@astrasyncai/verification-gateway 2.2.3 → 2.3.7

package/dist/index.mjs

@@ -334,10 +334,12 @@ async function verify(config, request) {
     return createGuidanceResponse(mergedConfig, apiResponse.error);
   }
   if (!apiResponse.access?.allowed) {
+    const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
       accessLevel: "guidance",
-      denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
@@ -372,14 +374,7 @@ async function verify(config, request) {
     verified: apiResponse.organization.verified,
     trustScore: apiResponse.organization.trustScore
   } : void 0;
-  const pdlss = apiResponse.access?.pdlss ? {
-    purposeAllowed: apiResponse.access.pdlss.purposeAllowed,
-    withinDuration: apiResponse.access.pdlss.withinDuration,
-    withinLimits: apiResponse.access.pdlss.withinLimits,
-    scopeAllowed: apiResponse.access.pdlss.scopeAllowed,
-    selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
-    appliedPolicy: apiResponse.access.appliedPolicy
-  } : void 0;
+  const verificationContext = apiResponse.verificationContext;
   const accessLevel = apiResponse.access?.accessLevel ?? "standard";
   const result = {
     verified: true,
@@ -387,7 +382,8 @@ async function verify(config, request) {
     agent,
     developer,
     organization,
-    pdlss,
+    appliedPolicy: apiResponse.access?.appliedPolicy,
+    verificationContext,
     requiresStepUp: apiResponse.access?.requiresStepUp,
     requiresApproval: apiResponse.access?.requiresApproval,
     verifiedAt: /* @__PURE__ */ new Date(),
@@ -437,6 +433,25 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
+async function fetchRoutes(config, counterpartyId) {
+  if (!counterpartyId) return null;
+  const headers = { "Content-Type": "application/json" };
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+    headers["X-API-Key"] = config.apiKey;
+  }
+  try {
+    const response = await fetch(
+      `${config.apiBaseUrl}/endpoints/${encodeURIComponent(counterpartyId)}/routes`,
+      { method: "GET", headers }
+    );
+    if (!response.ok) return null;
+    const body = await response.json();
+    return body.data?.routes ?? [];
+  } catch {
+    return null;
+  }
+}
 async function reportCounterpartyPreCheckFailure(config, data) {
   const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
   await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
@@ -462,9 +477,7 @@ async function quickVerify(config, credentials) {
 var express_exports = {};
 __export(express_exports, {
   createMiddleware: () => createMiddleware,
-  extractAstraSyncCredentials: () => extractAstraSyncCredentials,
-  requireAccess: () => requireAccess,
-  verifyOnly: () => verifyOnly
+  extractAstraSyncCredentials: () => extractAstraSyncCredentials
 });
 
 // src/transport/http.ts
@@ -637,24 +650,57 @@ function defaultOnDenied(result, _req, res) {
     }
   });
 }
+var DEFAULT_ROUTES_REFRESH_MS = 5 * 60 * 1e3;
 function createMiddleware(options) {
   const {
-    routes = [],
     extractCredentials: customExtractCredentials,
     extractPurpose: customExtractPurpose,
     skipPaths = [],
     onDenied = defaultOnDenied,
     recordDecisions,
     enableRuntimeChallenge = true,
+    routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,
     ...config
   } = options;
+  let cachedRoutes = [];
+  let lastFetchAt = 0;
+  let refreshing = null;
+  let warnedNoCounterparty = false;
+  async function refreshRoutes() {
+    if (!config.counterpartyId) {
+      if (!warnedNoCounterparty) {
+        console.warn(
+          "[VerificationGateway] No counterpartyId configured \u2014 falling through (allow all). Per-route policy lives in the AstraSync dashboard now; register the endpoint and set counterpartyId in your middleware config to enforce policy."
+        );
+        warnedNoCounterparty = true;
+      }
+      return;
+    }
+    const fetched = await fetchRoutes(config, config.counterpartyId);
+    if (fetched) {
+      cachedRoutes = fetched;
+      lastFetchAt = Date.now();
+    }
+  }
+  refreshing = refreshRoutes().finally(() => {
+    refreshing = null;
+  });
   return async (req, res, next) => {
     try {
       const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));
       if (shouldSkip) {
         return next();
       }
-      const routeConfig = findRouteConfig(routes, req.path, req.method);
+      if (refreshing) {
+        await refreshing.catch(() => {
+        });
+      }
+      if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {
+        refreshing = refreshRoutes().finally(() => {
+          refreshing = null;
+        });
+      }
+      const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);
       if (!routeConfig) {
         return next();
       }
@@ -749,18 +795,6 @@ function createMiddleware(options) {
     }
   };
 }
-function requireAccess(minAccessLevel, options) {
-  return createMiddleware({
-    ...options,
-    routes: [{ pattern: "*", method: "*", minAccessLevel }]
-  });
-}
-function verifyOnly(options) {
-  return createMiddleware({
-    ...options,
-    routes: [{ pattern: "*", method: "*", minAccessLevel: "none" }]
-  });
-}
 
 // src/adapters/nextjs.ts
 var nextjs_exports = {};
@@ -984,14 +1018,38 @@ function generateCommerceShieldHtml(result, options) {
 </html>
   `.trim();
 }
+var DEFAULT_ROUTES_REFRESH_MS2 = 5 * 60 * 1e3;
 function createMiddleware2(options) {
   const {
-    routes = [],
     skipPaths = [],
     showCommerceShield = true,
     enableRuntimeChallenge = true,
+    routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS2,
     ...config
   } = options;
+  let cachedRoutes = [];
+  let lastFetchAt = 0;
+  let refreshing = null;
+  let warnedNoCounterparty = false;
+  async function refreshRoutes() {
+    if (!config.counterpartyId) {
+      if (!warnedNoCounterparty) {
+        console.warn(
+          "[VerificationGateway/Next.js] No counterpartyId configured \u2014 falling through (allow all). Per-route policy lives in the AstraSync dashboard now; register the endpoint and set counterpartyId in your middleware config to enforce policy."
+        );
+        warnedNoCounterparty = true;
+      }
+      return;
+    }
+    const fetched = await fetchRoutes(config, config.counterpartyId);
+    if (fetched) {
+      cachedRoutes = fetched;
+      lastFetchAt = Date.now();
+    }
+  }
+  refreshing = refreshRoutes().finally(() => {
+    refreshing = null;
+  });
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -999,7 +1057,16 @@ function createMiddleware2(options) {
     if (shouldSkip) {
       return NextResponse.next();
     }
-    const routeConfig = findRouteConfig2(routes, pathname, request.method);
+    if (refreshing) {
+      await refreshing.catch(() => {
+      });
+    }
+    if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {
+      refreshing = refreshRoutes().finally(() => {
+        refreshing = null;
+      });
+    }
+    const routeConfig = findRouteConfig2(cachedRoutes, pathname, request.method);
     if (!routeConfig) {
       return NextResponse.next();
     }