@astrasyncai/verification-gateway 2.3.7 → 2.3.9

package/dist/index.mjs

@@ -7,7 +7,7 @@ var __export = (target, all) => {
 // src/access-levels.ts
 var ACCESS_LEVEL_HIERARCHY = {
   none: 0,
-  guidance: 1,
+  restricted: 1,
   "read-only": 2,
   standard: 3,
   full: 4,
@@ -15,7 +15,7 @@ var ACCESS_LEVEL_HIERARCHY = {
 };
 var ACCESS_LEVEL_DESCRIPTIONS = {
   none: "No access - credentials required",
-  guidance: "Guidance mode - registration information provided",
+  restricted: "Restricted access - registration prompt only",
   "read-only": "Read-only access - can browse but not modify",
   standard: "Standard access - normal operations per PDLSS policy",
   full: "Full access - all operations for high-trust agents",
@@ -23,7 +23,7 @@ var ACCESS_LEVEL_DESCRIPTIONS = {
 };
 var DEFAULT_TRUST_THRESHOLDS = {
   none: 0,
-  guidance: 0,
+  restricted: 0,
   "read-only": 20,
   standard: 40,
   full: 70,
@@ -49,11 +49,11 @@ function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLD
   if (trustScore >= thresholds.full) return "full";
   if (trustScore >= thresholds.standard) return "standard";
   if (trustScore >= thresholds["read-only"]) return "read-only";
-  return "guidance";
+  return "restricted";
 }
 function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
   if (!verified) {
-    return "guidance";
+    return "none";
   }
   if (isOrgMember) {
     return "internal";
@@ -74,7 +74,7 @@ function getCapabilities(accessLevel) {
         canAdmin: false,
         canAccessInternal: false
       };
-    case "guidance":
+    case "restricted":
       return {
         canRead: false,
         canWrite: false,
@@ -128,7 +128,11 @@ function getCapabilities(accessLevel) {
 // src/verify.ts
 var DEFAULT_CONFIG = {
   apiBaseUrl: "https://astrasync.ai/api",
-  defaultAccessLevel: "guidance",
+  // v2.3.9 (defect #30): default for unconfigured callers is `'none'` (no
+  // access). Pre-rename this defaulted to `'guidance'`, which combined with
+  // a route gated at `'guidance'` to silently let unverified traffic
+  // through (`hasMinimumAccess('guidance', 'guidance') === true`).
+  defaultAccessLevel: "none",
   // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
   cacheTtl: 300,
   // 5 minutes
@@ -227,7 +231,12 @@ function createGuidanceResponse(config, reason) {
   };
   return {
     verified: false,
-    accessLevel: "guidance",
+    // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+    // Adapters additionally short-circuit on `verified === false` before
+    // the gate check, but the access level still has to be honest at the
+    // data layer so downstream consumers (SDK adapters in other languages,
+    // custom integrations) inherit the correct semantics.
+    accessLevel: "none",
     guidance,
     denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
     verifiedAt: /* @__PURE__ */ new Date()
@@ -284,6 +293,23 @@ async function callVerifyAccessAPI(config, request) {
       body: JSON.stringify(body)
     });
     const data = await response.json();
+    if (response.status === 410) {
+      return {
+        success: true,
+        access: {
+          allowed: false,
+          accessLevel: "none",
+          reason: "endpoint_deactivated",
+          failures: [
+            {
+              dimension: "endpoint.deactivated",
+              message: typeof data?.message === "string" ? data.message : "Endpoint has been deactivated",
+              guidance: typeof data?.guidance === "string" ? data.guidance : "Reactivate via POST /api/endpoints/{id}/reactivate, or update the URL on the calling agent."
+            }
+          ]
+        }
+      };
+    }
     if (!response.ok) {
       return {
         success: false,
@@ -337,7 +363,14 @@ async function verify(config, request) {
     const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
-      accessLevel: "guidance",
+      // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+      // Pre-rename this hardcoded `'guidance'`, which conflated with the
+      // colocated `guidance: {...}` help-payload object below and let
+      // denied requests pass any route gated at `'guidance'` because
+      // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now
+      // ALSO short-circuit on `verified === false` before the gate check —
+      // belt-and-braces.
+      accessLevel: "none",
       denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
       failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
@@ -393,7 +426,8 @@ async function verify(config, request) {
     runtimeChallenge: apiResponse.runtimeChallenge,
     tokenGuidance: apiResponse.tokenGuidance,
     recommendation: apiResponse.recommendation,
-    recommendationReasons: apiResponse.recommendationReasons
+    recommendationReasons: apiResponse.recommendationReasons,
+    warningHeader: apiResponse.warningHeader
   };
   if (result.recommendation === "deny") {
     result.verified = false;
@@ -420,7 +454,7 @@ async function verify(config, request) {
   }
   return result;
 }
-async function recordDecision(config, sessionId, decision, reason) {
+async function recordDecision(config, sessionId, decision, reason, override) {
   const headers = { "Content-Type": "application/json" };
   if (config.apiKey) {
     headers["Authorization"] = `Bearer ${config.apiKey}`;
@@ -429,7 +463,16 @@ async function recordDecision(config, sessionId, decision, reason) {
   await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {
     method: "POST",
     headers,
-    body: JSON.stringify({ decision, reason })
+    body: JSON.stringify({
+      decision,
+      reason,
+      ...override && {
+        overriddenBy: override.overriddenBy,
+        toolName: override.toolName,
+        requestedLevel: override.requestedLevel,
+        grantedLevel: override.grantedLevel
+      }
+    })
   }).catch(() => {
   });
 }
@@ -666,6 +709,7 @@ function createMiddleware(options) {
   let lastFetchAt = 0;
   let refreshing = null;
   let warnedNoCounterparty = false;
+  let warnedEmptyRoutes = false;
   async function refreshRoutes() {
     if (!config.counterpartyId) {
       if (!warnedNoCounterparty) {
@@ -680,6 +724,13 @@ function createMiddleware(options) {
     if (fetched) {
       cachedRoutes = fetched;
       lastFetchAt = Date.now();
+      if (cachedRoutes.length === 0 && !warnedEmptyRoutes) {
+        const dashboard = config.dashboardUrl ?? "https://app.astrasync.ai";
+        console.warn(
+          `[VerificationGateway] No route policy configured for ${config.counterpartyId}. Gateway is in pass-through mode for ALL traffic until you add at least one route. Configure at ${dashboard}/dashboard/endpoints/${config.counterpartyId}/routes`
+        );
+        warnedEmptyRoutes = true;
+      }
     }
   }
   refreshing = refreshRoutes().finally(() => {
@@ -702,9 +753,20 @@ function createMiddleware(options) {
       }
       const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);
       if (!routeConfig) {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader(
+            "X-Astra-Gateway-Reason",
+            cachedRoutes.length === 0 ? "no-policy" : "no-match"
+          );
+        }
         return next();
       }
       if (routeConfig.minAccessLevel === "none") {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader("X-Astra-Gateway-Reason", "route-none");
+        }
         return next();
       }
       const credentials = customExtractCredentials ? customExtractCredentials(req) : defaultExtractCredentials(req);
@@ -763,6 +825,14 @@ function createMiddleware(options) {
       });
       req.agentVerification = result;
       const sessionId = result.sessionId;
+      if (!result.verified) {
+        if (shouldRecordDecisions && sessionId) {
+          recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
+          });
+        }
+        onDenied(result, req, res);
+        return;
+      }
       if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
         if (shouldRecordDecisions && sessionId) {
           recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
@@ -788,6 +858,10 @@ function createMiddleware(options) {
         recordDecision(config, sessionId, "granted").catch(() => {
         });
       }
+      const enhancedResult = result;
+      if (enhancedResult.warningHeader) {
+        res.setHeader(enhancedResult.warningHeader.name, enhancedResult.warningHeader.value);
+      }
       next();
     } catch (error) {
       console.error("[VerificationGateway] Middleware error:", error);
@@ -1143,7 +1217,7 @@ function createMiddleware2(options) {
         agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
       }
     });
-    if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
+    if (!result.verified || !hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
       if (pathname.startsWith("/api/")) {
         return NextResponse.json(
           {