@astrasyncai/verification-gateway 2.4.9 → 2.4.10
- package/dist/adapters/express.js +53 -17
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +53 -17
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.js +35 -13
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +35 -13
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.js +53 -17
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +53 -17
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.js +35 -13
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +35 -13
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/browser/background.js +36 -14
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +36 -14
- package/dist/browser/background.mjs.map +1 -1
- package/dist/cursor/extension.js +36 -14
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +36 -14
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/gateway/gateway.js +36 -14
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +36 -14
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/index.js +54 -18
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +54 -18
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
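--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -189,7 +189,7 @@ function getCapabilities(accessLevel) {
 }
 
 // src/version.ts
-var SDK_VERSION = "2.4.
+var SDK_VERSION = "2.4.10";
 
 // src/verify.ts
 var DEFAULT_CONFIG = {
@@ -200,8 +200,10 @@ var DEFAULT_CONFIG = {
 // through (`hasMinimumAccess('guidance', 'guidance') === true`).
 defaultAccessLevel: "none",
 // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
-
-//
+// Round-18.5 F4: cacheTtl deliberately unset. When undefined, cacheResult
+// applies the split default (60s autonomous / 300s step-up). When the
+// caller sets cacheTtl explicitly, that value is honoured uniformly.
+// Set cacheTtl: 0 to disable caching entirely.
 debug: false
 };
 var initCheckPerformed = false;
@@ -228,11 +230,28 @@ async function performInitCheck(apiBaseUrl, debug) {
 }
 }
 var verificationCache = /* @__PURE__ */ new Map();
-function getCacheKey(
-
-
-
-
+function getCacheKey(request) {
+const c = request.credentials;
+return [
+c.astraId || "",
+c.apiKey || "",
+c.jwt || "",
+request.purpose || "",
+request.action || "",
+request.resourceType || "",
+request.resource || "",
+request.jurisdiction || "",
+request.transactionValue ?? "",
+request.currency || "",
+request.counterpartyUrl || "",
+request.counterpartyType || "",
+request.isSubAgentRequest ? "1" : "0",
+request.parentAgentId || "",
+request.subAgentDepth ?? ""
+].join("|");
+}
+function getCachedResult(request) {
+const key = getCacheKey(request);
 const cached = verificationCache.get(key);
 if (cached && cached.expiresAt > Date.now()) {
 return cached.result;
@@ -242,8 +261,11 @@ function getCachedResult(credentials) {
 }
 return null;
 }
-
-
+var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
+var DEFAULT_STEP_UP_TTL_SECONDS = 300;
+function cacheResult(request, result, configuredTtl) {
+const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
+const key = getCacheKey(request);
 verificationCache.set(key, {
 result,
 expiresAt: Date.now() + ttlSeconds * 1e3
@@ -432,8 +454,8 @@ async function verify(config, request) {
 "[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
 );
 }
-if (mergedConfig.cacheTtl
-const cached = getCachedResult(request
+if (mergedConfig.cacheTtl !== 0) {
+const cached = getCachedResult(request);
 if (cached) {
 if (mergedConfig.debug) {
 console.log("[VerificationGateway] Returning cached result");
@@ -562,8 +584,8 @@ async function verify(config, request) {
 }
 result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
 }
-if (mergedConfig.cacheTtl
-cacheResult(request
+if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
+cacheResult(request, result, mergedConfig.cacheTtl);
 }
 return result;
 }
@@ -720,8 +742,15 @@ function extractHttpCredentials(headers) {
 // src/pdlss-pre-check.ts
 function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
 const failures = [];
-if (
-if (!routeConfig.allowedPurposes.
+if (purpose) {
+if (!routeConfig.allowedPurposes || routeConfig.allowedPurposes.length === 0) {
+failures.push({
+field: "purpose",
+requested: purpose,
+limit: [],
+message: `Purpose "${purpose}" not allowed: route declares no allowedPurposes. The endpoint owner must enumerate allowedPurposes on the route config to authorise specific purposes.`
+});
+} else if (!routeConfig.allowedPurposes.includes(purpose)) {
 failures.push({
 field: "purpose",
 requested: purpose,
@@ -751,9 +780,16 @@ function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
 });
 }
 }
-if (
+if (astraCreds?.pdlss?.scope?.jurisdiction) {
 const requested = astraCreds.pdlss.scope.jurisdiction;
-if (!routeConfig.allowedJurisdictions.
+if (!routeConfig.allowedJurisdictions || routeConfig.allowedJurisdictions.length === 0) {
+failures.push({
+field: "jurisdiction",
+requested,
+limit: [],
+message: `Jurisdiction "${requested}" not allowed: route declares no allowedJurisdictions. The endpoint owner must enumerate allowedJurisdictions on the route config to authorise specific jurisdictions.`
+});
+} else if (!routeConfig.allowedJurisdictions.includes(requested)) {
 failures.push({
 field: "jurisdiction",
 requested,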
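Review bot: The new `getCacheKey` (hunk at +230) joins its fifteen fields with `|` and escapes nothing, so the cache key is ambiguous whenever a request-supplied field can itself contain `|`. In a constructed example, purpose `a|b` with action `c` and purpose `a` with action `b|c` serialize to the same key, so `getCachedResult` would return a non-deny result cached for a different request. An unambiguous encoding closes this: keep the same array and replace `].join("|");` with a JSON encoding, i.e. `return JSON.stringify([ /* same fifteen entries */ ]);`. The key also carries the raw `apiKey` and `jwt` for as long as the Map entry lives; whether expired entries are evicted is not visible here, since the body of `getCachedResult` continues outside the hunk.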