@astrasyncai/verification-gateway 3.1.0 → 3.2.1

Files changed (79)
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +46 -61
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +46 -61
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +12 -7
  10. package/dist/adapters/mcp.d.ts +12 -7
  11. package/dist/adapters/mcp.js +60 -99
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +60 -99
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +37 -30
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +37 -30
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +25 -14
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +25 -14
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/browser/background.js +18 -21
  30. package/dist/browser/background.js.map +1 -1
  31. package/dist/browser/background.mjs +18 -21
  32. package/dist/browser/background.mjs.map +1 -1
  33. package/dist/browser/browser-adapter.d.mts +2 -2
  34. package/dist/browser/browser-adapter.d.ts +2 -2
  35. package/dist/cli/index.d.mts +2 -2
  36. package/dist/cli/index.d.ts +2 -2
  37. package/dist/cursor/cursor-adapter.d.mts +2 -2
  38. package/dist/cursor/cursor-adapter.d.ts +2 -2
  39. package/dist/cursor/extension.d.mts +2 -2
  40. package/dist/cursor/extension.d.ts +2 -2
  41. package/dist/cursor/extension.js +18 -21
  42. package/dist/cursor/extension.js.map +1 -1
  43. package/dist/cursor/extension.mjs +18 -21
  44. package/dist/cursor/extension.mjs.map +1 -1
  45. package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
  46. package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
  47. package/dist/gateway/gateway.d.mts +2 -2
  48. package/dist/gateway/gateway.d.ts +2 -2
  49. package/dist/gateway/gateway.js +18 -21
  50. package/dist/gateway/gateway.js.map +1 -1
  51. package/dist/gateway/gateway.mjs +18 -21
  52. package/dist/gateway/gateway.mjs.map +1 -1
  53. package/dist/git-trigger/git-hooks.d.mts +2 -2
  54. package/dist/git-trigger/git-hooks.d.ts +2 -2
  55. package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
  56. package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
  57. package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
  58. package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
  59. package/dist/index.d.mts +7 -7
  60. package/dist/index.d.ts +7 -7
  61. package/dist/index.js +87 -122
  62. package/dist/index.js.map +1 -1
  63. package/dist/index.mjs +87 -122
  64. package/dist/index.mjs.map +1 -1
  65. package/dist/local-evaluator/evaluator.d.mts +2 -2
  66. package/dist/local-evaluator/evaluator.d.ts +2 -2
  67. package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
  68. package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
  69. package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
  70. package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
  71. package/dist/transport/index.d.mts +2 -2
  72. package/dist/transport/index.d.ts +2 -2
  73. package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
  74. package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
  75. package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
  76. package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
  77. package/dist/ui/index.d.mts +1 -1
  78. package/dist/ui/index.d.ts +1 -1
  79. package/package.json +1 -1
@@ -1,7 +1,7 @@
1
1
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
2
- import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CyFwZ_Yu.mjs';
2
+ import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-BNiLZY0i.mjs';
3
3
  import '../gateway/gateway.mjs';
4
- import '../types-Cuh7ELfr.mjs';
4
+ import '../types-rFh4VMH4.mjs';
5
5
 
6
6
  /**
7
7
  * @astrasyncai/adapter-openclaw-browser
@@ -1,7 +1,7 @@
1
1
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
2
- import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-WIRp_BP_.js';
2
+ import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DJi-u3fz.js';
3
3
  import '../gateway/gateway.js';
4
- import '../types-Cuh7ELfr.js';
4
+ import '../types-rFh4VMH4.js';
5
5
 
6
6
  /**
7
7
  * @astrasyncai/adapter-openclaw-browser
@@ -1,6 +1,6 @@
1
- import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CyFwZ_Yu.mjs';
1
+ import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-BNiLZY0i.mjs';
2
2
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
3
- import '../types-Cuh7ELfr.mjs';
3
+ import '../types-rFh4VMH4.mjs';
4
4
  import '../gateway/gateway.mjs';
5
5
 
6
6
  /**
@@ -1,6 +1,6 @@
1
- import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-WIRp_BP_.js';
1
+ import { b as LocalPurposeRule, d as LocalScope, c as LocalRiskThresholds, L as LocalPolicy, P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DJi-u3fz.js';
2
2
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
3
- import '../types-Cuh7ELfr.js';
3
+ import '../types-rFh4VMH4.js';
4
4
  import '../gateway/gateway.js';
5
5
 
6
6
  /**
@@ -1,7 +1,7 @@
1
1
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
2
- import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-CyFwZ_Yu.mjs';
2
+ import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-BNiLZY0i.mjs';
3
3
  import '../gateway/gateway.mjs';
4
- import '../types-Cuh7ELfr.mjs';
4
+ import '../types-rFh4VMH4.mjs';
5
5
 
6
6
  /**
7
7
  * @astrasyncai/adapter-cursor
@@ -1,7 +1,7 @@
1
1
  import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
2
- import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-WIRp_BP_.js';
2
+ import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-DJi-u3fz.js';
3
3
  import '../gateway/gateway.js';
4
- import '../types-Cuh7ELfr.js';
4
+ import '../types-rFh4VMH4.js';
5
5
 
6
6
  /**
7
7
  * @astrasyncai/adapter-cursor
@@ -1,8 +1,8 @@
1
1
  import { VSCodeAPI } from './cursor-adapter.mjs';
2
2
  import '../adapter-interface/interface.mjs';
3
3
  import '../gateway/gateway.mjs';
4
- import '../types-CyFwZ_Yu.mjs';
5
- import '../types-Cuh7ELfr.mjs';
4
+ import '../types-BNiLZY0i.mjs';
5
+ import '../types-rFh4VMH4.mjs';
6
6
 
7
7
  /**
8
8
  * VS Code Extension entry point for AstraSync Local Guard (Cursor/VS Code).
@@ -1,8 +1,8 @@
1
1
  import { VSCodeAPI } from './cursor-adapter.js';
2
2
  import '../adapter-interface/interface.js';
3
3
  import '../gateway/gateway.js';
4
- import '../types-WIRp_BP_.js';
5
- import '../types-Cuh7ELfr.js';
4
+ import '../types-DJi-u3fz.js';
5
+ import '../types-rFh4VMH4.js';
6
6
 
7
7
  /**
8
8
  * VS Code Extension entry point for AstraSync Local Guard (Cursor/VS Code).
@@ -3293,14 +3293,6 @@ function verifyLocal(evaluator, context) {
3293
3293
  }
3294
3294
 
3295
3295
  // src/access-levels.ts
3296
- var ACCESS_LEVEL_HIERARCHY = {
3297
- none: 0,
3298
- restricted: 1,
3299
- "read-only": 2,
3300
- standard: 3,
3301
- full: 4,
3302
- internal: 5
3303
- };
3304
3296
  function getTrustLevel(score) {
3305
3297
  if (score >= 80) return "PLATINUM";
3306
3298
  if (score >= 60) return "GOLD";
@@ -3309,7 +3301,7 @@ function getTrustLevel(score) {
3309
3301
  }
3310
3302
 
3311
3303
  // src/version.ts
3312
- var SDK_VERSION = "3.1.0";
3304
+ var SDK_VERSION = "3.2.1";
3313
3305
 
3314
3306
  // src/well-known.ts
3315
3307
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3362,7 +3354,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
3362
3354
  }
3363
3355
  }
3364
3356
  var verificationCache = /* @__PURE__ */ new Map();
3365
- function getCacheKey(request) {
3357
+ function getCacheKey(request, counterpartyId) {
3366
3358
  const c = request.credentials;
3367
3359
  return [
3368
3360
  c.astraId || "",
@@ -3375,6 +3367,14 @@ function getCacheKey(request) {
3375
3367
  request.jurisdiction || "",
3376
3368
  request.transactionValue ?? "",
3377
3369
  request.currency || "",
3370
+ // SECURITY (cross-merchant cache leak): the merchant identity is sent via
3371
+ // `config.counterpartyId`, NOT on the request, so it was previously absent
3372
+ // from the key — two verifies for the SAME agent/purpose/action/value but
3373
+ // DIFFERENT merchants collided, and a grant at a permissive merchant (low
3374
+ // trust floor) was served for a stricter one. Same bug class as the
3375
+ // duration omission (F-A1-07). counterpartyId affects the backend verdict
3376
+ // (trust floor / per-route policy), so it MUST key the cache.
3377
+ counterpartyId || "",
3378
3378
  request.counterpartyUrl || "",
3379
3379
  request.counterpartyType || "",
3380
3380
  request.isSubAgentRequest ? "1" : "0",
@@ -3398,8 +3398,8 @@ function getCacheKey(request) {
3398
3398
  request.callerMetadata?.agentCardUrl || ""
3399
3399
  ].join("|");
3400
3400
  }
3401
- function getCachedResult(request) {
3402
- const key = getCacheKey(request);
3401
+ function getCachedResult(request, counterpartyId) {
3402
+ const key = getCacheKey(request, counterpartyId);
3403
3403
  const cached = verificationCache.get(key);
3404
3404
  if (cached && cached.expiresAt > Date.now()) {
3405
3405
  return cached.result;
@@ -3411,9 +3411,9 @@ function getCachedResult(request) {
3411
3411
  }
3412
3412
  var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
3413
3413
  var DEFAULT_STEP_UP_TTL_SECONDS = 300;
3414
- function cacheResult(request, result, configuredTtl) {
3414
+ function cacheResult(request, result, configuredTtl, counterpartyId) {
3415
3415
  const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
3416
- const key = getCacheKey(request);
3416
+ const key = getCacheKey(request, counterpartyId);
3417
3417
  verificationCache.set(key, {
3418
3418
  result,
3419
3419
  expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3571,7 +3571,7 @@ async function verify(config, request) {
3571
3571
  );
3572
3572
  }
3573
3573
  if (mergedConfig.cacheTtl !== 0) {
3574
- const cached = getCachedResult(request);
3574
+ const cached = getCachedResult(request, mergedConfig.counterpartyId);
3575
3575
  if (cached) {
3576
3576
  if (mergedConfig.debug) {
3577
3577
  console.log("[VerificationGateway] Returning cached result");
@@ -3623,8 +3623,8 @@ async function verify(config, request) {
3623
3623
  verifiedAt: /* @__PURE__ */ new Date(),
3624
3624
  // Extract sessionId so decisions can be recorded for denials too
3625
3625
  sessionId: apiResponse.sessionId,
3626
- // v2.3.10 (defect #34, round-4): anonymous traffic has no session →
3627
- // correlationId is the linking key for paired local_override events.
3626
+ // Anonymous traffic has no session → correlationId is the per-attempt
3627
+ // linking key (the sessionId-equivalent for anonymous callers).
3628
3628
  correlationId: apiResponse.correlationId,
3629
3629
  recommendation: apiResponse.recommendation,
3630
3630
  recommendationReasons: apiResponse.recommendationReasons
@@ -3698,13 +3698,10 @@ async function verify(config, request) {
3698
3698
  };
3699
3699
  } else if (result.recommendation === "step_up_required") {
3700
3700
  result.requiresStepUp = true;
3701
- if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
3702
- result.accessLevel = "read-only";
3703
- }
3704
3701
  result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
3705
3702
  }
3706
3703
  if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
3707
- cacheResult(request, result, mergedConfig.cacheTtl);
3704
+ cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
3708
3705
  }
3709
3706
  return result;
3710
3707
  }
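Review bot: Dropping the read-only clamp in the `step_up_required` branch of `verify` (whose body starts outside this hunk) means the result now keeps whatever `accessLevel` the API returned while `requiresStepUp` is set to true, so any caller or adapter that authorizes on `accessLevel` alone would treat an agent that has not completed step-up as holding `standard` or higher access. Because the check right after it caches every non-`deny` result, that same object is also replayed from `verificationCache` for the step-up TTL (300 seconds by default, per `DEFAULT_STEP_UP_TTL_SECONDS`). If the API is now expected to return the reduced level itself, record that with a comment such as `// accessLevel is already capped server-side for step_up_required; no client-side clamp`; otherwise keep the cap without the removed table, e.g. `if (["standard", "full", "internal"].includes(result.accessLevel)) result.accessLevel = "read-only";`. Whether the adapters test `requiresStepUp` before they read `accessLevel` is not visible in this section, so this should be confirmed against the adapter changes in the same release.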