@astrasyncai/verification-gateway 3.2.0 → 3.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter-interface/interface.d.mts +2 -2
- package/dist/adapter-interface/interface.d.ts +2 -2
- package/dist/adapters/express.d.mts +2 -2
- package/dist/adapters/express.d.ts +2 -2
- package/dist/adapters/express.js +24 -1
- package/dist/adapters/express.js.map +1 -1
- package/dist/adapters/express.mjs +24 -1
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/mcp.d.mts +1 -1
- package/dist/adapters/mcp.d.ts +1 -1
- package/dist/adapters/mcp.js +24 -1
- package/dist/adapters/mcp.js.map +1 -1
- package/dist/adapters/mcp.mjs +24 -1
- package/dist/adapters/mcp.mjs.map +1 -1
- package/dist/adapters/nextjs.d.mts +2 -2
- package/dist/adapters/nextjs.d.ts +2 -2
- package/dist/adapters/nextjs.js +19 -3
- package/dist/adapters/nextjs.js.map +1 -1
- package/dist/adapters/nextjs.mjs +19 -3
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/adapters/sdk.d.mts +2 -2
- package/dist/adapters/sdk.d.ts +2 -2
- package/dist/adapters/sdk.js +1 -1
- package/dist/adapters/sdk.js.map +1 -1
- package/dist/adapters/sdk.mjs +1 -1
- package/dist/adapters/sdk.mjs.map +1 -1
- package/dist/agent/index.d.mts +2 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/browser/background.js +1 -1
- package/dist/browser/background.js.map +1 -1
- package/dist/browser/background.mjs +1 -1
- package/dist/browser/background.mjs.map +1 -1
- package/dist/browser/browser-adapter.d.mts +2 -2
- package/dist/browser/browser-adapter.d.ts +2 -2
- package/dist/cli/index.d.mts +2 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cursor/cursor-adapter.d.mts +2 -2
- package/dist/cursor/cursor-adapter.d.ts +2 -2
- package/dist/cursor/extension.d.mts +2 -2
- package/dist/cursor/extension.d.ts +2 -2
- package/dist/cursor/extension.js +1 -1
- package/dist/cursor/extension.js.map +1 -1
- package/dist/cursor/extension.mjs +1 -1
- package/dist/cursor/extension.mjs.map +1 -1
- package/dist/{express-CeoSdOAZ.d.mts → express-DAOTESQo.d.mts} +1 -1
- package/dist/{express-BowlMHQF.d.ts → express-Lb8-Ybio.d.ts} +1 -1
- package/dist/gateway/gateway.d.mts +2 -2
- package/dist/gateway/gateway.d.ts +2 -2
- package/dist/gateway/gateway.js +1 -1
- package/dist/gateway/gateway.js.map +1 -1
- package/dist/gateway/gateway.mjs +1 -1
- package/dist/gateway/gateway.mjs.map +1 -1
- package/dist/git-trigger/git-hooks.d.mts +2 -2
- package/dist/git-trigger/git-hooks.d.ts +2 -2
- package/dist/{index-DtGziFEm.d.mts → index-BLeiWFLu.d.mts} +1 -1
- package/dist/{index-DBmlycVm.d.ts → index-DFwfHOGj.d.ts} +1 -1
- package/dist/{index-DzXXBuLm.d.ts → index-E3fAidVt.d.ts} +1 -1
- package/dist/{index-B51W8gn8.d.mts → index-kxLJ873R.d.mts} +1 -1
- package/dist/index.d.mts +55 -8
- package/dist/index.d.ts +55 -8
- package/dist/index.js +89 -3
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +88 -3
- package/dist/index.mjs.map +1 -1
- package/dist/local-evaluator/evaluator.d.mts +2 -2
- package/dist/local-evaluator/evaluator.d.ts +2 -2
- package/dist/{nextjs-V_K0qlAQ.d.ts → nextjs-BXK0nD73.d.ts} +1 -1
- package/dist/{nextjs-BW1rzr1I.d.mts → nextjs-CFQ_KDFf.d.mts} +1 -1
- package/dist/{sdk-ZYgI7G9f.d.ts → sdk-C7qAfpGB.d.ts} +1 -1
- package/dist/{sdk-e5jg7sqW.d.mts → sdk-D1MuiiNz.d.mts} +1 -1
- package/dist/transport/index.d.mts +2 -2
- package/dist/transport/index.d.ts +2 -2
- package/dist/{types-DJi-u3fz.d.ts → types-B6uD4jAI.d.ts} +1 -1
- package/dist/{types-rFh4VMH4.d.mts → types-B_wnd7ZX.d.mts} +1 -1
- package/dist/{types-rFh4VMH4.d.ts → types-B_wnd7ZX.d.ts} +1 -1
- package/dist/{types-BNiLZY0i.d.mts → types-ClvUqrEm.d.mts} +1 -1
- package/dist/ui/index.d.mts +1 -1
- package/dist/ui/index.d.ts +1 -1
- package/package.json +1 -1
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { AstraSyncGateway } from '../gateway/gateway.mjs';
|
|
2
|
-
import { V as VerificationDecision, P as PDLSSContext } from '../types-
|
|
3
|
-
import '../types-
|
|
2
|
+
import { V as VerificationDecision, P as PDLSSContext } from '../types-ClvUqrEm.mjs';
|
|
3
|
+
import '../types-B_wnd7ZX.mjs';
|
|
4
4
|
|
|
5
5
|
/**
|
|
6
6
|
* Git Trigger — Enterprise git push / PR verification
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { AstraSyncGateway } from '../gateway/gateway.js';
|
|
2
|
-
import { V as VerificationDecision, P as PDLSSContext } from '../types-
|
|
3
|
-
import '../types-
|
|
2
|
+
import { V as VerificationDecision, P as PDLSSContext } from '../types-B6uD4jAI.js';
|
|
3
|
+
import '../types-B_wnd7ZX.js';
|
|
4
4
|
|
|
5
5
|
/**
|
|
6
6
|
* Git Trigger — Enterprise git push / PR verification
|
package/dist/index.d.mts
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
|
-
import {
|
|
2
|
-
export {
|
|
3
|
-
export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-
|
|
4
|
-
export { e as express } from './express-
|
|
5
|
-
export { n as nextjs } from './nextjs-
|
|
6
|
-
export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-
|
|
1
|
+
import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, V as VerificationRequest, j as VerificationResult, E as EnhancedVerificationResult, A as AccessFailure } from './types-B_wnd7ZX.mjs';
|
|
2
|
+
export { c as AstraSyncCredentials, C as CommerceShieldProps, d as CounterpartyType, e as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, k as VerifiedAgent, l as VerifiedDeveloper, m as VerifiedOrganization } from './types-B_wnd7ZX.mjs';
|
|
3
|
+
export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-D1MuiiNz.mjs';
|
|
4
|
+
export { e as express } from './express-DAOTESQo.mjs';
|
|
5
|
+
export { n as nextjs } from './nextjs-CFQ_KDFf.mjs';
|
|
6
|
+
export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-kxLJ873R.mjs';
|
|
7
7
|
export { McpMiddlewareOptions, ToolGateConfig, createMcpMiddleware } from './adapters/mcp.mjs';
|
|
8
8
|
export { AgentProtocol, AgentRecord, AstraSync, AstraSyncConfig, AstraSyncError, AuthenticationError, BuildGuidanceParams, FrameworkConfig, GuidanceEnvelope, HealthResponse, KYDRequiredError, ModelConfig, PDLSSConfig, PDLSSDuration, PDLSSLimits, PDLSSPurpose, PDLSSScope, PDLSSSelfInstantiation, PendingRegistrationResponse, PollRegistrationResult, RegisterOptions, RegisterResult, RegistrationDeniedError, RegistrationExpiredError, RegistrationResponse, RegistrationTimeoutError, VerifyResponse, WaitForApprovalOptions, buildGuidance } from './registration/index.mjs';
|
|
9
|
-
export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-
|
|
9
|
+
export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-BLeiWFLu.mjs';
|
|
10
10
|
import 'express';
|
|
11
11
|
import 'next/server';
|
|
12
12
|
import 'jose';
|
|
@@ -50,6 +50,53 @@ declare function quickVerify(config: GatewayConfig, credentials: AgentCredential
|
|
|
50
50
|
reason?: string;
|
|
51
51
|
}>;
|
|
52
52
|
|
|
53
|
+
/**
|
|
54
|
+
* Settlement authorization — the value-aware, FAIL-CLOSED gate a direct merchant
|
|
55
|
+
* MUST call before settling a priced cart (post-#447 partner round, finding #1).
|
|
56
|
+
*
|
|
57
|
+
* The bug it closes: the SDK request middleware performs a header-only ACCESS
|
|
58
|
+
* check and never sends the transaction VALUE to verify-access, so the limit
|
|
59
|
+
* engine never evaluates value and returns `grant` — a fully SDK-compliant
|
|
60
|
+
* merchant settles every band, with the agent's PDLSS spend limits silently
|
|
61
|
+
* unenforced. The bridge is safe only because `confirm_purchase` re-verifies
|
|
62
|
+
* with the authoritative session total.
|
|
63
|
+
*
|
|
64
|
+
* The authoritative value exists ONLY after the merchant prices the cart (in the
|
|
65
|
+
* handler, after the middleware), and it must be the MERCHANT's priced total —
|
|
66
|
+
* never an agent-suppliable header (spoofable). So value enforcement is a
|
|
67
|
+
* settlement-time, merchant-invoked call that mirrors the bridge: verify the
|
|
68
|
+
* priced value against the agent's limits and refuse settlement unless it
|
|
69
|
+
* cleanly grants.
|
|
70
|
+
*/
|
|
71
|
+
|
|
72
|
+
interface SettlementRequest {
|
|
73
|
+
/** The agent's ASTRA-id (the caller you are about to settle for). */
|
|
74
|
+
agentId: string;
|
|
75
|
+
/** The MERCHANT's authoritative priced total for the cart. Never an agent-supplied amount. */
|
|
76
|
+
value: number;
|
|
77
|
+
/** ISO-4217 currency of `value`. */
|
|
78
|
+
currency: string;
|
|
79
|
+
/** Defaults to the canonical commerce pair; override for custom categories (e.g. 'trading' / 'trading.execute'). */
|
|
80
|
+
purpose?: string;
|
|
81
|
+
action?: string;
|
|
82
|
+
}
|
|
83
|
+
interface SettlementDecision {
|
|
84
|
+
/** TRUE only on a clean grant. A step-up/approval outcome, any deny, a missing value, or a verify error all → false. */
|
|
85
|
+
authorized: boolean;
|
|
86
|
+
recommendation?: EnhancedVerificationResult['recommendation'];
|
|
87
|
+
reason?: string;
|
|
88
|
+
failures?: AccessFailure[];
|
|
89
|
+
correlationId?: string;
|
|
90
|
+
}
|
|
91
|
+
/**
|
|
92
|
+
* Authorize a settlement of `value` for `agentId` against the agent's PDLSS
|
|
93
|
+
* limits. FAIL-CLOSED: returns `authorized:false` on a missing/invalid value,
|
|
94
|
+
* a verify-access error, a step-up/approval outcome (the value is in the
|
|
95
|
+
* human-approval band and cannot complete autonomously), or any policy deny.
|
|
96
|
+
* Settle ONLY when `authorized === true`.
|
|
97
|
+
*/
|
|
98
|
+
declare function authorizeSettlement(config: GatewayConfig, req: SettlementRequest): Promise<SettlementDecision>;
|
|
99
|
+
|
|
53
100
|
/**
|
|
54
101
|
* SDK-side discovery of canonical platform URLs via `/.well-known/agentic-commerce`.
|
|
55
102
|
*
|
|
@@ -107,4 +154,4 @@ declare function getCachedWellKnownUrls(apiBaseUrl: string): WellKnownAgenticCom
|
|
|
107
154
|
|
|
108
155
|
declare const VERSION = "2.0.0";
|
|
109
156
|
|
|
110
|
-
export { AccessLevel, AgentCredentials, GatewayConfig, VERSION, VerificationRequest, VerificationResult, type WellKnownAgenticCommerce, clearCache, extractCredentials, getCachedWellKnownUrls, getWellKnownUrls, hasCredentials, prefetchWellKnown, quickVerify, verify };
|
|
157
|
+
export { AccessLevel, AgentCredentials, EnhancedVerificationResult, GatewayConfig, type SettlementDecision, type SettlementRequest, VERSION, VerificationRequest, VerificationResult, type WellKnownAgenticCommerce, authorizeSettlement, clearCache, extractCredentials, getCachedWellKnownUrls, getWellKnownUrls, hasCredentials, prefetchWellKnown, quickVerify, verify };
|
package/dist/index.d.ts
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
|
-
import {
|
|
2
|
-
export {
|
|
3
|
-
export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-
|
|
4
|
-
export { e as express } from './express-
|
|
5
|
-
export { n as nextjs } from './nextjs-
|
|
6
|
-
export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-
|
|
1
|
+
import { b as AgentCredentials, G as GatewayConfig, a as AccessLevel, V as VerificationRequest, j as VerificationResult, E as EnhancedVerificationResult, A as AccessFailure } from './types-B_wnd7ZX.js';
|
|
2
|
+
export { c as AstraSyncCredentials, C as CommerceShieldProps, d as CounterpartyType, e as ExpressMiddlewareOptions, f as GuidanceInfo, N as NextJsMiddlewareOptions, P as PDLSSInfo, g as ProtocolTransport, R as RouteAccessConfig, h as RuntimeChallengeResult, S as SDKOptions, T as TokenGuidance, i as TrustLevel, k as VerifiedAgent, l as VerifiedDeveloper, m as VerifiedOrganization } from './types-B_wnd7ZX.js';
|
|
3
|
+
export { A as ACCESS_LEVEL_DESCRIPTIONS, a as ACCESS_LEVEL_HIERARCHY, b as AccessCapabilities, D as DEFAULT_TRUST_THRESHOLDS, T as TRUST_LEVEL_RANGES, d as determineAccessLevel, g as getAccessLevelForScore, e as getCapabilities, f as getTrustLevel, h as hasMinimumAccess, s as sdk } from './sdk-C7qAfpGB.js';
|
|
4
|
+
export { e as express } from './express-Lb8-Ybio.js';
|
|
5
|
+
export { n as nextjs } from './nextjs-BXK0nD73.js';
|
|
6
|
+
export { aR as extractMcpCredentials, bg as setMcpMeta, b1 as transport } from './index-E3fAidVt.js';
|
|
7
7
|
export { McpMiddlewareOptions, ToolGateConfig, createMcpMiddleware } from './adapters/mcp.js';
|
|
8
8
|
export { AgentProtocol, AgentRecord, AstraSync, AstraSyncConfig, AstraSyncError, AuthenticationError, BuildGuidanceParams, FrameworkConfig, GuidanceEnvelope, HealthResponse, KYDRequiredError, ModelConfig, PDLSSConfig, PDLSSDuration, PDLSSLimits, PDLSSPurpose, PDLSSScope, PDLSSSelfInstantiation, PendingRegistrationResponse, PollRegistrationResult, RegisterOptions, RegisterResult, RegistrationDeniedError, RegistrationExpiredError, RegistrationResponse, RegistrationTimeoutError, VerifyResponse, WaitForApprovalOptions, buildGuidance } from './registration/index.js';
|
|
9
|
-
export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-
|
|
9
|
+
export { A as AgentClient, C as ChallengeHandler, i as agent, r as recordDecision } from './index-DFwfHOGj.js';
|
|
10
10
|
import 'express';
|
|
11
11
|
import 'next/server';
|
|
12
12
|
import 'jose';
|
|
@@ -50,6 +50,53 @@ declare function quickVerify(config: GatewayConfig, credentials: AgentCredential
|
|
|
50
50
|
reason?: string;
|
|
51
51
|
}>;
|
|
52
52
|
|
|
53
|
+
/**
|
|
54
|
+
* Settlement authorization — the value-aware, FAIL-CLOSED gate a direct merchant
|
|
55
|
+
* MUST call before settling a priced cart (post-#447 partner round, finding #1).
|
|
56
|
+
*
|
|
57
|
+
* The bug it closes: the SDK request middleware performs a header-only ACCESS
|
|
58
|
+
* check and never sends the transaction VALUE to verify-access, so the limit
|
|
59
|
+
* engine never evaluates value and returns `grant` — a fully SDK-compliant
|
|
60
|
+
* merchant settles every band, with the agent's PDLSS spend limits silently
|
|
61
|
+
* unenforced. The bridge is safe only because `confirm_purchase` re-verifies
|
|
62
|
+
* with the authoritative session total.
|
|
63
|
+
*
|
|
64
|
+
* The authoritative value exists ONLY after the merchant prices the cart (in the
|
|
65
|
+
* handler, after the middleware), and it must be the MERCHANT's priced total —
|
|
66
|
+
* never an agent-suppliable header (spoofable). So value enforcement is a
|
|
67
|
+
* settlement-time, merchant-invoked call that mirrors the bridge: verify the
|
|
68
|
+
* priced value against the agent's limits and refuse settlement unless it
|
|
69
|
+
* cleanly grants.
|
|
70
|
+
*/
|
|
71
|
+
|
|
72
|
+
interface SettlementRequest {
|
|
73
|
+
/** The agent's ASTRA-id (the caller you are about to settle for). */
|
|
74
|
+
agentId: string;
|
|
75
|
+
/** The MERCHANT's authoritative priced total for the cart. Never an agent-supplied amount. */
|
|
76
|
+
value: number;
|
|
77
|
+
/** ISO-4217 currency of `value`. */
|
|
78
|
+
currency: string;
|
|
79
|
+
/** Defaults to the canonical commerce pair; override for custom categories (e.g. 'trading' / 'trading.execute'). */
|
|
80
|
+
purpose?: string;
|
|
81
|
+
action?: string;
|
|
82
|
+
}
|
|
83
|
+
interface SettlementDecision {
|
|
84
|
+
/** TRUE only on a clean grant. A step-up/approval outcome, any deny, a missing value, or a verify error all → false. */
|
|
85
|
+
authorized: boolean;
|
|
86
|
+
recommendation?: EnhancedVerificationResult['recommendation'];
|
|
87
|
+
reason?: string;
|
|
88
|
+
failures?: AccessFailure[];
|
|
89
|
+
correlationId?: string;
|
|
90
|
+
}
|
|
91
|
+
/**
|
|
92
|
+
* Authorize a settlement of `value` for `agentId` against the agent's PDLSS
|
|
93
|
+
* limits. FAIL-CLOSED: returns `authorized:false` on a missing/invalid value,
|
|
94
|
+
* a verify-access error, a step-up/approval outcome (the value is in the
|
|
95
|
+
* human-approval band and cannot complete autonomously), or any policy deny.
|
|
96
|
+
* Settle ONLY when `authorized === true`.
|
|
97
|
+
*/
|
|
98
|
+
declare function authorizeSettlement(config: GatewayConfig, req: SettlementRequest): Promise<SettlementDecision>;
|
|
99
|
+
|
|
53
100
|
/**
|
|
54
101
|
* SDK-side discovery of canonical platform URLs via `/.well-known/agentic-commerce`.
|
|
55
102
|
*
|
|
@@ -107,4 +154,4 @@ declare function getCachedWellKnownUrls(apiBaseUrl: string): WellKnownAgenticCom
|
|
|
107
154
|
|
|
108
155
|
declare const VERSION = "2.0.0";
|
|
109
156
|
|
|
110
|
-
export { AccessLevel, AgentCredentials, GatewayConfig, VERSION, VerificationRequest, VerificationResult, type WellKnownAgenticCommerce, clearCache, extractCredentials, getCachedWellKnownUrls, getWellKnownUrls, hasCredentials, prefetchWellKnown, quickVerify, verify };
|
|
157
|
+
export { AccessLevel, AgentCredentials, EnhancedVerificationResult, GatewayConfig, type SettlementDecision, type SettlementRequest, VERSION, VerificationRequest, VerificationResult, type WellKnownAgenticCommerce, authorizeSettlement, clearCache, extractCredentials, getCachedWellKnownUrls, getWellKnownUrls, hasCredentials, prefetchWellKnown, quickVerify, verify };
|
package/dist/index.js
CHANGED
|
@@ -45,6 +45,7 @@ __export(src_exports, {
|
|
|
45
45
|
TRUST_LEVEL_RANGES: () => TRUST_LEVEL_RANGES,
|
|
46
46
|
VERSION: () => VERSION,
|
|
47
47
|
agent: () => agent_exports,
|
|
48
|
+
authorizeSettlement: () => authorizeSettlement,
|
|
48
49
|
buildGuidance: () => buildGuidance,
|
|
49
50
|
clearCache: () => clearCache,
|
|
50
51
|
createMcpMiddleware: () => createMcpMiddleware,
|
|
@@ -192,7 +193,7 @@ function getCapabilities(accessLevel) {
|
|
|
192
193
|
}
|
|
193
194
|
|
|
194
195
|
// src/version.ts
|
|
195
|
-
var SDK_VERSION = "3.
|
|
196
|
+
var SDK_VERSION = "3.3.0";
|
|
196
197
|
|
|
197
198
|
// src/well-known.ts
|
|
198
199
|
var CACHE_TTL_MS = 60 * 60 * 1e3;
|
|
@@ -742,6 +743,67 @@ async function quickVerify(config, credentials) {
|
|
|
742
743
|
};
|
|
743
744
|
}
|
|
744
745
|
|
|
746
|
+
// src/adapters/approval-gate.ts
|
|
747
|
+
var APPROVAL_REASON = "Transaction is above the autonomous limit and requires human approval, which is not yet available - it cannot be completed automatically.";
|
|
748
|
+
function requiresHumanApproval(result) {
|
|
749
|
+
return result.requiresStepUp === true || result.requiresApproval === true;
|
|
750
|
+
}
|
|
751
|
+
function annotateApprovalRequired(result) {
|
|
752
|
+
result.failures = [
|
|
753
|
+
...result.failures ?? [],
|
|
754
|
+
{ dimension: "commerce.intent.approval_required", message: APPROVAL_REASON }
|
|
755
|
+
];
|
|
756
|
+
result.denialReasons = [APPROVAL_REASON, ...result.denialReasons ?? []];
|
|
757
|
+
}
|
|
758
|
+
|
|
759
|
+
// src/settlement.ts
|
|
760
|
+
async function authorizeSettlement(config, req) {
|
|
761
|
+
if (typeof req.value !== "number" || !Number.isFinite(req.value) || req.value <= 0) {
|
|
762
|
+
return {
|
|
763
|
+
authorized: false,
|
|
764
|
+
recommendation: "deny",
|
|
765
|
+
reason: "No valid transaction value supplied to authorizeSettlement; settlement refused (fail-closed). Pass the merchant-priced cart total as `value`.",
|
|
766
|
+
failures: [
|
|
767
|
+
{
|
|
768
|
+
dimension: "commerce.settlement.value_missing",
|
|
769
|
+
message: "A positive, authoritative transaction value is required to authorize settlement."
|
|
770
|
+
}
|
|
771
|
+
]
|
|
772
|
+
};
|
|
773
|
+
}
|
|
774
|
+
let result;
|
|
775
|
+
try {
|
|
776
|
+
result = await verify(config, {
|
|
777
|
+
credentials: { astraId: req.agentId },
|
|
778
|
+
purpose: req.purpose ?? "shopping",
|
|
779
|
+
action: req.action ?? "shopping.purchase",
|
|
780
|
+
transactionValue: req.value,
|
|
781
|
+
currency: req.currency
|
|
782
|
+
});
|
|
783
|
+
} catch (err) {
|
|
784
|
+
return {
|
|
785
|
+
authorized: false,
|
|
786
|
+
recommendation: "deny",
|
|
787
|
+
reason: `Settlement verification failed (${err instanceof Error ? err.message : String(err)}); settlement refused (fail-closed).`,
|
|
788
|
+
failures: [
|
|
789
|
+
{
|
|
790
|
+
dimension: "commerce.settlement.verify_error",
|
|
791
|
+
message: "verify-access could not be reached or returned an error; settlement is refused."
|
|
792
|
+
}
|
|
793
|
+
]
|
|
794
|
+
};
|
|
795
|
+
}
|
|
796
|
+
const recommendation = result.recommendation;
|
|
797
|
+
const authorized = result.identityVerified === true && result.policyAllowed === true && !requiresHumanApproval(result) && (recommendation === void 0 || recommendation === "grant");
|
|
798
|
+
return {
|
|
799
|
+
authorized,
|
|
800
|
+
recommendation,
|
|
801
|
+
reason: authorized ? void 0 : result.denialReasons?.[0] ?? (requiresHumanApproval(result) ? "Transaction is above the autonomous limit and requires human approval; settlement cannot be authorized automatically." : "Settlement not authorized by the agent's PDLSS limits."),
|
|
802
|
+
failures: result.failures,
|
|
803
|
+
correlationId: result.correlationId
|
|
804
|
+
};
|
|
805
|
+
}
|
|
806
|
+
|
|
745
807
|
// src/adapters/express.ts
|
|
746
808
|
var express_exports = {};
|
|
747
809
|
__export(express_exports, {
|
|
@@ -1205,6 +1267,16 @@ function createMiddleware(options) {
|
|
|
1205
1267
|
onDenied(result, req, res);
|
|
1206
1268
|
return;
|
|
1207
1269
|
}
|
|
1270
|
+
if (requiresHumanApproval(result)) {
|
|
1271
|
+
annotateApprovalRequired(result);
|
|
1272
|
+
if (shouldRecordDecisions && sessionId) {
|
|
1273
|
+
recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
|
|
1274
|
+
});
|
|
1275
|
+
}
|
|
1276
|
+
dedupeFailures(result);
|
|
1277
|
+
onDenied(result, req, res);
|
|
1278
|
+
return;
|
|
1279
|
+
}
|
|
1208
1280
|
if (!shouldEnforce) {
|
|
1209
1281
|
if (config.setPassThroughHeader) {
|
|
1210
1282
|
res.setHeader("X-Astra-Gateway-Mode", "enforced");
|
|
@@ -1652,7 +1724,9 @@ function createMiddleware2(options) {
|
|
|
1652
1724
|
agentCardUrl: request.headers.get("x-astrasync-agent-card") || void 0
|
|
1653
1725
|
}
|
|
1654
1726
|
});
|
|
1655
|
-
|
|
1727
|
+
const approvalRequired = result.identityVerified && result.policyAllowed && requiresHumanApproval(result);
|
|
1728
|
+
if (approvalRequired) annotateApprovalRequired(result);
|
|
1729
|
+
if (!result.identityVerified || !result.policyAllowed || approvalRequired) {
|
|
1656
1730
|
if (pathname.startsWith("/api/")) {
|
|
1657
1731
|
return NextResponse.json(
|
|
1658
1732
|
{
|
|
@@ -1662,7 +1736,8 @@ function createMiddleware2(options) {
|
|
|
1662
1736
|
// OK, policy denied (update PDLSS / step up).
|
|
1663
1737
|
code: !result.identityVerified ? "UNAUTHORIZED" : "POLICY_DENIED",
|
|
1664
1738
|
message: result.denialReasons?.[0] || "Access denied",
|
|
1665
|
-
guidance: result.guidance
|
|
1739
|
+
guidance: result.guidance,
|
|
1740
|
+
failures: result.failures
|
|
1666
1741
|
}
|
|
1667
1742
|
},
|
|
1668
1743
|
{ status: !result.identityVerified ? 401 : 403 }
|
|
@@ -4733,6 +4808,16 @@ function createMcpMiddleware(options) {
|
|
|
4733
4808
|
onDenied(result, req, res);
|
|
4734
4809
|
return;
|
|
4735
4810
|
}
|
|
4811
|
+
if (requiresHumanApproval(result)) {
|
|
4812
|
+
annotateApprovalRequired(result);
|
|
4813
|
+
if (shouldRecordDecisions && sessionId) {
|
|
4814
|
+
recordDecision(config, sessionId, "denied", result.denialReasons?.[0]).catch(() => {
|
|
4815
|
+
});
|
|
4816
|
+
}
|
|
4817
|
+
dedupeFailures2(result);
|
|
4818
|
+
onDenied(result, req, res);
|
|
4819
|
+
return;
|
|
4820
|
+
}
|
|
4736
4821
|
if (!shouldEnforce) {
|
|
4737
4822
|
if (config.setPassThroughHeader) {
|
|
4738
4823
|
res.setHeader("X-Astra-Gateway-Mode", "enforced");
|
|
@@ -5498,6 +5583,7 @@ var VERSION = "2.0.0";
|
|
|
5498
5583
|
TRUST_LEVEL_RANGES,
|
|
5499
5584
|
VERSION,
|
|
5500
5585
|
agent,
|
|
5586
|
+
authorizeSettlement,
|
|
5501
5587
|
buildGuidance,
|
|
5502
5588
|
clearCache,
|
|
5503
5589
|
createMcpMiddleware,
|