@astrasyncai/verification-gateway 3.1.0 → 3.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +46 -61
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +46 -61
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +12 -7
- package/dist/adapters/mcp.d.ts +12 -7
- package/dist/adapters/mcp.js +60 -99
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +60 -99
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +37 -30
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +37 -30
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +87 -122
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +87 -122
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
- package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
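--- a/package/dist/gateway/gateway.mjs
+++ b/package/dist/gateway/gateway.mjs
@@ -3023,14 +3023,6 @@ function verifyLocal(evaluator, context) {
 }
 
 // src/access-levels.ts
-var ACCESS_LEVEL_HIERARCHY = {
-none: 0,
-restricted: 1,
-"read-only": 2,
-standard: 3,
-full: 4,
-internal: 5
-};
 function getTrustLevel(score) {
 if (score >= 80) return "PLATINUM";
 if (score >= 60) return "GOLD";
@@ -3039,7 +3031,7 @@ function getTrustLevel(score) {
 }
 
 // src/version.ts
-var SDK_VERSION = "3.1
+var SDK_VERSION = "3.2.1";
 
 // src/well-known.ts
 var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -3092,7 +3084,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
 }
 }
 var verificationCache = /* @__PURE__ */ new Map();
-function getCacheKey(request) {
+function getCacheKey(request, counterpartyId) {
 const c = request.credentials;
 return [
 c.astraId || "",
@@ -3105,6 +3097,14 @@ function getCacheKey(request) {
 request.jurisdiction || "",
 request.transactionValue ?? "",
 request.currency || "",
+// SECURITY (cross-merchant cache leak): the merchant identity is sent via
+// `config.counterpartyId`, NOT on the request, so it was previously absent
+// from the key — two verifies for the SAME agent/purpose/action/value but
+// DIFFERENT merchants collided, and a grant at a permissive merchant (low
+// trust floor) was served for a stricter one. Same bug class as the
+// duration omission (F-A1-07). counterpartyId affects the backend verdict
+// (trust floor / per-route policy), so it MUST key the cache.
+counterpartyId || "",
 request.counterpartyUrl || "",
 request.counterpartyType || "",
 request.isSubAgentRequest ? "1" : "0",
@@ -3128,8 +3128,8 @@ function getCacheKey(request) {
 request.callerMetadata?.agentCardUrl || ""
 ].join("|");
 }
-function getCachedResult(request) {
-const key = getCacheKey(request);
+function getCachedResult(request, counterpartyId) {
+const key = getCacheKey(request, counterpartyId);
 const cached = verificationCache.get(key);
 if (cached && cached.expiresAt > Date.now()) {
 return cached.result;
@@ -3141,9 +3141,9 @@ function getCachedResult(request) {
 }
 var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
 var DEFAULT_STEP_UP_TTL_SECONDS = 300;
-function cacheResult(request, result, configuredTtl) {
+function cacheResult(request, result, configuredTtl, counterpartyId) {
 const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
-const key = getCacheKey(request);
+const key = getCacheKey(request, counterpartyId);
 verificationCache.set(key, {
 result,
 expiresAt: Date.now() + ttlSeconds * 1e3
@@ -3301,7 +3301,7 @@ async function verify(config, request) {
 );
 }
 if (mergedConfig.cacheTtl !== 0) {
-const cached = getCachedResult(request);
+const cached = getCachedResult(request, mergedConfig.counterpartyId);
 if (cached) {
 if (mergedConfig.debug) {
 console.log("[VerificationGateway] Returning cached result");
@@ -3353,8 +3353,8 @@ async function verify(config, request) {
 verifiedAt: /* @__PURE__ */ new Date(),
 // Extract sessionId so decisions can be recorded for denials too
 sessionId: apiResponse.sessionId,
-//
-//
+// Anonymous traffic has no session → correlationId is the per-attempt
+// linking key (the sessionId-equivalent for anonymous callers).
 correlationId: apiResponse.correlationId,
 recommendation: apiResponse.recommendation,
 recommendationReasons: apiResponse.recommendationReasons
@@ -3428,13 +3428,10 @@ async function verify(config, request) {
 };
 } else if (result.recommendation === "step_up_required") {
 result.requiresStepUp = true;
-if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
-result.accessLevel = "read-only";
-}
 result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
 }
 if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
-cacheResult(request, result, mergedConfig.cacheTtl);
+cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
 }
 return result;
 }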
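Review bot: In the last hunk the `step_up_required` branch still sets `result.requiresStepUp = true` but no longer lowers `result.accessLevel`, because the `ACCESS_LEVEL_HIERARCHY` clamp to "read-only" was removed in the first hunk; a consumer that gates on `accessLevel` without also checking `requiresStepUp` now sees whatever level the backend returned while step-up is still pending. If the server is expected to return the already-clamped level, that invariant lives only on the server side and deserves a line here, e.g. `// accessLevel is not clamped client-side on step_up_required; callers must gate on requiresStepUp`; if not, the downgrade should be restored next to the flag. The `getCacheKey` hunk fixes the cross-merchant collision, but the new `counterpartyId || ""` segment joins the same unescaped "|"-delimited key as the request fields, so an id containing "|" can still alias a neighbouring segment — probably low risk since `counterpartyId` is read from `mergedConfig` rather than the request, but worth a comment or an escape of the segments. `verify`'s body begins well before these hunks.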