npm - @astrasyncai/verification-gateway - Versions diffs - 2.4.11 → 2.4.14 - Mend

@astrasyncai/verification-gateway 2.4.11 → 2.4.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/dist/adapter-interface/interface.d.mts +2 -2
package/dist/adapter-interface/interface.d.ts +2 -2
package/dist/adapters/express.d.mts +2 -2
package/dist/adapters/express.d.ts +2 -2
package/dist/adapters/express.js +129 -36
package/dist/adapters/express.js.map +1 -1
package/dist/adapters/express.mjs +129 -36
package/dist/adapters/express.mjs.map +1 -1
package/dist/adapters/mcp.d.mts +26 -4
package/dist/adapters/mcp.d.ts +26 -4
package/dist/adapters/mcp.js +94 -28
package/dist/adapters/mcp.js.map +1 -1
package/dist/adapters/mcp.mjs +94 -28
package/dist/adapters/mcp.mjs.map +1 -1
package/dist/adapters/nextjs.d.mts +2 -2
package/dist/adapters/nextjs.d.ts +2 -2
package/dist/adapters/nextjs.js +75 -29
package/dist/adapters/nextjs.js.map +1 -1
package/dist/adapters/nextjs.mjs +75 -29
package/dist/adapters/nextjs.mjs.map +1 -1
package/dist/adapters/sdk.d.mts +2 -2
package/dist/adapters/sdk.d.ts +2 -2
package/dist/adapters/sdk.js +45 -22
package/dist/adapters/sdk.js.map +1 -1
package/dist/adapters/sdk.mjs +45 -22
package/dist/adapters/sdk.mjs.map +1 -1
package/dist/agent/index.d.mts +2 -2
package/dist/agent/index.d.ts +2 -2
package/dist/agent/index.js +29 -0
package/dist/agent/index.js.map +1 -1
package/dist/agent/index.mjs +29 -0
package/dist/agent/index.mjs.map +1 -1
package/dist/browser/background.js +86 -24
package/dist/browser/background.js.map +1 -1
package/dist/browser/background.mjs +86 -24
package/dist/browser/background.mjs.map +1 -1
package/dist/browser/browser-adapter.d.mts +2 -2
package/dist/browser/browser-adapter.d.ts +2 -2
package/dist/cli/index.d.mts +2 -2
package/dist/cli/index.d.ts +2 -2
package/dist/cursor/cursor-adapter.d.mts +2 -2
package/dist/cursor/cursor-adapter.d.ts +2 -2
package/dist/cursor/extension.d.mts +2 -2
package/dist/cursor/extension.d.ts +2 -2
package/dist/cursor/extension.js +86 -24
package/dist/cursor/extension.js.map +1 -1
package/dist/cursor/extension.mjs +86 -24
package/dist/cursor/extension.mjs.map +1 -1
package/dist/{express-C1ePFB7n.d.ts → express-CrfwoNAR.d.ts} +1 -1
package/dist/{express-4WStX3PV.d.mts → express-ienhAXps.d.mts} +1 -1
package/dist/gateway/gateway.d.mts +2 -2
package/dist/gateway/gateway.d.ts +2 -2
package/dist/gateway/gateway.js +86 -24
package/dist/gateway/gateway.js.map +1 -1
package/dist/gateway/gateway.mjs +86 -24
package/dist/gateway/gateway.mjs.map +1 -1
package/dist/git-trigger/git-hooks.d.mts +2 -2
package/dist/git-trigger/git-hooks.d.ts +2 -2
package/dist/{index-ChPX4WHl.d.mts → index-B5e2IDWU.d.mts} +1 -1
package/dist/{index-CzJMCgEy.d.ts → index-CCdZxvAr.d.ts} +71 -6
package/dist/{index-D8IEntil.d.mts → index-CEg_WG6y.d.mts} +71 -6
package/dist/{index-Cjm-zBeZ.d.ts → index-DC5f8eoQ.d.ts} +1 -1
package/dist/index.d.mts +7 -7
package/dist/index.d.ts +7 -7
package/dist/index.js +344 -73
package/dist/index.js.map +1 -1
package/dist/index.mjs +344 -73
package/dist/index.mjs.map +1 -1
package/dist/local-evaluator/evaluator.d.mts +2 -2
package/dist/local-evaluator/evaluator.d.ts +2 -2
package/dist/local-evaluator/evaluator.js +12 -2
package/dist/local-evaluator/evaluator.js.map +1 -1
package/dist/local-evaluator/evaluator.mjs +12 -2
package/dist/local-evaluator/evaluator.mjs.map +1 -1
package/dist/{nextjs-BIORS__0.d.ts → nextjs-66R1KW8e.d.ts} +1 -1
package/dist/{nextjs-CjzHdaXA.d.mts → nextjs-DSpisQst.d.mts} +1 -1
package/dist/{sdk-Chhz-FcT.d.mts → sdk-5U_CBRpr.d.mts} +1 -1
package/dist/{sdk-CqTEQAc6.d.ts → sdk-Bm8np66n.d.ts} +1 -1
package/dist/transport/index.d.mts +2 -2
package/dist/transport/index.d.ts +2 -2
package/dist/transport/index.js +146 -28
package/dist/transport/index.js.map +1 -1
package/dist/transport/index.mjs +146 -28
package/dist/transport/index.mjs.map +1 -1
package/dist/{types-L15pYd2c.d.mts → types-B3USs-Kx.d.mts} +42 -1
package/dist/{types-L15pYd2c.d.ts → types-B3USs-Kx.d.ts} +42 -1
package/dist/{types-DNK2BgIf.d.mts → types-CgDCUfo8.d.mts} +1 -1
package/dist/{types-DoWIuzfj.d.ts → types-R5N4ET6x.d.ts} +1 -1
package/dist/ui/index.d.mts +1 -1
package/dist/ui/index.d.ts +1 -1
package/package.json +1 -1

package/dist/adapters/nextjs.mjs CHANGED Viewed

@@ -18,7 +18,7 @@ function hasMinimumAccess(actual, required) {
 }
 // src/version.ts
-var SDK_VERSION = "2.4.11";
+var SDK_VERSION = "2.4.13";
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -37,22 +37,27 @@ var DEFAULT_CONFIG = {
 };
 var initCheckPerformed = false;
 var deprecationWarningShown = false;
-async function performInitCheck(apiBaseUrl, debug) {
+async function performInitCheck(apiBaseUrl, debug, strictInit) {
   initCheckPerformed = true;
   try {
     const probeUrl = `${apiBaseUrl}/agents/verify-access`;
     const response = await fetch(probeUrl, { method: "HEAD" });
     const contentType = response.headers.get("content-type") ?? "";
     if (contentType.startsWith("text/html")) {
-      console.warn(
-        `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
-      );
+      const message = `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging).`;
+      if (strictInit) {
+        throw new Error(`${message} (strictInit=true)`);
+      }
+      console.warn(`${message} Set disableInitChecks: true on GatewayConfig to silence.`);
     } else if (debug) {
       console.log(
         `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
       );
     }
   } catch (err) {
+    if (strictInit) {
+      throw err;
+    }
     if (debug) {
       console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
     }
@@ -76,7 +81,23 @@ function getCacheKey(request) {
     request.counterpartyType || "",
     request.isSubAgentRequest ? "1" : "0",
     request.parentAgentId || "",
-    request.subAgentDepth ?? ""
+    request.subAgentDepth ?? "",
+    // Audit F-A1-07: previously-missing dimensions that DO affect the
+    // backend verdict. Without these, two requests with different
+    // durations (e.g. 60s vs 86400s) collided on the same cache key and
+    // the shorter-duration allow served the longer-duration request.
+    request.durationRequired ?? "",
+    request.invocationProtocol || "",
+    request.enableRuntimeChallenge ? "1" : "0",
+    // callerMetadata fields contribute to risk model; include the ones
+    // backend reads. sourceIp/userAgent/forwardedFor change per-request
+    // so their inclusion effectively forces a re-check for any varying
+    // client (the right behavior — IP-driven anomaly scoring shouldn't
+    // be cached across IPs).
+    request.callerMetadata?.sourceIp || "",
+    request.callerMetadata?.userAgent || "",
+    request.callerMetadata?.forwardedFor || "",
+    request.callerMetadata?.agentCardUrl || ""
   ].join("|");
 }
 function getCachedResult(request) {
@@ -105,7 +126,7 @@ function createGuidanceResponse(config, reason, options = {}) {
   const isApiError = source === "api_error";
   const guidance = isApiError ? {
     message: "Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.",
-    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/agents/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
     steps: [
       "Retry the request with exponential backoff",
@@ -113,7 +134,7 @@ function createGuidanceResponse(config, reason, options = {}) {
     ]
   } : {
     message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
-    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/agents/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
     steps: [
       "Register for an AstraSync account",
@@ -190,12 +211,8 @@ async function callVerifyAccessAPI(config, request) {
     "Content-Type": "application/json",
     ...config.customHeaders
   };
-  if (credentials.authorizationHeader) {
-    headers["Authorization"] = credentials.authorizationHeader;
-  } else if (config.apiKey) {
-    headers["Authorization"] = `Bearer ${config.apiKey}`;
-  }
   if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
     headers["X-API-Key"] = config.apiKey;
   }
   try {
@@ -241,7 +258,11 @@ async function callVerifyAccessAPI(config, request) {
 async function verify(config, request) {
   const mergedConfig = { ...DEFAULT_CONFIG, ...config };
   if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
-    void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+    if (mergedConfig.strictInit) {
+      await performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, true);
+    } else {
+      void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, false);
+    }
   }
   if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
     deprecationWarningShown = true;
@@ -295,7 +316,7 @@ async function verify(config, request) {
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
         message: apiResponse.access?.reason || "Access denied by PDLSS policy",
-        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
+        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
         documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
       },
       verifiedAt: /* @__PURE__ */ new Date(),
@@ -365,13 +386,15 @@ async function verify(config, request) {
     result.denialReasons = result.recommendationReasons || [
       "Access denied by AstraSync recommendation"
     ];
-    if (result.runtimeChallenge) {
-      result.guidance = {
-        message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
-        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
-        documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
-      };
-    }
+    result.guidance = result.runtimeChallenge ? {
+      message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
+      registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
+      documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
+    } : {
+      message: result.recommendationReasons?.[0] || "Access denied by AstraSync recommendation",
+      registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
+      documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+    };
   } else if (result.recommendation === "step_up_required") {
     result.requiresStepUp = true;
     if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
@@ -501,6 +524,18 @@ function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
 }
 // src/adapters/nextjs.ts
+function escapeHtml(value) {
+  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function sanitizeUrl(value, fallback) {
+  if (typeof value !== "string" || value.length === 0) return escapeHtml(fallback);
+  const trimmed = value.trim();
+  if (/^javascript:|^data:|^vbscript:/i.test(trimmed)) return escapeHtml(fallback);
+  if (/^https?:\/\//i.test(trimmed) || trimmed.startsWith("/")) {
+    return escapeHtml(trimmed);
+  }
+  return escapeHtml(fallback);
+}
 function extractCredentialsFromNextRequest(request) {
   const credentials = {};
   const astraId = request.headers.get("x-astra-id") || request.headers.get("X-Astra-Id");
@@ -572,10 +607,18 @@ function extractPurpose(request) {
   }
 }
 function generateCommerceShieldHtml(result, options) {
-  const title = options.commerceShield?.title || "AstraSync Agent Verification";
-  const message = options.commerceShield?.message || result.guidance?.message || "This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials.";
-  const registrationUrl = result.guidance?.registrationUrl || "https://astrasync.ai/register";
-  const docsUrl = result.guidance?.documentationUrl || "https://astrasync.ai/docs/agent-access";
+  const title = escapeHtml(options.commerceShield?.title || "AstraSync Agent Verification");
+  const message = escapeHtml(
+    options.commerceShield?.message || result.guidance?.message || "This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials."
+  );
+  const registrationUrl = sanitizeUrl(
+    result.guidance?.registrationUrl,
+    "https://astrasync.ai/register"
+  );
+  const docsUrl = sanitizeUrl(
+    result.guidance?.documentationUrl,
+    "https://astrasync.ai/docs/agent-access"
+  );
   const allowGuest = options.commerceShield?.allowGuestAccess ?? true;
   return `
 <!DOCTYPE html>
@@ -697,7 +740,7 @@ function generateCommerceShieldHtml(result, options) {
     <div class="shield-steps">
       <h3>To get verified access:</h3>
       <ol>
-        <li>Register at <a href="${registrationUrl}">astrasync.ai/register</a></li>
+        <li>Register at <a href="${registrationUrl}">astrasync.ai/agents/register</a></li>
         <li>Create and register your agent</li>
         <li>Add your ASTRA-ID to request headers</li>
         <li>Refresh this page</li>
@@ -785,7 +828,7 @@ function createMiddleware(options) {
         denialReasons: preCheckFailures.map((f) => f.message),
         guidance: {
           message: "Request exceeds counterparty-defined PDLSS limits.",
-          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/agents/register`,
           documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
         },
         verifiedAt: /* @__PURE__ */ new Date()
@@ -828,7 +871,10 @@ function createMiddleware(options) {
     const result = await verify(config, {
       credentials,
       purpose,
-      action: request.method.toLowerCase(),
+      // RFC 7230 § 3.1.1 — HTTP method tokens uppercase by IANA convention.
+      // Backend evaluator tolerates either case as defense-in-depth
+      // (round-18.6 batch 2); SDK emits canonical form.
+      action: request.method.toUpperCase(),
       resource: pathname,
       counterpartyUrl,
       counterpartyType: config.counterpartyType || "website",