@astrasyncai/verification-gateway 2.3.4 → 2.3.7

package/dist/git-trigger/git-hooks.d.mts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.mjs';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-aN1UHhyy.mjs';
-import '../types-JMgPake9.mjs';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-DxY5zt4z.mjs';
+import '../types-Bxqj1sKY.mjs';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/git-trigger/git-hooks.d.ts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.js';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-osMd_dpT.js';
-import '../types-JMgPake9.js';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-BecRpozv.js';
+import '../types-Bxqj1sKY.js';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/{index-BZ85CeEr.d.mts → index-Bn_7eGjb.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-JMgPake9.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-Bxqj1sKY.mjs';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index--KzVRa32.d.ts → index-BtU9yFda.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-JMgPake9.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-Bxqj1sKY.js';
 import { JWK } from 'jose';
 
 /**

package/dist/{index-BzAFmemy.d.ts → index-EwUWXC5T.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-JMgPake9.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-Bxqj1sKY.js';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index-SEgnWzkf.d.mts → index-YNPs800Z.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-JMgPake9.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-Bxqj1sKY.mjs';
 import { JWK } from 'jose';
 
 /**

package/dist/index.d.mts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-JMgPake9.mjs';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-JMgPake9.mjs';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-CRSUFQH2.mjs';
-export { e as express } from './express-DtvJ6BGt.mjs';
-export { n as nextjs } from './nextjs-DZHAn9j-.mjs';
-export { i as transport } from './index-SEgnWzkf.mjs';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BZ85CeEr.mjs';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-Bxqj1sKY.mjs';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-Bxqj1sKY.mjs';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-BhkxvqnK.mjs';
+export { e as express } from './express-D9oRsseg.mjs';
+export { n as nextjs } from './nextjs-BLtjRbc-.mjs';
+export { i as transport } from './index-YNPs800Z.mjs';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-Bn_7eGjb.mjs';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.d.ts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-JMgPake9.js';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-JMgPake9.js';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-BQ3olp3v.js';
-export { e as express } from './express-CraCA8_t.js';
-export { n as nextjs } from './nextjs-B8o9C0t6.js';
-export { i as transport } from './index--KzVRa32.js';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BzAFmemy.js';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-Bxqj1sKY.js';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-Bxqj1sKY.js';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-YmE3RG8n.js';
+export { e as express } from './express-DMSIl20m.js';
+export { n as nextjs } from './nextjs-B5ZBpHra.js';
+export { i as transport } from './index-BtU9yFda.js';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-EwUWXC5T.js';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.js

@@ -386,10 +386,12 @@ async function verify(config, request) {
     return createGuidanceResponse(mergedConfig, apiResponse.error);
   }
   if (!apiResponse.access?.allowed) {
+    const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
       accessLevel: "guidance",
-      denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
@@ -483,6 +485,25 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
+async function fetchRoutes(config, counterpartyId) {
+  if (!counterpartyId) return null;
+  const headers = { "Content-Type": "application/json" };
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+    headers["X-API-Key"] = config.apiKey;
+  }
+  try {
+    const response = await fetch(
+      `${config.apiBaseUrl}/endpoints/${encodeURIComponent(counterpartyId)}/routes`,
+      { method: "GET", headers }
+    );
+    if (!response.ok) return null;
+    const body = await response.json();
+    return body.data?.routes ?? [];
+  } catch {
+    return null;
+  }
+}
 async function reportCounterpartyPreCheckFailure(config, data) {
   const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
   await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
@@ -508,9 +529,7 @@ async function quickVerify(config, credentials) {
 var express_exports = {};
 __export(express_exports, {
   createMiddleware: () => createMiddleware,
-  extractAstraSyncCredentials: () => extractAstraSyncCredentials,
-  requireAccess: () => requireAccess,
-  verifyOnly: () => verifyOnly
+  extractAstraSyncCredentials: () => extractAstraSyncCredentials
 });
 
 // src/transport/http.ts
@@ -683,24 +702,57 @@ function defaultOnDenied(result, _req, res) {
     }
   });
 }
+var DEFAULT_ROUTES_REFRESH_MS = 5 * 60 * 1e3;
 function createMiddleware(options) {
   const {
-    routes = [],
     extractCredentials: customExtractCredentials,
     extractPurpose: customExtractPurpose,
     skipPaths = [],
     onDenied = defaultOnDenied,
     recordDecisions,
     enableRuntimeChallenge = true,
+    routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,
     ...config
   } = options;
+  let cachedRoutes = [];
+  let lastFetchAt = 0;
+  let refreshing = null;
+  let warnedNoCounterparty = false;
+  async function refreshRoutes() {
+    if (!config.counterpartyId) {
+      if (!warnedNoCounterparty) {
+        console.warn(
+          "[VerificationGateway] No counterpartyId configured \u2014 falling through (allow all). Per-route policy lives in the AstraSync dashboard now; register the endpoint and set counterpartyId in your middleware config to enforce policy."
+        );
+        warnedNoCounterparty = true;
+      }
+      return;
+    }
+    const fetched = await fetchRoutes(config, config.counterpartyId);
+    if (fetched) {
+      cachedRoutes = fetched;
+      lastFetchAt = Date.now();
+    }
+  }
+  refreshing = refreshRoutes().finally(() => {
+    refreshing = null;
+  });
   return async (req, res, next) => {
     try {
       const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));
       if (shouldSkip) {
         return next();
       }
-      const routeConfig = findRouteConfig(routes, req.path, req.method);
+      if (refreshing) {
+        await refreshing.catch(() => {
+        });
+      }
+      if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {
+        refreshing = refreshRoutes().finally(() => {
+          refreshing = null;
+        });
+      }
+      const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);
       if (!routeConfig) {
         return next();
       }
@@ -795,18 +847,6 @@ function createMiddleware(options) {
     }
   };
 }
-function requireAccess(minAccessLevel, options) {
-  return createMiddleware({
-    ...options,
-    routes: [{ pattern: "*", method: "*", minAccessLevel }]
-  });
-}
-function verifyOnly(options) {
-  return createMiddleware({
-    ...options,
-    routes: [{ pattern: "*", method: "*", minAccessLevel: "none" }]
-  });
-}
 
 // src/adapters/nextjs.ts
 var nextjs_exports = {};
@@ -1030,14 +1070,38 @@ function generateCommerceShieldHtml(result, options) {
 </html>
   `.trim();
 }
+var DEFAULT_ROUTES_REFRESH_MS2 = 5 * 60 * 1e3;
 function createMiddleware2(options) {
   const {
-    routes = [],
     skipPaths = [],
     showCommerceShield = true,
     enableRuntimeChallenge = true,
+    routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS2,
     ...config
   } = options;
+  let cachedRoutes = [];
+  let lastFetchAt = 0;
+  let refreshing = null;
+  let warnedNoCounterparty = false;
+  async function refreshRoutes() {
+    if (!config.counterpartyId) {
+      if (!warnedNoCounterparty) {
+        console.warn(
+          "[VerificationGateway/Next.js] No counterpartyId configured \u2014 falling through (allow all). Per-route policy lives in the AstraSync dashboard now; register the endpoint and set counterpartyId in your middleware config to enforce policy."
+        );
+        warnedNoCounterparty = true;
+      }
+      return;
+    }
+    const fetched = await fetchRoutes(config, config.counterpartyId);
+    if (fetched) {
+      cachedRoutes = fetched;
+      lastFetchAt = Date.now();
+    }
+  }
+  refreshing = refreshRoutes().finally(() => {
+    refreshing = null;
+  });
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -1045,7 +1109,16 @@ function createMiddleware2(options) {
     if (shouldSkip) {
       return NextResponse.next();
     }
-    const routeConfig = findRouteConfig2(routes, pathname, request.method);
+    if (refreshing) {
+      await refreshing.catch(() => {
+      });
+    }
+    if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {
+      refreshing = refreshRoutes().finally(() => {
+        refreshing = null;
+      });
+    }
+    const routeConfig = findRouteConfig2(cachedRoutes, pathname, request.method);
     if (!routeConfig) {
       return NextResponse.next();
     }