@astrasyncai/verification-gateway 2.3.7 → 2.3.9

package/dist/git-trigger/git-hooks.d.mts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.mjs';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-DxY5zt4z.mjs';
-import '../types-Bxqj1sKY.mjs';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-CKafuHDn.mjs';
+import '../types-UYT4GdPW.mjs';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/git-trigger/git-hooks.d.ts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.js';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-BecRpozv.js';
-import '../types-Bxqj1sKY.js';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-ppkhdldJ.js';
+import '../types-UYT4GdPW.js';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/{index-EwUWXC5T.d.ts → index-8DFMpITk.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-Bxqj1sKY.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-UYT4GdPW.js';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index-YNPs800Z.d.mts → index-B--6fiDp.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-Bxqj1sKY.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-UYT4GdPW.mjs';
 import { JWK } from 'jose';
 
 /**

package/dist/{index-Bn_7eGjb.d.mts → index-CAykfMWK.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-Bxqj1sKY.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-UYT4GdPW.mjs';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index-BtU9yFda.d.ts → index-Yt02MRyu.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-Bxqj1sKY.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-UYT4GdPW.js';
 import { JWK } from 'jose';
 
 /**

package/dist/index.d.mts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-Bxqj1sKY.mjs';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-Bxqj1sKY.mjs';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-BhkxvqnK.mjs';
-export { e as express } from './express-D9oRsseg.mjs';
-export { n as nextjs } from './nextjs-BLtjRbc-.mjs';
-export { i as transport } from './index-YNPs800Z.mjs';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-Bn_7eGjb.mjs';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-UYT4GdPW.mjs';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-UYT4GdPW.mjs';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-yJjO7yzn.mjs';
+export { e as express } from './express-BiB51d5t.mjs';
+export { n as nextjs } from './nextjs-CpxqfQqD.mjs';
+export { i as transport } from './index-B--6fiDp.mjs';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-CAykfMWK.mjs';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.d.ts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-Bxqj1sKY.js';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-Bxqj1sKY.js';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-YmE3RG8n.js';
-export { e as express } from './express-DMSIl20m.js';
-export { n as nextjs } from './nextjs-B5ZBpHra.js';
-export { i as transport } from './index-BtU9yFda.js';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-EwUWXC5T.js';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-UYT4GdPW.js';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-UYT4GdPW.js';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-BMvauMgP.js';
+export { e as express } from './express-D6tEDU08.js';
+export { n as nextjs } from './nextjs-CK5F_tVZ.js';
+export { i as transport } from './index-Yt02MRyu.js';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-8DFMpITk.js';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.js

@@ -59,7 +59,7 @@ module.exports = __toCommonJS(src_exports);
 // src/access-levels.ts
 var ACCESS_LEVEL_HIERARCHY = {
   none: 0,
-  guidance: 1,
+  restricted: 1,
   "read-only": 2,
   standard: 3,
   full: 4,
@@ -67,7 +67,7 @@ var ACCESS_LEVEL_HIERARCHY = {
 };
 var ACCESS_LEVEL_DESCRIPTIONS = {
   none: "No access - credentials required",
-  guidance: "Guidance mode - registration information provided",
+  restricted: "Restricted access - registration prompt only",
   "read-only": "Read-only access - can browse but not modify",
   standard: "Standard access - normal operations per PDLSS policy",
   full: "Full access - all operations for high-trust agents",
@@ -75,7 +75,7 @@ var ACCESS_LEVEL_DESCRIPTIONS = {
 };
 var DEFAULT_TRUST_THRESHOLDS = {
   none: 0,
-  guidance: 0,
+  restricted: 0,
   "read-only": 20,
   standard: 40,
   full: 70,
@@ -101,11 +101,11 @@ function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLD
   if (trustScore >= thresholds.full) return "full";
   if (trustScore >= thresholds.standard) return "standard";
   if (trustScore >= thresholds["read-only"]) return "read-only";
-  return "guidance";
+  return "restricted";
 }
 function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
   if (!verified) {
-    return "guidance";
+    return "none";
   }
   if (isOrgMember) {
     return "internal";
@@ -126,7 +126,7 @@ function getCapabilities(accessLevel) {
         canAdmin: false,
         canAccessInternal: false
       };
-    case "guidance":
+    case "restricted":
       return {
         canRead: false,
         canWrite: false,
@@ -180,7 +180,11 @@ function getCapabilities(accessLevel) {
 // src/verify.ts
 var DEFAULT_CONFIG = {
   apiBaseUrl: "https://astrasync.ai/api",
-  defaultAccessLevel: "guidance",
+  // v2.3.9 (defect #30): default for unconfigured callers is `'none'` (no
+  // access). Pre-rename this defaulted to `'guidance'`, which combined with
+  // a route gated at `'guidance'` to silently let unverified traffic
+  // through (`hasMinimumAccess('guidance', 'guidance') === true`).
+  defaultAccessLevel: "none",
   // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
   cacheTtl: 300,
   // 5 minutes
@@ -279,7 +283,12 @@ function createGuidanceResponse(config, reason) {
   };
   return {
     verified: false,
-    accessLevel: "guidance",
+    // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+    // Adapters additionally short-circuit on `verified === false` before
+    // the gate check, but the access level still has to be honest at the
+    // data layer so downstream consumers (SDK adapters in other languages,
+    // custom integrations) inherit the correct semantics.
+    accessLevel: "none",
     guidance,
     denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
     verifiedAt: /* @__PURE__ */ new Date()
@@ -336,6 +345,23 @@ async function callVerifyAccessAPI(config, request) {
       body: JSON.stringify(body)
     });
     const data = await response.json();
+    if (response.status === 410) {
+      return {
+        success: true,
+        access: {
+          allowed: false,
+          accessLevel: "none",
+          reason: "endpoint_deactivated",
+          failures: [
+            {
+              dimension: "endpoint.deactivated",
+              message: typeof data?.message === "string" ? data.message : "Endpoint has been deactivated",
+              guidance: typeof data?.guidance === "string" ? data.guidance : "Reactivate via POST /api/endpoints/{id}/reactivate, or update the URL on the calling agent."
+            }
+          ]
+        }
+      };
+    }
     if (!response.ok) {
       return {
         success: false,
@@ -389,7 +415,14 @@ async function verify(config, request) {
     const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
-      accessLevel: "guidance",
+      // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+      // Pre-rename this hardcoded `'guidance'`, which conflated with the
+      // colocated `guidance: {...}` help-payload object below and let
+      // denied requests pass any route gated at `'guidance'` because
+      // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now
+      // ALSO short-circuit on `verified === false` before the gate check —
+      // belt-and-braces.
+      accessLevel: "none",
       denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
       failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
@@ -445,7 +478,8 @@ async function verify(config, request) {
     runtimeChallenge: apiResponse.runtimeChallenge,
     tokenGuidance: apiResponse.tokenGuidance,
     recommendation: apiResponse.recommendation,
-    recommendationReasons: apiResponse.recommendationReasons
+    recommendationReasons: apiResponse.recommendationReasons,
+    warningHeader: apiResponse.warningHeader
   };
   if (result.recommendation === "deny") {
     result.verified = false;
@@ -472,7 +506,7 @@ async function verify(config, request) {
   }
   return result;
 }
-async function recordDecision(config, sessionId, decision, reason) {
+async function recordDecision(config, sessionId, decision, reason, override) {
   const headers = { "Content-Type": "application/json" };
   if (config.apiKey) {
     headers["Authorization"] = `Bearer ${config.apiKey}`;
@@ -481,7 +515,16 @@ async function recordDecision(config, sessionId, decision, reason) {
   await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {
     method: "POST",
     headers,
-    body: JSON.stringify({ decision, reason })
+    body: JSON.stringify({
+      decision,
+      reason,
+      ...override && {
+        overriddenBy: override.overriddenBy,
+        toolName: override.toolName,
+        requestedLevel: override.requestedLevel,
+        grantedLevel: override.grantedLevel
+      }
+    })
   }).catch(() => {
   });
 }
@@ -718,6 +761,7 @@ function createMiddleware(options) {
   let lastFetchAt = 0;
   let refreshing = null;
   let warnedNoCounterparty = false;
+  let warnedEmptyRoutes = false;
   async function refreshRoutes() {
     if (!config.counterpartyId) {
       if (!warnedNoCounterparty) {
@@ -732,6 +776,13 @@ function createMiddleware(options) {
     if (fetched) {
       cachedRoutes = fetched;
       lastFetchAt = Date.now();
+      if (cachedRoutes.length === 0 && !warnedEmptyRoutes) {
+        const dashboard = config.dashboardUrl ?? "https://app.astrasync.ai";
+        console.warn(
+          `[VerificationGateway] No route policy configured for ${config.counterpartyId}. Gateway is in pass-through mode for ALL traffic until you add at least one route. Configure at ${dashboard}/dashboard/endpoints/${config.counterpartyId}/routes`
+        );
+        warnedEmptyRoutes = true;
+      }
     }
   }
   refreshing = refreshRoutes().finally(() => {
@@ -754,9 +805,20 @@ function createMiddleware(options) {
       }
       const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);
       if (!routeConfig) {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader(
+            "X-Astra-Gateway-Reason",
+            cachedRoutes.length === 0 ? "no-policy" : "no-match"
+          );
+        }
         return next();
       }
       if (routeConfig.minAccessLevel === "none") {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader("X-Astra-Gateway-Reason", "route-none");
+        }
         return next();
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
@@ -815,6 +877,14 @@ function createMiddleware(options) {
       });
       req.agentVerification = result;
       const sessionId = result.sessionId;
+      if (!result.verified) {
+        if (shouldRecordDecisions && sessionId) {
+          recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
+          });
+        }
+        onDenied(result, req, res);
+        return;
+      }
       if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
         if (shouldRecordDecisions && sessionId) {
           recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
@@ -840,6 +910,10 @@ function createMiddleware(options) {
         recordDecision(config, sessionId, "granted").catch(() => {
         });
       }
+      const enhancedResult = result;
+      if (enhancedResult.warningHeader) {
+        res.setHeader(enhancedResult.warningHeader.name, enhancedResult.warningHeader.value);
+      }
       next();
     } catch (error) {
       console.error("[VerificationGateway] Middleware error:", error);
@@ -1195,7 +1269,7 @@ function createMiddleware2(options) {
         agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
       }
     });
-    if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
+    if (!result.verified || !hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
       if (pathname.startsWith("/api/")) {
         return NextResponse.json(
           {