@astrasyncai/verification-gateway 2.4.9 → 2.4.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapters/express.js +53 -17
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +53 -17
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.js +35 -13
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +35 -13
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.js +53 -17
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +53 -17
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.js +35 -13
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +35 -13
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/browser/background.js +36 -14
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +36 -14
- package/dist/browser/background.mjs.map +1 -1
- package/dist/cursor/extension.js +36 -14
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +36 -14
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/gateway/gateway.js +36 -14
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +36 -14
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/index.js +54 -18
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +54 -18
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
package/dist/index.mjs
CHANGED
|
@@ -126,7 +126,7 @@ function getCapabilities(accessLevel) {
|
|
|
126
126
|
}
|
|
127
127
|
|
|
128
128
|
// src/version.ts
|
|
129
|
-
var SDK_VERSION = "2.4.
|
|
129
|
+
var SDK_VERSION = "2.4.10";
|
|
130
130
|
|
|
131
131
|
// src/verify.ts
|
|
132
132
|
var DEFAULT_CONFIG = {
|
|
@@ -137,8 +137,10 @@ var DEFAULT_CONFIG = {
|
|
|
137
137
|
// through (`hasMinimumAccess('guidance', 'guidance') === true`).
|
|
138
138
|
defaultAccessLevel: "none",
|
|
139
139
|
// minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.
|
|
140
|
-
|
|
141
|
-
//
|
|
140
|
+
// Round-18.5 F4: cacheTtl deliberately unset. When undefined, cacheResult
|
|
141
|
+
// applies the split default (60s autonomous / 300s step-up). When the
|
|
142
|
+
// caller sets cacheTtl explicitly, that value is honoured uniformly.
|
|
143
|
+
// Set cacheTtl: 0 to disable caching entirely.
|
|
142
144
|
debug: false
|
|
143
145
|
};
|
|
144
146
|
var initCheckPerformed = false;
|
|
@@ -165,11 +167,28 @@ async function performInitCheck(apiBaseUrl, debug) {
|
|
|
165
167
|
}
|
|
166
168
|
}
|
|
167
169
|
var verificationCache = /* @__PURE__ */ new Map();
|
|
168
|
-
function getCacheKey(
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
170
|
+
function getCacheKey(request) {
|
|
171
|
+
const c = request.credentials;
|
|
172
|
+
return [
|
|
173
|
+
c.astraId || "",
|
|
174
|
+
c.apiKey || "",
|
|
175
|
+
c.jwt || "",
|
|
176
|
+
request.purpose || "",
|
|
177
|
+
request.action || "",
|
|
178
|
+
request.resourceType || "",
|
|
179
|
+
request.resource || "",
|
|
180
|
+
request.jurisdiction || "",
|
|
181
|
+
request.transactionValue ?? "",
|
|
182
|
+
request.currency || "",
|
|
183
|
+
request.counterpartyUrl || "",
|
|
184
|
+
request.counterpartyType || "",
|
|
185
|
+
request.isSubAgentRequest ? "1" : "0",
|
|
186
|
+
request.parentAgentId || "",
|
|
187
|
+
request.subAgentDepth ?? ""
|
|
188
|
+
].join("|");
|
|
189
|
+
}
|
|
190
|
+
function getCachedResult(request) {
|
|
191
|
+
const key = getCacheKey(request);
|
|
173
192
|
const cached = verificationCache.get(key);
|
|
174
193
|
if (cached && cached.expiresAt > Date.now()) {
|
|
175
194
|
return cached.result;
|
|
@@ -179,8 +198,11 @@ function getCachedResult(credentials) {
|
|
|
179
198
|
}
|
|
180
199
|
return null;
|
|
181
200
|
}
|
|
182
|
-
|
|
183
|
-
|
|
201
|
+
var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
|
|
202
|
+
var DEFAULT_STEP_UP_TTL_SECONDS = 300;
|
|
203
|
+
function cacheResult(request, result, configuredTtl) {
|
|
204
|
+
const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
|
|
205
|
+
const key = getCacheKey(request);
|
|
184
206
|
verificationCache.set(key, {
|
|
185
207
|
result,
|
|
186
208
|
expiresAt: Date.now() + ttlSeconds * 1e3
|
|
@@ -369,8 +391,8 @@ async function verify(config, request) {
|
|
|
369
391
|
"[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 and have no effect. Server is now the single source of truth for access-level decisions (the SDK reads access.accessLevel from the verify-access response). To gate access to an endpoint, configure the endpoint's trust_score_requirement server-side."
|
|
370
392
|
);
|
|
371
393
|
}
|
|
372
|
-
if (mergedConfig.cacheTtl
|
|
373
|
-
const cached = getCachedResult(request
|
|
394
|
+
if (mergedConfig.cacheTtl !== 0) {
|
|
395
|
+
const cached = getCachedResult(request);
|
|
374
396
|
if (cached) {
|
|
375
397
|
if (mergedConfig.debug) {
|
|
376
398
|
console.log("[VerificationGateway] Returning cached result");
|
|
@@ -499,8 +521,8 @@ async function verify(config, request) {
|
|
|
499
521
|
}
|
|
500
522
|
result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
|
|
501
523
|
}
|
|
502
|
-
if (mergedConfig.cacheTtl
|
|
503
|
-
cacheResult(request
|
|
524
|
+
if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
|
|
525
|
+
cacheResult(request, result, mergedConfig.cacheTtl);
|
|
504
526
|
}
|
|
505
527
|
return result;
|
|
506
528
|
}
|
|
@@ -657,8 +679,15 @@ function extractHttpCredentials(headers) {
|
|
|
657
679
|
// src/pdlss-pre-check.ts
|
|
658
680
|
function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
|
|
659
681
|
const failures = [];
|
|
660
|
-
if (
|
|
661
|
-
if (!routeConfig.allowedPurposes.
|
|
682
|
+
if (purpose) {
|
|
683
|
+
if (!routeConfig.allowedPurposes || routeConfig.allowedPurposes.length === 0) {
|
|
684
|
+
failures.push({
|
|
685
|
+
field: "purpose",
|
|
686
|
+
requested: purpose,
|
|
687
|
+
limit: [],
|
|
688
|
+
message: `Purpose "${purpose}" not allowed: route declares no allowedPurposes. The endpoint owner must enumerate allowedPurposes on the route config to authorise specific purposes.`
|
|
689
|
+
});
|
|
690
|
+
} else if (!routeConfig.allowedPurposes.includes(purpose)) {
|
|
662
691
|
failures.push({
|
|
663
692
|
field: "purpose",
|
|
664
693
|
requested: purpose,
|
|
@@ -688,9 +717,16 @@ function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
|
|
|
688
717
|
});
|
|
689
718
|
}
|
|
690
719
|
}
|
|
691
|
-
if (
|
|
720
|
+
if (astraCreds?.pdlss?.scope?.jurisdiction) {
|
|
692
721
|
const requested = astraCreds.pdlss.scope.jurisdiction;
|
|
693
|
-
if (!routeConfig.allowedJurisdictions.
|
|
722
|
+
if (!routeConfig.allowedJurisdictions || routeConfig.allowedJurisdictions.length === 0) {
|
|
723
|
+
failures.push({
|
|
724
|
+
field: "jurisdiction",
|
|
725
|
+
requested,
|
|
726
|
+
limit: [],
|
|
727
|
+
message: `Jurisdiction "${requested}" not allowed: route declares no allowedJurisdictions. The endpoint owner must enumerate allowedJurisdictions on the route config to authorise specific jurisdictions.`
|
|
728
|
+
});
|
|
729
|
+
} else if (!routeConfig.allowedJurisdictions.includes(requested)) {
|
|
694
730
|
failures.push({
|
|
695
731
|
field: "jurisdiction",
|
|
696
732
|
requested,
|