@astrasyncai/verification-gateway 2.5.1 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (93) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +123 -33
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +123 -33
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +20 -7
  10. package/dist/adapters/mcp.d.ts +20 -7
  11. package/dist/adapters/mcp.js +6 -3
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +6 -3
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +107 -28
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +107 -28
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +1 -1
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +1 -1
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/agent/index.js +3 -0
  30. package/dist/agent/index.js.map +1 -1
  31. package/dist/agent/index.mjs +3 -0
  32. package/dist/agent/index.mjs.map +1 -1
  33. package/dist/browser/background.js +1 -1
  34. package/dist/browser/background.js.map +1 -1
  35. package/dist/browser/background.mjs +1 -1
  36. package/dist/browser/background.mjs.map +1 -1
  37. package/dist/browser/browser-adapter.d.mts +2 -2
  38. package/dist/browser/browser-adapter.d.ts +2 -2
  39. package/dist/cli/index.d.mts +2 -2
  40. package/dist/cli/index.d.ts +2 -2
  41. package/dist/cursor/cursor-adapter.d.mts +2 -2
  42. package/dist/cursor/cursor-adapter.d.ts +2 -2
  43. package/dist/cursor/extension.d.mts +2 -2
  44. package/dist/cursor/extension.d.ts +2 -2
  45. package/dist/cursor/extension.js +1 -1
  46. package/dist/cursor/extension.js.map +1 -1
  47. package/dist/cursor/extension.mjs +1 -1
  48. package/dist/cursor/extension.mjs.map +1 -1
  49. package/dist/{express-ienhAXps.d.mts → express-DFVBlXr_.d.mts} +1 -1
  50. package/dist/{express-CrfwoNAR.d.ts → express-DavQ76oF.d.ts} +1 -1
  51. package/dist/gateway/gateway.d.mts +2 -2
  52. package/dist/gateway/gateway.d.ts +2 -2
  53. package/dist/gateway/gateway.js +1 -1
  54. package/dist/gateway/gateway.js.map +1 -1
  55. package/dist/gateway/gateway.mjs +1 -1
  56. package/dist/gateway/gateway.mjs.map +1 -1
  57. package/dist/git-trigger/git-hooks.d.mts +2 -2
  58. package/dist/git-trigger/git-hooks.d.ts +2 -2
  59. package/dist/{index-B5e2IDWU.d.mts → index-BVxantdv.d.mts} +1 -1
  60. package/dist/{index-DC5f8eoQ.d.ts → index-BhEgEiJL.d.ts} +1 -1
  61. package/dist/{index-CEg_WG6y.d.mts → index-BhL2R65s.d.mts} +1 -1
  62. package/dist/{index-CCdZxvAr.d.ts → index-Dk2nIA4w.d.ts} +1 -1
  63. package/dist/index.d.mts +7 -7
  64. package/dist/index.d.ts +7 -7
  65. package/dist/index.js +164 -72
  66. package/dist/index.js.map +1 -1
  67. package/dist/index.mjs +164 -72
  68. package/dist/index.mjs.map +1 -1
  69. package/dist/local-evaluator/evaluator.d.mts +2 -2
  70. package/dist/local-evaluator/evaluator.d.ts +2 -2
  71. package/dist/{nextjs-66R1KW8e.d.ts → nextjs-BXLH1hJj.d.ts} +1 -1
  72. package/dist/{nextjs-DSpisQst.d.mts → nextjs-D-maqrNz.d.mts} +1 -1
  73. package/dist/registration/index.d.mts +4 -3
  74. package/dist/registration/index.d.ts +4 -3
  75. package/dist/registration/index.js +4 -1
  76. package/dist/registration/index.js.map +1 -1
  77. package/dist/registration/index.mjs +4 -1
  78. package/dist/registration/index.mjs.map +1 -1
  79. package/dist/{sdk-5U_CBRpr.d.mts → sdk-767LaEP8.d.mts} +1 -1
  80. package/dist/{sdk-Bm8np66n.d.ts → sdk-K8IgssHI.d.ts} +1 -1
  81. package/dist/transport/index.d.mts +2 -2
  82. package/dist/transport/index.d.ts +2 -2
  83. package/dist/transport/index.js +10 -0
  84. package/dist/transport/index.js.map +1 -1
  85. package/dist/transport/index.mjs +10 -0
  86. package/dist/transport/index.mjs.map +1 -1
  87. package/dist/{types-B3USs-Kx.d.mts → types-Cuh7ELfr.d.mts} +25 -0
  88. package/dist/{types-B3USs-Kx.d.ts → types-Cuh7ELfr.d.ts} +25 -0
  89. package/dist/{types-CgDCUfo8.d.mts → types-CyFwZ_Yu.d.mts} +1 -1
  90. package/dist/{types-R5N4ET6x.d.ts → types-WIRp_BP_.d.ts} +1 -1
  91. package/dist/ui/index.d.mts +1 -1
  92. package/dist/ui/index.d.ts +1 -1
  93. package/package.json +1 -1
package/dist/index.mjs CHANGED
@@ -126,7 +126,7 @@ function getCapabilities(accessLevel) {
126
126
  }
127
127
 
128
128
  // src/version.ts
129
- var SDK_VERSION = "2.4.13";
129
+ var SDK_VERSION = "3.1.0";
130
130
 
131
131
  // src/well-known.ts
132
132
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -721,6 +721,9 @@ function setHttpHeaders(headers, credentials) {
721
721
  if (credentials.pdlss?.purpose) {
722
722
  const purposeValue = credentials.pdlss.purpose.action ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}` : credentials.pdlss.purpose.category;
723
723
  result[`${HEADER_PREFIX}Purpose`] = purposeValue;
724
+ if (credentials.pdlss.purpose.action) {
725
+ result[`${HEADER_PREFIX}Action`] = credentials.pdlss.purpose.action;
726
+ }
724
727
  }
725
728
  if (credentials.pdlss?.duration?.maxSessionDuration) {
726
729
  result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);
@@ -750,6 +753,13 @@ function extractHttpCredentials(headers) {
750
753
  purpose: { category, action }
751
754
  };
752
755
  }
756
+ const astraAction = getValue(`${HEADER_PREFIX}Action`) ?? getValue("x-astra-action");
757
+ if (astraAction) {
758
+ credentials.pdlss = {
759
+ ...credentials.pdlss,
760
+ purpose: { category: credentials.pdlss?.purpose?.category ?? "", action: astraAction }
761
+ };
762
+ }
753
763
  const duration = getValue(`${HEADER_PREFIX}Duration`) ?? getValue("x-astra-duration");
754
764
  if (duration) {
755
765
  credentials.pdlss = {
@@ -767,6 +777,85 @@ function extractHttpCredentials(headers) {
767
777
  return credentials;
768
778
  }
769
779
 
780
+ // src/adapters/http-pdlss.ts
781
+ var HTTP_METHOD_ACTION_TABLE = {
782
+ GET: "data.read",
783
+ HEAD: "data.read",
784
+ OPTIONS: "data.read",
785
+ POST: "data.write",
786
+ PUT: "data.write",
787
+ PATCH: "data.write",
788
+ DELETE: "data.delete"
789
+ };
790
+ var DEFAULT_HTTP_ACTION = "data.write";
791
+ var DEFAULT_HTTP_PURPOSE = "data";
792
+ function actionForHttpMethod(method) {
793
+ return HTTP_METHOD_ACTION_TABLE[method.toUpperCase()] ?? DEFAULT_HTTP_ACTION;
794
+ }
795
+ function normalizePurposeHeader(value) {
796
+ const colon = value.indexOf(":");
797
+ if (colon >= 0) {
798
+ return { purpose: value.slice(0, colon) };
799
+ }
800
+ const dot = value.indexOf(".");
801
+ if (dot > 0 && dot < value.length - 1) {
802
+ return { purpose: value.slice(0, dot), actionCandidate: value };
803
+ }
804
+ return { purpose: value };
805
+ }
806
+ function resolveHttpPdlss(input) {
807
+ const fromHeader = input.astraPurpose ? normalizePurposeHeader(input.astraPurpose) : void 0;
808
+ let action;
809
+ let actionSource;
810
+ if (input.routeAction) {
811
+ action = input.routeAction;
812
+ actionSource = "route_config";
813
+ } else if (input.hasCustomActionExtractor && input.customAction) {
814
+ action = input.customAction;
815
+ actionSource = "custom_extractor";
816
+ } else if (!input.hasCustomActionExtractor && input.astraAction) {
817
+ action = input.astraAction;
818
+ actionSource = "header";
819
+ } else if (!input.hasCustomActionExtractor && fromHeader?.actionCandidate) {
820
+ action = fromHeader.actionCandidate;
821
+ actionSource = "purpose_header_derived";
822
+ } else {
823
+ action = actionForHttpMethod(input.method);
824
+ actionSource = "method_table";
825
+ }
826
+ let purpose;
827
+ let purposeSource;
828
+ if (input.routePurpose) {
829
+ purpose = input.routePurpose;
830
+ purposeSource = "route_config";
831
+ } else if (input.hasCustomPurposeExtractor) {
832
+ if (input.customPurpose) {
833
+ purpose = input.customPurpose;
834
+ purposeSource = "custom_extractor";
835
+ }
836
+ } else if (fromHeader) {
837
+ purpose = fromHeader.purpose;
838
+ purposeSource = "header";
839
+ } else if (input.legacyPurpose) {
840
+ purpose = input.legacyPurpose;
841
+ purposeSource = "legacy_header";
842
+ } else if (input.queryPurpose) {
843
+ purpose = input.queryPurpose;
844
+ purposeSource = "query";
845
+ }
846
+ if (!purpose) {
847
+ const dot = action.indexOf(".");
848
+ if (dot > 0) {
849
+ purpose = action.slice(0, dot);
850
+ purposeSource = "action_derived";
851
+ } else {
852
+ purpose = DEFAULT_HTTP_PURPOSE;
853
+ purposeSource = "transport_default";
854
+ }
855
+ }
856
+ return { purpose, action, purposeSource, actionSource };
857
+ }
858
+
770
859
  // src/pdlss-pre-check.ts
771
860
  function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
772
861
  const failures = [];
@@ -825,33 +914,25 @@ function defaultExtractCredentials(req) {
825
914
  function extractAstraSyncCredentials(req) {
826
915
  return extractHttpCredentials(req.headers);
827
916
  }
828
- function defaultExtractPurpose(req) {
829
- const astraPurpose = req.headers["x-astra-purpose"];
830
- if (astraPurpose) {
831
- const value = Array.isArray(astraPurpose) ? astraPurpose[0] : astraPurpose;
832
- const category = value.split(":")[0];
833
- return category;
834
- }
835
- const purposeHeader = req.headers["x-purpose"] || req.headers["X-Purpose"];
836
- if (purposeHeader) {
837
- return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;
838
- }
839
- if (req.query.purpose && typeof req.query.purpose === "string") {
840
- return req.query.purpose;
841
- }
842
- switch (req.method) {
843
- case "GET":
844
- return "read_data";
845
- case "POST":
846
- return "write_data";
847
- case "PUT":
848
- case "PATCH":
849
- return "write_data";
850
- case "DELETE":
851
- return "delete_data";
852
- default:
853
- return "general";
854
- }
917
+ function headerValue(value) {
918
+ if (typeof value === "string") return value;
919
+ if (Array.isArray(value)) return value[0];
920
+ return void 0;
921
+ }
922
+ function resolveRequestPdlss(req, routeConfig, customExtractPurpose, customExtractAction) {
923
+ return resolveHttpPdlss({
924
+ method: req.method,
925
+ astraPurpose: headerValue(req.headers["x-astra-purpose"]),
926
+ astraAction: headerValue(req.headers["x-astra-action"]),
927
+ legacyPurpose: headerValue(req.headers["x-purpose"] ?? req.headers["X-Purpose"]),
928
+ queryPurpose: typeof req.query.purpose === "string" ? req.query.purpose : void 0,
929
+ routePurpose: routeConfig?.purpose,
930
+ routeAction: routeConfig?.action,
931
+ hasCustomPurposeExtractor: !!customExtractPurpose,
932
+ customPurpose: customExtractPurpose?.(req),
933
+ hasCustomActionExtractor: !!customExtractAction,
934
+ customAction: customExtractAction?.(req)
935
+ });
855
936
  }
856
937
  function matchRoute(pattern, path, opts) {
857
938
  const regexPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
@@ -911,6 +992,7 @@ function createMiddleware(options) {
911
992
  const {
912
993
  extractCredentials: customExtractCredentials,
913
994
  extractPurpose: customExtractPurpose,
995
+ extractAction: customExtractAction,
914
996
  skipPaths = [],
915
997
  onDenied = defaultOnDenied,
916
998
  recordDecisions,
@@ -996,7 +1078,21 @@ function createMiddleware(options) {
996
1078
  }
997
1079
  return next();
998
1080
  }
999
- const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
1081
+ const pdlssPair = resolveRequestPdlss(
1082
+ req,
1083
+ routeConfig,
1084
+ customExtractPurpose,
1085
+ customExtractAction
1086
+ );
1087
+ const purpose = pdlssPair.purpose;
1088
+ if (config.debug) {
1089
+ console.debug("[express-middleware] pdlss resolved", {
1090
+ purpose_source: pdlssPair.purposeSource,
1091
+ resolved_purpose: pdlssPair.purpose,
1092
+ action_source: pdlssPair.actionSource,
1093
+ resolved_action: pdlssPair.action
1094
+ });
1095
+ }
1000
1096
  const astraCreds = extractAstraSyncCredentials(req);
1001
1097
  const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
1002
1098
  const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);
@@ -1040,10 +1136,7 @@ function createMiddleware(options) {
1040
1136
  const result = await verify(config, {
1041
1137
  credentials,
1042
1138
  purpose,
1043
- // RFC 7230 § 3.1.1 — HTTP method tokens uppercase by IANA convention.
1044
- // Backend evaluator tolerates either case as defense-in-depth
1045
- // (round-18.6 batch 2); SDK emits canonical form.
1046
- action: req.method.toUpperCase(),
1139
+ action: pdlssPair.action,
1047
1140
  resource: req.path,
1048
1141
  createSession: shouldRecordDecisions,
1049
1142
  counterpartyUrl,
@@ -1241,28 +1334,15 @@ function extractAstraSyncCredentialsFromNextRequest(request) {
1241
1334
  });
1242
1335
  return extractHttpCredentials(headers);
1243
1336
  }
1244
- function extractPurpose(request) {
1245
- const astraPurpose = request.headers.get("x-astra-purpose");
1246
- if (astraPurpose) {
1247
- return astraPurpose.split(":")[0];
1248
- }
1249
- const purposeHeader = request.headers.get("x-purpose");
1250
- if (purposeHeader) {
1251
- return purposeHeader;
1252
- }
1253
- switch (request.method.toUpperCase()) {
1254
- case "GET":
1255
- return "read_data";
1256
- case "POST":
1257
- return "write_data";
1258
- case "PUT":
1259
- case "PATCH":
1260
- return "write_data";
1261
- case "DELETE":
1262
- return "delete_data";
1263
- default:
1264
- return "general";
1265
- }
1337
+ function resolveNextPdlss(request, routeConfig) {
1338
+ return resolveHttpPdlss({
1339
+ method: request.method,
1340
+ astraPurpose: request.headers.get("x-astra-purpose") ?? void 0,
1341
+ astraAction: request.headers.get("x-astra-action") ?? void 0,
1342
+ legacyPurpose: request.headers.get("x-purpose") ?? void 0,
1343
+ routePurpose: routeConfig?.purpose,
1344
+ routeAction: routeConfig?.action
1345
+ });
1266
1346
  }
1267
1347
  function generateCommerceShieldHtml(result, options) {
1268
1348
  const title = escapeHtml(options.commerceShield?.title || "AstraSync Agent Verification");
@@ -1475,7 +1555,16 @@ function createMiddleware2(options) {
1475
1555
  }
1476
1556
  const credentials = extractCredentialsFromNextRequest(request);
1477
1557
  const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
1478
- const purpose = extractPurpose(request);
1558
+ const pdlssPair = resolveNextPdlss(request, routeConfig);
1559
+ const purpose = pdlssPair.purpose;
1560
+ if (config.debug) {
1561
+ console.debug("[nextjs-middleware] pdlss resolved", {
1562
+ purpose_source: pdlssPair.purposeSource,
1563
+ resolved_purpose: pdlssPair.purpose,
1564
+ action_source: pdlssPair.actionSource,
1565
+ resolved_action: pdlssPair.action
1566
+ });
1567
+ }
1479
1568
  const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);
1480
1569
  const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);
1481
1570
  if (preCheckFailures.length > 0) {
@@ -1529,10 +1618,7 @@ function createMiddleware2(options) {
1529
1618
  const result = await verify(config, {
1530
1619
  credentials,
1531
1620
  purpose,
1532
- // RFC 7230 § 3.1.1 — HTTP method tokens uppercase by IANA convention.
1533
- // Backend evaluator tolerates either case as defense-in-depth
1534
- // (round-18.6 batch 2); SDK emits canonical form.
1535
- action: request.method.toUpperCase(),
1621
+ action: pdlssPair.action,
1536
1622
  resource: pathname,
1537
1623
  counterpartyUrl,
1538
1624
  counterpartyType: config.counterpartyType || "website",
@@ -3287,9 +3373,9 @@ function toBuf(bytes) {
3287
3373
  new Uint8Array(out).set(bytes);
3288
3374
  return out;
3289
3375
  }
3290
- function checkTimestamp(headerValue, toleranceSec, nowFn) {
3291
- if (!headerValue) return { ok: false, error: "missing Timestamp header" };
3292
- const ts = parseTimestamp(headerValue);
3376
+ function checkTimestamp(headerValue2, toleranceSec, nowFn) {
3377
+ if (!headerValue2) return { ok: false, error: "missing Timestamp header" };
3378
+ const ts = parseTimestamp(headerValue2);
3293
3379
  if (ts === null) return { ok: false, error: "unparseable Timestamp header" };
3294
3380
  const now = nowFn ? nowFn() : Math.floor(Date.now() / 1e3);
3295
3381
  if (Math.abs(now - ts) > toleranceSec) {
@@ -3524,14 +3610,14 @@ import {
3524
3610
  } from "@x402/core/schemas";
3525
3611
  import { safeBase64Decode } from "@x402/core/utils";
3526
3612
  function extractX402FromRequest(request) {
3527
- const headerValue = readHeader4(request.headers, "x-payment");
3613
+ const headerValue2 = readHeader4(request.headers, "x-payment");
3528
3614
  if (request.body && typeof request.body === "object") {
3529
3615
  const parsed = tryParsePayload(request.body);
3530
3616
  if (parsed) return buildPayloadContext(parsed, "body");
3531
3617
  }
3532
- if (headerValue) {
3618
+ if (headerValue2) {
3533
3619
  try {
3534
- const decoded = safeBase64Decode(headerValue);
3620
+ const decoded = safeBase64Decode(headerValue2);
3535
3621
  if (decoded) {
3536
3622
  const json = JSON.parse(decoded);
3537
3623
  const parsed = tryParsePayload(json);
@@ -3554,10 +3640,10 @@ function extractX402FromResponse(response) {
3554
3640
  const parsed = tryParseRequired(response.body);
3555
3641
  if (parsed) return buildRequiredContext(parsed, "body");
3556
3642
  }
3557
- const headerValue = readHeader4(response.headers, "x-payment-required");
3558
- if (headerValue) {
3643
+ const headerValue2 = readHeader4(response.headers, "x-payment-required");
3644
+ if (headerValue2) {
3559
3645
  try {
3560
- const decoded = safeBase64Decode(headerValue);
3646
+ const decoded = safeBase64Decode(headerValue2);
3561
3647
  if (decoded) {
3562
3648
  const json = JSON.parse(decoded);
3563
3649
  const parsed = tryParseRequired(json);
@@ -4393,7 +4479,10 @@ function mcpToPdlss(parsed, requestPath, headerPurpose, headerAction, toolGate)
4393
4479
  }
4394
4480
  let action;
4395
4481
  let actionSource;
4396
- if (headerAction) {
4482
+ if (toolGate?.action !== void 0) {
4483
+ action = toolGate.action;
4484
+ actionSource = "tool_gate";
4485
+ } else if (headerAction) {
4397
4486
  action = headerAction;
4398
4487
  actionSource = "header";
4399
4488
  } else if (parsed.actionFromBody && parsed.actionSourceFromBody) {
@@ -4567,7 +4656,7 @@ function createMcpMiddleware(options) {
4567
4656
  req.path,
4568
4657
  headerPurpose,
4569
4658
  headerAction,
4570
- gate ? { purpose: gate.purpose, resource: gate.resource } : void 0
4659
+ gate ? { purpose: gate.purpose, action: gate.action, resource: gate.resource } : void 0
4571
4660
  );
4572
4661
  if (config.debug) {
4573
4662
  console.debug("[mcp-middleware] pdlss resolved", {
@@ -5068,7 +5157,10 @@ function buildGuidance(params) {
5068
5157
  message,
5069
5158
  guidance: {
5070
5159
  message: "Register either with an agent-scoped API key (the recommended credentialed path) OR, if you hold no credentials, via the owner's email using request_registration. Never send a password or private key over the wire.",
5071
- registrationUrl: `${origin}/agents/register`,
5160
+ // 3.0.0: registrationUrl is the agent-actionable KEYLESS endpoint, not the
5161
+ // human dashboard `/agents/register` (an auth-walled page an agent can't
5162
+ // use). documentationUrl carries the machine-readable contract.
5163
+ registrationUrl: `${origin}/api/agents/request-registration`,
5072
5164
  documentationUrl: `${origin}${docsPath.startsWith("/") ? docsPath : `/${docsPath}`}`,
5073
5165
  steps: [
5074
5166
  "Credentialed path (recommended): have your human mint an agent-scoped API key at Settings \u2192 API Keys, then re-call register_agent with apiKey set. An agent holding its own scoped kya_ key is fine and intended.",