@astrasyncai/verification-gateway 3.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +123 -33
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +123 -33
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +20 -7
  10. package/dist/adapters/mcp.d.ts +20 -7
  11. package/dist/adapters/mcp.js +6 -3
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +6 -3
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +107 -28
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +107 -28
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +1 -1
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +1 -1
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/agent/index.js +3 -0
  30. package/dist/agent/index.js.map +1 -1
  31. package/dist/agent/index.mjs +3 -0
  32. package/dist/agent/index.mjs.map +1 -1
  33. package/dist/browser/background.js +1 -1
  34. package/dist/browser/background.js.map +1 -1
  35. package/dist/browser/background.mjs +1 -1
  36. package/dist/browser/background.mjs.map +1 -1
  37. package/dist/browser/browser-adapter.d.mts +2 -2
  38. package/dist/browser/browser-adapter.d.ts +2 -2
  39. package/dist/cli/index.d.mts +2 -2
  40. package/dist/cli/index.d.ts +2 -2
  41. package/dist/cursor/cursor-adapter.d.mts +2 -2
  42. package/dist/cursor/cursor-adapter.d.ts +2 -2
  43. package/dist/cursor/extension.d.mts +2 -2
  44. package/dist/cursor/extension.d.ts +2 -2
  45. package/dist/cursor/extension.js +1 -1
  46. package/dist/cursor/extension.js.map +1 -1
  47. package/dist/cursor/extension.mjs +1 -1
  48. package/dist/cursor/extension.mjs.map +1 -1
  49. package/dist/{express-ienhAXps.d.mts → express-DFVBlXr_.d.mts} +1 -1
  50. package/dist/{express-CrfwoNAR.d.ts → express-DavQ76oF.d.ts} +1 -1
  51. package/dist/gateway/gateway.d.mts +2 -2
  52. package/dist/gateway/gateway.d.ts +2 -2
  53. package/dist/gateway/gateway.js +1 -1
  54. package/dist/gateway/gateway.js.map +1 -1
  55. package/dist/gateway/gateway.mjs +1 -1
  56. package/dist/gateway/gateway.mjs.map +1 -1
  57. package/dist/git-trigger/git-hooks.d.mts +2 -2
  58. package/dist/git-trigger/git-hooks.d.ts +2 -2
  59. package/dist/{index-B5e2IDWU.d.mts → index-BVxantdv.d.mts} +1 -1
  60. package/dist/{index-DC5f8eoQ.d.ts → index-BhEgEiJL.d.ts} +1 -1
  61. package/dist/{index-CEg_WG6y.d.mts → index-BhL2R65s.d.mts} +1 -1
  62. package/dist/{index-CCdZxvAr.d.ts → index-Dk2nIA4w.d.ts} +1 -1
  63. package/dist/index.d.mts +7 -7
  64. package/dist/index.d.ts +7 -7
  65. package/dist/index.js +160 -71
  66. package/dist/index.js.map +1 -1
  67. package/dist/index.mjs +160 -71
  68. package/dist/index.mjs.map +1 -1
  69. package/dist/local-evaluator/evaluator.d.mts +2 -2
  70. package/dist/local-evaluator/evaluator.d.ts +2 -2
  71. package/dist/{nextjs-66R1KW8e.d.ts → nextjs-BXLH1hJj.d.ts} +1 -1
  72. package/dist/{nextjs-DSpisQst.d.mts → nextjs-D-maqrNz.d.mts} +1 -1
  73. package/dist/{sdk-5U_CBRpr.d.mts → sdk-767LaEP8.d.mts} +1 -1
  74. package/dist/{sdk-Bm8np66n.d.ts → sdk-K8IgssHI.d.ts} +1 -1
  75. package/dist/transport/index.d.mts +2 -2
  76. package/dist/transport/index.d.ts +2 -2
  77. package/dist/transport/index.js +10 -0
  78. package/dist/transport/index.js.map +1 -1
  79. package/dist/transport/index.mjs +10 -0
  80. package/dist/transport/index.mjs.map +1 -1
  81. package/dist/{types-B3USs-Kx.d.mts → types-Cuh7ELfr.d.mts} +25 -0
  82. package/dist/{types-B3USs-Kx.d.ts → types-Cuh7ELfr.d.ts} +25 -0
  83. package/dist/{types-CgDCUfo8.d.mts → types-CyFwZ_Yu.d.mts} +1 -1
  84. package/dist/{types-R5N4ET6x.d.ts → types-WIRp_BP_.d.ts} +1 -1
  85. package/dist/ui/index.d.mts +1 -1
  86. package/dist/ui/index.d.ts +1 -1
  87. package/package.json +1 -1
@@ -1,6 +1,6 @@
1
1
  import { AstraSyncGateway } from '../gateway/gateway.mjs';
2
- import { V as VerificationDecision, P as PDLSSContext } from '../types-CgDCUfo8.mjs';
3
- import '../types-B3USs-Kx.mjs';
2
+ import { V as VerificationDecision, P as PDLSSContext } from '../types-CyFwZ_Yu.mjs';
3
+ import '../types-Cuh7ELfr.mjs';
4
4
 
5
5
  /**
6
6
  * Git Trigger — Enterprise git push / PR verification
@@ -1,6 +1,6 @@
1
1
  import { AstraSyncGateway } from '../gateway/gateway.js';
2
- import { V as VerificationDecision, P as PDLSSContext } from '../types-R5N4ET6x.js';
3
- import '../types-B3USs-Kx.js';
2
+ import { V as VerificationDecision, P as PDLSSContext } from '../types-WIRp_BP_.js';
3
+ import '../types-Cuh7ELfr.js';
4
4
 
5
5
  /**
6
6
  * Git Trigger — Enterprise git push / PR verification
@@ -1,4 +1,4 @@
1
- import { b as AstraSyncCredentials, f as ProtocolTransport, G as GatewayConfig } from './types-B3USs-Kx.mjs';
1
+ import { b as AstraSyncCredentials, f as ProtocolTransport, G as GatewayConfig } from './types-Cuh7ELfr.mjs';
2
2
 
3
3
  /**
4
4
  * AgentClient — Credential Presentation
@@ -1,4 +1,4 @@
1
- import { b as AstraSyncCredentials, f as ProtocolTransport, G as GatewayConfig } from './types-B3USs-Kx.js';
1
+ import { b as AstraSyncCredentials, f as ProtocolTransport, G as GatewayConfig } from './types-Cuh7ELfr.js';
2
2
 
3
3
  /**
4
4
  * AgentClient — Credential Presentation
@@ -1,4 +1,4 @@
1
- import { b as AstraSyncCredentials, f as ProtocolTransport } from './types-B3USs-Kx.mjs';
1
+ import { b as AstraSyncCredentials, f as ProtocolTransport } from './types-Cuh7ELfr.mjs';
2
2
  import { JWK } from 'jose';
3
3
 
4
4
  /**
@@ -1,4 +1,4 @@
1
- import { b as AstraSyncCredentials, f as ProtocolTransport } from './types-B3USs-Kx.js';
1
+ import { b as AstraSyncCredentials, f as ProtocolTransport } from './types-Cuh7ELfr.js';
2
2
  import { JWK } from 'jose';
3
3
 
4
4
  /**
package/dist/index.d.mts CHANGED
@@ -1,12 +1,12 @@
1
- import { a as AgentCredentials, G as GatewayConfig, A as AccessLevel, V as VerificationRequest, i as VerificationResult } from './types-B3USs-Kx.mjs';
2
- export { b as AstraSyncCredentials, C as CommerceShieldProps, c as CounterpartyType, E as EnhancedVerificationResult, d as ExpressMiddlewareOptions, e as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, f as ProtocolTransport, R as RouteAccessConfig, g as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, h as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-B3USs-Kx.mjs';
3
- export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-5U_CBRpr.mjs';
4
- export { e as express } from './express-ienhAXps.mjs';
5
- export { n as nextjs } from './nextjs-DSpisQst.mjs';
6
- export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-CEg_WG6y.mjs';
1
+ import { a as AgentCredentials, G as GatewayConfig, A as AccessLevel, V as VerificationRequest, i as VerificationResult } from './types-Cuh7ELfr.mjs';
2
+ export { b as AstraSyncCredentials, C as CommerceShieldProps, c as CounterpartyType, E as EnhancedVerificationResult, d as ExpressMiddlewareOptions, e as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, f as ProtocolTransport, R as RouteAccessConfig, g as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, h as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-Cuh7ELfr.mjs';
3
+ export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-767LaEP8.mjs';
4
+ export { e as express } from './express-DFVBlXr_.mjs';
5
+ export { n as nextjs } from './nextjs-D-maqrNz.mjs';
6
+ export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-BhL2R65s.mjs';
7
7
  export { McpMiddlewareOptions, ToolGateConfig, createMcpMiddleware } from './adapters/mcp.mjs';
8
8
  export { AgentProtocol, AgentRecord, AstraSync, AstraSyncConfig, AstraSyncError, AuthenticationError, BuildGuidanceParams, FrameworkConfig, GuidanceEnvelope, HealthResponse, KYDRequiredError, ModelConfig, PDLSSConfig, PDLSSDuration, PDLSSLimits, PDLSSPurpose, PDLSSScope, PDLSSSelfInstantiation, PendingRegistrationResponse, PollRegistrationResult, RegisterOptions, RegisterResult, RegistrationDeniedError, RegistrationExpiredError, RegistrationResponse, RegistrationTimeoutError, VerifyResponse, WaitForApprovalOptions, buildGuidance } from './registration/index.mjs';
9
- export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-B5e2IDWU.mjs';
9
+ export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BVxantdv.mjs';
10
10
  import 'express';
11
11
  import 'next/server';
12
12
  import 'jose';
package/dist/index.d.ts CHANGED
@@ -1,12 +1,12 @@
1
- import { a as AgentCredentials, G as GatewayConfig, A as AccessLevel, V as VerificationRequest, i as VerificationResult } from './types-B3USs-Kx.js';
2
- export { b as AstraSyncCredentials, C as CommerceShieldProps, c as CounterpartyType, E as EnhancedVerificationResult, d as ExpressMiddlewareOptions, e as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, f as ProtocolTransport, R as RouteAccessConfig, g as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, h as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-B3USs-Kx.js';
3
- export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-Bm8np66n.js';
4
- export { e as express } from './express-CrfwoNAR.js';
5
- export { n as nextjs } from './nextjs-66R1KW8e.js';
6
- export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-CCdZxvAr.js';
1
+ import { a as AgentCredentials, G as GatewayConfig, A as AccessLevel, V as VerificationRequest, i as VerificationResult } from './types-Cuh7ELfr.js';
2
+ export { b as AstraSyncCredentials, C as CommerceShieldProps, c as CounterpartyType, E as EnhancedVerificationResult, d as ExpressMiddlewareOptions, e as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, f as ProtocolTransport, R as RouteAccessConfig, g as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, h as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-Cuh7ELfr.js';
3
+ export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-K8IgssHI.js';
4
+ export { e as express } from './express-DavQ76oF.js';
5
+ export { n as nextjs } from './nextjs-BXLH1hJj.js';
6
+ export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-Dk2nIA4w.js';
7
7
  export { McpMiddlewareOptions, ToolGateConfig, createMcpMiddleware } from './adapters/mcp.js';
8
8
  export { AgentProtocol, AgentRecord, AstraSync, AstraSyncConfig, AstraSyncError, AuthenticationError, BuildGuidanceParams, FrameworkConfig, GuidanceEnvelope, HealthResponse, KYDRequiredError, ModelConfig, PDLSSConfig, PDLSSDuration, PDLSSLimits, PDLSSPurpose, PDLSSScope, PDLSSSelfInstantiation, PendingRegistrationResponse, PollRegistrationResult, RegisterOptions, RegisterResult, RegistrationDeniedError, RegistrationExpiredError, RegistrationResponse, RegistrationTimeoutError, VerifyResponse, WaitForApprovalOptions, buildGuidance } from './registration/index.js';
9
- export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DC5f8eoQ.js';
9
+ export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BhEgEiJL.js';
10
10
  import 'express';
11
11
  import 'next/server';
12
12
  import 'jose';
package/dist/index.js CHANGED
@@ -192,7 +192,7 @@ function getCapabilities(accessLevel) {
192
192
  }
193
193
 
194
194
  // src/version.ts
195
- var SDK_VERSION = "3.0.0";
195
+ var SDK_VERSION = "3.1.0";
196
196
 
197
197
  // src/well-known.ts
198
198
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -787,6 +787,9 @@ function setHttpHeaders(headers, credentials) {
787
787
  if (credentials.pdlss?.purpose) {
788
788
  const purposeValue = credentials.pdlss.purpose.action ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}` : credentials.pdlss.purpose.category;
789
789
  result[`${HEADER_PREFIX}Purpose`] = purposeValue;
790
+ if (credentials.pdlss.purpose.action) {
791
+ result[`${HEADER_PREFIX}Action`] = credentials.pdlss.purpose.action;
792
+ }
790
793
  }
791
794
  if (credentials.pdlss?.duration?.maxSessionDuration) {
792
795
  result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);
@@ -816,6 +819,13 @@ function extractHttpCredentials(headers) {
816
819
  purpose: { category, action }
817
820
  };
818
821
  }
822
+ const astraAction = getValue(`${HEADER_PREFIX}Action`) ?? getValue("x-astra-action");
823
+ if (astraAction) {
824
+ credentials.pdlss = {
825
+ ...credentials.pdlss,
826
+ purpose: { category: credentials.pdlss?.purpose?.category ?? "", action: astraAction }
827
+ };
828
+ }
819
829
  const duration = getValue(`${HEADER_PREFIX}Duration`) ?? getValue("x-astra-duration");
820
830
  if (duration) {
821
831
  credentials.pdlss = {
@@ -833,6 +843,85 @@ function extractHttpCredentials(headers) {
833
843
  return credentials;
834
844
  }
835
845
 
846
+ // src/adapters/http-pdlss.ts
847
+ var HTTP_METHOD_ACTION_TABLE = {
848
+ GET: "data.read",
849
+ HEAD: "data.read",
850
+ OPTIONS: "data.read",
851
+ POST: "data.write",
852
+ PUT: "data.write",
853
+ PATCH: "data.write",
854
+ DELETE: "data.delete"
855
+ };
856
+ var DEFAULT_HTTP_ACTION = "data.write";
857
+ var DEFAULT_HTTP_PURPOSE = "data";
858
+ function actionForHttpMethod(method) {
859
+ return HTTP_METHOD_ACTION_TABLE[method.toUpperCase()] ?? DEFAULT_HTTP_ACTION;
860
+ }
861
+ function normalizePurposeHeader(value) {
862
+ const colon = value.indexOf(":");
863
+ if (colon >= 0) {
864
+ return { purpose: value.slice(0, colon) };
865
+ }
866
+ const dot = value.indexOf(".");
867
+ if (dot > 0 && dot < value.length - 1) {
868
+ return { purpose: value.slice(0, dot), actionCandidate: value };
869
+ }
870
+ return { purpose: value };
871
+ }
872
+ function resolveHttpPdlss(input) {
873
+ const fromHeader = input.astraPurpose ? normalizePurposeHeader(input.astraPurpose) : void 0;
874
+ let action;
875
+ let actionSource;
876
+ if (input.routeAction) {
877
+ action = input.routeAction;
878
+ actionSource = "route_config";
879
+ } else if (input.hasCustomActionExtractor && input.customAction) {
880
+ action = input.customAction;
881
+ actionSource = "custom_extractor";
882
+ } else if (!input.hasCustomActionExtractor && input.astraAction) {
883
+ action = input.astraAction;
884
+ actionSource = "header";
885
+ } else if (!input.hasCustomActionExtractor && fromHeader?.actionCandidate) {
886
+ action = fromHeader.actionCandidate;
887
+ actionSource = "purpose_header_derived";
888
+ } else {
889
+ action = actionForHttpMethod(input.method);
890
+ actionSource = "method_table";
891
+ }
892
+ let purpose;
893
+ let purposeSource;
894
+ if (input.routePurpose) {
895
+ purpose = input.routePurpose;
896
+ purposeSource = "route_config";
897
+ } else if (input.hasCustomPurposeExtractor) {
898
+ if (input.customPurpose) {
899
+ purpose = input.customPurpose;
900
+ purposeSource = "custom_extractor";
901
+ }
902
+ } else if (fromHeader) {
903
+ purpose = fromHeader.purpose;
904
+ purposeSource = "header";
905
+ } else if (input.legacyPurpose) {
906
+ purpose = input.legacyPurpose;
907
+ purposeSource = "legacy_header";
908
+ } else if (input.queryPurpose) {
909
+ purpose = input.queryPurpose;
910
+ purposeSource = "query";
911
+ }
912
+ if (!purpose) {
913
+ const dot = action.indexOf(".");
914
+ if (dot > 0) {
915
+ purpose = action.slice(0, dot);
916
+ purposeSource = "action_derived";
917
+ } else {
918
+ purpose = DEFAULT_HTTP_PURPOSE;
919
+ purposeSource = "transport_default";
920
+ }
921
+ }
922
+ return { purpose, action, purposeSource, actionSource };
923
+ }
924
+
836
925
  // src/pdlss-pre-check.ts
837
926
  function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
838
927
  const failures = [];
@@ -891,33 +980,25 @@ function defaultExtractCredentials(req) {
891
980
  function extractAstraSyncCredentials(req) {
892
981
  return extractHttpCredentials(req.headers);
893
982
  }
894
- function defaultExtractPurpose(req) {
895
- const astraPurpose = req.headers["x-astra-purpose"];
896
- if (astraPurpose) {
897
- const value = Array.isArray(astraPurpose) ? astraPurpose[0] : astraPurpose;
898
- const category = value.split(":")[0];
899
- return category;
900
- }
901
- const purposeHeader = req.headers["x-purpose"] || req.headers["X-Purpose"];
902
- if (purposeHeader) {
903
- return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;
904
- }
905
- if (req.query.purpose && typeof req.query.purpose === "string") {
906
- return req.query.purpose;
907
- }
908
- switch (req.method) {
909
- case "GET":
910
- return "read_data";
911
- case "POST":
912
- return "write_data";
913
- case "PUT":
914
- case "PATCH":
915
- return "write_data";
916
- case "DELETE":
917
- return "delete_data";
918
- default:
919
- return "general";
920
- }
983
+ function headerValue(value) {
984
+ if (typeof value === "string") return value;
985
+ if (Array.isArray(value)) return value[0];
986
+ return void 0;
987
+ }
988
+ function resolveRequestPdlss(req, routeConfig, customExtractPurpose, customExtractAction) {
989
+ return resolveHttpPdlss({
990
+ method: req.method,
991
+ astraPurpose: headerValue(req.headers["x-astra-purpose"]),
992
+ astraAction: headerValue(req.headers["x-astra-action"]),
993
+ legacyPurpose: headerValue(req.headers["x-purpose"] ?? req.headers["X-Purpose"]),
994
+ queryPurpose: typeof req.query.purpose === "string" ? req.query.purpose : void 0,
995
+ routePurpose: routeConfig?.purpose,
996
+ routeAction: routeConfig?.action,
997
+ hasCustomPurposeExtractor: !!customExtractPurpose,
998
+ customPurpose: customExtractPurpose?.(req),
999
+ hasCustomActionExtractor: !!customExtractAction,
1000
+ customAction: customExtractAction?.(req)
1001
+ });
921
1002
  }
922
1003
  function matchRoute(pattern, path, opts) {
923
1004
  const regexPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
@@ -977,6 +1058,7 @@ function createMiddleware(options) {
977
1058
  const {
978
1059
  extractCredentials: customExtractCredentials,
979
1060
  extractPurpose: customExtractPurpose,
1061
+ extractAction: customExtractAction,
980
1062
  skipPaths = [],
981
1063
  onDenied = defaultOnDenied,
982
1064
  recordDecisions,
@@ -1062,7 +1144,21 @@ function createMiddleware(options) {
1062
1144
  }
1063
1145
  return next();
1064
1146
  }
1065
- const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);
1147
+ const pdlssPair = resolveRequestPdlss(
1148
+ req,
1149
+ routeConfig,
1150
+ customExtractPurpose,
1151
+ customExtractAction
1152
+ );
1153
+ const purpose = pdlssPair.purpose;
1154
+ if (config.debug) {
1155
+ console.debug("[express-middleware] pdlss resolved", {
1156
+ purpose_source: pdlssPair.purposeSource,
1157
+ resolved_purpose: pdlssPair.purpose,
1158
+ action_source: pdlssPair.actionSource,
1159
+ resolved_action: pdlssPair.action
1160
+ });
1161
+ }
1066
1162
  const astraCreds = extractAstraSyncCredentials(req);
1067
1163
  const counterpartyUrl = config.counterpartyUrl || `${req.protocol}://${req.get("host")}`;
1068
1164
  const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);
@@ -1106,10 +1202,7 @@ function createMiddleware(options) {
1106
1202
  const result = await verify(config, {
1107
1203
  credentials,
1108
1204
  purpose,
1109
- // RFC 7230 § 3.1.1 — HTTP method tokens uppercase by IANA convention.
1110
- // Backend evaluator tolerates either case as defense-in-depth
1111
- // (round-18.6 batch 2); SDK emits canonical form.
1112
- action: req.method.toUpperCase(),
1205
+ action: pdlssPair.action,
1113
1206
  resource: req.path,
1114
1207
  createSession: shouldRecordDecisions,
1115
1208
  counterpartyUrl,
@@ -1307,28 +1400,15 @@ function extractAstraSyncCredentialsFromNextRequest(request) {
1307
1400
  });
1308
1401
  return extractHttpCredentials(headers);
1309
1402
  }
1310
- function extractPurpose(request) {
1311
- const astraPurpose = request.headers.get("x-astra-purpose");
1312
- if (astraPurpose) {
1313
- return astraPurpose.split(":")[0];
1314
- }
1315
- const purposeHeader = request.headers.get("x-purpose");
1316
- if (purposeHeader) {
1317
- return purposeHeader;
1318
- }
1319
- switch (request.method.toUpperCase()) {
1320
- case "GET":
1321
- return "read_data";
1322
- case "POST":
1323
- return "write_data";
1324
- case "PUT":
1325
- case "PATCH":
1326
- return "write_data";
1327
- case "DELETE":
1328
- return "delete_data";
1329
- default:
1330
- return "general";
1331
- }
1403
+ function resolveNextPdlss(request, routeConfig) {
1404
+ return resolveHttpPdlss({
1405
+ method: request.method,
1406
+ astraPurpose: request.headers.get("x-astra-purpose") ?? void 0,
1407
+ astraAction: request.headers.get("x-astra-action") ?? void 0,
1408
+ legacyPurpose: request.headers.get("x-purpose") ?? void 0,
1409
+ routePurpose: routeConfig?.purpose,
1410
+ routeAction: routeConfig?.action
1411
+ });
1332
1412
  }
1333
1413
  function generateCommerceShieldHtml(result, options) {
1334
1414
  const title = escapeHtml(options.commerceShield?.title || "AstraSync Agent Verification");
@@ -1541,7 +1621,16 @@ function createMiddleware2(options) {
1541
1621
  }
1542
1622
  const credentials = extractCredentialsFromNextRequest(request);
1543
1623
  const counterpartyUrl = config.counterpartyUrl || request.nextUrl.origin;
1544
- const purpose = extractPurpose(request);
1624
+ const pdlssPair = resolveNextPdlss(request, routeConfig);
1625
+ const purpose = pdlssPair.purpose;
1626
+ if (config.debug) {
1627
+ console.debug("[nextjs-middleware] pdlss resolved", {
1628
+ purpose_source: pdlssPair.purposeSource,
1629
+ resolved_purpose: pdlssPair.purpose,
1630
+ action_source: pdlssPair.actionSource,
1631
+ resolved_action: pdlssPair.action
1632
+ });
1633
+ }
1545
1634
  const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);
1546
1635
  const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);
1547
1636
  if (preCheckFailures.length > 0) {
@@ -1595,10 +1684,7 @@ function createMiddleware2(options) {
1595
1684
  const result = await verify(config, {
1596
1685
  credentials,
1597
1686
  purpose,
1598
- // RFC 7230 § 3.1.1 — HTTP method tokens uppercase by IANA convention.
1599
- // Backend evaluator tolerates either case as defense-in-depth
1600
- // (round-18.6 batch 2); SDK emits canonical form.
1601
- action: request.method.toUpperCase(),
1687
+ action: pdlssPair.action,
1602
1688
  resource: pathname,
1603
1689
  counterpartyUrl,
1604
1690
  counterpartyType: config.counterpartyType || "website",
@@ -3353,9 +3439,9 @@ function toBuf(bytes) {
3353
3439
  new Uint8Array(out).set(bytes);
3354
3440
  return out;
3355
3441
  }
3356
- function checkTimestamp(headerValue, toleranceSec, nowFn) {
3357
- if (!headerValue) return { ok: false, error: "missing Timestamp header" };
3358
- const ts = parseTimestamp(headerValue);
3442
+ function checkTimestamp(headerValue2, toleranceSec, nowFn) {
3443
+ if (!headerValue2) return { ok: false, error: "missing Timestamp header" };
3444
+ const ts = parseTimestamp(headerValue2);
3359
3445
  if (ts === null) return { ok: false, error: "unparseable Timestamp header" };
3360
3446
  const now = nowFn ? nowFn() : Math.floor(Date.now() / 1e3);
3361
3447
  if (Math.abs(now - ts) > toleranceSec) {
@@ -3587,14 +3673,14 @@ function verifyMPP(input) {
3587
3673
  var import_schemas = require("@x402/core/schemas");
3588
3674
  var import_utils = require("@x402/core/utils");
3589
3675
  function extractX402FromRequest(request) {
3590
- const headerValue = readHeader4(request.headers, "x-payment");
3676
+ const headerValue2 = readHeader4(request.headers, "x-payment");
3591
3677
  if (request.body && typeof request.body === "object") {
3592
3678
  const parsed = tryParsePayload(request.body);
3593
3679
  if (parsed) return buildPayloadContext(parsed, "body");
3594
3680
  }
3595
- if (headerValue) {
3681
+ if (headerValue2) {
3596
3682
  try {
3597
- const decoded = (0, import_utils.safeBase64Decode)(headerValue);
3683
+ const decoded = (0, import_utils.safeBase64Decode)(headerValue2);
3598
3684
  if (decoded) {
3599
3685
  const json = JSON.parse(decoded);
3600
3686
  const parsed = tryParsePayload(json);
@@ -3617,10 +3703,10 @@ function extractX402FromResponse(response) {
3617
3703
  const parsed = tryParseRequired(response.body);
3618
3704
  if (parsed) return buildRequiredContext(parsed, "body");
3619
3705
  }
3620
- const headerValue = readHeader4(response.headers, "x-payment-required");
3621
- if (headerValue) {
3706
+ const headerValue2 = readHeader4(response.headers, "x-payment-required");
3707
+ if (headerValue2) {
3622
3708
  try {
3623
- const decoded = (0, import_utils.safeBase64Decode)(headerValue);
3709
+ const decoded = (0, import_utils.safeBase64Decode)(headerValue2);
3624
3710
  if (decoded) {
3625
3711
  const json = JSON.parse(decoded);
3626
3712
  const parsed = tryParseRequired(json);
@@ -4456,7 +4542,10 @@ function mcpToPdlss(parsed, requestPath, headerPurpose, headerAction, toolGate)
4456
4542
  }
4457
4543
  let action;
4458
4544
  let actionSource;
4459
- if (headerAction) {
4545
+ if (toolGate?.action !== void 0) {
4546
+ action = toolGate.action;
4547
+ actionSource = "tool_gate";
4548
+ } else if (headerAction) {
4460
4549
  action = headerAction;
4461
4550
  actionSource = "header";
4462
4551
  } else if (parsed.actionFromBody && parsed.actionSourceFromBody) {
@@ -4630,7 +4719,7 @@ function createMcpMiddleware(options) {
4630
4719
  req.path,
4631
4720
  headerPurpose,
4632
4721
  headerAction,
4633
- gate ? { purpose: gate.purpose, resource: gate.resource } : void 0
4722
+ gate ? { purpose: gate.purpose, action: gate.action, resource: gate.resource } : void 0
4634
4723
  );
4635
4724
  if (config.debug) {
4636
4725
  console.debug("[mcp-middleware] pdlss resolved", {