@naylence/agent-sdk 0.3.13 → 0.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
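--- a/PATH_NOT_SHOWN_IN_DIFF
+++ b/PATH_NOT_SHOWN_IN_DIFF
@@ -15667,12 +15667,12 @@
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.20
 /**
 * The package version, injected at build time.
 * @internal
 */
-const VERSION$2 = '0.3.16';
+const VERSION$2 = '0.3.20';
 
 let initialized$1 = false;
 const runtimePlugin = {
@@ -39791,9 +39791,15 @@
 hasNodeAttachValidation(authorizer)) {
 try {
 const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-if (validated) {
-finalAuthResult = validated;
+if (validated === undefined) {
+logger$z.warning('node_attach_validation_rejected', {
+envp_id: envelope.id,
+frame_type: envelope.frame.type,
+origin_type: context.originType ?? 'unknown',
+});
+return null;
 }
+finalAuthResult = validated;
 }
 catch (error) {
 logger$z.error('node_attach_authorization_validation_failed', {
@@ -41889,6 +41895,7 @@
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -42124,6 +42131,7 @@
 max_ttl_sec: 86400,
 algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
 audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
 },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -42330,6 +42338,7 @@
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
 __proto__: null,
 ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
 ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
 ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
 ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -48244,6 +48253,7 @@
 defaultTtlSec: normalized.defaultTtlSec,
 maxTtlSec: normalized.maxTtlSec,
 reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
 };
 if (tokenIssuer) {
 authorizerOptions.tokenIssuer = tokenIssuer;
@@ -48311,6 +48321,8 @@
 : typeof source.reverse_auth_ttl_sec === 'number'
 ? source.reverse_auth_ttl_sec
 : DEFAULT_REVERSE_AUTH_TTL_SEC;
+const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+source.enforce_token_subject_node_identity, false);
 const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
 const tokenVerifierConfig = normalizeTokenVerifierConfig({
 config: tokenVerifierConfigInput,
@@ -48329,6 +48341,7 @@
 maxTtlSec,
 tokenVerifierConfig,
 reverseAuthTtlSec: reverseAuthCandidate,
+enforceTokenSubjectNodeIdentity,
 ...(audience ? { audience } : {}),
 };
 if (tokenIssuerConfig) {
@@ -48349,6 +48362,21 @@
 };
 return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+if (typeof value === 'boolean') {
+return value;
+}
+if (typeof value === 'string') {
+const lower = value.toLowerCase().trim();
+if (lower === 'true' || lower === '1' || lower === 'yes') {
+return true;
+}
+if (lower === 'false' || lower === '0' || lower === 'no') {
+return false;
+}
+}
+return defaultValue;
+}
 
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
 __proto__: null,
@@ -53366,6 +53394,10 @@
 : typeof snake.aud === 'string'
 ? snake.aud
 : undefined);
+const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+(typeof snake.enforce_token_subject_node_identity === 'boolean'
+? snake.enforce_token_subject_node_identity
+: undefined);
 return {
 tokenVerifier,
 tokenIssuer,
@@ -53375,6 +53407,7 @@
 defaultTtlSec,
 maxTtlSec,
 reverseAuthTtlSec,
+enforceTokenSubjectNodeIdentity,
 };
 }
 class OAuth2Authorizer {
@@ -53388,6 +53421,8 @@
 this.requireScope = options.requireScope ?? true;
 this.reverseAuthTtlSec =
 options.reverseAuthTtlSec ?? DEFAULT_REVERSE_AUTH_TTL_SEC;
+this.enforceTokenSubjectNodeIdentity =
+options.enforceTokenSubjectNodeIdentity ?? false;
 }
 get tokenVerifier() {
 return this.tokenVerifierImpl;
@@ -53517,6 +53552,13 @@
 });
 return undefined;
 }
+// Enforce token subject node identity if enabled
+if (this.enforceTokenSubjectNodeIdentity) {
+const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+if (!validationResult) {
+return undefined;
+}
+}
 claims.instance_id = claims.instance_id ?? frame.instanceId;
 claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
 claims.accepted_capabilities =
@@ -53594,6 +53636,33 @@
 }
 return false;
 }
+async validateTokenSubjectNodeIdentity(systemId, claims) {
+const sub = claims.sub;
+if (typeof sub !== 'string' || sub.trim().length === 0) {
+logger$3.warning('oauth2_attach_missing_subject_claim', {
+system_id: systemId,
+});
+return false;
+}
+const expectedPrefix = await generateIdAsync({
+mode: 'fingerprint',
+material: sub,
+length: 8,
+});
+if (!systemId.startsWith(`${expectedPrefix}-`)) {
+logger$3.warning('oauth2_attach_node_identity_mismatch', {
+system_id: systemId,
+expected_prefix: expectedPrefix,
+subject: sub,
+});
+return false;
+}
+logger$3.debug('oauth2_attach_node_identity_verified', {
+system_id: systemId,
+expected_prefix: expectedPrefix,
+});
+return true;
+}
 }
 
 var oauth2Authorizer = /*#__PURE__*/Object.freeze({
@@ -53750,6 +53819,51 @@
 }
 return DEFAULT_EXPIRY_SECONDS;
 }
+async getIdentity() {
+const token = await this.getToken();
+const tokenValue = token.value;
+const parts = tokenValue.split('.');
+if (parts.length !== 3) {
+return undefined;
+}
+try {
+const payloadSegment = parts[1];
+// Fix padding for base64url
+const padding = '='.repeat((4 - (payloadSegment.length % 4)) % 4);
+const base64 = (payloadSegment + padding)
+.replace(/-/g, '+')
+.replace(/_/g, '/');
+let jsonString;
+if (typeof Buffer !== 'undefined') {
+jsonString = Buffer.from(base64, 'base64').toString('utf-8');
+}
+else if (typeof atob === 'function') {
+jsonString = atob(base64);
+try {
+jsonString = decodeURIComponent(jsonString
+.split('')
+.map(function (c) {
+return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
+})
+.join(''));
+}
+catch {
+// ignore
+}
+}
+else {
+return undefined;
+}
+const payload = JSON.parse(jsonString);
+if (payload && typeof payload.sub === 'string') {
+return { subject: payload.sub, claims: payload };
+}
+}
+catch {
+// ignore decoding errors
+}
+return undefined;
+}
 }
 
 var oauth2ClientCredentialsTokenProvider = /*#__PURE__*/Object.freeze({
@@ -55223,12 +55337,12 @@
 });
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.13
+// Generated from package.json version: 0.3.14
 /**
 * The package version, injected at build time.
 * @internal
 */
-const VERSION$1 = '0.3.13';
+const VERSION$1 = '0.3.14';
 
 let initialized = false;
 const agentSdkPlugin = {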
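Review bot: `validateTokenSubjectNodeIdentity` in hunk `@@ -53594,6 +53636,33 @@` calls `systemId.startsWith(...)` without checking that `systemId` is a string, so if an attach frame arrives with a missing or non-string `systemId` the method throws a TypeError rather than rejecting cleanly (presumably landing in the generic `node_attach_authorization_validation_failed` catch of hunk `@@ -39791`, which hides the real reason); add `if (typeof systemId !== 'string' || systemId.length === 0) { logger$3.warning('oauth2_attach_missing_system_id', { subject: sub }); return false; }` before the fingerprint is computed. The method also lacks a doc comment: it should state that it binds the attach frame's `systemId` to the verified token `sub` by requiring the `systemId` to start with the `length: 8` fingerprint of `sub` followed by `-`, that the binding is therefore only as strong as that 8-character truncated fingerprint, and that the check runs only when `enforceTokenSubjectNodeIdentity` is true, which the profile in hunk `@@ -42124` defaults to `'false'`. In hunk `@@ -39791`, the new `validated === undefined` test passes every other value, including `null` or `false`, straight into `finalAuthResult`; if any authorizer's `validateNodeAttachRequest` signals rejection with `null`, that should read `if (validated == null) {`. `getIdentity()` in hunk `@@ -53750` decodes the JWT payload without verifying the signature, which is acceptable for deriving the local identity from a token the provider itself fetched, but its doc comment should say the returned `claims` are unverified and must not be used for authorization decisions. `validateTokenSubjectNodeIdentity` is complete within its hunk; the enclosing `OAuth2Authorizer` class header is outside it.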