@astrasyncai/verification-gateway 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +23 -61
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +23 -61
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +12 -7
  10. package/dist/adapters/mcp.d.ts +12 -7
  11. package/dist/adapters/mcp.js +38 -100
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +38 -100
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +20 -29
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +20 -29
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +25 -14
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +25 -14
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/browser/background.js +18 -21
  30. package/dist/browser/background.js.map +1 -1
  31. package/dist/browser/background.mjs +18 -21
  32. package/dist/browser/background.mjs.map +1 -1
  33. package/dist/browser/browser-adapter.d.mts +2 -2
  34. package/dist/browser/browser-adapter.d.ts +2 -2
  35. package/dist/cli/index.d.mts +2 -2
  36. package/dist/cli/index.d.ts +2 -2
  37. package/dist/cursor/cursor-adapter.d.mts +2 -2
  38. package/dist/cursor/cursor-adapter.d.ts +2 -2
  39. package/dist/cursor/extension.d.mts +2 -2
  40. package/dist/cursor/extension.d.ts +2 -2
  41. package/dist/cursor/extension.js +18 -21
  42. package/dist/cursor/extension.js.map +1 -1
  43. package/dist/cursor/extension.mjs +18 -21
  44. package/dist/cursor/extension.mjs.map +1 -1
  45. package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
  46. package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
  47. package/dist/gateway/gateway.d.mts +2 -2
  48. package/dist/gateway/gateway.d.ts +2 -2
  49. package/dist/gateway/gateway.js +18 -21
  50. package/dist/gateway/gateway.js.map +1 -1
  51. package/dist/gateway/gateway.mjs +18 -21
  52. package/dist/gateway/gateway.mjs.map +1 -1
  53. package/dist/git-trigger/git-hooks.d.mts +2 -2
  54. package/dist/git-trigger/git-hooks.d.ts +2 -2
  55. package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
  56. package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
  57. package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
  58. package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
  59. package/dist/index.d.mts +7 -7
  60. package/dist/index.d.ts +7 -7
  61. package/dist/index.js +50 -121
  62. package/dist/index.js.map +1 -1
  63. package/dist/index.mjs +50 -121
  64. package/dist/index.mjs.map +1 -1
  65. package/dist/local-evaluator/evaluator.d.mts +2 -2
  66. package/dist/local-evaluator/evaluator.d.ts +2 -2
  67. package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
  68. package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
  69. package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
  70. package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
  71. package/dist/transport/index.d.mts +2 -2
  72. package/dist/transport/index.d.ts +2 -2
  73. package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
  74. package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
  75. package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
  76. package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
  77. package/dist/ui/index.d.mts +1 -1
  78. package/dist/ui/index.d.ts +1 -1
  79. package/package.json +1 -1
@@ -1,3 +1,3 @@
1
1
  import 'next/server';
2
- import '../types-Cuh7ELfr.mjs';
3
- export { c as createMatcherConfig, a as createMiddleware } from '../nextjs-D-maqrNz.mjs';
2
+ import '../types-rFh4VMH4.mjs';
3
+ export { c as createMatcherConfig, a as createMiddleware } from '../nextjs-BW1rzr1I.mjs';
@@ -1,3 +1,3 @@
1
1
  import 'next/server';
2
- import '../types-Cuh7ELfr.js';
3
- export { c as createMatcherConfig, a as createMiddleware } from '../nextjs-BXLH1hJj.js';
2
+ import '../types-rFh4VMH4.js';
3
+ export { c as createMatcherConfig, a as createMiddleware } from '../nextjs-V_K0qlAQ.js';
@@ -36,26 +36,15 @@ __export(nextjs_exports, {
36
36
  module.exports = __toCommonJS(nextjs_exports);
37
37
 
38
38
  // src/access-levels.ts
39
- var ACCESS_LEVEL_HIERARCHY = {
40
- none: 0,
41
- restricted: 1,
42
- "read-only": 2,
43
- standard: 3,
44
- full: 4,
45
- internal: 5
46
- };
47
39
  function getTrustLevel(score) {
48
40
  if (score >= 80) return "PLATINUM";
49
41
  if (score >= 60) return "GOLD";
50
42
  if (score >= 40) return "SILVER";
51
43
  return "BRONZE";
52
44
  }
53
- function hasMinimumAccess(actual, required) {
54
- return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
55
- }
56
45
 
57
46
  // src/version.ts
58
- var SDK_VERSION = "3.1.0";
47
+ var SDK_VERSION = "3.2.0";
59
48
 
60
49
  // src/well-known.ts
61
50
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -108,7 +97,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
108
97
  }
109
98
  }
110
99
  var verificationCache = /* @__PURE__ */ new Map();
111
- function getCacheKey(request) {
100
+ function getCacheKey(request, counterpartyId) {
112
101
  const c = request.credentials;
113
102
  return [
114
103
  c.astraId || "",
@@ -121,6 +110,14 @@ function getCacheKey(request) {
121
110
  request.jurisdiction || "",
122
111
  request.transactionValue ?? "",
123
112
  request.currency || "",
113
+ // SECURITY (cross-merchant cache leak): the merchant identity is sent via
114
+ // `config.counterpartyId`, NOT on the request, so it was previously absent
115
+ // from the key — two verifies for the SAME agent/purpose/action/value but
116
+ // DIFFERENT merchants collided, and a grant at a permissive merchant (low
117
+ // trust floor) was served for a stricter one. Same bug class as the
118
+ // duration omission (F-A1-07). counterpartyId affects the backend verdict
119
+ // (trust floor / per-route policy), so it MUST key the cache.
120
+ counterpartyId || "",
124
121
  request.counterpartyUrl || "",
125
122
  request.counterpartyType || "",
126
123
  request.isSubAgentRequest ? "1" : "0",
@@ -144,8 +141,8 @@ function getCacheKey(request) {
144
141
  request.callerMetadata?.agentCardUrl || ""
145
142
  ].join("|");
146
143
  }
147
- function getCachedResult(request) {
148
- const key = getCacheKey(request);
144
+ function getCachedResult(request, counterpartyId) {
145
+ const key = getCacheKey(request, counterpartyId);
149
146
  const cached = verificationCache.get(key);
150
147
  if (cached && cached.expiresAt > Date.now()) {
151
148
  return cached.result;
@@ -157,9 +154,9 @@ function getCachedResult(request) {
157
154
  }
158
155
  var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
159
156
  var DEFAULT_STEP_UP_TTL_SECONDS = 300;
160
- function cacheResult(request, result, configuredTtl) {
157
+ function cacheResult(request, result, configuredTtl, counterpartyId) {
161
158
  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
162
- const key = getCacheKey(request);
159
+ const key = getCacheKey(request, counterpartyId);
163
160
  verificationCache.set(key, {
164
161
  result,
165
162
  expiresAt: Date.now() + ttlSeconds * 1e3
@@ -317,7 +314,7 @@ async function verify(config, request) {
317
314
  );
318
315
  }
319
316
  if (mergedConfig.cacheTtl !== 0) {
320
- const cached = getCachedResult(request);
317
+ const cached = getCachedResult(request, mergedConfig.counterpartyId);
321
318
  if (cached) {
322
319
  if (mergedConfig.debug) {
323
320
  console.log("[VerificationGateway] Returning cached result");
@@ -369,8 +366,8 @@ async function verify(config, request) {
369
366
  verifiedAt: /* @__PURE__ */ new Date(),
370
367
  // Extract sessionId so decisions can be recorded for denials too
371
368
  sessionId: apiResponse.sessionId,
372
- // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
373
- // correlationId is the linking key for paired local_override events.
369
+ // Anonymous traffic has no session → correlationId is the per-attempt
370
+ // linking key (the sessionId-equivalent for anonymous callers).
374
371
  correlationId: apiResponse.correlationId,
375
372
  recommendation: apiResponse.recommendation,
376
373
  recommendationReasons: apiResponse.recommendationReasons
@@ -444,13 +441,10 @@ async function verify(config, request) {
444
441
  };
445
442
  } else if (result.recommendation === "step_up_required") {
446
443
  result.requiresStepUp = true;
447
- if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
448
- result.accessLevel = "read-only";
449
- }
450
444
  result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
451
445
  }
452
446
  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
453
- cacheResult(request, result, mergedConfig.cacheTtl);
447
+ cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
454
448
  }
455
449
  return result;
456
450
  }
@@ -1015,7 +1009,7 @@ function createMiddleware(options) {
1015
1009
  agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
1016
1010
  }
1017
1011
  });
1018
- if (!result.identityVerified || !result.policyAllowed || !hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
1012
+ if (!result.identityVerified || !result.policyAllowed) {
1019
1013
  if (pathname.startsWith("/api/")) {
1020
1014
  return NextResponse.json(
1021
1015
  {
@@ -1023,10 +1017,8 @@ function createMiddleware(options) {
1023
1017
  error: {
1024
1018
  // Round-18 G4: 401 → identity missing (re-auth); 403 → identity
1025
1019
  // OK, policy denied (update PDLSS / step up).
1026
- code: !result.identityVerified ? "UNAUTHORIZED" : "INSUFFICIENT_ACCESS",
1020
+ code: !result.identityVerified ? "UNAUTHORIZED" : "POLICY_DENIED",
1027
1021
  message: result.denialReasons?.[0] || "Access denied",
1028
- accessLevel: result.accessLevel,
1029
- required: routeConfig.minAccessLevel,
1030
1022
  guidance: result.guidance
1031
1023
  }
1032
1024
  },
@@ -1054,7 +1046,6 @@ function createMiddleware(options) {
1054
1046
  response.headers.set("X-AstraSync-Access-Level", result.accessLevel);
1055
1047
  if (result.agent) {
1056
1048
  response.headers.set("X-AstraSync-Agent-Id", result.agent.astraId);
1057
- response.headers.set("X-AstraSync-Trust-Score", result.agent.trustScore.toString());
1058
1049
  }
1059
1050
  return response;
1060
1051
  };