@naylence/advanced-security 0.3.0

package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-signer-factory.js

@@ -0,0 +1,71 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdvancedEdDSAEnvelopeSignerFactory = exports.FACTORY_META = void 0;
+const runtime_1 = require("@naylence/runtime");
+exports.FACTORY_META = {
+    base: runtime_1.ENVELOPE_SIGNER_FACTORY_BASE_TYPE,
+    key: "EdDSAEnvelopeSigner",
+    isDefault: true,
+    priority: 100,
+};
+let eddsaEnvelopeSignerModulePromise = null;
+async function getEdDSAEnvelopeSignerModule() {
+    if (!eddsaEnvelopeSignerModulePromise) {
+        eddsaEnvelopeSignerModulePromise = Promise.resolve().then(() => __importStar(require("naylence-runtime/naylence/fame/security/signing/eddsa-envelope-signer.js")));
+    }
+    return eddsaEnvelopeSignerModulePromise;
+}
+class AdvancedEdDSAEnvelopeSignerFactory extends runtime_1.EnvelopeSignerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "EdDSAEnvelopeSigner";
+        this.isDefault = true;
+        this.priority = 100;
+    }
+    async create(_config, options) {
+        const resolved = {
+            cryptoProvider: options?.cryptoProvider ?? null,
+            signingConfig: options?.signingConfig ?? null,
+            privateKeyPem: options?.privateKeyPem,
+            keyId: options?.keyId,
+        };
+        const { EdDSAEnvelopeSigner } = await getEdDSAEnvelopeSignerModule();
+        return new EdDSAEnvelopeSigner(resolved);
+    }
+}
+exports.AdvancedEdDSAEnvelopeSignerFactory = AdvancedEdDSAEnvelopeSignerFactory;
+exports.default = AdvancedEdDSAEnvelopeSignerFactory;
+//# sourceMappingURL=eddsa-envelope-signer-factory.js.map

package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-signer-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eddsa-envelope-signer-factory.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/signing/eddsa-envelope-signer-factory.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,+CAI2B;AAQd,QAAA,YAAY,GAAG;IAC1B,IAAI,EAAE,2CAAiC;IACvC,GAAG,EAAE,qBAAqB;IAC1B,SAAS,EAAE,IAAI;IACf,QAAQ,EAAE,GAAG;CACL,CAAC;AAKX,IAAI,gCAAgC,GAClC,IAAI,CAAC;AAEP,KAAK,UAAU,4BAA4B;IACzC,IAAI,CAAC,gCAAgC,EAAE,CAAC;QACtC,gCAAgC,qDAC9B,0EAA0E,GAC3E,CAAC;IACJ,CAAC;IAED,OAAO,gCAAgC,CAAC;AAC1C,CAAC;AAED,MAAa,kCAAmC,SAAQ,+BAAgD;IAAxG;;QACkB,SAAI,GAAG,qBAAqB,CAAC;QAC7B,cAAS,GAAG,IAAI,CAAC;QACjB,aAAQ,GAAG,GAAG,CAAC;IAiBjC,CAAC;IAfQ,KAAK,CAAC,MAAM,CACjB,OAAoE,EACpE,OAA2C;QAE3C,MAAM,QAAQ,GAA+B;YAC3C,cAAc,EAAE,OAAO,EAAE,cAAc,IAAI,IAAI;YAC/C,aAAa,EAAE,OAAO,EAAE,aAAa,IAAI,IAAI;YAC7C,aAAa,EAAE,OAAO,EAAE,aAAa;YACrC,KAAK,EAAE,OAAO,EAAE,KAAK;SACtB,CAAC;QAEF,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,4BAA4B,EAAE,CAAC;QAErE,OAAO,IAAI,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;CACF;AApBD,gFAoBC;AAED,kBAAe,kCAAkC,CAAC"}

package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-verifier-factory.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdvancedEdDSAEnvelopeVerifierFactory = exports.FACTORY_META = void 0;
+const runtime_1 = require("@naylence/runtime");
+const eddsa_envelope_verifier_js_1 = require("./eddsa-envelope-verifier.js");
+exports.FACTORY_META = {
+    base: runtime_1.ENVELOPE_VERIFIER_FACTORY_BASE_TYPE,
+    key: "EdDSAEnvelopeVerifier",
+    isDefault: true,
+    priority: 100,
+};
+class AdvancedEdDSAEnvelopeVerifierFactory extends runtime_1.EnvelopeVerifierFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "EdDSAEnvelopeVerifier";
+        this.isDefault = true;
+        this.priority = 100;
+    }
+    async create(_config, keyProvider, signingConfig, options = {}) {
+        if (!keyProvider) {
+            throw new Error("EdDSAEnvelopeVerifierFactory requires a key provider");
+        }
+        const resolved = {
+            signingConfig: options.signingConfig ?? signingConfig ?? new runtime_1.SigningConfigClass(),
+        };
+        return new eddsa_envelope_verifier_js_1.EdDSAEnvelopeVerifier(keyProvider, resolved);
+    }
+}
+exports.AdvancedEdDSAEnvelopeVerifierFactory = AdvancedEdDSAEnvelopeVerifierFactory;
+exports.default = AdvancedEdDSAEnvelopeVerifierFactory;
+//# sourceMappingURL=eddsa-envelope-verifier-factory.js.map

package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-verifier-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eddsa-envelope-verifier-factory.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/signing/eddsa-envelope-verifier-factory.ts"],"names":[],"mappings":";;;AACA,+CAM2B;AAE3B,6EAIsC;AAMzB,QAAA,YAAY,GAAG;IAC1B,IAAI,EAAE,6CAAmC;IACzC,GAAG,EAAE,uBAAuB;IAC5B,SAAS,EAAE,IAAI;IACf,QAAQ,EAAE,GAAG;CACL,CAAC;AAIX,MAAa,oCAAqC,SAAQ,iCAAoD;IAA9G;;QACkB,SAAI,GAAG,uBAAuB,CAAC;QAC/B,cAAS,GAAG,IAAI,CAAC;QACjB,aAAQ,GAAG,GAAG,CAAC;IAmBjC,CAAC;IAjBQ,KAAK,CAAC,MAAM,CACjB,OAAsE,EACtE,WAAgC,EAChC,aAAoC,EACpC,UAAwC,EAAE;QAE1C,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,QAAQ,GAAiC;YAC7C,aAAa,EACX,OAAO,CAAC,aAAa,IAAI,aAAa,IAAI,IAAI,4BAAkB,EAAE;SACrE,CAAC;QAEF,OAAO,IAAI,kDAAqB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;CACF;AAtBD,oFAsBC;AAED,kBAAe,oCAAoC,CAAC"}

package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-verifier.js

@@ -0,0 +1,176 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EdDSAEnvelopeVerifier = void 0;
+const ed25519_1 = require("@noble/ed25519");
+const sha2_js_1 = require("@noble/hashes/sha2.js");
+const core_1 = require("@naylence/core");
+const runtime_1 = require("@naylence/runtime");
+const eddsa_signer_verifier_js_1 = require("naylence-runtime/naylence/fame/security/signing/eddsa-signer-verifier.js");
+const eddsa_utils_js_1 = require("naylence-runtime/naylence/fame/security/signing/eddsa-utils.js");
+const runtime_2 = require("@naylence/runtime");
+const util_js_1 = require("../cert/util.js");
+function assertString(value, field) {
+    if (typeof value !== "string" || value.length === 0) {
+        throw new Error(`${field} must be a non-empty string`);
+    }
+    return value;
+}
+function isDataFrame(frame) {
+    return frame.type === "Data";
+}
+function encodeBase64Url(value) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(value)
+            .toString("base64")
+            .replace(/\+/gu, "-")
+            .replace(/\//gu, "_")
+            .replace(/=+$/u, "");
+    }
+    let binary = "";
+    for (const byte of value) {
+        binary += String.fromCharCode(byte);
+    }
+    if (typeof btoa === "function") {
+        return btoa(binary)
+            .replace(/\+/gu, "-")
+            .replace(/\//gu, "_")
+            .replace(/=+$/u, "");
+    }
+    throw new Error("No base64 encoder available in this environment");
+}
+function ensureNobleSha512Fallback() {
+    const etcPatch = ed25519_1.etc;
+    if (!etcPatch.sha512) {
+        etcPatch.sha512 = (message) => (0, sha2_js_1.sha512)(message);
+    }
+    if (!etcPatch.sha512Sync) {
+        etcPatch.sha512Sync = (...messages) => {
+            if (messages.length === 1) {
+                return (0, sha2_js_1.sha512)(messages[0]);
+            }
+            const combined = ed25519_1.etc.concatBytes(...messages);
+            return (0, sha2_js_1.sha512)(combined);
+        };
+    }
+}
+function normalizeCertificateKey(jwk, signingConfig) {
+    if (!Array.isArray(jwk.x5c) || jwk.x5c.length === 0) {
+        return null;
+    }
+    if (signingConfig.signingMaterial !== core_1.SigningMaterial.X509_CHAIN) {
+        throw new Error("Certificate keys are disabled by signing policy");
+    }
+    const trustStorePem = process.env.FAME_CA_CERTS;
+    if (!trustStorePem) {
+        throw new Error("FAME_CA_CERTS environment variable must be set to a PEM file containing trusted CA certs when using certificate-based verification");
+    }
+    const publicKey = (0, util_js_1.publicKeyFromX5c)(jwk.x5c, {
+        enforceNameConstraints: signingConfig.validateCertNameConstraints,
+        trustStorePem,
+    });
+    if (publicKey.length !== 32) {
+        throw new Error("Certificate public key must be 32 bytes for Ed25519");
+    }
+    return encodeBase64Url(publicKey);
+}
+async function loadPublicKey(jwk, signingConfig) {
+    const certificateKey = normalizeCertificateKey(jwk, signingConfig);
+    const candidate = certificateKey ??
+        (typeof jwk.x === "string"
+            ? jwk.x
+            : typeof jwk.crv_x === "string"
+                ? jwk.crv_x
+                : jwk.pub);
+    if (typeof candidate !== "string") {
+        throw new Error("JWK missing public key material");
+    }
+    return (0, eddsa_signer_verifier_js_1.decodeBase64Url)(candidate);
+}
+class EdDSAEnvelopeVerifier {
+    constructor(keyProvider, options = {}) {
+        this.keyProvider = keyProvider;
+        this.signingConfig = options.signingConfig ?? new runtime_1.SigningConfigClass();
+        ensureNobleSha512Fallback();
+    }
+    async verifyEnvelope(envelope, options = {}) {
+        const signatureHeader = envelope.sec?.sig;
+        if (!signatureHeader) {
+            throw new Error("Missing envelope.sec.sig header");
+        }
+        const kid = assertString(signatureHeader.kid, "Signature header missing 'kid'");
+        const signatureValue = assertString(signatureHeader.val, "Signature header missing 'val'");
+        const jwk = (await this.keyProvider.getKey(kid));
+        if (!jwk) {
+            throw new Error(`Unknown key id: ${kid}`);
+        }
+        try {
+            (0, runtime_2.validateSigningKey)(jwk);
+        }
+        catch (error) {
+            if (error instanceof runtime_2.JWKValidationError) {
+                throw new Error(`Key ${kid} is not valid for signing: ${error.message}`);
+            }
+            throw error;
+        }
+        const checkPayload = options.checkPayload ?? true;
+        let trustedDigest;
+        if (isDataFrame(envelope.frame)) {
+            if (checkPayload) {
+                if (!envelope.frame.pd) {
+                    throw new Error("DataFrame missing payload digest (pd field)");
+                }
+                const payload = envelope.frame.payload ?? "";
+                const payloadString = payload === "" ? "" : (0, eddsa_signer_verifier_js_1.canonicalJson)(payload);
+                const actualDigest = (0, runtime_1.secureDigest)(payloadString);
+                if (actualDigest !== envelope.frame.pd) {
+                    throw new Error("Payload digest mismatch in DataFrame");
+                }
+                trustedDigest = actualDigest;
+            }
+            else {
+                if (!envelope.frame.pd) {
+                    throw new Error("DataFrame missing payload digest (pd field) for intermediate verification");
+                }
+                trustedDigest = envelope.frame.pd;
+            }
+        }
+        else {
+            trustedDigest = (0, eddsa_signer_verifier_js_1.frameDigest)(envelope.frame);
+        }
+        const sid = assertString(jwk.sid, "Signing key missing sid");
+        const immutable = (0, eddsa_signer_verifier_js_1.canonicalJson)((0, eddsa_signer_verifier_js_1.immutableHeaders)(envelope));
+        const tbs = new Uint8Array((0, eddsa_utils_js_1.encodeUtf8)(sid).length +
+            1 +
+            (0, eddsa_utils_js_1.encodeUtf8)(immutable).length +
+            1 +
+            (0, eddsa_utils_js_1.encodeUtf8)(trustedDigest).length);
+        const sidBytes = (0, eddsa_utils_js_1.encodeUtf8)(sid);
+        const immBytes = (0, eddsa_utils_js_1.encodeUtf8)(immutable);
+        const digestBytes = (0, eddsa_utils_js_1.encodeUtf8)(trustedDigest);
+        let offset = 0;
+        tbs.set(sidBytes, offset);
+        offset += sidBytes.length;
+        tbs[offset] = 0x1f;
+        offset += 1;
+        tbs.set(immBytes, offset);
+        offset += immBytes.length;
+        tbs[offset] = 0x1f;
+        offset += 1;
+        tbs.set(digestBytes, offset);
+        const signatureBytes = (0, eddsa_signer_verifier_js_1.decodeBase64Url)(signatureValue);
+        if (signatureBytes.length !== 64) {
+            throw new Error("Signature must be 64 bytes for Ed25519");
+        }
+        const publicKey = await loadPublicKey(jwk, this.signingConfig);
+        if (publicKey.length !== 32) {
+            throw new Error("Ed25519 public key must be 32 bytes");
+        }
+        const valid = await (0, ed25519_1.verify)(signatureBytes, tbs, publicKey);
+        if (!valid) {
+            throw new Error("Envelope signature verification failed");
+        }
+        return true;
+    }
+}
+exports.EdDSAEnvelopeVerifier = EdDSAEnvelopeVerifier;
+//# sourceMappingURL=eddsa-envelope-verifier.js.map

package/dist/cjs/naylence/fame/security/signing/eddsa-envelope-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eddsa-envelope-verifier.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/signing/eddsa-envelope-verifier.ts"],"names":[],"mappings":";;;AAAA,4CAAsD;AACtD,mDAA+C;AAE/C,yCAAiD;AACjD,+CAI2B;AAC3B,uHAKkF;AAClF,mGAA4F;AAC5F,+CAA2E;AAC3E,6CAAmD;AAanD,SAAS,YAAY,CAAC,KAAc,EAAE,KAAa;IACjD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,6BAA6B,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,KAA4B;IAC/C,OAAQ,KAA2B,CAAC,IAAI,KAAK,MAAM,CAAC;AACtD,CAAC;AAED,SAAS,eAAe,CAAC,KAAiB;IACxC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;aACtB,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;aACpB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;aACpB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzB,CAAC;IAED,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,OAAO,IAAI,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,MAAM,CAAC;aAChB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;aACpB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;aACpB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,yBAAyB;IAChC,MAAM,QAAQ,GAAG,aAGhB,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACrB,QAAQ,CAAC,MAAM,GAAG,CAAC,OAAmB,EAAE,EAAE,CAAC,IAAA,gBAAM,EAAC,OAAO,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC;QACzB,QAAQ,CAAC,UAAU,GAAG,CAAC,GAAG,QAAsB,EAAc,EAAE;YAC9D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAA,gBAAM,EAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,CAAC;YAC9B,CAAC;YAED,MAAM,QAAQ,GAAG,aAAK,CAAC,WAAW,CAAC,GAAG,QAAQ,CAAC,CAAC;YAChD,OAAO,IAAA,gBAAM,EAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAC9B,GAAgB,EAChB,aAA4B;IAE5B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,aAAa,CAAC,eAAe,KAAK,sBAAe,CAAC,UAAU,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAChD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,oIAAoI,CACrI,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,0BAAgB,EAAC,GAAG,CAAC,GAAe,EAAE;QACtD,sBAAsB,EAAE,aAAa,CAAC,2BAA2B;QACjE,aAAa;KACd,CAAC,CAAC;IAEH,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,OAAO,eAAe,CAAC,SAAS,CAAC,CAAC;AACpC,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,GAAgB,EAChB,aAA4B;IAE5B,MAAM,cAAc,GAAG,uBAAuB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAEnE,MAAM,SAAS,GACb,cAAc;QACd,CAAC,OAAO,GAAG,CAAC,CAAC,KAAK,QAAQ;YACxB,CAAC,CAAC,GAAG,CAAC,CAAC;YACP,CAAC,CAAC,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ;gBAC7B,CAAC,CAAC,GAAG,CAAC,KAAK;gBACX,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAEjB,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,IAAA,0CAAe,EAAC,SAAS,CAAC,CAAC;AACpC,CAAC;AAMD,MAAa,qBAAqB;IAKhC,YACE,WAAwB,EACxB,UAAwC,EAAE;QAE1C,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,IAAI,4BAAkB,EAAE,CAAC;QACvE,yBAAyB,EAAE,CAAC;IAC9B,CAAC;IAEM,KAAK,CAAC,cAAc,CACzB,QAAsB,EACtB,UAAwD,EAAE;QAE1D,MAAM,eAAe,GAAG,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC;QAC1C,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,GAAG,GAAG,YAAY,CACtB,eAAe,CAAC,GAAG,EACnB,gCAAgC,CACjC,CAAC;QACF,MAAM,cAAc,GAAG,YAAY,CACjC,eAAe,CAAC,GAAG,EACnB,gCAAgC,CACjC,CAAC;QAEF,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAuB,CAAC;QACvE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,mBAAmB,GAAG,EAAE,CAAC,CAAC;QAC5C,CAAC;QAED,IAAI,CAAC;YACH,IAAA,4BAAkB,EAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,4BAAkB,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CACb,OAAO,GAAG,8BAA8B,KAAK,CAAC,OAAO,EAAE,CACxD,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,CAAC;QAElD,IAAI,aAAqB,CAAC;QAC1B,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,IAAI,YAAY,EAAE,CAAC;gBACjB,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;oBACvB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBACD,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC;gBAC7C,MAAM,aAAa,GAAG,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAA,wCAAa,EAAC,OAAO,CAAC,CAAC;gBACnE,MAAM,YAAY,GAAG,IAAA,sBAAY,EAAC,aAAa,CAAC,CAAC;gBACjD,IAAI,YAAY,KAAK,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;oBACvC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;gBAC1D,CAAC;gBACD,aAAa,GAAG,YAAY,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;oBACvB,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;gBACJ,CAAC;gBACD,aAAa,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,aAAa,GAAG,IAAA,sCAAW,EAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,IAAA,wCAAa,EAAC,IAAA,2CAAgB,EAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,IAAI,UAAU,CACxB,IAAA,2BAAU,EAAC,GAAG,CAAC,CAAC,MAAM;YACpB,CAAC;YACD,IAAA,2BAAU,EAAC,SAAS,CAAC,CAAC,MAAM;YAC5B,CAAC;YACD,IAAA,2BAAU,EAAC,aAAa,CAAC,CAAC,MAAM,CACnC,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAA,2BAAU,EAAC,GAAG,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,IAAA,2BAAU,EAAC,SAAS,CAAC,CAAC;QACvC,MAAM,WAAW,GAAG,IAAA,2BAAU,EAAC,aAAa,CAAC,CAAC;QAC9C,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;QAC1B,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;QACnB,MAAM,IAAI,CAAC,CAAC;QAEZ,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1B,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;QAC1B,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;QACnB,MAAM,IAAI,CAAC,CAAC;QAEZ,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE7B,MAAM,cAAc,GAAG,IAAA,0CAAe,EAAC,cAAc,CAAC,CAAC;QACvD,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/D,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAA,gBAAM,EAAC,cAAc,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAvHD,sDAuHC"}

package/dist/cjs/naylence/fame/stickiness/aft-helper.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_STICKINESS_SECURITY_LEVEL = exports.AFTHelper = void 0;
+exports.createAftHelper = createAftHelper;
+const runtime_1 = require("@naylence/runtime");
+const aft_signer_js_1 = require("./aft-signer.js");
+const stickiness_mode_js_1 = require("./stickiness-mode.js");
+const logger = (0, runtime_1.getLogger)("naylence.fame.stickiness.aft_helper");
+class AFTHelper {
+    constructor(options) {
+        this.signer = options.signer;
+        this.nodeSid = options.nodeSid;
+        this.maxTtlSec = options.maxTtlSec;
+    }
+    async requestStickiness(envelope, options = {}) {
+        const ttlSec = options.ttlSec ?? this.maxTtlSec;
+        const scope = options.scope ?? null;
+        const context = options.context ?? null;
+        let clientSid;
+        if (context?.stickySid) {
+            clientSid = context.stickySid;
+            logger.debug("client_sticky_sid_extracted", { client_sid: clientSid });
+        }
+        const signOptions = {
+            sid: this.nodeSid,
+            ttlSec,
+            scope,
+            clientSid: clientSid ?? null,
+        };
+        try {
+            const aftToken = await this.signer.signAft(signOptions);
+            if (!aftToken) {
+                return false;
+            }
+            if (!envelope.meta) {
+                envelope.meta = {};
+            }
+            let setMeta = envelope.meta.set;
+            if (!setMeta || typeof setMeta !== "object") {
+                setMeta = {};
+                envelope.meta.set = setMeta;
+            }
+            setMeta.aft = aftToken;
+            logger.debug("aft_instruction_added", {
+                envelope_id: envelope.id,
+                ttl_sec: ttlSec,
+                scope,
+                security_level: this.signer.securityLevel,
+            });
+            return true;
+        }
+        catch (error) {
+            logger.error("aft_generation_failed", {
+                envelope_id: envelope.id,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return false;
+        }
+    }
+    requestNodeStickiness(envelope, options = {}) {
+        return this.requestStickiness(envelope, { ...options, scope: "node" });
+    }
+    requestFlowStickiness(envelope, options = {}) {
+        return this.requestStickiness(envelope, { ...options, scope: "flow" });
+    }
+    requestSessionStickiness(envelope, options = {}) {
+        return this.requestStickiness(envelope, { ...options, scope: "sess" });
+    }
+}
+exports.AFTHelper = AFTHelper;
+function createAftHelper(options) {
+    const { nodeSid, maxTtlSec = 7200 } = options;
+    const signer = (0, aft_signer_js_1.createAftSigner)(options);
+    return new AFTHelper({ signer, nodeSid, maxTtlSec });
+}
+exports.DEFAULT_STICKINESS_SECURITY_LEVEL = stickiness_mode_js_1.StickinessMode.SIGNED_OPTIONAL;
+//# sourceMappingURL=aft-helper.js.map

package/dist/cjs/naylence/fame/stickiness/aft-helper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aft-helper.js","sourceRoot":"","sources":["../../../../../src/naylence/fame/stickiness/aft-helper.ts"],"names":[],"mappings":";;;AAoHA,0CAIC;AAvHD,+CAA8C;AAG9C,mDAA+E;AAC/E,6DAAsD;AAEtD,MAAM,MAAM,GAAG,IAAA,mBAAS,EAAC,qCAAqC,CAAC,CAAC;AAQhE,MAAa,SAAS;IAKpB,YAAmB,OAIlB;QACC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IACrC,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAC5B,QAAsB,EACtB,UAAoC,EAAE;QAEtC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,SAAS,CAAC;QAChD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC;QACpC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC;QAExC,IAAI,SAA6B,CAAC;QAClC,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;YACvB,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;YAC9B,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,MAAM,WAAW,GAAmB;YAClC,GAAG,EAAE,IAAI,CAAC,OAAO;YACjB,MAAM;YACN,KAAK;YACL,SAAS,EAAE,SAAS,IAAI,IAAI;SAC7B,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAExD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnB,QAAQ,CAAC,IAAI,GAAG,EAAE,CAAC;YACrB,CAAC;YAED,IAAI,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,GAA0C,CAAC;YACvE,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,OAAO,GAAG,EAAE,CAAC;gBACb,QAAQ,CAAC,IAAI,CAAC,GAAG,GAAG,OAGnB,CAAC;YACJ,CAAC;YAEA,OAAmC,CAAC,GAAG,GAAG,QAAQ,CAAC;YAEpD,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;gBACpC,WAAW,EAAE,QAAQ,CAAC,EAAE;gBACxB,OAAO,EAAE,MAAM;gBACf,KAAK;gBACL,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;aAC1C,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;gBACpC,WAAW,EAAE,QAAQ,CAAC,EAAE;gBACxB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEM,qBAAqB,CAC1B,QAAsB,EACtB,UAAmD,EAAE;QAErD,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAEM,qBAAqB,CAC1B,QAAsB,EACtB,UAAmD,EAAE;QAErD,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAEM,wBAAwB,CAC7B,QAAsB,EACtB,UAAmD,EAAE;QAErD,OAAO,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,EAAE,GAAG,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;CACF;AA/FD,8BA+FC;AAMD,SAAgB,eAAe,CAAC,OAA+B;IAC7D,MAAM,EAAE,OAAO,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAC9C,MAAM,MAAM,GAAG,IAAA,+BAAe,EAAC,OAAO,CAAC,CAAC;IACxC,OAAO,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;AACvD,CAAC;AAEY,QAAA,iCAAiC,GAAG,mCAAc,CAAC,eAAe,CAAC"}

package/dist/cjs/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AFTLoadBalancerStickinessManagerFactory = exports.FACTORY_META = void 0;
+const runtime_1 = require("@naylence/runtime");
+const aft_load_balancer_stickiness_manager_js_1 = require("./aft-load-balancer-stickiness-manager.js");
+const aft_verifier_js_1 = require("./aft-verifier.js");
+const stickiness_mode_js_1 = require("./stickiness-mode.js");
+exports.FACTORY_META = {
+    base: runtime_1.LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE,
+    key: "AFTLoadBalancerStickinessManager",
+};
+const DEFAULT_VALUES = {
+    enabled: true,
+    clientEcho: false,
+    defaultTtlSec: 30,
+    cacheMax: 100000,
+    securityLevel: stickiness_mode_js_1.StickinessMode.SIGNED_OPTIONAL,
+    maxTtlSec: 7200,
+};
+function toBoolean(value, fallback) {
+    return typeof value === "boolean" ? value : fallback;
+}
+function toNumber(value, fallback) {
+    if (typeof value === "number" && Number.isFinite(value)) {
+        return value;
+    }
+    return fallback;
+}
+function normalizeConfig(config) {
+    const record = (config ?? {});
+    const normalizedSecurity = record.securityLevel
+        ? (0, stickiness_mode_js_1.normalizeStickinessMode)(record.securityLevel)
+        : DEFAULT_VALUES.securityLevel;
+    return {
+        ...record,
+        type: "AFTLoadBalancerStickinessManager",
+        enabled: toBoolean(record.enabled, DEFAULT_VALUES.enabled),
+        clientEcho: toBoolean(record.clientEcho, DEFAULT_VALUES.clientEcho),
+        defaultTtlSec: toNumber(record.defaultTtlSec, DEFAULT_VALUES.defaultTtlSec),
+        cacheMax: toNumber(record.cacheMax, DEFAULT_VALUES.cacheMax),
+        securityLevel: normalizedSecurity,
+        maxTtlSec: toNumber(record.maxTtlSec, DEFAULT_VALUES.maxTtlSec),
+    };
+}
+class AFTLoadBalancerStickinessManagerFactory extends runtime_1.LoadBalancerStickinessManagerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "AFTLoadBalancerStickinessManager";
+        this.isDefault = false;
+    }
+    async create(config, keyProvider, verifier) {
+        const resolvedConfig = normalizeConfig(config);
+        let effectiveVerifier = verifier ?? null;
+        if (!effectiveVerifier && keyProvider) {
+            effectiveVerifier = (0, aft_verifier_js_1.createAftVerifier)({
+                securityLevel: resolvedConfig.securityLevel ?? DEFAULT_VALUES.securityLevel,
+                keyProvider,
+                defaultTtlSec: resolvedConfig.defaultTtlSec ?? DEFAULT_VALUES.defaultTtlSec,
+            });
+        }
+        if (!effectiveVerifier) {
+            throw new Error("AFTLoadBalancerStickinessManagerFactory requires an AFT verifier or key provider");
+        }
+        return new aft_load_balancer_stickiness_manager_js_1.AFTLoadBalancerStickinessManager(resolvedConfig, effectiveVerifier);
+    }
+}
+exports.AFTLoadBalancerStickinessManagerFactory = AFTLoadBalancerStickinessManagerFactory;
+exports.default = AFTLoadBalancerStickinessManagerFactory;
+//# sourceMappingURL=aft-load-balancer-stickiness-manager-factory.js.map

package/dist/cjs/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aft-load-balancer-stickiness-manager-factory.js","sourceRoot":"","sources":["../../../../../src/naylence/fame/stickiness/aft-load-balancer-stickiness-manager-factory.ts"],"names":[],"mappings":";;;AACA,+CAI2B;AAG3B,uGAA6F;AAC7F,uDAAsD;AAEtD,6DAA+E;AAalE,QAAA,YAAY,GAAG;IAC1B,IAAI,EAAE,4DAAkD;IACxD,GAAG,EAAE,kCAAkC;CAC/B,CAAC;AAEX,MAAM,cAAc,GAAG;IACrB,OAAO,EAAE,IAAI;IACb,UAAU,EAAE,KAAK;IACjB,aAAa,EAAE,EAAE;IACjB,QAAQ,EAAE,MAAO;IACjB,aAAa,EAAE,mCAAc,CAAC,eAAe;IAC7C,SAAS,EAAE,IAAI;CACP,CAAC;AAEX,SAAS,SAAS,CAAC,KAAc,EAAE,QAAiB;IAClD,OAAO,OAAO,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC;AACvD,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc,EAAE,QAAgB;IAChD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CACtB,MAGQ;IAER,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,EAAE,CAA4B,CAAC;IAEzD,MAAM,kBAAkB,GAAG,MAAM,CAAC,aAAa;QAC7C,CAAC,CAAC,IAAA,4CAAuB,EAAC,MAAM,CAAC,aAAwC,CAAC;QAC1E,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC;IAEjC,OAAO;QACL,GAAG,MAAM;QACT,IAAI,EAAE,kCAAkC;QACxC,OAAO,EAAE,SAAS,CAAC,MAAM,CAAC,OAAO,EAAE,cAAc,CAAC,OAAO,CAAC;QAC1D,UAAU,EAAE,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,cAAc,CAAC,UAAU,CAAC;QACnE,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,aAAa,EAAE,cAAc,CAAC,aAAa,CAAC;QAC3E,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,cAAc,CAAC,QAAQ,CAAC;QAC5D,aAAa,EAAE,kBAAkB;QACjC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,cAAc,CAAC,SAAS,CAAC;KACtB,CAAC;AAC9C,CAAC;AAED,MAAa,uCAAwC,SAAQ,8CAA4E;IAAzI;;QACkB,SAAI,GAAG,kCAAkC,CAAC;QAC1C,cAAS,GAAG,KAAK,CAAC;IAkCpC,CAAC;IAhCQ,KAAK,CAAC,MAAM,CACjB,MAGQ,EACR,WAAgC,EAChC,QAA6B;QAE7B,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QAE/C,IAAI,iBAAiB,GAAG,QAAQ,IAAI,IAAI,CAAC;QACzC,IAAI,CAAC,iBAAiB,IAAI,WAAW,EAAE,CAAC;YACtC,iBAAiB,GAAG,IAAA,mCAAiB,EAAC;gBACpC,aAAa,EACX,cAAc,CAAC,aAAa,IAAI,cAAc,CAAC,aAAa;gBAC9D,WAAW;gBACX,aAAa,EACX,cAAc,CAAC,aAAa,IAAI,cAAc,CAAC,aAAa;aAC/D,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CACb,kFAAkF,CACnF,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,0EAAgC,CACzC,cAAc,EACd,iBAAiB,CAClB,CAAC;IACJ,CAAC;CACF;AApCD,0FAoCC;AAED,kBAAe,uCAAuC,CAAC"}