@astrasyncai/verification-gateway 3.0.0 → 3.2.0
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +145 -93
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +145 -93
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +29 -11
- package/dist/adapters/mcp.d.ts +29 -11
- package/dist/adapters/mcp.js +43 -102
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +43 -102
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +126 -56
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +126 -56
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/agent/index.js +3 -0
- package/dist/agent/index.js.map +1 -1
- package/dist/agent/index.mjs +3 -0
- package/dist/agent/index.mjs.map +1 -1
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-CrfwoNAR.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-ienhAXps.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-CEg_WG6y.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-DC5f8eoQ.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-B5e2IDWU.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-CCdZxvAr.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +209 -191
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +209 -191
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-DSpisQst.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-66R1KW8e.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-5U_CBRpr.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-Bm8np66n.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/transport/index.js +10 -0
- package/dist/transport/index.js.map +1 -1
- package/dist/transport/index.mjs +10 -0
- package/dist/transport/index.mjs.map +1 -1
- package/dist/{types-CgDCUfo8.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-R5N4ET6x.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-B3USs-Kx.d.mts → types-rFh4VMH4.d.mts} +30 -2
- package/dist/{types-B3USs-Kx.d.ts → types-rFh4VMH4.d.ts} +30 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
|
@@ -3289,14 +3289,6 @@ function verifyLocal(evaluator, context) {
|
|
|
3289
3289
|
}
|
|
3290
3290
|
|
|
3291
3291
|
// src/access-levels.ts
|
|
3292
|
-
var ACCESS_LEVEL_HIERARCHY = {
|
|
3293
|
-
none: 0,
|
|
3294
|
-
restricted: 1,
|
|
3295
|
-
"read-only": 2,
|
|
3296
|
-
standard: 3,
|
|
3297
|
-
full: 4,
|
|
3298
|
-
internal: 5
|
|
3299
|
-
};
|
|
3300
3292
|
function getTrustLevel(score) {
|
|
3301
3293
|
if (score >= 80) return "PLATINUM";
|
|
3302
3294
|
if (score >= 60) return "GOLD";
|
|
@@ -3305,7 +3297,7 @@ function getTrustLevel(score) {
|
|
|
3305
3297
|
}
|
|
3306
3298
|
|
|
3307
3299
|
// src/version.ts
|
|
3308
|
-
var SDK_VERSION = "3.
|
|
3300
|
+
var SDK_VERSION = "3.2.0";
|
|
3309
3301
|
|
|
3310
3302
|
// src/well-known.ts
|
|
3311
3303
|
var CACHE_TTL_MS = 60 * 60 * 1e3;
|
|
@@ -3358,7 +3350,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
|
|
|
3358
3350
|
}
|
|
3359
3351
|
}
|
|
3360
3352
|
var verificationCache = /* @__PURE__ */ new Map();
|
|
3361
|
-
function getCacheKey(request) {
|
|
3353
|
+
function getCacheKey(request, counterpartyId) {
|
|
3362
3354
|
const c = request.credentials;
|
|
3363
3355
|
return [
|
|
3364
3356
|
c.astraId || "",
|
|
@@ -3371,6 +3363,14 @@ function getCacheKey(request) {
|
|
|
3371
3363
|
request.jurisdiction || "",
|
|
3372
3364
|
request.transactionValue ?? "",
|
|
3373
3365
|
request.currency || "",
|
|
3366
|
+
// SECURITY (cross-merchant cache leak): the merchant identity is sent via
|
|
3367
|
+
// `config.counterpartyId`, NOT on the request, so it was previously absent
|
|
3368
|
+
// from the key — two verifies for the SAME agent/purpose/action/value but
|
|
3369
|
+
// DIFFERENT merchants collided, and a grant at a permissive merchant (low
|
|
3370
|
+
// trust floor) was served for a stricter one. Same bug class as the
|
|
3371
|
+
// duration omission (F-A1-07). counterpartyId affects the backend verdict
|
|
3372
|
+
// (trust floor / per-route policy), so it MUST key the cache.
|
|
3373
|
+
counterpartyId || "",
|
|
3374
3374
|
request.counterpartyUrl || "",
|
|
3375
3375
|
request.counterpartyType || "",
|
|
3376
3376
|
request.isSubAgentRequest ? "1" : "0",
|
|
@@ -3394,8 +3394,8 @@ function getCacheKey(request) {
|
|
|
3394
3394
|
request.callerMetadata?.agentCardUrl || ""
|
|
3395
3395
|
].join("|");
|
|
3396
3396
|
}
|
|
3397
|
-
function getCachedResult(request) {
|
|
3398
|
-
const key = getCacheKey(request);
|
|
3397
|
+
function getCachedResult(request, counterpartyId) {
|
|
3398
|
+
const key = getCacheKey(request, counterpartyId);
|
|
3399
3399
|
const cached = verificationCache.get(key);
|
|
3400
3400
|
if (cached && cached.expiresAt > Date.now()) {
|
|
3401
3401
|
return cached.result;
|
|
@@ -3407,9 +3407,9 @@ function getCachedResult(request) {
|
|
|
3407
3407
|
}
|
|
3408
3408
|
var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
|
|
3409
3409
|
var DEFAULT_STEP_UP_TTL_SECONDS = 300;
|
|
3410
|
-
function cacheResult(request, result, configuredTtl) {
|
|
3410
|
+
function cacheResult(request, result, configuredTtl, counterpartyId) {
|
|
3411
3411
|
const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
|
|
3412
|
-
const key = getCacheKey(request);
|
|
3412
|
+
const key = getCacheKey(request, counterpartyId);
|
|
3413
3413
|
verificationCache.set(key, {
|
|
3414
3414
|
result,
|
|
3415
3415
|
expiresAt: Date.now() + ttlSeconds * 1e3
|
|
@@ -3567,7 +3567,7 @@ async function verify(config, request) {
|
|
|
3567
3567
|
);
|
|
3568
3568
|
}
|
|
3569
3569
|
if (mergedConfig.cacheTtl !== 0) {
|
|
3570
|
-
const cached = getCachedResult(request);
|
|
3570
|
+
const cached = getCachedResult(request, mergedConfig.counterpartyId);
|
|
3571
3571
|
if (cached) {
|
|
3572
3572
|
if (mergedConfig.debug) {
|
|
3573
3573
|
console.log("[VerificationGateway] Returning cached result");
|
|
@@ -3619,8 +3619,8 @@ async function verify(config, request) {
|
|
|
3619
3619
|
verifiedAt: /* @__PURE__ */ new Date(),
|
|
3620
3620
|
// Extract sessionId so decisions can be recorded for denials too
|
|
3621
3621
|
sessionId: apiResponse.sessionId,
|
|
3622
|
-
//
|
|
3623
|
-
//
|
|
3622
|
+
// Anonymous traffic has no session → correlationId is the per-attempt
|
|
3623
|
+
// linking key (the sessionId-equivalent for anonymous callers).
|
|
3624
3624
|
correlationId: apiResponse.correlationId,
|
|
3625
3625
|
recommendation: apiResponse.recommendation,
|
|
3626
3626
|
recommendationReasons: apiResponse.recommendationReasons
|
|
@@ -3694,13 +3694,10 @@ async function verify(config, request) {
|
|
|
3694
3694
|
};
|
|
3695
3695
|
} else if (result.recommendation === "step_up_required") {
|
|
3696
3696
|
result.requiresStepUp = true;
|
|
3697
|
-
if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
|
|
3698
|
-
result.accessLevel = "read-only";
|
|
3699
|
-
}
|
|
3700
3697
|
result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
|
|
3701
3698
|
}
|
|
3702
3699
|
if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
|
|
3703
|
-
cacheResult(request, result, mergedConfig.cacheTtl);
|
|
3700
|
+
cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
|
|
3704
3701
|
}
|
|
3705
3702
|
return result;
|
|
3706
3703
|
}
|
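Review bot: In the last hunk, the `step_up_required` branch of verify() no longer lowers `result.accessLevel` to `"read-only"`, so a result with `requiresStepUp = true` keeps whatever access level the backend returned and, not being a `deny`, is then stored by `cacheResult` (by default for `DEFAULT_STEP_UP_TTL_SECONDS`). Any consumer that authorises on `accessLevel` alone would treat a pending step-up as a grant; whether the adapters now enforce `requiresStepUp` themselves is not visible in this section. The contract should at least be stated at the branch, e.g. `// accessLevel is not clamped on step-up; callers MUST check requiresStepUp before honouring it`. Separately, the new `counterpartyId || ""` element is still combined with `].join("|")`, so free-form fields that contain `|` can shift field boundaries and let distinct tuples share a cache key; `JSON.stringify([...])` over the same array would keep the key unambiguous. verify() begins outside the shown hunks, and part of getCacheKey's array is elided between them.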