@astrasyncai/verification-gateway 2.2.0 → 2.3.4

package/dist/git-trigger/git-hooks.d.mts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.mjs';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-DE0ooQJ6.mjs';
-import '../types-CrVMq_Td.mjs';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-aN1UHhyy.mjs';
+import '../types-JMgPake9.mjs';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/git-trigger/git-hooks.d.ts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.js';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-rigu2bH3.js';
-import '../types-CrVMq_Td.js';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-osMd_dpT.js';
+import '../types-JMgPake9.js';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/{index-gM-lgX_X.d.ts → index--KzVRa32.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-CrVMq_Td.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-JMgPake9.js';
 import { JWK } from 'jose';
 
 /**

package/dist/{index-BMZdjGT4.d.mts → index-BZ85CeEr.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-CrVMq_Td.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-JMgPake9.mjs';
 
 /**
  * AgentClient — Credential Presentation
@@ -12,7 +12,7 @@ interface AgentClientConfig {
     verifyUrl?: string;
     challengeUrl?: string;
     pdlss?: AstraSyncCredentials['pdlss'];
-    /** Base URL for AstraSync API (used for ownership check). Defaults to api.astrasync.ai */
+    /** Base URL for AstraSync API (used for ownership check). Defaults to https://astrasync.ai/api */
     apiBaseUrl?: string;
     /** API key used to authenticate ownership check + other authenticated calls. */
     apiKey?: string;

package/dist/{index-Dm2xA6j1.d.ts → index-BzAFmemy.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-CrVMq_Td.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-JMgPake9.js';
 
 /**
  * AgentClient — Credential Presentation
@@ -12,7 +12,7 @@ interface AgentClientConfig {
     verifyUrl?: string;
     challengeUrl?: string;
     pdlss?: AstraSyncCredentials['pdlss'];
-    /** Base URL for AstraSync API (used for ownership check). Defaults to api.astrasync.ai */
+    /** Base URL for AstraSync API (used for ownership check). Defaults to https://astrasync.ai/api */
     apiBaseUrl?: string;
     /** API key used to authenticate ownership check + other authenticated calls. */
     apiKey?: string;

package/dist/{index-DlsYN3Et.d.mts → index-SEgnWzkf.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-CrVMq_Td.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-JMgPake9.mjs';
 import { JWK } from 'jose';
 
 /**

package/dist/index.d.mts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-CrVMq_Td.mjs';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-CrVMq_Td.mjs';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-7fa9H0qa.mjs';
-export { e as express } from './express-C9KqJNWV.mjs';
-export { n as nextjs } from './nextjs-BEqidT0U.mjs';
-export { i as transport } from './index-DlsYN3Et.mjs';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BMZdjGT4.mjs';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-JMgPake9.mjs';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-JMgPake9.mjs';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-CRSUFQH2.mjs';
+export { e as express } from './express-DtvJ6BGt.mjs';
+export { n as nextjs } from './nextjs-DZHAn9j-.mjs';
+export { i as transport } from './index-SEgnWzkf.mjs';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BZ85CeEr.mjs';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.d.ts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-CrVMq_Td.js';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-CrVMq_Td.js';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-CP9C9Qu0.js';
-export { e as express } from './express-DpwYW08E.js';
-export { n as nextjs } from './nextjs-yNzimC3a.js';
-export { i as transport } from './index-gM-lgX_X.js';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-Dm2xA6j1.js';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-JMgPake9.js';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-JMgPake9.js';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-BQ3olp3v.js';
+export { e as express } from './express-CraCA8_t.js';
+export { n as nextjs } from './nextjs-B8o9C0t6.js';
+export { i as transport } from './index--KzVRa32.js';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BzAFmemy.js';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.js

@@ -179,14 +179,36 @@ function getCapabilities(accessLevel) {
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
-  apiBaseUrl: "https://api.astrasync.ai",
+  apiBaseUrl: "https://astrasync.ai/api",
   defaultAccessLevel: "guidance",
-  minTrustScore: 40,
-  minTrustScoreForFull: 70,
+  // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
   cacheTtl: 300,
   // 5 minutes
   debug: false
 };
+var initCheckPerformed = false;
+var deprecationWarningShown = false;
+async function performInitCheck(apiBaseUrl, debug) {
+  initCheckPerformed = true;
+  try {
+    const probeUrl = `${apiBaseUrl}/agents/verify-access`;
+    const response = await fetch(probeUrl, { method: "HEAD" });
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.startsWith("text/html")) {
+      console.warn(
+        `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
+      );
+    } else if (debug) {
+      console.log(
+        `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
+      );
+    }
+  } catch (err) {
+    if (debug) {
+      console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
+    }
+  }
+}
 var verificationCache = /* @__PURE__ */ new Map();
 function getCacheKey(credentials) {
   return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
@@ -214,7 +236,7 @@ function clearCache() {
 }
 function extractCredentials(headers, query) {
   const credentials = {};
-  const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"];
+  const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"] || headers["x-astra-agentid"] || headers["X-Astra-AgentId"] || headers["x-astra-agent-id"] || headers["X-Astra-Agent-Id"] || headers["X-ASTRA-AGENT-ID"];
   if (astraIdHeader) {
     credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;
   }
@@ -266,7 +288,7 @@ function createGuidanceResponse(config, reason) {
 async function callVerifyAccessAPI(config, request) {
   const { credentials, ...requestData } = request;
   const body = {
-    agentId: credentials.astraId,
+    ...credentials.astraId && { agentId: credentials.astraId },
     purpose: requestData.purpose || "general"
   };
   if (requestData.action) body.action = requestData.action;
@@ -284,6 +306,7 @@ async function callVerifyAccessAPI(config, request) {
   if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
   if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
   if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
+  if (config.counterpartyId) body.counterpartyId = config.counterpartyId;
   if (requestData.runtimeChallengeOptions)
     body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
   if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
@@ -330,8 +353,14 @@ async function callVerifyAccessAPI(config, request) {
 }
 async function verify(config, request) {
   const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-  if (!hasCredentials(request.credentials)) {
-    return createGuidanceResponse(mergedConfig, "No agent credentials provided");
+  if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
+    void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+  }
+  if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
+    deprecationWarningShown = true;
+    console.warn(
+      "[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
+    );
   }
   if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
     const cached = getCachedResult(request.credentials);
@@ -395,28 +424,16 @@ async function verify(config, request) {
     verified: apiResponse.organization.verified,
     trustScore: apiResponse.organization.trustScore
   } : void 0;
-  const pdlss = apiResponse.access?.pdlss ? {
-    purposeAllowed: apiResponse.access.pdlss.purposeAllowed,
-    withinDuration: apiResponse.access.pdlss.withinDuration,
-    withinLimits: apiResponse.access.pdlss.withinLimits,
-    scopeAllowed: apiResponse.access.pdlss.scopeAllowed,
-    selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
-    appliedPolicy: apiResponse.access.appliedPolicy
-  } : void 0;
-  const trustScore = agent?.trustScore || 0;
-  const isOrgMember = false;
-  const accessLevel = determineAccessLevel(true, trustScore, isOrgMember, {
-    "read-only": 20,
-    standard: mergedConfig.minTrustScore || 40,
-    full: mergedConfig.minTrustScoreForFull || 70
-  });
+  const verificationContext = apiResponse.verificationContext;
+  const accessLevel = apiResponse.access?.accessLevel ?? "standard";
   const result = {
     verified: true,
     accessLevel,
     agent,
     developer,
     organization,
-    pdlss,
+    appliedPolicy: apiResponse.access?.appliedPolicy,
+    verificationContext,
     requiresStepUp: apiResponse.access?.requiresStepUp,
     requiresApproval: apiResponse.access?.requiresApproval,
     verifiedAt: /* @__PURE__ */ new Date(),
@@ -466,15 +483,6 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
-async function reportUnregisteredAttempt(config, data) {
-  const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
-  await fetch(`${apiBaseUrl}/verification-activity/unregistered-attempt`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify(data)
-  }).catch(() => {
-  });
-}
 async function reportCounterpartyPreCheckFailure(config, data) {
   const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
   await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
@@ -700,32 +708,6 @@ function createMiddleware(options) {
         return next();
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
-      if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
-        const counterpartyUrl2 = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
-        reportUnregisteredAttempt(config, {
-          counterpartyUrl: counterpartyUrl2,
-          counterpartyType: config.counterpartyType || "api",
-          sourceIp: req.ip,
-          userAgent: req.headers["user-agent"],
-          requestPath: req.path,
-          requestMethod: req.method
-        }).catch(() => {
-        });
-        const result2 = {
-          verified: false,
-          accessLevel: "none",
-          denialReasons: ["No agent credentials provided"],
-          guidance: {
-            message: "This endpoint requires agent verification. Please provide your ASTRA-ID.",
-            registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
-            documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
-          },
-          verifiedAt: /* @__PURE__ */ new Date()
-        };
-        req.agentVerification = result2;
-        onDenied(result2, req, res);
-        return;
-      }
       const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
       const astraCreds = extractAstraSyncCredentials(req);
       const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
@@ -1071,53 +1053,6 @@ function createMiddleware2(options) {
       return NextResponse.next();
     }
     const credentials = extractCredentialsFromNextRequest(request);
-    if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
-      const counterpartyUrl2 = config.counterpartyUrl || request.nextUrl.origin;
-      reportUnregisteredAttempt(config, {
-        counterpartyUrl: counterpartyUrl2,
-        counterpartyType: config.counterpartyType || "website",
-        sourceIp: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
-        userAgent: request.headers.get("user-agent") || void 0,
-        requestPath: pathname,
-        requestMethod: request.method
-      }).catch(() => {
-      });
-      const result2 = {
-        verified: false,
-        accessLevel: "none",
-        denialReasons: ["No agent credentials provided"],
-        guidance: {
-          message: "This page requires agent verification.",
-          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
-          documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
-        },
-        verifiedAt: /* @__PURE__ */ new Date()
-      };
-      if (pathname.startsWith("/api/")) {
-        return NextResponse.json(
-          {
-            success: false,
-            error: {
-              code: "UNAUTHORIZED",
-              message: "No agent credentials provided",
-              guidance: result2.guidance
-            }
-          },
-          { status: 401 }
-        );
-      }
-      if (showCommerceShield) {
-        return new NextResponse(generateCommerceShieldHtml(result2, options), {
-          status: 200,
-          headers: {
-            "Content-Type": "text/html",
-            "X-AstraSync-Verification": "commerce-shield"
-          }
-        });
-      }
-      const registerUrl = result2.guidance?.registrationUrl || "/register";
-      return NextResponse.redirect(new URL(registerUrl, request.url));
-    }
     const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
     const purpose = extractPurpose(request);
     const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);
@@ -3839,11 +3774,11 @@ var AgentClient = class _AgentClient {
   constructor(config) {
     this.credentials = {
       agentId: config.agentId,
-      verifyUrl: config.verifyUrl ?? "https://api.astrasync.ai/agents/verify-access",
+      verifyUrl: config.verifyUrl ?? "https://astrasync.ai/api/agents/verify-access",
       challengeUrl: config.challengeUrl,
       pdlss: config.pdlss
     };
-    this.apiBaseUrl = config.apiBaseUrl ?? "https://api.astrasync.ai";
+    this.apiBaseUrl = config.apiBaseUrl ?? "https://astrasync.ai/api";
     this.apiKey = config.apiKey;
   }
   /**