@astrasyncai/verification-gateway 2.4.8 → 2.4.10

package/dist/{express-DvVjR2H4.d.mts → express-4WStX3PV.d.mts}

@@ -1,5 +1,5 @@
 import { RequestHandler, Request } from 'express';
-import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-BwDmjIdr.mjs';
+import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-L15pYd2c.mjs';
 
 /**
  * AstraSync Universal Verification Gateway - Express Middleware

package/dist/{express-714gJbaW.d.ts → express-C1ePFB7n.d.ts}

@@ -1,5 +1,5 @@
 import { RequestHandler, Request } from 'express';
-import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-BwDmjIdr.js';
+import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-L15pYd2c.js';
 
 /**
  * AstraSync Universal Verification Gateway - Express Middleware

package/dist/gateway/gateway.d.mts

@@ -1,5 +1,5 @@
-import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-DOAb89cm.mjs';
-import '../types-BwDmjIdr.mjs';
+import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-DNK2BgIf.mjs';
+import '../types-L15pYd2c.mjs';
 
 /**
  * AstraSyncGateway — Primary API surface for agent verification.

package/dist/gateway/gateway.d.ts

@@ -1,5 +1,5 @@
-import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-aucqzfUa.js';
-import '../types-BwDmjIdr.js';
+import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-DoWIuzfj.js';
+import '../types-L15pYd2c.js';
 
 /**
  * AstraSyncGateway — Primary API surface for agent verification.

package/dist/gateway/gateway.js

@@ -3055,7 +3055,7 @@ function getTrustLevel(score) {
 }
 
 // src/version.ts
-var SDK_VERSION = "2.4.7";
+var SDK_VERSION = "2.4.10";
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -3066,8 +3066,10 @@ var DEFAULT_CONFIG = {
   // through (`hasMinimumAccess('guidance', 'guidance') === true`).
   defaultAccessLevel: "none",
   // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
-  cacheTtl: 300,
-  // 5 minutes
+  // Round-18.5 F4: cacheTtl deliberately unset. When undefined, cacheResult
+  // applies the split default (60s autonomous / 300s step-up). When the
+  // caller sets cacheTtl explicitly, that value is honoured uniformly.
+  // Set cacheTtl: 0 to disable caching entirely.
   debug: false
 };
 var initCheckPerformed = false;
@@ -3094,11 +3096,28 @@ async function performInitCheck(apiBaseUrl, debug) {
   }
 }
 var verificationCache = /* @__PURE__ */ new Map();
-function getCacheKey(credentials) {
-  return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
-}
-function getCachedResult(credentials) {
-  const key = getCacheKey(credentials);
+function getCacheKey(request) {
+  const c = request.credentials;
+  return [
+    c.astraId || "",
+    c.apiKey || "",
+    c.jwt || "",
+    request.purpose || "",
+    request.action || "",
+    request.resourceType || "",
+    request.resource || "",
+    request.jurisdiction || "",
+    request.transactionValue ?? "",
+    request.currency || "",
+    request.counterpartyUrl || "",
+    request.counterpartyType || "",
+    request.isSubAgentRequest ? "1" : "0",
+    request.parentAgentId || "",
+    request.subAgentDepth ?? ""
+  ].join("|");
+}
+function getCachedResult(request) {
+  const key = getCacheKey(request);
   const cached = verificationCache.get(key);
   if (cached && cached.expiresAt > Date.now()) {
     return cached.result;
@@ -3108,8 +3127,11 @@ function getCachedResult(credentials) {
   }
   return null;
 }
-function cacheResult(credentials, result, ttlSeconds) {
-  const key = getCacheKey(credentials);
+var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
+var DEFAULT_STEP_UP_TTL_SECONDS = 300;
+function cacheResult(request, result, configuredTtl) {
+  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
+  const key = getCacheKey(request);
   verificationCache.set(key, {
     result,
     expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3138,12 +3160,17 @@ function createGuidanceResponse(config, reason, options = {}) {
     ]
   };
   return {
-    verified: false,
+    // Round-18 G4: createGuidanceResponse fires for unverified-agent path or
+    // API-error fallback. Identity is not verified (no agent resolved);
+    // policy is not evaluated (we never reached the gate).
+    identityVerified: false,
+    policyAllowed: false,
     // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
-    // Adapters additionally short-circuit on `verified === false` before
-    // the gate check, but the access level still has to be honest at the
-    // data layer so downstream consumers (SDK adapters in other languages,
-    // custom integrations) inherit the correct semantics.
+    // Adapters additionally short-circuit on `!identityVerified ||
+    // !policyAllowed` before the gate check, but the access level still has
+    // to be honest at the data layer so downstream consumers (SDK adapters
+    // in other languages, custom integrations) inherit the correct
+    // semantics.
     accessLevel: "none",
     guidance,
     denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
@@ -3259,8 +3286,8 @@ async function verify(config, request) {
       "[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
     );
   }
-  if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
-    const cached = getCachedResult(request.credentials);
+  if (mergedConfig.cacheTtl !== 0) {
+    const cached = getCachedResult(request);
     if (cached) {
       if (mergedConfig.debug) {
         console.log("[VerificationGateway] Returning cached result");
@@ -3287,15 +3314,17 @@ async function verify(config, request) {
   }
   if (!apiResponse.access?.allowed) {
     const aggregatedFailures = apiResponse.access?.failures;
+    const idVerifiedFromBackend = apiResponse.verificationContext?.idVerified === true;
     const result2 = {
-      verified: false,
+      identityVerified: idVerifiedFromBackend,
+      policyAllowed: false,
       // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
       // Pre-rename this hardcoded `'guidance'`, which conflated with the
       // colocated `guidance: {...}` help-payload object below and let
       // denied requests pass any route gated at `'guidance'` because
       // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now
-      // ALSO short-circuit on `verified === false` before the gate check —
-      // belt-and-braces.
+      // ALSO short-circuit on `!identityVerified || !policyAllowed` before
+      // the gate check — belt-and-braces.
       accessLevel: "none",
       denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
       failures: aggregatedFailures,
@@ -3339,7 +3368,13 @@ async function verify(config, request) {
   const verificationContext = apiResponse.verificationContext;
   const accessLevel = apiResponse.access?.accessLevel ?? "standard";
   const result = {
-    verified: true,
+    // Round-18 G4: backend allowed access. Identity is verified (we resolved
+    // the caller to an agent) and policy passed all gates. Read idVerified
+    // from verificationContext for symmetry with the deny branch; default true
+    // on success path since `access.allowed === true` implies identity was
+    // resolvable (anonymous-allow paths flow through createGuidanceResponse).
+    identityVerified: apiResponse.verificationContext?.idVerified !== false,
+    policyAllowed: true,
     accessLevel,
     agent,
     developer,
@@ -3362,7 +3397,7 @@ async function verify(config, request) {
     warningHeader: apiResponse.warningHeader
   };
   if (result.recommendation === "deny") {
-    result.verified = false;
+    result.policyAllowed = false;
     result.accessLevel = "none";
     result.denialReasons = result.recommendationReasons || [
       "Access denied by AstraSync recommendation"
@@ -3381,8 +3416,8 @@ async function verify(config, request) {
     }
     result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
   }
-  if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0 && result.recommendation !== "deny") {
-    cacheResult(request.credentials, result, mergedConfig.cacheTtl);
+  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
+    cacheResult(request, result, mergedConfig.cacheTtl);
   }
   return result;
 }
@@ -3454,7 +3489,7 @@ function toVerificationRequest(context, astraId) {
   };
 }
 function toDecision(result) {
-  if (result.verified) {
+  if (result.identityVerified && result.policyAllowed) {
     return {
       recommendation: "ALLOW",
       reason: `Verified with access level: ${result.accessLevel}`,