@astrasyncai/verification-gateway 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +23 -61
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +23 -61
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +12 -7
  10. package/dist/adapters/mcp.d.ts +12 -7
  11. package/dist/adapters/mcp.js +38 -100
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +38 -100
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +20 -29
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +20 -29
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +25 -14
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +25 -14
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/browser/background.js +18 -21
  30. package/dist/browser/background.js.map +1 -1
  31. package/dist/browser/background.mjs +18 -21
  32. package/dist/browser/background.mjs.map +1 -1
  33. package/dist/browser/browser-adapter.d.mts +2 -2
  34. package/dist/browser/browser-adapter.d.ts +2 -2
  35. package/dist/cli/index.d.mts +2 -2
  36. package/dist/cli/index.d.ts +2 -2
  37. package/dist/cursor/cursor-adapter.d.mts +2 -2
  38. package/dist/cursor/cursor-adapter.d.ts +2 -2
  39. package/dist/cursor/extension.d.mts +2 -2
  40. package/dist/cursor/extension.d.ts +2 -2
  41. package/dist/cursor/extension.js +18 -21
  42. package/dist/cursor/extension.js.map +1 -1
  43. package/dist/cursor/extension.mjs +18 -21
  44. package/dist/cursor/extension.mjs.map +1 -1
  45. package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
  46. package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
  47. package/dist/gateway/gateway.d.mts +2 -2
  48. package/dist/gateway/gateway.d.ts +2 -2
  49. package/dist/gateway/gateway.js +18 -21
  50. package/dist/gateway/gateway.js.map +1 -1
  51. package/dist/gateway/gateway.mjs +18 -21
  52. package/dist/gateway/gateway.mjs.map +1 -1
  53. package/dist/git-trigger/git-hooks.d.mts +2 -2
  54. package/dist/git-trigger/git-hooks.d.ts +2 -2
  55. package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
  56. package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
  57. package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
  58. package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
  59. package/dist/index.d.mts +7 -7
  60. package/dist/index.d.ts +7 -7
  61. package/dist/index.js +50 -121
  62. package/dist/index.js.map +1 -1
  63. package/dist/index.mjs +50 -121
  64. package/dist/index.mjs.map +1 -1
  65. package/dist/local-evaluator/evaluator.d.mts +2 -2
  66. package/dist/local-evaluator/evaluator.d.ts +2 -2
  67. package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
  68. package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
  69. package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
  70. package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
  71. package/dist/transport/index.d.mts +2 -2
  72. package/dist/transport/index.d.ts +2 -2
  73. package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
  74. package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
  75. package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
  76. package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
  77. package/dist/ui/index.d.mts +1 -1
  78. package/dist/ui/index.d.ts +1 -1
  79. package/package.json +1 -1
@@ -3266,14 +3266,6 @@ function verifyLocal(evaluator, context) {
3266
3266
  }
3267
3267
 
3268
3268
  // src/access-levels.ts
3269
- var ACCESS_LEVEL_HIERARCHY = {
3270
- none: 0,
3271
- restricted: 1,
3272
- "read-only": 2,
3273
- standard: 3,
3274
- full: 4,
3275
- internal: 5
3276
- };
3277
3269
  function getTrustLevel(score) {
3278
3270
  if (score >= 80) return "PLATINUM";
3279
3271
  if (score >= 60) return "GOLD";
@@ -3282,7 +3274,7 @@ function getTrustLevel(score) {
3282
3274
  }
3283
3275
 
3284
3276
  // src/version.ts
3285
- var SDK_VERSION = "3.1.0";
3277
+ var SDK_VERSION = "3.2.0";
3286
3278
 
3287
3279
  // src/well-known.ts
3288
3280
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3335,7 +3327,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
3335
3327
  }
3336
3328
  }
3337
3329
  var verificationCache = /* @__PURE__ */ new Map();
3338
- function getCacheKey(request) {
3330
+ function getCacheKey(request, counterpartyId) {
3339
3331
  const c = request.credentials;
3340
3332
  return [
3341
3333
  c.astraId || "",
@@ -3348,6 +3340,14 @@ function getCacheKey(request) {
3348
3340
  request.jurisdiction || "",
3349
3341
  request.transactionValue ?? "",
3350
3342
  request.currency || "",
3343
+ // SECURITY (cross-merchant cache leak): the merchant identity is sent via
3344
+ // `config.counterpartyId`, NOT on the request, so it was previously absent
3345
+ // from the key — two verifies for the SAME agent/purpose/action/value but
3346
+ // DIFFERENT merchants collided, and a grant at a permissive merchant (low
3347
+ // trust floor) was served for a stricter one. Same bug class as the
3348
+ // duration omission (F-A1-07). counterpartyId affects the backend verdict
3349
+ // (trust floor / per-route policy), so it MUST key the cache.
3350
+ counterpartyId || "",
3351
3351
  request.counterpartyUrl || "",
3352
3352
  request.counterpartyType || "",
3353
3353
  request.isSubAgentRequest ? "1" : "0",
@@ -3371,8 +3371,8 @@ function getCacheKey(request) {
3371
3371
  request.callerMetadata?.agentCardUrl || ""
3372
3372
  ].join("|");
3373
3373
  }
3374
- function getCachedResult(request) {
3375
- const key = getCacheKey(request);
3374
+ function getCachedResult(request, counterpartyId) {
3375
+ const key = getCacheKey(request, counterpartyId);
3376
3376
  const cached = verificationCache.get(key);
3377
3377
  if (cached && cached.expiresAt > Date.now()) {
3378
3378
  return cached.result;
@@ -3384,9 +3384,9 @@ function getCachedResult(request) {
3384
3384
  }
3385
3385
  var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
3386
3386
  var DEFAULT_STEP_UP_TTL_SECONDS = 300;
3387
- function cacheResult(request, result, configuredTtl) {
3387
+ function cacheResult(request, result, configuredTtl, counterpartyId) {
3388
3388
  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
3389
- const key = getCacheKey(request);
3389
+ const key = getCacheKey(request, counterpartyId);
3390
3390
  verificationCache.set(key, {
3391
3391
  result,
3392
3392
  expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3544,7 +3544,7 @@ async function verify(config, request) {
3544
3544
  );
3545
3545
  }
3546
3546
  if (mergedConfig.cacheTtl !== 0) {
3547
- const cached = getCachedResult(request);
3547
+ const cached = getCachedResult(request, mergedConfig.counterpartyId);
3548
3548
  if (cached) {
3549
3549
  if (mergedConfig.debug) {
3550
3550
  console.log("[VerificationGateway] Returning cached result");
@@ -3596,8 +3596,8 @@ async function verify(config, request) {
3596
3596
  verifiedAt: /* @__PURE__ */ new Date(),
3597
3597
  // Extract sessionId so decisions can be recorded for denials too
3598
3598
  sessionId: apiResponse.sessionId,
3599
- // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
3600
- // correlationId is the linking key for paired local_override events.
3599
+ // Anonymous traffic has no session → correlationId is the per-attempt
3600
+ // linking key (the sessionId-equivalent for anonymous callers).
3601
3601
  correlationId: apiResponse.correlationId,
3602
3602
  recommendation: apiResponse.recommendation,
3603
3603
  recommendationReasons: apiResponse.recommendationReasons
@@ -3671,13 +3671,10 @@ async function verify(config, request) {
3671
3671
  };
3672
3672
  } else if (result.recommendation === "step_up_required") {
3673
3673
  result.requiresStepUp = true;
3674
- if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
3675
- result.accessLevel = "read-only";
3676
- }
3677
3674
  result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
3678
3675
  }
3679
3676
  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
3680
- cacheResult(request, result, mergedConfig.cacheTtl);
3677
+ cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
3681
3678
  }
3682
3679
  return result;
3683
3680
  }