@astrasyncai/verification-gateway 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +23 -61
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +23 -61
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +12 -7
  10. package/dist/adapters/mcp.d.ts +12 -7
  11. package/dist/adapters/mcp.js +38 -100
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +38 -100
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +20 -29
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +20 -29
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +25 -14
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +25 -14
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/browser/background.js +18 -21
  30. package/dist/browser/background.js.map +1 -1
  31. package/dist/browser/background.mjs +18 -21
  32. package/dist/browser/background.mjs.map +1 -1
  33. package/dist/browser/browser-adapter.d.mts +2 -2
  34. package/dist/browser/browser-adapter.d.ts +2 -2
  35. package/dist/cli/index.d.mts +2 -2
  36. package/dist/cli/index.d.ts +2 -2
  37. package/dist/cursor/cursor-adapter.d.mts +2 -2
  38. package/dist/cursor/cursor-adapter.d.ts +2 -2
  39. package/dist/cursor/extension.d.mts +2 -2
  40. package/dist/cursor/extension.d.ts +2 -2
  41. package/dist/cursor/extension.js +18 -21
  42. package/dist/cursor/extension.js.map +1 -1
  43. package/dist/cursor/extension.mjs +18 -21
  44. package/dist/cursor/extension.mjs.map +1 -1
  45. package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
  46. package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
  47. package/dist/gateway/gateway.d.mts +2 -2
  48. package/dist/gateway/gateway.d.ts +2 -2
  49. package/dist/gateway/gateway.js +18 -21
  50. package/dist/gateway/gateway.js.map +1 -1
  51. package/dist/gateway/gateway.mjs +18 -21
  52. package/dist/gateway/gateway.mjs.map +1 -1
  53. package/dist/git-trigger/git-hooks.d.mts +2 -2
  54. package/dist/git-trigger/git-hooks.d.ts +2 -2
  55. package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
  56. package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
  57. package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
  58. package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
  59. package/dist/index.d.mts +7 -7
  60. package/dist/index.d.ts +7 -7
  61. package/dist/index.js +50 -121
  62. package/dist/index.js.map +1 -1
  63. package/dist/index.mjs +50 -121
  64. package/dist/index.mjs.map +1 -1
  65. package/dist/local-evaluator/evaluator.d.mts +2 -2
  66. package/dist/local-evaluator/evaluator.d.ts +2 -2
  67. package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
  68. package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
  69. package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
  70. package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
  71. package/dist/transport/index.d.mts +2 -2
  72. package/dist/transport/index.d.ts +2 -2
  73. package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
  74. package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
  75. package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
  76. package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
  77. package/dist/ui/index.d.mts +1 -1
  78. package/dist/ui/index.d.ts +1 -1
  79. package/package.json +1 -1
@@ -1,6 +1,6 @@
1
1
  import { AstraSyncGateway } from '../gateway/gateway.mjs';
2
- import { A as AgentAction, I as InterceptResult, P as PDLSSContext, V as VerificationDecision } from '../types-CyFwZ_Yu.mjs';
3
- import '../types-Cuh7ELfr.mjs';
2
+ import { A as AgentAction, I as InterceptResult, P as PDLSSContext, V as VerificationDecision } from '../types-BNiLZY0i.mjs';
3
+ import '../types-rFh4VMH4.mjs';
4
4
 
5
5
  /**
6
6
  * PlatformAdapter Interface
@@ -1,6 +1,6 @@
1
1
  import { AstraSyncGateway } from '../gateway/gateway.js';
2
- import { A as AgentAction, I as InterceptResult, P as PDLSSContext, V as VerificationDecision } from '../types-WIRp_BP_.js';
3
- import '../types-Cuh7ELfr.js';
2
+ import { A as AgentAction, I as InterceptResult, P as PDLSSContext, V as VerificationDecision } from '../types-DJi-u3fz.js';
3
+ import '../types-rFh4VMH4.js';
4
4
 
5
5
  /**
6
6
  * PlatformAdapter Interface
@@ -1,3 +1,3 @@
1
1
  import 'express';
2
- import '../types-Cuh7ELfr.mjs';
3
- export { c as createMiddleware, a as extractAstraSyncCredentials } from '../express-DFVBlXr_.mjs';
2
+ import '../types-rFh4VMH4.mjs';
3
+ export { c as createMiddleware, a as extractAstraSyncCredentials } from '../express-CeoSdOAZ.mjs';
@@ -1,3 +1,3 @@
1
1
  import 'express';
2
- import '../types-Cuh7ELfr.js';
3
- export { c as createMiddleware, a as extractAstraSyncCredentials } from '../express-DavQ76oF.js';
2
+ import '../types-rFh4VMH4.js';
3
+ export { c as createMiddleware, a as extractAstraSyncCredentials } from '../express-BowlMHQF.js';
@@ -26,26 +26,15 @@ __export(express_exports, {
26
26
  module.exports = __toCommonJS(express_exports);
27
27
 
28
28
  // src/access-levels.ts
29
- var ACCESS_LEVEL_HIERARCHY = {
30
- none: 0,
31
- restricted: 1,
32
- "read-only": 2,
33
- standard: 3,
34
- full: 4,
35
- internal: 5
36
- };
37
29
  function getTrustLevel(score) {
38
30
  if (score >= 80) return "PLATINUM";
39
31
  if (score >= 60) return "GOLD";
40
32
  if (score >= 40) return "SILVER";
41
33
  return "BRONZE";
42
34
  }
43
- function hasMinimumAccess(actual, required) {
44
- return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
45
- }
46
35
 
47
36
  // src/version.ts
48
- var SDK_VERSION = "3.1.0";
37
+ var SDK_VERSION = "3.2.0";
49
38
 
50
39
  // src/well-known.ts
51
40
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -150,7 +139,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
150
139
  }
151
140
  }
152
141
  var verificationCache = /* @__PURE__ */ new Map();
153
- function getCacheKey(request) {
142
+ function getCacheKey(request, counterpartyId) {
154
143
  const c = request.credentials;
155
144
  return [
156
145
  c.astraId || "",
@@ -163,6 +152,14 @@ function getCacheKey(request) {
163
152
  request.jurisdiction || "",
164
153
  request.transactionValue ?? "",
165
154
  request.currency || "",
155
+ // SECURITY (cross-merchant cache leak): the merchant identity is sent via
156
+ // `config.counterpartyId`, NOT on the request, so it was previously absent
157
+ // from the key — two verifies for the SAME agent/purpose/action/value but
158
+ // DIFFERENT merchants collided, and a grant at a permissive merchant (low
159
+ // trust floor) was served for a stricter one. Same bug class as the
160
+ // duration omission (F-A1-07). counterpartyId affects the backend verdict
161
+ // (trust floor / per-route policy), so it MUST key the cache.
162
+ counterpartyId || "",
166
163
  request.counterpartyUrl || "",
167
164
  request.counterpartyType || "",
168
165
  request.isSubAgentRequest ? "1" : "0",
@@ -186,8 +183,8 @@ function getCacheKey(request) {
186
183
  request.callerMetadata?.agentCardUrl || ""
187
184
  ].join("|");
188
185
  }
189
- function getCachedResult(request) {
190
- const key = getCacheKey(request);
186
+ function getCachedResult(request, counterpartyId) {
187
+ const key = getCacheKey(request, counterpartyId);
191
188
  const cached = verificationCache.get(key);
192
189
  if (cached && cached.expiresAt > Date.now()) {
193
190
  return cached.result;
@@ -199,9 +196,9 @@ function getCachedResult(request) {
199
196
  }
200
197
  var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
201
198
  var DEFAULT_STEP_UP_TTL_SECONDS = 300;
202
- function cacheResult(request, result, configuredTtl) {
199
+ function cacheResult(request, result, configuredTtl, counterpartyId) {
203
200
  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
204
- const key = getCacheKey(request);
201
+ const key = getCacheKey(request, counterpartyId);
205
202
  verificationCache.set(key, {
206
203
  result,
207
204
  expiresAt: Date.now() + ttlSeconds * 1e3
@@ -393,7 +390,7 @@ async function verify(config, request) {
393
390
  );
394
391
  }
395
392
  if (mergedConfig.cacheTtl !== 0) {
396
- const cached = getCachedResult(request);
393
+ const cached = getCachedResult(request, mergedConfig.counterpartyId);
397
394
  if (cached) {
398
395
  if (mergedConfig.debug) {
399
396
  console.log("[VerificationGateway] Returning cached result");
@@ -445,8 +442,8 @@ async function verify(config, request) {
445
442
  verifiedAt: /* @__PURE__ */ new Date(),
446
443
  // Extract sessionId so decisions can be recorded for denials too
447
444
  sessionId: apiResponse.sessionId,
448
- // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
449
- // correlationId is the linking key for paired local_override events.
445
+ // Anonymous traffic has no session → correlationId is the per-attempt
446
+ // linking key (the sessionId-equivalent for anonymous callers).
450
447
  correlationId: apiResponse.correlationId,
451
448
  recommendation: apiResponse.recommendation,
452
449
  recommendationReasons: apiResponse.recommendationReasons
@@ -520,17 +517,14 @@ async function verify(config, request) {
520
517
  };
521
518
  } else if (result.recommendation === "step_up_required") {
522
519
  result.requiresStepUp = true;
523
- if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
524
- result.accessLevel = "read-only";
525
- }
526
520
  result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
527
521
  }
528
522
  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
529
- cacheResult(request, result, mergedConfig.cacheTtl);
523
+ cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
530
524
  }
531
525
  return result;
532
526
  }
533
- async function recordDecision(config, sessionId, decision, reason, override) {
527
+ async function recordDecision(config, sessionId, decision, reason) {
534
528
  const headers = { "Content-Type": "application/json" };
535
529
  if (config.apiKey) {
536
530
  headers["Authorization"] = `Bearer ${config.apiKey}`;
@@ -539,16 +533,7 @@ async function recordDecision(config, sessionId, decision, reason, override) {
539
533
  await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {
540
534
  method: "POST",
541
535
  headers,
542
- body: JSON.stringify({
543
- decision,
544
- reason,
545
- ...override && {
546
- overriddenBy: override.overriddenBy,
547
- toolName: override.toolName,
548
- requestedLevel: override.requestedLevel,
549
- grantedLevel: override.grantedLevel
550
- }
551
- })
536
+ body: JSON.stringify({ decision, reason })
552
537
  }).catch(() => {
553
538
  });
554
539
  }
@@ -1024,35 +1009,12 @@ function createMiddleware(options) {
1024
1009
  }
1025
1010
  return next();
1026
1011
  }
1027
- if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
1028
- const insufficientFailure = {
1029
- dimension: "access_level.insufficient",
1030
- message: `Endpoint requires accessLevel '${routeConfig.minAccessLevel}'; agent has '${result.accessLevel}'.`,
1031
- guidance: "Request elevated access via step-up verification (coming soon \u2014 ships this month). Step-up lets the agent owner approve a one-time elevation for this specific counterparty + purpose without changing the agent's baseline trust score."
1032
- };
1033
- result.failures = [...result.failures ?? [], insufficientFailure];
1034
- result.denialReasons = [...result.denialReasons ?? [], insufficientFailure.message];
1035
- if (!result.guidance && wellKnownUrls) {
1036
- result.guidance = {
1037
- message: insufficientFailure.message,
1038
- registrationUrl: wellKnownUrls.registrationUrl,
1039
- documentationUrl: wellKnownUrls.documentationUrl
1040
- };
1041
- }
1042
- if (shouldRecordDecisions && sessionId) {
1043
- recordDecision(config, sessionId, "denied", insufficientFailure.message).catch(() => {
1044
- });
1045
- }
1046
- dedupeFailures(result);
1047
- onDenied(result, req, res);
1048
- return;
1049
- }
1050
1012
  if (routeConfig.minTrustScore && result.agent) {
1051
1013
  if (result.agent.trustScore < routeConfig.minTrustScore) {
1052
1014
  const trustFailure = {
1053
- dimension: "access_level.insufficient",
1054
- message: `Trust score ${result.agent.trustScore} is below required ${routeConfig.minTrustScore} for this route.`,
1055
- guidance: "Request elevated access via step-up verification (coming soon \u2014 ships this month). Step-up lets the agent owner approve a one-time elevation for this specific counterparty + purpose without changing the agent's baseline trust score."
1015
+ dimension: "endpoint.trust",
1016
+ message: "Trust below the route requirement for this endpoint.",
1017
+ guidance: "Trust is below this route's floor. Trust is not overridable \u2014 the agent either meets the endpoint's trust policy or it doesn't. Raise the agent's trust via real signals (KYD, blockchain registration, agent-card), or have the operator lower the route's minTrustScore."
1056
1018
  };
1057
1019
  result.failures = [...result.failures ?? [], trustFailure];
1058
1020
  result.denialReasons = [trustFailure.message];