@astrasyncai/verification-gateway 2.4.8 → 2.4.9

package/dist/adapters/mcp.mjs

@@ -18,7 +18,7 @@ function hasMinimumAccess(actual, required) {
 }
 
 // src/version.ts
-var SDK_VERSION = "2.4.7";
+var SDK_VERSION = "2.4.9";
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -129,12 +129,17 @@ function createGuidanceResponse(config, reason, options = {}) {
     ]
   };
   return {
-    verified: false,
+    // Round-18 G4: createGuidanceResponse fires for unverified-agent path or
+    // API-error fallback. Identity is not verified (no agent resolved);
+    // policy is not evaluated (we never reached the gate).
+    identityVerified: false,
+    policyAllowed: false,
     // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
-    // Adapters additionally short-circuit on `verified === false` before
-    // the gate check, but the access level still has to be honest at the
-    // data layer so downstream consumers (SDK adapters in other languages,
-    // custom integrations) inherit the correct semantics.
+    // Adapters additionally short-circuit on `!identityVerified ||
+    // !policyAllowed` before the gate check, but the access level still has
+    // to be honest at the data layer so downstream consumers (SDK adapters
+    // in other languages, custom integrations) inherit the correct
+    // semantics.
     accessLevel: "none",
     guidance,
     denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
@@ -278,15 +283,17 @@ async function verify(config, request) {
   }
   if (!apiResponse.access?.allowed) {
     const aggregatedFailures = apiResponse.access?.failures;
+    const idVerifiedFromBackend = apiResponse.verificationContext?.idVerified === true;
     const result2 = {
-      verified: false,
+      identityVerified: idVerifiedFromBackend,
+      policyAllowed: false,
       // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.
       // Pre-rename this hardcoded `'guidance'`, which conflated with the
       // colocated `guidance: {...}` help-payload object below and let
       // denied requests pass any route gated at `'guidance'` because
       // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now
-      // ALSO short-circuit on `verified === false` before the gate check —
-      // belt-and-braces.
+      // ALSO short-circuit on `!identityVerified || !policyAllowed` before
+      // the gate check — belt-and-braces.
       accessLevel: "none",
       denialReasons: aggregatedFailures && aggregatedFailures.length > 0 ? aggregatedFailures.map((f) => f.message) : apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
       failures: aggregatedFailures,
@@ -330,7 +337,13 @@ async function verify(config, request) {
   const verificationContext = apiResponse.verificationContext;
   const accessLevel = apiResponse.access?.accessLevel ?? "standard";
   const result = {
-    verified: true,
+    // Round-18 G4: backend allowed access. Identity is verified (we resolved
+    // the caller to an agent) and policy passed all gates. Read idVerified
+    // from verificationContext for symmetry with the deny branch; default true
+    // on success path since `access.allowed === true` implies identity was
+    // resolvable (anonymous-allow paths flow through createGuidanceResponse).
+    identityVerified: apiResponse.verificationContext?.idVerified !== false,
+    policyAllowed: true,
     accessLevel,
     agent,
     developer,
@@ -353,7 +366,7 @@ async function verify(config, request) {
     warningHeader: apiResponse.warningHeader
   };
   if (result.recommendation === "deny") {
-    result.verified = false;
+    result.policyAllowed = false;
     result.accessLevel = "none";
     result.denialReasons = result.recommendationReasons || [
       "Access denied by AstraSync recommendation"
@@ -543,13 +556,16 @@ function readSingleHeader(value) {
 }
 function defaultMcpDenied(result, req, res) {
   const id = req.body?.id ?? null;
-  const status = result.verified ? 403 : 401;
+  const status = !result.identityVerified ? 401 : 403;
   res.setHeader("X-Astra-Gateway-Mode", "enforced");
   res.status(status).json({
     jsonrpc: "2.0",
     id,
     error: {
-      code: result.verified ? -32001 : -32e3,
+      // JSON-RPC error codes:
+      //   -32000 → unauthorized (no identity resolved)
+      //   -32001 → insufficient access (identity OK, policy denied)
+      code: !result.identityVerified ? -32e3 : -32001,
       message: result.denialReasons?.[0] ?? "Access denied",
       data: {
         accessLevel: result.accessLevel,
@@ -683,7 +699,7 @@ function createMcpMiddleware(options) {
       req.agentVerification = result;
       const sessionId = result.sessionId;
       const correlationId = result.correlationId;
-      if (!result.verified) {
+      if (!result.identityVerified || !result.policyAllowed) {
         if (shouldRecordDecisions && sessionId) {
           recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
           });