@astrasyncai/verification-gateway 2.3.8 → 2.3.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (84)
  1. package/README.md +93 -10
  2. package/dist/adapter-interface/interface.d.mts +2 -2
  3. package/dist/adapter-interface/interface.d.ts +2 -2
  4. package/dist/adapters/express.d.mts +2 -2
  5. package/dist/adapters/express.d.ts +2 -2
  6. package/dist/adapters/express.js +45 -6
  7. package/dist/adapters/express.js.map +1 -1
  8. package/dist/adapters/express.mjs +45 -6
  9. package/dist/adapters/express.mjs.map +1 -1
  10. package/dist/adapters/mcp.d.mts +1 -1
  11. package/dist/adapters/mcp.d.ts +1 -1
  12. package/dist/adapters/mcp.js +93 -11
  13. package/dist/adapters/mcp.js.map +1 -1
  14. package/dist/adapters/mcp.mjs +93 -11
  15. package/dist/adapters/mcp.mjs.map +1 -1
  16. package/dist/adapters/nextjs.d.mts +2 -2
  17. package/dist/adapters/nextjs.d.ts +2 -2
  18. package/dist/adapters/nextjs.js +27 -5
  19. package/dist/adapters/nextjs.js.map +1 -1
  20. package/dist/adapters/nextjs.mjs +27 -5
  21. package/dist/adapters/nextjs.mjs.map +1 -1
  22. package/dist/adapters/sdk.d.mts +2 -2
  23. package/dist/adapters/sdk.d.ts +2 -2
  24. package/dist/adapters/sdk.js +27 -5
  25. package/dist/adapters/sdk.js.map +1 -1
  26. package/dist/adapters/sdk.mjs +27 -5
  27. package/dist/adapters/sdk.mjs.map +1 -1
  28. package/dist/agent/index.d.mts +2 -2
  29. package/dist/agent/index.d.ts +2 -2
  30. package/dist/browser/background.js +26 -4
  31. package/dist/browser/background.js.map +1 -1
  32. package/dist/browser/background.mjs +26 -4
  33. package/dist/browser/background.mjs.map +1 -1
  34. package/dist/browser/browser-adapter.d.mts +2 -2
  35. package/dist/browser/browser-adapter.d.ts +2 -2
  36. package/dist/cli/index.d.mts +2 -2
  37. package/dist/cli/index.d.ts +2 -2
  38. package/dist/cursor/cursor-adapter.d.mts +2 -2
  39. package/dist/cursor/cursor-adapter.d.ts +2 -2
  40. package/dist/cursor/extension.d.mts +2 -2
  41. package/dist/cursor/extension.d.ts +2 -2
  42. package/dist/cursor/extension.js +26 -4
  43. package/dist/cursor/extension.js.map +1 -1
  44. package/dist/cursor/extension.mjs +26 -4
  45. package/dist/cursor/extension.mjs.map +1 -1
  46. package/dist/{express-BNWqDVIz.d.mts → express-4Vau6x6X.d.mts} +1 -1
  47. package/dist/{express-BYup_4Jg.d.ts → express-Nq-wWICa.d.ts} +1 -1
  48. package/dist/gateway/gateway.d.mts +2 -2
  49. package/dist/gateway/gateway.d.ts +2 -2
  50. package/dist/gateway/gateway.js +26 -4
  51. package/dist/gateway/gateway.js.map +1 -1
  52. package/dist/gateway/gateway.mjs +26 -4
  53. package/dist/gateway/gateway.mjs.map +1 -1
  54. package/dist/git-trigger/git-hooks.d.mts +2 -2
  55. package/dist/git-trigger/git-hooks.d.ts +2 -2
  56. package/dist/{index-DN3ztP2d.d.ts → index-B-EovXnY.d.ts} +1 -1
  57. package/dist/{index-CSMpOcxV.d.ts → index-CxwCN7AC.d.ts} +1 -1
  58. package/dist/{index-CK4lNLVn.d.mts → index-DiToN8gh.d.mts} +1 -1
  59. package/dist/{index-BHXa2WTO.d.mts → index-DkyPV14Y.d.mts} +1 -1
  60. package/dist/index.d.mts +7 -7
  61. package/dist/index.d.ts +7 -7
  62. package/dist/index.js +51 -12
  63. package/dist/index.js.map +1 -1
  64. package/dist/index.mjs +51 -12
  65. package/dist/index.mjs.map +1 -1
  66. package/dist/local-evaluator/evaluator.d.mts +2 -2
  67. package/dist/local-evaluator/evaluator.d.ts +2 -2
  68. package/dist/{nextjs-Bzdfu8Eg.d.mts → nextjs-BTR7Oix-.d.mts} +1 -1
  69. package/dist/{nextjs-C4h_MpgK.d.ts → nextjs-DO_4crcp.d.ts} +1 -1
  70. package/dist/{sdk-Tzsn6s-O.d.ts → sdk-DSLCyXIX.d.mts} +9 -2
  71. package/dist/{sdk-CDdD7EcJ.d.mts → sdk-TnHXD-Oh.d.ts} +9 -2
  72. package/dist/transport/index.d.mts +2 -2
  73. package/dist/transport/index.d.ts +2 -2
  74. package/dist/{types-D_tmbDA_.d.mts → types-BVp22KkN.d.mts} +27 -3
  75. package/dist/{types-D_tmbDA_.d.ts → types-BVp22KkN.d.ts} +27 -3
  76. package/dist/{types-Bzp1SMaD.d.ts → types-DVCWReEN.d.ts} +1 -1
  77. package/dist/{types-z-QVnG4b.d.mts → types-pU2O0BFq.d.mts} +1 -1
  78. package/dist/ui/index.d.mts +1 -1
  79. package/dist/ui/index.d.ts +1 -1
  80. package/dist/ui/index.js +3 -3
  81. package/dist/ui/index.js.map +1 -1
  82. package/dist/ui/index.mjs +3 -3
  83. package/dist/ui/index.mjs.map +1 -1
  84. package/package.json +1 -1
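--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -7,7 +7,7 @@ var __export = (target, all) => {
  // src/access-levels.ts
  var ACCESS_LEVEL_HIERARCHY = {
  none: 0,
- guidance: 1,
+ restricted: 1,
  "read-only": 2,
  standard: 3,
  full: 4,
@@ -15,7 +15,7 @@ var ACCESS_LEVEL_HIERARCHY = {
  };
  var ACCESS_LEVEL_DESCRIPTIONS = {
  none: "No access - credentials required",
- guidance: "Guidance mode - registration information provided",
+ restricted: "Restricted access - registration prompt only",
  "read-only": "Read-only access - can browse but not modify",
  standard: "Standard access - normal operations per PDLSS policy",
  full: "Full access - all operations for high-trust agents",
@@ -23,7 +23,7 @@ var ACCESS_LEVEL_DESCRIPTIONS = {
  };
  var DEFAULT_TRUST_THRESHOLDS = {
  none: 0,
- guidance: 0,
+ restricted: 0,
  "read-only": 20,
  standard: 40,
  full: 70,
@@ -49,11 +49,11 @@ function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLD
  if (trustScore >= thresholds.full) return "full";
  if (trustScore >= thresholds.standard) return "standard";
  if (trustScore >= thresholds["read-only"]) return "read-only";
- return "guidance";
+ return "restricted";
  }
  function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
  if (!verified) {
- return "guidance";
+ return "none";
  }
  if (isOrgMember) {
  return "internal";
@@ -74,7 +74,7 @@ function getCapabilities(accessLevel) {
  canAdmin: false,
  canAccessInternal: false
  };
- case "guidance":
+ case "restricted":
  return {
  canRead: false,
  canWrite: false,
@@ -128,7 +128,11 @@ function getCapabilities(accessLevel) {
  // src/verify.ts
  var DEFAULT_CONFIG = {
  apiBaseUrl: "https://astrasync.ai/api",
- defaultAccessLevel: "guidance",
+ // v2.3.9 (defect #30): default for unconfigured callers is `'none'` (no
+ // access). Pre-rename this defaulted to `'guidance'`, which combined with
+ // a route gated at `'guidance'` to silently let unverified traffic
+ // through (`hasMinimumAccess('guidance', 'guidance') === true`).
+ defaultAccessLevel: "none",
  // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
  cacheTtl: 300,
  // 5 minutes
@@ -227,7 +231,12 @@ function createGuidanceResponse(config, reason) {
  };
  return {
  verified: false,
- accessLevel: "guidance",
+ // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+ // Adapters additionally short-circuit on `verified === false` before
+ // the gate check, but the access level still has to be honest at the
+ // data layer so downstream consumers (SDK adapters in other languages,
+ // custom integrations) inherit the correct semantics.
+ accessLevel: "none",
  guidance,
  denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
  verifiedAt: /* @__PURE__ */ new Date()
@@ -354,7 +363,14 @@ async function verify(config, request) {
  const aggregatedFailures = apiResponse.access?.failures;
  const result2 = {
  verified: false,
- accessLevel: "guidance",
+ // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+ // Pre-rename this hardcoded `'guidance'`, which conflated with the
+ // colocated `guidance: {...}` help-payload object below and let
+ // denied requests pass any route gated at `'guidance'` because
+ // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now
+ // ALSO short-circuit on `verified === false` before the gate check —
+ // belt-and-braces.
+ accessLevel: "none",
  denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
  failures: aggregatedFailures,
  requiresStepUp: apiResponse.access?.requiresStepUp,
@@ -367,6 +383,9 @@ async function verify(config, request) {
  verifiedAt: /* @__PURE__ */ new Date(),
  // Extract sessionId so decisions can be recorded for denials too
  sessionId: apiResponse.sessionId,
+ // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
+ // correlationId is the linking key for paired local_override events.
+ correlationId: apiResponse.correlationId,
  recommendation: apiResponse.recommendation,
  recommendationReasons: apiResponse.recommendationReasons
  };
@@ -407,6 +426,9 @@ async function verify(config, request) {
  cacheTtl: mergedConfig.cacheTtl,
  // Handshake Protocol v10 enhanced fields (present when backend returns them)
  sessionId: apiResponse.sessionId,
+ // v2.3.10 (defect #34, round-4): anonymous responses surface correlationId
+ // (no session row exists for unverified callers).
+ correlationId: apiResponse.correlationId,
  runtimeChallenge: apiResponse.runtimeChallenge,
  tokenGuidance: apiResponse.tokenGuidance,
  recommendation: apiResponse.recommendation,
@@ -438,7 +460,7 @@ async function verify(config, request) {
  }
  return result;
  }
- async function recordDecision(config, sessionId, decision, reason) {
+ async function recordDecision(config, sessionId, decision, reason, override) {
  const headers = { "Content-Type": "application/json" };
  if (config.apiKey) {
  headers["Authorization"] = `Bearer ${config.apiKey}`;
@@ -447,7 +469,16 @@ async function recordDecision(config, sessionId, decision, reason) {
  await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {
  method: "POST",
  headers,
- body: JSON.stringify({ decision, reason })
+ body: JSON.stringify({
+ decision,
+ reason,
+ ...override && {
+ overriddenBy: override.overriddenBy,
+ toolName: override.toolName,
+ requestedLevel: override.requestedLevel,
+ grantedLevel: override.grantedLevel
+ }
+ })
  }).catch(() => {
  });
  }
@@ -800,6 +831,14 @@ function createMiddleware(options) {
  });
  req.agentVerification = result;
  const sessionId = result.sessionId;
+ if (!result.verified) {
+ if (shouldRecordDecisions && sessionId) {
+ recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
+ });
+ }
+ onDenied(result, req, res);
+ return;
+ }
  if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
  if (shouldRecordDecisions && sessionId) {
  recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
@@ -1184,7 +1223,7 @@ function createMiddleware2(options) {
  agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
  }
  });
- if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
+ if (!result.verified || !hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
  if (pathname.startsWith("/api/")) {
  return NextResponse.json(
  {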
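Review bot: In the `@@ -800,6 +831,14 @@` hunk of createMiddleware, the new `if (!result.verified)` branch records the denial only when `shouldRecordDecisions && sessionId`, but the comments added in the `@@ -367` and `@@ -407` hunks state that unverified/anonymous traffic has no session and carries only `correlationId` — so the denials this branch was added to catch are exactly the ones that never reach `recordDecision`, and the silent `.catch(() => {})` means the audit gap is invisible at runtime. `recordDecision` builds its URL from `sessionId` (`/agents/verify-access/${sessionId}/decision`), so `correlationId` cannot simply be substituted without a matching server route; until that exists I would at least document the gap above the guard: `// NOTE: anonymous denials carry only result.correlationId; recordDecision is keyed by sessionId, so they are not audited here.` The same `shouldRecordDecisions && sessionId` / `recordDecision(...)` pair is now duplicated verbatim in the `verified` branch and the `hasMinimumAccess` branch immediately below — a small `recordDenial(result)` helper would keep the two paths from drifting. createMiddleware's body starts and ends outside the hunk, so the handling of `onDenied` and the gate fall-through cannot be checked from here.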