@astrasyncai/verification-gateway 2.4.0 → 2.4.2

package/dist/git-trigger/git-hooks.d.mts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.mjs';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-pU2O0BFq.mjs';
-import '../types-BVp22KkN.mjs';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-C_e1IZdU.mjs';
+import '../types-DLai3jly.mjs';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/git-trigger/git-hooks.d.ts

@@ -1,6 +1,6 @@
 import { AstraSyncGateway } from '../gateway/gateway.js';
-import { V as VerificationDecision, P as PDLSSContext } from '../types-DVCWReEN.js';
-import '../types-BVp22KkN.js';
+import { V as VerificationDecision, P as PDLSSContext } from '../types-IUzu-A4u.js';
+import '../types-DLai3jly.js';
 
 /**
  * Git Trigger — Enterprise git push / PR verification

package/dist/{index-DkyPV14Y.d.mts → index-C9yWlQ2Y.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-BVp22KkN.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-DLai3jly.mjs';
 import { JWK } from 'jose';
 
 /**

package/dist/{index-DiToN8gh.d.mts → index-DAGm-Sgf.d.mts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-BVp22KkN.mjs';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-DLai3jly.mjs';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index-B-EovXnY.d.ts → index-Dd4alF0l.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-BVp22KkN.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-DLai3jly.js';
 
 /**
  * AgentClient — Credential Presentation

package/dist/{index-CxwCN7AC.d.ts → index-NZiKvrtE.d.ts}

@@ -1,4 +1,4 @@
-import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-BVp22KkN.js';
+import { A as AstraSyncCredentials, g as ProtocolTransport } from './types-DLai3jly.js';
 import { JWK } from 'jose';
 
 /**

package/dist/index.d.mts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-BVp22KkN.mjs';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-BVp22KkN.mjs';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-DSLCyXIX.mjs';
-export { e as express } from './express-4Vau6x6X.mjs';
-export { n as nextjs } from './nextjs-BTR7Oix-.mjs';
-export { i as transport } from './index-DkyPV14Y.mjs';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DiToN8gh.mjs';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-DLai3jly.mjs';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-DLai3jly.mjs';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-Cixo6pTV.mjs';
+export { e as express } from './express-DneHiMhu.mjs';
+export { n as nextjs } from './nextjs-vUuVCaBP.mjs';
+export { i as transport } from './index-C9yWlQ2Y.mjs';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DAGm-Sgf.mjs';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.d.ts

@@ -1,10 +1,10 @@
-import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-BVp22KkN.js';
-export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-BVp22KkN.js';
-export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-TnHXD-Oh.js';
-export { e as express } from './express-Nq-wWICa.js';
-export { n as nextjs } from './nextjs-DO_4crcp.js';
-export { i as transport } from './index-CxwCN7AC.js';
-export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-B-EovXnY.js';
+import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, c as VerificationRequest, V as VerificationResult } from './types-DLai3jly.js';
+export { A as AstraSyncCredentials, d as CommerceShieldProps, C as CounterpartyType, e as EnhancedVerificationResult, E as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-DLai3jly.js';
+export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, c as getCapabilities, e as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-BvWp4q2q.js';
+export { e as express } from './express-DsiaQRFt.js';
+export { n as nextjs } from './nextjs-B4WmoiVm.js';
+export { i as transport } from './index-NZiKvrtE.js';
+export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-Dd4alF0l.js';
 import 'express';
 import 'next/server';
 import 'jose';

package/dist/index.js

@@ -269,8 +269,18 @@ function extractCredentials(headers, query) {
 function hasCredentials(credentials) {
   return !!(credentials.astraId || credentials.apiKey || credentials.jwt);
 }
-function createGuidanceResponse(config, reason) {
-  const guidance = {
+function createGuidanceResponse(config, reason, options = {}) {
+  const source = options.source ?? "no_credentials";
+  const isApiError = source === "api_error";
+  const guidance = isApiError ? {
+    message: "Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.",
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
+    steps: [
+      "Retry the request with exponential backoff",
+      "If failures persist, share the correlationId with support"
+    ]
+  } : {
     message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
     registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
@@ -291,6 +301,18 @@ function createGuidanceResponse(config, reason) {
     accessLevel: "none",
     guidance,
     denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
+    // Round-10 (#47, O5): on API-error fallback, surface a typed failure so
+    // partners (and their custom onDenied handlers) can branch on
+    // dimension. Without this, the synthesised stub was indistinguishable
+    // from a real policy deny.
+    failures: isApiError ? [
+      {
+        dimension: "verify_access.api_error",
+        message: reason ?? "Verification temporarily unavailable",
+        guidance: guidance.message
+      }
+    ] : void 0,
+    correlationId: options.correlationId,
     verifiedAt: /* @__PURE__ */ new Date()
   };
 }
@@ -365,7 +387,8 @@ async function callVerifyAccessAPI(config, request) {
     if (!response.ok) {
       return {
         success: false,
-        error: data.message || data.error || `API returned ${response.status}`
+        error: data.message || data.error || `API returned ${response.status}`,
+        correlationId: typeof data?.correlationId === "string" ? data.correlationId : void 0
       };
     }
     return data;
@@ -409,7 +432,10 @@ async function verify(config, request) {
   }
   const apiResponse = await callVerifyAccessAPI(mergedConfig, enrichedRequest);
   if (!apiResponse.success) {
-    return createGuidanceResponse(mergedConfig, apiResponse.error);
+    return createGuidanceResponse(mergedConfig, apiResponse.error, {
+      source: "api_error",
+      correlationId: apiResponse.correlationId
+    });
   }
   if (!apiResponse.access?.allowed) {
     const aggregatedFailures = apiResponse.access?.failures;
@@ -741,13 +767,17 @@ function findRouteConfig(routes, path, method) {
 }
 function defaultOnDenied(result, _req, res) {
   const statusCode = result.verified ? 403 : 401;
+  res.setHeader("X-Astra-Gateway-Mode", "enforced");
   res.status(statusCode).json({
     success: false,
     error: {
       code: result.verified ? "INSUFFICIENT_ACCESS" : "UNAUTHORIZED",
       message: result.denialReasons?.[0] || "Access denied",
       accessLevel: result.accessLevel,
-      guidance: result.guidance
+      guidance: result.guidance,
+      // Round-10: aggregated per-dimension detail + correlation handle.
+      failures: result.failures,
+      correlationId: result.correlationId
     }
   });
 }
@@ -812,7 +842,7 @@ function createMiddleware(options) {
       const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);
       if (!routeConfig) {
         if (config.setPassThroughHeader) {
-          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader("X-Astra-Gateway-Mode", "unenforced");
           res.setHeader(
             "X-Astra-Gateway-Reason",
             cachedRoutes.length === 0 ? "no-policy" : "no-match"
@@ -822,7 +852,7 @@ function createMiddleware(options) {
       }
       if (routeConfig.minAccessLevel === "none") {
         if (config.setPassThroughHeader) {
-          res.setHeader("X-Astra-Gateway-Mode", "pass-through");
+          res.setHeader("X-Astra-Gateway-Mode", "unenforced");
           res.setHeader("X-Astra-Gateway-Reason", "route-none");
         }
         return next();