@astrasyncai/verification-gateway 2.2.0 → 2.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +64 -30
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +40 -89
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +40 -89
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +39 -109
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +39 -109
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +39 -53
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +39 -53
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/agent/index.js +2 -2
- package/dist/agent/index.js.map +1 -1
- package/dist/agent/index.mjs +2 -2
- package/dist/agent/index.mjs.map +1 -1
- package/dist/browser/background.js +39 -53
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +39 -53
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +39 -53
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +39 -53
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DpwYW08E.d.ts → express-CraCA8_t.d.ts} +2 -2
- package/dist/{express-C9KqJNWV.d.mts → express-DtvJ6BGt.d.mts} +2 -2
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +39 -53
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +39 -53
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-gM-lgX_X.d.ts → index--KzVRa32.d.ts} +1 -1
- package/dist/{index-BMZdjGT4.d.mts → index-BZ85CeEr.d.mts} +2 -2
- package/dist/{index-Dm2xA6j1.d.ts → index-BzAFmemy.d.ts} +2 -2
- package/dist/{index-DlsYN3Et.d.mts → index-SEgnWzkf.d.mts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +42 -107
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +42 -107
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-yNzimC3a.d.ts → nextjs-B8o9C0t6.d.ts} +1 -1
- package/dist/{nextjs-BEqidT0U.d.mts → nextjs-DZHAn9j-.d.mts} +1 -1
- package/dist/{sdk-CP9C9Qu0.d.ts → sdk-BQ3olp3v.d.ts} +2 -2
- package/dist/{sdk-7fa9H0qa.d.mts → sdk-CRSUFQH2.d.mts} +2 -2
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CrVMq_Td.d.mts → types-JMgPake9.d.mts} +135 -28
- package/dist/{types-CrVMq_Td.d.ts → types-JMgPake9.d.ts} +135 -28
- package/dist/{types-DE0ooQJ6.d.mts → types-aN1UHhyy.d.mts} +1 -1
- package/dist/{types-rigu2bH3.d.ts → types-osMd_dpT.d.ts} +1 -1
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/dist/webhooks.d.mts +59 -0
- package/dist/webhooks.d.ts +59 -0
- package/dist/webhooks.js +81 -0
- package/dist/webhooks.js.map +1 -0
- package/dist/webhooks.mjs +55 -0
- package/dist/webhooks.mjs.map +1 -0
- package/package.json +6 -1
|
@@ -3285,51 +3285,45 @@ var ACCESS_LEVEL_HIERARCHY = {
|
|
|
3285
3285
|
full: 4,
|
|
3286
3286
|
internal: 5
|
|
3287
3287
|
};
|
|
3288
|
-
var DEFAULT_TRUST_THRESHOLDS = {
|
|
3289
|
-
none: 0,
|
|
3290
|
-
guidance: 0,
|
|
3291
|
-
"read-only": 20,
|
|
3292
|
-
standard: 40,
|
|
3293
|
-
full: 70,
|
|
3294
|
-
internal: 0
|
|
3295
|
-
// Internal is based on org membership, not score
|
|
3296
|
-
};
|
|
3297
3288
|
function getTrustLevel(score) {
|
|
3298
3289
|
if (score >= 80) return "PLATINUM";
|
|
3299
3290
|
if (score >= 60) return "GOLD";
|
|
3300
3291
|
if (score >= 40) return "SILVER";
|
|
3301
3292
|
return "BRONZE";
|
|
3302
3293
|
}
|
|
3303
|
-
function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLDS) {
|
|
3304
|
-
if (trustScore >= thresholds.full) return "full";
|
|
3305
|
-
if (trustScore >= thresholds.standard) return "standard";
|
|
3306
|
-
if (trustScore >= thresholds["read-only"]) return "read-only";
|
|
3307
|
-
return "guidance";
|
|
3308
|
-
}
|
|
3309
|
-
function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
|
|
3310
|
-
if (!verified) {
|
|
3311
|
-
return "guidance";
|
|
3312
|
-
}
|
|
3313
|
-
if (isOrgMember) {
|
|
3314
|
-
return "internal";
|
|
3315
|
-
}
|
|
3316
|
-
const thresholds = {
|
|
3317
|
-
...DEFAULT_TRUST_THRESHOLDS,
|
|
3318
|
-
...customThresholds
|
|
3319
|
-
};
|
|
3320
|
-
return getAccessLevelForScore(trustScore, thresholds);
|
|
3321
|
-
}
|
|
3322
3294
|
|
|
3323
3295
|
// src/verify.ts
|
|
3324
3296
|
var DEFAULT_CONFIG = {
|
|
3325
|
-
apiBaseUrl: "https://
|
|
3297
|
+
apiBaseUrl: "https://astrasync.ai/api",
|
|
3326
3298
|
defaultAccessLevel: "guidance",
|
|
3327
|
-
minTrustScore
|
|
3328
|
-
minTrustScoreForFull: 70,
|
|
3299
|
+
// minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
|
|
3329
3300
|
cacheTtl: 300,
|
|
3330
3301
|
// 5 minutes
|
|
3331
3302
|
debug: false
|
|
3332
3303
|
};
|
|
3304
|
+
var initCheckPerformed = false;
|
|
3305
|
+
var deprecationWarningShown = false;
|
|
3306
|
+
async function performInitCheck(apiBaseUrl, debug) {
|
|
3307
|
+
initCheckPerformed = true;
|
|
3308
|
+
try {
|
|
3309
|
+
const probeUrl = `${apiBaseUrl}/agents/verify-access`;
|
|
3310
|
+
const response = await fetch(probeUrl, { method: "HEAD" });
|
|
3311
|
+
const contentType = response.headers.get("content-type") ?? "";
|
|
3312
|
+
if (contentType.startsWith("text/html")) {
|
|
3313
|
+
console.warn(
|
|
3314
|
+
`[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
|
|
3315
|
+
);
|
|
3316
|
+
} else if (debug) {
|
|
3317
|
+
console.log(
|
|
3318
|
+
`[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
|
|
3319
|
+
);
|
|
3320
|
+
}
|
|
3321
|
+
} catch (err) {
|
|
3322
|
+
if (debug) {
|
|
3323
|
+
console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
|
|
3324
|
+
}
|
|
3325
|
+
}
|
|
3326
|
+
}
|
|
3333
3327
|
var verificationCache = /* @__PURE__ */ new Map();
|
|
3334
3328
|
function getCacheKey(credentials) {
|
|
3335
3329
|
return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
|
|
@@ -3352,9 +3346,6 @@ function cacheResult(credentials, result, ttlSeconds) {
|
|
|
3352
3346
|
expiresAt: Date.now() + ttlSeconds * 1e3
|
|
3353
3347
|
});
|
|
3354
3348
|
}
|
|
3355
|
-
function hasCredentials(credentials) {
|
|
3356
|
-
return !!(credentials.astraId || credentials.apiKey || credentials.jwt);
|
|
3357
|
-
}
|
|
3358
3349
|
function createGuidanceResponse(config, reason) {
|
|
3359
3350
|
const guidance = {
|
|
3360
3351
|
message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
|
|
@@ -3378,7 +3369,7 @@ function createGuidanceResponse(config, reason) {
|
|
|
3378
3369
|
async function callVerifyAccessAPI(config, request) {
|
|
3379
3370
|
const { credentials, ...requestData } = request;
|
|
3380
3371
|
const body = {
|
|
3381
|
-
agentId: credentials.astraId,
|
|
3372
|
+
...credentials.astraId && { agentId: credentials.astraId },
|
|
3382
3373
|
purpose: requestData.purpose || "general"
|
|
3383
3374
|
};
|
|
3384
3375
|
if (requestData.action) body.action = requestData.action;
|
|
@@ -3396,6 +3387,7 @@ async function callVerifyAccessAPI(config, request) {
|
|
|
3396
3387
|
if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
|
|
3397
3388
|
if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
|
|
3398
3389
|
if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
|
|
3390
|
+
if (config.counterpartyId) body.counterpartyId = config.counterpartyId;
|
|
3399
3391
|
if (requestData.runtimeChallengeOptions)
|
|
3400
3392
|
body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
|
|
3401
3393
|
if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
|
|
@@ -3442,8 +3434,14 @@ async function callVerifyAccessAPI(config, request) {
|
|
|
3442
3434
|
}
|
|
3443
3435
|
async function verify(config, request) {
|
|
3444
3436
|
const mergedConfig = { ...DEFAULT_CONFIG, ...config };
|
|
3445
|
-
if (!
|
|
3446
|
-
|
|
3437
|
+
if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
|
|
3438
|
+
void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
|
|
3439
|
+
}
|
|
3440
|
+
if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
|
|
3441
|
+
deprecationWarningShown = true;
|
|
3442
|
+
console.warn(
|
|
3443
|
+
"[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
|
|
3444
|
+
);
|
|
3447
3445
|
}
|
|
3448
3446
|
if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
|
|
3449
3447
|
const cached = getCachedResult(request.credentials);
|
|
@@ -3507,28 +3505,16 @@ async function verify(config, request) {
|
|
|
3507
3505
|
verified: apiResponse.organization.verified,
|
|
3508
3506
|
trustScore: apiResponse.organization.trustScore
|
|
3509
3507
|
} : void 0;
|
|
3510
|
-
const
|
|
3511
|
-
|
|
3512
|
-
withinDuration: apiResponse.access.pdlss.withinDuration,
|
|
3513
|
-
withinLimits: apiResponse.access.pdlss.withinLimits,
|
|
3514
|
-
scopeAllowed: apiResponse.access.pdlss.scopeAllowed,
|
|
3515
|
-
selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
|
|
3516
|
-
appliedPolicy: apiResponse.access.appliedPolicy
|
|
3517
|
-
} : void 0;
|
|
3518
|
-
const trustScore = agent?.trustScore || 0;
|
|
3519
|
-
const isOrgMember = false;
|
|
3520
|
-
const accessLevel = determineAccessLevel(true, trustScore, isOrgMember, {
|
|
3521
|
-
"read-only": 20,
|
|
3522
|
-
standard: mergedConfig.minTrustScore || 40,
|
|
3523
|
-
full: mergedConfig.minTrustScoreForFull || 70
|
|
3524
|
-
});
|
|
3508
|
+
const verificationContext = apiResponse.verificationContext;
|
|
3509
|
+
const accessLevel = apiResponse.access?.accessLevel ?? "standard";
|
|
3525
3510
|
const result = {
|
|
3526
3511
|
verified: true,
|
|
3527
3512
|
accessLevel,
|
|
3528
3513
|
agent,
|
|
3529
3514
|
developer,
|
|
3530
3515
|
organization,
|
|
3531
|
-
|
|
3516
|
+
appliedPolicy: apiResponse.access?.appliedPolicy,
|
|
3517
|
+
verificationContext,
|
|
3532
3518
|
requiresStepUp: apiResponse.access?.requiresStepUp,
|
|
3533
3519
|
requiresApproval: apiResponse.access?.requiresApproval,
|
|
3534
3520
|
verifiedAt: /* @__PURE__ */ new Date(),
|