@astrasyncai/verification-gateway 2.3.8 → 2.3.10

package/dist/cursor/extension.mjs

@@ -3258,7 +3258,7 @@ function verifyLocal(evaluator, context) {
 // src/access-levels.ts
 var ACCESS_LEVEL_HIERARCHY = {
   none: 0,
-  guidance: 1,
+  restricted: 1,
   "read-only": 2,
   standard: 3,
   full: 4,
@@ -3274,7 +3274,11 @@ function getTrustLevel(score) {
 // src/verify.ts
 var DEFAULT_CONFIG = {
   apiBaseUrl: "https://astrasync.ai/api",
-  defaultAccessLevel: "guidance",
+  // v2.3.9 (defect #30): default for unconfigured callers is `'none'` (no
+  // access). Pre-rename this defaulted to `'guidance'`, which combined with
+  // a route gated at `'guidance'` to silently let unverified traffic
+  // through (`hasMinimumAccess('guidance', 'guidance') === true`).
+  defaultAccessLevel: "none",
   // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
   cacheTtl: 300,
   // 5 minutes
@@ -3339,7 +3343,12 @@ function createGuidanceResponse(config, reason) {
   };
   return {
     verified: false,
-    accessLevel: "guidance",
+    // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+    // Adapters additionally short-circuit on `verified === false` before
+    // the gate check, but the access level still has to be honest at the
+    // data layer so downstream consumers (SDK adapters in other languages,
+    // custom integrations) inherit the correct semantics.
+    accessLevel: "none",
     guidance,
     denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
     verifiedAt: /* @__PURE__ */ new Date()
@@ -3466,7 +3475,14 @@ async function verify(config, request) {
     const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
-      accessLevel: "guidance",
+      // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+      // Pre-rename this hardcoded `'guidance'`, which conflated with the
+      // colocated `guidance: {...}` help-payload object below and let
+      // denied requests pass any route gated at `'guidance'` because
+      // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now
+      // ALSO short-circuit on `verified === false` before the gate check —
+      // belt-and-braces.
+      accessLevel: "none",
       denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
       failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
@@ -3479,6 +3495,9 @@ async function verify(config, request) {
       verifiedAt: /* @__PURE__ */ new Date(),
       // Extract sessionId so decisions can be recorded for denials too
       sessionId: apiResponse.sessionId,
+      // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
+      // correlationId is the linking key for paired local_override events.
+      correlationId: apiResponse.correlationId,
       recommendation: apiResponse.recommendation,
       recommendationReasons: apiResponse.recommendationReasons
     };
@@ -3519,6 +3538,9 @@ async function verify(config, request) {
     cacheTtl: mergedConfig.cacheTtl,
     // Handshake Protocol v10 enhanced fields (present when backend returns them)
     sessionId: apiResponse.sessionId,
+    // v2.3.10 (defect #34, round-4): anonymous responses surface correlationId
+    // (no session row exists for unverified callers).
+    correlationId: apiResponse.correlationId,
     runtimeChallenge: apiResponse.runtimeChallenge,
     tokenGuidance: apiResponse.tokenGuidance,
     recommendation: apiResponse.recommendation,