npm - @naylence/runtime - Versions diffs - 0.3.17 → 0.3.19 - Mend

@naylence/runtime 0.3.17 → 0.3.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/browser/index.cjs +30 -9
package/dist/browser/index.mjs +30 -9
package/dist/cjs/naylence/fame/security/auth/oauth2-authorizer-factory.js +17 -5
package/dist/cjs/naylence/fame/security/default-security-manager.js +8 -2
package/dist/cjs/naylence/fame/security/node-security-profile-factory.js +3 -1
package/dist/cjs/version.js +2 -2
package/dist/esm/naylence/fame/security/auth/oauth2-authorizer-factory.js +17 -5
package/dist/esm/naylence/fame/security/default-security-manager.js +8 -2
package/dist/esm/naylence/fame/security/node-security-profile-factory.js +2 -0
package/dist/esm/version.js +2 -2
package/dist/node/index.cjs +30 -9
package/dist/node/index.mjs +30 -9
package/dist/node/node.cjs +30 -9
package/dist/node/node.mjs +30 -9
package/dist/types/naylence/fame/security/node-security-profile-factory.d.ts +1 -0
package/dist/types/version.d.ts +1 -1
package/package.json +1 -1

package/dist/browser/index.cjs CHANGED Viewed

@@ -515,12 +515,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.17
+// Generated from package.json version: 0.3.19
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.17';
+const VERSION = '0.3.19';
 let initialized = false;
 const runtimePlugin = {
@@ -25863,9 +25863,15 @@ class DefaultSecurityManager {
                     hasNodeAttachValidation(authorizer)) {
                     try {
                         const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-                        if (validated) {
-                            finalAuthResult = validated;
+                        if (validated === undefined) {
+                            logger$z.warning('node_attach_validation_rejected', {
+                                envp_id: envelope.id,
+                                frame_type: envelope.frame.type,
+                                origin_type: context.originType ?? 'unknown',
+                            });
+                            return null;
                         }
+                        finalAuthResult = validated;
                     }
                     catch (error) {
                         logger$z.error('node_attach_authorization_validation_failed', {
@@ -28228,6 +28234,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -28463,6 +28470,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -28669,6 +28677,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -34778,11 +34787,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
-    const enforceTokenSubjectNodeIdentity = typeof source.enforceTokenSubjectNodeIdentity === 'boolean'
-        ? source.enforceTokenSubjectNodeIdentity
-        : typeof source.enforce_token_subject_node_identity === 'boolean'
-            ? source.enforce_token_subject_node_identity
-            : false;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -34822,6 +34828,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,

package/dist/browser/index.mjs CHANGED Viewed

@@ -513,12 +513,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.17
+// Generated from package.json version: 0.3.19
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.17';
+const VERSION = '0.3.19';
 let initialized = false;
 const runtimePlugin = {
@@ -25861,9 +25861,15 @@ class DefaultSecurityManager {
                     hasNodeAttachValidation(authorizer)) {
                     try {
                         const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-                        if (validated) {
-                            finalAuthResult = validated;
+                        if (validated === undefined) {
+                            logger$z.warning('node_attach_validation_rejected', {
+                                envp_id: envelope.id,
+                                frame_type: envelope.frame.type,
+                                origin_type: context.originType ?? 'unknown',
+                            });
+                            return null;
                         }
+                        finalAuthResult = validated;
                     }
                     catch (error) {
                         logger$z.error('node_attach_authorization_validation_failed', {
@@ -28226,6 +28232,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -28461,6 +28468,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -28667,6 +28675,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -34776,11 +34785,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
-    const enforceTokenSubjectNodeIdentity = typeof source.enforceTokenSubjectNodeIdentity === 'boolean'
-        ? source.enforceTokenSubjectNodeIdentity
-        : typeof source.enforce_token_subject_node_identity === 'boolean'
-            ? source.enforce_token_subject_node_identity
-            : false;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -34820,6 +34826,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,

package/dist/cjs/naylence/fame/security/auth/oauth2-authorizer-factory.js CHANGED Viewed

@@ -155,11 +155,8 @@ function normalizeConfig(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : ttl_constants_js_1.DEFAULT_REVERSE_AUTH_TTL_SEC;
-    const enforceTokenSubjectNodeIdentity = typeof source.enforceTokenSubjectNodeIdentity === 'boolean'
-        ? source.enforceTokenSubjectNodeIdentity
-        : typeof source.enforce_token_subject_node_identity === 'boolean'
-            ? source.enforce_token_subject_node_identity
-            : false;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -199,4 +196,19 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 exports.default = OAuth2AuthorizerFactory;

package/dist/cjs/naylence/fame/security/default-security-manager.js CHANGED Viewed

@@ -692,9 +692,15 @@ class DefaultSecurityManager {
                     hasNodeAttachValidation(authorizer)) {
                     try {
                         const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-                        if (validated) {
-                            finalAuthResult = validated;
+                        if (validated === undefined) {
+                            logger.warning('node_attach_validation_rejected', {
+                                envp_id: envelope.id,
+                                frame_type: envelope.frame.type,
+                                origin_type: context.originType ?? 'unknown',
+                            });
+                            return null;
                         }
+                        finalAuthResult = validated;
                     }
                     catch (error) {
                         logger.error('node_attach_authorization_validation_failed', {

package/dist/cjs/naylence/fame/security/node-security-profile-factory.js CHANGED Viewed

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
+exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
 const factory_1 = require("@naylence/factory");
 const security_manager_factory_js_1 = require("./security-manager-factory.js");
 const logging_js_1 = require("../util/logging.js");
@@ -13,6 +13,7 @@ exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 exports.ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 exports.PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 exports.PROFILE_NAME_OVERLAY = 'overlay';
 exports.PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -248,6 +249,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
+        enforce_token_subject_node_identity: factory_1.Expressions.env(exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {

package/dist/cjs/version.js CHANGED Viewed

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.17
+// Generated from package.json version: 0.3.19
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.17';
+exports.VERSION = '0.3.19';

package/dist/esm/naylence/fame/security/auth/oauth2-authorizer-factory.js CHANGED Viewed

@@ -118,11 +118,8 @@ function normalizeConfig(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
-    const enforceTokenSubjectNodeIdentity = typeof source.enforceTokenSubjectNodeIdentity === 'boolean'
-        ? source.enforceTokenSubjectNodeIdentity
-        : typeof source.enforce_token_subject_node_identity === 'boolean'
-            ? source.enforce_token_subject_node_identity
-            : false;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -162,4 +159,19 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 export default OAuth2AuthorizerFactory;

package/dist/esm/naylence/fame/security/default-security-manager.js CHANGED Viewed

@@ -689,9 +689,15 @@ export class DefaultSecurityManager {
                     hasNodeAttachValidation(authorizer)) {
                     try {
                         const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-                        if (validated) {
-                            finalAuthResult = validated;
+                        if (validated === undefined) {
+                            logger.warning('node_attach_validation_rejected', {
+                                envp_id: envelope.id,
+                                frame_type: envelope.frame.type,
+                                origin_type: context.originType ?? 'unknown',
+                            });
+                            return null;
                         }
+                        finalAuthResult = validated;
                     }
                     catch (error) {
                         logger.error('node_attach_authorization_validation_failed', {

package/dist/esm/naylence/fame/security/node-security-profile-factory.js CHANGED Viewed

@@ -10,6 +10,7 @@ export const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 export const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 export const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+export const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 export const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 export const PROFILE_NAME_OVERLAY = 'overlay';
 export const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -245,6 +246,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE),
+        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {

package/dist/esm/version.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.17
+// Generated from package.json version: 0.3.19
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.3.17';
+export const VERSION = '0.3.19';

package/dist/node/index.cjs CHANGED Viewed

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.17
+// Generated from package.json version: 0.3.19
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.17';
+const VERSION = '0.3.19';
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -25750,9 +25750,15 @@ class DefaultSecurityManager {
                     hasNodeAttachValidation(authorizer)) {
                     try {
                         const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-                        if (validated) {
-                            finalAuthResult = validated;
+                        if (validated === undefined) {
+                            logger$z.warning('node_attach_validation_rejected', {
+                                envp_id: envelope.id,
+                                frame_type: envelope.frame.type,
+                                origin_type: context.originType ?? 'unknown',
+                            });
+                            return null;
                         }
+                        finalAuthResult = validated;
                     }
                     catch (error) {
                         logger$z.error('node_attach_authorization_validation_failed', {
@@ -28115,6 +28121,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -28350,6 +28357,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -28556,6 +28564,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -33328,11 +33337,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
-    const enforceTokenSubjectNodeIdentity = typeof source.enforceTokenSubjectNodeIdentity === 'boolean'
-        ? source.enforceTokenSubjectNodeIdentity
-        : typeof source.enforce_token_subject_node_identity === 'boolean'
-            ? source.enforce_token_subject_node_identity
-            : false;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -33372,6 +33378,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,

package/dist/node/index.mjs CHANGED Viewed

@@ -13,12 +13,12 @@ import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.17
+// Generated from package.json version: 0.3.19
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.17';
+const VERSION = '0.3.19';
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -25749,9 +25749,15 @@ class DefaultSecurityManager {
                     hasNodeAttachValidation(authorizer)) {
                     try {
                         const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-                        if (validated) {
-                            finalAuthResult = validated;
+                        if (validated === undefined) {
+                            logger$z.warning('node_attach_validation_rejected', {
+                                envp_id: envelope.id,
+                                frame_type: envelope.frame.type,
+                                origin_type: context.originType ?? 'unknown',
+                            });
+                            return null;
                         }
+                        finalAuthResult = validated;
                     }
                     catch (error) {
                         logger$z.error('node_attach_authorization_validation_failed', {
@@ -28114,6 +28120,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -28349,6 +28356,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -28555,6 +28563,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM,
@@ -33327,11 +33336,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
-    const enforceTokenSubjectNodeIdentity = typeof source.enforceTokenSubjectNodeIdentity === 'boolean'
-        ? source.enforceTokenSubjectNodeIdentity
-        : typeof source.enforce_token_subject_node_identity === 'boolean'
-            ? source.enforce_token_subject_node_identity
-            : false;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -33371,6 +33377,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,

package/dist/node/node.cjs CHANGED Viewed

@@ -4426,12 +4426,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.17
+// Generated from package.json version: 0.3.19
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.17';
+const VERSION = '0.3.19';
 let initialized = false;
 const runtimePlugin = {
@@ -26938,9 +26938,15 @@ class DefaultSecurityManager {
                     hasNodeAttachValidation(authorizer)) {
                     try {
                         const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-                        if (validated) {
-                            finalAuthResult = validated;
+                        if (validated === undefined) {
+                            logger$C.warning('node_attach_validation_rejected', {
+                                envp_id: envelope.id,
+                                frame_type: envelope.frame.type,
+                                origin_type: context.originType ?? 'unknown',
+                            });
+                            return null;
                         }
+                        finalAuthResult = validated;
                     }
                     catch (error) {
                         logger$C.error('node_attach_authorization_validation_failed', {
@@ -29319,6 +29325,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -29554,6 +29561,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM$2, 'RS256'),
         audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
+        enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -29760,6 +29768,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM$2,
@@ -38069,11 +38078,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
-    const enforceTokenSubjectNodeIdentity = typeof source.enforceTokenSubjectNodeIdentity === 'boolean'
-        ? source.enforceTokenSubjectNodeIdentity
-        : typeof source.enforce_token_subject_node_identity === 'boolean'
-            ? source.enforce_token_subject_node_identity
-            : false;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -38113,6 +38119,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,

package/dist/node/node.mjs CHANGED Viewed

@@ -4425,12 +4425,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.17
+// Generated from package.json version: 0.3.19
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.17';
+const VERSION = '0.3.19';
 let initialized = false;
 const runtimePlugin = {
@@ -26937,9 +26937,15 @@ class DefaultSecurityManager {
                     hasNodeAttachValidation(authorizer)) {
                     try {
                         const validated = await authorizer.validateNodeAttachRequest(_node, envelope.frame, authResult);
-                        if (validated) {
-                            finalAuthResult = validated;
+                        if (validated === undefined) {
+                            logger$C.warning('node_attach_validation_rejected', {
+                                envp_id: envelope.id,
+                                frame_type: envelope.frame.type,
+                                origin_type: context.originType ?? 'unknown',
+                            });
+                            return null;
                         }
+                        finalAuthResult = validated;
                     }
                     catch (error) {
                         logger$C.error('node_attach_authorization_validation_failed', {
@@ -29318,6 +29324,7 @@ const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = 'FAME_DEFAULT_ENCRYPTION_LEVEL';
 const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -29553,6 +29560,7 @@ const GATED_PROFILE = {
         max_ttl_sec: 86400,
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM$2, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
+        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -29759,6 +29767,7 @@ function deepClone$3(value) {
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL,
     ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM$2,
@@ -38068,11 +38077,8 @@ function normalizeConfig$c(config) {
         : typeof source.reverse_auth_ttl_sec === 'number'
             ? source.reverse_auth_ttl_sec
             : DEFAULT_REVERSE_AUTH_TTL_SEC;
-    const enforceTokenSubjectNodeIdentity = typeof source.enforceTokenSubjectNodeIdentity === 'boolean'
-        ? source.enforceTokenSubjectNodeIdentity
-        : typeof source.enforce_token_subject_node_identity === 'boolean'
-            ? source.enforce_token_subject_node_identity
-            : false;
+    const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
+        source.enforce_token_subject_node_identity, false);
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -38112,6 +38118,21 @@ function normalizeTokenVerifierConfig({ config, issuer, jwksUrl, algorithm, }) {
     };
     return defaultConfig;
 }
+function normalizeBooleanOption(value, defaultValue) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'string') {
+        const lower = value.toLowerCase().trim();
+        if (lower === 'true' || lower === '1' || lower === 'yes') {
+            return true;
+        }
+        if (lower === 'false' || lower === '0' || lower === 'no') {
+            return false;
+        }
+    }
+    return defaultValue;
+}
 var oauth2AuthorizerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,

package/dist/types/naylence/fame/security/node-security-profile-factory.d.ts CHANGED Viewed

@@ -10,6 +10,7 @@ export declare const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = "FAME_DEFAULT_ENCRYPTION
 export declare const ENV_VAR_HMAC_SECRET = "FAME_HMAC_SECRET";
 export declare const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = "FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER";
 export declare const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = "FAME_JWT_REVERSE_AUTH_AUDIENCE";
+export declare const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = "FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY";
 export declare const PROFILE_NAME_STRICT_OVERLAY = "strict-overlay";
 export declare const PROFILE_NAME_OVERLAY = "overlay";
 export declare const PROFILE_NAME_OVERLAY_CALLBACK = "overlay-callback";

package/dist/types/version.d.ts CHANGED Viewed

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.3.17";
+export declare const VERSION = "0.3.19";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.3.17",
+  "version": "0.3.19",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",