@astrasyncai/verification-gateway 2.4.11 → 2.4.14

package/dist/adapters/express.mjs

@@ -18,7 +18,7 @@ function hasMinimumAccess(actual, required) {
 }
 
 // src/version.ts
-var SDK_VERSION = "2.4.11";
+var SDK_VERSION = "2.4.13";
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -37,22 +37,27 @@ var DEFAULT_CONFIG = {
 };
 var initCheckPerformed = false;
 var deprecationWarningShown = false;
-async function performInitCheck(apiBaseUrl, debug) {
+async function performInitCheck(apiBaseUrl, debug, strictInit) {
   initCheckPerformed = true;
   try {
     const probeUrl = `${apiBaseUrl}/agents/verify-access`;
     const response = await fetch(probeUrl, { method: "HEAD" });
     const contentType = response.headers.get("content-type") ?? "";
     if (contentType.startsWith("text/html")) {
-      console.warn(
-        `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
-      );
+      const message = `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging).`;
+      if (strictInit) {
+        throw new Error(`${message} (strictInit=true)`);
+      }
+      console.warn(`${message} Set disableInitChecks: true on GatewayConfig to silence.`);
     } else if (debug) {
       console.log(
         `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
       );
     }
   } catch (err) {
+    if (strictInit) {
+      throw err;
+    }
     if (debug) {
       console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
     }
@@ -76,7 +81,23 @@ function getCacheKey(request) {
     request.counterpartyType || "",
     request.isSubAgentRequest ? "1" : "0",
     request.parentAgentId || "",
-    request.subAgentDepth ?? ""
+    request.subAgentDepth ?? "",
+    // Audit F-A1-07: previously-missing dimensions that DO affect the
+    // backend verdict. Without these, two requests with different
+    // durations (e.g. 60s vs 86400s) collided on the same cache key and
+    // the shorter-duration allow served the longer-duration request.
+    request.durationRequired ?? "",
+    request.invocationProtocol || "",
+    request.enableRuntimeChallenge ? "1" : "0",
+    // callerMetadata fields contribute to risk model; include the ones
+    // backend reads. sourceIp/userAgent/forwardedFor change per-request
+    // so their inclusion effectively forces a re-check for any varying
+    // client (the right behavior — IP-driven anomaly scoring shouldn't
+    // be cached across IPs).
+    request.callerMetadata?.sourceIp || "",
+    request.callerMetadata?.userAgent || "",
+    request.callerMetadata?.forwardedFor || "",
+    request.callerMetadata?.agentCardUrl || ""
   ].join("|");
 }
 function getCachedResult(request) {
@@ -102,9 +123,13 @@ function cacheResult(request, result, configuredTtl) {
 }
 function extractCredentials(headers, query) {
   const credentials = {};
+  const ASTRA_ID_PATTERN = /^ASTRAE?-[A-Za-z0-9_-]{1,64}$/;
   const astraIdHeader = headers["x-astra-id"] || headers["X-Astra-Id"] || headers["X-ASTRA-ID"] || headers["x-astra-agentid"] || headers["X-Astra-AgentId"] || headers["x-astra-agent-id"] || headers["X-Astra-Agent-Id"] || headers["X-ASTRA-AGENT-ID"];
   if (astraIdHeader) {
-    credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;
+    const raw = Array.isArray(astraIdHeader) ? astraIdHeader[0] : typeof astraIdHeader === "string" ? astraIdHeader : void 0;
+    if (typeof raw === "string" && ASTRA_ID_PATTERN.test(raw)) {
+      credentials.astraId = raw;
+    }
   }
   const apiKeyHeader = headers["x-api-key"] || headers["X-Api-Key"] || headers["X-API-KEY"];
   if (apiKeyHeader) {
@@ -113,9 +138,11 @@ function extractCredentials(headers, query) {
   const authHeader = headers["authorization"] || headers["Authorization"];
   if (authHeader) {
     const authValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
-    credentials.authorizationHeader = authValue;
-    if (authValue.startsWith("Bearer ")) {
-      credentials.jwt = authValue.slice(7);
+    if (typeof authValue === "string") {
+      credentials.authorizationHeader = authValue;
+      if (authValue.startsWith("Bearer ")) {
+        credentials.jwt = authValue.slice(7);
+      }
     }
   }
   if (query) {
@@ -133,7 +160,7 @@ function createGuidanceResponse(config, reason, options = {}) {
   const isApiError = source === "api_error";
   const guidance = isApiError ? {
     message: "Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.",
-    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/agents/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
     steps: [
       "Retry the request with exponential backoff",
@@ -141,7 +168,7 @@ function createGuidanceResponse(config, reason, options = {}) {
     ]
   } : {
     message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
-    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/agents/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
     steps: [
       "Register for an AstraSync account",
@@ -218,12 +245,8 @@ async function callVerifyAccessAPI(config, request) {
     "Content-Type": "application/json",
     ...config.customHeaders
   };
-  if (credentials.authorizationHeader) {
-    headers["Authorization"] = credentials.authorizationHeader;
-  } else if (config.apiKey) {
-    headers["Authorization"] = `Bearer ${config.apiKey}`;
-  }
   if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
     headers["X-API-Key"] = config.apiKey;
   }
   try {
@@ -269,7 +292,11 @@ async function callVerifyAccessAPI(config, request) {
 async function verify(config, request) {
   const mergedConfig = { ...DEFAULT_CONFIG, ...config };
   if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
-    void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+    if (mergedConfig.strictInit) {
+      await performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, true);
+    } else {
+      void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, false);
+    }
   }
   if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
     deprecationWarningShown = true;
@@ -323,7 +350,7 @@ async function verify(config, request) {
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
         message: apiResponse.access?.reason || "Access denied by PDLSS policy",
-        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
+        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
         documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
       },
       verifiedAt: /* @__PURE__ */ new Date(),
@@ -393,13 +420,15 @@ async function verify(config, request) {
     result.denialReasons = result.recommendationReasons || [
       "Access denied by AstraSync recommendation"
     ];
-    if (result.runtimeChallenge) {
-      result.guidance = {
-        message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
-        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
-        documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
-      };
-    }
+    result.guidance = result.runtimeChallenge ? {
+      message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
+      registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
+      documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
+    } : {
+      message: result.recommendationReasons?.[0] || "Access denied by AstraSync recommendation",
+      registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
+      documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+    };
   } else if (result.recommendation === "step_up_required") {
     result.requiresStepUp = true;
     if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
@@ -588,18 +617,40 @@ function defaultExtractPurpose(req) {
       return "general";
   }
 }
-function matchRoute(pattern, path) {
+function matchRoute(pattern, path, opts) {
   const regexPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
-  const regex = new RegExp(`^${regexPattern}$`);
-  return regex.test(path);
+  const caseSensitiveRegex = new RegExp(`^${regexPattern}$`);
+  const caseSensitiveResult = caseSensitiveRegex.test(path);
+  if (!opts?.caseInsensitive && !opts?.logShadowDivergence) {
+    return caseSensitiveResult;
+  }
+  const caseInsensitiveRegex = new RegExp(`^${regexPattern}$`, "i");
+  const caseInsensitiveResult = caseInsensitiveRegex.test(path);
+  if (opts?.logShadowDivergence && caseSensitiveResult !== caseInsensitiveResult) {
+    console.warn(
+      `[SHADOW] matchRoute case-insensitive would change result: pattern=${pattern} path=${path} caseSensitive=${caseSensitiveResult} caseInsensitive=${caseInsensitiveResult} correlationId=${opts.correlationId ?? "unknown"}`
+    );
+  }
+  return opts?.caseInsensitive ? caseInsensitiveResult : caseSensitiveResult;
 }
-function findRouteConfig(routes, path, method) {
+function findRouteConfig(routes, path, method, opts) {
   return routes.find((route) => {
     const methodMatches = route.method === "*" || route.method.toUpperCase() === method.toUpperCase();
-    const pathMatches = matchRoute(route.pattern, path);
+    const pathMatches = matchRoute(route.pattern, path, opts);
     return methodMatches && pathMatches;
   });
 }
+function dedupeFailures(result) {
+  if (result.failures && result.failures.length > 1) {
+    const seen = /* @__PURE__ */ new Set();
+    result.failures = result.failures.filter((f) => {
+      const key = `${f.dimension}|${f.message}|${f.guidance ?? ""}`;
+      if (seen.has(key)) return false;
+      seen.add(key);
+      return true;
+    });
+  }
+}
 function defaultOnDenied(result, _req, res) {
   const statusCode = !result.identityVerified ? 401 : 403;
   res.setHeader("X-Astra-Gateway-Mode", "enforced");
@@ -626,6 +677,8 @@ function createMiddleware(options) {
     recordDecisions,
     enableRuntimeChallenge = true,
     routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,
+    failOnError = "open",
+    caseInsensitiveRouteMatch = false,
     ...config
   } = options;
   let cachedRoutes = [];
@@ -648,7 +701,7 @@ function createMiddleware(options) {
       cachedRoutes = fetched;
       lastFetchAt = Date.now();
       if (cachedRoutes.length === 0 && !warnedEmptyRoutes) {
-        const dashboard = config.dashboardUrl ?? "https://app.astrasync.ai";
+        const dashboard = config.dashboardUrl ?? "https://astrasync.ai/dashboard";
         console.warn(
           `[VerificationGateway] No route policy configured for ${config.counterpartyId}. Gateway is in pass-through mode for ALL traffic until you add at least one route. Configure at ${dashboard}/dashboard/endpoints/${config.counterpartyId}/routes`
         );
@@ -674,7 +727,12 @@ function createMiddleware(options) {
           refreshing = null;
         });
       }
-      const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);
+      const correlationId = req.headers["x-request-id"] || req.headers["x-correlation-id"];
+      const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method, {
+        caseInsensitive: caseInsensitiveRouteMatch,
+        logShadowDivergence: true,
+        correlationId
+      });
       if (!routeConfig) {
         if (config.setPassThroughHeader) {
           res.setHeader("X-Astra-Gateway-Mode", "unenforced");
@@ -706,7 +764,7 @@ function createMiddleware(options) {
           denialReasons: preCheckFailures.map((f) => f.message),
           guidance: {
             message: "Request exceeds counterparty-defined PDLSS limits.",
-            registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+            registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/agents/register`,
             documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
           },
           verifiedAt: /* @__PURE__ */ new Date()
@@ -721,18 +779,27 @@ function createMiddleware(options) {
           requestMethod: req.method
         }).catch(() => {
         });
+        dedupeFailures(result2);
         onDenied(result2, req, res);
         return;
       }
       const shouldRecordDecisions = recordDecisions !== false;
       const forwardedFor = req.headers["x-forwarded-for"];
       const forwardedForStr = Array.isArray(forwardedFor) ? forwardedFor.join(", ") : forwardedFor;
-      const originalClientIp = forwardedForStr ? forwardedForStr.split(",")[0].trim() : req.ip;
+      const originalClientIp = req.ip ?? (forwardedForStr ? forwardedForStr.split(",")[0].trim() : void 0);
+      if (!req.ip && forwardedForStr) {
+        console.warn(
+          "[VerificationGateway] req.ip unset \u2014 falling back to leftmost X-Forwarded-For. Configure Express trust proxy correctly to avoid spoofable client IPs in audit logs."
+        );
+      }
       const agentCardUrl = typeof req.headers["x-astrasync-agent-card"] === "string" ? req.headers["x-astrasync-agent-card"] : void 0;
       const result = await verify(config, {
         credentials,
         purpose,
-        action: req.method.toLowerCase(),
+        // RFC 7230 § 3.1.1 — HTTP method tokens uppercase by IANA convention.
+        // Backend evaluator tolerates either case as defense-in-depth
+        // (round-18.6 batch 2); SDK emits canonical form.
+        action: req.method.toUpperCase(),
         resource: req.path,
         createSession: shouldRecordDecisions,
         counterpartyUrl,
@@ -755,6 +822,7 @@ function createMiddleware(options) {
           recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
           });
         }
+        dedupeFailures(result);
         onDenied(result, req, res);
         return;
       }
@@ -781,6 +849,7 @@ function createMiddleware(options) {
           recordDecision(config, sessionId, "denied", insufficientFailure.message).catch(() => {
           });
         }
+        dedupeFailures(result);
         onDenied(result, req, res);
         return;
       }
@@ -797,6 +866,7 @@ function createMiddleware(options) {
             recordDecision(config, sessionId, "denied", trustFailure.message).catch(() => {
             });
           }
+          dedupeFailures(result);
           onDenied(result, req, res);
           return;
         }
@@ -811,7 +881,30 @@ function createMiddleware(options) {
       }
       next();
     } catch (error) {
+      const errorClass = error instanceof Error ? error.constructor.name : typeof error;
+      const correlationId = req.headers["x-request-id"] || req.headers["x-correlation-id"] || `gen-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 8)}`;
       console.error("[VerificationGateway] Middleware error:", error);
+      console.warn(
+        `[SHADOW] would-have-denied: errorClass=${errorClass} route=${req.method}:${req.path} merchantId=${config.counterpartyId ?? "unknown"} correlationId=${correlationId}`
+      );
+      if (failOnError === "closed") {
+        const result = {
+          identityVerified: false,
+          policyAllowed: false,
+          accessLevel: "none",
+          denialReasons: [`Verification middleware internal error: ${errorClass}`],
+          failures: [
+            {
+              dimension: "middleware.internal_error",
+              message: `Middleware threw ${errorClass} \u2014 failing closed`
+            }
+          ],
+          verifiedAt: /* @__PURE__ */ new Date(),
+          correlationId
+        };
+        dedupeFailures(result);
+        return onDenied(result, req, res);
+      }
       next();
     }
   };