@astrasyncai/verification-gateway 2.3.8 → 2.3.9

package/dist/git-trigger/git-hooks.d.mts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.mjs';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-z-QVnG4b.mjs';
-import '../types-D_tmbDA_.mjs';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-CKafuHDn.mjs';
+import '../types-UYT4GdPW.mjs';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/git-trigger/git-hooks.d.ts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.js';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-Bzp1SMaD.js';
-import '../types-D_tmbDA_.js';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-ppkhdldJ.js';
+import '../types-UYT4GdPW.js';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/{index-DN3ztP2d.d.ts → index-8DFMpITk.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-D_tmbDA_.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-UYT4GdPW.js';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index-BHXa2WTO.d.mts → index-B--6fiDp.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-D_tmbDA_.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-UYT4GdPW.mjs';
 import { JWK } from 'jose';
 
 /**

package/dist/{index-CK4lNLVn.d.mts → index-CAykfMWK.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-D_tmbDA_.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-UYT4GdPW.mjs';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index-CSMpOcxV.d.ts → index-Yt02MRyu.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-D_tmbDA_.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-UYT4GdPW.js';
 import { JWK } from 'jose';
 
 /**

package/dist/index.d.mts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-D_tmbDA_.mjs';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-D_tmbDA_.mjs';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-CDdD7EcJ.mjs';
-export { e as express } from './express-BNWqDVIz.mjs';
-export { n as nextjs } from './nextjs-Bzdfu8Eg.mjs';
-export { i as transport } from './index-BHXa2WTO.mjs';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-CK4lNLVn.mjs';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-UYT4GdPW.mjs';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-UYT4GdPW.mjs';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-yJjO7yzn.mjs';
+export { e as express } from './express-BiB51d5t.mjs';
+export { n as nextjs } from './nextjs-CpxqfQqD.mjs';
+export { i as transport } from './index-B--6fiDp.mjs';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-CAykfMWK.mjs';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.d.ts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-D_tmbDA_.js';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-D_tmbDA_.js';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-Tzsn6s-O.js';
-export { e as express } from './express-BYup_4Jg.js';
-export { n as nextjs } from './nextjs-C4h_MpgK.js';
-export { i as transport } from './index-CSMpOcxV.js';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DN3ztP2d.js';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-UYT4GdPW.js';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-UYT4GdPW.js';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-BMvauMgP.js';
+export { e as express } from './express-D6tEDU08.js';
+export { n as nextjs } from './nextjs-CK5F_tVZ.js';
+export { i as transport } from './index-Yt02MRyu.js';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-8DFMpITk.js';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.js

@@ -59,7 +59,7 @@ module.exports = __toCommonJS(src_exports);
 // src/access-levels.ts
 var ACCESS_LEVEL_HIERARCHY = {
   none: 0,
-  guidance: 1,
+  restricted: 1,
   "read-only": 2,
   standard: 3,
   full: 4,
@@ -67,7 +67,7 @@ var ACCESS_LEVEL_HIERARCHY = {
 };
 var ACCESS_LEVEL_DESCRIPTIONS = {
   none: "No access - credentials required",
-  guidance: "Guidance mode - registration information provided",
+  restricted: "Restricted access - registration prompt only",
   "read-only": "Read-only access - can browse but not modify",
   standard: "Standard access - normal operations per PDLSS policy",
   full: "Full access - all operations for high-trust agents",
@@ -75,7 +75,7 @@ var ACCESS_LEVEL_DESCRIPTIONS = {
 };
 var DEFAULT_TRUST_THRESHOLDS = {
   none: 0,
-  guidance: 0,
+  restricted: 0,
   "read-only": 20,
   standard: 40,
   full: 70,
@@ -101,11 +101,11 @@ function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLD
   if (trustScore >= thresholds.full) return "full";
   if (trustScore >= thresholds.standard) return "standard";
   if (trustScore >= thresholds["read-only"]) return "read-only";
-  return "guidance";
+  return "restricted";
 }
 function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
   if (!verified) {
-    return "guidance";
+    return "none";
   }
   if (isOrgMember) {
     return "internal";
@@ -126,7 +126,7 @@ function getCapabilities(accessLevel) {
         canAdmin: false,
         canAccessInternal: false
       };
-    case "guidance":
+    case "restricted":
       return {
         canRead: false,
         canWrite: false,
@@ -180,7 +180,11 @@ function getCapabilities(accessLevel) {
 // src/verify.ts
 var DEFAULT_CONFIG = {
   apiBaseUrl: "https://astrasync.ai/api",
-  defaultAccessLevel: "guidance",
+  // v2.3.9 (defect #30): default for unconfigured callers is `'none'` (no
+  // access). Pre-rename this defaulted to `'guidance'`, which combined with
+  // a route gated at `'guidance'` to silently let unverified traffic
+  // through (`hasMinimumAccess('guidance', 'guidance') === true`).
+  defaultAccessLevel: "none",
   // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
   cacheTtl: 300,
   // 5 minutes
@@ -279,7 +283,12 @@ function createGuidanceResponse(config, reason) {
   };
   return {
     verified: false,
-    accessLevel: "guidance",
+    // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+    // Adapters additionally short-circuit on `verified === false` before
+    // the gate check, but the access level still has to be honest at the
+    // data layer so downstream consumers (SDK adapters in other languages,
+    // custom integrations) inherit the correct semantics.
+    accessLevel: "none",
     guidance,
     denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
     verifiedAt: /* @__PURE__ */ new Date()
@@ -406,7 +415,14 @@ async function verify(config, request) {
     const aggregatedFailures = apiResponse.access?.failures;
     const result2 = {
       verified: false,
-      accessLevel: "guidance",
+      // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
+      // Pre-rename this hardcoded `'guidance'`, which conflated with the
+      // colocated `guidance: {...}` help-payload object below and let
+      // denied requests pass any route gated at `'guidance'` because
+      // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now
+      // ALSO short-circuit on `verified === false` before the gate check —
+      // belt-and-braces.
+      accessLevel: "none",
       denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
       failures: aggregatedFailures,
       requiresStepUp: apiResponse.access?.requiresStepUp,
@@ -490,7 +506,7 @@ async function verify(config, request) {
   }
   return result;
 }
-async function recordDecision(config, sessionId, decision, reason) {
+async function recordDecision(config, sessionId, decision, reason, override) {
   const headers = { "Content-Type": "application/json" };
   if (config.apiKey) {
     headers["Authorization"] = `Bearer ${config.apiKey}`;
@@ -499,7 +515,16 @@ async function recordDecision(config, sessionId, decision, reason) {
   await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {
     method: "POST",
     headers,
-    body: JSON.stringify({ decision, reason })
+    body: JSON.stringify({
+      decision,
+      reason,
+      ...override && {
+        overriddenBy: override.overriddenBy,
+        toolName: override.toolName,
+        requestedLevel: override.requestedLevel,
+        grantedLevel: override.grantedLevel
+      }
+    })
   }).catch(() => {
   });
 }
@@ -852,6 +877,14 @@ function createMiddleware(options) {
       });
       req.agentVerification = result;
       const sessionId = result.sessionId;
+      if (!result.verified) {
+        if (shouldRecordDecisions && sessionId) {
+          recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
+          });
+        }
+        onDenied(result, req, res);
+        return;
+      }
       if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
         if (shouldRecordDecisions && sessionId) {
           recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
@@ -1236,7 +1269,7 @@ function createMiddleware2(options) {
         agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
       }
     });
-    if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
+    if (!result.verified || !hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
       if (pathname.startsWith("/api/")) {
         return NextResponse.json(
           {