@astrasyncai/verification-gateway 2.4.12 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (91) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +224 -42
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +224 -42
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +101 -57
  10. package/dist/adapters/mcp.d.ts +101 -57
  11. package/dist/adapters/mcp.js +215 -44
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +215 -44
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +87 -34
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +87 -34
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +61 -28
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +61 -28
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/agent/index.js +29 -0
  30. package/dist/agent/index.js.map +1 -1
  31. package/dist/agent/index.mjs +29 -0
  32. package/dist/agent/index.mjs.map +1 -1
  33. package/dist/browser/background.js +102 -30
  34. package/dist/browser/background.js.map +1 -1
  35. package/dist/browser/background.mjs +102 -30
  36. package/dist/browser/background.mjs.map +1 -1
  37. package/dist/browser/browser-adapter.d.mts +2 -2
  38. package/dist/browser/browser-adapter.d.ts +2 -2
  39. package/dist/cli/index.d.mts +2 -2
  40. package/dist/cli/index.d.ts +2 -2
  41. package/dist/cursor/cursor-adapter.d.mts +2 -2
  42. package/dist/cursor/cursor-adapter.d.ts +2 -2
  43. package/dist/cursor/extension.d.mts +2 -2
  44. package/dist/cursor/extension.d.ts +2 -2
  45. package/dist/cursor/extension.js +102 -30
  46. package/dist/cursor/extension.js.map +1 -1
  47. package/dist/cursor/extension.mjs +102 -30
  48. package/dist/cursor/extension.mjs.map +1 -1
  49. package/dist/{express-C1ePFB7n.d.ts → express-CrfwoNAR.d.ts} +1 -1
  50. package/dist/{express-4WStX3PV.d.mts → express-ienhAXps.d.mts} +1 -1
  51. package/dist/gateway/gateway.d.mts +2 -2
  52. package/dist/gateway/gateway.d.ts +2 -2
  53. package/dist/gateway/gateway.js +102 -30
  54. package/dist/gateway/gateway.js.map +1 -1
  55. package/dist/gateway/gateway.mjs +102 -30
  56. package/dist/gateway/gateway.mjs.map +1 -1
  57. package/dist/git-trigger/git-hooks.d.mts +2 -2
  58. package/dist/git-trigger/git-hooks.d.ts +2 -2
  59. package/dist/{index-ChPX4WHl.d.mts → index-B5e2IDWU.d.mts} +1 -1
  60. package/dist/{index-CzJMCgEy.d.ts → index-CCdZxvAr.d.ts} +71 -6
  61. package/dist/{index-D8IEntil.d.mts → index-CEg_WG6y.d.mts} +71 -6
  62. package/dist/{index-Cjm-zBeZ.d.ts → index-DC5f8eoQ.d.ts} +1 -1
  63. package/dist/index.d.mts +39 -9
  64. package/dist/index.d.ts +39 -9
  65. package/dist/index.js +500 -94
  66. package/dist/index.js.map +1 -1
  67. package/dist/index.mjs +497 -94
  68. package/dist/index.mjs.map +1 -1
  69. package/dist/local-evaluator/evaluator.d.mts +2 -2
  70. package/dist/local-evaluator/evaluator.d.ts +2 -2
  71. package/dist/local-evaluator/evaluator.js +12 -2
  72. package/dist/local-evaluator/evaluator.js.map +1 -1
  73. package/dist/local-evaluator/evaluator.mjs +12 -2
  74. package/dist/local-evaluator/evaluator.mjs.map +1 -1
  75. package/dist/{nextjs-BIORS__0.d.ts → nextjs-66R1KW8e.d.ts} +1 -1
  76. package/dist/{nextjs-CjzHdaXA.d.mts → nextjs-DSpisQst.d.mts} +1 -1
  77. package/dist/{sdk-Chhz-FcT.d.mts → sdk-5U_CBRpr.d.mts} +1 -1
  78. package/dist/{sdk-CqTEQAc6.d.ts → sdk-Bm8np66n.d.ts} +1 -1
  79. package/dist/transport/index.d.mts +2 -2
  80. package/dist/transport/index.d.ts +2 -2
  81. package/dist/transport/index.js +146 -28
  82. package/dist/transport/index.js.map +1 -1
  83. package/dist/transport/index.mjs +146 -28
  84. package/dist/transport/index.mjs.map +1 -1
  85. package/dist/{types-L15pYd2c.d.mts → types-B3USs-Kx.d.mts} +42 -1
  86. package/dist/{types-L15pYd2c.d.ts → types-B3USs-Kx.d.ts} +42 -1
  87. package/dist/{types-DNK2BgIf.d.mts → types-CgDCUfo8.d.mts} +1 -1
  88. package/dist/{types-DoWIuzfj.d.ts → types-R5N4ET6x.d.ts} +1 -1
  89. package/dist/ui/index.d.mts +1 -1
  90. package/dist/ui/index.d.ts +1 -1
  91. package/package.json +1 -1
@@ -1,7 +1,7 @@
1
1
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
2
- import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DNK2BgIf.mjs';
2
+ import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CgDCUfo8.mjs';
3
3
  import '../gateway/gateway.mjs';
4
- import '../types-L15pYd2c.mjs';
4
+ import '../types-B3USs-Kx.mjs';
5
5
 
6
6
  /**
7
7
  * @astrasyncai/adapter-openclaw-browser
@@ -1,7 +1,7 @@
1
1
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
2
- import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DoWIuzfj.js';
2
+ import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-R5N4ET6x.js';
3
3
  import '../gateway/gateway.js';
4
- import '../types-L15pYd2c.js';
4
+ import '../types-B3USs-Kx.js';
5
5
 
6
6
  /**
7
7
  * @astrasyncai/adapter-openclaw-browser
@@ -1,6 +1,6 @@
1
- import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DNK2BgIf.mjs';
1
+ import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CgDCUfo8.mjs';
2
2
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
3
- import '../types-L15pYd2c.mjs';
3
+ import '../types-B3USs-Kx.mjs';
4
4
  import '../gateway/gateway.mjs';
5
5
 
6
6
  /**
@@ -1,6 +1,6 @@
1
- import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DoWIuzfj.js';
1
+ import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-R5N4ET6x.js';
2
2
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
3
- import '../types-L15pYd2c.js';
3
+ import '../types-B3USs-Kx.js';
4
4
  import '../gateway/gateway.js';
5
5
 
6
6
  /**
@@ -1,7 +1,7 @@
1
1
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
2
- import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DNK2BgIf.mjs';
2
+ import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CgDCUfo8.mjs';
3
3
  import '../gateway/gateway.mjs';
4
- import '../types-L15pYd2c.mjs';
4
+ import '../types-B3USs-Kx.mjs';
5
5
 
6
6
  /**
7
7
  * @astrasyncai/adapter-cursor
@@ -1,7 +1,7 @@
1
1
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
2
- import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DoWIuzfj.js';
2
+ import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-R5N4ET6x.js';
3
3
  import '../gateway/gateway.js';
4
- import '../types-L15pYd2c.js';
4
+ import '../types-B3USs-Kx.js';
5
5
 
6
6
  /**
7
7
  * @astrasyncai/adapter-cursor
@@ -1,8 +1,8 @@
1
1
  import { VSCodeAPI } from './cursor-adapter.mjs';
2
2
  import '../adapter-interface/interface.mjs';
3
3
  import '../gateway/gateway.mjs';
4
- import '../types-DNK2BgIf.mjs';
5
- import '../types-L15pYd2c.mjs';
4
+ import '../types-CgDCUfo8.mjs';
5
+ import '../types-B3USs-Kx.mjs';
6
6
 
7
7
  /**
8
8
  * VS Code Extension entry point for AstraSync Local Guard (Cursor/VS Code).
@@ -1,8 +1,8 @@
1
1
  import { VSCodeAPI } from './cursor-adapter.js';
2
2
  import '../adapter-interface/interface.js';
3
3
  import '../gateway/gateway.js';
4
- import '../types-DoWIuzfj.js';
5
- import '../types-L15pYd2c.js';
4
+ import '../types-R5N4ET6x.js';
5
+ import '../types-B3USs-Kx.js';
6
6
 
7
7
  /**
8
8
  * VS Code Extension entry point for AstraSync Local Guard (Cursor/VS Code).
@@ -350,7 +350,10 @@ var LocalEvaluator = class {
350
350
  }
351
351
  const depth = context.metadata?.subAgentDepth || 0;
352
352
  if (this.policy.selfInstantiation.maxDepth !== void 0 && depth >= this.policy.selfInstantiation.maxDepth) {
353
- return { recommendation: "DENY", reason: `Sub-agent depth ${depth} exceeds max depth ${this.policy.selfInstantiation.maxDepth}` };
353
+ return {
354
+ recommendation: "DENY",
355
+ reason: `Sub-agent depth ${depth} exceeds max depth ${this.policy.selfInstantiation.maxDepth}`
356
+ };
354
357
  }
355
358
  }
356
359
  if (purposeRule.requiresApproval) {
@@ -431,7 +434,10 @@ var LocalEvaluator = class {
431
434
  return { recommendation: "DENY", reason: `Risk score ${riskScore} exceeds block threshold` };
432
435
  }
433
436
  if (riskScore >= thresholds.requireApproval.min) {
434
- return { recommendation: "MANUAL_REVIEW", reason: `Risk score ${riskScore} requires approval` };
437
+ return {
438
+ recommendation: "MANUAL_REVIEW",
439
+ reason: `Risk score ${riskScore} requires approval`
440
+ };
435
441
  }
436
442
  return null;
437
443
  }
@@ -496,6 +502,10 @@ var LocalEvaluator = class {
496
502
  */
497
503
  matchGlob(value, pattern) {
498
504
  if (pattern === value) return true;
505
+ const starCount = (pattern.match(/\*/g) ?? []).length;
506
+ if (starCount > 8) {
507
+ return false;
508
+ }
499
509
  const regexStr = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
500
510
  try {
501
511
  return new RegExp(`^${regexStr}$`, "i").test(value);
@@ -3299,7 +3309,14 @@ function getTrustLevel(score) {
3299
3309
  }
3300
3310
 
3301
3311
  // src/version.ts
3302
- var SDK_VERSION = "2.4.12";
3312
+ var SDK_VERSION = "2.4.13";
3313
+
3314
+ // src/well-known.ts
3315
+ var CACHE_TTL_MS = 60 * 60 * 1e3;
3316
+ var cache = /* @__PURE__ */ new Map();
3317
+ function getCachedWellKnownUrls(apiBaseUrl) {
3318
+ return cache.get(apiBaseUrl)?.data;
3319
+ }
3303
3320
 
3304
3321
  // src/verify.ts
3305
3322
  var DEFAULT_CONFIG = {
@@ -3318,22 +3335,27 @@ var DEFAULT_CONFIG = {
3318
3335
  };
3319
3336
  var initCheckPerformed = false;
3320
3337
  var deprecationWarningShown = false;
3321
- async function performInitCheck(apiBaseUrl, debug) {
3338
+ async function performInitCheck(apiBaseUrl, debug, strictInit) {
3322
3339
  initCheckPerformed = true;
3323
3340
  try {
3324
3341
  const probeUrl = `${apiBaseUrl}/agents/verify-access`;
3325
3342
  const response = await fetch(probeUrl, { method: "HEAD" });
3326
3343
  const contentType = response.headers.get("content-type") ?? "";
3327
3344
  if (contentType.startsWith("text/html")) {
3328
- console.warn(
3329
- `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). Set disableInitChecks: true on GatewayConfig to silence this warning.`
3330
- );
3345
+ const message = `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging).`;
3346
+ if (strictInit) {
3347
+ throw new Error(`${message} (strictInit=true)`);
3348
+ }
3349
+ console.warn(`${message} Set disableInitChecks: true on GatewayConfig to silence.`);
3331
3350
  } else if (debug) {
3332
3351
  console.log(
3333
3352
  `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
3334
3353
  );
3335
3354
  }
3336
3355
  } catch (err) {
3356
+ if (strictInit) {
3357
+ throw err;
3358
+ }
3337
3359
  if (debug) {
3338
3360
  console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
3339
3361
  }
@@ -3357,7 +3379,23 @@ function getCacheKey(request) {
3357
3379
  request.counterpartyType || "",
3358
3380
  request.isSubAgentRequest ? "1" : "0",
3359
3381
  request.parentAgentId || "",
3360
- request.subAgentDepth ?? ""
3382
+ request.subAgentDepth ?? "",
3383
+ // Audit F-A1-07: previously-missing dimensions that DO affect the
3384
+ // backend verdict. Without these, two requests with different
3385
+ // durations (e.g. 60s vs 86400s) collided on the same cache key and
3386
+ // the shorter-duration allow served the longer-duration request.
3387
+ request.durationRequired ?? "",
3388
+ request.invocationProtocol || "",
3389
+ request.enableRuntimeChallenge ? "1" : "0",
3390
+ // callerMetadata fields contribute to risk model; include the ones
3391
+ // backend reads. sourceIp/userAgent/forwardedFor change per-request
3392
+ // so their inclusion effectively forces a re-check for any varying
3393
+ // client (the right behavior — IP-driven anomaly scoring shouldn't
3394
+ // be cached across IPs).
3395
+ request.callerMetadata?.sourceIp || "",
3396
+ request.callerMetadata?.userAgent || "",
3397
+ request.callerMetadata?.forwardedFor || "",
3398
+ request.callerMetadata?.agentCardUrl || ""
3361
3399
  ].join("|");
3362
3400
  }
3363
3401
  function getCachedResult(request) {
@@ -3381,21 +3419,22 @@ function cacheResult(request, result, configuredTtl) {
3381
3419
  expiresAt: Date.now() + ttlSeconds * 1e3
3382
3420
  });
3383
3421
  }
3384
- function createGuidanceResponse(config, reason, options = {}) {
3422
+ function createGuidanceResponse(_config, reason, options = {}) {
3385
3423
  const source = options.source ?? "no_credentials";
3386
3424
  const isApiError = source === "api_error";
3425
+ const urls = options.urls;
3387
3426
  const guidance = isApiError ? {
3388
3427
  message: "Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.",
3389
- registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
3390
- documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
3428
+ registrationUrl: urls?.registrationUrl ?? "",
3429
+ documentationUrl: urls?.documentationUrl ?? "",
3391
3430
  steps: [
3392
3431
  "Retry the request with exponential backoff",
3393
3432
  "If failures persist, share the correlationId with support"
3394
3433
  ]
3395
3434
  } : {
3396
3435
  message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
3397
- registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
3398
- documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
3436
+ registrationUrl: urls?.registrationUrl ?? "",
3437
+ documentationUrl: urls?.documentationUrl ?? "",
3399
3438
  steps: [
3400
3439
  "Register for an AstraSync account",
3401
3440
  "Create and register your agent",
@@ -3437,7 +3476,7 @@ async function callVerifyAccessAPI(config, request) {
3437
3476
  const { credentials, ...requestData } = request;
3438
3477
  const body = {
3439
3478
  ...credentials.astraId && { agentId: credentials.astraId },
3440
- purpose: requestData.purpose || "general"
3479
+ ...requestData.purpose && { purpose: requestData.purpose }
3441
3480
  };
3442
3481
  if (requestData.action) body.action = requestData.action;
3443
3482
  if (requestData.resourceType) body.resourceType = requestData.resourceType;
@@ -3471,12 +3510,8 @@ async function callVerifyAccessAPI(config, request) {
3471
3510
  "Content-Type": "application/json",
3472
3511
  ...config.customHeaders
3473
3512
  };
3474
- if (credentials.authorizationHeader) {
3475
- headers["Authorization"] = credentials.authorizationHeader;
3476
- } else if (config.apiKey) {
3477
- headers["Authorization"] = `Bearer ${config.apiKey}`;
3478
- }
3479
3513
  if (config.apiKey) {
3514
+ headers["Authorization"] = `Bearer ${config.apiKey}`;
3480
3515
  headers["X-API-Key"] = config.apiKey;
3481
3516
  }
3482
3517
  try {
@@ -3521,8 +3556,13 @@ async function callVerifyAccessAPI(config, request) {
3521
3556
  }
3522
3557
  async function verify(config, request) {
3523
3558
  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
3559
+ const urls = mergedConfig.apiBaseUrl ? getCachedWellKnownUrls(mergedConfig.apiBaseUrl) : void 0;
3524
3560
  if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
3525
- void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);
3561
+ if (mergedConfig.strictInit) {
3562
+ await performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, true);
3563
+ } else {
3564
+ void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, false);
3565
+ }
3526
3566
  }
3527
3567
  if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
3528
3568
  deprecationWarningShown = true;
@@ -3553,7 +3593,8 @@ async function verify(config, request) {
3553
3593
  if (!apiResponse.success) {
3554
3594
  return createGuidanceResponse(mergedConfig, apiResponse.error, {
3555
3595
  source: "api_error",
3556
- correlationId: apiResponse.correlationId
3596
+ correlationId: apiResponse.correlationId,
3597
+ urls
3557
3598
  });
3558
3599
  }
3559
3600
  if (!apiResponse.access?.allowed) {
@@ -3576,8 +3617,8 @@ async function verify(config, request) {
3576
3617
  requiresApproval: apiResponse.access?.requiresApproval,
3577
3618
  guidance: {
3578
3619
  message: apiResponse.access?.reason || "Access denied by PDLSS policy",
3579
- registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
3580
- documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
3620
+ registrationUrl: urls?.registrationUrl ?? "",
3621
+ documentationUrl: urls?.documentationUrl ?? ""
3581
3622
  },
3582
3623
  verifiedAt: /* @__PURE__ */ new Date(),
3583
3624
  // Extract sessionId so decisions can be recorded for denials too
@@ -3646,13 +3687,15 @@ async function verify(config, request) {
3646
3687
  result.denialReasons = result.recommendationReasons || [
3647
3688
  "Access denied by AstraSync recommendation"
3648
3689
  ];
3649
- if (result.runtimeChallenge) {
3650
- result.guidance = {
3651
- message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
3652
- registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
3653
- documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
3654
- };
3655
- }
3690
+ result.guidance = result.runtimeChallenge ? {
3691
+ message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
3692
+ registrationUrl: urls?.registrationUrl ?? "",
3693
+ documentationUrl: urls?.documentationUrl ?? ""
3694
+ } : {
3695
+ message: result.recommendationReasons?.[0] || "Access denied by AstraSync recommendation",
3696
+ registrationUrl: urls?.registrationUrl ?? "",
3697
+ documentationUrl: urls?.documentationUrl ?? ""
3698
+ };
3656
3699
  } else if (result.recommendation === "step_up_required") {
3657
3700
  result.requiresStepUp = true;
3658
3701
  if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
@@ -3678,6 +3721,35 @@ var import_structured_headers = require("structured-headers");
3678
3721
  // src/transport/rfc9421-verify.ts
3679
3722
  var import_http_message_signatures = require("http-message-signatures");
3680
3723
 
3724
+ // src/transport/nonce-store.ts
3725
+ var InMemoryNonceStore = class {
3726
+ constructor(capacity = 1e4) {
3727
+ this.entries = /* @__PURE__ */ new Map();
3728
+ this.lastSweepMs = 0;
3729
+ this.capacity = capacity;
3730
+ }
3731
+ seen(key, expiresAtMs) {
3732
+ const nowMs = Date.now();
3733
+ if (nowMs - this.lastSweepMs > 1e3) {
3734
+ for (const [k, exp] of this.entries) {
3735
+ if (exp <= nowMs) this.entries.delete(k);
3736
+ }
3737
+ this.lastSweepMs = nowMs;
3738
+ }
3739
+ const existing = this.entries.get(key);
3740
+ if (existing !== void 0 && existing > nowMs) {
3741
+ return true;
3742
+ }
3743
+ if (this.entries.size >= this.capacity) {
3744
+ const oldest = this.entries.keys().next().value;
3745
+ if (oldest !== void 0) this.entries.delete(oldest);
3746
+ }
3747
+ this.entries.set(key, expiresAtMs);
3748
+ return false;
3749
+ }
3750
+ };
3751
+ var defaultNonceStore = new InMemoryNonceStore();
3752
+
3681
3753
  // src/transport/vi.ts
3682
3754
  var import_decode = require("@sd-jwt/decode");
3683
3755
  var import_node_crypto = require("crypto");