@astrasyncai/verification-gateway 3.0.0 → 3.2.0
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +145 -93
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +145 -93
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +29 -11
- package/dist/adapters/mcp.d.ts +29 -11
- package/dist/adapters/mcp.js +43 -102
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +43 -102
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +126 -56
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +126 -56
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/agent/index.js +3 -0
- package/dist/agent/index.js.map +1 -1
- package/dist/agent/index.mjs +3 -0
- package/dist/agent/index.mjs.map +1 -1
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-CrfwoNAR.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-ienhAXps.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-CEg_WG6y.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-DC5f8eoQ.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-B5e2IDWU.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-CCdZxvAr.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +209 -191
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +209 -191
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-DSpisQst.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-66R1KW8e.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-5U_CBRpr.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-Bm8np66n.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/transport/index.js +10 -0
- package/dist/transport/index.js.map +1 -1
- package/dist/transport/index.mjs +10 -0
- package/dist/transport/index.mjs.map +1 -1
- package/dist/{types-CgDCUfo8.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-R5N4ET6x.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-B3USs-Kx.d.mts → types-rFh4VMH4.d.mts} +30 -2
- package/dist/{types-B3USs-Kx.d.ts → types-rFh4VMH4.d.ts} +30 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
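--- a/[path not shown]
+++ b/[path not shown]
@@ -3287,14 +3287,6 @@ function verifyLocal(evaluator, context) {
 }
 
 // src/access-levels.ts
-var ACCESS_LEVEL_HIERARCHY = {
-none: 0,
-restricted: 1,
-"read-only": 2,
-standard: 3,
-full: 4,
-internal: 5
-};
 function getTrustLevel(score) {
 if (score >= 80) return "PLATINUM";
 if (score >= 60) return "GOLD";
@@ -3303,7 +3295,7 @@ function getTrustLevel(score) {
 }
 
 // src/version.ts
-var SDK_VERSION = "3.
+var SDK_VERSION = "3.2.0";
 
 // src/well-known.ts
 var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3356,7 +3348,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
 }
 }
 var verificationCache = /* @__PURE__ */ new Map();
-function getCacheKey(request) {
+function getCacheKey(request, counterpartyId) {
 const c = request.credentials;
 return [
 c.astraId || "",
@@ -3369,6 +3361,14 @@ function getCacheKey(request) {
 request.jurisdiction || "",
 request.transactionValue ?? "",
 request.currency || "",
+// SECURITY (cross-merchant cache leak): the merchant identity is sent via
+// `config.counterpartyId`, NOT on the request, so it was previously absent
+// from the key — two verifies for the SAME agent/purpose/action/value but
+// DIFFERENT merchants collided, and a grant at a permissive merchant (low
+// trust floor) was served for a stricter one. Same bug class as the
+// duration omission (F-A1-07). counterpartyId affects the backend verdict
+// (trust floor / per-route policy), so it MUST key the cache.
+counterpartyId || "",
 request.counterpartyUrl || "",
 request.counterpartyType || "",
 request.isSubAgentRequest ? "1" : "0",
@@ -3392,8 +3392,8 @@ function getCacheKey(request) {
 request.callerMetadata?.agentCardUrl || ""
 ].join("|");
 }
-function getCachedResult(request) {
-const key = getCacheKey(request);
+function getCachedResult(request, counterpartyId) {
+const key = getCacheKey(request, counterpartyId);
 const cached = verificationCache.get(key);
 if (cached && cached.expiresAt > Date.now()) {
 return cached.result;
@@ -3405,9 +3405,9 @@ function getCachedResult(request) {
 }
 var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
 var DEFAULT_STEP_UP_TTL_SECONDS = 300;
-function cacheResult(request, result, configuredTtl) {
+function cacheResult(request, result, configuredTtl, counterpartyId) {
 const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
-const key = getCacheKey(request);
+const key = getCacheKey(request, counterpartyId);
 verificationCache.set(key, {
 result,
 expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3565,7 +3565,7 @@ async function verify(config, request) {
 );
 }
 if (mergedConfig.cacheTtl !== 0) {
-const cached = getCachedResult(request);
+const cached = getCachedResult(request, mergedConfig.counterpartyId);
 if (cached) {
 if (mergedConfig.debug) {
 console.log("[VerificationGateway] Returning cached result");
@@ -3617,8 +3617,8 @@ async function verify(config, request) {
 verifiedAt: /* @__PURE__ */ new Date(),
 // Extract sessionId so decisions can be recorded for denials too
 sessionId: apiResponse.sessionId,
-//
-//
+// Anonymous traffic has no session → correlationId is the per-attempt
+// linking key (the sessionId-equivalent for anonymous callers).
 correlationId: apiResponse.correlationId,
 recommendation: apiResponse.recommendation,
 recommendationReasons: apiResponse.recommendationReasons
@@ -3692,13 +3692,10 @@ async function verify(config, request) {
 };
 } else if (result.recommendation === "step_up_required") {
 result.requiresStepUp = true;
-if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
-result.accessLevel = "read-only";
-}
 result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
 }
 if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
-cacheResult(request, result, mergedConfig.cacheTtl);
+cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
 }
 return result;
 }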
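Review bot: Dropping the `ACCESS_LEVEL_HIERARCHY` clamp in the `step_up_required` branch (old 3695–3697, table removed at old 3290–3297) means a result that still requires step-up now keeps whatever `accessLevel` the API returned, and because the cache condition only excludes `"deny"`, `cacheResult` then stores that unclamped result for `DEFAULT_STEP_UP_TTL_SECONDS` (300 s) and `getCachedResult` serves it to later callers. If the backend is now guaranteed to return an already-reduced `accessLevel` for step-up verdicts, that invariant is what callers depend on and should be written down at `result.requiresStepUp = true;`, e.g. `// accessLevel is not clamped here: the API returns the reduced level for step_up_required verdicts`; if it is not guaranteed, the clamp should be restored before the result reaches `cacheResult`. Whether the backend guarantees this cannot be seen from this diff. Note also that the new `counterpartyId || ""` key component is joined with the request-supplied fields by `"|"` without escaping, exactly as the existing fields are, so a request field that itself contains `|` can still produce a colliding key; this predates the change but the cache-leak comment added here is a natural place to mention it. The body of `verify` starts outside these hunks.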