@astrasyncai/verification-gateway 3.1.0 → 3.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +46 -61
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +46 -61
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +12 -7
- package/dist/adapters/mcp.d.ts +12 -7
- package/dist/adapters/mcp.js +60 -99
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +60 -99
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +37 -30
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +37 -30
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +25 -14
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +25 -14
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/browser/background.js +18 -21
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +18 -21
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +18 -21
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +18 -21
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-DavQ76oF.d.ts → express-BowlMHQF.d.ts} +1 -1
- package/dist/{express-DFVBlXr_.d.mts → express-CeoSdOAZ.d.mts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +18 -21
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +18 -21
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-BhL2R65s.d.mts → index-B51W8gn8.d.mts} +1 -1
- package/dist/{index-BhEgEiJL.d.ts → index-DBmlycVm.d.ts} +1 -1
- package/dist/{index-BVxantdv.d.mts → index-DtGziFEm.d.mts} +1 -1
- package/dist/{index-Dk2nIA4w.d.ts → index-DzXXBuLm.d.ts} +1 -1
- package/dist/index.d.mts +7 -7
- package/dist/index.d.ts +7 -7
- package/dist/index.js +87 -122
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +87 -122
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-D-maqrNz.d.mts → nextjs-BW1rzr1I.d.mts} +1 -1
- package/dist/{nextjs-BXLH1hJj.d.ts → nextjs-V_K0qlAQ.d.ts} +1 -1
- package/dist/{sdk-767LaEP8.d.mts → sdk-ZYgI7G9f.d.ts} +14 -3
- package/dist/{sdk-K8IgssHI.d.ts → sdk-e5jg7sqW.d.mts} +14 -3
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-CyFwZ_Yu.d.mts → types-BNiLZY0i.d.mts} +1 -1
- package/dist/{types-WIRp_BP_.d.ts → types-DJi-u3fz.d.ts} +1 -1
- package/dist/{types-Cuh7ELfr.d.mts → types-rFh4VMH4.d.mts} +5 -2
- package/dist/{types-Cuh7ELfr.d.ts → types-rFh4VMH4.d.ts} +5 -2
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
@@ -1,3 +1,3 @@
|
|
|
1
1
|
import 'next/server';
|
|
2
|
-
import '../types-
|
|
3
|
-
export { c as createMatcherConfig, a as createMiddleware } from '../nextjs-
|
|
2
|
+
import '../types-rFh4VMH4.mjs';
|
|
3
|
+
export { c as createMatcherConfig, a as createMiddleware } from '../nextjs-BW1rzr1I.mjs';
|
|
@@ -1,3 +1,3 @@
|
|
|
1
1
|
import 'next/server';
|
|
2
|
-
import '../types-
|
|
3
|
-
export { c as createMatcherConfig, a as createMiddleware } from '../nextjs-
|
|
2
|
+
import '../types-rFh4VMH4.js';
|
|
3
|
+
export { c as createMatcherConfig, a as createMiddleware } from '../nextjs-V_K0qlAQ.js';
|
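--- a/package/dist/adapters/nextjs.js
+++ b/package/dist/adapters/nextjs.js
@@ -36,26 +36,15 @@ __export(nextjs_exports, {
 module.exports = __toCommonJS(nextjs_exports);
 
 // src/access-levels.ts
-var ACCESS_LEVEL_HIERARCHY = {
-none: 0,
-restricted: 1,
-"read-only": 2,
-standard: 3,
-full: 4,
-internal: 5
-};
 function getTrustLevel(score) {
 if (score >= 80) return "PLATINUM";
 if (score >= 60) return "GOLD";
 if (score >= 40) return "SILVER";
 return "BRONZE";
 }
-function hasMinimumAccess(actual, required) {
-return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
-}
 
 // src/version.ts
-var SDK_VERSION = "3.1
+var SDK_VERSION = "3.2.1";
 
 // src/well-known.ts
 var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -108,7 +97,7 @@ async function performInitCheck(apiBaseUrl, debug, strictInit) {
 }
 }
 var verificationCache = /* @__PURE__ */ new Map();
-function getCacheKey(request) {
+function getCacheKey(request, counterpartyId) {
 const c = request.credentials;
 return [
 c.astraId || "",
@@ -121,6 +110,14 @@ function getCacheKey(request) {
 request.jurisdiction || "",
 request.transactionValue ?? "",
 request.currency || "",
+// SECURITY (cross-merchant cache leak): the merchant identity is sent via
+// `config.counterpartyId`, NOT on the request, so it was previously absent
+// from the key — two verifies for the SAME agent/purpose/action/value but
+// DIFFERENT merchants collided, and a grant at a permissive merchant (low
+// trust floor) was served for a stricter one. Same bug class as the
+// duration omission (F-A1-07). counterpartyId affects the backend verdict
+// (trust floor / per-route policy), so it MUST key the cache.
+counterpartyId || "",
 request.counterpartyUrl || "",
 request.counterpartyType || "",
 request.isSubAgentRequest ? "1" : "0",
@@ -144,8 +141,8 @@ function getCacheKey(request) {
 request.callerMetadata?.agentCardUrl || ""
 ].join("|");
 }
-function getCachedResult(request) {
-const key = getCacheKey(request);
+function getCachedResult(request, counterpartyId) {
+const key = getCacheKey(request, counterpartyId);
 const cached = verificationCache.get(key);
 if (cached && cached.expiresAt > Date.now()) {
 return cached.result;
@@ -157,9 +154,9 @@ function getCachedResult(request) {
 }
 var DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;
 var DEFAULT_STEP_UP_TTL_SECONDS = 300;
-function cacheResult(request, result, configuredTtl) {
+function cacheResult(request, result, configuredTtl, counterpartyId) {
 const ttlSeconds = configuredTtl && configuredTtl > 0 ? configuredTtl : result.requiresStepUp ? DEFAULT_STEP_UP_TTL_SECONDS : DEFAULT_AUTONOMOUS_TTL_SECONDS;
-const key = getCacheKey(request);
+const key = getCacheKey(request, counterpartyId);
 verificationCache.set(key, {
 result,
 expiresAt: Date.now() + ttlSeconds * 1e3
@@ -317,7 +314,7 @@ async function verify(config, request) {
 );
 }
 if (mergedConfig.cacheTtl !== 0) {
-const cached = getCachedResult(request);
+const cached = getCachedResult(request, mergedConfig.counterpartyId);
 if (cached) {
 if (mergedConfig.debug) {
 console.log("[VerificationGateway] Returning cached result");
@@ -369,8 +366,8 @@ async function verify(config, request) {
 verifiedAt: /* @__PURE__ */ new Date(),
 // Extract sessionId so decisions can be recorded for denials too
 sessionId: apiResponse.sessionId,
-//
-//
+// Anonymous traffic has no session → correlationId is the per-attempt
+// linking key (the sessionId-equivalent for anonymous callers).
 correlationId: apiResponse.correlationId,
 recommendation: apiResponse.recommendation,
 recommendationReasons: apiResponse.recommendationReasons
@@ -444,13 +441,10 @@ async function verify(config, request) {
 };
 } else if (result.recommendation === "step_up_required") {
 result.requiresStepUp = true;
-if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
-result.accessLevel = "read-only";
-}
 result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
 }
 if (mergedConfig.cacheTtl !== 0 && result.recommendation !== "deny") {
-cacheResult(request, result, mergedConfig.cacheTtl);
+cacheResult(request, result, mergedConfig.cacheTtl, mergedConfig.counterpartyId);
 }
 return result;
 }
@@ -656,6 +650,19 @@ function resolveHttpPdlss(input) {
 return { purpose, action, purposeSource, actionSource };
 }
 
+// src/adapters/approval-gate.ts
+var APPROVAL_REASON = "Transaction is above the autonomous limit and requires human approval, which is not yet available \u2014 it cannot be completed automatically.";
+function requiresHumanApproval(result) {
+return result.requiresStepUp === true || result.requiresApproval === true;
+}
+function annotateApprovalRequired(result) {
+result.failures = [
+...result.failures ?? [],
+{ dimension: "commerce.intent.approval_required", message: APPROVAL_REASON }
+];
+result.denialReasons = [APPROVAL_REASON, ...result.denialReasons ?? []];
+}
+
 // src/adapters/nextjs.ts
 function escapeHtml(value) {
 return value.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">").replace(/"/g, """).replace(/'/g, "'");
@@ -1015,7 +1022,9 @@ function createMiddleware(options) {
 agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
 }
 });
-
+const approvalRequired = result.identityVerified && result.policyAllowed && requiresHumanApproval(result);
+if (approvalRequired) annotateApprovalRequired(result);
+if (!result.identityVerified || !result.policyAllowed || approvalRequired) {
 if (pathname.startsWith("/api/")) {
 return NextResponse.json(
 {
@@ -1023,11 +1032,10 @@ function createMiddleware(options) {
 error: {
 // Round-18 G4: 401 → identity missing (re-auth); 403 → identity
 // OK, policy denied (update PDLSS / step up).
-code: !result.identityVerified ? "UNAUTHORIZED" : "
+code: !result.identityVerified ? "UNAUTHORIZED" : "POLICY_DENIED",
 message: result.denialReasons?.[0] || "Access denied",
-
-
-guidance: result.guidance
+guidance: result.guidance,
+failures: result.failures
 }
 },
 { status: !result.identityVerified ? 401 : 403 }
@@ -1054,7 +1062,6 @@ function createMiddleware(options) {
 response.headers.set("X-AstraSync-Access-Level", result.accessLevel);
 if (result.agent) {
 response.headers.set("X-AstraSync-Agent-Id", result.agent.astraId);
-response.headers.set("X-AstraSync-Trust-Score", result.agent.trustScore.toString());
 }
 return response;
 };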
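Review bot: The new `annotateApprovalRequired` (src/adapters/approval-gate.ts hunk) mutates `result` in place, and in `createMiddleware` that `result` can be the very object `getCachedResult` hands back by reference (`return cached.result;`), which `verify` caches whenever the recommendation is not "deny" — so a step-up result stays cached for up to `DEFAULT_STEP_UP_TTL_SECONDS` and every cache hit appends another `commerce.intent.approval_required` entry to `failures` and prepends another `APPROVAL_REASON` to `denialReasons`, growing the cached object and duplicating messages in the 403 body (which now also echoes `failures` to the client). A minimal fix is an idempotency guard at the top of the function, `if ((result.failures ?? []).some((f) => f.dimension === "commerce.intent.approval_required")) return;`; the cleaner fix is to have it return an annotated shallow copy so the cache entry is never written to. Separately, the `step_up_required` branch of `verify` no longer clamps `accessLevel` to `"read-only"`, so the unclamped level is what gets cached and returned to any caller of `verify` that does not pass through this middleware's gate — presumably the other adapters in this release carry the same gate, but that is not visible in this section. `createMiddleware` and `verify` both begin and end outside the shown hunks.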