@astrasyncai/verification-gateway 2.2.0 → 2.2.3

package/dist/index.mjs

@@ -127,14 +127,36 @@ function getCapabilities(accessLevel) {
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
-  apiBaseUrl: "https://api.astrasync.ai",
+  apiBaseUrl: "https://astrasync.ai/api",
   defaultAccessLevel: "guidance",
-  minTrustScore: 40,
-  minTrustScoreForFull: 70,
+  // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
   cacheTtl: 300,
   // 5 minutes
   debug: false
 };
+var initCheckPerformed = false;
+var deprecationWarningShown = false;
+async function performInitCheck(apiBaseUrl, debug) {
+  initCheckPerformed = true;
+  try {
+    const probeUrl = `${apiBaseUrl}/agents/verify-access`;
+    const response = await fetch(probeUrl, { method: "HEAD" });
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.startsWith("text/html")) {
+      console.warn(
+        `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
+      );
+    } else if (debug) {
+      console.log(
+        `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
+      );
+    }
+  } catch (err) {
+    if (debug) {
+      console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
+    }
+  }
+}
 var verificationCache = /* @__PURE__ */ new Map();
 function getCacheKey(credentials) {
   return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
@@ -162,7 +184,7 @@ function clearCache() {
 }
 function extractCredentials(headers, query) {
   const credentials = {};
-  const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"];
+  const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"] || headers["x-astra-agentid"] || headers["X-Astra-AgentId"] || headers["x-astra-agent-id"] || headers["X-Astra-Agent-Id"] || headers["X-ASTRA-AGENT-ID"];
   if (astraIdHeader) {
     credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;
   }
@@ -214,7 +236,7 @@ function createGuidanceResponse(config, reason) {
 async function callVerifyAccessAPI(config, request) {
   const { credentials, ...requestData } = request;
   const body = {
-    agentId: credentials.astraId,
+    ...credentials.astraId && { agentId: credentials.astraId },
     purpose: requestData.purpose || "general"
   };
   if (requestData.action) body.action = requestData.action;
@@ -232,6 +254,7 @@ async function callVerifyAccessAPI(config, request) {
   if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
   if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
   if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
+  if (config.counterpartyId) body.counterpartyId = config.counterpartyId;
   if (requestData.runtimeChallengeOptions)
     body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
   if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
@@ -278,8 +301,14 @@ async function callVerifyAccessAPI(config, request) {
 }
 async function verify(config, request) {
   const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-  if (!hasCredentials(request.credentials)) {
-    return createGuidanceResponse(mergedConfig, "No agent credentials provided");
+  if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
+    void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+  }
+  if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
+    deprecationWarningShown = true;
+    console.warn(
+      "[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
+    );
   }
   if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
     const cached = getCachedResult(request.credentials);
@@ -351,13 +380,7 @@ async function verify(config, request) {
     selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
     appliedPolicy: apiResponse.access.appliedPolicy
   } : void 0;
-  const trustScore = agent?.trustScore || 0;
-  const isOrgMember = false;
-  const accessLevel = determineAccessLevel(true, trustScore, isOrgMember, {
-    "read-only": 20,
-    standard: mergedConfig.minTrustScore || 40,
-    full: mergedConfig.minTrustScoreForFull || 70
-  });
+  const accessLevel = apiResponse.access?.accessLevel ?? "standard";
   const result = {
     verified: true,
     accessLevel,
@@ -414,15 +437,6 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
-async function reportUnregisteredAttempt(config, data) {
-  const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
-  await fetch(`${apiBaseUrl}/verification-activity/unregistered-attempt`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(data)
-  }).catch(() => {
-  });
-}
 async function reportCounterpartyPreCheckFailure(config, data) {
   const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
   await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
@@ -648,32 +662,6 @@ function createMiddleware(options) {
         return next();
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
-      if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
-        const counterpartyUrl2 = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
-        reportUnregisteredAttempt(config, {
-          counterpartyUrl: counterpartyUrl2,
-          counterpartyType: config.counterpartyType || "api",
-          sourceIp: req.ip,
-          userAgent: req.headers["user-agent"],
-          requestPath: req.path,
-          requestMethod: req.method
-        }).catch(() => {
-        });
-        const result2 = {
-          verified: false,
-          accessLevel: "none",
-          denialReasons: ["No agent credentials provided"],
-          guidance: {
-            message: "This endpoint requires agent verification. Please provide your ASTRA-ID.",
-            registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
-            documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
-          },
-          verifiedAt: /* @__PURE__ */ new Date()
-        };
-        req.agentVerification = result2;
-        onDenied(result2, req, res);
-        return;
-      }
       const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
       const astraCreds = extractAstraSyncCredentials(req);
       const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
@@ -1019,53 +1007,6 @@ function createMiddleware2(options) {
       return NextResponse.next();
     }
     const credentials = extractCredentialsFromNextRequest(request);
-    if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
-      const counterpartyUrl2 = config.counterpartyUrl || request.nextUrl.origin;
-      reportUnregisteredAttempt(config, {
-        counterpartyUrl: counterpartyUrl2,
-        counterpartyType: config.counterpartyType || "website",
-        sourceIp: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
-        userAgent: request.headers.get("user-agent") || void 0,
-        requestPath: pathname,
-        requestMethod: request.method
-      }).catch(() => {
-      });
-      const result2 = {
-        verified: false,
-        accessLevel: "none",
-        denialReasons: ["No agent credentials provided"],
-        guidance: {
-          message: "This page requires agent verification.",
-          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
-          documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
-        },
-        verifiedAt: /* @__PURE__ */ new Date()
-      };
-      if (pathname.startsWith("/api/")) {
-        return NextResponse.json(
-          {
-            success: false,
-            error: {
-              code: "UNAUTHORIZED",
-              message: "No agent credentials provided",
-              guidance: result2.guidance
-            }
-          },
-          { status: 401 }
-        );
-      }
-      if (showCommerceShield) {
-        return new NextResponse(generateCommerceShieldHtml(result2, options), {
-          status: 200,
-          headers: {
-            "Content-Type": "text/html",
-            "X-AstraSync-Verification": "commerce-shield"
-          }
-        });
-      }
-      const registerUrl = result2.guidance?.registrationUrl || "/register";
-      return NextResponse.redirect(new URL(registerUrl, request.url));
-    }
     const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
     const purpose = extractPurpose(request);
     const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);
@@ -3790,11 +3731,11 @@ var AgentClient = class _AgentClient {
   constructor(config) {
     this.credentials = {
       agentId: config.agentId,
-      verifyUrl: config.verifyUrl ?? "https://api.astrasync.ai/agents/verify-access",
+      verifyUrl: config.verifyUrl ?? "https://astrasync.ai/api/agents/verify-access",
       challengeUrl: config.challengeUrl,
       pdlss: config.pdlss
     };
-    this.apiBaseUrl = config.apiBaseUrl ?? "https://api.astrasync.ai";
+    this.apiBaseUrl = config.apiBaseUrl ?? "https://astrasync.ai/api";
     this.apiKey = config.apiKey;
   }
   /**