npm - @naylence/advanced-security - Versions diffs - 0.3.7-test.114 → 0.3.7-test.115 - Mend

@naylence/advanced-security 0.3.7-test.114 → 0.3.7-test.115

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (421) hide show

package/dist/esm/naylence/fame/stickiness/aft-verifier.js ADDED Viewed

@@ -0,0 +1,290 @@
+import { compactVerify, importJWK, importSPKI } from "jose";
+import { getLogger } from "@naylence/runtime";
+import { base64UrlDecode, utf8Decode } from "./aft-utils.js";
+import { StickinessMode } from "./stickiness-mode.js";
+const logger = getLogger("naylence.fame.stickiness.aft_verifier");
+function decodeToken(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        return null;
+    }
+    const [headerB64, payloadB64] = parts;
+    if (!headerB64 || !payloadB64) {
+        return null;
+    }
+    try {
+        const headerJson = utf8Decode(base64UrlDecode(headerB64));
+        const payloadJson = utf8Decode(base64UrlDecode(payloadB64));
+        const headerData = JSON.parse(headerJson);
+        const payloadData = JSON.parse(payloadJson);
+        const header = {
+            alg: String(headerData.alg ?? ""),
+            kid: String(headerData.kid ?? ""),
+        };
+        const claims = {
+            sid: String(payloadData.sid ?? ""),
+            exp: Number(payloadData.exp ?? 0),
+        };
+        if (typeof payloadData.scp === "string" && payloadData.scp.length > 0) {
+            claims.scp = payloadData.scp;
+        }
+        if (typeof payloadData.client_sid === "string" &&
+            payloadData.client_sid.length > 0) {
+            claims.client_sid = payloadData.client_sid;
+        }
+        return { header, claims };
+    }
+    catch (error) {
+        logger.debug("aft_decoding_failed", {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return null;
+    }
+}
+class BaseAFTVerifier {
+    constructor(defaultTtlSec = 30) {
+        this.defaultTtlSec = defaultTtlSec;
+    }
+    async verify(token, expectedSid) {
+        const decoded = decodeToken(token);
+        if (!decoded) {
+            return {
+                valid: false,
+                trustLevel: "untrusted",
+                error: "Invalid token format - expected 3 parts",
+            };
+        }
+        const { header, claims } = decoded;
+        if (!header.alg || !header.kid) {
+            return {
+                valid: false,
+                trustLevel: "untrusted",
+                error: "Missing algorithm or key ID",
+            };
+        }
+        if (!claims.sid || !Number.isFinite(claims.exp)) {
+            return {
+                valid: false,
+                trustLevel: "untrusted",
+                error: "Token missing required claims",
+            };
+        }
+        const currentTime = Math.floor(Date.now() / 1000);
+        if (claims.exp <= currentTime) {
+            return {
+                valid: false,
+                sid: claims.sid,
+                exp: claims.exp,
+                scope: claims.scp ?? undefined,
+                clientSid: claims.client_sid ?? undefined,
+                trustLevel: "untrusted",
+                error: "Token expired",
+            };
+        }
+        if (expectedSid && claims.sid !== expectedSid) {
+            return {
+                valid: false,
+                sid: claims.sid,
+                exp: claims.exp,
+                scope: claims.scp ?? undefined,
+                clientSid: claims.client_sid ?? undefined,
+                trustLevel: "untrusted",
+                error: `SID mismatch: expected ${expectedSid}, got ${claims.sid}`,
+            };
+        }
+        let signatureValid = false;
+        try {
+            signatureValid = await this.verifySignature(token, header, claims);
+        }
+        catch (error) {
+            logger.debug("aft_signature_verification_failed", {
+                kid: header.kid,
+                algorithm: header.alg,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            signatureValid = false;
+        }
+        if (!signatureValid) {
+            return {
+                valid: false,
+                sid: claims.sid,
+                exp: claims.exp,
+                scope: claims.scp ?? undefined,
+                clientSid: claims.client_sid ?? undefined,
+                trustLevel: "untrusted",
+                error: "Invalid signature",
+            };
+        }
+        const trustLevel = header.alg === "none" ? "low-trust" : "trusted";
+        return {
+            valid: true,
+            sid: claims.sid,
+            exp: claims.exp,
+            scope: claims.scp ?? undefined,
+            clientSid: claims.client_sid ?? undefined,
+            trustLevel,
+        };
+    }
+}
+export class StrictAFTVerifier extends BaseAFTVerifier {
+    constructor(keyProvider, defaultTtlSec = 30) {
+        super(defaultTtlSec);
+        this.keyProvider = keyProvider;
+    }
+    get securityLevel() {
+        return StickinessMode.STRICT;
+    }
+    async verifySignature(token, header) {
+        if (header.alg === "none") {
+            return false;
+        }
+        let keyRecord;
+        try {
+            keyRecord = await this.keyProvider.getKey(header.kid);
+        }
+        catch (error) {
+            logger.debug("aft_public_key_missing", {
+                kid: header.kid,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return false;
+        }
+        const key = await resolveVerificationKey(keyRecord, header.alg);
+        if (!key) {
+            return false;
+        }
+        try {
+            const { protectedHeader } = await compactVerify(token, key);
+            return protectedHeader.alg === header.alg;
+        }
+        catch (error) {
+            logger.debug("aft_jws_verification_failed", {
+                kid: header.kid,
+                algorithm: header.alg,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return false;
+        }
+    }
+}
+export class SignedOptionalAFTVerifier extends BaseAFTVerifier {
+    constructor(keyProvider, defaultTtlSec = 30) {
+        super(defaultTtlSec);
+        this.keyProvider = keyProvider;
+    }
+    get securityLevel() {
+        return StickinessMode.SIGNED_OPTIONAL;
+    }
+    async verifySignature(token, header) {
+        if (header.alg === "none") {
+            return true;
+        }
+        if (!this.keyProvider) {
+            return false;
+        }
+        let keyRecord;
+        try {
+            keyRecord = await this.keyProvider.getKey(header.kid);
+        }
+        catch (error) {
+            logger.debug("aft_public_key_missing", {
+                kid: header.kid,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return false;
+        }
+        const key = await resolveVerificationKey(keyRecord, header.alg);
+        if (!key) {
+            return false;
+        }
+        try {
+            const { protectedHeader } = await compactVerify(token, key);
+            return protectedHeader.alg === header.alg;
+        }
+        catch (error) {
+            logger.debug("aft_jws_verification_failed", {
+                kid: header.kid,
+                algorithm: header.alg,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return false;
+        }
+    }
+}
+export class SidOnlyAFTVerifier extends BaseAFTVerifier {
+    constructor(defaultTtlSec = 30) {
+        super(defaultTtlSec);
+    }
+    get securityLevel() {
+        return StickinessMode.SID_ONLY;
+    }
+    async verify(_token, _expectedSid) {
+        return {
+            valid: false,
+            trustLevel: "untrusted",
+            error: "SID-only mode ignores AFTs",
+        };
+    }
+    async verifySignature() {
+        return false;
+    }
+}
+async function resolveVerificationKey(keyRecord, algorithm) {
+    const jwkCandidate = keyRecord;
+    if (typeof jwkCandidate.kty === "string") {
+        try {
+            const key = await importJWK(jwkCandidate, algorithm);
+            return key;
+        }
+        catch (error) {
+            logger.debug("aft_jwk_import_failed", {
+                kid: keyRecord.kid,
+                algorithm,
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    let pem = null;
+    const record = keyRecord;
+    if (typeof record.public_key_pem === "string") {
+        pem = record.public_key_pem;
+    }
+    else if (typeof record.publicKeyPem === "string") {
+        pem = record.publicKeyPem;
+    }
+    if (typeof pem === "string" && pem.length > 0) {
+        try {
+            const key = await importSPKI(pem, algorithm);
+            return key;
+        }
+        catch (error) {
+            logger.debug("aft_spki_import_failed", {
+                kid: keyRecord.kid,
+                algorithm,
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    logger.debug("aft_verification_key_unavailable", {
+        kid: keyRecord.kid,
+        algorithm,
+    });
+    return null;
+}
+export function createAftVerifier(options) {
+    const { securityLevel, keyProvider, defaultTtlSec = 30 } = options;
+    switch (securityLevel) {
+        case StickinessMode.STRICT:
+            if (!keyProvider) {
+                throw new Error("StrictAFTVerifier requires a KeyProvider instance");
+            }
+            return new StrictAFTVerifier(keyProvider, defaultTtlSec);
+        case StickinessMode.SIGNED_OPTIONAL:
+            return new SignedOptionalAFTVerifier(keyProvider, defaultTtlSec);
+        case StickinessMode.SID_ONLY:
+            return new SidOnlyAFTVerifier(defaultTtlSec);
+        default:
+            throw new Error(`Unknown security level: ${securityLevel}`);
+    }
+}
+//# sourceMappingURL=aft-verifier.js.map

package/dist/esm/naylence/fame/stickiness/aft-verifier.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"aft-verifier.js","sourceRoot":"","sources":["../../../../../src/naylence/fame/stickiness/aft-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAG5D,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAG9C,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,MAAM,MAAM,GAAG,SAAS,CAAC,uCAAuC,CAAC,CAAC;AA+BlE,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;IACtC,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,UAAU,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1D,MAAM,WAAW,GAAG,UAAU,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC;QAE5D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAA4B,CAAC;QACrE,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAA4B,CAAC;QAEvE,MAAM,MAAM,GAAc;YACxB,GAAG,EAAE,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,CAAC;YACjC,GAAG,EAAE,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,EAAE,CAAC;SAClC,CAAC;QAEF,MAAM,MAAM,GAAc;YACxB,GAAG,EAAE,MAAM,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,CAAC;YAClC,GAAG,EAAE,MAAM,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC,CAAC;SAClC,CAAC;QAEF,IAAI,OAAO,WAAW,CAAC,GAAG,KAAK,QAAQ,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtE,MAAM,CAAC,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC;QAC/B,CAAC;QAED,IACE,OAAO,WAAW,CAAC,UAAU,KAAK,QAAQ;YAC1C,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EACjC,CAAC;YACD,MAAM,CAAC,UAAU,GAAG,WAAW,CAAC,UAAU,CAAC;QAC7C,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAC5B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE;YAClC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAe,eAAe;IAG5B,YAAsB,gBAAwB,EAAE;QAC9C,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAUM,KAAK,CAAC,MAAM,CACjB,KAAa,EACb,WAA2B;QAE3B,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,UAAU,EAAE,WAAW;gBACvB,KAAK,EAAE,yCAAyC;aACjD,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;QAEnC,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAC/B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,UAAU,EAAE,WAAW;gBACvB,KAAK,EAAE,6BAA6B;aACrC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAChD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,UAAU,EAAE,WAAW;gBACvB,KAAK,EAAE,+BAA+B;aACvC,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAClD,IAAI,MAAM,CAAC,GAAG,IAAI,WAAW,EAAE,CAAC;YAC9B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,GAAG,IAAI,SAAS;gBAC9B,SAAS,EAAE,MAAM,CAAC,UAAU,IAAI,SAAS;gBACzC,UAAU,EAAE,WAAW;gBACvB,KAAK,EAAE,eAAe;aACvB,CAAC;QACJ,CAAC;QAED,IAAI,WAAW,IAAI,MAAM,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;YAC9C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,GAAG,IAAI,SAAS;gBAC9B,SAAS,EAAE,MAAM,CAAC,UAAU,IAAI,SAAS;gBACzC,UAAU,EAAE,WAAW;gBACvB,KAAK,EAAE,0BAA0B,WAAW,SAAS,MAAM,CAAC,GAAG,EAAE;aAClE,CAAC;QACJ,CAAC;QAED,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,IAAI,CAAC;YACH,cAAc,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACrE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE;gBAChD,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,SAAS,EAAE,MAAM,CAAC,GAAG;gBACrB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,cAAc,GAAG,KAAK,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,GAAG,IAAI,SAAS;gBAC9B,SAAS,EAAE,MAAM,CAAC,UAAU,IAAI,SAAS;gBACzC,UAAU,EAAE,WAAW;gBACvB,KAAK,EAAE,mBAAmB;aAC3B,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GACd,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;QAElD,OAAO;YACL,KAAK,EAAE,IAAI;YACX,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,GAAG,IAAI,SAAS;YAC9B,SAAS,EAAE,MAAM,CAAC,UAAU,IAAI,SAAS;YACzC,UAAU;SACX,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,eAAe;IAGpD,YAAmB,WAAwB,EAAE,gBAAwB,EAAE;QACrE,KAAK,CAAC,aAAa,CAAC,CAAC;QACrB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAED,IAAW,aAAa;QACtB,OAAO,cAAc,CAAC,MAAM,CAAC;IAC/B,CAAC;IAES,KAAK,CAAC,eAAe,CAC7B,KAAa,EACb,MAAiB;QAEjB,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;YAC1B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,SAAoB,CAAC;QACzB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE;gBACrC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC5D,OAAO,eAAe,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE;gBAC1C,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,SAAS,EAAE,MAAM,CAAC,GAAG;gBACrB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AAED,MAAM,OAAO,yBAA0B,SAAQ,eAAe;IAG5D,YACE,WAA+B,EAC/B,gBAAwB,EAAE;QAE1B,KAAK,CAAC,aAAa,CAAC,CAAC;QACrB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAED,IAAW,aAAa;QACtB,OAAO,cAAc,CAAC,eAAe,CAAC;IACxC,CAAC;IAES,KAAK,CAAC,eAAe,CAC7B,KAAa,EACb,MAAiB;QAEjB,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,SAAoB,CAAC;QACzB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE;gBACrC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC5D,OAAO,eAAe,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE;gBAC1C,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,SAAS,EAAE,MAAM,CAAC,GAAG;gBACrB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,eAAe;IACrD,YAAmB,gBAAwB,EAAE;QAC3C,KAAK,CAAC,aAAa,CAAC,CAAC;IACvB,CAAC;IAED,IAAW,aAAa;QACtB,OAAO,cAAc,CAAC,QAAQ,CAAC;IACjC,CAAC;IAEM,KAAK,CAAC,MAAM,CACjB,MAAc,EACd,YAA4B;QAE5B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,WAAW;YACvB,KAAK,EAAE,4BAA4B;SACpC,CAAC;IACJ,CAAC;IAES,KAAK,CAAC,eAAe;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED,KAAK,UAAU,sBAAsB,CACnC,SAAoB,EACpB,SAAiB;IAEjB,MAAM,YAAY,GAAG,SAA+C,CAAC;IAErE,IAAI,OAAO,YAAY,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,SAAS,CACzB,YAAqC,EACrC,SAAS,CACV,CAAC;YACF,OAAO,GAAsB,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;gBACpC,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,SAAS;gBACT,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,GAAG,GAAkB,IAAI,CAAC;IAC9B,MAAM,MAAM,GAAG,SAAoC,CAAC;IACpD,IAAI,OAAO,MAAM,CAAC,cAAc,KAAK,QAAQ,EAAE,CAAC;QAC9C,GAAG,GAAG,MAAM,CAAC,cAAc,CAAC;IAC9B,CAAC;SAAM,IAAI,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;QACnD,GAAG,GAAG,MAAM,CAAC,YAAY,CAAC;IAC5B,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YAC7C,OAAO,GAAsB,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE;gBACrC,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,SAAS;gBACT,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;QAC/C,GAAG,EAAE,SAAS,CAAC,GAAG;QAClB,SAAS;KACV,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC;AAQD,MAAM,UAAU,iBAAiB,CAC/B,OAAiC;IAEjC,MAAM,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IAEnE,QAAQ,aAAa,EAAE,CAAC;QACtB,KAAK,cAAc,CAAC,MAAM;YACxB,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACvE,CAAC;YACD,OAAO,IAAI,iBAAiB,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QAC3D,KAAK,cAAc,CAAC,eAAe;YACjC,OAAO,IAAI,yBAAyB,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QACnE,KAAK,cAAc,CAAC,QAAQ;YAC1B,OAAO,IAAI,kBAAkB,CAAC,aAAa,CAAC,CAAC;QAC/C;YACE,MAAM,IAAI,KAAK,CAAC,2BAA2B,aAAa,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC"}

package/dist/esm/naylence/fame/stickiness/index.js ADDED Viewed

@@ -0,0 +1,11 @@
+export { StickinessMode, normalizeStickinessMode } from "./stickiness-mode.js";
+export { createAftPayload, serializeAftClaims, serializeAftHeader, } from "./aft-model.js";
+export { base64UrlEncode, base64UrlDecode, utf8Decode } from "./aft-utils.js";
+export { createAftSigner, UnsignedAFTSigner, SignedAFTSigner, NoAFTSigner, } from "./aft-signer.js";
+export { AFTHelper, createAftHelper, DEFAULT_STICKINESS_SECURITY_LEVEL, } from "./aft-helper.js";
+export { createAftVerifier, StrictAFTVerifier, SignedOptionalAFTVerifier, SidOnlyAFTVerifier, } from "./aft-verifier.js";
+export { AFTLoadBalancerStickinessManager } from "./aft-load-balancer-stickiness-manager.js";
+export { AFTLoadBalancerStickinessManagerFactory, FACTORY_META as AFT_LOAD_BALANCER_FACTORY_META, } from "./aft-load-balancer-stickiness-manager-factory.js";
+export { AFTReplicaStickinessManager, createAftReplicaStickinessManager, } from "./aft-replica-stickiness-manager.js";
+export { AFTReplicaStickinessManagerFactory, FACTORY_META as AFT_REPLICA_FACTORY_META, } from "./aft-replica-stickiness-manager-factory.js";
+//# sourceMappingURL=index.js.map

package/dist/esm/naylence/fame/stickiness/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/naylence/fame/stickiness/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAE/E,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAE9E,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,WAAW,GACZ,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,SAAS,EACT,eAAe,EACf,iCAAiC,GAClC,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,yBAAyB,EACzB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,gCAAgC,EAAE,MAAM,2CAA2C,CAAC;AAC7F,OAAO,EACL,uCAAuC,EACvC,YAAY,IAAI,8BAA8B,GAC/C,MAAM,mDAAmD,CAAC;AAC3D,OAAO,EACL,2BAA2B,EAC3B,iCAAiC,GAClC,MAAM,qCAAqC,CAAC;AAC7C,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,wBAAwB,GACzC,MAAM,6CAA6C,CAAC"}

package/dist/esm/naylence/fame/stickiness/stickiness-mode.js ADDED Viewed

@@ -0,0 +1,24 @@
+export var StickinessMode;
+(function (StickinessMode) {
+    StickinessMode["STRICT"] = "strict";
+    StickinessMode["SIGNED_OPTIONAL"] = "signed-optional";
+    StickinessMode["SID_ONLY"] = "sid-only";
+})(StickinessMode || (StickinessMode = {}));
+export function normalizeStickinessMode(value) {
+    switch (value) {
+        case StickinessMode.STRICT:
+        case "strict":
+            return StickinessMode.STRICT;
+        case StickinessMode.SIGNED_OPTIONAL:
+        case "signed-optional":
+        case "signed_optional":
+            return StickinessMode.SIGNED_OPTIONAL;
+        case StickinessMode.SID_ONLY:
+        case "sid-only":
+        case "sid_only":
+            return StickinessMode.SID_ONLY;
+        default:
+            throw new Error(`Unknown stickiness mode: ${value}`);
+    }
+}
+//# sourceMappingURL=stickiness-mode.js.map

package/dist/esm/naylence/fame/stickiness/stickiness-mode.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"stickiness-mode.js","sourceRoot":"","sources":["../../../../../src/naylence/fame/stickiness/stickiness-mode.ts"],"names":[],"mappings":"AAAA,MAAM,CAAN,IAAY,cAIX;AAJD,WAAY,cAAc;IACxB,mCAAiB,CAAA;IACjB,qDAAmC,CAAA;IACnC,uCAAqB,CAAA;AACvB,CAAC,EAJW,cAAc,KAAd,cAAc,QAIzB;AAED,MAAM,UAAU,uBAAuB,CACrC,KAA8B;IAE9B,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,cAAc,CAAC,MAAM,CAAC;QAC3B,KAAK,QAAQ;YACX,OAAO,cAAc,CAAC,MAAM,CAAC;QAC/B,KAAK,cAAc,CAAC,eAAe,CAAC;QACpC,KAAK,iBAAiB,CAAC;QACvB,KAAK,iBAAiB;YACpB,OAAO,cAAc,CAAC,eAAe,CAAC;QACxC,KAAK,cAAc,CAAC,QAAQ,CAAC;QAC7B,KAAK,UAAU,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,cAAc,CAAC,QAAQ,CAAC;QACjC;YACE,MAAM,IAAI,KAAK,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC"}

package/dist/esm/naylence/fame/welcome/advanced-welcome-service-factory.js ADDED Viewed

@@ -0,0 +1,93 @@
+import { AuthorizerFactory, TokenIssuerFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, WelcomeServiceFactory, WELCOME_SERVICE_FACTORY_BASE_TYPE, } from "@naylence/runtime";
+import { AdvancedWelcomeService, } from "./advanced-welcome-service.js";
+export const FACTORY_META = {
+    base: WELCOME_SERVICE_FACTORY_BASE_TYPE,
+    key: "AdvancedWelcomeService",
+    priority: 100,
+    isDefault: true,
+};
+export class AdvancedWelcomeServiceFactory extends WelcomeServiceFactory {
+    constructor() {
+        super(...arguments);
+        this.type = FACTORY_META.key;
+        this.isDefault = FACTORY_META.isDefault;
+        this.priority = FACTORY_META.priority;
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig(config);
+        // Crypto provider should be passed from upstream (node-welcome-server)
+        // Do not create it here - downstream components should use what's passed in factoryArgs
+        const placementStrategy = await NodePlacementStrategyFactory.createNodePlacementStrategy(normalized.placementConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
+        const transportProvisioner = await TransportProvisionerFactory.createTransportProvisioner(normalized.transportConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
+        const tokenIssuer = await TokenIssuerFactory.createTokenIssuer(normalized.tokenIssuerConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
+        let authorizer = null;
+        if (normalized.authorizerConfig) {
+            authorizer =
+                (await AuthorizerFactory.createAuthorizer(normalized.authorizerConfig, {
+                    factoryArgs,
+                })) ?? null;
+        }
+        const options = {
+            placementStrategy,
+            transportProvisioner,
+            tokenIssuer,
+            authorizer,
+            caServiceUrl: normalized.caServiceUrl,
+        };
+        if (normalized.ttlSec !== undefined) {
+            options.ttlSec = normalized.ttlSec;
+        }
+        return new AdvancedWelcomeService(options);
+    }
+}
+function normalizeConfig(config) {
+    if (!config) {
+        throw new Error("AdvancedWelcomeService requires configuration");
+    }
+    const source = config;
+    const ttlCandidate = typeof source.ttlSec === "number"
+        ? source.ttlSec
+        : typeof source.ttl_sec === "number"
+            ? source.ttl_sec
+            : undefined;
+    const caServiceUrlCandidate = typeof source.caServiceUrl === "string" &&
+        source.caServiceUrl.trim().length > 0
+        ? source.caServiceUrl.trim()
+        : typeof source.ca_service_url === "string" &&
+            source.ca_service_url.trim().length > 0
+            ? source.ca_service_url.trim()
+            : undefined;
+    if (!caServiceUrlCandidate) {
+        throw new Error("AdvancedWelcomeService configuration requires caServiceUrl");
+    }
+    const normalized = {
+        caServiceUrl: caServiceUrlCandidate,
+    };
+    if (source.placement !== undefined) {
+        normalized.placementConfig =
+            source.placement ?? null;
+    }
+    if (source.transport !== undefined) {
+        normalized.transportConfig =
+            source.transport ?? null;
+    }
+    const tokenIssuerConfig = source.tokenIssuer !== undefined
+        ? source.tokenIssuer
+        : source.token_issuer !== undefined
+            ? source.token_issuer
+            : undefined;
+    if (tokenIssuerConfig !== undefined) {
+        normalized.tokenIssuerConfig =
+            tokenIssuerConfig ?? null;
+    }
+    if (source.authorizer !== undefined) {
+        normalized.authorizerConfig =
+            source.authorizer ?? null;
+    }
+    if (ttlCandidate !== undefined && Number.isFinite(ttlCandidate)) {
+        normalized.ttlSec = ttlCandidate;
+    }
+    return normalized;
+}
+export default AdvancedWelcomeServiceFactory;
+//# sourceMappingURL=advanced-welcome-service-factory.js.map

package/dist/esm/naylence/fame/welcome/advanced-welcome-service-factory.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"advanced-welcome-service-factory.js","sourceRoot":"","sources":["../../../../../src/naylence/fame/welcome/advanced-welcome-service-factory.ts"],"names":[],"mappings":"AAOA,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,4BAA4B,EAC5B,2BAA2B,EAC3B,qBAAqB,EACrB,iCAAiC,GAElC,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,sBAAsB,GAEvB,MAAM,+BAA+B,CAAC;AAkBvC,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,IAAI,EAAE,iCAAiC;IACvC,GAAG,EAAE,wBAAwB;IAC7B,QAAQ,EAAE,GAAG;IACb,SAAS,EAAE,IAAI;CACP,CAAC;AAEX,MAAM,OAAO,6BAA8B,SAAQ,qBAAmD;IAAtG;;QACkB,SAAI,GAAG,YAAY,CAAC,GAAG,CAAC;QACxB,cAAS,GAAG,YAAY,CAAC,SAAS,CAAC;QACnC,aAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC;IAkDnD,CAAC;IAhDQ,KAAK,CAAC,MAAM,CACjB,MAAsE,EACtE,GAAG,WAAsB;QAEzB,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QAE3C,uEAAuE;QACvE,wFAAwF;QAExF,MAAM,iBAAiB,GACrB,MAAM,4BAA4B,CAAC,2BAA2B,CAC5D,UAAU,CAAC,eAAe,IAAI,IAAI,EAClC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CACrD,CAAC;QAEJ,MAAM,oBAAoB,GACxB,MAAM,2BAA2B,CAAC,0BAA0B,CAC1D,UAAU,CAAC,eAAe,IAAI,IAAI,EAClC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CACrD,CAAC;QAEJ,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,iBAAiB,CAC5D,UAAU,CAAC,iBAAiB,IAAI,IAAI,EACpC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CACrD,CAAC;QAEF,IAAI,UAAU,GAAG,IAAI,CAAC;QACtB,IAAI,UAAU,CAAC,gBAAgB,EAAE,CAAC;YAChC,UAAU;gBACR,CAAC,MAAM,iBAAiB,CAAC,gBAAgB,CAAC,UAAU,CAAC,gBAAgB,EAAE;oBACrE,WAAW;iBACZ,CAAC,CAAC,IAAI,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAkC;YAC7C,iBAAiB;YACjB,oBAAoB;YACpB,WAAW;YACX,UAAU;YACV,YAAY,EAAE,UAAU,CAAC,YAAY;SACtC,CAAC;QAEF,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;QACrC,CAAC;QAED,OAAO,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAC;IAC7C,CAAC;CACF;AAED,SAAS,eAAe,CACtB,MAAsE;IAEtE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,MAAM,GAAG,MACU,CAAC;IAE1B,MAAM,YAAY,GAChB,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ;QAC/B,CAAC,CAAC,MAAM,CAAC,MAAM;QACf,CAAC,CAAC,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ;YAClC,CAAC,CAAC,MAAM,CAAC,OAAO;YAChB,CAAC,CAAC,SAAS,CAAC;IAElB,MAAM,qBAAqB,GACzB,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ;QACvC,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;QACnC,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE;QAC5B,CAAC,CAAC,OAAO,MAAM,CAAC,cAAc,KAAK,QAAQ;YACvC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;YACzC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE;YAC9B,CAAC,CAAC,SAAS,CAAC;IAElB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAoC;QAClD,YAAY,EAAE,qBAAqB;KACpC,CAAC;IAEF,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,UAAU,CAAC,eAAe;YACvB,MAAM,CAAC,SAGC,IAAI,IAAI,CAAC;IACtB,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,UAAU,CAAC,eAAe;YACvB,MAAM,CAAC,SAGC,IAAI,IAAI,CAAC;IACtB,CAAC;IAED,MAAM,iBAAiB,GACrB,MAAM,CAAC,WAAW,KAAK,SAAS;QAC9B,CAAC,CAAC,MAAM,CAAC,WAAW;QACpB,CAAC,CAAC,MAAM,CAAC,YAAY,KAAK,SAAS;YACjC,CAAC,CAAC,MAAM,CAAC,YAAY;YACrB,CAAC,CAAC,SAAS,CAAC;IAElB,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACpC,UAAU,CAAC,iBAAiB;YACzB,iBAGQ,IAAI,IAAI,CAAC;IACtB,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACpC,UAAU,CAAC,gBAAgB;YACxB,MAAM,CAAC,UAGC,IAAI,IAAI,CAAC;IACtB,CAAC;IAED,IAAI,YAAY,KAAK,SAAS,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAChE,UAAU,CAAC,MAAM,GAAG,YAAY,CAAC;IACnC,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,eAAe,6BAA6B,CAAC"}

package/dist/esm/naylence/fame/welcome/advanced-welcome-service.js ADDED Viewed

@@ -0,0 +1,212 @@
+import { generateId, } from "@naylence/core";
+import { HTTP_CONNECTION_GRANT_TYPE, color, AnsiColor, formatTimestamp, jsonDumps, validateHostLogicals, getLogger, } from "@naylence/runtime";
+import { GRANT_PURPOSE_CA_SIGN } from "../security/cert/grants.js";
+const logger = getLogger("naylence.fame.welcome.advanced_welcome_service");
+const ENV_VAR_SHOW_ENVELOPES = "FAME_SHOW_ENVELOPES";
+const DEFAULT_TTL_SEC = 3600;
+const showEnvelopes = typeof process !== "undefined" &&
+    process.env?.[ENV_VAR_SHOW_ENVELOPES] === "true";
+function nowUtc() {
+    return new Date();
+}
+function formatTimestampForConsole() {
+    return color(formatTimestamp(), AnsiColor.GRAY);
+}
+function prettyModel(value) {
+    try {
+        return jsonDumps(value);
+    }
+    catch (error) {
+        return String(error);
+    }
+}
+function coercePlacementMetadataValue(metadata, camelCaseKey, snakeCaseKey) {
+    if (!metadata) {
+        return undefined;
+    }
+    const record = metadata;
+    if (record[camelCaseKey] !== undefined) {
+        return record[camelCaseKey];
+    }
+    if (record[snakeCaseKey] !== undefined) {
+        return record[snakeCaseKey];
+    }
+    return undefined;
+}
+export class AdvancedWelcomeService {
+    constructor(options) {
+        this.placementStrategy = options.placementStrategy;
+        this.transportProvisioner = options.transportProvisioner;
+        this.tokenIssuer = options.tokenIssuer;
+        this.authorizer = options.authorizer ?? null;
+        this.caServiceUrl = options.caServiceUrl;
+        this.ttlSec =
+            typeof options.ttlSec === "number" && Number.isFinite(options.ttlSec)
+                ? Math.max(0, options.ttlSec)
+                : DEFAULT_TTL_SEC;
+        logger.debug("initialized_advanced_welcome_service", {
+            ca_service_url: this.caServiceUrl,
+            ttl_sec: this.ttlSec,
+        });
+    }
+    async handleHello(hello, metadata) {
+        const fullMetadata = metadata
+            ? { ...metadata }
+            : {};
+        const trimmedSystemId = typeof hello.systemId === "string" ? hello.systemId.trim() : "";
+        const systemId = trimmedSystemId.length > 0 ? trimmedSystemId : generateId();
+        const wasAssigned = trimmedSystemId.length === 0;
+        const normalizedHello = {
+            ...hello,
+            systemId,
+        };
+        if (showEnvelopes) {
+            // eslint-disable-next-line no-console
+            console.log(`\n${formatTimestampForConsole()} - ${color("Received envelope 📨", AnsiColor.BLUE)}\n${prettyModel(normalizedHello)}`);
+        }
+        logger.debug("starting_hello_frame_processing", {
+            instanceId: normalizedHello.instanceId,
+            systemId,
+            logicals: normalizedHello.logicals,
+            capabilities: normalizedHello.capabilities,
+            ttlSec: this.ttlSec,
+        });
+        const now = nowUtc();
+        const expiry = new Date(now.getTime() + this.ttlSec * 1000);
+        if (normalizedHello.instanceId) {
+            if (fullMetadata.instanceId === undefined) {
+                fullMetadata.instanceId = normalizedHello.instanceId;
+            }
+            if (fullMetadata.instance_id === undefined) {
+                fullMetadata.instance_id = normalizedHello.instanceId;
+            }
+        }
+        logger.debug("system_id_assignment_completed", {
+            systemId,
+            wasAssigned,
+        });
+        if (normalizedHello.logicals?.length) {
+            logger.debug("validating_logicals_for_dns_compatibility", {
+                logicals: normalizedHello.logicals,
+            });
+            const [pathsValid, pathError] = validateHostLogicals(normalizedHello.logicals);
+            if (!pathsValid) {
+                logger.error("logical_validation_failed", {
+                    error: pathError,
+                    logicals: normalizedHello.logicals,
+                });
+                throw new Error(`Invalid logical format: ${pathError}`);
+            }
+            logger.debug("logicals_validation_successful");
+        }
+        logger.debug("requesting_node_placement", { systemId });
+        const placementResult = await this.placementStrategy.place(normalizedHello);
+        if (!placementResult.accept) {
+            logger.error("node_placement_rejected", {
+                systemId,
+                reason: placementResult.reason,
+            });
+            throw new Error(placementResult.reason || "Node not accepted");
+        }
+        const assignedPath = placementResult.assignedPath;
+        logger.debug("node_placement_accepted", {
+            systemId,
+            assignedPath,
+            targetPhysicalPath: placementResult.targetPhysicalPath ?? null,
+            targetSystemId: placementResult.targetSystemId ?? null,
+        });
+        const acceptedCapabilities = coercePlacementMetadataValue(placementResult.metadata, "acceptedCapabilities", "accepted_capabilities") ??
+            normalizedHello.capabilities ??
+            null;
+        const acceptedLogicals = coercePlacementMetadataValue(placementResult.metadata, "acceptedLogicals", "accepted_logicals") ??
+            normalizedHello.logicals ??
+            null;
+        logger.debug("processing_placement_result_metadata", {
+            acceptedCapabilities,
+            acceptedLogicals,
+            hasPlacementMetadata: placementResult.metadata !== undefined &&
+                placementResult.metadata !== null,
+        });
+        const connectionGrants = [];
+        const metadataInstanceId = (typeof fullMetadata.instanceId === "string" &&
+            fullMetadata.instanceId) ||
+            (typeof fullMetadata.instance_id === "string" &&
+                fullMetadata.instance_id) ||
+            normalizedHello.instanceId ||
+            generateId();
+        if (placementResult.targetSystemId) {
+            logger.debug("issuing_node_attach_token", {
+                systemId,
+                assignedPath,
+            });
+            const nodeAttachToken = await this.tokenIssuer.issue({
+                aud: placementResult.targetPhysicalPath,
+                system_id: systemId,
+                parent_path: placementResult.targetPhysicalPath,
+                assigned_path: placementResult.assignedPath,
+                accepted_logicals: acceptedLogicals,
+                instance_id: metadataInstanceId,
+            });
+            logger.debug("token_issued_successfully");
+            logger.debug("provisioning_transport", { systemId });
+            const transportInfo = await this.transportProvisioner.provision(placementResult, normalizedHello, fullMetadata, nodeAttachToken);
+            logger.debug("transport_provisioned_successfully", {
+                systemId,
+                directiveType: transportInfo.connectionGrant &&
+                    typeof transportInfo.connectionGrant === "object"
+                    ? (transportInfo.connectionGrant.type ??
+                        "Unknown")
+                    : "Unknown",
+            });
+            connectionGrants.push(transportInfo.connectionGrant);
+        }
+        const caSignToken = await this.tokenIssuer.issue({
+            aud: "ca",
+            system_id: systemId,
+            assigned_path: assignedPath,
+            accepted_logicals: acceptedLogicals,
+            instance_id: metadataInstanceId,
+        });
+        const caGrant = {
+            type: HTTP_CONNECTION_GRANT_TYPE,
+            purpose: GRANT_PURPOSE_CA_SIGN,
+            url: this.caServiceUrl,
+            auth: {
+                type: "BearerTokenHeaderAuth",
+                tokenProvider: {
+                    type: "StaticTokenProvider",
+                    token: caSignToken,
+                },
+            },
+        };
+        connectionGrants.push(caGrant);
+        const welcomeFrame = {
+            type: "NodeWelcome",
+            systemId,
+            targetSystemId: placementResult.targetSystemId ?? undefined,
+            targetPhysicalPath: placementResult.targetPhysicalPath ?? undefined,
+            instanceId: normalizedHello.instanceId,
+            assignedPath,
+            acceptedCapabilities: acceptedCapabilities ?? undefined,
+            acceptedLogicals: acceptedLogicals ?? undefined,
+            rejectedLogicals: undefined,
+            connectionGrants,
+            metadata: Object.keys(fullMetadata).length > 0 ? fullMetadata : undefined,
+            expiresAt: expiry.toISOString(),
+        };
+        logger.debug("hello_frame_processing_completed_successfully", {
+            systemId,
+            assignedPath,
+            acceptedLogicals,
+            acceptedCapabilities,
+            expiresAt: welcomeFrame.expiresAt,
+            instanceId: normalizedHello.instanceId,
+        });
+        if (showEnvelopes) {
+            // eslint-disable-next-line no-console
+            console.log(`\n${formatTimestampForConsole()} - ${color("Sent envelope", AnsiColor.BLUE)} 🚀\n${prettyModel(welcomeFrame)}`);
+        }
+        return welcomeFrame;
+    }
+}
+//# sourceMappingURL=advanced-welcome-service.js.map