@astrasyncai/verification-gateway 2.4.12 → 2.5.0
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +224 -42
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +224 -42
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +101 -57
- package/dist/adapters/mcp.d.ts +101 -57
- package/dist/adapters/mcp.js +215 -44
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +215 -44
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +87 -34
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +87 -34
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +61 -28
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +61 -28
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/agent/index.js +29 -0
- package/dist/agent/index.js.map +1 -1
- package/dist/agent/index.mjs +29 -0
- package/dist/agent/index.mjs.map +1 -1
- package/dist/browser/background.js +102 -30
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +102 -30
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +102 -30
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +102 -30
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-C1ePFB7n.d.ts → express-CrfwoNAR.d.ts} +1 -1
- package/dist/{express-4WStX3PV.d.mts → express-ienhAXps.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +102 -30
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +102 -30
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-ChPX4WHl.d.mts → index-B5e2IDWU.d.mts} +1 -1
- package/dist/{index-CzJMCgEy.d.ts → index-CCdZxvAr.d.ts} +71 -6
- package/dist/{index-D8IEntil.d.mts → index-CEg_WG6y.d.mts} +71 -6
- package/dist/{index-Cjm-zBeZ.d.ts → index-DC5f8eoQ.d.ts} +1 -1
- package/dist/index.d.mts +39 -9
- package/dist/index.d.ts +39 -9
- package/dist/index.js +500 -94
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +497 -94
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/local-evaluator/evaluator.js +12 -2
- package/dist/local-evaluator/evaluator.js.map +1 -1
- package/dist/local-evaluator/evaluator.mjs +12 -2
- package/dist/local-evaluator/evaluator.mjs.map +1 -1
- package/dist/{nextjs-BIORS__0.d.ts → nextjs-66R1KW8e.d.ts} +1 -1
- package/dist/{nextjs-CjzHdaXA.d.mts → nextjs-DSpisQst.d.mts} +1 -1
- package/dist/{sdk-Chhz-FcT.d.mts → sdk-5U_CBRpr.d.mts} +1 -1
- package/dist/{sdk-CqTEQAc6.d.ts → sdk-Bm8np66n.d.ts} +1 -1
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/transport/index.js +146 -28
- package/dist/transport/index.js.map +1 -1
- package/dist/transport/index.mjs +146 -28
- package/dist/transport/index.mjs.map +1 -1
- package/dist/{types-L15pYd2c.d.mts → types-B3USs-Kx.d.mts} +42 -1
- package/dist/{types-L15pYd2c.d.ts → types-B3USs-Kx.d.ts} +42 -1
- package/dist/{types-DNK2BgIf.d.mts → types-CgDCUfo8.d.mts} +1 -1
- package/dist/{types-DoWIuzfj.d.ts → types-R5N4ET6x.d.ts} +1 -1
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
|
|
2
|
-
import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-
|
|
2
|
+
import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CgDCUfo8.mjs';
|
|
3
3
|
import '../gateway/gateway.mjs';
|
|
4
|
-
import '../types-
|
|
4
|
+
import '../types-B3USs-Kx.mjs';
|
|
5
5
|
|
|
6
6
|
/**
|
|
7
7
|
* @astrasyncai/adapter-openclaw-browser
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
|
|
2
|
-
import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-
|
|
2
|
+
import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-R5N4ET6x.js';
|
|
3
3
|
import '../gateway/gateway.js';
|
|
4
|
-
import '../types-
|
|
4
|
+
import '../types-B3USs-Kx.js';
|
|
5
5
|
|
|
6
6
|
/**
|
|
7
7
|
* @astrasyncai/adapter-openclaw-browser
|
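--- a/package/dist/cli/index.d.mts
+++ b/package/dist/cli/index.d.mts
@@ -1,6 +1,6 @@
-import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-
+import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CgDCUfo8.mjs';
 import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
-import '../types-
+import '../types-B3USs-Kx.mjs';
 import '../gateway/gateway.mjs';
 
 /**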
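--- a/package/dist/cli/index.d.ts
+++ b/package/dist/cli/index.d.ts
@@ -1,6 +1,6 @@
-import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-
+import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-R5N4ET6x.js';
 import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
-import '../types-
+import '../types-B3USs-Kx.js';
 import '../gateway/gateway.js';
 
 /**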
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
|
|
2
|
-
import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-
|
|
2
|
+
import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CgDCUfo8.mjs';
|
|
3
3
|
import '../gateway/gateway.mjs';
|
|
4
|
-
import '../types-
|
|
4
|
+
import '../types-B3USs-Kx.mjs';
|
|
5
5
|
|
|
6
6
|
/**
|
|
7
7
|
* @astrasyncai/adapter-cursor
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
|
|
2
|
-
import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-
|
|
2
|
+
import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-R5N4ET6x.js';
|
|
3
3
|
import '../gateway/gateway.js';
|
|
4
|
-
import '../types-
|
|
4
|
+
import '../types-B3USs-Kx.js';
|
|
5
5
|
|
|
6
6
|
/**
|
|
7
7
|
* @astrasyncai/adapter-cursor
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
import { VSCodeAPI } from './cursor-adapter.mjs';
|
|
2
2
|
import '../adapter-interface/interface.mjs';
|
|
3
3
|
import '../gateway/gateway.mjs';
|
|
4
|
-
import '../types-
|
|
5
|
-
import '../types-
|
|
4
|
+
import '../types-CgDCUfo8.mjs';
|
|
5
|
+
import '../types-B3USs-Kx.mjs';
|
|
6
6
|
|
|
7
7
|
/**
|
|
8
8
|
* VS Code Extension entry point for AstraSync Local Guard (Cursor/VS Code).
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
import { VSCodeAPI } from './cursor-adapter.js';
|
|
2
2
|
import '../adapter-interface/interface.js';
|
|
3
3
|
import '../gateway/gateway.js';
|
|
4
|
-
import '../types-
|
|
5
|
-
import '../types-
|
|
4
|
+
import '../types-R5N4ET6x.js';
|
|
5
|
+
import '../types-B3USs-Kx.js';
|
|
6
6
|
|
|
7
7
|
/**
|
|
8
8
|
* VS Code Extension entry point for AstraSync Local Guard (Cursor/VS Code).
|
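--- a/package/dist/cursor/extension.js
+++ b/package/dist/cursor/extension.js
@@ -350,7 +350,10 @@ var LocalEvaluator = class {
 }
 const depth = context.metadata?.subAgentDepth || 0;
 if (this.policy.selfInstantiation.maxDepth !== void 0 && depth >= this.policy.selfInstantiation.maxDepth) {
-return {
+return {
+recommendation: "DENY",
+reason: `Sub-agent depth ${depth} exceeds max depth ${this.policy.selfInstantiation.maxDepth}`
+};
 }
 }
 if (purposeRule.requiresApproval) {
@@ -431,7 +434,10 @@ var LocalEvaluator = class {
 return { recommendation: "DENY", reason: `Risk score ${riskScore} exceeds block threshold` };
 }
 if (riskScore >= thresholds.requireApproval.min) {
-return {
+return {
+recommendation: "MANUAL_REVIEW",
+reason: `Risk score ${riskScore} requires approval`
+};
 }
 return null;
 }
@@ -496,6 +502,10 @@ var LocalEvaluator = class {
 */
 matchGlob(value, pattern) {
 if (pattern === value) return true;
+const starCount = (pattern.match(/\*/g) ?? []).length;
+if (starCount > 8) {
+return false;
+}
 const regexStr = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
 try {
 return new RegExp(`^${regexStr}$`, "i").test(value);
@@ -3299,7 +3309,14 @@ function getTrustLevel(score) {
 }
 
 // src/version.ts
-var SDK_VERSION = "2.4.
+var SDK_VERSION = "2.4.13";
+
+// src/well-known.ts
+var CACHE_TTL_MS = 60 * 60 * 1e3;
+var cache = /* @__PURE__ */ new Map();
+function getCachedWellKnownUrls(apiBaseUrl) {
+return cache.get(apiBaseUrl)?.data;
+}
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -3318,22 +3335,27 @@ var DEFAULT_CONFIG = {
 };
 var initCheckPerformed = false;
 var deprecationWarningShown = false;
-async function performInitCheck(apiBaseUrl, debug) {
+async function performInitCheck(apiBaseUrl, debug, strictInit) {
 initCheckPerformed = true;
 try {
 const probeUrl = `${apiBaseUrl}/agents/verify-access`;
 const response = await fetch(probeUrl, { method: "HEAD" });
 const contentType = response.headers.get("content-type") ?? "";
 if (contentType.startsWith("text/html")) {
-
-
-
+const message = `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). This usually means apiBaseUrl is pointing at a marketing site instead of the API. Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging).`;
+if (strictInit) {
+throw new Error(`${message} (strictInit=true)`);
+}
+console.warn(`${message} Set disableInitChecks: true on GatewayConfig to silence.`);
 } else if (debug) {
 console.log(
 `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`
 );
 }
 } catch (err) {
+if (strictInit) {
+throw err;
+}
 if (debug) {
 console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);
 }
@@ -3357,7 +3379,23 @@ function getCacheKey(request) {
 request.counterpartyType || "",
 request.isSubAgentRequest ? "1" : "0",
 request.parentAgentId || "",
-request.subAgentDepth ?? ""
+request.subAgentDepth ?? "",
+// Audit F-A1-07: previously-missing dimensions that DO affect the
+// backend verdict. Without these, two requests with different
+// durations (e.g. 60s vs 86400s) collided on the same cache key and
+// the shorter-duration allow served the longer-duration request.
+request.durationRequired ?? "",
+request.invocationProtocol || "",
+request.enableRuntimeChallenge ? "1" : "0",
+// callerMetadata fields contribute to risk model; include the ones
+// backend reads. sourceIp/userAgent/forwardedFor change per-request
+// so their inclusion effectively forces a re-check for any varying
+// client (the right behavior — IP-driven anomaly scoring shouldn't
+// be cached across IPs).
+request.callerMetadata?.sourceIp || "",
+request.callerMetadata?.userAgent || "",
+request.callerMetadata?.forwardedFor || "",
+request.callerMetadata?.agentCardUrl || ""
 ].join("|");
 }
 function getCachedResult(request) {
@@ -3381,21 +3419,22 @@ function cacheResult(request, result, configuredTtl) {
 expiresAt: Date.now() + ttlSeconds * 1e3
 });
 }
-function createGuidanceResponse(
+function createGuidanceResponse(_config, reason, options = {}) {
 const source = options.source ?? "no_credentials";
 const isApiError = source === "api_error";
+const urls = options.urls;
 const guidance = isApiError ? {
 message: "Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.",
-registrationUrl:
-documentationUrl:
+registrationUrl: urls?.registrationUrl ?? "",
+documentationUrl: urls?.documentationUrl ?? "",
 steps: [
 "Retry the request with exponential backoff",
 "If failures persist, share the correlationId with support"
 ]
 } : {
 message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
-registrationUrl:
-documentationUrl:
+registrationUrl: urls?.registrationUrl ?? "",
+documentationUrl: urls?.documentationUrl ?? "",
 steps: [
 "Register for an AstraSync account",
 "Create and register your agent",
@@ -3437,7 +3476,7 @@ async function callVerifyAccessAPI(config, request) {
 const { credentials, ...requestData } = request;
 const body = {
 ...credentials.astraId && { agentId: credentials.astraId },
-purpose: requestData.purpose
+...requestData.purpose && { purpose: requestData.purpose }
 };
 if (requestData.action) body.action = requestData.action;
 if (requestData.resourceType) body.resourceType = requestData.resourceType;
@@ -3471,12 +3510,8 @@ async function callVerifyAccessAPI(config, request) {
 "Content-Type": "application/json",
 ...config.customHeaders
 };
-if (credentials.authorizationHeader) {
-headers["Authorization"] = credentials.authorizationHeader;
-} else if (config.apiKey) {
-headers["Authorization"] = `Bearer ${config.apiKey}`;
-}
 if (config.apiKey) {
+headers["Authorization"] = `Bearer ${config.apiKey}`;
 headers["X-API-Key"] = config.apiKey;
 }
 try {
@@ -3521,8 +3556,13 @@ async function callVerifyAccessAPI(config, request) {
 }
 async function verify(config, request) {
 const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+const urls = mergedConfig.apiBaseUrl ? getCachedWellKnownUrls(mergedConfig.apiBaseUrl) : void 0;
 if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {
-
+if (mergedConfig.strictInit) {
+await performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, true);
+} else {
+void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug, false);
+}
 }
 if (!deprecationWarningShown && (config.minTrustScore !== void 0 || config.minTrustScoreForFull !== void 0)) {
 deprecationWarningShown = true;
@@ -3553,7 +3593,8 @@ async function verify(config, request) {
 if (!apiResponse.success) {
 return createGuidanceResponse(mergedConfig, apiResponse.error, {
 source: "api_error",
-correlationId: apiResponse.correlationId
+correlationId: apiResponse.correlationId,
+urls
 });
 }
 if (!apiResponse.access?.allowed) {
@@ -3576,8 +3617,8 @@ async function verify(config, request) {
 requiresApproval: apiResponse.access?.requiresApproval,
 guidance: {
 message: apiResponse.access?.reason || "Access denied by PDLSS policy",
-registrationUrl:
-documentationUrl:
+registrationUrl: urls?.registrationUrl ?? "",
+documentationUrl: urls?.documentationUrl ?? ""
 },
 verifiedAt: /* @__PURE__ */ new Date(),
 // Extract sessionId so decisions can be recorded for denials too
@@ -3646,13 +3687,15 @@ async function verify(config, request) {
 result.denialReasons = result.recommendationReasons || [
 "Access denied by AstraSync recommendation"
 ];
-
-result.
-
-
-
-
-
+result.guidance = result.runtimeChallenge ? {
+message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
+registrationUrl: urls?.registrationUrl ?? "",
+documentationUrl: urls?.documentationUrl ?? ""
+} : {
+message: result.recommendationReasons?.[0] || "Access denied by AstraSync recommendation",
+registrationUrl: urls?.registrationUrl ?? "",
+documentationUrl: urls?.documentationUrl ?? ""
+};
 } else if (result.recommendation === "step_up_required") {
 result.requiresStepUp = true;
 if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
@@ -3678,6 +3721,35 @@ var import_structured_headers = require("structured-headers");
 // src/transport/rfc9421-verify.ts
 var import_http_message_signatures = require("http-message-signatures");
 
+// src/transport/nonce-store.ts
+var InMemoryNonceStore = class {
+constructor(capacity = 1e4) {
+this.entries = /* @__PURE__ */ new Map();
+this.lastSweepMs = 0;
+this.capacity = capacity;
+}
+seen(key, expiresAtMs) {
+const nowMs = Date.now();
+if (nowMs - this.lastSweepMs > 1e3) {
+for (const [k, exp] of this.entries) {
+if (exp <= nowMs) this.entries.delete(k);
+}
+this.lastSweepMs = nowMs;
+}
+const existing = this.entries.get(key);
+if (existing !== void 0 && existing > nowMs) {
+return true;
+}
+if (this.entries.size >= this.capacity) {
+const oldest = this.entries.keys().next().value;
+if (oldest !== void 0) this.entries.delete(oldest);
+}
+this.entries.set(key, expiresAtMs);
+return false;
+}
+};
+var defaultNonceStore = new InMemoryNonceStore();
+
 // src/transport/vi.ts
 var import_decode = require("@sd-jwt/decode");
 var import_node_crypto = require("crypto");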
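Review bot: The added `InMemoryNonceStore.seen` (bundled from `src/transport/nonce-store.ts`) evicts the first-inserted key once `entries.size >= capacity` without checking whether that entry has expired, so a nonce still inside its validity window can be dropped and a later `seen()` for it returns `false`. If this store backs replay detection for the RFC 9421 verification code next to it (its callers are outside this section), replay protection degrades silently under load instead of failing closed. Consider sweeping expired entries first and then rejecting when the store is still full, e.g. `if (this.entries.size >= this.capacity) return true;`, or at minimum logging each eviction of an unexpired entry. The class should also carry a comment that it holds per-process state, so a multi-instance deployment needs a shared store to get the same guarantee.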