@astrasyncai/verification-gateway 3.0.0 → 3.2.0

Files changed (87)
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +145 -93
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +145 -93
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +29 -11
  10. package/dist/adapters/mcp.d.ts +29 -11
  11. package/dist/adapters/mcp.js +43 -102
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +43 -102
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +126 -56
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +126 -56
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +25 -14
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +25 -14
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/agent/index.js +3 -0
  30. package/dist/agent/index.js.map +1 -1
  31. package/dist/agent/index.mjs +3 -0
  32. package/dist/agent/index.mjs.map +1 -1
  33. package/dist/browser/background.js +18 -21
  34. package/dist/browser/background.js.map +1 -1
  35. package/dist/browser/background.mjs +18 -21
  36. package/dist/browser/background.mjs.map +1 -1
  37. package/dist/browser/browser-adapter.d.mts +2 -2
  38. package/dist/browser/browser-adapter.d.ts +2 -2
  39. package/dist/cli/index.d.mts +2 -2
  40. package/dist/cli/index.d.ts +2 -2
  41. package/dist/cursor/cursor-adapter.d.mts +2 -2
  42. package/dist/cursor/cursor-adapter.d.ts +2 -2
  43. package/dist/cursor/extension.d.mts +2 -2
  44. package/dist/cursor/extension.d.ts +2 -2
  45. package/dist/cursor/extension.js +18 -21
  46. package/dist/cursor/extension.js.map +1 -1
  47. package/dist/cursor/extension.mjs +18 -21
  48. package/dist/cursor/extension.mjs.map +1 -1
  49. package/dist/{express-CrfwoNAR.d.ts → express-BowlMHQF.d.ts} +1 -1
  50. package/dist/{express-ienhAXps.d.mts → express-CeoSdOAZ.d.mts} +1 -1
  51. package/dist/gateway/gateway.d.mts +2 -2
  52. package/dist/gateway/gateway.d.ts +2 -2
  53. package/dist/gateway/gateway.js +18 -21
  54. package/dist/gateway/gateway.js.map +1 -1
  55. package/dist/gateway/gateway.mjs +18 -21
  56. package/dist/gateway/gateway.mjs.map +1 -1
  57. package/dist/git-trigger/git-hooks.d.mts +2 -2
  58. package/dist/git-trigger/git-hooks.d.ts +2 -2
  59. package/dist/{index-CEg_WG6y.d.mts → index-B51W8gn8.d.mts} +1 -1
  60. package/dist/{index-DC5f8eoQ.d.ts → index-DBmlycVm.d.ts} +1 -1
  61. package/dist/{index-B5e2IDWU.d.mts → index-DtGziFEm.d.mts} +1 -1
  62. package/dist/{index-CCdZxvAr.d.ts → index-DzXXBuLm.d.ts} +1 -1
  63. package/dist/index.d.mts +7 -7
  64. package/dist/index.d.ts +7 -7
  65. package/dist/index.js +209 -191
  66. package/dist/index.js.map +1 -1
  67. package/dist/index.mjs +209 -191
  68. package/dist/index.mjs.map +1 -1
  69. package/dist/local-evaluator/evaluator.d.mts +2 -2
  70. package/dist/local-evaluator/evaluator.d.ts +2 -2
  71. package/dist/{nextjs-DSpisQst.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
  72. package/dist/{nextjs-66R1KW8e.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
  73. package/dist/{sdk-5U_CBRpr.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
  74. package/dist/{sdk-Bm8np66n.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
  75. package/dist/transport/index.d.mts +2 -2
  76. package/dist/transport/index.d.ts +2 -2
  77. package/dist/transport/index.js +10 -0
  78. package/dist/transport/index.js.map +1 -1
  79. package/dist/transport/index.mjs +10 -0
  80. package/dist/transport/index.mjs.map +1 -1
  81. package/dist/{types-CgDCUfo8.d.mts → types-BNiLZY0i.d.mts} +1 -1
  82. package/dist/{types-R5N4ET6x.d.ts → types-DJi-u3fz.d.ts} +1 -1
  83. package/dist/{types-B3USs-Kx.d.mts → types-rFh4VMH4.d.mts} +30 -2
  84. package/dist/{types-B3USs-Kx.d.ts → types-rFh4VMH4.d.ts} +30 -2
  85. package/dist/ui/index.d.mts +1 -1
  86. package/dist/ui/index.d.ts +1 -1
  87. package/package.json +1 -1
@@ -3289,14 +3289,6 @@ function verifyLocal(evaluator, context) {
3289
3289
  }
3290
3290
 
3291
3291
  // src/access-levels.ts
3292
- var ACCESS_LEVEL_HIERARCHY = {
3293
- none: 0,
3294
- restricted: 1,
3295
- "read-only": 2,
3296
- standard: 3,
3297
- full: 4,
3298
- internal: 5
3299
- };
3300
3292
  function getTrustLevel(score) {
3301
3293
  if (score >= 80) return "PLATINUM";
3302
3294
  if (score >= 60) return "GOLD";
@@ -3305,7 +3297,7 @@ function getTrustLevel(score) {
3305
3297
  }
3306
3298
 
3307
3299
  // src/version.ts
3308
- var SDK_VERSION = "3.0.0";
3300
+ var SDK_VERSION = "3.2.0";
3309
3301
 
3310
3302
  // src/well-known.ts
3311
3303
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3358,7 +3350,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
3358
3350
  }
3359
3351
  }
3360
3352
  var verificationCache = /* @__PURE__ */ new Map();
3361
- function getCacheKey(request) {
3353
+ function getCacheKey(request, counterpartyId) {
3362
3354
  const c = request.credentials;
3363
3355
  return [
3364
3356
  c.astraId || "",
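Review bot: `getCacheKey(request, counterpartyId)` gains a security-relevant parameter with no default and no documentation, and any caller that is not updated silently passes `undefined`, which `counterpartyId || ""` then folds into the same key as every other merchant-less call, i.e. the cross-merchant collision this change is meant to close. The two callers visible in this diff (getCachedResult, cacheResult) are updated; the adapter files in the diffstat are not visible here, so whether they all pass it is inferred. Suggest a JSDoc line above the signature, `/** @param {string|undefined} counterpartyId - merchant identity taken from config.counterpartyId; keyed because it changes the backend verdict */`, and a debug-mode log when it is absent so a missing pass-through is noticed. The function body continues past this hunk.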
@@ -3371,6 +3363,14 @@ function getCacheKey(request) {
3371
3363
  request.jurisdiction || "",
3372
3364
  request.transactionValue ?? "",
3373
3365
  request.currency || "",
3366
+ // SECURITY (cross-merchant cache leak): the merchant identity is sent via
3367
+ // `config.counterpartyId`, NOT on the request, so it was previously absent
3368
+ // from the key — two verifies for the SAME agent/purpose/action/value but
3369
+ // DIFFERENT merchants collided, and a grant at a permissive merchant (low
3370
+ // trust floor) was served for a stricter one. Same bug class as the
3371
+ // duration omission (F-A1-07). counterpartyId affects the backend verdict
3372
+ // (trust floor / per-route policy), so it MUST key the cache.
3373
+ counterpartyId || "",
3374
3374
  request.counterpartyUrl || "",
3375
3375
  request.counterpartyType || "",
3376
3376
  request.isSubAgentRequest ? "1" : "0",
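Review bot: The new `counterpartyId || ""` element is appended to a key that is later assembled with `.join("|")` and no escaping of components, so a component containing `|` shifts the fields after it and two different (agent, merchant) tuples can map to one cache entry; several components in this key are caller-supplied strings (`astraId`, `jurisdiction`, `currency`). Because the whole purpose of this key is to keep verdicts from being served across merchants, an unambiguous encoding is worth the one-line change: replace `].join("|")` at the end of this function with `JSON.stringify([` … `])`, or apply `encodeURIComponent` to each element. Whether the backend already constrains these strings is not visible here. getCacheKey's opening and closing lines are outside this hunk.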
@@ -3394,8 +3394,8 @@ function getCacheKey(request) {
3394
3394
  request.callerMetadata?.agentCardUrl || ""
3395
3395
  ].join("|");
3396
3396
  }
3397
- function getCachedResult(request) {
3398
- const key = getCacheKey(request);
3397
+ function getCachedResult(request, counterpartyId) {
3398
+ const key = getCacheKey(request, counterpartyId);
3399
3399
  const cached = verificationCache.get(key);
3400
3400
  if (cached && cached.expiresAt > Date.now()) {
3401
3401
  return cached.result;
@@ -3407,9 +3407,9 @@ function getCachedResult(request) {
3407
3407
  }
3408
3408
  var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
3409
3409
  var DEFAULT_STEP_UP_TTL_SECONDS = 300;
3410
- function cacheResult(request, result, configuredTtl) {
3410
+ function cacheResult(request, result, configuredTtl, counterpartyId) {
3411
3411
  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
3412
- const key = getCacheKey(request);
3412
+ const key = getCacheKey(request, counterpartyId);
3413
3413
  verificationCache.set(key, {
3414
3414
  result,
3415
3415
  expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3567,7 +3567,7 @@ async function verify(config, request) {
3567
3567
  );
3568
3568
  }
3569
3569
  if (mergedConfig.cacheTtl !== 0) {
3570
- const cached = getCachedResult(request);
3570
+ const cached = getCachedResult(request, mergedConfig.counterpartyId);
3571
3571
  if (cached) {
3572
3572
  if (mergedConfig.debug) {
3573
3573
  console.log("[VerificationGateway] Returning cached result");
@@ -3619,8 +3619,8 @@ async function verify(config, request) {
3619
3619
  verifiedAt: /* @__PURE__ */ new Date(),
3620
3620
  // Extract sessionId so decisions can be recorded for denials too
3621
3621
  sessionId: apiResponse.sessionId,
3622
- // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
3623
- // correlationId is the linking key for paired local_override events.
3622
+ // Anonymous traffic has no session → correlationId is the per-attempt
3623
+ // linking key (the sessionId-equivalent for anonymous callers).
3624
3624
  correlationId: apiResponse.correlationId,
3625
3625
  recommendation: apiResponse.recommendation,
3626
3626
  recommendationReasons: apiResponse.recommendationReasons
@@ -3694,13 +3694,10 @@ async function verify(config, request) {
3694
3694
  };
3695
3695
  } else if (result.recommendation === "step_up_required") {
3696
3696
  result.requiresStepUp = true;
3697
- if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
3698
- result.accessLevel = "read-only";
3699
- }
3700
3697
  result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
3701
3698
  }
3702
3699
  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
3703
- cacheResult(request, result, mergedConfig.cacheTtl);
3700
+ cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
3704
3701
  }
3705
3702
  return result;
3706
3703
  }
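Review bot: Removing the `read-only` clamp from the `step_up_required` branch means a result that requires step-up now keeps whatever `accessLevel` the backend returned, and that result is then stored by the `cacheResult` call two lines below (step-up results default to `DEFAULT_STEP_UP_TTL_SECONDS`, 300 seconds, per the context earlier in this diff), so any over-broad level is served for the whole TTL. If the backend now guarantees the cap, the branch should state that invariant, e.g. `// accessLevel is already capped server-side for step_up_required; local downgrade (ACCESS_LEVEL_HIERARCHY) removed`; if it does not, the downgrade should be restored rather than deleted together with the table in the first hunk (`// src/access-levels.ts`). The start of verify() is outside this hunk.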