardUrl?: string;
+}
 interface VerificationRequest {
     /** Agent credentials */
     credentials: AgentCredentials;
@@ -196,10 +255,17 @@ interface VerificationRequest {
     parentAgentId?: string;
     /** Depth of sub-agent chain */
     subAgentDepth?: number;
-    /** Client IP address */
+    /** Client IP address (deprecated — use callerMetadata.sourceIp) */
     clientIp?: string;
-    /** User agent string */
+    /** User agent string (deprecated — use callerMetadata.userAgent) */
     userAgent?: string;
+    /**
+     * Forwarded request metadata from the agent's original call.
+     * When the SDK is embedded in a counterparty server, these describe
+     * the agent-side fingerprint — not the counterparty server itself.
+     * The express/nextjs adapters auto-populate these from `req`.
+     */
+    callerMetadata?: CallerMetadata;
     /** Enable runtime challenge for this request */
     enableRuntimeChallenge?: boolean;
     /** Create a verification session (returns sessionId) */

package/dist/{types-CxQwJKbd.d.ts → types-DOrqNMgy.d.ts}

@@ -8,19 +8,32 @@
  */
 type TrustLevel = 'BRONZE' | 'SILVER' | 'GOLD' | 'PLATINUM';
 /**
- * Access levels granted based on verification result
- * - none: No credentials provided, show guidance
- * - guidance: Commerce Shield overlay with registration info
- * - read-only: Can browse, no mutations
- * - standard: Normal access per PDLSS
- * - full: Full access for high-trust agents
- * - internal: Internal org access (same organization)
+ * Access levels granted based on verification result. Server is the single
+ * source of truth — these values are the resolved decision the server returns
+ * in `access.accessLevel`. SDK reads them verbatim (no client-side remap).
+ *
+ * For ANONYMOUS / unverified callers, the level is determined by the
+ * endpoint's `unverifiedAgentPolicy` per the verify-access canonical flow
+ * (see `docs/research/adapter-architecture-technical-requirements.md` §21):
+ * - Branch A (deny): `none` — caller is denied + advised to register
+ * - Branch B (allow_partial): `guidance` — reduced/browse-only access + advised
+ * - Branch C (allow_full): `standard` — unrestricted + advised to register for next time
+ * Every branch ALWAYS emits a verification event + queues a blockchain record.
+ *
+ * For VERIFIED callers (Branch D), the level is resolved server-side from the
+ * agent's live trust score plus the endpoint's `trust_score_requirement`:
+ * - none: agent below endpoint gate (denied; access.allowed=false)
+ * - guidance: 0–19 trust score
+ * - read-only: 20–39 trust score (browse, no mutations)
+ * - standard: 40–69 trust score (PDLSS-scoped operations)
+ * - full: 70+ trust score (PDLSS-scoped, high-trust)
+ * - internal: same-org membership, regardless of score
  */
 type AccessLevel = 'none' | 'guidance' | 'read-only' | 'standard' | 'full' | 'internal';
 /**
  * Types of counterparties that can integrate the gateway
  */
-type CounterpartyType = 'agent' | 'api' | 'mcp_server' | 'website' | 'other';
+type CounterpartyType = 'agent' | 'api' | 'mcp_server' | 'website' | 'other' | 'unknown';
 /**
  * Agent credentials extracted from request
  */
@@ -40,13 +53,21 @@ interface AgentCredentials {
 interface GatewayConfig {
     /** AstraSync API base URL */
     apiBaseUrl: string;
-    /** API key for authenticating with AstraSync (optional for public endpoints) */
+    /** API key for authenticating with AstraSync. */
     apiKey?: string;
     /** Default access level for unverified requests */
     defaultAccessLevel?: AccessLevel;
-    /** Minimum trust score required for standard access */
+    /**
+     * @deprecated Removed in v2.3.0 — server is the single source of truth for
+     * access-level decisions. Setting this no longer affects access decisions
+     * (the SDK reads `access.accessLevel` from the verify-access response).
+     * If you need a higher gate for an endpoint, configure it server-side via
+     * the endpoint's `trust_score_requirement`.
+     */
     minTrustScore?: number;
-    /** Minimum trust score required for full access */
+    /**
+     * @deprecated Removed in v2.3.0 — see `minTrustScore` above.
+     */
     minTrustScoreForFull?: number;
     /** Cache verification results (TTL in seconds) */
     cacheTtl?: number;
@@ -58,6 +79,24 @@ interface GatewayConfig {
     counterpartyUrl?: string;
     /** This counterparty's type (sent with verify-access requests for analytics) */
     counterpartyType?: CounterpartyType;
+    /**
+     * This counterparty's ASTRAE-id (issued at endpoint registration). When set,
+     * the SDK forwards it on verify-access calls so the server attributes traffic
+     * directly to this endpoint rather than resolving by URL. Useful when:
+     *  - The merchant has multiple endpoints under the same origin (each running
+     *    its own SDK instance with its own counterpartyId)
+     *  - The endpoint URL might be served behind a proxy / different host than
+     *    the registered origin
+     */
+    counterpartyId?: string;
+    /**
+     * Disable the one-time init self-test. The SDK normally fires a HEAD/OPTIONS
+     * to `${apiBaseUrl}/agents/verify-access` on first verify() call and warns
+     * if the response is HTML (indicating apiBaseUrl is pointing at a marketing
+     * site rather than the API). Set true for tests or environments where the
+     * extra request is undesirable.
+     */
+    disableInitChecks?: boolean;
 }
 /**
  * Verified agent information
@@ -173,6 +212,26 @@ interface VerificationResult {
 /**
  * Request context for verification
  */
+/**
+ * Caller metadata forwarded from the agent's original HTTP request so the
+ * endpoint owner can see the real agent-side fingerprint in activity views.
+ * Without this, IP/UA recorded on platform_events would be the counterparty
+ * server's (useless for endpoint-side forensics).
+ */
+interface CallerMetadata {
+    /** Agent-side source IP (honours X-Forwarded-For if set). */
+    sourceIp?: string;
+    /** Agent's User-Agent header. */
+    userAgent?: string;
+    /** Referer header (where the agent navigated from, if applicable). */
+    referer?: string;
+    /** Host the agent called (this counterparty's public hostname). */
+    host?: string;
+    /** Raw X-Forwarded-For chain for audit. */
+    forwardedFor?: string;
+    /** Published agent card URL, if the agent advertised one (future: from agent headers). */
+    agentCardUrl?: string;
+}
 interface VerificationRequest {
     /** Agent credentials */
     credentials: AgentCredentials;
@@ -196,10 +255,17 @@ interface VerificationRequest {
     parentAgentId?: string;
     /** Depth of sub-agent chain */
     subAgentDepth?: number;
-    /** Client IP address */
+    /** Client IP address (deprecated — use callerMetadata.sourceIp) */
     clientIp?: string;
-    /** User agent string */
+    /** User agent string (deprecated — use callerMetadata.userAgent) */
     userAgent?: string;
+    /**
+     * Forwarded request metadata from the agent's original call.
+     * When the SDK is embedded in a counterparty server, these describe
+     * the agent-side fingerprint — not the counterparty server itself.
+     * The express/nextjs adapters auto-populate these from `req`.
+     */
+    callerMetadata?: CallerMetadata;
     /** Enable runtime challenge for this request */
     enableRuntimeChallenge?: boolean;
     /** Create a verification session (returns sessionId) */

package/dist/ui/index.d.mts

@@ -1,4 +1,4 @@
-import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-CxQwJKbd.mjs';
+import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-DOrqNMgy.mjs';
 
 /**
  * AstraSync Commerce Shield Component

package/dist/ui/index.d.ts

@@ -1,4 +1,4 @@
-import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-CxQwJKbd.js';
+import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-DOrqNMgy.js';
 
 /**
  * AstraSync Commerce Shield Component

package/dist/webhooks.d.mts

@@ -0,0 +1,59 @@
+/**
+ * AstraSync webhook signature verification.
+ *
+ * AstraSync signs every webhook delivery with HMAC-SHA256 over
+ * `${unix_timestamp}.${rawBody}` using the merchant's webhook secret
+ * (returned ONCE at endpoint registration). The signature is sent in
+ * the `X-AstraSync-Signature` header in the form:
+ *
+ *   X-AstraSync-Signature: t=<unix-ts>,v1=<hex-hmac>
+ *
+ * This pattern mirrors Stripe's `Stripe-Signature` to ease adoption.
+ *
+ * Usage:
+ *   import { verifyAstraSyncWebhook } from '@astrasyncai/verification-gateway/webhooks';
+ *
+ *   app.post('/webhooks/astrasync', express.raw({type:'application/json'}), (req, res) => {
+ *     const result = verifyAstraSyncWebhook(req.body.toString('utf8'), req.headers, secret);
+ *     if (!result.ok) return res.status(401).json({error: result.reason});
+ *     // ... process event
+ *   });
+ */
+interface VerifyWebhookOptions {
+    /**
+     * Maximum age (seconds) for the signature timestamp. Older deliveries
+     * are rejected as replays. Default 300 (5 minutes) — matches Stripe.
+     */
+    toleranceSeconds?: number;
+    /**
+     * Override "now" for tests. Defaults to Date.now().
+     */
+    nowMs?: number;
+}
+interface VerifyWebhookResult {
+    ok: boolean;
+    reason?: string;
+}
+/**
+ * Verify an AstraSync-issued webhook delivery.
+ *
+ * @param rawBody - The raw request body as a string (NOT the parsed JSON).
+ *                  Use `express.raw({type:'application/json'})` to preserve bytes.
+ * @param headers - Incoming request headers (case-insensitive).
+ * @param secret  - The merchant's webhook secret from endpoint registration.
+ * @param options - Optional tolerance overrides.
+ * @returns       - `{ok: true}` on success, `{ok: false, reason}` on failure.
+ */
+declare function verifyAstraSyncWebhook(rawBody: string, headers: Record<string, string | string[] | undefined>, secret: string, options?: VerifyWebhookOptions): VerifyWebhookResult;
+/**
+ * Server-side companion: produce an `X-AstraSync-Signature` header value for
+ * an outbound webhook delivery. Exposed for completeness and for test
+ * harnesses that want to verify the verifier; the AstraSync platform itself
+ * uses an internal version of the same logic.
+ */
+declare function signAstraSyncWebhook(rawBody: string, secret: string, nowMs?: number): {
+    header: string;
+    timestamp: number;
+};
+
+export { type VerifyWebhookOptions, type VerifyWebhookResult, signAstraSyncWebhook, verifyAstraSyncWebhook };

package/dist/webhooks.d.ts

@@ -0,0 +1,59 @@
+/**
+ * AstraSync webhook signature verification.
+ *
+ * AstraSync signs every webhook delivery with HMAC-SHA256 over
+ * `${unix_timestamp}.${rawBody}` using the merchant's webhook secret
+ * (returned ONCE at endpoint registration). The signature is sent in
+ * the `X-AstraSync-Signature` header in the form:
+ *
+ *   X-AstraSync-Signature: t=<unix-ts>,v1=<hex-hmac>
+ *
+ * This pattern mirrors Stripe's `Stripe-Signature` to ease adoption.
+ *
+ * Usage:
+ *   import { verifyAstraSyncWebhook } from '@astrasyncai/verification-gateway/webhooks';
+ *
+ *   app.post('/webhooks/astrasync', express.raw({type:'application/json'}), (req, res) => {
+ *     const result = verifyAstraSyncWebhook(req.body.toString('utf8'), req.headers, secret);
+ *     if (!result.ok) return res.status(401).json({error: result.reason});
+ *     // ... process event
+ *   });
+ */
+interface VerifyWebhookOptions {
+    /**
+     * Maximum age (seconds) for the signature timestamp. Older deliveries
+     * are rejected as replays. Default 300 (5 minutes) — matches Stripe.
+     */
+    toleranceSeconds?: number;
+    /**
+     * Override "now" for tests. Defaults to Date.now().
+     */
+    nowMs?: number;
+}
+interface VerifyWebhookResult {
+    ok: boolean;
+    reason?: string;
+}
+/**
+ * Verify an AstraSync-issued webhook delivery.
+ *
+ * @param rawBody - The raw request body as a string (NOT the parsed JSON).
+ *                  Use `express.raw({type:'application/json'})` to preserve bytes.
+ * @param headers - Incoming request headers (case-insensitive).
+ * @param secret  - The merchant's webhook secret from endpoint registration.
+ * @param options - Optional tolerance overrides.
+ * @returns       - `{ok: true}` on success, `{ok: false, reason}` on failure.
+ */
+declare function verifyAstraSyncWebhook(rawBody: string, headers: Record<string, string | string[] | undefined>, secret: string, options?: VerifyWebhookOptions): VerifyWebhookResult;
+/**
+ * Server-side companion: produce an `X-AstraSync-Signature` header value for
+ * an outbound webhook delivery. Exposed for completeness and for test
+ * harnesses that want to verify the verifier; the AstraSync platform itself
+ * uses an internal version of the same logic.
+ */
+declare function signAstraSyncWebhook(rawBody: string, secret: string, nowMs?: number): {
+    header: string;
+    timestamp: number;
+};
+
+export { type VerifyWebhookOptions, type VerifyWebhookResult, signAstraSyncWebhook, verifyAstraSyncWebhook };

package/dist/webhooks.js

@@ -0,0 +1,81 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/webhooks.ts
+var webhooks_exports = {};
+__export(webhooks_exports, {
+  signAstraSyncWebhook: () => signAstraSyncWebhook,
+  verifyAstraSyncWebhook: () => verifyAstraSyncWebhook
+});
+module.exports = __toCommonJS(webhooks_exports);
+var import_crypto = require("crypto");
+var DEFAULT_TOLERANCE_SECONDS = 300;
+function parseSignatureHeader(header) {
+  const parts = {};
+  for (const segment of header.split(",")) {
+    const [k, v] = segment.split("=");
+    if (k === "t" || k === "v1") parts[k] = v;
+  }
+  return parts;
+}
+function computeHmac(secret, signedPayload) {
+  return (0, import_crypto.createHmac)("sha256", secret).update(signedPayload, "utf8").digest("hex");
+}
+function constantTimeEquals(a, b) {
+  const aBuf = Buffer.from(a, "utf8");
+  const bBuf = Buffer.from(b, "utf8");
+  if (aBuf.length !== bBuf.length) return false;
+  return (0, import_crypto.timingSafeEqual)(aBuf, bBuf);
+}
+function verifyAstraSyncWebhook(rawBody, headers, secret, options = {}) {
+  if (!secret) return { ok: false, reason: "no_secret_provided" };
+  const rawHeader = headers["x-astrasync-signature"] ?? headers["X-Astrasync-Signature"] ?? headers["X-AstraSync-Signature"] ?? headers["X-ASTRASYNC-SIGNATURE"];
+  if (!rawHeader) return { ok: false, reason: "missing_signature_header" };
+  const headerValue = Array.isArray(rawHeader) ? rawHeader[0] : rawHeader;
+  const { t: timestamp, v1: receivedSignature } = parseSignatureHeader(headerValue);
+  if (!timestamp || !receivedSignature) {
+    return { ok: false, reason: "malformed_signature_header" };
+  }
+  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;
+  const now = options.nowMs ?? Date.now();
+  const tsSeconds = Number(timestamp);
+  if (!Number.isFinite(tsSeconds)) {
+    return { ok: false, reason: "invalid_timestamp" };
+  }
+  const ageSeconds = Math.abs(now / 1e3 - tsSeconds);
+  if (ageSeconds > tolerance) {
+    return { ok: false, reason: "timestamp_outside_tolerance" };
+  }
+  const expectedSignature = computeHmac(secret, `${timestamp}.${rawBody}`);
+  if (!constantTimeEquals(expectedSignature, receivedSignature)) {
+    return { ok: false, reason: "signature_mismatch" };
+  }
+  return { ok: true };
+}
+function signAstraSyncWebhook(rawBody, secret, nowMs = Date.now()) {
+  const timestamp = Math.floor(nowMs / 1e3);
+  const v1 = computeHmac(secret, `${timestamp}.${rawBody}`);
+  return { header: `t=${timestamp},v1=${v1}`, timestamp };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  signAstraSyncWebhook,
+  verifyAstraSyncWebhook
+});
+//# sourceMappingURL=webhooks.js.map

package/dist/webhooks.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/webhooks.ts"],"sourcesContent":["/**\n * AstraSync webhook signature verification.\n *\n * AstraSync signs every webhook delivery with HMAC-SHA256 over\n * `${unix_timestamp}.${rawBody}` using the merchant's webhook secret\n * (returned ONCE at endpoint registration). The signature is sent in\n * the `X-AstraSync-Signature` header in the form:\n *\n *   X-AstraSync-Signature: t=<unix-ts>,v1=<hex-hmac>\n *\n * This pattern mirrors Stripe's `Stripe-Signature` to ease adoption.\n *\n * Usage:\n *   import { verifyAstraSyncWebhook } from '@astrasyncai/verification-gateway/webhooks';\n *\n *   app.post('/webhooks/astrasync', express.raw({type:'application/json'}), (req, res) => {\n *     const result = verifyAstraSyncWebhook(req.body.toString('utf8'), req.headers, secret);\n *     if (!result.ok) return res.status(401).json({error: result.reason});\n *     // ... process event\n *   });\n */\n\nimport { createHmac, timingSafeEqual } from 'crypto';\n\nexport interface VerifyWebhookOptions {\n  /**\n   * Maximum age (seconds) for the signature timestamp. Older deliveries\n   * are rejected as replays. Default 300 (5 minutes) — matches Stripe.\n   */\n  toleranceSeconds?: number;\n  /**\n   * Override \"now\" for tests. Defaults to Date.now().\n   */\n  nowMs?: number;\n}\n\nexport interface VerifyWebhookResult {\n  ok: boolean;\n  reason?: string;\n}\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nfunction parseSignatureHeader(header: string): { t?: string; v1?: string } {\n  const parts: { t?: string; v1?: string } = {};\n  for (const segment of header.split(',')) {\n    const [k, v] = segment.split('=');\n    if (k === 't' || k === 'v1') parts[k] = v;\n  }\n  return parts;\n}\n\nfunction computeHmac(secret: string, signedPayload: string): string {\n  return createHmac('sha256', secret).update(signedPayload, 'utf8').digest('hex');\n}\n\nfunction constantTimeEquals(a: string, b: string): boolean {\n  const aBuf = Buffer.from(a, 'utf8');\n  const bBuf = Buffer.from(b, 'utf8');\n  if (aBuf.length !== bBuf.length) return false;\n  return timingSafeEqual(aBuf, bBuf);\n}\n\n/**\n * Verify an AstraSync-issued webhook delivery.\n *\n * @param rawBody - The raw request body as a string (NOT the parsed JSON).\n *                  Use `express.raw({type:'application/json'})` to preserve bytes.\n * @param headers - Incoming request headers (case-insensitive).\n * @param secret  - The merchant's webhook secret from endpoint registration.\n * @param options - Optional tolerance overrides.\n * @returns       - `{ok: true}` on success, `{ok: false, reason}` on failure.\n */\nexport function verifyAstraSyncWebhook(\n  rawBody: string,\n  headers: Record<string, string | string[] | undefined>,\n  secret: string,\n  options: VerifyWebhookOptions = {}\n): VerifyWebhookResult {\n  if (!secret) return { ok: false, reason: 'no_secret_provided' };\n\n  // Header lookup is case-insensitive — support common variants.\n  const rawHeader =\n    headers['x-astrasync-signature'] ??\n    headers['X-Astrasync-Signature'] ??\n    headers['X-AstraSync-Signature'] ??\n    headers['X-ASTRASYNC-SIGNATURE'];\n  if (!rawHeader) return { ok: false, reason: 'missing_signature_header' };\n\n  const headerValue = Array.isArray(rawHeader) ? rawHeader[0] : rawHeader;\n  const { t: timestamp, v1: receivedSignature } = parseSignatureHeader(headerValue);\n  if (!timestamp || !receivedSignature) {\n    return { ok: false, reason: 'malformed_signature_header' };\n  }\n\n  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;\n  const now = options.nowMs ?? Date.now();\n  const tsSeconds = Number(timestamp);\n  if (!Number.isFinite(tsSeconds)) {\n    return { ok: false, reason: 'invalid_timestamp' };\n  }\n  const ageSeconds = Math.abs(now / 1000 - tsSeconds);\n  if (ageSeconds > tolerance) {\n    return { ok: false, reason: 'timestamp_outside_tolerance' };\n  }\n\n  const expectedSignature = computeHmac(secret, `${timestamp}.${rawBody}`);\n  if (!constantTimeEquals(expectedSignature, receivedSignature)) {\n    return { ok: false, reason: 'signature_mismatch' };\n  }\n\n  return { ok: true };\n}\n\n/**\n * Server-side companion: produce an `X-AstraSync-Signature` header value for\n * an outbound webhook delivery. Exposed for completeness and for test\n * harnesses that want to verify the verifier; the AstraSync platform itself\n * uses an internal version of the same logic.\n */\nexport function signAstraSyncWebhook(\n  rawBody: string,\n  secret: string,\n  nowMs: number = Date.now()\n): { header: string; timestamp: number } {\n  const timestamp = Math.floor(nowMs / 1000);\n  const v1 = computeHmac(secret, `${timestamp}.${rawBody}`);\n  return { header: `t=${timestamp},v1=${v1}`, timestamp };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAsBA,oBAA4C;AAmB5C,IAAM,4BAA4B;AAElC,SAAS,qBAAqB,QAA6C;AACzE,QAAM,QAAqC,CAAC;AAC5C,aAAW,WAAW,OAAO,MAAM,GAAG,GAAG;AACvC,UAAM,CAAC,GAAG,CAAC,IAAI,QAAQ,MAAM,GAAG;AAChC,QAAI,MAAM,OAAO,MAAM,KAAM,OAAM,CAAC,IAAI;AAAA,EAC1C;AACA,SAAO;AACT;AAEA,SAAS,YAAY,QAAgB,eAA+B;AAClE,aAAO,0BAAW,UAAU,MAAM,EAAE,OAAO,eAAe,MAAM,EAAE,OAAO,KAAK;AAChF;AAEA,SAAS,mBAAmB,GAAW,GAAoB;AACzD,QAAM,OAAO,OAAO,KAAK,GAAG,MAAM;AAClC,QAAM,OAAO,OAAO,KAAK,GAAG,MAAM;AAClC,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AACxC,aAAO,+BAAgB,MAAM,IAAI;AACnC;AAYO,SAAS,uBACd,SACA,SACA,QACA,UAAgC,CAAC,GACZ;AACrB,MAAI,CAAC,OAAQ,QAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAG9D,QAAM,YACJ,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB;AACjC,MAAI,CAAC,UAAW,QAAO,EAAE,IAAI,OAAO,QAAQ,2BAA2B;AAEvE,QAAM,cAAc,MAAM,QAAQ,SAAS,IAAI,UAAU,CAAC,IAAI;AAC9D,QAAM,EAAE,GAAG,WAAW,IAAI,kBAAkB,IAAI,qBAAqB,WAAW;AAChF,MAAI,CAAC,aAAa,CAAC,mBAAmB;AACpC,WAAO,EAAE,IAAI,OAAO,QAAQ,6BAA6B;AAAA,EAC3D;AAEA,QAAM,YAAY,QAAQ,oBAAoB;AAC9C,QAAM,MAAM,QAAQ,SAAS,KAAK,IAAI;AACtC,QAAM,YAAY,OAAO,SAAS;AAClC,MAAI,CAAC,OAAO,SAAS,SAAS,GAAG;AAC/B,WAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AACA,QAAM,aAAa,KAAK,IAAI,MAAM,MAAO,SAAS;AAClD,MAAI,aAAa,WAAW;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,8BAA8B;AAAA,EAC5D;AAEA,QAAM,oBAAoB,YAAY,QAAQ,GAAG,SAAS,IAAI,OAAO,EAAE;AACvE,MAAI,CAAC,mBAAmB,mBAAmB,iBAAiB,GAAG;AAC7D,WAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAAA,EACnD;AAEA,SAAO,EAAE,IAAI,KAAK;AACpB;AAQO,SAAS,qBACd,SACA,QACA,QAAgB,KAAK,IAAI,GACc;AACvC,QAAM,YAAY,KAAK,MAAM,QAAQ,GAAI;AACzC,QAAM,KAAK,YAAY,QAAQ,GAAG,SAAS,IAAI,OAAO,EAAE;AACxD,SAAO,EAAE,QAAQ,KAAK,SAAS,OAAO,EAAE,IAAI,UAAU;AACxD;","names":[]}