@astrasyncai/verification-gateway 2.3.4 → 2.3.8

package/dist/index.mjs

@@ -284,6 +284,23 @@ async function callVerifyAccessAPI(config, request) {
       body: JSON.stringify(body)
     });
     const data = await response.json();
+    if (response.status === 410) {
+      return {
+        success: true,
+        access: {
+          allowed: false,
+          accessLevel: "none",
+          reason: "endpoint_deactivated",
+          failures: [
+            {
+              dimension: "endpoint.deactivated",
+              message: typeof data?.message === "string" ? data.message : "Endpoint has been deactivated",
+              guidance: typeof data?.guidance === "string" ? data.guidance : "Reactivate via POST /api/endpoints/{id}/reactivate, or update the URL on the calling agent."
+            }
+          ]
+        }
+      };
+    }
     if (!response.ok) {
       return {
         success: false,
@@ -334,10 +351,12 @@ async function verify(config, request) {
     return createGuidanceResponse(mergedConfig, apiResponse.error);
   }
   if (!apiResponse.access?.allowed) {
+    const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
       accessLevel: "guidance",
-      denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
@@ -391,7 +410,8 @@ async function verify(config, request) {
     runtimeChallenge: apiResponse.runtimeChallenge,
     tokenGuidance: apiResponse.tokenGuidance,
     recommendation: apiResponse.recommendation,
-    recommendationReasons: apiResponse.recommendationReasons
+    recommendationReasons: apiResponse.recommendationReasons,
+    warningHeader: apiResponse.warningHeader
   };
   if (result.recommendation === "deny") {
     result.verified = false;
@@ -431,6 +451,25 @@ async function recordDecision(config, sessionId, decision, reason) {
   }).catch(() => {
   });
 }
+async function fetchRoutes(config, counterpartyId) {
+  if (!counterpartyId) return null;
+  const headers = { "Content-Type": "application/json" };
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+    headers["X-API-Key"] = config.apiKey;
+  }
+  try {
+    const response = await fetch(
+      `${config.apiBaseUrl}/endpoints/${encodeURIComponent(counterpartyId)}/routes`,
+      { method: "GET", headers }
+    );
+    if (!response.ok) return null;
+    const body = await response.json();
+    return body.data?.routes ?? [];
+  } catch {
+    return null;
+  }
+}
 async function reportCounterpartyPreCheckFailure(config, data) {
   const apiBaseUrl = config.apiBaseUrl || DEFAULT_CONFIG.apiBaseUrl;
   await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {
@@ -456,9 +495,7 @@ async function quickVerify(config, credentials) {
 var express_exports = {};
 __export(express_exports, {
   createMiddleware: () => createMiddleware,
-  extractAstraSyncCredentials: () => extractAstraSyncCredentials,
-  requireAccess: () => requireAccess,
-  verifyOnly: () => verifyOnly
+  extractAstraSyncCredentials: () => extractAstraSyncCredentials
 });
 
 // src/transport/http.ts
@@ -631,28 +668,80 @@ function defaultOnDenied(result, _req, res) {
     }
   });
 }
+var DEFAULT_ROUTES_REFRESH_MS = 5 * 60 * 1e3;
 function createMiddleware(options) {
   const {
-    routes = [],
     extractCredentials: customExtractCredentials,
     extractPurpose: customExtractPurpose,
     skipPaths = [],
     onDenied = defaultOnDenied,
     recordDecisions,
     enableRuntimeChallenge = true,
+    routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,
     ...config
   } = options;
+  let cachedRoutes = [];
+  let lastFetchAt = 0;
+  let refreshing = null;
+  let warnedNoCounterparty = false;
+  let warnedEmptyRoutes = false;
+  async function refreshRoutes() {
+    if (!config.counterpartyId) {
+      if (!warnedNoCounterparty) {
+        console.warn(
+          "[VerificationGateway] No counterpartyId configured \u2014 falling through (allow all). Per-route policy lives in the AstraSync dashboard now; register the endpoint and set counterpartyId in your middleware config to enforce policy."
+        );
+        warnedNoCounterparty = true;
+      }
+      return;
+    }
+    const fetched = await fetchRoutes(config, config.counterpartyId);
+    if (fetched) {
+      cachedRoutes = fetched;
+      lastFetchAt = Date.now();
+      if (cachedRoutes.length === 0 && !warnedEmptyRoutes) {
+        const dashboard = config.dashboardUrl ?? "https://app.astrasync.ai";
+        console.warn(
+          `[VerificationGateway] No route policy configured for ${config.counterpartyId}. Gateway is in pass-through mode for ALL traffic until you add at least one route. Configure at ${dashboard}/dashboard/endpoints/${config.counterpartyId}/routes`
+        );
+        warnedEmptyRoutes = true;
+      }
+    }
+  }
+  refreshing = refreshRoutes().finally(() => {
+    refreshing = null;
+  });
   return async (req, res, next) => {
     try {
       const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));
       if (shouldSkip) {
         return next();
       }
-      const routeConfig = findRouteConfig(routes, req.path, req.method);
+      if (refreshing) {
+        await refreshing.catch(() => {
+        });
+      }
+      if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {
+        refreshing = refreshRoutes().finally(() => {
+          refreshing = null;
+        });
+      }
+      const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);
       if (!routeConfig) {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader(
+            "X-Astra-Gateway-Reason",
+            cachedRoutes.length === 0 ? "no-policy" : "no-match"
+          );
+        }
         return next();
       }
       if (routeConfig.minAccessLevel === "none") {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader("X-Astra-Gateway-Reason", "route-none");
+        }
         return next();
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
@@ -736,6 +825,10 @@ function createMiddleware(options) {
         recordDecision(config, sessionId, "granted").catch(() => {
         });
       }
+      const enhancedResult = result;
+      if (enhancedResult.warningHeader) {
+        res.setHeader(enhancedResult.warningHeader.name, enhancedResult.warningHeader.value);
+      }
       next();
     } catch (error) {
       console.error("[VerificationGateway] Middleware error:", error);
@@ -743,18 +836,6 @@ function createMiddleware(options) {
     }
   };
 }
-function requireAccess(minAccessLevel, options) {
-  return createMiddleware({
-    ...options,
-    routes: [{ pattern: "*", method: "*", minAccessLevel }]
-  });
-}
-function verifyOnly(options) {
-  return createMiddleware({
-    ...options,
-    routes: [{ pattern: "*", method: "*", minAccessLevel: "none" }]
-  });
-}
 
 // src/adapters/nextjs.ts
 var nextjs_exports = {};
@@ -978,14 +1059,38 @@ function generateCommerceShieldHtml(result, options) {
 </html>
   `.trim();
 }
+var DEFAULT_ROUTES_REFRESH_MS2 = 5 * 60 * 1e3;
 function createMiddleware2(options) {
   const {
-    routes = [],
     skipPaths = [],
     showCommerceShield = true,
     enableRuntimeChallenge = true,
+    routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS2,
     ...config
   } = options;
+  let cachedRoutes = [];
+  let lastFetchAt = 0;
+  let refreshing = null;
+  let warnedNoCounterparty = false;
+  async function refreshRoutes() {
+    if (!config.counterpartyId) {
+      if (!warnedNoCounterparty) {
+        console.warn(
+          "[VerificationGateway/Next.js] No counterpartyId configured \u2014 falling through (allow all). Per-route policy lives in the AstraSync dashboard now; register the endpoint and set counterpartyId in your middleware config to enforce policy."
+        );
+        warnedNoCounterparty = true;
+      }
+      return;
+    }
+    const fetched = await fetchRoutes(config, config.counterpartyId);
+    if (fetched) {
+      cachedRoutes = fetched;
+      lastFetchAt = Date.now();
+    }
+  }
+  refreshing = refreshRoutes().finally(() => {
+    refreshing = null;
+  });
   return async function middleware(request) {
     const { NextResponse } = await import("next/server");
     const pathname = request.nextUrl.pathname;
@@ -993,7 +1098,16 @@ function createMiddleware2(options) {
     if (shouldSkip) {
       return NextResponse.next();
     }
-    const routeConfig = findRouteConfig2(routes, pathname, request.method);
+    if (refreshing) {
+      await refreshing.catch(() => {
+      });
+    }
+    if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {
+      refreshing = refreshRoutes().finally(() => {
+        refreshing = null;
+      });
+    }
+    const routeConfig = findRouteConfig2(cachedRoutes, pathname, request.method);
     if (!routeConfig) {
       return NextResponse.next();
     }