@astrasyncai/verification-gateway 3.1.0 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +46 -61
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +46 -61
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +12 -7
  10. package/dist/adapters/mcp.d.ts +12 -7
  11. package/dist/adapters/mcp.js +60 -99
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +60 -99
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +37 -30
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +37 -30
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +25 -14
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +25 -14
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/browser/background.js +18 -21
  30. package/dist/browser/background.js.map +1 -1
  31. package/dist/browser/background.mjs +18 -21
  32. package/dist/browser/background.mjs.map +1 -1
  33. package/dist/browser/browser-adapter.d.mts +2 -2
  34. package/dist/browser/browser-adapter.d.ts +2 -2
  35. package/dist/cli/index.d.mts +2 -2
  36. package/dist/cli/index.d.ts +2 -2
  37. package/dist/cursor/cursor-adapter.d.mts +2 -2
  38. package/dist/cursor/cursor-adapter.d.ts +2 -2
  39. package/dist/cursor/extension.d.mts +2 -2
  40. package/dist/cursor/extension.d.ts +2 -2
  41. package/dist/cursor/extension.js +18 -21
  42. package/dist/cursor/extension.js.map +1 -1
  43. package/dist/cursor/extension.mjs +18 -21
  44. package/dist/cursor/extension.mjs.map +1 -1
  45. package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
  46. package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
  47. package/dist/gateway/gateway.d.mts +2 -2
  48. package/dist/gateway/gateway.d.ts +2 -2
  49. package/dist/gateway/gateway.js +18 -21
  50. package/dist/gateway/gateway.js.map +1 -1
  51. package/dist/gateway/gateway.mjs +18 -21
  52. package/dist/gateway/gateway.mjs.map +1 -1
  53. package/dist/git-trigger/git-hooks.d.mts +2 -2
  54. package/dist/git-trigger/git-hooks.d.ts +2 -2
  55. package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
  56. package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
  57. package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
  58. package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
  59. package/dist/index.d.mts +7 -7
  60. package/dist/index.d.ts +7 -7
  61. package/dist/index.js +87 -122
  62. package/dist/index.js.map +1 -1
  63. package/dist/index.mjs +87 -122
  64. package/dist/index.mjs.map +1 -1
  65. package/dist/local-evaluator/evaluator.d.mts +2 -2
  66. package/dist/local-evaluator/evaluator.d.ts +2 -2
  67. package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
  68. package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
  69. package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
  70. package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
  71. package/dist/transport/index.d.mts +2 -2
  72. package/dist/transport/index.d.ts +2 -2
  73. package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
  74. package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
  75. package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
  76. package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
  77. package/dist/ui/index.d.mts +1 -1
  78. package/dist/ui/index.d.ts +1 -1
  79. package/package.json +1 -1
@@ -3287,14 +3287,6 @@ function verifyLocal(evaluator, context) {
3287
3287
  }
3288
3288
 
3289
3289
  // src/access-levels.ts
3290
- var ACCESS_LEVEL_HIERARCHY = {
3291
- none: 0,
3292
- restricted: 1,
3293
- "read-only": 2,
3294
- standard: 3,
3295
- full: 4,
3296
- internal: 5
3297
- };
3298
3290
  function getTrustLevel(score) {
3299
3291
  if (score >= 80) return "PLATINUM";
3300
3292
  if (score >= 60) return "GOLD";
@@ -3303,7 +3295,7 @@ function getTrustLevel(score) {
3303
3295
  }
3304
3296
 
3305
3297
  // src/version.ts
3306
- var SDK_VERSION = "3.1.0";
3298
+ var SDK_VERSION = "3.2.1";
3307
3299
 
3308
3300
  // src/well-known.ts
3309
3301
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3356,7 +3348,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
3356
3348
  }
3357
3349
  }
3358
3350
  var verificationCache = /* @__PURE__ */ new Map();
3359
- function getCacheKey(request) {
3351
+ function getCacheKey(request, counterpartyId) {
3360
3352
  const c = request.credentials;
3361
3353
  return [
3362
3354
  c.astraId || "",
@@ -3369,6 +3361,14 @@ function getCacheKey(request) {
3369
3361
  request.jurisdiction || "",
3370
3362
  request.transactionValue ?? "",
3371
3363
  request.currency || "",
3364
+ // SECURITY (cross-merchant cache leak): the merchant identity is sent via
3365
+ // `config.counterpartyId`, NOT on the request, so it was previously absent
3366
+ // from the key — two verifies for the SAME agent/purpose/action/value but
3367
+ // DIFFERENT merchants collided, and a grant at a permissive merchant (low
3368
+ // trust floor) was served for a stricter one. Same bug class as the
3369
+ // duration omission (F-A1-07). counterpartyId affects the backend verdict
3370
+ // (trust floor / per-route policy), so it MUST key the cache.
3371
+ counterpartyId || "",
3372
3372
  request.counterpartyUrl || "",
3373
3373
  request.counterpartyType || "",
3374
3374
  request.isSubAgentRequest ? "1" : "0",
@@ -3392,8 +3392,8 @@ function getCacheKey(request) {
3392
3392
  request.callerMetadata?.agentCardUrl || ""
3393
3393
  ].join("|");
3394
3394
  }
3395
- function getCachedResult(request) {
3396
- const key = getCacheKey(request);
3395
+ function getCachedResult(request, counterpartyId) {
3396
+ const key = getCacheKey(request, counterpartyId);
3397
3397
  const cached = verificationCache.get(key);
3398
3398
  if (cached && cached.expiresAt > Date.now()) {
3399
3399
  return cached.result;
@@ -3405,9 +3405,9 @@ function getCachedResult(request) {
3405
3405
  }
3406
3406
  var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
3407
3407
  var DEFAULT_STEP_UP_TTL_SECONDS = 300;
3408
- function cacheResult(request, result, configuredTtl) {
3408
+ function cacheResult(request, result, configuredTtl, counterpartyId) {
3409
3409
  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
3410
- const key = getCacheKey(request);
3410
+ const key = getCacheKey(request, counterpartyId);
3411
3411
  verificationCache.set(key, {
3412
3412
  result,
3413
3413
  expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3565,7 +3565,7 @@ async function verify(config, request) {
3565
3565
  );
3566
3566
  }
3567
3567
  if (mergedConfig.cacheTtl !== 0) {
3568
- const cached = getCachedResult(request);
3568
+ const cached = getCachedResult(request, mergedConfig.counterpartyId);
3569
3569
  if (cached) {
3570
3570
  if (mergedConfig.debug) {
3571
3571
  console.log("[VerificationGateway] Returning cached result");
@@ -3617,8 +3617,8 @@ async function verify(config, request) {
3617
3617
  verifiedAt: /* @__PURE__ */ new Date(),
3618
3618
  // Extract sessionId so decisions can be recorded for denials too
3619
3619
  sessionId: apiResponse.sessionId,
3620
- // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
3621
- // correlationId is the linking key for paired local_override events.
3620
+ // Anonymous traffic has no session → correlationId is the per-attempt
3621
+ // linking key (the sessionId-equivalent for anonymous callers).
3622
3622
  correlationId: apiResponse.correlationId,
3623
3623
  recommendation: apiResponse.recommendation,
3624
3624
  recommendationReasons: apiResponse.recommendationReasons
@@ -3692,13 +3692,10 @@ async function verify(config, request) {
3692
3692
  };
3693
3693
  } else if (result.recommendation === "step_up_required") {
3694
3694
  result.requiresStepUp = true;
3695
- if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
3696
- result.accessLevel = "read-only";
3697
- }
3698
3695
  result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
3699
3696
  }
3700
3697
  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
3701
- cacheResult(request, result, mergedConfig.cacheTtl);
3698
+ cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
3702
3699
  }
3703
3700
  return result;
3704
3701
  }