@astrasyncai/verification-gateway 3.1.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +23 -61
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +23 -61
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +12 -7
- package/dist/adapters/mcp.d.ts +12 -7
- package/dist/adapters/mcp.js +38 -100
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +38 -100
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +20 -29
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +20 -29
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +50 -121
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +50 -121
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
- package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
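--- a/package/dist/adapters/nextjs.mjs
+++ b/package/dist/adapters/nextjs.mjs
@@ -1,24 +1,13 @@
 // src/access-levels.ts
-var ACCESS_LEVEL_HIERARCHY = {
-none: 0,
-restricted: 1,
-"read-only": 2,
-standard: 3,
-full: 4,
-internal: 5
-};
 function getTrustLevel(score) {
 if (score >= 80) return "PLATINUM";
 if (score >= 60) return "GOLD";
 if (score >= 40) return "SILVER";
 return "BRONZE";
 }
-function hasMinimumAccess(actual, required) {
-return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
-}
 
 // src/version.ts
-var SDK_VERSION = "3.
+var SDK_VERSION = "3.2.0";
 
 // src/well-known.ts
 var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -71,7 +60,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
 }
 }
 var verificationCache = /* @__PURE__ */ new Map();
-function getCacheKey(request) {
+function getCacheKey(request, counterpartyId) {
 const c = request.credentials;
 return [
 c.astraId || "",
@@ -84,6 +73,14 @@ function getCacheKey(request) {
 request.jurisdiction || "",
 request.transactionValue ?? "",
 request.currency || "",
+// SECURITY (cross-merchant cache leak): the merchant identity is sent via
+// `config.counterpartyId`, NOT on the request, so it was previously absent
+// from the key — two verifies for the SAME agent/purpose/action/value but
+// DIFFERENT merchants collided, and a grant at a permissive merchant (low
+// trust floor) was served for a stricter one. Same bug class as the
+// duration omission (F-A1-07). counterpartyId affects the backend verdict
+// (trust floor / per-route policy), so it MUST key the cache.
+counterpartyId || "",
 request.counterpartyUrl || "",
 request.counterpartyType || "",
 request.isSubAgentRequest ? "1" : "0",
@@ -107,8 +104,8 @@ function getCacheKey(request) {
 request.callerMetadata?.agentCardUrl || ""
 ].join("|");
 }
-function getCachedResult(request) {
-const key = getCacheKey(request);
+function getCachedResult(request, counterpartyId) {
+const key = getCacheKey(request, counterpartyId);
 const cached = verificationCache.get(key);
 if (cached && cached.expiresAt > Date.now()) {
 return cached.result;
@@ -120,9 +117,9 @@ function getCachedResult(request) {
 }
 var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
 var DEFAULT_STEP_UP_TTL_SECONDS = 300;
-function cacheResult(request, result, configuredTtl) {
+function cacheResult(request, result, configuredTtl, counterpartyId) {
 const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
-const key = getCacheKey(request);
+const key = getCacheKey(request, counterpartyId);
 verificationCache.set(key, {
 result,
 expiresAt: Date.now() + ttlSeconds * 1e3
@@ -280,7 +277,7 @@ async function verify(config, request) {
 );
 }
 if (mergedConfig.cacheTtl !== 0) {
-const cached = getCachedResult(request);
+const cached = getCachedResult(request, mergedConfig.counterpartyId);
 if (cached) {
 if (mergedConfig.debug) {
 console.log("[VerificationGateway] Returning cached result");
@@ -332,8 +329,8 @@ async function verify(config, request) {
 verifiedAt: /* @__PURE__ */ new Date(),
 // Extract sessionId so decisions can be recorded for denials too
 sessionId: apiResponse.sessionId,
-//
-//
+// Anonymous traffic has no session → correlationId is the per-attempt
+// linking key (the sessionId-equivalent for anonymous callers).
 correlationId: apiResponse.correlationId,
 recommendation: apiResponse.recommendation,
 recommendationReasons: apiResponse.recommendationReasons
@@ -407,13 +404,10 @@ async function verify(config, request) {
 };
 } else if (result.recommendation === "step_up_required") {
 result.requiresStepUp = true;
-if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
-result.accessLevel = "read-only";
-}
 result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
 }
 if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
-cacheResult(request, result, mergedConfig.cacheTtl);
+cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
 }
 return result;
 }
@@ -978,7 +972,7 @@ function createMiddleware(options) {
 agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
 }
 });
-if (!result.identityVerified || !result.policyAllowed
+if (!result.identityVerified || !result.policyAllowed) {
 if (pathname.startsWith("/api/")) {
 return NextResponse.json(
 {
@@ -986,10 +980,8 @@ function createMiddleware(options) {
 error: {
 // Round-18 G4: 401 → identity missing (re-auth); 403 → identity
 // OK, policy denied (update PDLSS / step up).
-code: !result.identityVerified ? "UNAUTHORIZED" : "
+code: !result.identityVerified ? "UNAUTHORIZED" : "POLICY_DENIED",
 message: result.denialReasons?.[0] || "Access denied",
-accessLevel: result.accessLevel,
-required: routeConfig.minAccessLevel,
 guidance: result.guidance
 }
 },
@@ -1017,7 +1009,6 @@ function createMiddleware(options) {
 response.headers.set("X-AstraSync-Access-Level", result.accessLevel);
 if (result.agent) {
 response.headers.set("X-AstraSync-Agent-Id", result.agent.astraId);
-response.headers.set("X-AstraSync-Trust-Score", result.agent.trustScore.toString());
 }
 return response;
 };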
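Review bot: The key produced at `].join("|")` in getCacheKey is still delimiter-ambiguous, and this commit widens what feeds it: a field value containing `|` shifts the field boundaries so two different tuples can yield one key, and at least `callerMetadata?.agentCardUrl` appears to be copied verbatim from the `x-astrasync-agent-card` request header in createMiddleware, so a caller controls part of the key text. That is the same collision class the commit fixes for `counterpartyId`, only input-driven rather than caused by an omitted field. Replacing the join with `return JSON.stringify([` … `]);` keeps every field and makes the encoding unambiguous; it is a two-line change to the `return [` opener and the `].join("|");` closer. Whether any other config-sourced input still shapes the backend verdict without keying the cache (the added comment mentions per-route policy, and the old side read `routeConfig.minAccessLevel`) I cannot tell from here, since getCacheKey's full field list and the cache's expiry handling start outside the hunks shown.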