@astrasyncai/verification-gateway 2.3.4 → 2.3.8

package/dist/git-trigger/git-hooks.d.mts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.mjs';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-aN1UHhyy.mjs';
-import '../types-JMgPake9.mjs';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-z-QVnG4b.mjs';
+import '../types-D_tmbDA_.mjs';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/git-trigger/git-hooks.d.ts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.js';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-osMd_dpT.js';
-import '../types-JMgPake9.js';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-Bzp1SMaD.js';
+import '../types-D_tmbDA_.js';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/{index-SEgnWzkf.d.mts → index-BHXa2WTO.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-JMgPake9.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-D_tmbDA_.mjs';
 import { JWK } from 'jose';
 
 /**

package/dist/{index-BZ85CeEr.d.mts → index-CK4lNLVn.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-JMgPake9.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-D_tmbDA_.mjs';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index--KzVRa32.d.ts → index-CSMpOcxV.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-JMgPake9.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-D_tmbDA_.js';
 import { JWK } from 'jose';
 
 /**

package/dist/{index-BzAFmemy.d.ts → index-DN3ztP2d.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-JMgPake9.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-D_tmbDA_.js';
 
 /**
  * AgentClient — Credential Presentation

package/dist/index.d.mts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-JMgPake9.mjs';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-JMgPake9.mjs';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-CRSUFQH2.mjs';
-export { e as express } from './express-DtvJ6BGt.mjs';
-export { n as nextjs } from './nextjs-DZHAn9j-.mjs';
-export { i as transport } from './index-SEgnWzkf.mjs';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BZ85CeEr.mjs';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-D_tmbDA_.mjs';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-D_tmbDA_.mjs';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-CDdD7EcJ.mjs';
+export { e as express } from './express-BNWqDVIz.mjs';
+export { n as nextjs } from './nextjs-Bzdfu8Eg.mjs';
+export { i as transport } from './index-BHXa2WTO.mjs';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-CK4lNLVn.mjs';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.d.ts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-JMgPake9.js';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-JMgPake9.js';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-BQ3olp3v.js';
-export { e as express } from './express-CraCA8_t.js';
-export { n as nextjs } from './nextjs-B8o9C0t6.js';
-export { i as transport } from './index--KzVRa32.js';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BzAFmemy.js';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-D_tmbDA_.js';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-D_tmbDA_.js';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-Tzsn6s-O.js';
+export { e as express } from './express-BYup_4Jg.js';
+export { n as nextjs } from './nextjs-C4h_MpgK.js';
+export { i as transport } from './index-CSMpOcxV.js';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DN3ztP2d.js';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.js

@@ -336,6 +336,23 @@ async function callVerifyAccessAPI(config, request) {
       body: JSON.stringify(body)
     });
     const data = await response.json();
+    if (response.status === 410) {
+      return {
+        success: true,
+        access: {
+          allowed: false,
+          accessLevel: "none",
+          reason: "endpoint_deactivated",
+          failures: [
+            {
+              dimension: "endpoint.deactivated",
+              message: typeof data?.message === "string" ? data.message : "Endpoint has been deactivated",
+              guidance: typeof data?.guidance === "string" ? data.guidance : "Reactivate via POST /api/endpoints/{id}/reactivate, or update the URL on the calling agent."
+            }
+          ]
+        }
+      };
+    }
     if (!response.ok) {
       return {
         success: false,
@@ -386,10 +403,12 @@ async function verify(config, request) {
     return createGuidanceResponse(mergedConfig, apiResponse.error);
   }
   if (!apiResponse.access?.allowed) {
+    const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
       accessLevel: "guidance",
-      denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
@@ -443,7 +462,8 @@ async function verify(config, request) {
     runtimeChallenge: apiResponse.runtimeChallenge,
     tokenGuidance: apiResponse.tokenGuidance,
     recommendation: apiResponse.recommendation,
-    recommendationReasons: apiResponse.recommendationReasons
+    recommendationReasons: apiResponse.recommendationReasons,
+    warningHeader: apiResponse.warningHeader
   };
   if (result.recommendation === "deny") {
     result.verified = false;
@@ -483,6 +503,25 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
+async function fetchRoutes(config, counterpartyId) {
+  if (!counterpartyId) return null;
+  const headers = { "Content-Type": "application/json" };
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+    headers["X-API-Key"] = config.apiKey;
+  }
+  try {
+    const response = await fetch(
+      `${config.apiBaseUrl}/endpoints/${encodeURIComponent(counterpartyId)}/routes`,
+      { method: "GET", headers }
+    );
+    if (!response.ok) return null;
+    const body = await response.json();
+    return body.data?.routes ?? [];
+  } catch {
+    return null;
+  }
+}
 async function reportCounterpartyPreCheckFailure(config, data) {
   const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
   await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
@@ -508,9 +547,7 @@ async function quickVerify(config, credentials) {
 var express_exports = {};
 __export(express_exports, {
   createMiddleware: () => createMiddleware,
-  extractAstraSyncCredentials: () => extractAstraSyncCredentials,
-  requireAccess: () => requireAccess,
-  verifyOnly: () => verifyOnly
+  extractAstraSyncCredentials: () => extractAstraSyncCredentials
 });
 
 // src/transport/http.ts
@@ -683,28 +720,80 @@ function defaultOnDenied(result, _req, res) {
     }
   });
 }
+var DEFAULT_ROUTES_REFRESH_MS = 5 * 60 * 1e3;
 function createMiddleware(options) {
   const {
-    routes = [],
     extractCredentials: customExtractCredentials,
     extractPurpose: customExtractPurpose,
     skipPaths = [],
     onDenied = defaultOnDenied,
     recordDecisions,
     enableRuntimeChallenge = true,
+    routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,
     ...config
   } = options;
+  let cachedRoutes = [];
+  let lastFetchAt = 0;
+  let refreshing = null;
+  let warnedNoCounterparty = false;
+  let warnedEmptyRoutes = false;
+  async function refreshRoutes() {
+    if (!config.counterpartyId) {
+      if (!warnedNoCounterparty) {
+        console.warn(
+          "[VerificationGateway] No counterpartyId configured \u2014 falling through (allow all). Per-route policy lives in the AstraSync dashboard now; register the endpoint and set counterpartyId in your middleware config to enforce policy."
+        );
+        warnedNoCounterparty = true;
+      }
+      return;
+    }
+    const fetched = await fetchRoutes(config, config.counterpartyId);
+    if (fetched) {
+      cachedRoutes = fetched;
+      lastFetchAt = Date.now();
+      if (cachedRoutes.length === 0 && !warnedEmptyRoutes) {
+        const dashboard = config.dashboardUrl ?? "https://app.astrasync.ai";
+        console.warn(
+          `[VerificationGateway] No route policy configured for ${config.counterpartyId}. Gateway is in pass-through mode for ALL traffic until you add at least one route. Configure at ${dashboard}/dashboard/endpoints/${config.counterpartyId}/routes`
+        );
+        warnedEmptyRoutes = true;
+      }
+    }
+  }
+  refreshing = refreshRoutes().finally(() => {
+    refreshing = null;
+  });
   return async (req, res, next) => {
     try {
       const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));
       if (shouldSkip) {
         return next();
       }
-      const routeConfig = findRouteConfig(routes, req.path, req.method);
+      if (refreshing) {
+        await refreshing.catch(() => {
+        });
+      }
+      if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {
+        refreshing = refreshRoutes().finally(() => {
+          refreshing = null;
+        });
+      }
+      const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);
       if (!routeConfig) {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader(
+            "X-Astra-Gateway-Reason",
+            cachedRoutes.length === 0 ? "no-policy" : "no-match"
+          );
+        }
         return next();
       }
       if (routeConfig.minAccessLevel === "none") {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader("X-Astra-Gateway-Reason", "route-none");
+        }
         return next();
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
@@ -788,6 +877,10 @@ function createMiddleware(options) {
         recordDecision(config, sessionId, "granted").catch(() => {
         });
       }
+      const enhancedResult = result;
+      if (enhancedResult.warningHeader) {
+        res.setHeader(enhancedResult.warningHeader.name, enhancedResult.warningHeader.value);
+      }
       next();
     } catch (error) {
       console.error("[VerificationGateway] Middleware error:", error);
@@ -795,18 +888,6 @@ function createMiddleware(options) {
     }
   };
 }
-function requireAccess(minAccessLevel, options) {
-  return createMiddleware({
-    ...options,
-    routes: [{ pattern: "*", method: "*", minAccessLevel }]
-  });
-}
-function verifyOnly(options) {
-  return createMiddleware({
-    ...options,
-    routes: [{ pattern: "*", method: "*", minAccessLevel: "none" }]
-  });
-}
 
 // src/adapters/nextjs.ts
 var nextjs_exports = {};
@@ -1030,14 +1111,38 @@ function generateCommerceShieldHtml(result, options) {
 </html>
   `.trim();
 }
+var DEFAULT_ROUTES_REFRESH_MS2 = 5 * 60 * 1e3;
 function createMiddleware2(options) {
   const {
-    routes = [],
     skipPaths = [],
     showCommerceShield = true,
     enableRuntimeChallenge = true,
+    routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS2,
     ...config
   } = options;
+  let cachedRoutes = [];
+  let lastFetchAt = 0;
+  let refreshing = null;
+  let warnedNoCounterparty = false;
+  async function refreshRoutes() {
+    if (!config.counterpartyId) {
+      if (!warnedNoCounterparty) {
+        console.warn(
+          "[VerificationGateway/Next.js] No counterpartyId configured \u2014 falling through (allow all). Per-route policy lives in the AstraSync dashboard now; register the endpoint and set counterpartyId in your middleware config to enforce policy."
+        );
+        warnedNoCounterparty = true;
+      }
+      return;
+    }
+    const fetched = await fetchRoutes(config, config.counterpartyId);
+    if (fetched) {
+      cachedRoutes = fetched;
+      lastFetchAt = Date.now();
+    }
+  }
+  refreshing = refreshRoutes().finally(() => {
+    refreshing = null;
+  });
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -1045,7 +1150,16 @@ function createMiddleware2(options) {
     if (shouldSkip) {
       return NextResponse.next();
     }
-    const routeConfig = findRouteConfig2(routes, pathname, request.method);
+    if (refreshing) {
+      await refreshing.catch(() => {
+      });
+    }
+    if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {
+      refreshing = refreshRoutes().finally(() => {
+        refreshing = null;
+      });
+    }
+    const routeConfig = findRouteConfig2(cachedRoutes, pathname, request.method);
     if (!routeConfig) {
       return NextResponse.next();
     }