@astrasyncai/verification-gateway 3.1.0 → 3.2.0
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +23 -61
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +23 -61
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +12 -7
- package/dist/adapters/mcp.d.ts +12 -7
- package/dist/adapters/mcp.js +38 -100
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +38 -100
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +20 -29
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +20 -29
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +50 -121
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +50 -121
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
- package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
|
@@ -3266,14 +3266,6 @@ function verifyLocal(evaluator, context) {
|
|
|
3266
3266
|
}
|
|
3267
3267
|
|
|
3268
3268
|
// src/access-levels.ts
|
|
3269
|
-
var ACCESS_LEVEL_HIERARCHY = {
|
|
3270
|
-
none: 0,
|
|
3271
|
-
restricted: 1,
|
|
3272
|
-
"read-only": 2,
|
|
3273
|
-
standard: 3,
|
|
3274
|
-
full: 4,
|
|
3275
|
-
internal: 5
|
|
3276
|
-
};
|
|
3277
3269
|
function getTrustLevel(score) {
|
|
3278
3270
|
if (score >= 80) return "PLATINUM";
|
|
3279
3271
|
if (score >= 60) return "GOLD";
|
|
@@ -3282,7 +3274,7 @@ function getTrustLevel(score) {
|
|
|
3282
3274
|
}
|
|
3283
3275
|
|
|
3284
3276
|
// src/version.ts
|
|
3285
|
-
var SDK_VERSION = "3.
|
|
3277
|
+
var SDK_VERSION = "3.2.0";
|
|
3286
3278
|
|
|
3287
3279
|
// src/well-known.ts
|
|
3288
3280
|
var CACHE_TTL_MS = 60 * 60 * 1e3;
|
|
@@ -3335,7 +3327,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
|
|
|
3335
3327
|
}
|
|
3336
3328
|
}
|
|
3337
3329
|
var verificationCache = /* @__PURE__ */ new Map();
|
|
3338
|
-
function getCacheKey(request) {
|
|
3330
|
+
function getCacheKey(request, counterpartyId) {
|
|
3339
3331
|
const c = request.credentials;
|
|
3340
3332
|
return [
|
|
3341
3333
|
c.astraId || "",
|
|
@@ -3348,6 +3340,14 @@ function getCacheKey(request) {
|
|
|
3348
3340
|
request.jurisdiction || "",
|
|
3349
3341
|
request.transactionValue ?? "",
|
|
3350
3342
|
request.currency || "",
|
|
3343
|
+
// SECURITY (cross-merchant cache leak): the merchant identity is sent via
|
|
3344
|
+
// `config.counterpartyId`, NOT on the request, so it was previously absent
|
|
3345
|
+
// from the key — two verifies for the SAME agent/purpose/action/value but
|
|
3346
|
+
// DIFFERENT merchants collided, and a grant at a permissive merchant (low
|
|
3347
|
+
// trust floor) was served for a stricter one. Same bug class as the
|
|
3348
|
+
// duration omission (F-A1-07). counterpartyId affects the backend verdict
|
|
3349
|
+
// (trust floor / per-route policy), so it MUST key the cache.
|
|
3350
|
+
counterpartyId || "",
|
|
3351
3351
|
request.counterpartyUrl || "",
|
|
3352
3352
|
request.counterpartyType || "",
|
|
3353
3353
|
request.isSubAgentRequest ? "1" : "0",
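Review bot: The key assembled here still joins unescaped values with `|`, so any caller-supplied field containing that character (for instance `request.currency`, `request.counterpartyUrl`, or the newly added `counterpartyId`) can shift a field boundary and alias a different entry in the process-wide `verificationCache`; serialising the array instead, `return JSON.stringify([` … `]);`, removes that ambiguity with no other change. The new comment also frames the key as covering every input that affects the backend verdict, but `verificationCache` is a single module-level Map (line 3329) while the key holds only request fields plus `counterpartyId`, so if `mergedConfig` carries other verdict-affecting settings (the `apiBaseUrl` handed to `performInitCheck`, or any per-tenant credential it may hold — not visible here) two gateway instances in one process with the same counterpartyId but different backends would still share entries; either fold those fields into the key or scope the cache per config instance. The `getCacheKey` signature and its closing `].join("|")` lie outside this hunk.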
|
|
@@ -3371,8 +3371,8 @@ function getCacheKey(request) {
|
|
|
3371
3371
|
request.callerMetadata?.agentCardUrl || ""
|
|
3372
3372
|
].join("|");
|
|
3373
3373
|
}
|
|
3374
|
-
function getCachedResult(request) {
|
|
3375
|
-
const key = getCacheKey(request);
|
|
3374
|
+
function getCachedResult(request, counterpartyId) {
|
|
3375
|
+
const key = getCacheKey(request, counterpartyId);
|
|
3376
3376
|
const cached = verificationCache.get(key);
|
|
3377
3377
|
if (cached && cached.expiresAt > Date.now()) {
|
|
3378
3378
|
return cached.result;
|
|
@@ -3384,9 +3384,9 @@ function getCachedResult(request) {
|
|
|
3384
3384
|
}
|
|
3385
3385
|
var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
|
|
3386
3386
|
var DEFAULT_STEP_UP_TTL_SECONDS = 300;
|
|
3387
|
-
function cacheResult(request, result, configuredTtl) {
|
|
3387
|
+
function cacheResult(request, result, configuredTtl, counterpartyId) {
|
|
3388
3388
|
const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
|
|
3389
|
-
const key = getCacheKey(request);
|
|
3389
|
+
const key = getCacheKey(request, counterpartyId);
|
|
3390
3390
|
verificationCache.set(key, {
|
|
3391
3391
|
result,
|
|
3392
3392
|
expiresAt: Date.now() + ttlSeconds * 1e3
|
|
@@ -3544,7 +3544,7 @@ async function verify(config, request) {
|
|
|
3544
3544
|
);
|
|
3545
3545
|
}
|
|
3546
3546
|
if (mergedConfig.cacheTtl !== 0) {
|
|
3547
|
-
const cached = getCachedResult(request);
|
|
3547
|
+
const cached = getCachedResult(request, mergedConfig.counterpartyId);
|
|
3548
3548
|
if (cached) {
|
|
3549
3549
|
if (mergedConfig.debug) {
|
|
3550
3550
|
console.log("[VerificationGateway] Returning cached result");
|
|
@@ -3596,8 +3596,8 @@ async function verify(config, request) {
|
|
|
3596
3596
|
verifiedAt: /* @__PURE__ */ new Date(),
|
|
3597
3597
|
// Extract sessionId so decisions can be recorded for denials too
|
|
3598
3598
|
sessionId: apiResponse.sessionId,
|
|
3599
|
-
//
|
|
3600
|
-
//
|
|
3599
|
+
// Anonymous traffic has no session → correlationId is the per-attempt
|
|
3600
|
+
// linking key (the sessionId-equivalent for anonymous callers).
|
|
3601
3601
|
correlationId: apiResponse.correlationId,
|
|
3602
3602
|
recommendation: apiResponse.recommendation,
|
|
3603
3603
|
recommendationReasons: apiResponse.recommendationReasons
|
|
@@ -3671,13 +3671,10 @@ async function verify(config, request) {
|
|
|
3671
3671
|
};
|
|
3672
3672
|
} else if (result.recommendation === "step_up_required") {
|
|
3673
3673
|
result.requiresStepUp = true;
|
|
3674
|
-
if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
|
|
3675
|
-
result.accessLevel = "read-only";
|
|
3676
|
-
}
|
|
3677
3674
|
result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
|
|
3678
3675
|
}
|
|
3679
3676
|
if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
|
|
3680
|
-
cacheResult(request, result, mergedConfig.cacheTtl);
|
|
3677
|
+
cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
|
|
3681
3678
|
}
|
|
3682
3679
|
return result;
|
|
3683
3680
|
}
|