@astrasyncai/verification-gateway 2.4.12 → 2.4.14

package/dist/gateway/gateway.mjs

@@ -80,7 +80,10 @@ var LocalEvaluator = class {
       }
       const depth = context.metadata?.subAgentDepth || 0;
       if (this.policy.selfInstantiation.maxDepth !== void 0 && depth >= this.policy.selfInstantiation.maxDepth) {
-        return { recommendation: "DENY", reason: `Sub-agent depth ${depth} exceeds max depth ${this.policy.selfInstantiation.maxDepth}` };
+        return {
+          recommendation: "DENY",
+          reason: `Sub-agent depth ${depth} exceeds max depth ${this.policy.selfInstantiation.maxDepth}`
+        };
       }
     }
     if (purposeRule.requiresApproval) {
@@ -161,7 +164,10 @@ var LocalEvaluator = class {
       return { recommendation: "DENY", reason: `Risk score ${riskScore} exceeds block threshold` };
     }
     if (riskScore >= thresholds.requireApproval.min) {
-      return { recommendation: "MANUAL_REVIEW", reason: `Risk score ${riskScore} requires approval` };
+      return {
+        recommendation: "MANUAL_REVIEW",
+        reason: `Risk score ${riskScore} requires approval`
+      };
     }
     return null;
   }
@@ -226,6 +232,10 @@ var LocalEvaluator = class {
    */
   matchGlob(value, pattern) {
     if (pattern === value) return true;
+    const starCount = (pattern.match(/\*/g) ?? []).length;
+    if (starCount > 8) {
+      return false;
+    }
     const regexStr = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
     try {
       return new RegExp(`^${regexStr}$`, "i").test(value);
@@ -3029,7 +3039,7 @@ function getTrustLevel(score) {
 }
 
 // src/version.ts
-var SDK_VERSION = "2.4.12";
+var SDK_VERSION = "2.4.13";
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -3048,22 +3058,27 @@ var DEFAULT_CONFIG = {
 };
 var initCheckPerformed = false;
 var deprecationWarningShown = false;
-async function performInitCheck(apiBaseUrl, debug) {
+async function performInitCheck(apiBaseUrl, debug, strictInit) {
   initCheckPerformed = true;
   try {
     const probeUrl = `${apiBaseUrl}/agents/verify-access`;
     const response = await fetch(probeUrl, { method: "HEAD" });
     const contentType = response.headers.get("content-type") ?? "";
     if (contentType.startsWith("text/html")) {
-      console.warn(
-        `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
-      );
+      const message = `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging).`;
+      if (strictInit) {
+        throw new Error(`${message} (strictInit=true)`);
+      }
+      console.warn(`${message} Set disableInitChecks: true on GatewayConfig to silence.`);
     } else if (debug) {
       console.log(
         `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
       );
     }
   } catch (err) {
+    if (strictInit) {
+      throw err;
+    }
     if (debug) {
       console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
     }
@@ -3087,7 +3102,23 @@ function getCacheKey(request) {
     request.counterpartyType || "",
     request.isSubAgentRequest ? "1" : "0",
     request.parentAgentId || "",
-    request.subAgentDepth ?? ""
+    request.subAgentDepth ?? "",
+    // Audit F-A1-07: previously-missing dimensions that DO affect the
+    // backend verdict. Without these, two requests with different
+    // durations (e.g. 60s vs 86400s) collided on the same cache key and
+    // the shorter-duration allow served the longer-duration request.
+    request.durationRequired ?? "",
+    request.invocationProtocol || "",
+    request.enableRuntimeChallenge ? "1" : "0",
+    // callerMetadata fields contribute to risk model; include the ones
+    // backend reads. sourceIp/userAgent/forwardedFor change per-request
+    // so their inclusion effectively forces a re-check for any varying
+    // client (the right behavior — IP-driven anomaly scoring shouldn't
+    // be cached across IPs).
+    request.callerMetadata?.sourceIp || "",
+    request.callerMetadata?.userAgent || "",
+    request.callerMetadata?.forwardedFor || "",
+    request.callerMetadata?.agentCardUrl || ""
   ].join("|");
 }
 function getCachedResult(request) {
@@ -3116,7 +3147,7 @@ function createGuidanceResponse(config, reason, options = {}) {
   const isApiError = source === "api_error";
   const guidance = isApiError ? {
     message: "Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.",
-    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/agents/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
     steps: [
       "Retry the request with exponential backoff",
@@ -3124,7 +3155,7 @@ function createGuidanceResponse(config, reason, options = {}) {
     ]
   } : {
     message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
-    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/agents/register`,
     documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
     steps: [
       "Register for an AstraSync account",
@@ -3201,12 +3232,8 @@ async function callVerifyAccessAPI(config, request) {
     "Content-Type": "application/json",
     ...config.customHeaders
   };
-  if (credentials.authorizationHeader) {
-    headers["Authorization"] = credentials.authorizationHeader;
-  } else if (config.apiKey) {
-    headers["Authorization"] = `Bearer ${config.apiKey}`;
-  }
   if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
     headers["X-API-Key"] = config.apiKey;
   }
   try {
@@ -3252,7 +3279,11 @@ async function callVerifyAccessAPI(config, request) {
 async function verify(config, request) {
   const mergedConfig = { ...DEFAULT_CONFIG, ...config };
   if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
-    void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
+    if (mergedConfig.strictInit) {
+      await performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, true);
+    } else {
+      void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, false);
+    }
   }
   if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
     deprecationWarningShown = true;
@@ -3306,7 +3337,7 @@ async function verify(config, request) {
       requiresApproval: apiResponse.access?.requiresApproval,
       guidance: {
         message: apiResponse.access?.reason || "Access denied by PDLSS policy",
-        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
+        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
         documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
       },
       verifiedAt: /* @__PURE__ */ new Date(),
@@ -3376,13 +3407,15 @@ async function verify(config, request) {
     result.denialReasons = result.recommendationReasons || [
       "Access denied by AstraSync recommendation"
     ];
-    if (result.runtimeChallenge) {
-      result.guidance = {
-        message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
-        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
-        documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
-      };
-    }
+    result.guidance = result.runtimeChallenge ? {
+      message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
+      registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
+      documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
+    } : {
+      message: result.recommendationReasons?.[0] || "Access denied by AstraSync recommendation",
+      registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/agents/register`,
+      documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+    };
   } else if (result.recommendation === "step_up_required") {
     result.requiresStepUp = true;
     if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
@@ -3408,6 +3441,35 @@ import { parseDictionary } from "structured-headers";
 // src/transport/rfc9421-verify.ts
 import { httpbis } from "http-message-signatures";
 
+// src/transport/nonce-store.ts
+var InMemoryNonceStore = class {
+  constructor(capacity = 1e4) {
+    this.entries = /* @__PURE__ */ new Map();
+    this.lastSweepMs = 0;
+    this.capacity = capacity;
+  }
+  seen(key, expiresAtMs) {
+    const nowMs = Date.now();
+    if (nowMs - this.lastSweepMs > 1e3) {
+      for (const [k, exp] of this.entries) {
+        if (exp <= nowMs) this.entries.delete(k);
+      }
+      this.lastSweepMs = nowMs;
+    }
+    const existing = this.entries.get(key);
+    if (existing !== void 0 && existing > nowMs) {
+      return true;
+    }
+    if (this.entries.size >= this.capacity) {
+      const oldest = this.entries.keys().next().value;
+      if (oldest !== void 0) this.entries.delete(oldest);
+    }
+    this.entries.set(key, expiresAtMs);
+    return false;
+  }
+};
+var defaultNonceStore = new InMemoryNonceStore();
+
 // src/transport/vi.ts
 import { splitSdJwt, decodeSdJwtSync } from "@sd-jwt/decode";
 import { createHash } from "crypto";