npm - @astrasyncai/verification-gateway - Versions diffs - 2.4.8 → 2.4.9 - Mend

@astrasyncai/verification-gateway 2.4.8 → 2.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/dist/adapter-interface/interface.d.mts +2 -2
package/dist/adapter-interface/interface.d.ts +2 -2
package/dist/adapters/express.d.mts +2 -2
package/dist/adapters/express.d.ts +2 -2
package/dist/adapters/express.js +29 -15
package/dist/adapters/express.js.map +1 -1
package/dist/adapters/express.mjs +29 -15
package/dist/adapters/express.mjs.map +1 -1
package/dist/adapters/mcp.d.mts +1 -1
package/dist/adapters/mcp.d.ts +1 -1
package/dist/adapters/mcp.js +30 -14
package/dist/adapters/mcp.js.map +1 -1
package/dist/adapters/mcp.mjs +30 -14
package/dist/adapters/mcp.mjs.map +1 -1
package/dist/adapters/nextjs.d.mts +2 -2
package/dist/adapters/nextjs.d.ts +2 -2
package/dist/adapters/nextjs.js +37 -16
package/dist/adapters/nextjs.js.map +1 -1
package/dist/adapters/nextjs.mjs +37 -16
package/dist/adapters/nextjs.mjs.map +1 -1
package/dist/adapters/sdk.d.mts +2 -2
package/dist/adapters/sdk.d.ts +2 -2
package/dist/adapters/sdk.js +31 -13
package/dist/adapters/sdk.js.map +1 -1
package/dist/adapters/sdk.mjs +31 -13
package/dist/adapters/sdk.mjs.map +1 -1
package/dist/agent/index.d.mts +2 -2
package/dist/agent/index.d.ts +2 -2
package/dist/browser/background.js +25 -12
package/dist/browser/background.js.map +1 -1
package/dist/browser/background.mjs +25 -12
package/dist/browser/background.mjs.map +1 -1
package/dist/browser/browser-adapter.d.mts +2 -2
package/dist/browser/browser-adapter.d.ts +2 -2
package/dist/cli/index.d.mts +2 -2
package/dist/cli/index.d.ts +2 -2
package/dist/cursor/cursor-adapter.d.mts +2 -2
package/dist/cursor/cursor-adapter.d.ts +2 -2
package/dist/cursor/extension.d.mts +2 -2
package/dist/cursor/extension.d.ts +2 -2
package/dist/cursor/extension.js +25 -12
package/dist/cursor/extension.js.map +1 -1
package/dist/cursor/extension.mjs +25 -12
package/dist/cursor/extension.mjs.map +1 -1
package/dist/{express-DvVjR2H4.d.mts → express-4WStX3PV.d.mts} +1 -1
package/dist/{express-714gJbaW.d.ts → express-C1ePFB7n.d.ts} +1 -1
package/dist/gateway/gateway.d.mts +2 -2
package/dist/gateway/gateway.d.ts +2 -2
package/dist/gateway/gateway.js +25 -12
package/dist/gateway/gateway.js.map +1 -1
package/dist/gateway/gateway.mjs +25 -12
package/dist/gateway/gateway.mjs.map +1 -1
package/dist/git-trigger/git-hooks.d.mts +2 -2
package/dist/git-trigger/git-hooks.d.ts +2 -2
package/dist/{index-DYFS9QVb.d.mts → index-ChPX4WHl.d.mts} +1 -1
package/dist/{index-DO0oG8ED.d.ts → index-Cjm-zBeZ.d.ts} +1 -1
package/dist/{index-2WAlxs2G.d.ts → index-CzJMCgEy.d.ts} +1 -1
package/dist/{index-P9t7M_dJ.d.mts → index-D8IEntil.d.mts} +1 -1
package/dist/index.d.mts +22 -11
package/dist/index.d.ts +22 -11
package/dist/index.js +80 -25
package/dist/index.js.map +1 -1
package/dist/index.mjs +79 -25
package/dist/index.mjs.map +1 -1
package/dist/local-evaluator/evaluator.d.mts +2 -2
package/dist/local-evaluator/evaluator.d.ts +2 -2
package/dist/{nextjs-CZ-MwSOT.d.ts → nextjs-BIORS__0.d.ts} +1 -1
package/dist/{nextjs-BCoH7EqF.d.mts → nextjs-CjzHdaXA.d.mts} +1 -1
package/dist/registration/index.d.mts +76 -1
package/dist/registration/index.d.ts +76 -1
package/dist/registration/index.js +27 -2
package/dist/registration/index.js.map +1 -1
package/dist/registration/index.mjs +25 -1
package/dist/registration/index.mjs.map +1 -1
package/dist/{sdk-wwhFDXWX.d.mts → sdk-Chhz-FcT.d.mts} +9 -4
package/dist/{sdk-kiA49vqJ.d.ts → sdk-CqTEQAc6.d.ts} +9 -4
package/dist/transport/index.d.mts +2 -2
package/dist/transport/index.d.ts +2 -2
package/dist/{types-DOAb89cm.d.mts → types-DNK2BgIf.d.mts} +1 -1
package/dist/{types-aucqzfUa.d.ts → types-DoWIuzfj.d.ts} +1 -1
package/dist/{types-BwDmjIdr.d.mts → types-L15pYd2c.d.mts} +21 -4
package/dist/{types-BwDmjIdr.d.ts → types-L15pYd2c.d.ts} +21 -4
package/dist/ui/index.d.mts +1 -1
package/dist/ui/index.d.ts +1 -1
package/dist/ui/index.js +1 -1
package/dist/ui/index.js.map +1 -1
package/dist/ui/index.mjs +1 -1
package/dist/ui/index.mjs.map +1 -1
package/package.json +1 -1

package/dist/adapters/mcp.js CHANGED Viewed

@@ -51,7 +51,7 @@ function hasMinimumAccess(actual, required) {
 }
 // src/version.ts
-var SDK_VERSION = "2.4.7";
+var SDK_VERSION = "2.4.9";
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -162,12 +162,17 @@ function createGuidanceResponse(config, reason, options = {}) {
     ]
   };
   return {
-    verified: false,
+    // Round-18 G4: createGuidanceResponse fires for unverified-agent path or
+    // API-error fallback. Identity is not verified (no agent resolved);
+    // policy is not evaluated (we never reached the gate).
+    identityVerified: false,
+    policyAllowed: false,
     // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
-    // Adapters additionally short-circuit on `verified === false` before
-    // the gate check, but the access level still has to be honest at the
-    // data layer so downstream consumers (SDK adapters in other languages,
-    // custom integrations) inherit the correct semantics.
+    // Adapters additionally short-circuit on `!identityVerified ||
+    // !policyAllowed` before the gate check, but the access level still has
+    // to be honest at the data layer so downstream consumers (SDK adapters
+    // in other languages, custom integrations) inherit the correct
+    // semantics.
     accessLevel: "none",
     guidance,
     denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
@@ -311,15 +316,17 @@ async function verify(config, request) {
   }
   if (!apiResponse.access?.allowed) {
     const aggregatedFailures = apiResponse.access?.failures;
+    const idVerifiedFromBackend = apiResponse.verificationContext?.idVerified === true;
     const result2 = {
-      verified: false,
+      identityVerified: idVerifiedFromBackend,
+      policyAllowed: false,
       // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
       // Pre-rename this hardcoded `'guidance'`, which conflated with the
       // colocated `guidance: {...}` help-payload object below and let
       // denied requests pass any route gated at `'guidance'` because
       // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now
-      // ALSO short-circuit on `verified === false` before the gate check —
-      // belt-and-braces.
+      // ALSO short-circuit on `!identityVerified || !policyAllowed` before
+      // the gate check — belt-and-braces.
       accessLevel: "none",
       denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
       failures: aggregatedFailures,
@@ -363,7 +370,13 @@ async function verify(config, request) {
   const verificationContext = apiResponse.verificationContext;
   const accessLevel = apiResponse.access?.accessLevel ?? "standard";
   const result = {
-    verified: true,
+    // Round-18 G4: backend allowed access. Identity is verified (we resolved
+    // the caller to an agent) and policy passed all gates. Read idVerified
+    // from verificationContext for symmetry with the deny branch; default true
+    // on success path since `access.allowed === true` implies identity was
+    // resolvable (anonymous-allow paths flow through createGuidanceResponse).
+    identityVerified: apiResponse.verificationContext?.idVerified !== false,
+    policyAllowed: true,
     accessLevel,
     agent,
     developer,
@@ -386,7 +399,7 @@ async function verify(config, request) {
     warningHeader: apiResponse.warningHeader
   };
   if (result.recommendation === "deny") {
-    result.verified = false;
+    result.policyAllowed = false;
     result.accessLevel = "none";
     result.denialReasons = result.recommendationReasons || [
       "Access denied by AstraSync recommendation"
@@ -576,13 +589,16 @@ function readSingleHeader(value) {
 }
 function defaultMcpDenied(result, req, res) {
   const id = req.body?.id ?? null;
-  const status = result.verified ? 403 : 401;
+  const status = !result.identityVerified ? 401 : 403;
   res.setHeader("X-Astra-Gateway-Mode", "enforced");
   res.status(status).json({
     jsonrpc: "2.0",
     id,
     error: {
-      code: result.verified ? -32001 : -32e3,
+      // JSON-RPC error codes:
+      //   -32000 → unauthorized (no identity resolved)
+      //   -32001 → insufficient access (identity OK, policy denied)
+      code: !result.identityVerified ? -32e3 : -32001,
       message: result.denialReasons?.[0] ?? "Access denied",
       data: {
         accessLevel: result.accessLevel,
@@ -716,7 +732,7 @@ function createMcpMiddleware(options) {
       req.agentVerification = result;
       const sessionId = result.sessionId;
       const correlationId = result.correlationId;
-      if (!result.verified) {
+      if (!result.identityVerified || !result.policyAllowed) {
         if (shouldRecordDecisions && sessionId) {
           recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
           });