@astrasyncai/verification-gateway 2.4.11 → 2.4.14

package/dist/adapters/nextjs.js

@@ -55,7 +55,7 @@ function hasMinimumAccess(actual, required) {
 }
 
 // src/version.ts
-var SDK_VERSION = "2.4.11";
+var SDK_VERSION = "2.4.13";
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -74,22 +74,27 @@ var DEFAULT_CONFIG = {
 };
 var initCheckPerformed = false;
 var deprecationWarningShown = false;
-async function performInitCheck(apiBaseUrl, debug) {
+async function performInitCheck(apiBaseUrl, debug, strictInit) {
   initCheckPerformed = true;
   try {
     const probeUrl = `${apiBaseUrl}/agents/verify-access`;
     const response = await fetch(probeUrl, { method: "HEAD" });
     const contentType = response.headers.get("content-type") ?? "";
     if (contentType.startsWith("text/html")) {
-      console.warn(
-        `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
-      );
+      const message = `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging).`;
+      if (strictInit) {
+        throw new Error(`${message} (strictInit=true)`);
+      }
+      console.warn(`${message} Set disableInitChecks: true on GatewayConfig to silence.`);
     } else if (debug) {
       console.log(
         `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
       );
     }
   } catch (err) {
+    if (strictInit) {
+      throw err;
+    }
     if (debug) {
       console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
     }
@@ -113,7 +118,23 @@ function getCacheKey(request) {
     request.counterpartyType || "",
     request.isSubAgentRequest ? "1" : "0",
     request.parentAgentId || "",
-    request.subAgentDepth ?? ""
+    request.subAgentDepth ?? "",
+    // Audit F-A1-07: previously-missing dimensions that DO affect the
+    // backend verdict. Without these, two requests with different
+    // durations (e.g. 60s vs 86400s) collided on the same cache key and
+    // the shorter-duration allow served the longer-duration request.
+    request.durationRequired ?? "",
+    request.invocationProtocol || "",
+    request.enableRuntimeChallenge ? "1" : "0",
+    // callerMetadata fields contribute to risk model; include the ones
+    // backend reads. sourceIp/userAgent/forwardedFor change per-request
+    // so their inclusion effectively forces a re-check for any varying
+    // client (the right behavior — IP-driven anomaly scoring shouldn't
+    // be cached across IPs).
+    request.callerMetadata?.sourceIp || "",
+    request.callerMetadata?.userAgent || "",
+    request.callerMetadata?.forwardedFor || "",
+    request.callerMetadata?.agentCardUrl || ""
   ].join("|");
 }
 function getCachedResult(request) {
@@ -142,7 +163,7 @@ function createGuidanceResponse(config, reason, options = {}) {
   const isApiError = source === "api_error";
   const guidance = isApiError ? {
     message: "Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.",
-    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/agents/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
     steps: [
       "Retry the request with exponential backoff",
@@ -150,7 +171,7 @@ function createGuidanceResponse(config, reason, options = {}) {
     ]
   } : {
     message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
-    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/agents/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
     steps: [
       "Register for an AstraSync account",
@@ -227,12 +248,8 @@ async function callVerifyAccessAPI(config, request) {
     "Content-Type": "application/json",
     ...config.customHeaders
   };
-  if (credentials.authorizationHeader) {
-    headers["Authorization"] = credentials.authorizationHeader;
-  } else if (config.apiKey) {
-    headers["Authorization"] = `Bearer ${config.apiKey}`;
-  }
   if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
     headers["X-API-Key"] = config.apiKey;
   }
   try {
@@ -278,7 +295,11 @@ async function callVerifyAccessAPI(config, request) {
 async function verify(config, request) {
   const mergedConfig = { ...DEFAULT_CONFIG, ...config };
   if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
-    void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+    if (mergedConfig.strictInit) {
+      await performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, true);
+    } else {
+      void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, false);
+    }
   }
   if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
     deprecationWarningShown = true;
@@ -332,7 +353,7 @@ async function verify(config, request) {
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
         message: apiResponse.access?.reason || "Access denied by PDLSS policy",
-        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
+        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
         documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
       },
       verifiedAt: /* @__PURE__ */ new Date(),
@@ -402,13 +423,15 @@ async function verify(config, request) {
     result.denialReasons = result.recommendationReasons || [
       "Access denied by AstraSync recommendation"
     ];
-    if (result.runtimeChallenge) {
-      result.guidance = {
-        message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
-        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
-        documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
-      };
-    }
+    result.guidance = result.runtimeChallenge ? {
+      message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
+      registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
+      documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
+    } : {
+      message: result.recommendationReasons?.[0] || "Access denied by AstraSync recommendation",
+      registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
+      documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+    };
   } else if (result.recommendation === "step_up_required") {
     result.requiresStepUp = true;
     if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
@@ -538,6 +561,18 @@ function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
 }
 
 // src/adapters/nextjs.ts
+function escapeHtml(value) {
+  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function sanitizeUrl(value, fallback) {
+  if (typeof value !== "string" || value.length === 0) return escapeHtml(fallback);
+  const trimmed = value.trim();
+  if (/^javascript:|^data:|^vbscript:/i.test(trimmed)) return escapeHtml(fallback);
+  if (/^https?:\/\//i.test(trimmed) || trimmed.startsWith("/")) {
+    return escapeHtml(trimmed);
+  }
+  return escapeHtml(fallback);
+}
 function extractCredentialsFromNextRequest(request) {
   const credentials = {};
   const astraId = request.headers.get("x-astra-id") || request.headers.get("X-Astra-Id");
@@ -609,10 +644,18 @@ function extractPurpose(request) {
   }
 }
 function generateCommerceShieldHtml(result, options) {
-  const title = options.commerceShield?.title || "AstraSync Agent Verification";
-  const message = options.commerceShield?.message || result.guidance?.message || "This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials.";
-  const registrationUrl = result.guidance?.registrationUrl || "https://astrasync.ai/register";
-  const docsUrl = result.guidance?.documentationUrl || "https://astrasync.ai/docs/agent-access";
+  const title = escapeHtml(options.commerceShield?.title || "AstraSync Agent Verification");
+  const message = escapeHtml(
+    options.commerceShield?.message || result.guidance?.message || "This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials."
+  );
+  const registrationUrl = sanitizeUrl(
+    result.guidance?.registrationUrl,
+    "https://astrasync.ai/register"
+  );
+  const docsUrl = sanitizeUrl(
+    result.guidance?.documentationUrl,
+    "https://astrasync.ai/docs/agent-access"
+  );
   const allowGuest = options.commerceShield?.allowGuestAccess ?? true;
   return `
 <!DOCTYPE html>
@@ -734,7 +777,7 @@ function generateCommerceShieldHtml(result, options) {
     <div class="shield-steps">
       <h3>To get verified access:</h3>
       <ol>
-        <li>Register at <a href="${registrationUrl}">astrasync.ai/register</a></li>
+        <li>Register at <a href="${registrationUrl}">astrasync.ai/agents/register</a></li>
         <li>Create and register your agent</li>
         <li>Add your ASTRA-ID to request headers</li>
         <li>Refresh this page</li>
@@ -822,7 +865,7 @@ function createMiddleware(options) {
         denialReasons: preCheckFailures.map((f) => f.message),
         guidance: {
           message: "Request exceeds counterparty-defined PDLSS limits.",
-          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/agents/register`,
           documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
         },
         verifiedAt: /* @__PURE__ */ new Date()
@@ -865,7 +908,10 @@ function createMiddleware(options) {
     const result = await verify(config, {
       credentials,
       purpose,
-      action: request.method.toLowerCase(),
+      // RFC 7230 § 3.1.1 — HTTP method tokens uppercase by IANA convention.
+      // Backend evaluator tolerates either case as defense-in-depth
+      // (round-18.6 batch 2); SDK emits canonical form.
+      action: request.method.toUpperCase(),
       resource: pathname,
       counterpartyUrl,
       counterpartyType: config.counterpartyType || "website",