@astrasyncai/verification-gateway 3.2.0 → 3.2.1

package/dist/index.mjs CHANGED
@@ -126,7 +126,7 @@ function getCapabilities(accessLevel) {
126
126
  }
127
127
 
128
128
  // src/version.ts
129
- var SDK_VERSION = "3.2.0";
129
+ var SDK_VERSION = "3.2.1";
130
130
 
131
131
  // src/well-known.ts
132
132
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -832,6 +832,19 @@ function resolveHttpPdlss(input) {
832
832
  return { purpose, action, purposeSource, actionSource };
833
833
  }
834
834
 
835
+ // src/adapters/approval-gate.ts
836
+ var APPROVAL_REASON = "Transaction is above the autonomous limit and requires human approval, which is not yet available \u2014 it cannot be completed automatically.";
837
+ function requiresHumanApproval(result) {
838
+ return result.requiresStepUp === true || result.requiresApproval === true;
839
+ }
840
+ function annotateApprovalRequired(result) {
841
+ result.failures = [
842
+ ...result.failures ?? [],
843
+ { dimension: "commerce.intent.approval_required", message: APPROVAL_REASON }
844
+ ];
845
+ result.denialReasons = [APPROVAL_REASON, ...result.denialReasons ?? []];
846
+ }
847
+
835
848
  // src/pdlss-pre-check.ts
836
849
  function performCounterpartyPreCheck(routeConfig, astraCreds, purpose) {
837
850
  const failures = [];
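Review bot: `requiresHumanApproval` fires only on the literal boolean `true`, so a `requiresStepUp` or `requiresApproval` value that reaches it as `"true"` or `1` is treated as not needing approval and the request proceeds. Where `result` is built is not visible in this hunk; if it comes from a parsed service response, validate those two fields as booleans before this check and state the contract above the function, e.g. `// Expects a validated result: requiresStepUp / requiresApproval must be real booleans; any other value is treated as "no approval needed".` `annotateApprovalRequired` also mutates `result` in place and adds its entry on every call, so a second call on the same result duplicates the failure and the denial reason; a one-line comment saying it must run once per result would help.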
@@ -1139,6 +1152,16 @@ function createMiddleware(options) {
1139
1152
  onDenied(result, req, res);
1140
1153
  return;
1141
1154
  }
1155
+ if (requiresHumanApproval(result)) {
1156
+ annotateApprovalRequired(result);
1157
+ if (shouldRecordDecisions && sessionId) {
1158
+ recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
1159
+ });
1160
+ }
1161
+ dedupeFailures(result);
1162
+ onDenied(result, req, res);
1163
+ return;
1164
+ }
1142
1165
  if (!shouldEnforce) {
1143
1166
  if (config.setPassThroughHeader) {
1144
1167
  res.setHeader("X-Astra-Gateway-Mode", "enforced");
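Review bot: The empty `.catch(() => {})` on `recordDecision` means a failed write leaves no trace that an above-limit transaction was stopped for approval, which is the decision an auditor is most likely to look for. Keeping the call fire-and-forget is fine, but report the rejection, e.g. `.catch((err) => console.warn("recordDecision failed", err))` or the package's own logger if it has one. The decision is also stored as a plain `"denied"`, so only the reason text separates it from an ordinary policy denial. The block sits ahead of `if (!shouldEnforce)`, so it appears to deny in non-enforcing mode too; if that is intended, say so in a comment such as `// Approval-required is a hard stop, checked before the shouldEnforce branch on purpose.` The same block is added to createMcpMiddleware in the last hunk, and both functions continue outside their hunks.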
@@ -1586,7 +1609,9 @@ function createMiddleware2(options) {
1586
1609
  agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
1587
1610
  }
1588
1611
  });
1589
- if (!result.identityVerified || !result.policyAllowed) {
1612
+ const approvalRequired = result.identityVerified && result.policyAllowed && requiresHumanApproval(result);
1613
+ if (approvalRequired) annotateApprovalRequired(result);
1614
+ if (!result.identityVerified || !result.policyAllowed || approvalRequired) {
1590
1615
  if (pathname.startsWith("/api/")) {
1591
1616
  return NextResponse.json(
1592
1617
  {
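Review bot: This path annotates the result but, in the visible lines, neither calls a dedupe helper nor records the decision, whereas the createMiddleware and createMcpMiddleware hunks do both before denying. If the rest of the deny branch (outside this hunk) does not cover it, approval-required denials through the Next.js middleware leave no decision record and may return repeated `failures` entries. A short comment above `const approvalRequired = …` explaining why identity and policy must both pass first would also help, e.g. `// Only flag approval when the request would otherwise be allowed, so the approval reason never replaces a 401/403 cause in denialReasons[0].`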
@@ -1596,7 +1621,8 @@ function createMiddleware2(options) {
1596
1621
  // OK, policy denied (update PDLSS / step up).
1597
1622
  code: !result.identityVerified ? "UNAUTHORIZED" : "POLICY_DENIED",
1598
1623
  message: result.denialReasons?.[0] || "Access denied",
1599
- guidance: result.guidance
1624
+ guidance: result.guidance,
1625
+ failures: result.failures
1600
1626
  }
1601
1627
  },
1602
1628
  { status: !result.identityVerified ? 401 : 403 }
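Review bot: `failures: result.failures` is now serialized into the body of every denial on `/api/` paths, including the 401 returned when identity is not verified, not just the approval-required case. What the other failure entries contain is not visible here; if their `message` or `dimension` text describes internal policy or counterparty checks, that detail goes to an unauthenticated caller. Consider limiting it to the approval case, `failures: approvalRequired ? result.failures : undefined`, or filtering to dimensions meant for clients. An approval-required denial also still reports `code: "POLICY_DENIED"`, so clients have to inspect `failures[].dimension` to tell it apart from a policy denial.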
@@ -4670,6 +4696,16 @@ function createMcpMiddleware(options) {
4670
4696
  onDenied(result, req, res);
4671
4697
  return;
4672
4698
  }
4699
+ if (requiresHumanApproval(result)) {
4700
+ annotateApprovalRequired(result);
4701
+ if (shouldRecordDecisions && sessionId) {
4702
+ recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
4703
+ });
4704
+ }
4705
+ dedupeFailures2(result);
4706
+ onDenied(result, req, res);
4707
+ return;
4708
+ }
4673
4709
  if (!shouldEnforce) {
4674
4710
  if (config.setPassThroughHeader) {
4675
4711
  res.setHeader("X-Astra-Gateway-Mode", "enforced");