@astrasyncai/verification-gateway 3.2.0 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/dist/adapter-interface/interface.d.mts +2 -2
  2. package/dist/adapter-interface/interface.d.ts +2 -2
  3. package/dist/adapters/express.d.mts +2 -2
  4. package/dist/adapters/express.d.ts +2 -2
  5. package/dist/adapters/express.js +24 -1
  6. package/dist/adapters/express.js.map +1 -1
  7. package/dist/adapters/express.mjs +24 -1
  8. package/dist/adapters/express.mjs.map +1 -1
  9. package/dist/adapters/mcp.d.mts +1 -1
  10. package/dist/adapters/mcp.d.ts +1 -1
  11. package/dist/adapters/mcp.js +24 -1
  12. package/dist/adapters/mcp.js.map +1 -1
  13. package/dist/adapters/mcp.mjs +24 -1
  14. package/dist/adapters/mcp.mjs.map +1 -1
  15. package/dist/adapters/nextjs.d.mts +2 -2
  16. package/dist/adapters/nextjs.d.ts +2 -2
  17. package/dist/adapters/nextjs.js +19 -3
  18. package/dist/adapters/nextjs.js.map +1 -1
  19. package/dist/adapters/nextjs.mjs +19 -3
  20. package/dist/adapters/nextjs.mjs.map +1 -1
  21. package/dist/adapters/sdk.d.mts +2 -2
  22. package/dist/adapters/sdk.d.ts +2 -2
  23. package/dist/adapters/sdk.js +1 -1
  24. package/dist/adapters/sdk.js.map +1 -1
  25. package/dist/adapters/sdk.mjs +1 -1
  26. package/dist/adapters/sdk.mjs.map +1 -1
  27. package/dist/agent/index.d.mts +2 -2
  28. package/dist/agent/index.d.ts +2 -2
  29. package/dist/browser/background.js +1 -1
  30. package/dist/browser/background.js.map +1 -1
  31. package/dist/browser/background.mjs +1 -1
  32. package/dist/browser/background.mjs.map +1 -1
  33. package/dist/browser/browser-adapter.d.mts +2 -2
  34. package/dist/browser/browser-adapter.d.ts +2 -2
  35. package/dist/cli/index.d.mts +2 -2
  36. package/dist/cli/index.d.ts +2 -2
  37. package/dist/cursor/cursor-adapter.d.mts +2 -2
  38. package/dist/cursor/cursor-adapter.d.ts +2 -2
  39. package/dist/cursor/extension.d.mts +2 -2
  40. package/dist/cursor/extension.d.ts +2 -2
  41. package/dist/cursor/extension.js +1 -1
  42. package/dist/cursor/extension.js.map +1 -1
  43. package/dist/cursor/extension.mjs +1 -1
  44. package/dist/cursor/extension.mjs.map +1 -1
  45. package/dist/{express-CeoSdOAZ.d.mts → express-DAOTESQo.d.mts} +1 -1
  46. package/dist/{express-BowlMHQF.d.ts → express-Lb8-Ybio.d.ts} +1 -1
  47. package/dist/gateway/gateway.d.mts +2 -2
  48. package/dist/gateway/gateway.d.ts +2 -2
  49. package/dist/gateway/gateway.js +1 -1
  50. package/dist/gateway/gateway.js.map +1 -1
  51. package/dist/gateway/gateway.mjs +1 -1
  52. package/dist/gateway/gateway.mjs.map +1 -1
  53. package/dist/git-trigger/git-hooks.d.mts +2 -2
  54. package/dist/git-trigger/git-hooks.d.ts +2 -2
  55. package/dist/{index-DtGziFEm.d.mts → index-BLeiWFLu.d.mts} +1 -1
  56. package/dist/{index-DBmlycVm.d.ts → index-DFwfHOGj.d.ts} +1 -1
  57. package/dist/{index-DzXXBuLm.d.ts → index-E3fAidVt.d.ts} +1 -1
  58. package/dist/{index-B51W8gn8.d.mts → index-kxLJ873R.d.mts} +1 -1
  59. package/dist/index.d.mts +55 -8
  60. package/dist/index.d.ts +55 -8
  61. package/dist/index.js +89 -3
  62. package/dist/index.js.map +1 -1
  63. package/dist/index.mjs +88 -3
  64. package/dist/index.mjs.map +1 -1
  65. package/dist/local-evaluator/evaluator.d.mts +2 -2
  66. package/dist/local-evaluator/evaluator.d.ts +2 -2
  67. package/dist/{nextjs-V_K0qlAQ.d.ts → nextjs-BXK0nD73.d.ts} +1 -1
  68. package/dist/{nextjs-BW1rzr1I.d.mts → nextjs-CFQ_KDFf.d.mts} +1 -1
  69. package/dist/{sdk-ZYgI7G9f.d.ts → sdk-C7qAfpGB.d.ts} +1 -1
  70. package/dist/{sdk-e5jg7sqW.d.mts → sdk-D1MuiiNz.d.mts} +1 -1
  71. package/dist/transport/index.d.mts +2 -2
  72. package/dist/transport/index.d.ts +2 -2
  73. package/dist/{types-DJi-u3fz.d.ts → types-B6uD4jAI.d.ts} +1 -1
  74. package/dist/{types-rFh4VMH4.d.mts → types-B_wnd7ZX.d.mts} +1 -1
  75. package/dist/{types-rFh4VMH4.d.ts → types-B_wnd7ZX.d.ts} +1 -1
  76. package/dist/{types-BNiLZY0i.d.mts → types-ClvUqrEm.d.mts} +1 -1
  77. package/dist/ui/index.d.mts +1 -1
  78. package/dist/ui/index.d.ts +1 -1
  79. package/package.json +1 -1
@@ -1,6 +1,6 @@
1
1
  import { AstraSyncGateway } from '../gateway/gateway.mjs';
2
- import { V as VerificationDecision, P as PDLSSContext } from '../types-BNiLZY0i.mjs';
3
- import '../types-rFh4VMH4.mjs';
2
+ import { V as VerificationDecision, P as PDLSSContext } from '../types-ClvUqrEm.mjs';
3
+ import '../types-B_wnd7ZX.mjs';
4
4
 
5
5
  /**
6
6
  * Git Trigger — Enterprise git push / PR verification
@@ -1,6 +1,6 @@
1
1
  import { AstraSyncGateway } from '../gateway/gateway.js';
2
- import { V as VerificationDecision, P as PDLSSContext } from '../types-DJi-u3fz.js';
3
- import '../types-rFh4VMH4.js';
2
+ import { V as VerificationDecision, P as PDLSSContext } from '../types-B6uD4jAI.js';
3
+ import '../types-B_wnd7ZX.js';
4
4
 
5
5
  /**
6
6
  * Git Trigger — Enterprise git push / PR verification
@@ -1,4 +1,4 @@
1
- import { b as AstraSyncCredentials, f as ProtocolTransport, G as GatewayConfig } from './types-rFh4VMH4.mjs';
1
+ import { c as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-B_wnd7ZX.mjs';
2
2
 
3
3
  /**
4
4
  * AgentClient — Credential Presentation
@@ -1,4 +1,4 @@
1
- import { b as AstraSyncCredentials, f as ProtocolTransport, G as GatewayConfig } from './types-rFh4VMH4.js';
1
+ import { c as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-B_wnd7ZX.js';
2
2
 
3
3
  /**
4
4
  * AgentClient — Credential Presentation
@@ -1,4 +1,4 @@
1
- import { b as AstraSyncCredentials, f as ProtocolTransport } from './types-rFh4VMH4.js';
1
+ import { c as AstraSyncCredentials, g as ProtocolTransport } from './types-B_wnd7ZX.js';
2
2
  import { JWK } from 'jose';
3
3
 
4
4
  /**
@@ -1,4 +1,4 @@
1
- import { b as AstraSyncCredentials, f as ProtocolTransport } from './types-rFh4VMH4.mjs';
1
+ import { c as AstraSyncCredentials, g as ProtocolTransport } from './types-B_wnd7ZX.mjs';
2
2
  import { JWK } from 'jose';
3
3
 
4
4
  /**
package/dist/index.d.mts CHANGED
@@ -1,12 +1,12 @@
1
- import { a as AgentCredentials, G as GatewayConfig, A as AccessLevel, V as VerificationRequest, i as VerificationResult } from './types-rFh4VMH4.mjs';
2
- export { b as AstraSyncCredentials, C as CommerceShieldProps, c as CounterpartyType, E as EnhancedVerificationResult, d as ExpressMiddlewareOptions, e as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, f as ProtocolTransport, R as RouteAccessConfig, g as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, h as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-rFh4VMH4.mjs';
3
- export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-e5jg7sqW.mjs';
4
- export { e as express } from './express-CeoSdOAZ.mjs';
5
- export { n as nextjs } from './nextjs-BW1rzr1I.mjs';
6
- export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-B51W8gn8.mjs';
1
+ import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, V as VerificationRequest, j as VerificationResult, E as EnhancedVerificationResult, A as AccessFailure } from './types-B_wnd7ZX.mjs';
2
+ export { c as AstraSyncCredentials, C as CommerceShieldProps, d as CounterpartyType, e as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, k as VerifiedAgent, l as VerifiedDeveloper, m as VerifiedOrganization } from './types-B_wnd7ZX.mjs';
3
+ export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-D1MuiiNz.mjs';
4
+ export { e as express } from './express-DAOTESQo.mjs';
5
+ export { n as nextjs } from './nextjs-CFQ_KDFf.mjs';
6
+ export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-kxLJ873R.mjs';
7
7
  export { McpMiddlewareOptions, ToolGateConfig, createMcpMiddleware } from './adapters/mcp.mjs';
8
8
  export { AgentProtocol, AgentRecord, AstraSync, AstraSyncConfig, AstraSyncError, AuthenticationError, BuildGuidanceParams, FrameworkConfig, GuidanceEnvelope, HealthResponse, KYDRequiredError, ModelConfig, PDLSSConfig, PDLSSDuration, PDLSSLimits, PDLSSPurpose, PDLSSScope, PDLSSSelfInstantiation, PendingRegistrationResponse, PollRegistrationResult, RegisterOptions, RegisterResult, RegistrationDeniedError, RegistrationExpiredError, RegistrationResponse, RegistrationTimeoutError, VerifyResponse, WaitForApprovalOptions, buildGuidance } from './registration/index.mjs';
9
- export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DtGziFEm.mjs';
9
+ export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BLeiWFLu.mjs';
10
10
  import 'express';
11
11
  import 'next/server';
12
12
  import 'jose';
@@ -50,6 +50,53 @@ declare function quickVerify(config: GatewayConfig, credentials: AgentCredential
50
50
  reason?: string;
51
51
  }>;
52
52
 
53
+ /**
54
+ * Settlement authorization — the value-aware, FAIL-CLOSED gate a direct merchant
55
+ * MUST call before settling a priced cart (post-#447 partner round, finding #1).
56
+ *
57
+ * The bug it closes: the SDK request middleware performs a header-only ACCESS
58
+ * check and never sends the transaction VALUE to verify-access, so the limit
59
+ * engine never evaluates value and returns `grant` — a fully SDK-compliant
60
+ * merchant settles every band, with the agent's PDLSS spend limits silently
61
+ * unenforced. The bridge is safe only because `confirm_purchase` re-verifies
62
+ * with the authoritative session total.
63
+ *
64
+ * The authoritative value exists ONLY after the merchant prices the cart (in the
65
+ * handler, after the middleware), and it must be the MERCHANT's priced total —
66
+ * never an agent-suppliable header (spoofable). So value enforcement is a
67
+ * settlement-time, merchant-invoked call that mirrors the bridge: verify the
68
+ * priced value against the agent's limits and refuse settlement unless it
69
+ * cleanly grants.
70
+ */
71
+
72
+ interface SettlementRequest {
73
+ /** The agent's ASTRA-id (the caller you are about to settle for). */
74
+ agentId: string;
75
+ /** The MERCHANT's authoritative priced total for the cart. Never an agent-supplied amount. */
76
+ value: number;
77
+ /** ISO-4217 currency of `value`. */
78
+ currency: string;
79
+ /** Defaults to the canonical commerce pair; override for custom categories (e.g. 'trading' / 'trading.execute'). */
80
+ purpose?: string;
81
+ action?: string;
82
+ }
83
+ interface SettlementDecision {
84
+ /** TRUE only on a clean grant. A step-up/approval outcome, any deny, a missing value, or a verify error all → false. */
85
+ authorized: boolean;
86
+ recommendation?: EnhancedVerificationResult['recommendation'];
87
+ reason?: string;
88
+ failures?: AccessFailure[];
89
+ correlationId?: string;
90
+ }
91
+ /**
92
+ * Authorize a settlement of `value` for `agentId` against the agent's PDLSS
93
+ * limits. FAIL-CLOSED: returns `authorized:false` on a missing/invalid value,
94
+ * a verify-access error, a step-up/approval outcome (the value is in the
95
+ * human-approval band and cannot complete autonomously), or any policy deny.
96
+ * Settle ONLY when `authorized === true`.
97
+ */
98
+ declare function authorizeSettlement(config: GatewayConfig, req: SettlementRequest): Promise<SettlementDecision>;
99
+
53
100
  /**
54
101
  * SDK-side discovery of canonical platform URLs via `/.well-known/agentic-commerce`.
55
102
  *
@@ -107,4 +154,4 @@ declare function getCachedWellKnownUrls(apiBaseUrl: string): WellKnownAgenticCom
107
154
 
108
155
  declare const VERSION = "2.0.0";
109
156
 
110
- export { AccessLevel, AgentCredentials, GatewayConfig, VERSION, VerificationRequest, VerificationResult, type WellKnownAgenticCommerce, clearCache, extractCredentials, getCachedWellKnownUrls, getWellKnownUrls, hasCredentials, prefetchWellKnown, quickVerify, verify };
157
+ export { AccessLevel, AgentCredentials, EnhancedVerificationResult, GatewayConfig, type SettlementDecision, type SettlementRequest, VERSION, VerificationRequest, VerificationResult, type WellKnownAgenticCommerce, authorizeSettlement, clearCache, extractCredentials, getCachedWellKnownUrls, getWellKnownUrls, hasCredentials, prefetchWellKnown, quickVerify, verify };
package/dist/index.d.ts CHANGED
@@ -1,12 +1,12 @@
1
- import { a as AgentCredentials, G as GatewayConfig, A as AccessLevel, V as VerificationRequest, i as VerificationResult } from './types-rFh4VMH4.js';
2
- export { b as AstraSyncCredentials, C as CommerceShieldProps, c as CounterpartyType, E as EnhancedVerificationResult, d as ExpressMiddlewareOptions, e as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, f as ProtocolTransport, R as RouteAccessConfig, g as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, h as TrustLevel, j as VerifiedAgent, k as VerifiedDeveloper, l as VerifiedOrganization } from './types-rFh4VMH4.js';
3
- export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-ZYgI7G9f.js';
4
- export { e as express } from './express-BowlMHQF.js';
5
- export { n as nextjs } from './nextjs-V_K0qlAQ.js';
6
- export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-DzXXBuLm.js';
1
+ import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, V as VerificationRequest, j as VerificationResult, E as EnhancedVerificationResult, A as AccessFailure } from './types-B_wnd7ZX.js';
2
+ export { c as AstraSyncCredentials, C as CommerceShieldProps, d as CounterpartyType, e as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, k as VerifiedAgent, l as VerifiedDeveloper, m as VerifiedOrganization } from './types-B_wnd7ZX.js';
3
+ export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-C7qAfpGB.js';
4
+ export { e as express } from './express-Lb8-Ybio.js';
5
+ export { n as nextjs } from './nextjs-BXK0nD73.js';
6
+ export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-E3fAidVt.js';
7
7
  export { McpMiddlewareOptions, ToolGateConfig, createMcpMiddleware } from './adapters/mcp.js';
8
8
  export { AgentProtocol, AgentRecord, AstraSync, AstraSyncConfig, AstraSyncError, AuthenticationError, BuildGuidanceParams, FrameworkConfig, GuidanceEnvelope, HealthResponse, KYDRequiredError, ModelConfig, PDLSSConfig, PDLSSDuration, PDLSSLimits, PDLSSPurpose, PDLSSScope, PDLSSSelfInstantiation, PendingRegistrationResponse, PollRegistrationResult, RegisterOptions, RegisterResult, RegistrationDeniedError, RegistrationExpiredError, RegistrationResponse, RegistrationTimeoutError, VerifyResponse, WaitForApprovalOptions, buildGuidance } from './registration/index.js';
9
- export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DBmlycVm.js';
9
+ export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DFwfHOGj.js';
10
10
  import 'express';
11
11
  import 'next/server';
12
12
  import 'jose';
@@ -50,6 +50,53 @@ declare function quickVerify(config: GatewayConfig, credentials: AgentCredential
50
50
  reason?: string;
51
51
  }>;
52
52
 
53
+ /**
54
+ * Settlement authorization — the value-aware, FAIL-CLOSED gate a direct merchant
55
+ * MUST call before settling a priced cart (post-#447 partner round, finding #1).
56
+ *
57
+ * The bug it closes: the SDK request middleware performs a header-only ACCESS
58
+ * check and never sends the transaction VALUE to verify-access, so the limit
59
+ * engine never evaluates value and returns `grant` — a fully SDK-compliant
60
+ * merchant settles every band, with the agent's PDLSS spend limits silently
61
+ * unenforced. The bridge is safe only because `confirm_purchase` re-verifies
62
+ * with the authoritative session total.
63
+ *
64
+ * The authoritative value exists ONLY after the merchant prices the cart (in the
65
+ * handler, after the middleware), and it must be the MERCHANT's priced total —
66
+ * never an agent-suppliable header (spoofable). So value enforcement is a
67
+ * settlement-time, merchant-invoked call that mirrors the bridge: verify the
68
+ * priced value against the agent's limits and refuse settlement unless it
69
+ * cleanly grants.
70
+ */
71
+
72
+ interface SettlementRequest {
73
+ /** The agent's ASTRA-id (the caller you are about to settle for). */
74
+ agentId: string;
75
+ /** The MERCHANT's authoritative priced total for the cart. Never an agent-supplied amount. */
76
+ value: number;
77
+ /** ISO-4217 currency of `value`. */
78
+ currency: string;
79
+ /** Defaults to the canonical commerce pair; override for custom categories (e.g. 'trading' / 'trading.execute'). */
80
+ purpose?: string;
81
+ action?: string;
82
+ }
83
+ interface SettlementDecision {
84
+ /** TRUE only on a clean grant. A step-up/approval outcome, any deny, a missing value, or a verify error all → false. */
85
+ authorized: boolean;
86
+ recommendation?: EnhancedVerificationResult['recommendation'];
87
+ reason?: string;
88
+ failures?: AccessFailure[];
89
+ correlationId?: string;
90
+ }
91
+ /**
92
+ * Authorize a settlement of `value` for `agentId` against the agent's PDLSS
93
+ * limits. FAIL-CLOSED: returns `authorized:false` on a missing/invalid value,
94
+ * a verify-access error, a step-up/approval outcome (the value is in the
95
+ * human-approval band and cannot complete autonomously), or any policy deny.
96
+ * Settle ONLY when `authorized === true`.
97
+ */
98
+ declare function authorizeSettlement(config: GatewayConfig, req: SettlementRequest): Promise<SettlementDecision>;
99
+
53
100
  /**
54
101
  * SDK-side discovery of canonical platform URLs via `/.well-known/agentic-commerce`.
55
102
  *
@@ -107,4 +154,4 @@ declare function getCachedWellKnownUrls(apiBaseUrl: string): WellKnownAgenticCom
107
154
 
108
155
  declare const VERSION = "2.0.0";
109
156
 
110
- export { AccessLevel, AgentCredentials, GatewayConfig, VERSION, VerificationRequest, VerificationResult, type WellKnownAgenticCommerce, clearCache, extractCredentials, getCachedWellKnownUrls, getWellKnownUrls, hasCredentials, prefetchWellKnown, quickVerify, verify };
157
+ export { AccessLevel, AgentCredentials, EnhancedVerificationResult, GatewayConfig, type SettlementDecision, type SettlementRequest, VERSION, VerificationRequest, VerificationResult, type WellKnownAgenticCommerce, authorizeSettlement, clearCache, extractCredentials, getCachedWellKnownUrls, getWellKnownUrls, hasCredentials, prefetchWellKnown, quickVerify, verify };
package/dist/index.js CHANGED
@@ -45,6 +45,7 @@ __export(src_exports, {
45
45
  TRUST_LEVEL_RANGES: () => TRUST_LEVEL_RANGES,
46
46
  VERSION: () => VERSION,
47
47
  agent: () => agent_exports,
48
+ authorizeSettlement: () => authorizeSettlement,
48
49
  buildGuidance: () => buildGuidance,
49
50
  clearCache: () => clearCache,
50
51
  createMcpMiddleware: () => createMcpMiddleware,
@@ -192,7 +193,7 @@ function getCapabilities(accessLevel) {
192
193
  }
193
194
 
194
195
  // src/version.ts
195
- var SDK_VERSION = "3.2.0";
196
+ var SDK_VERSION = "3.3.0";
196
197
 
197
198
  // src/well-known.ts
198
199
  var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -742,6 +743,67 @@ async function quickVerify(config, credentials) {
742
743
  };
743
744
  }
744
745
 
746
+ // src/adapters/approval-gate.ts
747
+ var APPROVAL_REASON = "Transaction is above the autonomous limit and requires human approval, which is not yet available - it cannot be completed automatically.";
748
+ function requiresHumanApproval(result) {
749
+ return result.requiresStepUp === true || result.requiresApproval === true;
750
+ }
751
+ function annotateApprovalRequired(result) {
752
+ result.failures = [
753
+ ...result.failures ?? [],
754
+ { dimension: "commerce.intent.approval_required", message: APPROVAL_REASON }
755
+ ];
756
+ result.denialReasons = [APPROVAL_REASON, ...result.denialReasons ?? []];
757
+ }
758
+
759
+ // src/settlement.ts
760
+ async function authorizeSettlement(config, req) {
761
+ if (typeof req.value !== "number" || !Number.isFinite(req.value) || req.value <= 0) {
762
+ return {
763
+ authorized: false,
764
+ recommendation: "deny",
765
+ reason: "No valid transaction value supplied to authorizeSettlement; settlement refused (fail-closed). Pass the merchant-priced cart total as `value`.",
766
+ failures: [
767
+ {
768
+ dimension: "commerce.settlement.value_missing",
769
+ message: "A positive, authoritative transaction value is required to authorize settlement."
770
+ }
771
+ ]
772
+ };
773
+ }
774
+ let result;
775
+ try {
776
+ result = await verify(config, {
777
+ credentials: { astraId: req.agentId },
778
+ purpose: req.purpose ?? "shopping",
779
+ action: req.action ?? "shopping.purchase",
780
+ transactionValue: req.value,
781
+ currency: req.currency
782
+ });
783
+ } catch (err) {
784
+ return {
785
+ authorized: false,
786
+ recommendation: "deny",
787
+ reason: `Settlement verification failed (${err instanceof Error ? err.message : String(err)}); settlement refused (fail-closed).`,
788
+ failures: [
789
+ {
790
+ dimension: "commerce.settlement.verify_error",
791
+ message: "verify-access could not be reached or returned an error; settlement is refused."
792
+ }
793
+ ]
794
+ };
795
+ }
796
+ const recommendation = result.recommendation;
797
+ const authorized = result.identityVerified === true && result.policyAllowed === true && !requiresHumanApproval(result) && (recommendation === void 0 || recommendation === "grant");
798
+ return {
799
+ authorized,
800
+ recommendation,
801
+ reason: authorized ? void 0 : result.denialReasons?.[0] ?? (requiresHumanApproval(result) ? "Transaction is above the autonomous limit and requires human approval; settlement cannot be authorized automatically." : "Settlement not authorized by the agent's PDLSS limits."),
802
+ failures: result.failures,
803
+ correlationId: result.correlationId
804
+ };
805
+ }
806
+
745
807
  // src/adapters/express.ts
746
808
  var express_exports = {};
747
809
  __export(express_exports, {
@@ -1205,6 +1267,16 @@ function createMiddleware(options) {
1205
1267
  onDenied(result, req, res);
1206
1268
  return;
1207
1269
  }
1270
+ if (requiresHumanApproval(result)) {
1271
+ annotateApprovalRequired(result);
1272
+ if (shouldRecordDecisions && sessionId) {
1273
+ recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
1274
+ });
1275
+ }
1276
+ dedupeFailures(result);
1277
+ onDenied(result, req, res);
1278
+ return;
1279
+ }
1208
1280
  if (!shouldEnforce) {
1209
1281
  if (config.setPassThroughHeader) {
1210
1282
  res.setHeader("X-Astra-Gateway-Mode", "enforced");
@@ -1652,7 +1724,9 @@ function createMiddleware2(options) {
1652
1724
  agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
1653
1725
  }
1654
1726
  });
1655
- if (!result.identityVerified || !result.policyAllowed) {
1727
+ const approvalRequired = result.identityVerified && result.policyAllowed && requiresHumanApproval(result);
1728
+ if (approvalRequired) annotateApprovalRequired(result);
1729
+ if (!result.identityVerified || !result.policyAllowed || approvalRequired) {
1656
1730
  if (pathname.startsWith("/api/")) {
1657
1731
  return NextResponse.json(
1658
1732
  {
@@ -1662,7 +1736,8 @@ function createMiddleware2(options) {
1662
1736
  // OK, policy denied (update PDLSS / step up).
1663
1737
  code: !result.identityVerified ? "UNAUTHORIZED" : "POLICY_DENIED",
1664
1738
  message: result.denialReasons?.[0] || "Access denied",
1665
- guidance: result.guidance
1739
+ guidance: result.guidance,
1740
+ failures: result.failures
1666
1741
  }
1667
1742
  },
1668
1743
  { status: !result.identityVerified ? 401 : 403 }
@@ -4733,6 +4808,16 @@ function createMcpMiddleware(options) {
4733
4808
  onDenied(result, req, res);
4734
4809
  return;
4735
4810
  }
4811
+ if (requiresHumanApproval(result)) {
4812
+ annotateApprovalRequired(result);
4813
+ if (shouldRecordDecisions && sessionId) {
4814
+ recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
4815
+ });
4816
+ }
4817
+ dedupeFailures2(result);
4818
+ onDenied(result, req, res);
4819
+ return;
4820
+ }
4736
4821
  if (!shouldEnforce) {
4737
4822
  if (config.setPassThroughHeader) {
4738
4823
  res.setHeader("X-Astra-Gateway-Mode", "enforced");
@@ -5498,6 +5583,7 @@ var VERSION = "2.0.0";
5498
5583
  TRUST_LEVEL_RANGES,
5499
5584
  VERSION,
5500
5585
  agent,
5586
+ authorizeSettlement,
5501
5587
  buildGuidance,
5502
5588
  clearCache,
5503
5589
  createMcpMiddleware,