@astrasyncai/verification-gateway 2.4.12 → 2.4.14

package/dist/{types-L15pYd2c.d.mts → types-B3USs-Kx.d.mts}

@@ -109,6 +109,15 @@ interface GatewayConfig {
      * extra request is undesirable.
      */
     disableInitChecks?: boolean;
+    /**
+     * Audit F-A6-33: when true, the init self-test runs synchronously on the
+     * first verify() call and THROWS on misconfig (apiBaseUrl returning HTML,
+     * unreachable, etc.) instead of warning + continuing. Recommended for
+     * production deploys where you want a fast-fail startup signal rather
+     * than silent verify-access call failures. Default false for backward
+     * compatibility.
+     */
+    strictInit?: boolean;
     /**
      * v2.3.8: emit `X-Astra-Gateway-Mode: unenforced` (with
      * `X-Astra-Gateway-Reason: no-policy | no-match`) on responses where the
@@ -125,7 +134,9 @@ interface GatewayConfig {
     /**
      * v2.3.8: dashboard origin used to construct configuration links in
      * boot-time warnings (e.g. when no per-route policy is configured).
-     * Defaults to `https://app.astrasync.ai`.
+     * Defaults to `https://astrasync.ai/dashboard` (the `app.astrasync.ai`
+     * subdomain referenced in older docs does not currently resolve —
+     * audit F-PROBE-01).
      */
     dashboardUrl?: string;
     /**
@@ -503,6 +514,36 @@ interface ExpressMiddlewareOptions extends GatewayConfig {
      * lengthen it to reduce network chatter.
      */
     routesRefreshMs?: number;
+    /**
+     * Posture when the middleware itself throws an internal error (header
+     * parsing failure, `fetchRoutes` network error, malformed proxy state,
+     * etc.). Default `'open'` for backward compatibility in SDK 2.4.13 —
+     * legitimate traffic continues to pass through during platform outages.
+     *
+     * In shadow mode (default), the middleware ALWAYS logs a
+     * `[SHADOW] would-have-denied` line on throws including correlationId so
+     * merchants can grep their own logs for impact analysis. SDK 2.4.x reads
+     * the shadow logs across the 1-week observation window; the default
+     * flips to `'closed'` in a follow-up release once <0.1% of throws appear
+     * to be legitimate-traffic regressions.
+     *
+     * Small-value demo merchants can keep `'open'` indefinitely after the
+     * default flip by setting this explicitly (audit F-A1-06).
+     */
+    failOnError?: 'open' | 'closed';
+    /**
+     * When true, route-pattern matching is case-insensitive (audit F-A6-31,
+     * round-18.6.5 Finding #1 from astrasync.shop). Default false in SDK
+     * 2.4.13 for backward compatibility; shadow logs record divergences so
+     * merchants can preview impact before flipping. Follow-up release makes
+     * case-insensitive the default after 1-week observation confirms <5
+     * merchants with divergence-events.
+     *
+     * Recommended: set to true if your Express install uses the default
+     * (case-insensitive) routing AND your policy entries don't deliberately
+     * use case distinctions.
+     */
+    caseInsensitiveRouteMatch?: boolean;
 }
 /**
  * Next.js middleware options.

package/dist/{types-L15pYd2c.d.ts → types-B3USs-Kx.d.ts}

@@ -109,6 +109,15 @@ interface GatewayConfig {
      * extra request is undesirable.
      */
     disableInitChecks?: boolean;
+    /**
+     * Audit F-A6-33: when true, the init self-test runs synchronously on the
+     * first verify() call and THROWS on misconfig (apiBaseUrl returning HTML,
+     * unreachable, etc.) instead of warning + continuing. Recommended for
+     * production deploys where you want a fast-fail startup signal rather
+     * than silent verify-access call failures. Default false for backward
+     * compatibility.
+     */
+    strictInit?: boolean;
     /**
      * v2.3.8: emit `X-Astra-Gateway-Mode: unenforced` (with
      * `X-Astra-Gateway-Reason: no-policy | no-match`) on responses where the
@@ -125,7 +134,9 @@ interface GatewayConfig {
     /**
      * v2.3.8: dashboard origin used to construct configuration links in
      * boot-time warnings (e.g. when no per-route policy is configured).
-     * Defaults to `https://app.astrasync.ai`.
+     * Defaults to `https://astrasync.ai/dashboard` (the `app.astrasync.ai`
+     * subdomain referenced in older docs does not currently resolve —
+     * audit F-PROBE-01).
      */
     dashboardUrl?: string;
     /**
@@ -503,6 +514,36 @@ interface ExpressMiddlewareOptions extends GatewayConfig {
      * lengthen it to reduce network chatter.
      */
     routesRefreshMs?: number;
+    /**
+     * Posture when the middleware itself throws an internal error (header
+     * parsing failure, `fetchRoutes` network error, malformed proxy state,
+     * etc.). Default `'open'` for backward compatibility in SDK 2.4.13 —
+     * legitimate traffic continues to pass through during platform outages.
+     *
+     * In shadow mode (default), the middleware ALWAYS logs a
+     * `[SHADOW] would-have-denied` line on throws including correlationId so
+     * merchants can grep their own logs for impact analysis. SDK 2.4.x reads
+     * the shadow logs across the 1-week observation window; the default
+     * flips to `'closed'` in a follow-up release once <0.1% of throws appear
+     * to be legitimate-traffic regressions.
+     *
+     * Small-value demo merchants can keep `'open'` indefinitely after the
+     * default flip by setting this explicitly (audit F-A1-06).
+     */
+    failOnError?: 'open' | 'closed';
+    /**
+     * When true, route-pattern matching is case-insensitive (audit F-A6-31,
+     * round-18.6.5 Finding #1 from astrasync.shop). Default false in SDK
+     * 2.4.13 for backward compatibility; shadow logs record divergences so
+     * merchants can preview impact before flipping. Follow-up release makes
+     * case-insensitive the default after 1-week observation confirms <5
+     * merchants with divergence-events.
+     *
+     * Recommended: set to true if your Express install uses the default
+     * (case-insensitive) routing AND your policy entries don't deliberately
+     * use case distinctions.
+     */
+    caseInsensitiveRouteMatch?: boolean;
 }
 /**
  * Next.js middleware options.

package/dist/{types-DNK2BgIf.d.mts → types-CgDCUfo8.d.mts}

@@ -1,4 +1,4 @@
-import { A as AccessLevel, c as CounterpartyType, T as TokenGuidance } from './types-L15pYd2c.mjs';
+import { A as AccessLevel, c as CounterpartyType, T as TokenGuidance } from './types-B3USs-Kx.mjs';
 
 /**
  * AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.

package/dist/{types-DoWIuzfj.d.ts → types-R5N4ET6x.d.ts}

@@ -1,4 +1,4 @@
-import { A as AccessLevel, c as CounterpartyType, T as TokenGuidance } from './types-L15pYd2c.js';
+import { A as AccessLevel, c as CounterpartyType, T as TokenGuidance } from './types-B3USs-Kx.js';
 
 /**
  * AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.

package/dist/ui/index.d.mts

@@ -1,4 +1,4 @@
-import { C as CommerceShieldProps, i as VerificationResult, a as AgentCredentials, e as GuidanceInfo, h as TrustLevel } from '../types-L15pYd2c.mjs';
+import { C as CommerceShieldProps, i as VerificationResult, a as AgentCredentials, e as GuidanceInfo, h as TrustLevel } from '../types-B3USs-Kx.mjs';
 
 /**
  * AstraSync Commerce Shield Component

package/dist/ui/index.d.ts

@@ -1,4 +1,4 @@
-import { C as CommerceShieldProps, i as VerificationResult, a as AgentCredentials, e as GuidanceInfo, h as TrustLevel } from '../types-L15pYd2c.js';
+import { C as CommerceShieldProps, i as VerificationResult, a as AgentCredentials, e as GuidanceInfo, h as TrustLevel } from '../types-B3USs-Kx.js';
 
 /**
  * AstraSync Commerce Shield Component

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@astrasyncai/verification-gateway",
-  "version": "2.4.12",
+  "version": "2.4.14",
   "description": "AstraSync KYA Platform SDK — counterparty verification gateway (verify incoming requests) + agent registration (register AI agents with the KYA backend).",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",