npm - @naylence/runtime - Versions diffs - 0.3.16 → 0.3.18 - Mend

@naylence/runtime 0.3.16 → 0.3.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/browser/index.cjs CHANGED Viewed

@@ -515,12 +515,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.18
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.16';
+const VERSION = '0.3.18';
 let initialized = false;
 const runtimePlugin = {
@@ -28228,6 +28228,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -28463,6 +28464,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -28669,6 +28671,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -34710,6 +34713,7 @@ class OAuth2AuthorizerFactory extends AuthorizerFactory {
             defaultTtlSec: normalized.defaultTtlSec,
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+            enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -34777,6 +34781,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -34795,6 +34801,7 @@ function normalizeConfig$c(config) {
         maxTtlSec,
         tokenVerifierConfig,
         reverseAuthTtlSec: reverseAuthCandidate,
+        enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
     };
     if (tokenIssuerConfig) {
@@ -34815,6 +34822,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
@@ -39832,6 +39854,10 @@ function normalizeOptions$4(raw) {
             : typeof snake.aud === 'string'
                 ? snake.aud
                 : undefined);
+    const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+        (typeof snake.enforce_token_subject_node_identity === 'boolean'
+            ? snake.enforce_token_subject_node_identity
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -39841,6 +39867,7 @@ function normalizeOptions$4(raw) {
         defaultTtlSec,
         maxTtlSec,
         reverseAuthTtlSec,
+        enforceTokenSubjectNodeIdentity,
     };
 }
 class OAuth2Authorizer {
@@ -39854,6 +39881,8 @@ class OAuth2Authorizer {
         this.requireScope = options.requireScope ?? true;
         this.reverseAuthTtlSec =
             options.reverseAuthTtlSec ?? DEFAULT_REVERSE_AUTH_TTL_SEC;
+        this.enforceTokenSubjectNodeIdentity =
+            options.enforceTokenSubjectNodeIdentity ?? false;
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -39983,6 +40012,13 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
+        // Enforce token subject node identity if enabled
+        if (this.enforceTokenSubjectNodeIdentity) {
+            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+            if (!validationResult) {
+                return undefined;
+            }
+        }
         claims.instance_id = claims.instance_id ?? frame.instanceId;
         claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
         claims.accepted_capabilities =
@@ -40060,6 +40096,33 @@ class OAuth2Authorizer {
         }
         return false;
     }
+    async validateTokenSubjectNodeIdentity(systemId, claims) {
+        const sub = claims.sub;
+        if (typeof sub !== 'string' || sub.trim().length === 0) {
+            logger$3.warning('oauth2_attach_missing_subject_claim', {
+                system_id: systemId,
+            });
+            return false;
+        }
+        const expectedPrefix = await core.generateIdAsync({
+            mode: 'fingerprint',
+            material: sub,
+            length: 8,
+        });
+        if (!systemId.startsWith(`${expectedPrefix}-`)) {
+            logger$3.warning('oauth2_attach_node_identity_mismatch', {
+                system_id: systemId,
+                expected_prefix: expectedPrefix,
+                subject: sub,
+            });
+            return false;
+        }
+        logger$3.debug('oauth2_attach_node_identity_verified', {
+            system_id: systemId,
+            expected_prefix: expectedPrefix,
+        });
+        return true;
+    }
 }
 var oauth2Authorizer = /*#__PURE__*/Object.freeze({

package/dist/browser/index.mjs CHANGED Viewed

@@ -513,12 +513,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.18
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.16';
+const VERSION = '0.3.18';
 let initialized = false;
 const runtimePlugin = {
@@ -28226,6 +28226,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -28461,6 +28462,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -28667,6 +28669,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -34708,6 +34711,7 @@ class OAuth2AuthorizerFactory extends AuthorizerFactory {
             defaultTtlSec: normalized.defaultTtlSec,
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+            enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -34775,6 +34779,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -34793,6 +34799,7 @@ function normalizeConfig$c(config) {
         maxTtlSec,
         tokenVerifierConfig,
         reverseAuthTtlSec: reverseAuthCandidate,
+        enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
     };
     if (tokenIssuerConfig) {
@@ -34813,6 +34820,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
@@ -39830,6 +39852,10 @@ function normalizeOptions$4(raw) {
             : typeof snake.aud === 'string'
                 ? snake.aud
                 : undefined);
+    const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+        (typeof snake.enforce_token_subject_node_identity === 'boolean'
+            ? snake.enforce_token_subject_node_identity
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -39839,6 +39865,7 @@ function normalizeOptions$4(raw) {
         defaultTtlSec,
         maxTtlSec,
         reverseAuthTtlSec,
+        enforceTokenSubjectNodeIdentity,
     };
 }
 class OAuth2Authorizer {
@@ -39852,6 +39879,8 @@ class OAuth2Authorizer {
         this.requireScope = options.requireScope ?? true;
         this.reverseAuthTtlSec =
             options.reverseAuthTtlSec ?? DEFAULT_REVERSE_AUTH_TTL_SEC;
+        this.enforceTokenSubjectNodeIdentity =
+            options.enforceTokenSubjectNodeIdentity ?? false;
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -39981,6 +40010,13 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
+        // Enforce token subject node identity if enabled
+        if (this.enforceTokenSubjectNodeIdentity) {
+            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+            if (!validationResult) {
+                return undefined;
+            }
+        }
         claims.instance_id = claims.instance_id ?? frame.instanceId;
         claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
         claims.accepted_capabilities =
@@ -40058,6 +40094,33 @@ class OAuth2Authorizer {
         }
         return false;
     }
+    async validateTokenSubjectNodeIdentity(systemId, claims) {
+        const sub = claims.sub;
+        if (typeof sub !== 'string' || sub.trim().length === 0) {
+            logger$3.warning('oauth2_attach_missing_subject_claim', {
+                system_id: systemId,
+            });
+            return false;
+        }
+        const expectedPrefix = await generateIdAsync({
+            mode: 'fingerprint',
+            material: sub,
+            length: 8,
+        });
+        if (!systemId.startsWith(`${expectedPrefix}-`)) {
+            logger$3.warning('oauth2_attach_node_identity_mismatch', {
+                system_id: systemId,
+                expected_prefix: expectedPrefix,
+                subject: sub,
+            });
+            return false;
+        }
+        logger$3.debug('oauth2_attach_node_identity_verified', {
+            system_id: systemId,
+            expected_prefix: expectedPrefix,
+        });
+        return true;
+    }
 }
 var oauth2Authorizer = /*#__PURE__*/Object.freeze({

package/dist/cjs/naylence/fame/security/auth/oauth2-authorizer-factory.js CHANGED Viewed

@@ -86,6 +86,7 @@ class OAuth2AuthorizerFactory extends authorizer_factory_js_1.AuthorizerFactory
             defaultTtlSec: normalized.defaultTtlSec,
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+            enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -154,6 +155,8 @@ function normalizeConfig(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : ttl_constants_js_1.DEFAULT_REVERSE_AUTH_TTL_SEC;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -172,6 +175,7 @@ function normalizeConfig(config) {
         maxTtlSec,
         tokenVerifierConfig,
         reverseAuthTtlSec: reverseAuthCandidate,
+        enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
     };
     if (tokenIssuerConfig) {
@@ -192,4 +196,19 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 exports.default = OAuth2AuthorizerFactory;

package/dist/cjs/naylence/fame/security/auth/oauth2-authorizer.js CHANGED Viewed

@@ -37,6 +37,10 @@ function normalizeOptions(raw) {
             : typeof snake.aud === 'string'
                 ? snake.aud
                 : undefined);
+    const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+        (typeof snake.enforce_token_subject_node_identity === 'boolean'
+            ? snake.enforce_token_subject_node_identity
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -46,6 +50,7 @@ function normalizeOptions(raw) {
         defaultTtlSec,
         maxTtlSec,
         reverseAuthTtlSec,
+        enforceTokenSubjectNodeIdentity,
     };
 }
 class OAuth2Authorizer {
@@ -59,6 +64,8 @@ class OAuth2Authorizer {
         this.requireScope = options.requireScope ?? true;
         this.reverseAuthTtlSec =
             options.reverseAuthTtlSec ?? ttl_constants_js_1.DEFAULT_REVERSE_AUTH_TTL_SEC;
+        this.enforceTokenSubjectNodeIdentity =
+            options.enforceTokenSubjectNodeIdentity ?? false;
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -188,6 +195,13 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
+        // Enforce token subject node identity if enabled
+        if (this.enforceTokenSubjectNodeIdentity) {
+            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+            if (!validationResult) {
+                return undefined;
+            }
+        }
         claims.instance_id = claims.instance_id ?? frame.instanceId;
         claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
         claims.accepted_capabilities =
@@ -265,5 +279,32 @@ class OAuth2Authorizer {
         }
         return false;
     }
+    async validateTokenSubjectNodeIdentity(systemId, claims) {
+        const sub = claims.sub;
+        if (typeof sub !== 'string' || sub.trim().length === 0) {
+            logger.warning('oauth2_attach_missing_subject_claim', {
+                system_id: systemId,
+            });
+            return false;
+        }
+        const expectedPrefix = await (0, core_1.generateIdAsync)({
+            mode: 'fingerprint',
+            material: sub,
+            length: 8,
+        });
+        if (!systemId.startsWith(`${expectedPrefix}-`)) {
+            logger.warning('oauth2_attach_node_identity_mismatch', {
+                system_id: systemId,
+                expected_prefix: expectedPrefix,
+                subject: sub,
+            });
+            return false;
+        }
+        logger.debug('oauth2_attach_node_identity_verified', {
+            system_id: systemId,
+            expected_prefix: expectedPrefix,
+        });
+        return true;
+    }
 }
 exports.OAuth2Authorizer = OAuth2Authorizer;

package/dist/cjs/naylence/fame/security/node-security-profile-factory.js CHANGED Viewed

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
+exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
 const factory_1 = require("@naylence/factory");
 const security_manager_factory_js_1 = require("./security-manager-factory.js");
 const logging_js_1 = require("../util/logging.js");
@@ -13,6 +13,7 @@ exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 exports.ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 exports.PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 exports.PROFILE_NAME_OVERLAY = 'overlay';
 exports.PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -248,6 +249,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
+        enforce_token_subject_node_identity: factory_1.Expressions.env(exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {

package/dist/cjs/version.js CHANGED Viewed

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.18
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.16';
+exports.VERSION = '0.3.18';

package/dist/esm/naylence/fame/security/auth/oauth2-authorizer-factory.js CHANGED Viewed

@@ -50,6 +50,7 @@ export class OAuth2AuthorizerFactory extends AuthorizerFactory {
             defaultTtlSec: normalized.defaultTtlSec,
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+            enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -117,6 +118,8 @@ function normalizeConfig(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -135,6 +138,7 @@ function normalizeConfig(config) {
         maxTtlSec,
         tokenVerifierConfig,
         reverseAuthTtlSec: reverseAuthCandidate,
+        enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
     };
     if (tokenIssuerConfig) {
@@ -155,4 +159,19 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 export default OAuth2AuthorizerFactory;

package/dist/esm/naylence/fame/security/auth/oauth2-authorizer.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { createAuthorizationContext } from '@naylence/core';
+import { createAuthorizationContext, generateIdAsync } from '@naylence/core';
 import { DEFAULT_REVERSE_AUTH_TTL_SEC } from '../../constants/ttl-constants.js';
 import { getLogger } from '../../util/logging.js';
 const logger = getLogger('naylence.fame.security.auth.oauth2_authorizer');
@@ -34,6 +34,10 @@ function normalizeOptions(raw) {
             : typeof snake.aud === 'string'
                 ? snake.aud
                 : undefined);
+    const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+        (typeof snake.enforce_token_subject_node_identity === 'boolean'
+            ? snake.enforce_token_subject_node_identity
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -43,6 +47,7 @@ function normalizeOptions(raw) {
         defaultTtlSec,
         maxTtlSec,
         reverseAuthTtlSec,
+        enforceTokenSubjectNodeIdentity,
     };
 }
 export class OAuth2Authorizer {
@@ -56,6 +61,8 @@ export class OAuth2Authorizer {
         this.requireScope = options.requireScope ?? true;
         this.reverseAuthTtlSec =
             options.reverseAuthTtlSec ?? DEFAULT_REVERSE_AUTH_TTL_SEC;
+        this.enforceTokenSubjectNodeIdentity =
+            options.enforceTokenSubjectNodeIdentity ?? false;
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -185,6 +192,13 @@ export class OAuth2Authorizer {
             });
             return undefined;
         }
+        // Enforce token subject node identity if enabled
+        if (this.enforceTokenSubjectNodeIdentity) {
+            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+            if (!validationResult) {
+                return undefined;
+            }
+        }
         claims.instance_id = claims.instance_id ?? frame.instanceId;
         claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
         claims.accepted_capabilities =
@@ -262,4 +276,31 @@ export class OAuth2Authorizer {
         }
         return false;
     }
+    async validateTokenSubjectNodeIdentity(systemId, claims) {
+        const sub = claims.sub;
+        if (typeof sub !== 'string' || sub.trim().length === 0) {
+            logger.warning('oauth2_attach_missing_subject_claim', {
+                system_id: systemId,
+            });
+            return false;
+        }
+        const expectedPrefix = await generateIdAsync({
+            mode: 'fingerprint',
+            material: sub,
+            length: 8,
+        });
+        if (!systemId.startsWith(`${expectedPrefix}-`)) {
+            logger.warning('oauth2_attach_node_identity_mismatch', {
+                system_id: systemId,
+                expected_prefix: expectedPrefix,
+                subject: sub,
+            });
+            return false;
+        }
+        logger.debug('oauth2_attach_node_identity_verified', {
+            system_id: systemId,
+            expected_prefix: expectedPrefix,
+        });
+        return true;
+    }
 }

package/dist/esm/naylence/fame/security/node-security-profile-factory.js CHANGED Viewed

@@ -10,6 +10,7 @@ export const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 export const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 export const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+export const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 export const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 export const PROFILE_NAME_OVERLAY = 'overlay';
 export const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -245,6 +246,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE),
+        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {

package/dist/esm/version.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.18
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.3.16';
+export const VERSION = '0.3.18';

package/dist/node/index.cjs CHANGED Viewed

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.18
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.16';
+const VERSION = '0.3.18';
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -28115,6 +28115,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -28350,6 +28351,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -28556,6 +28558,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -33260,6 +33263,7 @@ class OAuth2AuthorizerFactory extends AuthorizerFactory {
             defaultTtlSec: normalized.defaultTtlSec,
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+            enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -33327,6 +33331,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -33345,6 +33351,7 @@ function normalizeConfig$c(config) {
         maxTtlSec,
         tokenVerifierConfig,
         reverseAuthTtlSec: reverseAuthCandidate,
+        enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
     };
     if (tokenIssuerConfig) {
@@ -33365,6 +33372,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
@@ -39634,6 +39656,10 @@ function normalizeOptions$4(raw) {
             : typeof snake.aud === 'string'
                 ? snake.aud
                 : undefined);
+    const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+        (typeof snake.enforce_token_subject_node_identity === 'boolean'
+            ? snake.enforce_token_subject_node_identity
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -39643,6 +39669,7 @@ function normalizeOptions$4(raw) {
         defaultTtlSec,
         maxTtlSec,
         reverseAuthTtlSec,
+        enforceTokenSubjectNodeIdentity,
     };
 }
 class OAuth2Authorizer {
@@ -39656,6 +39683,8 @@ class OAuth2Authorizer {
         this.requireScope = options.requireScope ?? true;
         this.reverseAuthTtlSec =
             options.reverseAuthTtlSec ?? DEFAULT_REVERSE_AUTH_TTL_SEC;
+        this.enforceTokenSubjectNodeIdentity =
+            options.enforceTokenSubjectNodeIdentity ?? false;
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -39785,6 +39814,13 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
+        // Enforce token subject node identity if enabled
+        if (this.enforceTokenSubjectNodeIdentity) {
+            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+            if (!validationResult) {
+                return undefined;
+            }
+        }
         claims.instance_id = claims.instance_id ?? frame.instanceId;
         claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
         claims.accepted_capabilities =
@@ -39862,6 +39898,33 @@ class OAuth2Authorizer {
         }
         return false;
     }
+    async validateTokenSubjectNodeIdentity(systemId, claims) {
+        const sub = claims.sub;
+        if (typeof sub !== 'string' || sub.trim().length === 0) {
+            logger$3.warning('oauth2_attach_missing_subject_claim', {
+                system_id: systemId,
+            });
+            return false;
+        }
+        const expectedPrefix = await core.generateIdAsync({
+            mode: 'fingerprint',
+            material: sub,
+            length: 8,
+        });
+        if (!systemId.startsWith(`${expectedPrefix}-`)) {
+            logger$3.warning('oauth2_attach_node_identity_mismatch', {
+                system_id: systemId,
+                expected_prefix: expectedPrefix,
+                subject: sub,
+            });
+            return false;
+        }
+        logger$3.debug('oauth2_attach_node_identity_verified', {
+            system_id: systemId,
+            expected_prefix: expectedPrefix,
+        });
+        return true;
+    }
 }
 var oauth2Authorizer = /*#__PURE__*/Object.freeze({

package/dist/node/index.mjs CHANGED Viewed

@@ -13,12 +13,12 @@ import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.18
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.16';
+const VERSION = '0.3.18';
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -28114,6 +28114,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -28349,6 +28350,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -28555,6 +28557,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -33259,6 +33262,7 @@ class OAuth2AuthorizerFactory extends AuthorizerFactory {
             defaultTtlSec: normalized.defaultTtlSec,
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+            enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -33326,6 +33330,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -33344,6 +33350,7 @@ function normalizeConfig$c(config) {
         maxTtlSec,
         tokenVerifierConfig,
         reverseAuthTtlSec: reverseAuthCandidate,
+        enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
     };
     if (tokenIssuerConfig) {
@@ -33364,6 +33371,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
@@ -39633,6 +39655,10 @@ function normalizeOptions$4(raw) {
             : typeof snake.aud === 'string'
                 ? snake.aud
                 : undefined);
+    const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+        (typeof snake.enforce_token_subject_node_identity === 'boolean'
+            ? snake.enforce_token_subject_node_identity
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -39642,6 +39668,7 @@ function normalizeOptions$4(raw) {
         defaultTtlSec,
         maxTtlSec,
         reverseAuthTtlSec,
+        enforceTokenSubjectNodeIdentity,
     };
 }
 class OAuth2Authorizer {
@@ -39655,6 +39682,8 @@ class OAuth2Authorizer {
         this.requireScope = options.requireScope ?? true;
         this.reverseAuthTtlSec =
             options.reverseAuthTtlSec ?? DEFAULT_REVERSE_AUTH_TTL_SEC;
+        this.enforceTokenSubjectNodeIdentity =
+            options.enforceTokenSubjectNodeIdentity ?? false;
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -39784,6 +39813,13 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
+        // Enforce token subject node identity if enabled
+        if (this.enforceTokenSubjectNodeIdentity) {
+            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+            if (!validationResult) {
+                return undefined;
+            }
+        }
         claims.instance_id = claims.instance_id ?? frame.instanceId;
         claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
         claims.accepted_capabilities =
@@ -39861,6 +39897,33 @@ class OAuth2Authorizer {
         }
         return false;
     }
+    async validateTokenSubjectNodeIdentity(systemId, claims) {
+        const sub = claims.sub;
+        if (typeof sub !== 'string' || sub.trim().length === 0) {
+            logger$3.warning('oauth2_attach_missing_subject_claim', {
+                system_id: systemId,
+            });
+            return false;
+        }
+        const expectedPrefix = await generateIdAsync({
+            mode: 'fingerprint',
+            material: sub,
+            length: 8,
+        });
+        if (!systemId.startsWith(`${expectedPrefix}-`)) {
+            logger$3.warning('oauth2_attach_node_identity_mismatch', {
+                system_id: systemId,
+                expected_prefix: expectedPrefix,
+                subject: sub,
+            });
+            return false;
+        }
+        logger$3.debug('oauth2_attach_node_identity_verified', {
+            system_id: systemId,
+            expected_prefix: expectedPrefix,
+        });
+        return true;
+    }
 }
 var oauth2Authorizer = /*#__PURE__*/Object.freeze({

package/dist/node/node.cjs CHANGED Viewed

@@ -4426,12 +4426,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.18
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.16';
+const VERSION = '0.3.18';
 let initialized = false;
 const runtimePlugin = {
@@ -29319,6 +29319,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -29554,6 +29555,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM$2, 'RS256'),
         audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
+        enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -29760,6 +29762,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM$2,
@@ -38001,6 +38004,7 @@ class OAuth2AuthorizerFactory extends AuthorizerFactory {
             defaultTtlSec: normalized.defaultTtlSec,
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+            enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -38068,6 +38072,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -38086,6 +38092,7 @@ function normalizeConfig$c(config) {
         maxTtlSec,
         tokenVerifierConfig,
         reverseAuthTtlSec: reverseAuthCandidate,
+        enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
     };
     if (tokenIssuerConfig) {
@@ -38106,6 +38113,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
@@ -41968,6 +41990,10 @@ function normalizeOptions$4(raw) {
             : typeof snake.aud === 'string'
                 ? snake.aud
                 : undefined);
+    const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+        (typeof snake.enforce_token_subject_node_identity === 'boolean'
+            ? snake.enforce_token_subject_node_identity
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -41977,6 +42003,7 @@ function normalizeOptions$4(raw) {
         defaultTtlSec,
         maxTtlSec,
         reverseAuthTtlSec,
+        enforceTokenSubjectNodeIdentity,
     };
 }
 class OAuth2Authorizer {
@@ -41990,6 +42017,8 @@ class OAuth2Authorizer {
         this.requireScope = options.requireScope ?? true;
         this.reverseAuthTtlSec =
             options.reverseAuthTtlSec ?? DEFAULT_REVERSE_AUTH_TTL_SEC;
+        this.enforceTokenSubjectNodeIdentity =
+            options.enforceTokenSubjectNodeIdentity ?? false;
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -42119,6 +42148,13 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
+        // Enforce token subject node identity if enabled
+        if (this.enforceTokenSubjectNodeIdentity) {
+            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+            if (!validationResult) {
+                return undefined;
+            }
+        }
         claims.instance_id = claims.instance_id ?? frame.instanceId;
         claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
         claims.accepted_capabilities =
@@ -42196,6 +42232,33 @@ class OAuth2Authorizer {
         }
         return false;
     }
+    async validateTokenSubjectNodeIdentity(systemId, claims) {
+        const sub = claims.sub;
+        if (typeof sub !== 'string' || sub.trim().length === 0) {
+            logger$3.warning('oauth2_attach_missing_subject_claim', {
+                system_id: systemId,
+            });
+            return false;
+        }
+        const expectedPrefix = await core.generateIdAsync({
+            mode: 'fingerprint',
+            material: sub,
+            length: 8,
+        });
+        if (!systemId.startsWith(`${expectedPrefix}-`)) {
+            logger$3.warning('oauth2_attach_node_identity_mismatch', {
+                system_id: systemId,
+                expected_prefix: expectedPrefix,
+                subject: sub,
+            });
+            return false;
+        }
+        logger$3.debug('oauth2_attach_node_identity_verified', {
+            system_id: systemId,
+            expected_prefix: expectedPrefix,
+        });
+        return true;
+    }
 }
 var oauth2Authorizer = /*#__PURE__*/Object.freeze({

package/dist/node/node.mjs CHANGED Viewed

@@ -4425,12 +4425,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.16
+// Generated from package.json version: 0.3.18
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.16';
+const VERSION = '0.3.18';
 let initialized = false;
 const runtimePlugin = {
@@ -29318,6 +29318,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -29553,6 +29554,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM$2, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
+        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -29759,6 +29761,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM$2,
@@ -38000,6 +38003,7 @@ class OAuth2AuthorizerFactory extends AuthorizerFactory {
             defaultTtlSec: normalized.defaultTtlSec,
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
+            enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -38067,6 +38071,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -38085,6 +38091,7 @@ function normalizeConfig$c(config) {
         maxTtlSec,
         tokenVerifierConfig,
         reverseAuthTtlSec: reverseAuthCandidate,
+        enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
     };
     if (tokenIssuerConfig) {
@@ -38105,6 +38112,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
@@ -41967,6 +41989,10 @@ function normalizeOptions$4(raw) {
             : typeof snake.aud === 'string'
                 ? snake.aud
                 : undefined);
+    const enforceTokenSubjectNodeIdentity = camel.enforceTokenSubjectNodeIdentity ??
+        (typeof snake.enforce_token_subject_node_identity === 'boolean'
+            ? snake.enforce_token_subject_node_identity
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -41976,6 +42002,7 @@ function normalizeOptions$4(raw) {
         defaultTtlSec,
         maxTtlSec,
         reverseAuthTtlSec,
+        enforceTokenSubjectNodeIdentity,
     };
 }
 class OAuth2Authorizer {
@@ -41989,6 +42016,8 @@ class OAuth2Authorizer {
         this.requireScope = options.requireScope ?? true;
         this.reverseAuthTtlSec =
             options.reverseAuthTtlSec ?? DEFAULT_REVERSE_AUTH_TTL_SEC;
+        this.enforceTokenSubjectNodeIdentity =
+            options.enforceTokenSubjectNodeIdentity ?? false;
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -42118,6 +42147,13 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
+        // Enforce token subject node identity if enabled
+        if (this.enforceTokenSubjectNodeIdentity) {
+            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+            if (!validationResult) {
+                return undefined;
+            }
+        }
         claims.instance_id = claims.instance_id ?? frame.instanceId;
         claims.assigned_path = claims.assigned_path ?? frame.assignedPath;
         claims.accepted_capabilities =
@@ -42195,6 +42231,33 @@ class OAuth2Authorizer {
         }
         return false;
     }
+    async validateTokenSubjectNodeIdentity(systemId, claims) {
+        const sub = claims.sub;
+        if (typeof sub !== 'string' || sub.trim().length === 0) {
+            logger$3.warning('oauth2_attach_missing_subject_claim', {
+                system_id: systemId,
+            });
+            return false;
+        }
+        const expectedPrefix = await generateIdAsync({
+            mode: 'fingerprint',
+            material: sub,
+            length: 8,
+        });
+        if (!systemId.startsWith(`${expectedPrefix}-`)) {
+            logger$3.warning('oauth2_attach_node_identity_mismatch', {
+                system_id: systemId,
+                expected_prefix: expectedPrefix,
+                subject: sub,
+            });
+            return false;
+        }
+        logger$3.debug('oauth2_attach_node_identity_verified', {
+            system_id: systemId,
+            expected_prefix: expectedPrefix,
+        });
+        return true;
+    }
 }
 var oauth2Authorizer = /*#__PURE__*/Object.freeze({

package/dist/types/naylence/fame/security/auth/oauth2-authorizer-factory.d.ts CHANGED Viewed

@@ -23,6 +23,8 @@ export interface OAuth2AuthorizerConfig extends AuthorizerConfig {
     token_issuer_config?: TokenIssuerConfig;
     reverseAuthTtlSec?: number;
     reverse_auth_ttl_sec?: number;
+    enforceTokenSubjectNodeIdentity?: boolean;
+    enforce_token_subject_node_identity?: boolean;
 }
 export declare const FACTORY_META: {
     readonly base: "AuthorizerFactory";

package/dist/types/naylence/fame/security/auth/oauth2-authorizer.d.ts CHANGED Viewed

@@ -14,6 +14,7 @@ export interface OAuth2AuthorizerOptions {
     defaultTtlSec?: number;
     maxTtlSec?: number;
     reverseAuthTtlSec?: number;
+    enforceTokenSubjectNodeIdentity?: boolean;
 }
 export declare class OAuth2Authorizer implements Authorizer, TokenVerifierProvider, NodeEventListener {
     readonly priority = 1000;
@@ -23,6 +24,7 @@ export declare class OAuth2Authorizer implements Authorizer, TokenVerifierProvid
     private readonly requiredScopes;
     private readonly requireScope;
     private readonly reverseAuthTtlSec;
+    private readonly enforceTokenSubjectNodeIdentity;
     private node?;
     constructor(rawOptions: OAuth2AuthorizerOptions | Record<string, unknown>);
     get tokenVerifier(): TokenVerifier;
@@ -35,4 +37,5 @@ export declare class OAuth2Authorizer implements Authorizer, TokenVerifierProvid
     private extractScopes;
     private mergeScopes;
     private hasRequiredScope;
+    private validateTokenSubjectNodeIdentity;
 }

package/dist/types/naylence/fame/security/node-security-profile-factory.d.ts CHANGED Viewed

@@ -10,6 +10,7 @@ export declare const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = "FAME_DEFAULT_ENCRYPTION
 export declare const ENV_VAR_HMAC_SECRET = "FAME_HMAC_SECRET";
 export declare const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = "FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER";
 export declare const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = "FAME_JWT_REVERSE_AUTH_AUDIENCE";
+export declare const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = "FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY";
 export declare const PROFILE_NAME_STRICT_OVERLAY = "strict-overlay";
 export declare const PROFILE_NAME_OVERLAY = "overlay";
 export declare const PROFILE_NAME_OVERLAY_CALLBACK = "overlay-callback";

package/dist/types/version.d.ts CHANGED Viewed

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.3.16";
+export declare const VERSION = "0.3.18";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.3.16",
+  "version": "0.3.18",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",