@astrasyncai/verification-gateway 2.2.0 → 2.3.4

Files changed (84) hide show
  1. package/README.md +64 -30
  2. package/dist/adapter-interface/interface.d.mts +2 -2
  3. package/dist/adapter-interface/interface.d.ts +2 -2
  4. package/dist/adapters/express.d.mts +2 -2
  5. package/dist/adapters/express.d.ts +2 -2
  6. package/dist/adapters/express.js +40 -89
  7. package/dist/adapters/express.js.map +1 -1
  8. package/dist/adapters/express.mjs +40 -89
  9. package/dist/adapters/express.mjs.map +1 -1
  10. package/dist/adapters/nextjs.d.mts +2 -2
  11. package/dist/adapters/nextjs.d.ts +2 -2
  12. package/dist/adapters/nextjs.js +39 -109
  13. package/dist/adapters/nextjs.js.map +1 -1
  14. package/dist/adapters/nextjs.mjs +39 -109
  15. package/dist/adapters/nextjs.mjs.map +1 -1
  16. package/dist/adapters/sdk.d.mts +2 -2
  17. package/dist/adapters/sdk.d.ts +2 -2
  18. package/dist/adapters/sdk.js +39 -53
  19. package/dist/adapters/sdk.js.map +1 -1
  20. package/dist/adapters/sdk.mjs +39 -53
  21. package/dist/adapters/sdk.mjs.map +1 -1
  22. package/dist/agent/index.d.mts +2 -2
  23. package/dist/agent/index.d.ts +2 -2
  24. package/dist/agent/index.js +2 -2
  25. package/dist/agent/index.js.map +1 -1
  26. package/dist/agent/index.mjs +2 -2
  27. package/dist/agent/index.mjs.map +1 -1
  28. package/dist/browser/background.js +39 -53
  29. package/dist/browser/background.js.map +1 -1
  30. package/dist/browser/background.mjs +39 -53
  31. package/dist/browser/background.mjs.map +1 -1
  32. package/dist/browser/browser-adapter.d.mts +2 -2
  33. package/dist/browser/browser-adapter.d.ts +2 -2
  34. package/dist/cli/index.d.mts +2 -2
  35. package/dist/cli/index.d.ts +2 -2
  36. package/dist/cursor/cursor-adapter.d.mts +2 -2
  37. package/dist/cursor/cursor-adapter.d.ts +2 -2
  38. package/dist/cursor/extension.d.mts +2 -2
  39. package/dist/cursor/extension.d.ts +2 -2
  40. package/dist/cursor/extension.js +39 -53
  41. package/dist/cursor/extension.js.map +1 -1
  42. package/dist/cursor/extension.mjs +39 -53
  43. package/dist/cursor/extension.mjs.map +1 -1
  44. package/dist/{express-DpwYW08E.d.ts → express-CraCA8_t.d.ts} +2 -2
  45. package/dist/{express-C9KqJNWV.d.mts → express-DtvJ6BGt.d.mts} +2 -2
  46. package/dist/gateway/gateway.d.mts +2 -2
  47. package/dist/gateway/gateway.d.ts +2 -2
  48. package/dist/gateway/gateway.js +39 -53
  49. package/dist/gateway/gateway.js.map +1 -1
  50. package/dist/gateway/gateway.mjs +39 -53
  51. package/dist/gateway/gateway.mjs.map +1 -1
  52. package/dist/git-trigger/git-hooks.d.mts +2 -2
  53. package/dist/git-trigger/git-hooks.d.ts +2 -2
  54. package/dist/{index-gM-lgX_X.d.ts → index--KzVRa32.d.ts} +1 -1
  55. package/dist/{index-BMZdjGT4.d.mts → index-BZ85CeEr.d.mts} +2 -2
  56. package/dist/{index-Dm2xA6j1.d.ts → index-BzAFmemy.d.ts} +2 -2
  57. package/dist/{index-DlsYN3Et.d.mts → index-SEgnWzkf.d.mts} +1 -1
  58. package/dist/index.d.mts +7 -7
  59. package/dist/index.d.ts +7 -7
  60. package/dist/index.js +42 -107
  61. package/dist/index.js.map +1 -1
  62. package/dist/index.mjs +42 -107
  63. package/dist/index.mjs.map +1 -1
  64. package/dist/local-evaluator/evaluator.d.mts +2 -2
  65. package/dist/local-evaluator/evaluator.d.ts +2 -2
  66. package/dist/{nextjs-yNzimC3a.d.ts → nextjs-B8o9C0t6.d.ts} +1 -1
  67. package/dist/{nextjs-BEqidT0U.d.mts → nextjs-DZHAn9j-.d.mts} +1 -1
  68. package/dist/{sdk-CP9C9Qu0.d.ts → sdk-BQ3olp3v.d.ts} +2 -2
  69. package/dist/{sdk-7fa9H0qa.d.mts → sdk-CRSUFQH2.d.mts} +2 -2
  70. package/dist/transport/index.d.mts +2 -2
  71. package/dist/transport/index.d.ts +2 -2
  72. package/dist/{types-CrVMq_Td.d.mts → types-JMgPake9.d.mts} +135 -28
  73. package/dist/{types-CrVMq_Td.d.ts → types-JMgPake9.d.ts} +135 -28
  74. package/dist/{types-DE0ooQJ6.d.mts → types-aN1UHhyy.d.mts} +1 -1
  75. package/dist/{types-rigu2bH3.d.ts → types-osMd_dpT.d.ts} +1 -1
  76. package/dist/ui/index.d.mts +1 -1
  77. package/dist/ui/index.d.ts +1 -1
  78. package/dist/webhooks.d.mts +59 -0
  79. package/dist/webhooks.d.ts +59 -0
  80. package/dist/webhooks.js +81 -0
  81. package/dist/webhooks.js.map +1 -0
  82. package/dist/webhooks.mjs +55 -0
  83. package/dist/webhooks.mjs.map +1 -0
  84. package/package.json +6 -1
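--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -127,14 +127,36 @@ function getCapabilities(accessLevel) {
 
  // src/verify.ts
  var DEFAULT_CONFIG = {
- apiBaseUrl: "https://api.astrasync.ai",
+ apiBaseUrl: "https://astrasync.ai/api",
  defaultAccessLevel: "guidance",
- minTrustScore: 40,
- minTrustScoreForFull: 70,
+ // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
  cacheTtl: 300,
  // 5 minutes
  debug: false
  };
+ var initCheckPerformed = false;
+ var deprecationWarningShown = false;
+ async function performInitCheck(apiBaseUrl, debug) {
+ initCheckPerformed = true;
+ try {
+ const probeUrl = `${apiBaseUrl}/agents/verify-access`;
+ const response = await fetch(probeUrl, { method: "HEAD" });
+ const contentType = response.headers.get("content-type") ?? "";
+ if (contentType.startsWith("text/html")) {
+ console.warn(
+ `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
+ );
+ } else if (debug) {
+ console.log(
+ `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
+ );
+ }
+ } catch (err) {
+ if (debug) {
+ console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
+ }
+ }
+ }
  var verificationCache = /* @__PURE__ */ new Map();
  function getCacheKey(credentials) {
  return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
@@ -162,7 +184,7 @@ function clearCache() {
  }
  function extractCredentials(headers, query) {
  const credentials = {};
- const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"];
+ const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"] || headers["x-astra-agentid"] || headers["X-Astra-AgentId"] || headers["x-astra-agent-id"] || headers["X-Astra-Agent-Id"] || headers["X-ASTRA-AGENT-ID"];
  if (astraIdHeader) {
  credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;
  }
@@ -214,7 +236,7 @@ function createGuidanceResponse(config, reason) {
  async function callVerifyAccessAPI(config, request) {
  const { credentials, ...requestData } = request;
  const body = {
- agentId: credentials.astraId,
+ ...credentials.astraId && { agentId: credentials.astraId },
  purpose: requestData.purpose || "general"
  };
  if (requestData.action) body.action = requestData.action;
@@ -232,6 +254,7 @@ async function callVerifyAccessAPI(config, request) {
  if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
  if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
  if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
+ if (config.counterpartyId) body.counterpartyId = config.counterpartyId;
  if (requestData.runtimeChallengeOptions)
  body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
  if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
@@ -278,8 +301,14 @@ async function callVerifyAccessAPI(config, request) {
  }
  async function verify(config, request) {
  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
- if (!hasCredentials(request.credentials)) {
- return createGuidanceResponse(mergedConfig, "No agent credentials provided");
+ if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
+ void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+ }
+ if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
+ deprecationWarningShown = true;
+ console.warn(
+ "[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
+ );
  }
  if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
  const cached = getCachedResult(request.credentials);
@@ -343,28 +372,16 @@ async function verify(config, request) {
  verified: apiResponse.organization.verified,
  trustScore: apiResponse.organization.trustScore
  } : void 0;
- const pdlss = apiResponse.access?.pdlss ? {
- purposeAllowed: apiResponse.access.pdlss.purposeAllowed,
- withinDuration: apiResponse.access.pdlss.withinDuration,
- withinLimits: apiResponse.access.pdlss.withinLimits,
- scopeAllowed: apiResponse.access.pdlss.scopeAllowed,
- selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
- appliedPolicy: apiResponse.access.appliedPolicy
- } : void 0;
- const trustScore = agent?.trustScore || 0;
- const isOrgMember = false;
- const accessLevel = determineAccessLevel(true, trustScore, isOrgMember, {
- "read-only": 20,
- standard: mergedConfig.minTrustScore || 40,
- full: mergedConfig.minTrustScoreForFull || 70
- });
+ const verificationContext = apiResponse.verificationContext;
+ const accessLevel = apiResponse.access?.accessLevel ?? "standard";
  const result = {
  verified: true,
  accessLevel,
  agent,
  developer,
  organization,
- pdlss,
+ appliedPolicy: apiResponse.access?.appliedPolicy,
+ verificationContext,
  requiresStepUp: apiResponse.access?.requiresStepUp,
  requiresApproval: apiResponse.access?.requiresApproval,
  verifiedAt: /* @__PURE__ */ new Date(),
@@ -414,15 +431,6 @@ async function recordDecision(config, sessionId, decision, reason) {
  }).catch(() => {
  });
  }
- async function reportUnregisteredAttempt(config, data) {
- const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
- await fetch(`${apiBaseUrl}/verification-activity/unregistered-attempt`, {
- method: "POST",
- headers: { "Content-Type": "application/json" },
- body: JSON.stringify(data)
- }).catch(() => {
- });
- }
  async function reportCounterpartyPreCheckFailure(config, data) {
  const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
  await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
@@ -648,32 +656,6 @@ function createMiddleware(options) {
  return next();
  }
  const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
- if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
- const counterpartyUrl2 = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
- reportUnregisteredAttempt(config, {
- counterpartyUrl: counterpartyUrl2,
- counterpartyType: config.counterpartyType || "api",
- sourceIp: req.ip,
- userAgent: req.headers["user-agent"],
- requestPath: req.path,
- requestMethod: req.method
- }).catch(() => {
- });
- const result2 = {
- verified: false,
- accessLevel: "none",
- denialReasons: ["No agent credentials provided"],
- guidance: {
- message: "This endpoint requires agent verification. Please provide your ASTRA-ID.",
- registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
- documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
- },
- verifiedAt: /* @__PURE__ */ new Date()
- };
- req.agentVerification = result2;
- onDenied(result2, req, res);
- return;
- }
  const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
  const astraCreds = extractAstraSyncCredentials(req);
  const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
@@ -1019,53 +1001,6 @@ function createMiddleware2(options) {
  return NextResponse.next();
  }
  const credentials = extractCredentialsFromNextRequest(request);
- if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
- const counterpartyUrl2 = config.counterpartyUrl || request.nextUrl.origin;
- reportUnregisteredAttempt(config, {
- counterpartyUrl: counterpartyUrl2,
- counterpartyType: config.counterpartyType || "website",
- sourceIp: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || void 0,
- userAgent: request.headers.get("user-agent") || void 0,
- requestPath: pathname,
- requestMethod: request.method
- }).catch(() => {
- });
- const result2 = {
- verified: false,
- accessLevel: "none",
- denialReasons: ["No agent credentials provided"],
- guidance: {
- message: "This page requires agent verification.",
- registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
- documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
- },
- verifiedAt: /* @__PURE__ */ new Date()
- };
- if (pathname.startsWith("/api/")) {
- return NextResponse.json(
- {
- success: false,
- error: {
- code: "UNAUTHORIZED",
- message: "No agent credentials provided",
- guidance: result2.guidance
- }
- },
- { status: 401 }
- );
- }
- if (showCommerceShield) {
- return new NextResponse(generateCommerceShieldHtml(result2, options), {
- status: 200,
- headers: {
- "Content-Type": "text/html",
- "X-AstraSync-Verification": "commerce-shield"
- }
- });
- }
- const registerUrl = result2.guidance?.registrationUrl || "/register";
- return NextResponse.redirect(new URL(registerUrl, request.url));
- }
  const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
  const purpose = extractPurpose(request);
  const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);
@@ -3790,11 +3725,11 @@ var AgentClient = class _AgentClient {
  constructor(config) {
  this.credentials = {
  agentId: config.agentId,
- verifyUrl: config.verifyUrl ?? "https://api.astrasync.ai/agents/verify-access",
+ verifyUrl: config.verifyUrl ?? "https://astrasync.ai/api/agents/verify-access",
  challengeUrl: config.challengeUrl,
  pdlss: config.pdlss
  };
- this.apiBaseUrl = config.apiBaseUrl ?? "https://api.astrasync.ai";
+ this.apiBaseUrl = config.apiBaseUrl ?? "https://astrasync.ai/api";
  this.apiKey = config.apiKey;
  }
  /**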
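Review bot: In the `@@ -343,28 +372,16 @@` hunk of `verify`, `apiResponse.access?.accessLevel ?? "standard"` fails open: a response with no `access` object or no `accessLevel` field is treated as "standard" access, and the value is copied into the result without being checked against the known access levels. This commit also removes the client-side trust-score thresholds, so the server response is now the only gate. A missing or malformed field should therefore fall back to the least-privileged level, for example `const accessLevel = apiResponse.access?.accessLevel ?? mergedConfig.defaultAccessLevel;`, which is "guidance" in `DEFAULT_CONFIG`. The body of `verify` starts and ends outside this hunk, so whether a later check narrows the level cannot be seen from here.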