@astrasyncai/verification-gateway 2.3.4 → 2.3.8

package/dist/local-evaluator/evaluator.d.mts

@@ -1,5 +1,5 @@
-import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-aN1UHhyy.mjs';
-import '../types-JMgPake9.mjs';
+import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-z-QVnG4b.mjs';
+import '../types-D_tmbDA_.mjs';
 
 /**
  * Local PDLSS Evaluator

package/dist/local-evaluator/evaluator.d.ts

@@ -1,5 +1,5 @@
-import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-osMd_dpT.js';
-import '../types-JMgPake9.js';
+import { L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, a as LocalPurposeRule } from '../types-Bzp1SMaD.js';
+import '../types-D_tmbDA_.js';
 
 /**
  * Local PDLSS Evaluator

package/dist/{nextjs-DZHAn9j-.d.mts → nextjs-Bzdfu8Eg.d.mts}

@@ -1,9 +1,15 @@
 import * as next_server from 'next/server';
 import { NextRequest } from 'next/server';
-import { N as NextJsMiddlewareOptions } from './types-JMgPake9.mjs';
+import { N as NextJsMiddlewareOptions } from './types-D_tmbDA_.mjs';
 
 /**
- * Create Next.js middleware for agent verification
+ * Create Next.js middleware for agent verification.
+ *
+ * v2.9.7 moved per-route policy out of merchant-side source code into the
+ * AstraSync dashboard. The middleware fetches its routes from the backend
+ * via `GET /endpoints/:counterpartyId/routes` on init and refreshes
+ * periodically — see `ExpressMiddlewareOptions` for the rationale (defect
+ * 24, dual-config silent-conflict).
  */
 declare function createMiddleware(options: NextJsMiddlewareOptions): (request: NextRequest) => Promise<next_server.NextResponse<unknown>>;
 /**

package/dist/{nextjs-B8o9C0t6.d.ts → nextjs-C4h_MpgK.d.ts}

@@ -1,9 +1,15 @@
 import * as next_server from 'next/server';
 import { NextRequest } from 'next/server';
-import { N as NextJsMiddlewareOptions } from './types-JMgPake9.js';
+import { N as NextJsMiddlewareOptions } from './types-D_tmbDA_.js';
 
 /**
- * Create Next.js middleware for agent verification
+ * Create Next.js middleware for agent verification.
+ *
+ * v2.9.7 moved per-route policy out of merchant-side source code into the
+ * AstraSync dashboard. The middleware fetches its routes from the backend
+ * via `GET /endpoints/:counterpartyId/routes` on init and refreshes
+ * periodically — see `ExpressMiddlewareOptions` for the rationale (defect
+ * 24, dual-config silent-conflict).
  */
 declare function createMiddleware(options: NextJsMiddlewareOptions): (request: NextRequest) => Promise<next_server.NextResponse<unknown>>;
 /**

package/dist/{sdk-CRSUFQH2.d.mts → sdk-CDdD7EcJ.d.mts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-JMgPake9.mjs';
+import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-D_tmbDA_.mjs';
 
 /**
  * AstraSync Universal Verification Gateway - Access Level Definitions

package/dist/{sdk-BQ3olp3v.d.ts → sdk-Tzsn6s-O.d.ts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-JMgPake9.js';
+import { a as AccessLevel, i as TrustLevel, S as SDKOptions, V as VerificationResult } from './types-D_tmbDA_.js';
 
 /**
  * AstraSync Universal Verification Gateway - Access Level Definitions

package/dist/transport/index.d.mts

@@ -1,3 +1,3 @@
-import '../types-JMgPake9.mjs';
-export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-SEgnWzkf.mjs';
+import '../types-D_tmbDA_.mjs';
+export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-BHXa2WTO.mjs';
 import 'jose';

package/dist/transport/index.d.ts

@@ -1,3 +1,3 @@
-import '../types-JMgPake9.js';
-export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index--KzVRa32.js';
+import '../types-D_tmbDA_.js';
+export { A as ACPEndpoint, a as ACPPaymentTokenType, b as ACPRequestContext, c as ACPRequestLike, d as ACPSignatureAlgorithm, e as ACPTotal, f as ACPVerifyInput, g as ACPVerifyResult, h as AP2CartMandateClaims, j as AP2ChainResult, k as AP2IntentMandateClaims, l as AP2MandateClaims, m as AP2MandateTriple, n as AP2MandateTripleInput, o as AP2MandateType, p as AP2PaymentDetailsTotal, q as AP2PaymentMandateClaims, r as AP2PaymentMandateForValue, s as AP2VerifyInput, C as CommerceContext, t as CommercePipelineInput, u as CommerceProtocol, v as CommercePurpose, w as CommerceSignatureStack, x as ConstraintEvalResult, y as ConstraintKey, z as ConstraintResult, E as ExtractorRequestLike, I as IdentityBindingResult, B as IdentityClaim, D as IdentityResolver, M as MPPChallengeForValue, F as MPPChallengeSummary, G as MPPCredentialSummary, H as MPPIntent, J as MPPKind, K as MPPReceiptSummary, L as MPPRequestContext, N as MPPRequestLike, O as MPPResponseLike, P as MPPVerifyInput, Q as MPPVerifyResult, R as ParsedRFC9421, S as PaymentMethodAllowlistInput, T as RFC9421SignatureParams, U as RFC9421Tag, V as RFC9421VerifyOptions, W as RFC9421VerifyRequest, X as RFC9421VerifyResult, Y as RegistryName, Z as RegistryResolver, _ as ResolveContext, $ as STRIPE_WEBHOOK_INFORMATIONAL_EVENTS, a0 as SpendingLimitInput, a1 as StripeWebhookInformationalEvent, a2 as TransactionContext, a3 as TransactionValueContext, a4 as TransportExtractor, a5 as UCPCheckoutContext, a6 as UCPManifestValidationResult, a7 as UCPRequestLike, a8 as UCPTotal, a9 as VIAllowedParty, aa as VIBudgetLimit, ab as VIClaimsForValue, ac as VIConstraintEvalInput, ad as VIConstraints, ae as VIExecutionMode, af as VIExtractedClaims, ag as VILayer, ah as VILineItem, ai as VIMandateType, aj as VIPaymentAmount, ak as VIRecurrence, al as VIVerifyInput, am as VIVerifyResult, an as VerifyStripeWebhookOptions, ao as VerifyStripeWebhookResult, ap as X402Kind, aq as X402RequestContext, ar as X402RequestForValue, as as X402RequestLike, at as X402RequirementsSummary, au as X402ResponseLike, av as applyCredentials, aw as bindIdentity, ax as claim, ay as clearTransportExtractors, az as createMastercardRegistry, aA as createVisaRegistry, aB as createWebBotAuthRegistry, aC as detectProtocol, aD as evaluatePaymentMethodAllowlist, aE as evaluateSpendingLimit, aF as evaluateVIConstraints, aG as extractA2ACredentials, aH as extractACPContext, aI as extractACPTransactionValue, aJ as extractAP2Mandate, aK as extractAP2Mandates, aL as extractAP2TransactionValue, aM as extractCredentialsFromProtocol, aN as extractHttpCredentials, aO as extractMPPContext, aP as extractMPPFromRequest, aQ as extractMPPFromResponse, aR as extractMPPTransactionValue, aS as extractMcpCredentials, aT as extractUCPContext, aU as extractUCPTransactionValue, aV as extractVIClaims, aW as extractVITransactionValue, aX as extractX402Context, aY as extractX402FromRequest, aZ as extractX402FromResponse, a_ as extractX402TransactionValue, a$ as fetchUCPManifest, b0 as getTransportExtractor, b1 as getTransportExtractors, b2 as isStripeWebhookInformational, b3 as mapACPRequestToPurpose, b4 as mapAP2MandateToPurpose, b5 as mapMPPRequestToPurpose, b6 as mapRFC9421TagToPurpose, b7 as mapUCPRequestToPurpose, b8 as mapVIMandateToPurpose, b9 as mapX402RequestToPurpose, ba as parseRFC9421, bb as registerTransportExtractor, bc as runCommercePipeline, bd as runMatchingExtractors, be as setA2AMetadata, bf as setHttpHeaders, bg as setMcpMeta, bh as validateUCPManifest, bi as verifyACPSignature, bj as verifyAP2Chain, bk as verifyMPP, bl as verifyRFC9421, bm as verifyStripeWebhook, bn as verifyVIChain } from '../index-CSMpOcxV.js';
 import 'jose';

package/dist/{types-osMd_dpT.d.ts → types-Bzp1SMaD.d.ts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-JMgPake9.js';
+import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-D_tmbDA_.js';
 
 /**
  * AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.

package/dist/{types-JMgPake9.d.mts → types-D_tmbDA_.d.mts}

@@ -97,6 +97,20 @@ interface GatewayConfig {
      * extra request is undesirable.
      */
     disableInitChecks?: boolean;
+    /**
+     * v2.3.8: emit `X-Astra-Gateway-Mode: pass-through` (with
+     * `X-Astra-Gateway-Reason: no-policy | no-match`) on responses where the
+     * middleware fell through without consulting verify-access. Lets integration
+     * tests assert "this endpoint should be gated; if it falls through, fail
+     * loudly". Default off; opt-in.
+     */
+    setPassThroughHeader?: boolean;
+    /**
+     * v2.3.8: dashboard origin used to construct configuration links in
+     * boot-time warnings (e.g. when no per-route policy is configured).
+     * Defaults to `https://app.astrasync.ai`.
+     */
+    dashboardUrl?: string;
 }
 /**
  * Verified agent information
@@ -237,6 +251,25 @@ interface GuidanceInfo {
 /**
  * Complete verification result
  */
+/**
+ * Single failed gate on a verify-access denial. Aggregated into
+ * `VerificationResult.failures[]` so partners can see every blocker in one
+ * response. v2.9.8 (defect M1) — pre-fix the response was fail-fast on the
+ * first failed gate, forcing a fix-and-retry cascade through PDLSS
+ * dimensions, counterparty allowlist, trust score, and attestations.
+ *
+ * `dimension` is namespaced so receivers can group by gate family:
+ *   - `agent.<lookup|status>`                  (hard prereqs)
+ *   - `pdlss.<purpose|duration|limits|scope|selfInstantiation>`
+ *   - `counterparty.<allowlist|trust>`
+ *   - `attestation.<type>` (e.g. `attestation.verified_human_party`)
+ *   - `endpoint.<deactivated|trust|policy>`
+ */
+interface AccessFailure {
+    dimension: string;
+    message: string;
+    guidance?: string;
+}
 interface VerificationResult {
     /** Whether the agent is verified */
     verified: boolean;
@@ -254,6 +287,13 @@ interface VerificationResult {
     guidance?: GuidanceInfo;
     /** Reasons for denial (if not allowed) */
     denialReasons?: string[];
+    /**
+     * All policy / gate failures detected on this verify-access call.
+     * v2.9.8+ — empty when allowed. Iterate this for the full debug picture
+     * instead of consuming `denialReasons` (which only carries the headline
+     * message of each failure).
+     */
+    failures?: AccessFailure[];
     /** Whether step-up authentication is required */
     requiresStepUp?: boolean;
     /** Whether approval is required */
@@ -360,11 +400,18 @@ interface RouteAccessConfig {
     maxTransactionValue?: number;
 }
 /**
- * Express middleware options
+ * Express middleware options.
+ *
+ * v2.9.7 removed the `routes` field — per-route policy now lives in the
+ * AstraSync dashboard (gated by team.role admin auth + audit + alerts).
+ * The middleware fetches routes from the backend via
+ * `GET /endpoints/:counterpartyId/routes` on init and refreshes
+ * periodically (override interval via `routesRefreshMs`). Set
+ * `counterpartyId` on `GatewayConfig` so the middleware knows which
+ * endpoint to fetch policy for; without it, the middleware logs a warning
+ * and falls through (allows all) — useful for local dev only.
  */
 interface ExpressMiddlewareOptions extends GatewayConfig {
-    /** Route access configurations */
-    routes?: RouteAccessConfig[];
     /** Function to extract credentials from request */
     extractCredentials?: (req: unknown) => AgentCredentials;
     /** Function to extract purpose from request */
@@ -377,15 +424,24 @@ interface ExpressMiddlewareOptions extends GatewayConfig {
     recordDecisions?: boolean;
     /** Enable runtime challenge for all verify-access calls (default: true) */
     enableRuntimeChallenge?: boolean;
+    /**
+     * Refresh interval (ms) for the remote-fetched route policy. Default:
+     * 5 minutes. Operators can shorten this to test policy edits faster, or
+     * lengthen it to reduce network chatter.
+     */
+    routesRefreshMs?: number;
 }
 /**
- * Next.js middleware options
+ * Next.js middleware options.
+ *
+ * v2.9.7 removed the `routes` field — see `ExpressMiddlewareOptions` for
+ * the rationale. Same fetch-from-backend model applies here.
  */
 interface NextJsMiddlewareOptions extends GatewayConfig {
-    /** Route access configurations */
-    routes?: RouteAccessConfig[];
     /** Paths to skip verification */
     skipPaths?: string[];
+    /** Refresh interval (ms) for the remote-fetched route policy. Default: 5 minutes. */
+    routesRefreshMs?: number;
     /** Whether to show Commerce Shield overlay for unverified */
     showCommerceShield?: boolean;
     /** Commerce Shield configuration */
@@ -462,8 +518,20 @@ interface EnhancedVerificationResult extends VerificationResult {
     tokenGuidance?: TokenGuidance;
     appliedPolicy?: AppliedPolicy;
     verificationContext?: VerificationContext;
-    recommendation?: 'grant' | 'deny' | 'step_up_required';
+    recommendation?: 'grant' | 'deny' | 'step_up_required' | 'audit';
     recommendationReasons?: string[];
+    /**
+     * v2.3.8: when an endpoint's `unverifiedAgentPolicy` is `'audit'`, the
+     * server returns the warning header to relay to the merchant's response.
+     * The Express + MCP middleware lift this into `res.setHeader(name, value)`
+     * before calling `next()`. Distinct vocabulary from the PDLSS-scope
+     * outbound `unverifiedCounterpartyPolicy: 'warn'` so raw JSON config can't
+     * conflate the two.
+     */
+    warningHeader?: {
+        name: string;
+        value: string;
+    };
 }
 /**
  * Cross-protocol credential config

package/dist/{types-JMgPake9.d.ts → types-D_tmbDA_.d.ts}

@@ -97,6 +97,20 @@ interface GatewayConfig {
      * extra request is undesirable.
      */
     disableInitChecks?: boolean;
+    /**
+     * v2.3.8: emit `X-Astra-Gateway-Mode: pass-through` (with
+     * `X-Astra-Gateway-Reason: no-policy | no-match`) on responses where the
+     * middleware fell through without consulting verify-access. Lets integration
+     * tests assert "this endpoint should be gated; if it falls through, fail
+     * loudly". Default off; opt-in.
+     */
+    setPassThroughHeader?: boolean;
+    /**
+     * v2.3.8: dashboard origin used to construct configuration links in
+     * boot-time warnings (e.g. when no per-route policy is configured).
+     * Defaults to `https://app.astrasync.ai`.
+     */
+    dashboardUrl?: string;
 }
 /**
  * Verified agent information
@@ -237,6 +251,25 @@ interface GuidanceInfo {
 /**
  * Complete verification result
  */
+/**
+ * Single failed gate on a verify-access denial. Aggregated into
+ * `VerificationResult.failures[]` so partners can see every blocker in one
+ * response. v2.9.8 (defect M1) — pre-fix the response was fail-fast on the
+ * first failed gate, forcing a fix-and-retry cascade through PDLSS
+ * dimensions, counterparty allowlist, trust score, and attestations.
+ *
+ * `dimension` is namespaced so receivers can group by gate family:
+ *   - `agent.<lookup|status>`                  (hard prereqs)
+ *   - `pdlss.<purpose|duration|limits|scope|selfInstantiation>`
+ *   - `counterparty.<allowlist|trust>`
+ *   - `attestation.<type>` (e.g. `attestation.verified_human_party`)
+ *   - `endpoint.<deactivated|trust|policy>`
+ */
+interface AccessFailure {
+    dimension: string;
+    message: string;
+    guidance?: string;
+}
 interface VerificationResult {
     /** Whether the agent is verified */
     verified: boolean;
@@ -254,6 +287,13 @@ interface VerificationResult {
     guidance?: GuidanceInfo;
     /** Reasons for denial (if not allowed) */
     denialReasons?: string[];
+    /**
+     * All policy / gate failures detected on this verify-access call.
+     * v2.9.8+ — empty when allowed. Iterate this for the full debug picture
+     * instead of consuming `denialReasons` (which only carries the headline
+     * message of each failure).
+     */
+    failures?: AccessFailure[];
     /** Whether step-up authentication is required */
     requiresStepUp?: boolean;
     /** Whether approval is required */
@@ -360,11 +400,18 @@ interface RouteAccessConfig {
     maxTransactionValue?: number;
 }
 /**
- * Express middleware options
+ * Express middleware options.
+ *
+ * v2.9.7 removed the `routes` field — per-route policy now lives in the
+ * AstraSync dashboard (gated by team.role admin auth + audit + alerts).
+ * The middleware fetches routes from the backend via
+ * `GET /endpoints/:counterpartyId/routes` on init and refreshes
+ * periodically (override interval via `routesRefreshMs`). Set
+ * `counterpartyId` on `GatewayConfig` so the middleware knows which
+ * endpoint to fetch policy for; without it, the middleware logs a warning
+ * and falls through (allows all) — useful for local dev only.
  */
 interface ExpressMiddlewareOptions extends GatewayConfig {
-    /** Route access configurations */
-    routes?: RouteAccessConfig[];
     /** Function to extract credentials from request */
     extractCredentials?: (req: unknown) => AgentCredentials;
     /** Function to extract purpose from request */
@@ -377,15 +424,24 @@ interface ExpressMiddlewareOptions extends GatewayConfig {
     recordDecisions?: boolean;
     /** Enable runtime challenge for all verify-access calls (default: true) */
     enableRuntimeChallenge?: boolean;
+    /**
+     * Refresh interval (ms) for the remote-fetched route policy. Default:
+     * 5 minutes. Operators can shorten this to test policy edits faster, or
+     * lengthen it to reduce network chatter.
+     */
+    routesRefreshMs?: number;
 }
 /**
- * Next.js middleware options
+ * Next.js middleware options.
+ *
+ * v2.9.7 removed the `routes` field — see `ExpressMiddlewareOptions` for
+ * the rationale. Same fetch-from-backend model applies here.
  */
 interface NextJsMiddlewareOptions extends GatewayConfig {
-    /** Route access configurations */
-    routes?: RouteAccessConfig[];
     /** Paths to skip verification */
     skipPaths?: string[];
+    /** Refresh interval (ms) for the remote-fetched route policy. Default: 5 minutes. */
+    routesRefreshMs?: number;
     /** Whether to show Commerce Shield overlay for unverified */
     showCommerceShield?: boolean;
     /** Commerce Shield configuration */
@@ -462,8 +518,20 @@ interface EnhancedVerificationResult extends VerificationResult {
     tokenGuidance?: TokenGuidance;
     appliedPolicy?: AppliedPolicy;
     verificationContext?: VerificationContext;
-    recommendation?: 'grant' | 'deny' | 'step_up_required';
+    recommendation?: 'grant' | 'deny' | 'step_up_required' | 'audit';
     recommendationReasons?: string[];
+    /**
+     * v2.3.8: when an endpoint's `unverifiedAgentPolicy` is `'audit'`, the
+     * server returns the warning header to relay to the merchant's response.
+     * The Express + MCP middleware lift this into `res.setHeader(name, value)`
+     * before calling `next()`. Distinct vocabulary from the PDLSS-scope
+     * outbound `unverifiedCounterpartyPolicy: 'warn'` so raw JSON config can't
+     * conflate the two.
+     */
+    warningHeader?: {
+        name: string;
+        value: string;
+    };
 }
 /**
  * Cross-protocol credential config

package/dist/{types-aN1UHhyy.d.mts → types-z-QVnG4b.d.mts}

@@ -1,4 +1,4 @@
-import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-JMgPake9.mjs';
+import { a as AccessLevel, C as CounterpartyType, T as TokenGuidance } from './types-D_tmbDA_.mjs';
 
 /**
  * AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.

package/dist/ui/index.d.mts

@@ -1,4 +1,4 @@
-import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-JMgPake9.mjs';
+import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-D_tmbDA_.mjs';
 
 /**
  * AstraSync Commerce Shield Component

package/dist/ui/index.d.ts

@@ -1,4 +1,4 @@
-import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-JMgPake9.js';
+import { d as CommerceShieldProps, V as VerificationResult, b as AgentCredentials, f as GuidanceInfo, i as TrustLevel } from '../types-D_tmbDA_.js';
 
 /**
  * AstraSync Commerce Shield Component

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@astrasyncai/verification-gateway",
-  "version": "2.3.4",
+  "version": "2.3.8",
   "description": "Universal Verification Gateway for AstraSync KYA Platform - verify AI agents across any counterparty type",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -16,6 +16,11 @@
       "import": "./dist/adapters/express.mjs",
       "require": "./dist/adapters/express.js"
     },
+    "./mcp": {
+      "types": "./dist/adapters/mcp.d.ts",
+      "import": "./dist/adapters/mcp.mjs",
+      "require": "./dist/adapters/mcp.js"
+    },
     "./nextjs": {
       "types": "./dist/adapters/nextjs.d.ts",
       "import": "./dist/adapters/nextjs.mjs",