@astrasyncai/verification-gateway 3.0.0 → 3.2.0

Files changed (87)
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +145 -93
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +145 -93
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +29 -11
  10. package/dist/adapters/mcp.d.ts +29 -11
  11. package/dist/adapters/mcp.js +43 -102
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +43 -102
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +126 -56
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +126 -56
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +25 -14
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +25 -14
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/agent/index.js +3 -0
  30. package/dist/agent/index.js.map +1 -1
  31. package/dist/agent/index.mjs +3 -0
  32. package/dist/agent/index.mjs.map +1 -1
  33. package/dist/browser/background.js +18 -21
  34. package/dist/browser/background.js.map +1 -1
  35. package/dist/browser/background.mjs +18 -21
  36. package/dist/browser/background.mjs.map +1 -1
  37. package/dist/browser/browser-adapter.d.mts +2 -2
  38. package/dist/browser/browser-adapter.d.ts +2 -2
  39. package/dist/cli/index.d.mts +2 -2
  40. package/dist/cli/index.d.ts +2 -2
  41. package/dist/cursor/cursor-adapter.d.mts +2 -2
  42. package/dist/cursor/cursor-adapter.d.ts +2 -2
  43. package/dist/cursor/extension.d.mts +2 -2
  44. package/dist/cursor/extension.d.ts +2 -2
  45. package/dist/cursor/extension.js +18 -21
  46. package/dist/cursor/extension.js.map +1 -1
  47. package/dist/cursor/extension.mjs +18 -21
  48. package/dist/cursor/extension.mjs.map +1 -1
  49. package/dist/{express-CrfwoNAR.d.ts → express-BowlMHQF.d.ts} +1 -1
  50. package/dist/{express-ienhAXps.d.mts → express-CeoSdOAZ.d.mts} +1 -1
  51. package/dist/gateway/gateway.d.mts +2 -2
  52. package/dist/gateway/gateway.d.ts +2 -2
  53. package/dist/gateway/gateway.js +18 -21
  54. package/dist/gateway/gateway.js.map +1 -1
  55. package/dist/gateway/gateway.mjs +18 -21
  56. package/dist/gateway/gateway.mjs.map +1 -1
  57. package/dist/git-trigger/git-hooks.d.mts +2 -2
  58. package/dist/git-trigger/git-hooks.d.ts +2 -2
  59. package/dist/{index-CEg_WG6y.d.mts → index-B51W8gn8.d.mts} +1 -1
  60. package/dist/{index-DC5f8eoQ.d.ts → index-DBmlycVm.d.ts} +1 -1
  61. package/dist/{index-B5e2IDWU.d.mts → index-DtGziFEm.d.mts} +1 -1
  62. package/dist/{index-CCdZxvAr.d.ts → index-DzXXBuLm.d.ts} +1 -1
  63. package/dist/index.d.mts +7 -7
  64. package/dist/index.d.ts +7 -7
  65. package/dist/index.js +209 -191
  66. package/dist/index.js.map +1 -1
  67. package/dist/index.mjs +209 -191
  68. package/dist/index.mjs.map +1 -1
  69. package/dist/local-evaluator/evaluator.d.mts +2 -2
  70. package/dist/local-evaluator/evaluator.d.ts +2 -2
  71. package/dist/{nextjs-DSpisQst.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
  72. package/dist/{nextjs-66R1KW8e.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
  73. package/dist/{sdk-5U_CBRpr.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
  74. package/dist/{sdk-Bm8np66n.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
  75. package/dist/transport/index.d.mts +2 -2
  76. package/dist/transport/index.d.ts +2 -2
  77. package/dist/transport/index.js +10 -0
  78. package/dist/transport/index.js.map +1 -1
  79. package/dist/transport/index.mjs +10 -0
  80. package/dist/transport/index.mjs.map +1 -1
  81. package/dist/{types-CgDCUfo8.d.mts → types-BNiLZY0i.d.mts} +1 -1
  82. package/dist/{types-R5N4ET6x.d.ts → types-DJi-u3fz.d.ts} +1 -1
  83. package/dist/{types-B3USs-Kx.d.mts → types-rFh4VMH4.d.mts} +30 -2
  84. package/dist/{types-B3USs-Kx.d.ts → types-rFh4VMH4.d.ts} +30 -2
  85. package/dist/ui/index.d.mts +1 -1
  86. package/dist/ui/index.d.ts +1 -1
  87. package/package.json +1 -1
@@ -3023,14 +3023,6 @@ function verifyLocal(evaluator, context) {
3023
3023
  }
3024
3024
 
3025
3025
  // src/access-levels.ts
3026
- var ACCESS_LEVEL_HIERARCHY = {
3027
- none: 0,
3028
- restricted: 1,
3029
- "read-only": 2,
3030
- standard: 3,
3031
- full: 4,
3032
- internal: 5
3033
- };
3034
3026
  function getTrustLevel(score) {
3035
3027
  if (score >= 80) return "PLATINUM";
3036
3028
  if (score >= 60) return "GOLD";
@@ -3039,7 +3031,7 @@ function getTrustLevel(score) {
3039
3031
  }
3040
3032
 
3041
3033
  // src/version.ts
3042
- var SDK_VERSION = "3.0.0";
3034
+ var SDK_VERSION = "3.2.0";
3043
3035
 
3044
3036
  // src/well-known.ts
3045
3037
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3092,7 +3084,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
3092
3084
  }
3093
3085
  }
3094
3086
  var verificationCache = /* @__PURE__ */ new Map();
3095
- function getCacheKey(request) {
3087
+ function getCacheKey(request, counterpartyId) {
3096
3088
  const c = request.credentials;
3097
3089
  return [
3098
3090
  c.astraId || "",
@@ -3105,6 +3097,14 @@ function getCacheKey(request) {
3105
3097
  request.jurisdiction || "",
3106
3098
  request.transactionValue ?? "",
3107
3099
  request.currency || "",
3100
+ // SECURITY (cross-merchant cache leak): the merchant identity is sent via
3101
+ // `config.counterpartyId`, NOT on the request, so it was previously absent
3102
+ // from the key — two verifies for the SAME agent/purpose/action/value but
3103
+ // DIFFERENT merchants collided, and a grant at a permissive merchant (low
3104
+ // trust floor) was served for a stricter one. Same bug class as the
3105
+ // duration omission (F-A1-07). counterpartyId affects the backend verdict
3106
+ // (trust floor / per-route policy), so it MUST key the cache.
3107
+ counterpartyId || "",
3108
3108
  request.counterpartyUrl || "",
3109
3109
  request.counterpartyType || "",
3110
3110
  request.isSubAgentRequest ? "1" : "0",
@@ -3128,8 +3128,8 @@ function getCacheKey(request) {
3128
3128
  request.callerMetadata?.agentCardUrl || ""
3129
3129
  ].join("|");
3130
3130
  }
3131
- function getCachedResult(request) {
3132
- const key = getCacheKey(request);
3131
+ function getCachedResult(request, counterpartyId) {
3132
+ const key = getCacheKey(request, counterpartyId);
3133
3133
  const cached = verificationCache.get(key);
3134
3134
  if (cached && cached.expiresAt > Date.now()) {
3135
3135
  return cached.result;
@@ -3141,9 +3141,9 @@ function getCachedResult(request) {
3141
3141
  }
3142
3142
  var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
3143
3143
  var DEFAULT_STEP_UP_TTL_SECONDS = 300;
3144
- function cacheResult(request, result, configuredTtl) {
3144
+ function cacheResult(request, result, configuredTtl, counterpartyId) {
3145
3145
  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
3146
- const key = getCacheKey(request);
3146
+ const key = getCacheKey(request, counterpartyId);
3147
3147
  verificationCache.set(key, {
3148
3148
  result,
3149
3149
  expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3301,7 +3301,7 @@ async function verify(config, request) {
3301
3301
  );
3302
3302
  }
3303
3303
  if (mergedConfig.cacheTtl !== 0) {
3304
- const cached = getCachedResult(request);
3304
+ const cached = getCachedResult(request, mergedConfig.counterpartyId);
3305
3305
  if (cached) {
3306
3306
  if (mergedConfig.debug) {
3307
3307
  console.log("[VerificationGateway] Returning cached result");
@@ -3353,8 +3353,8 @@ async function verify(config, request) {
3353
3353
  verifiedAt: /* @__PURE__ */ new Date(),
3354
3354
  // Extract sessionId so decisions can be recorded for denials too
3355
3355
  sessionId: apiResponse.sessionId,
3356
- // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
3357
- // correlationId is the linking key for paired local_override events.
3356
+ // Anonymous traffic has no session → correlationId is the per-attempt
3357
+ // linking key (the sessionId-equivalent for anonymous callers).
3358
3358
  correlationId: apiResponse.correlationId,
3359
3359
  recommendation: apiResponse.recommendation,
3360
3360
  recommendationReasons: apiResponse.recommendationReasons
@@ -3428,13 +3428,10 @@ async function verify(config, request) {
3428
3428
  };
3429
3429
  } else if (result.recommendation === "step_up_required") {
3430
3430
  result.requiresStepUp = true;
3431
- if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
3432
- result.accessLevel = "read-only";
3433
- }
3434
3431
  result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
3435
3432
  }
3436
3433
  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
3437
- cacheResult(request, result, mergedConfig.cacheTtl);
3434
+ cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
3438
3435
  }
3439
3436
  return result;
3440
3437
  }
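Review bot: The new `counterpartyId || ""` segment in getCacheKey (the `@@ -3105,6 +3097,14 @@` hunk) is joined with `|` directly between request-controlled strings — `request.currency` before it and `request.counterpartyUrl` after — so a caller who can place `|` in those fields can shift segments and make a request at one merchant collide with a differently-shaped request at another, the same cross-merchant class the comment describes, unless those fields are validated before reaching this code, which this diff does not show. An unambiguous encoding removes the delimiter problem without changing what is keyed: `return JSON.stringify([` … `]);` in place of `].join("|")`. Separately, the last hunk drops the read-only cap on `result.accessLevel` for `step_up_required`, so a step-up result now carries whatever accessLevel the backend returned and is still cached by the `recommendation !== "deny"` branch, for up to `DEFAULT_STEP_UP_TTL_SECONDS` (300 s) when no cacheTtl is configured; if the cap moved server-side that is fine, but any caller that still gates on accessLevel rather than `requiresStepUp` now receives more than 3.0.0 granted, so a one-line comment at that site recording where the cap is now enforced would help the next reader. Both getCacheKey and verify begin outside the hunks shown, and getCacheKey's body is split across three of them.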