@astrasyncai/verification-gateway 2.2.0 → 2.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +64 -30
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +40 -89
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +40 -89
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +39 -109
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +39 -109
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +39 -53
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +39 -53
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/agent/index.js +2 -2
- package/dist/agent/index.js.map +1 -1
- package/dist/agent/index.mjs +2 -2
- package/dist/agent/index.mjs.map +1 -1
- package/dist/browser/background.js +39 -53
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +39 -53
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +39 -53
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +39 -53
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DpwYW08E.d.ts → express-CraCA8_t.d.ts} +2 -2
- package/dist/{express-C9KqJNWV.d.mts → express-DtvJ6BGt.d.mts} +2 -2
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +39 -53
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +39 -53
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-gM-lgX_X.d.ts → index--KzVRa32.d.ts} +1 -1
- package/dist/{index-BMZdjGT4.d.mts → index-BZ85CeEr.d.mts} +2 -2
- package/dist/{index-Dm2xA6j1.d.ts → index-BzAFmemy.d.ts} +2 -2
- package/dist/{index-DlsYN3Et.d.mts → index-SEgnWzkf.d.mts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +42 -107
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +42 -107
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-yNzimC3a.d.ts → nextjs-B8o9C0t6.d.ts} +1 -1
- package/dist/{nextjs-BEqidT0U.d.mts → nextjs-DZHAn9j-.d.mts} +1 -1
- package/dist/{sdk-CP9C9Qu0.d.ts → sdk-BQ3olp3v.d.ts} +2 -2
- package/dist/{sdk-7fa9H0qa.d.mts → sdk-CRSUFQH2.d.mts} +2 -2
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CrVMq_Td.d.mts → types-JMgPake9.d.mts} +135 -28
- package/dist/{types-CrVMq_Td.d.ts → types-JMgPake9.d.ts} +135 -28
- package/dist/{types-DE0ooQJ6.d.mts → types-aN1UHhyy.d.mts} +1 -1
- package/dist/{types-rigu2bH3.d.ts → types-osMd_dpT.d.ts} +1 -1
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/dist/webhooks.d.mts +59 -0
- package/dist/webhooks.d.ts +59 -0
- package/dist/webhooks.js +81 -0
- package/dist/webhooks.js.map +1 -0
- package/dist/webhooks.mjs +55 -0
- package/dist/webhooks.mjs.map +1 -0
- package/package.json +6 -1
|
@@ -3287,51 +3287,45 @@ var ACCESS_LEVEL_HIERARCHY = {
|
|
|
3287
3287
|
full: 4,
|
|
3288
3288
|
internal: 5
|
|
3289
3289
|
};
|
|
3290
|
-
var DEFAULT_TRUST_THRESHOLDS = {
|
|
3291
|
-
none: 0,
|
|
3292
|
-
guidance: 0,
|
|
3293
|
-
"read-only": 20,
|
|
3294
|
-
standard: 40,
|
|
3295
|
-
full: 70,
|
|
3296
|
-
internal: 0
|
|
3297
|
-
// Internal is based on org membership, not score
|
|
3298
|
-
};
|
|
3299
3290
|
function getTrustLevel(score) {
|
|
3300
3291
|
if (score >= 80) return "PLATINUM";
|
|
3301
3292
|
if (score >= 60) return "GOLD";
|
|
3302
3293
|
if (score >= 40) return "SILVER";
|
|
3303
3294
|
return "BRONZE";
|
|
3304
3295
|
}
|
|
3305
|
-
function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLDS) {
|
|
3306
|
-
if (trustScore >= thresholds.full) return "full";
|
|
3307
|
-
if (trustScore >= thresholds.standard) return "standard";
|
|
3308
|
-
if (trustScore >= thresholds["read-only"]) return "read-only";
|
|
3309
|
-
return "guidance";
|
|
3310
|
-
}
|
|
3311
|
-
function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
|
|
3312
|
-
if (!verified) {
|
|
3313
|
-
return "guidance";
|
|
3314
|
-
}
|
|
3315
|
-
if (isOrgMember) {
|
|
3316
|
-
return "internal";
|
|
3317
|
-
}
|
|
3318
|
-
const thresholds = {
|
|
3319
|
-
...DEFAULT_TRUST_THRESHOLDS,
|
|
3320
|
-
...customThresholds
|
|
3321
|
-
};
|
|
3322
|
-
return getAccessLevelForScore(trustScore, thresholds);
|
|
3323
|
-
}
|
|
3324
3296
|
|
|
3325
3297
|
// src/verify.ts
|
|
3326
3298
|
var DEFAULT_CONFIG = {
|
|
3327
|
-
apiBaseUrl: "https://
|
|
3299
|
+
apiBaseUrl: "https://astrasync.ai/api",
|
|
3328
3300
|
defaultAccessLevel: "guidance",
|
|
3329
|
-
minTrustScore
|
|
3330
|
-
minTrustScoreForFull: 70,
|
|
3301
|
+
// minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
|
|
3331
3302
|
cacheTtl: 300,
|
|
3332
3303
|
// 5 minutes
|
|
3333
3304
|
debug: false
|
|
3334
3305
|
};
|
|
3306
|
+
var initCheckPerformed = false;
|
|
3307
|
+
var deprecationWarningShown = false;
|
|
3308
|
+
async function performInitCheck(apiBaseUrl, debug) {
|
|
3309
|
+
initCheckPerformed = true;
|
|
3310
|
+
try {
|
|
3311
|
+
const probeUrl = `${apiBaseUrl}/agents/verify-access`;
|
|
3312
|
+
const response = await fetch(probeUrl, { method: "HEAD" });
|
|
3313
|
+
const contentType = response.headers.get("content-type") ?? "";
|
|
3314
|
+
if (contentType.startsWith("text/html")) {
|
|
3315
|
+
console.warn(
|
|
3316
|
+
`[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
|
|
3317
|
+
);
|
|
3318
|
+
} else if (debug) {
|
|
3319
|
+
console.log(
|
|
3320
|
+
`[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
|
|
3321
|
+
);
|
|
3322
|
+
}
|
|
3323
|
+
} catch (err) {
|
|
3324
|
+
if (debug) {
|
|
3325
|
+
console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
|
|
3326
|
+
}
|
|
3327
|
+
}
|
|
3328
|
+
}
|
|
3335
3329
|
var verificationCache = /* @__PURE__ */ new Map();
|
|
3336
3330
|
function getCacheKey(credentials) {
|
|
3337
3331
|
return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
|
|
@@ -3354,9 +3348,6 @@ function cacheResult(credentials, result, ttlSeconds) {
|
|
|
3354
3348
|
expiresAt: Date.now() + ttlSeconds * 1e3
|
|
3355
3349
|
});
|
|
3356
3350
|
}
|
|
3357
|
-
function hasCredentials(credentials) {
|
|
3358
|
-
return !!(credentials.astraId || credentials.apiKey || credentials.jwt);
|
|
3359
|
-
}
|
|
3360
3351
|
function createGuidanceResponse(config, reason) {
|
|
3361
3352
|
const guidance = {
|
|
3362
3353
|
message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
|
|
@@ -3380,7 +3371,7 @@ function createGuidanceResponse(config, reason) {
|
|
|
3380
3371
|
async function callVerifyAccessAPI(config, request) {
|
|
3381
3372
|
const { credentials, ...requestData } = request;
|
|
3382
3373
|
const body = {
|
|
3383
|
-
agentId: credentials.astraId,
|
|
3374
|
+
...credentials.astraId && { agentId: credentials.astraId },
|
|
3384
3375
|
purpose: requestData.purpose || "general"
|
|
3385
3376
|
};
|
|
3386
3377
|
if (requestData.action) body.action = requestData.action;
|
|
@@ -3398,6 +3389,7 @@ async function callVerifyAccessAPI(config, request) {
|
|
|
3398
3389
|
if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;
|
|
3399
3390
|
if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
|
|
3400
3391
|
if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;
|
|
3392
|
+
if (config.counterpartyId) body.counterpartyId = config.counterpartyId;
|
|
3401
3393
|
if (requestData.runtimeChallengeOptions)
|
|
3402
3394
|
body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
|
|
3403
3395
|
if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
|
|
@@ -3444,8 +3436,14 @@ async function callVerifyAccessAPI(config, request) {
|
|
|
3444
3436
|
}
|
|
3445
3437
|
async function verify(config, request) {
|
|
3446
3438
|
const mergedConfig = { ...DEFAULT_CONFIG, ...config };
|
|
3447
|
-
if (!
|
|
3448
|
-
|
|
3439
|
+
if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
|
|
3440
|
+
void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
|
|
3441
|
+
}
|
|
3442
|
+
if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
|
|
3443
|
+
deprecationWarningShown = true;
|
|
3444
|
+
console.warn(
|
|
3445
|
+
"[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
|
|
3446
|
+
);
|
|
3449
3447
|
}
|
|
3450
3448
|
if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
|
|
3451
3449
|
const cached = getCachedResult(request.credentials);
|
|
@@ -3509,28 +3507,16 @@ async function verify(config, request) {
|
|
|
3509
3507
|
verified: apiResponse.organization.verified,
|
|
3510
3508
|
trustScore: apiResponse.organization.trustScore
|
|
3511
3509
|
} : void 0;
|
|
3512
|
-
const
|
|
3513
|
-
|
|
3514
|
-
withinDuration: apiResponse.access.pdlss.withinDuration,
|
|
3515
|
-
withinLimits: apiResponse.access.pdlss.withinLimits,
|
|
3516
|
-
scopeAllowed: apiResponse.access.pdlss.scopeAllowed,
|
|
3517
|
-
selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
|
|
3518
|
-
appliedPolicy: apiResponse.access.appliedPolicy
|
|
3519
|
-
} : void 0;
|
|
3520
|
-
const trustScore = agent?.trustScore || 0;
|
|
3521
|
-
const isOrgMember = false;
|
|
3522
|
-
const accessLevel = determineAccessLevel(true, trustScore, isOrgMember, {
|
|
3523
|
-
"read-only": 20,
|
|
3524
|
-
standard: mergedConfig.minTrustScore || 40,
|
|
3525
|
-
full: mergedConfig.minTrustScoreForFull || 70
|
|
3526
|
-
});
|
|
3510
|
+
const verificationContext = apiResponse.verificationContext;
|
|
3511
|
+
const accessLevel = apiResponse.access?.accessLevel ?? "standard";
|
|
3527
3512
|
const result = {
|
|
3528
3513
|
verified: true,
|
|
3529
3514
|
accessLevel,
|
|
3530
3515
|
agent,
|
|
3531
3516
|
developer,
|
|
3532
3517
|
organization,
|
|
3533
|
-
|
|
3518
|
+
appliedPolicy: apiResponse.access?.appliedPolicy,
|
|
3519
|
+
verificationContext,
|
|
3534
3520
|
requiresStepUp: apiResponse.access?.requiresStepUp,
|
|
3535
3521
|
requiresApproval: apiResponse.access?.requiresApproval,
|
|
3536
3522
|
verifiedAt: /* @__PURE__ */ new Date(),
|