@astrasyncai/verification-gateway 3.1.0 → 3.2.0
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +23 -61
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +23 -61
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +12 -7
- package/dist/adapters/mcp.d.ts +12 -7
- package/dist/adapters/mcp.js +38 -100
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +38 -100
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +20 -29
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +20 -29
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +50 -121
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +50 -121
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
- package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { AstraSyncGateway } from '../gateway/gateway.mjs';
|
|
2
|
-
import { A as AgentAction, I as InterceptResult, P as PDLSSContext, V as VerificationDecision } from '../types-
|
|
3
|
-
import '../types-
|
|
2
|
+
import { A as AgentAction, I as InterceptResult, P as PDLSSContext, V as VerificationDecision } from '../types-BNiLZY0i.mjs';
|
|
3
|
+
import '../types-rFh4VMH4.mjs';
|
|
4
4
|
|
|
5
5
|
/**
|
|
6
6
|
* PlatformAdapter Interface
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { AstraSyncGateway } from '../gateway/gateway.js';
|
|
2
|
-
import { A as AgentAction, I as InterceptResult, P as PDLSSContext, V as VerificationDecision } from '../types-
|
|
3
|
-
import '../types-
|
|
2
|
+
import { A as AgentAction, I as InterceptResult, P as PDLSSContext, V as VerificationDecision } from '../types-DJi-u3fz.js';
|
|
3
|
+
import '../types-rFh4VMH4.js';
|
|
4
4
|
|
|
5
5
|
/**
|
|
6
6
|
* PlatformAdapter Interface
|
|
@@ -1,3 +1,3 @@
|
|
|
1
1
|
import 'express';
|
|
2
|
-
import '../types-
|
|
3
|
-
export { c as createMiddleware, a as extractAstraSyncCredentials } from '../express-
|
|
2
|
+
import '../types-rFh4VMH4.mjs';
|
|
3
|
+
export { c as createMiddleware, a as extractAstraSyncCredentials } from '../express-CeoSdOAZ.mjs';
|
|
@@ -1,3 +1,3 @@
|
|
|
1
1
|
import 'express';
|
|
2
|
-
import '../types-
|
|
3
|
-
export { c as createMiddleware, a as extractAstraSyncCredentials } from '../express-
|
|
2
|
+
import '../types-rFh4VMH4.js';
|
|
3
|
+
export { c as createMiddleware, a as extractAstraSyncCredentials } from '../express-BowlMHQF.js';
|
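--- a/package/dist/adapters/express.js
+++ b/package/dist/adapters/express.js
@@ -26,26 +26,15 @@ __export(express_exports, {
 module.exports = __toCommonJS(express_exports);
 
 // src/access-levels.ts
-var ACCESS_LEVEL_HIERARCHY = {
-none: 0,
-restricted: 1,
-"read-only": 2,
-standard: 3,
-full: 4,
-internal: 5
-};
 function getTrustLevel(score) {
 if (score >= 80) return "PLATINUM";
 if (score >= 60) return "GOLD";
 if (score >= 40) return "SILVER";
 return "BRONZE";
 }
-function hasMinimumAccess(actual, required) {
-return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
-}
 
 // src/version.ts
-var SDK_VERSION = "3.
+var SDK_VERSION = "3.2.0";
 
 // src/well-known.ts
 var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -150,7 +139,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
 }
 }
 var verificationCache = /* @__PURE__ */ new Map();
-function getCacheKey(request) {
+function getCacheKey(request, counterpartyId) {
 const c = request.credentials;
 return [
 c.astraId || "",
@@ -163,6 +152,14 @@ function getCacheKey(request) {
 request.jurisdiction || "",
 request.transactionValue ?? "",
 request.currency || "",
+// SECURITY (cross-merchant cache leak): the merchant identity is sent via
+// `config.counterpartyId`, NOT on the request, so it was previously absent
+// from the key — two verifies for the SAME agent/purpose/action/value but
+// DIFFERENT merchants collided, and a grant at a permissive merchant (low
+// trust floor) was served for a stricter one. Same bug class as the
+// duration omission (F-A1-07). counterpartyId affects the backend verdict
+// (trust floor / per-route policy), so it MUST key the cache.
+counterpartyId || "",
 request.counterpartyUrl || "",
 request.counterpartyType || "",
 request.isSubAgentRequest ? "1" : "0",
@@ -186,8 +183,8 @@ function getCacheKey(request) {
 request.callerMetadata?.agentCardUrl || ""
 ].join("|");
 }
-function getCachedResult(request) {
-const key = getCacheKey(request);
+function getCachedResult(request, counterpartyId) {
+const key = getCacheKey(request, counterpartyId);
 const cached = verificationCache.get(key);
 if (cached && cached.expiresAt > Date.now()) {
 return cached.result;
@@ -199,9 +196,9 @@ function getCachedResult(request) {
 }
 var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
 var DEFAULT_STEP_UP_TTL_SECONDS = 300;
-function cacheResult(request, result, configuredTtl) {
+function cacheResult(request, result, configuredTtl, counterpartyId) {
 const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
-const key = getCacheKey(request);
+const key = getCacheKey(request, counterpartyId);
 verificationCache.set(key, {
 result,
 expiresAt: Date.now() + ttlSeconds * 1e3
@@ -393,7 +390,7 @@ async function verify(config, request) {
 );
 }
 if (mergedConfig.cacheTtl !== 0) {
-const cached = getCachedResult(request);
+const cached = getCachedResult(request, mergedConfig.counterpartyId);
 if (cached) {
 if (mergedConfig.debug) {
 console.log("[VerificationGateway] Returning cached result");
@@ -445,8 +442,8 @@ async function verify(config, request) {
 verifiedAt: /* @__PURE__ */ new Date(),
 // Extract sessionId so decisions can be recorded for denials too
 sessionId: apiResponse.sessionId,
-//
-//
+// Anonymous traffic has no session → correlationId is the per-attempt
+// linking key (the sessionId-equivalent for anonymous callers).
 correlationId: apiResponse.correlationId,
 recommendation: apiResponse.recommendation,
 recommendationReasons: apiResponse.recommendationReasons
@@ -520,17 +517,14 @@ async function verify(config, request) {
 };
 } else if (result.recommendation === "step_up_required") {
 result.requiresStepUp = true;
-if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
-result.accessLevel = "read-only";
-}
 result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
 }
 if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
-cacheResult(request, result, mergedConfig.cacheTtl);
+cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
 }
 return result;
 }
-async function recordDecision(config, sessionId, decision, reason
+async function recordDecision(config, sessionId, decision, reason) {
 const headers = { "Content-Type": "application/json" };
 if (config.apiKey) {
 headers["Authorization"] = `Bearer ${config.apiKey}`;
@@ -539,16 +533,7 @@ async function recordDecision(config, sessionId, decision, reason, override) {
 await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {
 method: "POST",
 headers,
-body: JSON.stringify({
-decision,
-reason,
-...override && {
-overriddenBy: override.overriddenBy,
-toolName: override.toolName,
-requestedLevel: override.requestedLevel,
-grantedLevel: override.grantedLevel
-}
-})
+body: JSON.stringify({ decision, reason })
 }).catch(() => {
 });
 }
@@ -1024,35 +1009,12 @@ function createMiddleware(options) {
 }
 return next();
 }
-if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
-const insufficientFailure = {
-dimension: "access_level.insufficient",
-message: `Endpoint requires accessLevel '${routeConfig.minAccessLevel}'; agent has '${result.accessLevel}'.`,
-guidance: "Request elevated access via step-up verification (coming soon \u2014 ships this month). Step-up lets the agent owner approve a one-time elevation for this specific counterparty + purpose without changing the agent's baseline trust score."
-};
-result.failures = [...result.failures ?? [], insufficientFailure];
-result.denialReasons = [...result.denialReasons ?? [], insufficientFailure.message];
-if (!result.guidance && wellKnownUrls) {
-result.guidance = {
-message: insufficientFailure.message,
-registrationUrl: wellKnownUrls.registrationUrl,
-documentationUrl: wellKnownUrls.documentationUrl
-};
-}
-if (shouldRecordDecisions && sessionId) {
-recordDecision(config, sessionId, "denied", insufficientFailure.message).catch(() => {
-});
-}
-dedupeFailures(result);
-onDenied(result, req, res);
-return;
-}
 if (routeConfig.minTrustScore && result.agent) {
 if (result.agent.trustScore < routeConfig.minTrustScore) {
 const trustFailure = {
-dimension: "
-message:
-guidance: "
+dimension: "endpoint.trust",
+message: "Trust below the route requirement for this endpoint.",
+guidance: "Trust is below this route's floor. Trust is not overridable \u2014 the agent either meets the endpoint's trust policy or it doesn't. Raise the agent's trust via real signals (KYD, blockchain registration, agent-card), or have the operator lower the route's minTrustScore."
 };
 result.failures = [...result.failures ?? [], trustFailure];
 result.denialReasons = [trustFailure.message];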
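Review bot: The key in getCacheKey is still assembled with `].join("|")` over unescaped values, so the cross-merchant fix covers the missing field but not delimiter ambiguity: two different field tuples serialise to the same string whenever a value contains `|` (`["a|b", "c"]` and `["a", "b|c"]` both join to `a|b|c`). Several of the joined values come from the request (`counterpartyUrl`, `callerMetadata.agentCardUrl`) and no validation of them is visible in these hunks, so I would encode the tuple unambiguously, e.g. `return JSON.stringify([ /* same fields */ ]);`. Separately, the createMiddleware hunk removes the `routeConfig.minAccessLevel` gate with no replacement visible; if callers can still pass that option, routes relying on it now fail open after a minor-version upgrade, so a setup-time warning or error would be worth adding. Both functions extend beyond the hunks shown, so either point may already be handled outside this view.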