@astrasyncai/verification-gateway 3.1.0 → 3.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +46 -61
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +46 -61
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +12 -7
- package/dist/adapters/mcp.d.ts +12 -7
- package/dist/adapters/mcp.js +60 -99
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +60 -99
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +37 -30
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +37 -30
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +87 -122
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +87 -122
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
- package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
package/dist/adapters/nextjs.mjs
CHANGED
|
@@ -1,24 +1,13 @@
|
|
|
1
1
|
// src/access-levels.ts
|
|
2
|
-
var ACCESS_LEVEL_HIERARCHY = {
|
|
3
|
-
none: 0,
|
|
4
|
-
restricted: 1,
|
|
5
|
-
"read-only": 2,
|
|
6
|
-
standard: 3,
|
|
7
|
-
full: 4,
|
|
8
|
-
internal: 5
|
|
9
|
-
};
|
|
10
2
|
function getTrustLevel(score) {
|
|
11
3
|
if (score >= 80) return "PLATINUM";
|
|
12
4
|
if (score >= 60) return "GOLD";
|
|
13
5
|
if (score >= 40) return "SILVER";
|
|
14
6
|
return "BRONZE";
|
|
15
7
|
}
|
|
16
|
-
function hasMinimumAccess(actual, required) {
|
|
17
|
-
return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
|
|
18
|
-
}
|
|
19
8
|
|
|
20
9
|
// src/version.ts
|
|
21
|
-
var SDK_VERSION = "3.1
|
|
10
|
+
var SDK_VERSION = "3.2.1";
|
|
22
11
|
|
|
23
12
|
// src/well-known.ts
|
|
24
13
|
var CACHE_TTL_MS = 60 * 60 * 1e3;
|
|
@@ -71,7 +60,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
|
|
|
71
60
|
}
|
|
72
61
|
}
|
|
73
62
|
var verificationCache = /* @__PURE__ */ new Map();
|
|
74
|
-
function getCacheKey(request) {
|
|
63
|
+
function getCacheKey(request, counterpartyId) {
|
|
75
64
|
const c = request.credentials;
|
|
76
65
|
return [
|
|
77
66
|
c.astraId || "",
|
|
@@ -84,6 +73,14 @@ function getCacheKey(request) {
|
|
|
84
73
|
request.jurisdiction || "",
|
|
85
74
|
request.transactionValue ?? "",
|
|
86
75
|
request.currency || "",
|
|
76
|
+
// SECURITY (cross-merchant cache leak): the merchant identity is sent via
|
|
77
|
+
// `config.counterpartyId`, NOT on the request, so it was previously absent
|
|
78
|
+
// from the key — two verifies for the SAME agent/purpose/action/value but
|
|
79
|
+
// DIFFERENT merchants collided, and a grant at a permissive merchant (low
|
|
80
|
+
// trust floor) was served for a stricter one. Same bug class as the
|
|
81
|
+
// duration omission (F-A1-07). counterpartyId affects the backend verdict
|
|
82
|
+
// (trust floor / per-route policy), so it MUST key the cache.
|
|
83
|
+
counterpartyId || "",
|
|
87
84
|
request.counterpartyUrl || "",
|
|
88
85
|
request.counterpartyType || "",
|
|
89
86
|
request.isSubAgentRequest ? "1" : "0",
|
|
@@ -107,8 +104,8 @@ function getCacheKey(request) {
|
|
|
107
104
|
request.callerMetadata?.agentCardUrl || ""
|
|
108
105
|
].join("|");
|
|
109
106
|
}
|
|
110
|
-
function getCachedResult(request) {
|
|
111
|
-
const key = getCacheKey(request);
|
|
107
|
+
function getCachedResult(request, counterpartyId) {
|
|
108
|
+
const key = getCacheKey(request, counterpartyId);
|
|
112
109
|
const cached = verificationCache.get(key);
|
|
113
110
|
if (cached && cached.expiresAt > Date.now()) {
|
|
114
111
|
return cached.result;
|
|
@@ -120,9 +117,9 @@ function getCachedResult(request) {
|
|
|
120
117
|
}
|
|
121
118
|
var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
|
|
122
119
|
var DEFAULT_STEP_UP_TTL_SECONDS = 300;
|
|
123
|
-
function cacheResult(request, result, configuredTtl) {
|
|
120
|
+
function cacheResult(request, result, configuredTtl, counterpartyId) {
|
|
124
121
|
const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
|
|
125
|
-
const key = getCacheKey(request);
|
|
122
|
+
const key = getCacheKey(request, counterpartyId);
|
|
126
123
|
verificationCache.set(key, {
|
|
127
124
|
result,
|
|
128
125
|
expiresAt: Date.now() + ttlSeconds * 1e3
|
|
@@ -280,7 +277,7 @@ async function verify(config, request) {
|
|
|
280
277
|
);
|
|
281
278
|
}
|
|
282
279
|
if (mergedConfig.cacheTtl !== 0) {
|
|
283
|
-
const cached = getCachedResult(request);
|
|
280
|
+
const cached = getCachedResult(request, mergedConfig.counterpartyId);
|
|
284
281
|
if (cached) {
|
|
285
282
|
if (mergedConfig.debug) {
|
|
286
283
|
console.log("[VerificationGateway] Returning cached result");
|
|
@@ -332,8 +329,8 @@ async function verify(config, request) {
|
|
|
332
329
|
verifiedAt: /* @__PURE__ */ new Date(),
|
|
333
330
|
// Extract sessionId so decisions can be recorded for denials too
|
|
334
331
|
sessionId: apiResponse.sessionId,
|
|
335
|
-
//
|
|
336
|
-
//
|
|
332
|
+
// Anonymous traffic has no session → correlationId is the per-attempt
|
|
333
|
+
// linking key (the sessionId-equivalent for anonymous callers).
|
|
337
334
|
correlationId: apiResponse.correlationId,
|
|
338
335
|
recommendation: apiResponse.recommendation,
|
|
339
336
|
recommendationReasons: apiResponse.recommendationReasons
|
|
@@ -407,13 +404,10 @@ async function verify(config, request) {
|
|
|
407
404
|
};
|
|
408
405
|
} else if (result.recommendation === "step_up_required") {
|
|
409
406
|
result.requiresStepUp = true;
|
|
410
|
-
if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
|
|
411
|
-
result.accessLevel = "read-only";
|
|
412
|
-
}
|
|
413
407
|
result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
|
|
414
408
|
}
|
|
415
409
|
if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
|
|
416
|
-
cacheResult(request, result, mergedConfig.cacheTtl);
|
|
410
|
+
cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
|
|
417
411
|
}
|
|
418
412
|
return result;
|
|
419
413
|
}
|
|
@@ -619,6 +613,19 @@ function resolveHttpPdlss(input) {
|
|
|
619
613
|
return { purpose, action, purposeSource, actionSource };
|
|
620
614
|
}
|
|
621
615
|
|
|
616
|
+
// src/adapters/approval-gate.ts
|
|
617
|
+
var APPROVAL_REASON = "Transaction is above the autonomous limit and requires human approval, which is not yet available \u2014 it cannot be completed automatically.";
|
|
618
|
+
function requiresHumanApproval(result) {
|
|
619
|
+
return result.requiresStepUp === true || result.requiresApproval === true;
|
|
620
|
+
}
|
|
621
|
+
function annotateApprovalRequired(result) {
|
|
622
|
+
result.failures = [
|
|
623
|
+
...result.failures ?? [],
|
|
624
|
+
{ dimension: "commerce.intent.approval_required", message: APPROVAL_REASON }
|
|
625
|
+
];
|
|
626
|
+
result.denialReasons = [APPROVAL_REASON, ...result.denialReasons ?? []];
|
|
627
|
+
}
|
|
628
|
+
|
|
622
629
|
// src/adapters/nextjs.ts
|
|
623
630
|
function escapeHtml(value) {
|
|
624
631
|
return value.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">").replace(/"/g, """).replace(/'/g, "'");
|
|
@@ -978,7 +985,9 @@ function createMiddleware(options) {
|
|
|
978
985
|
agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
|
|
979
986
|
}
|
|
980
987
|
});
|
|
981
|
-
|
|
988
|
+
const approvalRequired = result.identityVerified && result.policyAllowed && requiresHumanApproval(result);
|
|
989
|
+
if (approvalRequired) annotateApprovalRequired(result);
|
|
990
|
+
if (!result.identityVerified || !result.policyAllowed || approvalRequired) {
|
|
982
991
|
if (pathname.startsWith("/api/")) {
|
|
983
992
|
return NextResponse.json(
|
|
984
993
|
{
|
|
@@ -986,11 +995,10 @@ function createMiddleware(options) {
|
|
|
986
995
|
error: {
|
|
987
996
|
// Round-18 G4: 401 → identity missing (re-auth); 403 → identity
|
|
988
997
|
// OK, policy denied (update PDLSS / step up).
|
|
989
|
-
code: !result.identityVerified ? "UNAUTHORIZED" : "
|
|
998
|
+
code: !result.identityVerified ? "UNAUTHORIZED" : "POLICY_DENIED",
|
|
990
999
|
message: result.denialReasons?.[0] || "Access denied",
|
|
991
|
-
|
|
992
|
-
|
|
993
|
-
guidance: result.guidance
|
|
1000
|
+
guidance: result.guidance,
|
|
1001
|
+
failures: result.failures
|
|
994
1002
|
}
|
|
995
1003
|
},
|
|
996
1004
|
{ status: !result.identityVerified ? 401 : 403 }
|
|
@@ -1017,7 +1025,6 @@ function createMiddleware(options) {
|
|
|
1017
1025
|
response.headers.set("X-AstraSync-Access-Level", result.accessLevel);
|
|
1018
1026
|
if (result.agent) {
|
|
1019
1027
|
response.headers.set("X-AstraSync-Agent-Id", result.agent.astraId);
|
|
1020
|
-
response.headers.set("X-AstraSync-Trust-Score", result.agent.trustScore.toString());
|
|
1021
1028
|
}
|
|
1022
1029
|
return response;
|
|
1023
1030
|
};
|