@astrasyncai/verification-gateway 2.2.0 → 2.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +64 -30
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +40 -89
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +40 -89
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +39 -109
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +39 -109
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +39 -53
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +39 -53
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/agent/index.js +2 -2
- package/dist/agent/index.js.map +1 -1
- package/dist/agent/index.mjs +2 -2
- package/dist/agent/index.mjs.map +1 -1
- package/dist/browser/background.js +39 -53
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +39 -53
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +39 -53
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +39 -53
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DpwYW08E.d.ts → express-CraCA8_t.d.ts} +2 -2
- package/dist/{express-C9KqJNWV.d.mts → express-DtvJ6BGt.d.mts} +2 -2
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +39 -53
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +39 -53
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-gM-lgX_X.d.ts → index--KzVRa32.d.ts} +1 -1
- package/dist/{index-BMZdjGT4.d.mts → index-BZ85CeEr.d.mts} +2 -2
- package/dist/{index-Dm2xA6j1.d.ts → index-BzAFmemy.d.ts} +2 -2
- package/dist/{index-DlsYN3Et.d.mts → index-SEgnWzkf.d.mts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +42 -107
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +42 -107
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-yNzimC3a.d.ts → nextjs-B8o9C0t6.d.ts} +1 -1
- package/dist/{nextjs-BEqidT0U.d.mts → nextjs-DZHAn9j-.d.mts} +1 -1
- package/dist/{sdk-CP9C9Qu0.d.ts → sdk-BQ3olp3v.d.ts} +2 -2
- package/dist/{sdk-7fa9H0qa.d.mts → sdk-CRSUFQH2.d.mts} +2 -2
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CrVMq_Td.d.mts → types-JMgPake9.d.mts} +135 -28
- package/dist/{types-CrVMq_Td.d.ts → types-JMgPake9.d.ts} +135 -28
- package/dist/{types-DE0ooQJ6.d.mts → types-aN1UHhyy.d.mts} +1 -1
- package/dist/{types-rigu2bH3.d.ts → types-osMd_dpT.d.ts} +1 -1
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/dist/webhooks.d.mts +59 -0
- package/dist/webhooks.d.ts +59 -0
- package/dist/webhooks.js +81 -0
- package/dist/webhooks.js.map +1 -0
- package/dist/webhooks.mjs +55 -0
- package/dist/webhooks.mjs.map +1 -0
- package/package.json +6 -1
|
@@ -3264,51 +3264,45 @@ var ACCESS_LEVEL_HIERARCHY = {
|
|
|
3264
3264
|
full: 4,
|
|
3265
3265
|
internal: 5
|
|
3266
3266
|
};
|
|
3267
|
-
var DEFAULT_TRUST_THRESHOLDS = {
|
|
3268
|
-
none: 0,
|
|
3269
|
-
guidance: 0,
|
|
3270
|
-
"read-only": 20,
|
|
3271
|
-
standard: 40,
|
|
3272
|
-
full: 70,
|
|
3273
|
-
internal: 0
|
|
3274
|
-
// Internal is based on org membership, not score
|
|
3275
|
-
};
|
|
3276
3267
|
function getTrustLevel(score) {
|
|
3277
3268
|
if (score >= 80) return "PLATINUM";
|
|
3278
3269
|
if (score >= 60) return "GOLD";
|
|
3279
3270
|
if (score >= 40) return "SILVER";
|
|
3280
3271
|
return "BRONZE";
|
|
3281
3272
|
}
|
|
3282
|
-
function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLDS) {
|
|
3283
|
-
if (trustScore >= thresholds.full) return "full";
|
|
3284
|
-
if (trustScore >= thresholds.standard) return "standard";
|
|
3285
|
-
if (trustScore >= thresholds["read-only"]) return "read-only";
|
|
3286
|
-
return "guidance";
|
|
3287
|
-
}
|
|
3288
|
-
function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
|
|
3289
|
-
if (!verified) {
|
|
3290
|
-
return "guidance";
|
|
3291
|
-
}
|
|
3292
|
-
if (isOrgMember) {
|
|
3293
|
-
return "internal";
|
|
3294
|
-
}
|
|
3295
|
-
const thresholds = {
|
|
3296
|
-
...DEFAULT_TRUST_THRESHOLDS,
|
|
3297
|
-
...customThresholds
|
|
3298
|
-
};
|
|
3299
|
-
return getAccessLevelForScore(trustScore, thresholds);
|
|
3300
|
-
}
|
|
3301
3273
|
|
|
3302
3274
|
// src/verify.ts
|
|
3303
3275
|
var DEFAULT_CONFIG = {
|
|
3304
|
-
apiBaseUrl: "https://
|
|
3276
|
+
apiBaseUrl: "https://astrasync.ai/api",
|
|
3305
3277
|
defaultAccessLevel: "guidance",
|
|
3306
|
-
minTrustScore
|
|
3307
|
-
minTrustScoreForFull: 70,
|
|
3278
|
+
// minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
|
|
3308
3279
|
cacheTtl: 300,
|
|
3309
3280
|
// 5 minutes
|
|
3310
3281
|
debug: false
|
|
3311
3282
|
};
|
|
3283
|
+
var initCheckPerformed = false;
|
|
3284
|
+
var deprecationWarningShown = false;
|
|
3285
|
+
async function performInitCheck(apiBaseUrl, debug) {
|
|
3286
|
+
initCheckPerformed = true;
|
|
3287
|
+
try {
|
|
3288
|
+
const probeUrl = `${apiBaseUrl}/agents/verify-access`;
|
|
3289
|
+
const response = await fetch(probeUrl, { method: "HEAD" });
|
|
3290
|
+
const contentType = response.headers.get("content-type") ?? "";
|
|
3291
|
+
if (contentType.startsWith("text/html")) {
|
|
3292
|
+
console.warn(
|
|
3293
|
+
`[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
|
|
3294
|
+
);
|
|
3295
|
+
} else if (debug) {
|
|
3296
|
+
console.log(
|
|
3297
|
+
`[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
|
|
3298
|
+
);
|
|
3299
|
+
}
|
|
3300
|
+
} catch (err) {
|
|
3301
|
+
if (debug) {
|
|
3302
|
+
console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
|
|
3303
|
+
}
|
|
3304
|
+
}
|
|
3305
|
+
}
|
|
3312
3306
|
var verificationCache = /* @__PURE__ */ new Map();
|
|
3313
3307
|
function getCacheKey(credentials) {
|
|
3314
3308
|
return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
|
|
@@ -3331,9 +3325,6 @@ function cacheResult(credentials, result, ttlSeconds) {
|
|
|
3331
3325
|
expiresAt: Date.now() + ttlSeconds * 1e3
|
|
3332
3326
|
});
|
|
3333
3327
|
}
|
|
3334
|
-
function hasCredentials(credentials) {
|
|
3335
|
-
return !!(credentials.astraId || credentials.apiKey || credentials.jwt);
|
|
3336
|
-
}
|
|
3337
3328
|
function createGuidanceResponse(config, reason) {
|
|
3338
3329
|
const guidance = {
|
|
3339
3330
|
message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
|
|
@@ -3357,7 +3348,7 @@ function createGuidanceResponse(config, reason) {
|
|
|
3357
3348
|
async function callVerifyAccessAPI(config, request) {
|
|
3358
3349
|
const { credentials, ...requestData } = request;
|
|
3359
3350
|
const body = {
|
|
3360
|
-
agentId: credentials.astraId,
|
|
3351
|
+
...credentials.astraId && { agentId: credentials.astraId },
|
|
3361
3352
|
purpose: requestData.purpose || "general"
|
|
3362
3353
|
};
|
|
3363
3354
|
if (requestData.action) body.action = requestData.action;
|
|
@@ -3375,6 +3366,7 @@ async function callVerifyAccessAPI(config, request) {
|
|
|
3375
3366
|
if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
|
|
3376
3367
|
if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
|
|
3377
3368
|
if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
|
|
3369
|
+
if (config.counterpartyId) body.counterpartyId = config.counterpartyId;
|
|
3378
3370
|
if (requestData.runtimeChallengeOptions)
|
|
3379
3371
|
body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
|
|
3380
3372
|
if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
|
|
@@ -3421,8 +3413,14 @@ async function callVerifyAccessAPI(config, request) {
|
|
|
3421
3413
|
}
|
|
3422
3414
|
async function verify(config, request) {
|
|
3423
3415
|
const mergedConfig = { ...DEFAULT_CONFIG, ...config };
|
|
3424
|
-
if (!
|
|
3425
|
-
|
|
3416
|
+
if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
|
|
3417
|
+
void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
|
|
3418
|
+
}
|
|
3419
|
+
if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
|
|
3420
|
+
deprecationWarningShown = true;
|
|
3421
|
+
console.warn(
|
|
3422
|
+
"[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
|
|
3423
|
+
);
|
|
3426
3424
|
}
|
|
3427
3425
|
if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
|
|
3428
3426
|
const cached = getCachedResult(request.credentials);
|
|
@@ -3486,28 +3484,16 @@ async function verify(config, request) {
|
|
|
3486
3484
|
verified: apiResponse.organization.verified,
|
|
3487
3485
|
trustScore: apiResponse.organization.trustScore
|
|
3488
3486
|
} : void 0;
|
|
3489
|
-
const
|
|
3490
|
-
|
|
3491
|
-
withinDuration: apiResponse.access.pdlss.withinDuration,
|
|
3492
|
-
withinLimits: apiResponse.access.pdlss.withinLimits,
|
|
3493
|
-
scopeAllowed: apiResponse.access.pdlss.scopeAllowed,
|
|
3494
|
-
selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
|
|
3495
|
-
appliedPolicy: apiResponse.access.appliedPolicy
|
|
3496
|
-
} : void 0;
|
|
3497
|
-
const trustScore = agent?.trustScore || 0;
|
|
3498
|
-
const isOrgMember = false;
|
|
3499
|
-
const accessLevel = determineAccessLevel(true, trustScore, isOrgMember, {
|
|
3500
|
-
"read-only": 20,
|
|
3501
|
-
standard: mergedConfig.minTrustScore || 40,
|
|
3502
|
-
full: mergedConfig.minTrustScoreForFull || 70
|
|
3503
|
-
});
|
|
3487
|
+
const verificationContext = apiResponse.verificationContext;
|
|
3488
|
+
const accessLevel = apiResponse.access?.accessLevel ?? "standard";
|
|
3504
3489
|
const result = {
|
|
3505
3490
|
verified: true,
|
|
3506
3491
|
accessLevel,
|
|
3507
3492
|
agent,
|
|
3508
3493
|
developer,
|
|
3509
3494
|
organization,
|
|
3510
|
-
|
|
3495
|
+
appliedPolicy: apiResponse.access?.appliedPolicy,
|
|
3496
|
+
verificationContext,
|
|
3511
3497
|
requiresStepUp: apiResponse.access?.requiresStepUp,
|
|
3512
3498
|
requiresApproval: apiResponse.access?.requiresApproval,
|
|
3513
3499
|
verifiedAt: /* @__PURE__ */ new Date(),
|