@astrasyncai/verification-gateway 3.0.0 → 3.2.0

Files changed (87) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +145 -93
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +145 -93
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +29 -11
  10. package/dist/adapters/mcp.d.ts +29 -11
  11. package/dist/adapters/mcp.js +43 -102
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +43 -102
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +126 -56
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +126 -56
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +25 -14
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +25 -14
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/agent/index.js +3 -0
  30. package/dist/agent/index.js.map +1 -1
  31. package/dist/agent/index.mjs +3 -0
  32. package/dist/agent/index.mjs.map +1 -1
  33. package/dist/browser/background.js +18 -21
  34. package/dist/browser/background.js.map +1 -1
  35. package/dist/browser/background.mjs +18 -21
  36. package/dist/browser/background.mjs.map +1 -1
  37. package/dist/browser/browser-adapter.d.mts +2 -2
  38. package/dist/browser/browser-adapter.d.ts +2 -2
  39. package/dist/cli/index.d.mts +2 -2
  40. package/dist/cli/index.d.ts +2 -2
  41. package/dist/cursor/cursor-adapter.d.mts +2 -2
  42. package/dist/cursor/cursor-adapter.d.ts +2 -2
  43. package/dist/cursor/extension.d.mts +2 -2
  44. package/dist/cursor/extension.d.ts +2 -2
  45. package/dist/cursor/extension.js +18 -21
  46. package/dist/cursor/extension.js.map +1 -1
  47. package/dist/cursor/extension.mjs +18 -21
  48. package/dist/cursor/extension.mjs.map +1 -1
  49. package/dist/{express-CrfwoNAR.d.ts → express-BowlMHQF.d.ts} +1 -1
  50. package/dist/{express-ienhAXps.d.mts → express-CeoSdOAZ.d.mts} +1 -1
  51. package/dist/gateway/gateway.d.mts +2 -2
  52. package/dist/gateway/gateway.d.ts +2 -2
  53. package/dist/gateway/gateway.js +18 -21
  54. package/dist/gateway/gateway.js.map +1 -1
  55. package/dist/gateway/gateway.mjs +18 -21
  56. package/dist/gateway/gateway.mjs.map +1 -1
  57. package/dist/git-trigger/git-hooks.d.mts +2 -2
  58. package/dist/git-trigger/git-hooks.d.ts +2 -2
  59. package/dist/{index-CEg_WG6y.d.mts → index-B51W8gn8.d.mts} +1 -1
  60. package/dist/{index-DC5f8eoQ.d.ts → index-DBmlycVm.d.ts} +1 -1
  61. package/dist/{index-B5e2IDWU.d.mts → index-DtGziFEm.d.mts} +1 -1
  62. package/dist/{index-CCdZxvAr.d.ts → index-DzXXBuLm.d.ts} +1 -1
  63. package/dist/index.d.mts +7 -7
  64. package/dist/index.d.ts +7 -7
  65. package/dist/index.js +209 -191
  66. package/dist/index.js.map +1 -1
  67. package/dist/index.mjs +209 -191
  68. package/dist/index.mjs.map +1 -1
  69. package/dist/local-evaluator/evaluator.d.mts +2 -2
  70. package/dist/local-evaluator/evaluator.d.ts +2 -2
  71. package/dist/{nextjs-DSpisQst.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
  72. package/dist/{nextjs-66R1KW8e.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
  73. package/dist/{sdk-5U_CBRpr.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
  74. package/dist/{sdk-Bm8np66n.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
  75. package/dist/transport/index.d.mts +2 -2
  76. package/dist/transport/index.d.ts +2 -2
  77. package/dist/transport/index.js +10 -0
  78. package/dist/transport/index.js.map +1 -1
  79. package/dist/transport/index.mjs +10 -0
  80. package/dist/transport/index.mjs.map +1 -1
  81. package/dist/{types-CgDCUfo8.d.mts → types-BNiLZY0i.d.mts} +1 -1
  82. package/dist/{types-R5N4ET6x.d.ts → types-DJi-u3fz.d.ts} +1 -1
  83. package/dist/{types-B3USs-Kx.d.mts → types-rFh4VMH4.d.mts} +30 -2
  84. package/dist/{types-B3USs-Kx.d.ts → types-rFh4VMH4.d.ts} +30 -2
  85. package/dist/ui/index.d.mts +1 -1
  86. package/dist/ui/index.d.ts +1 -1
  87. package/package.json +1 -1
@@ -1,5 +1,5 @@
1
1
  import { RequestHandler, Request } from 'express';
2
- import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-B3USs-Kx.js';
2
+ import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-rFh4VMH4.js';
3
3
 
4
4
  /**
5
5
  * AstraSync Universal Verification Gateway - Express Middleware
@@ -1,5 +1,5 @@
1
1
  import { RequestHandler, Request } from 'express';
2
- import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-B3USs-Kx.mjs';
2
+ import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-rFh4VMH4.mjs';
3
3
 
4
4
  /**
5
5
  * AstraSync Universal Verification Gateway - Express Middleware
@@ -1,5 +1,5 @@
1
- import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-CgDCUfo8.mjs';
2
- import '../types-B3USs-Kx.mjs';
1
+ import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-BNiLZY0i.mjs';
2
+ import '../types-rFh4VMH4.mjs';
3
3
 
4
4
  /**
5
5
  * AstraSyncGateway — Primary API surface for agent verification.
@@ -1,5 +1,5 @@
1
- import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-R5N4ET6x.js';
2
- import '../types-B3USs-Kx.js';
1
+ import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-DJi-u3fz.js';
2
+ import '../types-rFh4VMH4.js';
3
3
 
4
4
  /**
5
5
  * AstraSyncGateway — Primary API surface for agent verification.
@@ -3049,14 +3049,6 @@ function verifyLocal(evaluator, context) {
3049
3049
  }
3050
3050
 
3051
3051
  // src/access-levels.ts
3052
- var ACCESS_LEVEL_HIERARCHY = {
3053
- none: 0,
3054
- restricted: 1,
3055
- "read-only": 2,
3056
- standard: 3,
3057
- full: 4,
3058
- internal: 5
3059
- };
3060
3052
  function getTrustLevel(score) {
3061
3053
  if (score >= 80) return "PLATINUM";
3062
3054
  if (score >= 60) return "GOLD";
@@ -3065,7 +3057,7 @@ function getTrustLevel(score) {
3065
3057
  }
3066
3058
 
3067
3059
  // src/version.ts
3068
- var SDK_VERSION = "3.0.0";
3060
+ var SDK_VERSION = "3.2.0";
3069
3061
 
3070
3062
  // src/well-known.ts
3071
3063
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3118,7 +3110,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
3118
3110
  }
3119
3111
  }
3120
3112
  var verificationCache = /* @__PURE__ */ new Map();
3121
- function getCacheKey(request) {
3113
+ function getCacheKey(request, counterpartyId) {
3122
3114
  const c = request.credentials;
3123
3115
  return [
3124
3116
  c.astraId || "",
@@ -3131,6 +3123,14 @@ function getCacheKey(request) {
3131
3123
  request.jurisdiction || "",
3132
3124
  request.transactionValue ?? "",
3133
3125
  request.currency || "",
3126
+ // SECURITY (cross-merchant cache leak): the merchant identity is sent via
3127
+ // `config.counterpartyId`, NOT on the request, so it was previously absent
3128
+ // from the key — two verifies for the SAME agent/purpose/action/value but
3129
+ // DIFFERENT merchants collided, and a grant at a permissive merchant (low
3130
+ // trust floor) was served for a stricter one. Same bug class as the
3131
+ // duration omission (F-A1-07). counterpartyId affects the backend verdict
3132
+ // (trust floor / per-route policy), so it MUST key the cache.
3133
+ counterpartyId || "",
3134
3134
  request.counterpartyUrl || "",
3135
3135
  request.counterpartyType || "",
3136
3136
  request.isSubAgentRequest ? "1" : "0",
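Review bot: The new `counterpartyId || ""` element in getCacheKey is joined to its neighbours by a bare `|` in `].join("|")`, so the key is only unambiguous if no component can itself contain `|`; several components are taken from the request, and `request.counterpartyUrl` sits directly after the merchant id. Serialising the array instead, e.g. `return JSON.stringify([ /* same elements */ ]);`, keeps field boundaries intact whatever the values are. The parameter is also optional here and in the getCachedResult and cacheResult hunks, so a caller that omits it, or a config with no counterpartyId set, falls into the shared `""` bucket, which is the pre-fix behaviour. The three call sites visible on this page pass `mergedConfig.counterpartyId`, but any other callers in the bundle should be checked. getCacheKey starts and ends outside this hunk.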
@@ -3154,8 +3154,8 @@ function getCacheKey(request) {
3154
3154
  request.callerMetadata?.agentCardUrl || ""
3155
3155
  ].join("|");
3156
3156
  }
3157
- function getCachedResult(request) {
3158
- const key = getCacheKey(request);
3157
+ function getCachedResult(request, counterpartyId) {
3158
+ const key = getCacheKey(request, counterpartyId);
3159
3159
  const cached = verificationCache.get(key);
3160
3160
  if (cached && cached.expiresAt > Date.now()) {
3161
3161
  return cached.result;
@@ -3167,9 +3167,9 @@ function getCachedResult(request) {
3167
3167
  }
3168
3168
  var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
3169
3169
  var DEFAULT_STEP_UP_TTL_SECONDS = 300;
3170
- function cacheResult(request, result, configuredTtl) {
3170
+ function cacheResult(request, result, configuredTtl, counterpartyId) {
3171
3171
  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
3172
- const key = getCacheKey(request);
3172
+ const key = getCacheKey(request, counterpartyId);
3173
3173
  verificationCache.set(key, {
3174
3174
  result,
3175
3175
  expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3327,7 +3327,7 @@ async function verify(config, request) {
3327
3327
  );
3328
3328
  }
3329
3329
  if (mergedConfig.cacheTtl !== 0) {
3330
- const cached = getCachedResult(request);
3330
+ const cached = getCachedResult(request, mergedConfig.counterpartyId);
3331
3331
  if (cached) {
3332
3332
  if (mergedConfig.debug) {
3333
3333
  console.log("[VerificationGateway] Returning cached result");
@@ -3379,8 +3379,8 @@ async function verify(config, request) {
3379
3379
  verifiedAt: /* @__PURE__ */ new Date(),
3380
3380
  // Extract sessionId so decisions can be recorded for denials too
3381
3381
  sessionId: apiResponse.sessionId,
3382
- // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
3383
- // correlationId is the linking key for paired local_override events.
3382
+ // Anonymous traffic has no session → correlationId is the per-attempt
3383
+ // linking key (the sessionId-equivalent for anonymous callers).
3384
3384
  correlationId: apiResponse.correlationId,
3385
3385
  recommendation: apiResponse.recommendation,
3386
3386
  recommendationReasons: apiResponse.recommendationReasons
@@ -3454,13 +3454,10 @@ async function verify(config, request) {
3454
3454
  };
3455
3455
  } else if (result.recommendation === "step_up_required") {
3456
3456
  result.requiresStepUp = true;
3457
- if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
3458
- result.accessLevel = "read-only";
3459
- }
3460
3457
  result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
3461
3458
  }
3462
3459
  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
3463
- cacheResult(request, result, mergedConfig.cacheTtl);
3460
+ cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
3464
3461
  }
3465
3462
  return result;
3466
3463
  }
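Review bot: With the read-only clamp removed from the `step_up_required` branch of verify, a result that still needs step-up now keeps whatever `accessLevel` the backend returned. Because its recommendation is not `"deny"`, it is also stored by the `cacheResult(...)` call just below, for DEFAULT_STEP_UP_TTL_SECONDS when no cacheTtl is configured. Any consumer that authorises on `result.accessLevel` without first checking `result.requiresStepUp` would treat a pending step-up as a grant at that level; whether the adapters make that check is not visible on this page. If the removal is intentional, state the contract at the branch, e.g. `// accessLevel is passed through unclamped; callers MUST check requiresStepUp before honouring it`, and otherwise restore the downgrade to `"read-only"`. verify starts outside this hunk.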