npm - @astrasyncai/verification-gateway - Versions diffs - 2.4.4 → 2.4.5 - Mend

@astrasyncai/verification-gateway 2.4.4 → 2.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/README.md +82 -0
package/dist/adapter-interface/interface.d.mts +2 -2
package/dist/adapter-interface/interface.d.ts +2 -2
package/dist/adapters/express.d.mts +2 -2
package/dist/adapters/express.d.ts +2 -2
package/dist/adapters/express.js +4 -0
package/dist/adapters/express.js.map +1 -1
package/dist/adapters/express.mjs +4 -0
package/dist/adapters/express.mjs.map +1 -1
package/dist/adapters/mcp.d.mts +54 -18
package/dist/adapters/mcp.d.ts +54 -18
package/dist/adapters/mcp.js +76 -23
package/dist/adapters/mcp.js.map +1 -1
package/dist/adapters/mcp.mjs +76 -23
package/dist/adapters/mcp.mjs.map +1 -1
package/dist/adapters/nextjs.d.mts +2 -2
package/dist/adapters/nextjs.d.ts +2 -2
package/dist/adapters/nextjs.js +4 -0
package/dist/adapters/nextjs.js.map +1 -1
package/dist/adapters/nextjs.mjs +4 -0
package/dist/adapters/nextjs.mjs.map +1 -1
package/dist/adapters/sdk.d.mts +2 -2
package/dist/adapters/sdk.d.ts +2 -2
package/dist/adapters/sdk.js +4 -0
package/dist/adapters/sdk.js.map +1 -1
package/dist/adapters/sdk.mjs +4 -0
package/dist/adapters/sdk.mjs.map +1 -1
package/dist/agent/index.d.mts +2 -2
package/dist/agent/index.d.ts +2 -2
package/dist/browser/background.js +4 -0
package/dist/browser/background.js.map +1 -1
package/dist/browser/background.mjs +4 -0
package/dist/browser/background.mjs.map +1 -1
package/dist/browser/browser-adapter.d.mts +2 -2
package/dist/browser/browser-adapter.d.ts +2 -2
package/dist/cli/index.d.mts +2 -2
package/dist/cli/index.d.ts +2 -2
package/dist/cursor/cursor-adapter.d.mts +2 -2
package/dist/cursor/cursor-adapter.d.ts +2 -2
package/dist/cursor/extension.d.mts +2 -2
package/dist/cursor/extension.d.ts +2 -2
package/dist/cursor/extension.js +4 -0
package/dist/cursor/extension.js.map +1 -1
package/dist/cursor/extension.mjs +4 -0
package/dist/cursor/extension.mjs.map +1 -1
package/dist/{express-Ck2RHZLT.d.mts → express-D5hAJ2Gv.d.mts} +1 -1
package/dist/{express-DZmEzCgo.d.ts → express-XCkk7BsJ.d.ts} +1 -1
package/dist/gateway/gateway.d.mts +2 -2
package/dist/gateway/gateway.d.ts +2 -2
package/dist/gateway/gateway.js +4 -0
package/dist/gateway/gateway.js.map +1 -1
package/dist/gateway/gateway.mjs +4 -0
package/dist/gateway/gateway.mjs.map +1 -1
package/dist/git-trigger/git-hooks.d.mts +2 -2
package/dist/git-trigger/git-hooks.d.ts +2 -2
package/dist/{index-6Jus6yWU.d.ts → index-Bstl43HI.d.ts} +1 -1
package/dist/{index-BgKghi19.d.ts → index-CH4TfcbL.d.ts} +1 -1
package/dist/{index-D698fDOk.d.mts → index-TS4SGvf4.d.mts} +1 -1
package/dist/{index-BZZTOfrI.d.mts → index-u08qcXq9.d.mts} +1 -1
package/dist/index.d.mts +7 -7
package/dist/index.d.ts +7 -7
package/dist/index.js +4 -0
package/dist/index.js.map +1 -1
package/dist/index.mjs +4 -0
package/dist/index.mjs.map +1 -1
package/dist/local-evaluator/evaluator.d.mts +2 -2
package/dist/local-evaluator/evaluator.d.ts +2 -2
package/dist/{nextjs-93PHcE-i.d.mts → nextjs-CFA0J_4x.d.mts} +1 -1
package/dist/{nextjs-t_ix2zQZ.d.ts → nextjs-DP2EpI-4.d.ts} +1 -1
package/dist/{sdk-BFwzjYjl.d.mts → sdk-C8W54WZS.d.mts} +1 -1
package/dist/{sdk-Chq02d82.d.ts → sdk-CwwCGDzK.d.ts} +1 -1
package/dist/transport/index.d.mts +2 -2
package/dist/transport/index.d.ts +2 -2
package/dist/{types-CVT-sorC.d.mts → types-CbZOkIr-.d.mts} +21 -15
package/dist/{types-CVT-sorC.d.ts → types-CbZOkIr-.d.ts} +21 -15
package/dist/{types-CLP_TDu5.d.ts → types-DXNkr61h.d.ts} +1 -1
package/dist/{types-y13mmzbA.d.mts → types-tBNFSbw_.d.mts} +1 -1
package/dist/ui/index.d.mts +1 -1
package/dist/ui/index.d.ts +1 -1
package/package.json +1 -1

package/dist/adapters/mcp.mjs CHANGED Viewed

@@ -17,6 +17,9 @@ function hasMinimumAccess(actual, required) {
   return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
 }
+// src/version.ts
+var SDK_VERSION = "2.4.5";
 // src/verify.ts
 var DEFAULT_CONFIG = {
   apiBaseUrl: "https://astrasync.ai/api",
@@ -175,6 +178,7 @@ async function callVerifyAccessAPI(config, request) {
   if (requestData.runtimeChallengeOptions)
     body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
   if (requestData.invocationProtocol) body.invocationProtocol = requestData.invocationProtocol;
+  body.sdkVersion = SDK_VERSION;
   if (requestData.callerMetadata || requestData.clientIp || requestData.userAgent) {
     const meta = {
       ...requestData.clientIp && { sourceIp: requestData.clientIp },
@@ -458,16 +462,17 @@ function parseMcpJsonRpc(body) {
   if (method === "initialize" && params && typeof params.protocolVersion === "string") {
     protocolVersion = params.protocolVersion;
   }
-  let agentIdFromBody;
   const meta = params?._meta;
   const astrasyncMeta = meta?.astrasync;
+  const args = params?.arguments;
+  let agentIdFromBody;
   if (astrasyncMeta && typeof astrasyncMeta.agentId === "string") {
     agentIdFromBody = astrasyncMeta.agentId;
-  } else {
-    const args = params?.arguments;
-    if (args && typeof args.agent_id === "string") agentIdFromBody = args.agent_id;
+  } else if (args && typeof args.agent_id === "string") {
+    agentIdFromBody = args.agent_id;
   }
-  const purposeFromBody = astrasyncMeta && typeof astrasyncMeta.purpose === "string" ? astrasyncMeta.purpose : void 0;
+  const purposeBodyResult = extractFromMcpBody(astrasyncMeta, args, "purpose");
+  const actionBodyResult = extractFromMcpBody(astrasyncMeta, args, "action");
   const isInitialize = method === "initialize";
   const isToolCall = method === "tools/call";
   const isIntrospection = method === "tools/list" || method === "prompts/list" || method === "resources/list" || method === "ping" || method === "notifications/initialized";
@@ -476,22 +481,51 @@ function parseMcpJsonRpc(body) {
     ...toolName ? { toolName } : {},
     ...protocolVersion ? { protocolVersion } : {},
     ...agentIdFromBody ? { agentIdFromBody } : {},
-    ...purposeFromBody ? { purposeFromBody } : {},
+    ...purposeBodyResult.value ? { purposeFromBody: purposeBodyResult.value } : {},
+    ...purposeBodyResult.source ? { purposeSourceFromBody: purposeBodyResult.source } : {},
+    ...actionBodyResult.value ? { actionFromBody: actionBodyResult.value } : {},
+    ...actionBodyResult.source ? { actionSourceFromBody: actionBodyResult.source } : {},
     isInitialize,
     isToolCall,
     isIntrospection
   };
 }
-function mcpToPdlss(parsed, headerPurpose, toolArgumentPurpose) {
-  const action = parsed.toolName ? `${parsed.method}:${parsed.toolName}` : parsed.method;
+function extractFromMcpBody(astrasyncMeta, args, key) {
+  if (astrasyncMeta && typeof astrasyncMeta[key] === "string") {
+    return { value: astrasyncMeta[key], source: "meta" };
+  }
+  if (args && typeof args[key] === "string") {
+    return { value: args[key], source: "tool_argument" };
+  }
+  return { value: void 0, source: void 0 };
+}
+function mcpToPdlss(parsed, headerPurpose, headerAction) {
   const resource = parsed.toolName ? `mcp:tool/${parsed.toolName}` : `mcp:method/${parsed.method}`;
+  let purpose;
+  let purposeSource;
   if (headerPurpose) {
-    return { purpose: headerPurpose, action, resource, purposeSource: "header" };
+    purpose = headerPurpose;
+    purposeSource = "header";
+  } else if (parsed.purposeFromBody && parsed.purposeSourceFromBody) {
+    purpose = parsed.purposeFromBody;
+    purposeSource = parsed.purposeSourceFromBody;
+  } else {
+    purpose = "mcp_invoke";
+    purposeSource = "default_mcp_invoke";
   }
-  if (toolArgumentPurpose) {
-    return { purpose: toolArgumentPurpose, action, resource, purposeSource: "tool_argument" };
+  let action;
+  let actionSource;
+  if (headerAction) {
+    action = headerAction;
+    actionSource = "header";
+  } else if (parsed.actionFromBody && parsed.actionSourceFromBody) {
+    action = parsed.actionFromBody;
+    actionSource = parsed.actionSourceFromBody;
+  } else {
+    action = parsed.toolName ? `${parsed.method}:${parsed.toolName}` : parsed.method;
+    actionSource = "transport_layer";
   }
-  return { purpose: "mcp_invoke", action, resource, purposeSource: "default_mcp_invoke" };
+  return { purpose, action, resource, purposeSource, actionSource };
 }
 function mcpRiskTier(parsed) {
   if (parsed.isInitialize || parsed.method === "notifications/initialized") return "none";
@@ -502,6 +536,11 @@ function mcpRiskTier(parsed) {
 }
 // src/adapters/mcp.ts
+function readSingleHeader(value) {
+  if (typeof value === "string") return value;
+  if (Array.isArray(value)) return value[0];
+  return void 0;
+}
 function defaultMcpDenied(result, req, res) {
   const id = req.body?.id ?? null;
   const status = result.verified ? 403 : 401;
@@ -596,25 +635,28 @@ function createMcpMiddleware(options) {
         toolGates,
         methodGates
       });
-      if (minAccessLevel === "none") {
+      const credentials = extractCredentials(
+        req.headers,
+        req.query
+      );
+      if (effectiveAstraId) credentials.astraId = effectiveAstraId;
+      const shouldEnforce = minAccessLevel !== "none";
+      if (minAccessLevel === "none" && (!config.evaluateAlwaysIfCredentialed || !credentials.astraId)) {
         if (config.setPassThroughHeader) {
           res.setHeader("X-Astra-Gateway-Mode", "unenforced");
           res.setHeader("X-Astra-Gateway-Reason", "mcp-tier-none");
         }
         return next();
       }
-      const credentials = extractCredentials(
-        req.headers,
-        req.query
-      );
-      if (effectiveAstraId) credentials.astraId = effectiveAstraId;
-      const headerPurposeRaw = req.headers["x-astra-purpose"];
-      const headerPurpose = typeof headerPurposeRaw === "string" ? headerPurposeRaw : Array.isArray(headerPurposeRaw) ? headerPurposeRaw[0] : void 0;
-      const pdlss = mcpToPdlss(parsed, headerPurpose, parsed.purposeFromBody);
+      const headerPurpose = readSingleHeader(req.headers["x-astra-purpose"]);
+      const headerAction = readSingleHeader(req.headers["x-astra-action"]);
+      const pdlss = mcpToPdlss(parsed, headerPurpose, headerAction);
       if (config.debug) {
-        console.debug("[mcp-middleware] purpose resolved", {
+        console.debug("[mcp-middleware] pdlss resolved", {
           purpose_source: pdlss.purposeSource,
-          resolved_purpose: pdlss.purpose
+          resolved_purpose: pdlss.purpose,
+          action_source: pdlss.actionSource,
+          resolved_action: pdlss.action
         });
       }
       const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}${req.path}`;
@@ -649,6 +691,17 @@ function createMcpMiddleware(options) {
         onDenied(result, req, res);
         return;
       }
+      if (!shouldEnforce) {
+        if (config.setPassThroughHeader) {
+          res.setHeader("X-Astra-Gateway-Mode", "enforced");
+          res.setHeader("X-Astra-Gateway-Reason", "evaluated-not-enforced");
+        }
+        if (shouldRecordDecisions && sessionId) {
+          recordDecision(config, sessionId, "granted").catch(() => {
+          });
+        }
+        return next();
+      }
       if (!hasMinimumAccess(result.accessLevel, minAccessLevel)) {
         const insufficientFailure = {
           dimension: "access_level.insufficient",