@astrasyncai/verification-gateway 3.1.0 → 3.2.0
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +23 -61
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +23 -61
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +12 -7
- package/dist/adapters/mcp.d.ts +12 -7
- package/dist/adapters/mcp.js +38 -100
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +38 -100
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +20 -29
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +20 -29
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +50 -121
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +50 -121
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
- package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { RequestHandler, Request } from 'express';
|
|
2
|
-
import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-
|
|
2
|
+
import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-rFh4VMH4.js';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* AstraSync Universal Verification Gateway - Express Middleware
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { RequestHandler, Request } from 'express';
|
|
2
|
-
import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-
|
|
2
|
+
import { i as VerificationResult, d as ExpressMiddlewareOptions, b as AstraSyncCredentials } from './types-rFh4VMH4.mjs';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* AstraSync Universal Verification Gateway - Express Middleware
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-
|
|
2
|
-
import '../types-
|
|
1
|
+
import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-BNiLZY0i.mjs';
|
|
2
|
+
import '../types-rFh4VMH4.mjs';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* AstraSyncGateway — Primary API surface for agent verification.
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-
|
|
2
|
-
import '../types-
|
|
1
|
+
import { a as AstraSyncGatewayConfig, P as PDLSSContext, V as VerificationDecision } from '../types-DJi-u3fz.js';
|
|
2
|
+
import '../types-rFh4VMH4.js';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* AstraSyncGateway — Primary API surface for agent verification.
|
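--- a/package/dist/gateway/gateway.js
+++ b/package/dist/gateway/gateway.js
@@ -3049,14 +3049,6 @@ function verifyLocal(evaluator, context) {
 }
 
 // src/access-levels.ts
-var ACCESS_LEVEL_HIERARCHY = {
-none: 0,
-restricted: 1,
-"read-only": 2,
-standard: 3,
-full: 4,
-internal: 5
-};
 function getTrustLevel(score) {
 if (score >= 80) return "PLATINUM";
 if (score >= 60) return "GOLD";
@@ -3065,7 +3057,7 @@ function getTrustLevel(score) {
 }
 
 // src/version.ts
-var SDK_VERSION = "3.
+var SDK_VERSION = "3.2.0";
 
 // src/well-known.ts
 var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3118,7 +3110,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
 }
 }
 var verificationCache = /* @__PURE__ */ new Map();
-function getCacheKey(request) {
+function getCacheKey(request, counterpartyId) {
 const c = request.credentials;
 return [
 c.astraId || "",
@@ -3131,6 +3123,14 @@ function getCacheKey(request) {
 request.jurisdiction || "",
 request.transactionValue ?? "",
 request.currency || "",
+// SECURITY (cross-merchant cache leak): the merchant identity is sent via
+// `config.counterpartyId`, NOT on the request, so it was previously absent
+// from the key — two verifies for the SAME agent/purpose/action/value but
+// DIFFERENT merchants collided, and a grant at a permissive merchant (low
+// trust floor) was served for a stricter one. Same bug class as the
+// duration omission (F-A1-07). counterpartyId affects the backend verdict
+// (trust floor / per-route policy), so it MUST key the cache.
+counterpartyId || "",
 request.counterpartyUrl || "",
 request.counterpartyType || "",
 request.isSubAgentRequest ? "1" : "0",
@@ -3154,8 +3154,8 @@ function getCacheKey(request) {
 request.callerMetadata?.agentCardUrl || ""
 ].join("|");
 }
-function getCachedResult(request) {
-const key = getCacheKey(request);
+function getCachedResult(request, counterpartyId) {
+const key = getCacheKey(request, counterpartyId);
 const cached = verificationCache.get(key);
 if (cached && cached.expiresAt > Date.now()) {
 return cached.result;
@@ -3167,9 +3167,9 @@ function getCachedResult(request) {
 }
 var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
 var DEFAULT_STEP_UP_TTL_SECONDS = 300;
-function cacheResult(request, result, configuredTtl) {
+function cacheResult(request, result, configuredTtl, counterpartyId) {
 const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
-const key = getCacheKey(request);
+const key = getCacheKey(request, counterpartyId);
 verificationCache.set(key, {
 result,
 expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3327,7 +3327,7 @@ async function verify(config, request) {
 );
 }
 if (mergedConfig.cacheTtl !== 0) {
-const cached = getCachedResult(request);
+const cached = getCachedResult(request, mergedConfig.counterpartyId);
 if (cached) {
 if (mergedConfig.debug) {
 console.log("[VerificationGateway] Returning cached result");
@@ -3379,8 +3379,8 @@ async function verify(config, request) {
 verifiedAt: /* @__PURE__ */ new Date(),
 // Extract sessionId so decisions can be recorded for denials too
 sessionId: apiResponse.sessionId,
-//
-//
+// Anonymous traffic has no session → correlationId is the per-attempt
+// linking key (the sessionId-equivalent for anonymous callers).
 correlationId: apiResponse.correlationId,
 recommendation: apiResponse.recommendation,
 recommendationReasons: apiResponse.recommendationReasons
@@ -3454,13 +3454,10 @@ async function verify(config, request) {
 };
 } else if (result.recommendation === "step_up_required") {
 result.requiresStepUp = true;
-if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
-result.accessLevel = "read-only";
-}
 result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
 }
 if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
-cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
+cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
 }
 return result;
 }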
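Review bot: In the `step_up_required` branch of `verify` (new lines 3455-3457) the result now keeps whatever `accessLevel` the backend returned, because the clamp to `"read-only"` is removed together with `ACCESS_LEVEL_HIERARCHY` and no added line in this file replaces it. A caller that authorizes on `result.accessLevel` without also checking `result.requiresStepUp` would honor the higher level before step-up completes, and since the cache guard just below only excludes `"deny"`, that unclamped result appears to be served from cache for `DEFAULT_STEP_UP_TTL_SECONDS` (300 s) when no `cacheTtl` is configured. The adapters are not visible in this section, so whether every one of them gates on `requiresStepUp` needs confirming. If the removal is intentional, state the contract at the branch, e.g. `// accessLevel is no longer clamped on step-up; callers MUST check requiresStepUp before honoring it`. `verify` starts outside these hunks.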