npm - @naylence/runtime - Versions diffs - 0.3.12 → 0.3.13 - Mend

@naylence/runtime 0.3.12 → 0.3.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/dist/cjs/naylence/fame/node/rpc-client-manager.js CHANGED Viewed

@@ -102,6 +102,8 @@ class RPCClientManager {
         this.rpcBound = false;
         this.trackerEventHandler = null;
         this.trackerWithEvents = null;
+        this.boundPhysicalPath = null;
+        this.rpcRecipient = null;
         this.setupTrackerEventHandler();
     }
     setupTrackerEventHandler() {
@@ -253,6 +255,8 @@ class RPCClientManager {
         this.rpcBound = false;
         this.rpcReplyAddress = null;
         this.rpcListenerAddress = null;
+        this.boundPhysicalPath = null;
+        this.rpcRecipient = null;
         for (const [requestId, pending] of Array.from(this.pending.entries())) {
             if (pending.timer) {
                 clearTimeout(pending.timer);
@@ -270,17 +274,20 @@ class RPCClientManager {
         this.pendingByEnvelopeId.clear();
     }
     async ensureReplyListener() {
-        if (this.rpcBound) {
+        const currentPhysicalPath = this.getPhysicalPath();
+        if (this.rpcBound && this.boundPhysicalPath === currentPhysicalPath) {
             return;
         }
-        const recipient = `__rpc__${(0, core_1.generateId)()}`;
-        this.rpcReplyAddress = (0, core_1.formatAddress)(recipient, this.getPhysicalPath());
+        const recipient = this.rpcRecipient || `__rpc__${(0, core_1.generateId)()}`;
+        this.rpcRecipient = recipient;
+        this.rpcReplyAddress = (0, core_1.formatAddress)(recipient, currentPhysicalPath);
         const handler = async (envelope, _context) => {
             await this.handleReplyEnvelope(envelope);
             return null;
         };
         this.rpcListenerAddress = await this.listenCallback(recipient, handler);
         this.rpcBound = true;
+        this.boundPhysicalPath = currentPhysicalPath;
         logger.debug('rpc_reply_listener_bound', {
             reply_recipient: recipient,
             reply_address: this.rpcReplyAddress?.toString(),

package/dist/cjs/naylence/fame/node/token-subject-node-identity-policy-factory.js ADDED Viewed

@@ -0,0 +1,55 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenSubjectNodeIdentityPolicyFactory = exports.FACTORY_META = void 0;
+const node_identity_policy_factory_js_1 = require("./node-identity-policy-factory.js");
+exports.FACTORY_META = {
+    base: node_identity_policy_factory_js_1.NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
+    key: 'TokenSubjectNodeIdentityPolicy',
+};
+class TokenSubjectNodeIdentityPolicyFactory extends node_identity_policy_factory_js_1.NodeIdentityPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'TokenSubjectNodeIdentityPolicy';
+    }
+    async create(
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _config) {
+        const { TokenSubjectNodeIdentityPolicy } = await Promise.resolve().then(() => __importStar(require('./token-subject-node-identity-policy.js')));
+        return new TokenSubjectNodeIdentityPolicy();
+    }
+}
+exports.TokenSubjectNodeIdentityPolicyFactory = TokenSubjectNodeIdentityPolicyFactory;
+exports.default = TokenSubjectNodeIdentityPolicyFactory;

package/dist/cjs/naylence/fame/node/token-subject-node-identity-policy.js ADDED Viewed

@@ -0,0 +1,84 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenSubjectNodeIdentityPolicy = void 0;
+const core_1 = require("@naylence/core");
+const token_provider_factory_js_1 = require("../security/auth/token-provider-factory.js");
+const token_provider_js_1 = require("../security/auth/token-provider.js");
+const logging_js_1 = require("../util/logging.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.node.token_subject_node_identity_policy');
+class TokenSubjectNodeIdentityPolicy {
+    async resolveInitialNodeId(context) {
+        if (context.configuredId) {
+            return context.configuredId;
+        }
+        if (context.persistedId) {
+            return context.persistedId;
+        }
+        return (0, core_1.generateIdAsync)();
+    }
+    async resolveAdmissionNodeId(context) {
+        logger.debug('resolve_admission_node_id_start', {
+            grantsCount: context.grants?.length ?? 0,
+            currentNodeId: context.currentNodeId,
+        });
+        if (context.grants && context.grants.length > 0) {
+            for (const grant of context.grants) {
+                try {
+                    const auth = grant.auth;
+                    if (!auth) {
+                        logger.debug('skipping_grant_no_auth', { grantType: grant.type });
+                        continue;
+                    }
+                    const tokenProviderConfig = (auth.tokenProvider ??
+                        auth.token_provider);
+                    if (!tokenProviderConfig ||
+                        typeof tokenProviderConfig.type !== 'string') {
+                        logger.debug('skipping_grant_invalid_token_provider_config', {
+                            grantType: grant.type,
+                            config: tokenProviderConfig,
+                        });
+                        continue;
+                    }
+                    logger.debug('creating_token_provider', {
+                        type: tokenProviderConfig.type,
+                    });
+                    const provider = await token_provider_factory_js_1.TokenProviderFactory.createTokenProvider(tokenProviderConfig);
+                    const isExposing = (0, token_provider_js_1.isIdentityExposingTokenProvider)(provider);
+                    logger.debug('token_provider_created', {
+                        type: tokenProviderConfig.type,
+                        isIdentityExposing: isExposing,
+                    });
+                    if (isExposing) {
+                        const identity = await provider.getIdentity();
+                        logger.debug('retrieved_identity', { identity });
+                        if (identity && identity.subject) {
+                            const hashedSubject = await (0, core_1.generateIdAsync)({
+                                mode: 'fingerprint',
+                                material: identity.subject,
+                                length: 8,
+                            });
+                            const newNodeId = `${hashedSubject}-${context.currentNodeId}`;
+                            logger.info('resolved_identity_from_token', {
+                                subject: identity.subject,
+                                hashedSubject,
+                                newNodeId,
+                            });
+                            return newNodeId;
+                        }
+                        else {
+                            logger.debug('identity_missing_subject', { identity });
+                        }
+                    }
+                }
+                catch (err) {
+                    logger.warning('failed_to_extract_identity_from_grant', { error: err });
+                }
+            }
+        }
+        else {
+            logger.debug('no_grants_available');
+        }
+        return context.currentNodeId;
+    }
+}
+exports.TokenSubjectNodeIdentityPolicy = TokenSubjectNodeIdentityPolicy;

package/dist/cjs/naylence/fame/node/upstream-session-manager.js CHANGED Viewed

@@ -103,6 +103,7 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
         super();
         this.readyEvent = new async_event_js_1.AsyncEvent();
         this.stopEvent = new async_event_js_1.AsyncEvent();
+        this.wakeEvent = new async_event_js_1.AsyncEvent();
         this.queueEvent = new async_event_js_1.AsyncEvent();
         this.currentStopSubtasks = null;
         this.messageQueue = [];
@@ -114,6 +115,7 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
         this.hadSuccessfulAttach = false;
         this.lastConnectorState = null;
         this.connectEpoch = 0;
+        this._visibilityHandler = null;
         const options = normalizeOptions(optionsInput);
         this.node = options.node;
         this.attachClient = options.attachClient;
@@ -133,6 +135,34 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
     get systemId() {
         return this.targetSystemId;
     }
+    setupVisibilityListener() {
+        logger.debug('setup_visibility_listener_called', {
+            has_document: typeof document !== 'undefined',
+        });
+        if (typeof document !== 'undefined' && document.addEventListener) {
+            this._visibilityHandler = () => {
+                logger.debug('visibility_change_event_fired', {
+                    state: document.visibilityState,
+                });
+                if (document.visibilityState === 'visible') {
+                    logger.debug('visibility_change_detected_waking_up');
+                    this.wakeEvent.set();
+                }
+            };
+            document.addEventListener('visibilitychange', this._visibilityHandler);
+        }
+        else {
+            logger.debug('setup_visibility_listener_skipped_no_document');
+        }
+    }
+    teardownVisibilityListener() {
+        if (this._visibilityHandler &&
+            typeof document !== 'undefined' &&
+            document.removeEventListener) {
+            document.removeEventListener('visibilitychange', this._visibilityHandler);
+            this._visibilityHandler = null;
+        }
+    }
     async start(options = {}) {
         const { waitUntilReady = true } = options;
         if (this.fsmTask) {
@@ -140,6 +170,8 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
         }
         this.stopEvent.clear();
         this.readyEvent.clear();
+        this.wakeEvent.clear();
+        this.setupVisibilityListener();
         const taskName = `upstream-fsm-${this.connectEpoch}`;
         this.fsmTask = this.spawn(() => this.fsmLoop(), { name: taskName });
         if (!waitUntilReady) {
@@ -160,6 +192,7 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
     }
     async stop() {
         logger.debug('upstream_session_manager_stopping');
+        this.teardownVisibilityListener();
         this.stopEvent.set();
         this.currentStopSubtasks?.set();
         if (this.fsmTask) {
@@ -213,11 +246,16 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
     async fsmLoop() {
         let delay = UpstreamSessionManager.BACKOFF_INITIAL;
         while (!this.stopEvent.isSet()) {
+            const startTime = Date.now();
             try {
                 await this.connectCycle();
                 delay = UpstreamSessionManager.BACKOFF_INITIAL;
             }
             catch (error) {
+                // Reset backoff if the connection was alive for more than 10 seconds
+                if (Date.now() - startTime > 10000) {
+                    delay = UpstreamSessionManager.BACKOFF_INITIAL;
+                }
                 if (error instanceof task_types_js_1.TaskCancelledError) {
                     throw error;
                 }
@@ -232,11 +270,20 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
                     }
                 }
                 else {
-                    logger.warning('upstream_link_closed', {
-                        error: error.message,
-                        will_retry: true,
-                        exc_info: true,
-                    });
+                    const err = error;
+                    if (err.name === 'OAuth2PkceRedirectInitiatedError') {
+                        logger.info('upstream_link_redirecting', {
+                            error: err.message,
+                            will_retry: true,
+                        });
+                    }
+                    else {
+                        logger.warning('upstream_link_closed', {
+                            error: err.message,
+                            will_retry: true,
+                            exc_info: true,
+                        });
+                    }
                     if (!this.hadSuccessfulAttach) {
                         throw error;
                     }
@@ -254,14 +301,40 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
         if (delaySeconds <= 0) {
             return;
         }
+        // If the document is visible, cap the backoff delay to improve UX
+        // This ensures that if the user is watching, we retry quickly (e.g. 1s)
+        // instead of waiting for the full exponential backoff (up to 30s).
+        let effectiveDelay = delaySeconds;
+        if (typeof document !== 'undefined' &&
+            document.visibilityState === 'visible') {
+            effectiveDelay = Math.min(delaySeconds, 1.0);
+            if (effectiveDelay < delaySeconds) {
+                logger.debug('sleep_reduced_document_visible', {
+                    original: delaySeconds,
+                    new: effectiveDelay,
+                });
+            }
+        }
+        if (this.wakeEvent.isSet()) {
+            this.wakeEvent.clear();
+            return;
+        }
         let timeout;
         const sleepPromise = new Promise((resolve) => {
             timeout = setTimeout(() => {
                 timeout = undefined;
                 resolve();
-            }, delaySeconds * 1000);
+            }, effectiveDelay * 1000);
         });
-        await Promise.race([sleepPromise, this.stopEvent.wait()]);
+        await Promise.race([
+            sleepPromise,
+            this.stopEvent.wait(),
+            this.wakeEvent.wait(),
+        ]);
+        if (this.wakeEvent.isSet()) {
+            logger.debug('sleep_interrupted_by_wake_event');
+            this.wakeEvent.clear();
+        }
         if (timeout !== undefined) {
             clearTimeout(timeout);
         }
@@ -281,7 +354,7 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
         return signal ? event.wait({ signal }) : event.wait();
     }
     _getLocalNodeId() {
-        const normalized = this._normalizeNodeId(this.node.id);
+        const normalized = this._normalizeNodeId(this.node.provisionalId);
         if (!normalized) {
             throw new Error('UpstreamSessionManager requires node with a stable identifier');
         }
@@ -299,7 +372,7 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
             throw new errors_js_1.FameConnectError('Admission client is required to attach upstream');
         }
         this.connectEpoch += 1;
-        const welcome = await this.admissionClient.hello(this.node.id, (0, core_1.generateId)(), this.requestedLogicals);
+        const welcome = await this.admissionClient.hello(this.node.provisionalId, (0, core_1.generateId)(), this.requestedLogicals);
         const connectionGrants = welcome.frame.connectionGrants;
         if (!connectionGrants?.length) {
             throw new Error('Welcome frame missing connection grants');
@@ -341,6 +414,11 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
             Array.isArray(welcome.frame.connectionGrants)) {
             for (const grant of welcome.frame.connectionGrants) {
                 if (grant && typeof grant === 'object') {
+                    const grantType = grant.type;
+                    if (grantType === 'WebSocketConnectionGrant' ||
+                        grantType === 'HttpConnectionGrant') {
+                        continue;
+                    }
                     // Avoid duplicates by checking if grant already exists
                     const isDuplicate = callbackGrants.some((existing) => JSON.stringify(existing) === JSON.stringify(grant));
                     if (!isDuplicate) {

package/dist/cjs/naylence/fame/security/auth/auth-identity.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/naylence/fame/security/auth/materializable-token-provider.js ADDED Viewed

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isMaterializableTokenProvider = isMaterializableTokenProvider;
+function isMaterializableTokenProvider(candidate) {
+    return (typeof candidate === 'object' &&
+        candidate !== null &&
+        typeof candidate.materialize ===
+            'function');
+}

package/dist/cjs/naylence/fame/security/auth/oauth2-pkce-token-provider.js CHANGED Viewed

@@ -275,6 +275,15 @@ class OAuth2PkceTokenProvider {
     constructor(rawOptions) {
         this.options = normalizeOptions(rawOptions);
     }
+    async materialize() {
+        const token = await this.getToken();
+        return {
+            type: 'StaticTokenProvider',
+            token: token.value,
+            expiresAt: token.expiresAt,
+            expires_at: token.expiresAt,
+        };
+    }
     async getToken() {
         if (!isBrowserEnvironment()) {
             throw new Error('OAuth2PkceTokenProvider requires a browser environment with sessionStorage support');

package/dist/cjs/naylence/fame/security/auth/static-token-provider.js CHANGED Viewed

@@ -44,6 +44,50 @@ class StaticTokenProvider {
     async getToken() {
         return { ...this.token };
     }
+    async getIdentity() {
+        const tokenValue = this.token.value;
+        const parts = tokenValue.split('.');
+        if (parts.length !== 3) {
+            return undefined;
+        }
+        try {
+            const payloadSegment = parts[1];
+            // Fix padding for base64url
+            const padding = '='.repeat((4 - (payloadSegment.length % 4)) % 4);
+            const base64 = (payloadSegment + padding)
+                .replace(/-/g, '+')
+                .replace(/_/g, '/');
+            let jsonString;
+            if (typeof Buffer !== 'undefined') {
+                jsonString = Buffer.from(base64, 'base64').toString('utf-8');
+            }
+            else if (typeof atob === 'function') {
+                jsonString = atob(base64);
+                try {
+                    jsonString = decodeURIComponent(jsonString
+                        .split('')
+                        .map(function (c) {
+                        return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
+                    })
+                        .join(''));
+                }
+                catch {
+                    // ignore
+                }
+            }
+            else {
+                return undefined;
+            }
+            const payload = JSON.parse(jsonString);
+            if (payload && typeof payload.sub === 'string') {
+                return { subject: payload.sub, claims: payload };
+            }
+        }
+        catch {
+            // ignore decoding errors
+        }
+        return undefined;
+    }
 }
 exports.StaticTokenProvider = StaticTokenProvider;
 function normalizeOptions(input) {

package/dist/cjs/naylence/fame/security/auth/token-provider.js CHANGED Viewed

@@ -1,8 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.isTokenProvider = isTokenProvider;
+exports.isIdentityExposingTokenProvider = isIdentityExposingTokenProvider;
 function isTokenProvider(candidate) {
     return (typeof candidate === 'object' &&
         candidate !== null &&
         typeof candidate.getToken === 'function');
 }
+function isIdentityExposingTokenProvider(candidate) {
+    return (isTokenProvider(candidate) &&
+        typeof candidate.getIdentity ===
+            'function');
+}

package/dist/cjs/naylence/fame/security/default-security-manager.js CHANGED Viewed

@@ -380,7 +380,7 @@ class DefaultSecurityManager {
     async onNodeInitialized(node) {
         this._node = node;
         logger.debug('security_manager_node_initialized', {
-            node_id: node.id,
+            node_id: node.provisionalId,
             has_node_crypto_provider: Boolean(node.cryptoProvider),
             provider_type: node.cryptoProvider
                 ? (node.cryptoProvider.constructor?.name ?? 'unknown')
@@ -404,7 +404,9 @@ class DefaultSecurityManager {
         if (encryption && hasNodeListenerMethod(encryption, 'onNodeInitialized')) {
             await encryption.onNodeInitialized(node);
         }
-        logger.debug('node_security_initialization_complete', { node_id: node.id });
+        logger.debug('node_security_initialization_complete', {
+            node_id: node.provisionalId,
+        });
     }
     async onNodeAttachToPeer(node, attachInfo, connector) {
         const attachRecord = attachInfo;

package/dist/cjs/naylence/fame/security/index.js CHANGED Viewed

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = exports.CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE = exports.EdDSAEnvelopeSigner = exports.encodeUtf8 = exports.immutableHeaders = exports.frameDigest = exports.decodeBase64Url = exports.canonicalJson = exports.SigningConfigClass = exports.SECURITY_MANAGER_FACTORY_BASE_TYPE = exports.SECURITY_POLICY_FACTORY_BASE_TYPE = exports.KEY_STORE_FACTORY_BASE_TYPE = exports.ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE = exports.KEY_MANAGER_FACTORY_BASE_TYPE = exports.SecureChannelManagerFactory = exports.SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE = exports.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE = exports.NoopTrustStoreProvider = exports.TrustStoreProviderFactory = exports.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = exports.CertificateManagerFactory = exports.CERTIFICATE_MANAGER_FACTORY_BASE_TYPE = exports.TokenProviderFactory = exports.TOKEN_PROVIDER_FACTORY_BASE_TYPE = exports.TokenVerifierFactory = exports.TOKEN_VERIFIER_FACTORY_BASE_TYPE = exports.TokenIssuerFactory = exports.TOKEN_ISSUER_FACTORY_BASE_TYPE = exports.AuthInjectionStrategyFactory = exports.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE = exports.AuthorizerFactory = exports.AUTHORIZER_FACTORY_BASE_TYPE = void 0;
 const tslib_1 = require("tslib");
 tslib_1.__exportStar(require("./auth/authorizer.js"), exports);
+tslib_1.__exportStar(require("./auth/auth-identity.js"), exports);
 var authorizer_factory_js_1 = require("./auth/authorizer-factory.js");
 Object.defineProperty(exports, "AUTHORIZER_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return authorizer_factory_js_1.AUTHORIZER_FACTORY_BASE_TYPE; } });
 Object.defineProperty(exports, "AuthorizerFactory", { enumerable: true, get: function () { return authorizer_factory_js_1.AuthorizerFactory; } });

package/dist/cjs/naylence/fame/security/keys/default-key-manager.js CHANGED Viewed

@@ -95,7 +95,7 @@ class DefaultKeyManager {
         this.node = node;
         this.routingNode = isRoutingNode(node) ? node : null;
         logger.debug('key_manager_started', {
-            node_id: this.nodeId,
+            node_id: node.provisionalId,
             physical_path: this.physicalPath,
             has_upstream: this.hasUpstream,
         });

package/dist/cjs/naylence/fame/util/task-spawner.js CHANGED Viewed

@@ -278,6 +278,14 @@ class TaskSpawner {
             });
             return;
         }
+        // Handle PKCE redirect "errors" as info
+        if (error.name === 'OAuth2PkceRedirectInitiatedError') {
+            logger.debug('background_task_redirecting', {
+                task_name: taskName,
+                note: 'Task interrupted for PKCE redirect',
+            });
+            return;
+        }
         // Check if this is a retriable connection error (will be logged and retried by FSM)
         const isRetriableError = error.name === 'FameConnectError' ||
             error.message.includes('missed heartbeat') ||

package/dist/cjs/version.js CHANGED Viewed

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.12
+// Generated from package.json version: 0.3.13
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.12';
+exports.VERSION = '0.3.13';

package/dist/esm/naylence/fame/connector/broadcast-channel-connector.browser.js CHANGED Viewed

@@ -239,7 +239,7 @@ export class BroadcastChannelConnector extends BaseAsyncConnector {
             // Track page lifecycle events to detect browser unload/discard
             if (typeof window !== 'undefined') {
                 const lifecycleLogger = (event) => {
-                    logger.info('broadcast_channel_page_lifecycle', {
+                    logger.debug('broadcast_channel_page_lifecycle', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         event_type: event.type,

package/dist/esm/naylence/fame/factory-manifest.js CHANGED Viewed

@@ -21,7 +21,10 @@ export const MODULES = [
     "./node/admission/direct-admission-client-factory.js",
     "./node/admission/noop-admission-client-factory.js",
     "./node/admission/welcome-service-client-factory.js",
+    "./node/default-node-identity-policy-factory.js",
     "./node/node-factory.js",
+    "./node/node-identity-policy-profile-factory.js",
+    "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
@@ -96,7 +99,10 @@ export const MODULE_LOADERS = {
     "./node/admission/direct-admission-client-factory.js": () => import("./node/admission/direct-admission-client-factory.js"),
     "./node/admission/noop-admission-client-factory.js": () => import("./node/admission/noop-admission-client-factory.js"),
     "./node/admission/welcome-service-client-factory.js": () => import("./node/admission/welcome-service-client-factory.js"),
+    "./node/default-node-identity-policy-factory.js": () => import("./node/default-node-identity-policy-factory.js"),
     "./node/node-factory.js": () => import("./node/node-factory.js"),
+    "./node/node-identity-policy-profile-factory.js": () => import("./node/node-identity-policy-profile-factory.js"),
+    "./node/token-subject-node-identity-policy-factory.js": () => import("./node/token-subject-node-identity-policy-factory.js"),
     "./placement/static-node-placement-strategy-factory.js": () => import("./placement/static-node-placement-strategy-factory.js"),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => import("./security/auth/bearer-token-header-auth-injection-strategy-factory.js"),
     "./security/auth/default-authorizer-factory.js": () => import("./security/auth/default-authorizer-factory.js"),

package/dist/esm/naylence/fame/grants/grant-materializer.js ADDED Viewed

@@ -0,0 +1,55 @@
+import { TokenProviderFactory } from '../security/auth/token-provider-factory.js';
+import { isMaterializableTokenProvider } from '../security/auth/materializable-token-provider.js';
+import { getLogger } from '../util/logging.js';
+const logger = getLogger('naylence.fame.grants.grant_materializer');
+export class GrantMaterializer {
+    static async materialize(grant) {
+        const candidate = grant;
+        const auth = candidate.auth;
+        if (!auth) {
+            return grant;
+        }
+        const tokenProviderConfig = (auth.tokenProvider ??
+            auth.token_provider);
+        if (!tokenProviderConfig || typeof tokenProviderConfig.type !== 'string') {
+            return grant;
+        }
+        try {
+            const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
+            if (isMaterializableTokenProvider(provider)) {
+                const materializedConfig = await provider.materialize();
+                if (materializedConfig) {
+                    logger.debug('grant_materialized', {
+                        grantType: candidate.type,
+                        providerType: tokenProviderConfig.type,
+                    });
+                    const newAuth = { ...auth };
+                    if ('tokenProvider' in newAuth) {
+                        newAuth.tokenProvider = materializedConfig;
+                    }
+                    if ('token_provider' in newAuth) {
+                        newAuth.token_provider = materializedConfig;
+                    }
+                    return {
+                        ...grant,
+                        auth: newAuth,
+                    };
+                }
+            }
+        }
+        catch (error) {
+            if (error &&
+                error.name === 'OAuth2PkceRedirectInitiatedError') {
+                logger.info('grant_materialization_redirecting', {
+                    grantType: candidate.type,
+                });
+                throw error;
+            }
+            logger.warning('grant_materialization_failed', {
+                error: error instanceof Error ? error.message : String(error),
+                grantType: candidate.type,
+            });
+        }
+        return grant;
+    }
+}

package/dist/esm/naylence/fame/node/admission/admission-profile-factory.js CHANGED Viewed

@@ -234,11 +234,13 @@ export class AdmissionProfileFactory extends AdmissionClientFactory {
         super(...arguments);
         this.type = 'AdmissionProfile';
     }
-    async create(config) {
+    async create(config, ...factoryArgs) {
         const normalized = normalizeConfig(config);
         const profileConfig = resolveProfileConfig(normalized.profile);
         logger.debug('enabling_admission_profile', { profile: normalized.profile });
-        return AdmissionClientFactory.createAdmissionClient(profileConfig);
+        return AdmissionClientFactory.createAdmissionClient(profileConfig, {
+            factoryArgs,
+        });
     }
 }
 function normalizeConfig(config) {