@astrasyncai/verification-gateway 2.3.4 → 2.3.7

package/dist/{express-DtvJ6BGt.d.mts → express-D9oRsseg.d.mts}

@@ -1,5 +1,5 @@
 import { RequestHandler, Request } from 'express';
-import { V as VerificationResult, E as ExpressMiddlewareOptions, A as AstraSyncCredentials, a as AccessLevel } from './types-JMgPake9.mjs';
+import { V as VerificationResult, E as ExpressMiddlewareOptions, A as AstraSyncCredentials } from './types-Bxqj1sKY.mjs';
 
 /**
  * AstraSync Universal Verification Gateway - Express Middleware
@@ -41,24 +41,27 @@ declare global {
  */
 declare function extractAstraSyncCredentials(req: Request): AstraSyncCredentials | null;
 /**
- * Create Express middleware for agent verification
+ * Create Express middleware for agent verification.
+ *
+ * v2.9.7 moved per-route policy authority out of merchant-side source code
+ * into the AstraSync dashboard. `createMiddleware` no longer accepts a
+ * `routes` array — it fetches the endpoint's stored policy via
+ * `GET /endpoints/:counterpartyId/routes` on init and refreshes
+ * periodically. Policy edits in the dashboard take effect on the next
+ * refresh (or sooner if the operator manually restarts the SDK).
+ *
+ * `counterpartyId` is required: the SDK can't know which endpoint's policy
+ * to fetch without it. Local-development workflows that don't have an
+ * AstraSync endpoint registered can omit it — the middleware logs a
+ * one-time warning and falls through (allows all) until a policy is
+ * fetchable.
  */
 declare function createMiddleware(options: ExpressMiddlewareOptions): RequestHandler;
-/**
- * Create a middleware that requires a specific access level
- */
-declare function requireAccess(minAccessLevel: AccessLevel, options: ExpressMiddlewareOptions): RequestHandler;
-/**
- * Create a middleware that only verifies (doesn't block)
- */
-declare function verifyOnly(options: Omit<ExpressMiddlewareOptions, 'routes' | 'onDenied'>): RequestHandler;
 
 declare const express_createMiddleware: typeof createMiddleware;
 declare const express_extractAstraSyncCredentials: typeof extractAstraSyncCredentials;
-declare const express_requireAccess: typeof requireAccess;
-declare const express_verifyOnly: typeof verifyOnly;
 declare namespace express {
-  export { express_createMiddleware as createMiddleware, express_extractAstraSyncCredentials as extractAstraSyncCredentials, express_requireAccess as requireAccess, express_verifyOnly as verifyOnly };
+  export { express_createMiddleware as createMiddleware, express_extractAstraSyncCredentials as extractAstraSyncCredentials };
 }
 
-export { extractAstraSyncCredentials as a, createMiddleware as c, express as e, requireAccess as r, verifyOnly as v };
+export { extractAstraSyncCredentials as a, createMiddleware as c, express as e };

package/dist/{express-CraCA8_t.d.ts → express-DMSIl20m.d.ts}

@@ -1,5 +1,5 @@
 import { RequestHandler, Request } from 'express';
-import { V as VerificationResult, E as ExpressMiddlewareOptions, A as AstraSyncCredentials, a as AccessLevel } from './types-JMgPake9.js';
+import { V as VerificationResult, E as ExpressMiddlewareOptions, A as AstraSyncCredentials } from './types-Bxqj1sKY.js';
 
 /**
  * AstraSync Universal Verification Gateway - Express Middleware
@@ -41,24 +41,27 @@ declare global {
  */
 declare function extractAstraSyncCredentials(req: Request): AstraSyncCredentials | null;
 /**
- * Create Express middleware for agent verification
+ * Create Express middleware for agent verification.
+ *
+ * v2.9.7 moved per-route policy authority out of merchant-side source code
+ * into the AstraSync dashboard. `createMiddleware` no longer accepts a
+ * `routes` array — it fetches the endpoint's stored policy via
+ * `GET /endpoints/:counterpartyId/routes` on init and refreshes
+ * periodically. Policy edits in the dashboard take effect on the next
+ * refresh (or sooner if the operator manually restarts the SDK).
+ *
+ * `counterpartyId` is required: the SDK can't know which endpoint's policy
+ * to fetch without it. Local-development workflows that don't have an
+ * AstraSync endpoint registered can omit it — the middleware logs a
+ * one-time warning and falls through (allows all) until a policy is
+ * fetchable.
  */
 declare function createMiddleware(options: ExpressMiddlewareOptions): RequestHandler;
-/**
- * Create a middleware that requires a specific access level
- */
-declare function requireAccess(minAccessLevel: AccessLevel, options: ExpressMiddlewareOptions): RequestHandler;
-/**
- * Create a middleware that only verifies (doesn't block)
- */
-declare function verifyOnly(options: Omit<ExpressMiddlewareOptions, 'routes' | 'onDenied'>): RequestHandler;
 
 declare const express_createMiddleware: typeof createMiddleware;
 declare const express_extractAstraSyncCredentials: typeof extractAstraSyncCredentials;
-declare const express_requireAccess: typeof requireAccess;
-declare const express_verifyOnly: typeof verifyOnly;
 declare namespace express {
-  export { express_createMiddleware as createMiddleware, express_extractAstraSyncCredentials as extractAstraSyncCredentials, express_requireAccess as requireAccess, express_verifyOnly as verifyOnly };
+  export { express_createMiddleware as createMiddleware, express_extractAstraSyncCredentials as extractAstraSyncCredentials };
 }
 
-export { extractAstraSyncCredentials as a, createMiddleware as c, express as e, requireAccess as r, verifyOnly as v };
+export { extractAstraSyncCredentials as a, createMiddleware as c, express as e };

package/dist/gateway/gateway.d.mts

@@ -1,5 +1,5 @@
-import { b as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-aN1UHhyy.mjs';
-import '../types-JMgPake9.mjs';
+import { b as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-DxY5zt4z.mjs';
+import '../types-Bxqj1sKY.mjs';
 
 /**
  * AstraSyncGateway — Primary API surface for agent verification.

package/dist/gateway/gateway.d.ts

@@ -1,5 +1,5 @@
-import { b as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-osMd_dpT.js';
-import '../types-JMgPake9.js';
+import { b as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-BecRpozv.js';
+import '../types-Bxqj1sKY.js';
 
 /**
  * AstraSyncGateway — Primary API surface for agent verification.

package/dist/gateway/gateway.js

@@ -3229,10 +3229,12 @@ async function verify(config, request) {
     return createGuidanceResponse(mergedConfig, apiResponse.error);
   }
   if (!apiResponse.access?.allowed) {
+    const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
       accessLevel: "guidance",
-      denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
@@ -3314,6 +3316,12 @@ async function verify(config, request) {
   return result;
 }
 
+// src/adapters/express.ts
+var DEFAULT_ROUTES_REFRESH_MS = 5 * 60 * 1e3;
+
+// src/adapters/nextjs.ts
+var DEFAULT_ROUTES_REFRESH_MS2 = 5 * 60 * 1e3;
+
 // src/transport/rfc9421.ts
 var import_structured_headers = require("structured-headers");