@naylence/runtime 0.3.5-test.910 → 0.3.5-test.913

package/dist/types/naylence/fame/factory-manifest.d.ts

@@ -4,7 +4,7 @@
  *
  * Provides the list of runtime factory modules for registration.
  */
-export declare const MODULES: readonly ["./connector/broadcast-channel-connector-factory.js", "./connector/broadcast-channel-listener-factory.js", "./connector/http-listener-factory.js", "./connector/http-stateless-connector-factory.js", "./connector/inpage-connector-factory.js", "./connector/inpage-listener-factory.js", "./connector/websocket-connector-factory.js", "./connector/websocket-listener-factory.js", "./delivery/at-least-once-delivery-policy-factory.js", "./delivery/at-most-once-delivery-policy-factory.js", "./delivery/delivery-profile-factory.js", "./fabric/in-process-fame-fabric-factory.js", "./node/admission/admission-profile-factory.js", "./node/admission/direct-admission-client-factory.js", "./node/admission/noop-admission-client-factory.js", "./node/admission/welcome-service-client-factory.js", "./node/node-factory.js", "./placement/static-node-placement-strategy-factory.js", "./security/auth/bearer-token-header-auth-injection-strategy-factory.js", "./security/auth/default-authorizer-factory.js", "./security/auth/jwks-jwt-token-verifier-factory.js", "./security/auth/jwt-token-issuer-factory.js", "./security/auth/jwt-token-verifier-factory.js", "./security/auth/no-auth-injection-strategy-factory.js", "./security/auth/none-token-provider-factory.js", "./security/auth/noop-authorizer-factory.js", "./security/auth/noop-token-issuer-factory.js", "./security/auth/noop-token-verifier-factory.js", "./security/auth/oauth2-authorizer-factory.js", "./security/auth/oauth2-client-credentials-token-provider-factory.js", "./security/auth/query-param-auth-injection-strategy-factory.js", "./security/auth/shared-secret-authorizer-factory.js", "./security/auth/shared-secret-token-provider-factory.js", "./security/auth/shared-secret-token-verifier-factory.js", "./security/auth/static-token-provider-factory.js", "./security/auth/websocket-subprotocol-auth-injection-strategy-factory.js", "./security/credential/dev-fixed-key-credential-provider-factory.js", "./security/credential/env-credential-provider-factory.js", "./security/credential/none-credential-provider-factory.js", "./security/credential/prompt-credential-provider-factory.js", "./security/credential/secret-store-credential-provider-factory.js", "./security/credential/session-key-credential-provider-factory.js", "./security/credential/static-credential-provider-factory.js", "./security/default-security-manager-factory.js", "./security/encryption/noop-encryption-manager-factory.js", "./security/encryption/noop-secure-channel-manager-factory.js", "./security/keys/default-key-manager-factory.js", "./security/keys/in-memory-key-store-factory.js", "./security/keys/noop-key-validator-factory.js", "./security/node-security-profile-factory.js", "./security/policy/default-security-policy-factory.js", "./security/policy/no-security-policy-factory.js", "./security/signing/eddsa-envelope-signer-factory.js", "./security/signing/eddsa-envelope-verifier-factory.js", "./sentinel/capability-aware-routing-policy-factory.js", "./sentinel/composite-routing-policy-factory.js", "./sentinel/hybrid-path-routing-policy-factory.js", "./sentinel/load-balancing/composite-load-balancing-strategy-factory.js", "./sentinel/load-balancing/hrw-load-balancing-strategy-factory.js", "./sentinel/load-balancing/load-balancing-profile-factory.js", "./sentinel/load-balancing/random-load-balancing-strategy-factory.js", "./sentinel/load-balancing/round-robin-load-balancing-strategy-factory.js", "./sentinel/load-balancing/sticky-load-balancing-strategy-factory.js", "./sentinel/routing-profile-factory.js", "./sentinel/sentinel-factory.js", "./sentinel/store/route-store-factory.js", "./stickiness/simple-load-balancer-stickiness-manager-factory.js", "./telemetry/noop-trace-emitter-factory.js", "./telemetry/open-telemetry-trace-emitter-factory.js", "./telemetry/trace-emitter-profile-factory.js", "./welcome/default-welcome-service-factory.js"];
+export declare const MODULES: readonly ["./connector/broadcast-channel-connector-factory.js", "./connector/broadcast-channel-listener-factory.js", "./connector/http-listener-factory.js", "./connector/http-stateless-connector-factory.js", "./connector/inpage-connector-factory.js", "./connector/inpage-listener-factory.js", "./connector/websocket-connector-factory.js", "./connector/websocket-listener-factory.js", "./delivery/at-least-once-delivery-policy-factory.js", "./delivery/at-most-once-delivery-policy-factory.js", "./delivery/delivery-profile-factory.js", "./fabric/in-process-fame-fabric-factory.js", "./node/admission/admission-profile-factory.js", "./node/admission/direct-admission-client-factory.js", "./node/admission/noop-admission-client-factory.js", "./node/admission/welcome-service-client-factory.js", "./node/node-factory.js", "./placement/static-node-placement-strategy-factory.js", "./security/auth/bearer-token-header-auth-injection-strategy-factory.js", "./security/auth/default-authorizer-factory.js", "./security/auth/jwks-jwt-token-verifier-factory.js", "./security/auth/jwt-token-issuer-factory.js", "./security/auth/jwt-token-verifier-factory.js", "./security/auth/no-auth-injection-strategy-factory.js", "./security/auth/none-token-provider-factory.js", "./security/auth/noop-authorizer-factory.js", "./security/auth/noop-token-issuer-factory.js", "./security/auth/noop-token-verifier-factory.js", "./security/auth/oauth2-authorizer-factory.js", "./security/auth/oauth2-client-credentials-token-provider-factory.js", "./security/auth/oauth2-pkce-token-provider-factory.js", "./security/auth/query-param-auth-injection-strategy-factory.js", "./security/auth/shared-secret-authorizer-factory.js", "./security/auth/shared-secret-token-provider-factory.js", "./security/auth/shared-secret-token-verifier-factory.js", "./security/auth/static-token-provider-factory.js", "./security/auth/websocket-subprotocol-auth-injection-strategy-factory.js", "./security/credential/dev-fixed-key-credential-provider-factory.js", "./security/credential/env-credential-provider-factory.js", "./security/credential/none-credential-provider-factory.js", "./security/credential/prompt-credential-provider-factory.js", "./security/credential/secret-store-credential-provider-factory.js", "./security/credential/session-key-credential-provider-factory.js", "./security/credential/static-credential-provider-factory.js", "./security/default-security-manager-factory.js", "./security/encryption/noop-encryption-manager-factory.js", "./security/encryption/noop-secure-channel-manager-factory.js", "./security/keys/default-key-manager-factory.js", "./security/keys/in-memory-key-store-factory.js", "./security/keys/noop-key-validator-factory.js", "./security/node-security-profile-factory.js", "./security/policy/default-security-policy-factory.js", "./security/policy/no-security-policy-factory.js", "./security/signing/eddsa-envelope-signer-factory.js", "./security/signing/eddsa-envelope-verifier-factory.js", "./sentinel/capability-aware-routing-policy-factory.js", "./sentinel/composite-routing-policy-factory.js", "./sentinel/hybrid-path-routing-policy-factory.js", "./sentinel/load-balancing/composite-load-balancing-strategy-factory.js", "./sentinel/load-balancing/hrw-load-balancing-strategy-factory.js", "./sentinel/load-balancing/load-balancing-profile-factory.js", "./sentinel/load-balancing/random-load-balancing-strategy-factory.js", "./sentinel/load-balancing/round-robin-load-balancing-strategy-factory.js", "./sentinel/load-balancing/sticky-load-balancing-strategy-factory.js", "./sentinel/routing-profile-factory.js", "./sentinel/sentinel-factory.js", "./sentinel/store/route-store-factory.js", "./stickiness/simple-load-balancer-stickiness-manager-factory.js", "./telemetry/noop-trace-emitter-factory.js", "./telemetry/open-telemetry-trace-emitter-factory.js", "./telemetry/trace-emitter-profile-factory.js", "./welcome/default-welcome-service-factory.js"];
 export type FactoryModuleSpec = (typeof MODULES)[number];
 export type FactoryModuleLoader = () => Promise<Record<string, unknown>>;
 export declare const MODULE_LOADERS: Record<FactoryModuleSpec, FactoryModuleLoader>;

package/dist/types/naylence/fame/http/jwks-api-router.d.ts

@@ -1,10 +1,10 @@
 /**
- * JWKS (JSON Web Key Set) API router for Express
+ * JWKS (JSON Web Key Set) API plugin for Fastify
  *
  * Provides /.well-known/jwks.json endpoint for public key discovery
  * Used by OAuth2/JWT token verification
  */
-import { type Router } from 'express';
+import type { FastifyPluginAsync } from 'fastify';
 import type { CryptoProvider } from '../security/crypto/providers/crypto-provider.js';
 export interface CreateJwksRouterOptions {
     /**
@@ -30,19 +30,19 @@ export interface CreateJwksRouterOptions {
     keyTypes?: string[];
 }
 /**
- * Create an Express router that exposes JWKS at /.well-known/jwks.json
+ * Create a Fastify plugin that exposes JWKS at /.well-known/jwks.json
  *
  * @param options - Router configuration options
- * @returns Express router with JWKS endpoint
+ * @returns Fastify plugin with JWKS endpoint
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createJwksRouter } from '@naylence/runtime';
  *
- * const app = express();
+ * const app = Fastify();
  * const cryptoProvider = new MyCryptoProvider();
- * app.use(createJwksRouter({ cryptoProvider }));
+ * app.register(createJwksRouter({ cryptoProvider }));
  * ```
  */
-export declare function createJwksRouter(options?: CreateJwksRouterOptions): Router;
+export declare function createJwksRouter(options?: CreateJwksRouterOptions): FastifyPluginAsync;

package/dist/types/naylence/fame/http/oauth2-server.d.ts

@@ -21,11 +21,11 @@
  *   FAME_JWT_ISSUER: JWT issuer (default: https://auth.fame.fabric)
  *   FAME_JWT_ALGORITHM: JWT algorithm (default: EdDSA)
  */
-import express from 'express';
+import type { FastifyInstance } from 'fastify';
 /**
- * Create and configure the OAuth2 Express application
+ * Create and configure the OAuth2 Fastify application
  */
-export declare function createApp(): Promise<express.Application>;
+export declare function createApp(): Promise<FastifyInstance>;
 /**
  * Main entry point when run as CLI
  */

package/dist/types/naylence/fame/http/oauth2-token-router.d.ts

@@ -1,10 +1,11 @@
 /**
- * OAuth2 client credentials grant flow router for Express
+ * OAuth2 client credentials and authorization code (PKCE) grant router for Fastify
  *
- * Provides /oauth/token endpoint for local development and testing
- * Implements OAuth2 client credentials grant with JWT token issuance
+ * Provides /oauth/token and /oauth/authorize endpoints for local development and testing.
+ * Implements OAuth2 client credentials grant with JWT token issuance and
+ * OAuth2 authorization code grant with PKCE verification.
  */
-import { type Router } from 'express';
+import type { FastifyPluginAsync } from 'fastify';
 import type { CryptoProvider } from '../security/crypto/providers/crypto-provider.js';
 export interface CreateOAuth2TokenRouterOptions {
     /**
@@ -44,12 +45,76 @@ export interface CreateOAuth2TokenRouterOptions {
      * Default: EdDSA
      */
     algorithm?: string;
+    /**
+     * Enable PKCE authorization code grant (default: true)
+     */
+    enablePkce?: boolean;
+    /**
+     * Allow public clients (no client_secret) for PKCE exchange (default: true)
+     */
+    allowPublicClients?: boolean;
+    /**
+     * Authorization code TTL in seconds (default: 300)
+     */
+    authorizationCodeTtlSec?: number;
+    /**
+     * Enable developer login experience for authorization flows (default: false)
+     */
+    enableDevLogin?: boolean;
+    /**
+     * Developer login username (required if enableDevLogin is true and not set via env)
+     */
+    devLoginUsername?: string;
+    /**
+     * Developer login password (required if enableDevLogin is true and not set via env)
+     */
+    devLoginPassword?: string;
+    /**
+     * Developer login session TTL in seconds (default: 3600)
+     */
+    devLoginSessionTtlSec?: number;
+    /**
+     * Cookie name for developer login session (default: naylence_dev_session)
+      
+      if (devLoginEnabled) {
+        cleanupLoginSessions(loginSessions, Date.now());
+        const activeSession = getActiveSession(
+          req,
+          loginSessions,
+          devLoginCookieName,
+          devLoginSessionTtlMs
+        );
+        if (!activeSession) {
+          const returnTo = sanitizeReturnTo(
+            req.originalUrl,
+            sessionCookiePath,
+            authorizationRedirectPath
+          );
+          const loginLocation = `${prefix}/login?return_to=${encodeURIComponent(
+            returnTo
+          )}`;
+          setNoCacheHeaders(res);
+          res.redirect(302, loginLocation);
+          return;
+        }
+      }
+     */
+    devLoginCookieName?: string;
+    /**
+     * Whether to mark the developer login cookie as secure (default: false)
+     */
+    devLoginSecureCookie?: boolean;
+    /**
+     * Custom title for the developer login page (default: Developer Login)
+     */
+    devLoginTitle?: string;
 }
 /**
- * Create an Express router that implements OAuth2 client credentials grant
+ * Create a Fastify plugin that implements OAuth2 token and authorization endpoints
+ * with support for client credentials and authorization code (PKCE) grants.
  *
  * @param options - Router configuration options
- * @returns Express router with OAuth2 token endpoint
+ * @returns Fastify plugin with OAuth2 token and authorization endpoints
  *
  * Environment Variables:
  *   FAME_JWT_CLIENT_ID: OAuth2 client identifier
@@ -58,17 +123,8 @@ export interface CreateOAuth2TokenRouterOptions {
  *   FAME_JWT_AUDIENCE: JWT audience claim (optional)
  *   FAME_JWT_ALGORITHM: JWT signing algorithm (optional, default: EdDSA)
  *   FAME_JWT_ALLOWED_SCOPES: Allowed scopes (optional, default: node.connect)
- *
- * @example
- * ```typescript
- * import express from 'express';
- * import { createOAuth2TokenRouter } from '@naylence/runtime';
- *
- * const app = express();
- * app.use(express.urlencoded({ extended: true }));
- *
- * const cryptoProvider = new MyCryptoProvider();
- * app.use(createOAuth2TokenRouter({ cryptoProvider }));
- * ```
+ *   FAME_OAUTH_ENABLE_PKCE: Enable PKCE authorization endpoints (optional, default: true)
+ *   FAME_OAUTH_ALLOW_PUBLIC_CLIENTS: Allow PKCE exchanges without client_secret (optional, default: true)
+ *   FAME_OAUTH_CODE_TTL_SEC: Authorization code TTL in seconds (optional, default: 300)
  */
-export declare function createOAuth2TokenRouter(options: CreateOAuth2TokenRouterOptions): Router;
+export declare function createOAuth2TokenRouter(options: CreateOAuth2TokenRouterOptions): FastifyPluginAsync;

package/dist/types/naylence/fame/http/openid-configuration-router.d.ts

@@ -1,9 +1,9 @@
 /**
- * OpenID Connect Discovery configuration router for Express
+ * OpenID Connect Discovery configuration plugin for Fastify
  *
  * Provides /.well-known/openid-configuration endpoint for OAuth2/OIDC client auto-discovery
  */
-import { type Router } from 'express';
+import type { FastifyPluginAsync } from 'fastify';
 export interface CreateOpenIDConfigurationRouterOptions {
     /**
      * Router prefix (default: empty string)
@@ -41,10 +41,10 @@ export interface CreateOpenIDConfigurationRouterOptions {
     algorithm?: string;
 }
 /**
- * Create an Express router that implements OpenID Connect Discovery
+ * Create a Fastify plugin that implements OpenID Connect Discovery
  *
  * @param options - Router configuration options
- * @returns Express router with OpenID configuration endpoint
+ * @returns Fastify plugin with OpenID configuration endpoint
  *
  * Environment Variables:
  *   FAME_JWT_ISSUER: JWT issuer claim (optional)
@@ -53,13 +53,13 @@ export interface CreateOpenIDConfigurationRouterOptions {
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createOpenIDConfigurationRouter } from '@naylence/runtime';
  *
- * const app = express();
- * app.use(createOpenIDConfigurationRouter({
+ * const app = Fastify();
+ * app.register(createOpenIDConfigurationRouter({
  *   issuer: 'https://auth.example.com',
  * }));
  * ```
  */
-export declare function createOpenIDConfigurationRouter(options?: CreateOpenIDConfigurationRouterOptions): Router;
+export declare function createOpenIDConfigurationRouter(options?: CreateOpenIDConfigurationRouterOptions): FastifyPluginAsync;

package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider-factory.d.ts

@@ -0,0 +1,27 @@
+import { type SecretSourceType } from '../credential/secret-source.js';
+import type { TokenProvider } from './token-provider.js';
+import { TokenProviderFactory, type TokenProviderConfig } from './token-provider-factory.js';
+export interface OAuth2PkceTokenProviderConfig extends TokenProviderConfig {
+    type: 'OAuth2PkceTokenProvider';
+    authorizeUrl: string;
+    tokenUrl: string;
+    redirectUri: string;
+    clientId: string;
+    username?: SecretSourceType;
+    clientSecret?: SecretSourceType;
+    scopes?: string[];
+    audience?: string;
+    codeChallengeMethod?: string;
+    codeVerifierLength?: number;
+    clockSkewSeconds?: number;
+    loginHintParam?: string;
+}
+export declare const FACTORY_META: {
+    readonly base: "TokenProviderFactory";
+    readonly key: "OAuth2PkceTokenProvider";
+};
+export declare class OAuth2PkceTokenProviderFactory extends TokenProviderFactory<OAuth2PkceTokenProviderConfig> {
+    readonly type = "OAuth2PkceTokenProvider";
+    create(config?: OAuth2PkceTokenProviderConfig | Record<string, unknown> | null): Promise<TokenProvider>;
+}
+export default OAuth2PkceTokenProviderFactory;

package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider.d.ts

@@ -0,0 +1,42 @@
+import { type CredentialProvider } from '../credential/credential-provider.js';
+import type { Token } from './token.js';
+import type { TokenProvider } from './token-provider.js';
+interface FetchLike {
+    (input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
+}
+type PkceMethod = 'S256' | 'PLAIN';
+export interface OAuth2PkceTokenProviderOptions {
+    authorizeUrl: string;
+    tokenUrl: string;
+    redirectUri: string;
+    clientId: string;
+    usernameProvider?: CredentialProvider;
+    clientSecretProvider?: CredentialProvider;
+    scopes?: string[];
+    audience?: string;
+    fetchImpl?: FetchLike;
+    clockSkewSeconds?: number;
+    codeVerifierLength?: number;
+    codeChallengeMethod?: PkceMethod;
+    loginHintParam?: string;
+}
+export declare class OAuth2PkceRedirectInitiatedError extends Error {
+    constructor(message?: string);
+}
+export declare class OAuth2PkceTokenProvider implements TokenProvider {
+    private cachedToken;
+    private readonly options;
+    constructor(rawOptions: OAuth2PkceTokenProviderOptions | Record<string, unknown>);
+    getToken(): Promise<Token>;
+    private isTokenFresh;
+    private beginBrowserAuthorization;
+    private navigate;
+    private tryCompletePendingAuthorization;
+    private isTokenCompatible;
+    private persistToken;
+    private buildAuthorizeUrl;
+    private resolveFetch;
+    private resolveOptionalSecret;
+    private exchangeToken;
+}
+export {};

package/dist/types/naylence/fame/security/crypto/providers/default-crypto-provider.d.ts

@@ -57,6 +57,5 @@ export declare class DefaultCryptoProvider implements CryptoProvider {
     prepareForAttach(nodeId: string, physicalPath: string, logicals: string[]): void;
     setLogicals(logicals: string[]): void;
     storeSignedCertificate(certificatePem: string, certificateChainPem?: string | null): void;
-    createCsr(nodeId: string, physicalPath: string, logicals: string[], subjectName?: string): Promise<string>;
 }
 export {};

package/dist/types/naylence/fame/telemetry/open-telemetry-trace-emitter.d.ts

@@ -3,8 +3,10 @@ import { BaseTraceEmitter } from './base-trace-emitter.js';
 import type { TraceSpanOptions, TraceSpanScope } from './trace-emitter.js';
 import type { OtelLifecycleControl } from './otel-setup.js';
 import type { AuthInjectionStrategy } from '../security/auth/auth-injection-strategy.js';
+type OtelApiBridge = Pick<typeof import('@opentelemetry/api'), 'trace' | 'SpanStatusCode'>;
 export declare class OpenTelemetryTraceEmitter extends BaseTraceEmitter {
     private readonly tracer;
+    private readonly otelApi;
     private lifecycle;
     private authStrategy;
     private shutdownInvoked;
@@ -19,6 +21,8 @@ type OpenTelemetryTraceEmitterOptionsInput = {
     serviceName?: string;
     service_name?: string;
     tracer?: Tracer;
+    otelApi?: OtelApiBridge;
+    otel_api?: OtelApiBridge;
     lifecycle?: OtelLifecycleControl | null;
     lifeCycle?: OtelLifecycleControl | null;
     life_cycle?: OtelLifecycleControl | null;

package/dist/types/version.d.ts

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.3.5-test.910";
+export declare const VERSION = "0.3.5-test.913";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.3.5-test.910",
+  "version": "0.3.5-test.913",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",
@@ -183,8 +183,6 @@
     "@peculiar/asn1-csr": "^2.5.0",
     "@peculiar/asn1-schema": "^2.5.0",
     "@peculiar/asn1-x509": "^2.5.0",
-    "@types/express": "^5.0.3",
-    "express": "^5.1.0",
     "fastify": "^5.6.1",
     "jose": "^6.1.0",
     "yaml": "^2.6.0",
@@ -217,6 +215,7 @@
     "@types/better-sqlite3": "^7.6.13",
     "@types/jest": "^29.5.14",
     "@types/node": "^24.6.0",
+    "@types/supertest": "^2.0.16",
     "@types/ws": "^8.5.10",
     "@typescript-eslint/eslint-plugin": "^8.45.0",
     "@typescript-eslint/parser": "^8.45.0",
@@ -233,6 +232,7 @@
     "rimraf": "^6.0.1",
     "rollup": "^4.52.3",
     "size-limit": "^11.1.5",
+    "supertest": "^7.1.3",
     "ts-jest": "^29.4.5",
     "tslib": "^2.6.2",
     "typescript": "^5.3.2",
@@ -252,4 +252,4 @@
   "engines": {
     "node": ">=18.0.0"
   }
-}
+}

package/dist/esm/naylence/fame/fastapi/oauth2-server.js

@@ -1,205 +0,0 @@
-#!/usr/bin/env node
-/**
- * OAuth2 Development Server - Simple token server for local testing
- *
- * WARNING: This is a DEVELOPMENT ONLY server. Do NOT use in production!
- *
- * Provides a minimal OAuth2 client credentials flow implementation
- * for local testing and development of Fame applications.
- *
- * Environment Variables:
- * - FAME_LOG_LEVEL: Log level (default: trace)
- * - APP_HOST: Server host (default: 0.0.0.0)
- * - APP_PORT: Server port (default: 8099)
- * - FAME_JWT_CLIENT_ID: Expected OAuth2 client ID
- * - FAME_JWT_CLIENT_SECRET: Expected OAuth2 client secret
- * - FAME_JWT_ISSUER: JWT issuer (default: https://oauth2-server)
- * - FAME_JWT_AUDIENCE: JWT audience (default: fame.fabric)
- * - FAME_JWT_ALGORITHM: JWT algorithm (default: EdDSA)
- */
-import Fastify from 'fastify';
-import formbody from '@fastify/formbody';
-import * as jose from 'jose';
-import { generateKeyPair } from 'crypto';
-import { promisify } from 'util';
-import { enableLogging, getLogger } from '../util/logging.js';
-const generateKeyPairAsync = promisify(generateKeyPair);
-const ENV_VAR_LOG_LEVEL = 'FAME_LOG_LEVEL';
-const ENV_VAR_CLIENT_ID = 'FAME_JWT_CLIENT_ID';
-const ENV_VAR_CLIENT_SECRET = 'FAME_JWT_CLIENT_SECRET';
-const ENV_VAR_JWT_ISSUER = 'FAME_JWT_ISSUER';
-const ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
-const ENV_VAR_JWT_ALGORITHM = 'FAME_JWT_ALGORITHM';
-const logger = getLogger('naylence.fame.fastapi.oauth2_server');
-// Global keypair for signing tokens
-let signingKey; // jose.KeyLike type not exported
-let publicKey; // jose.KeyLike type not exported
-let publicJWK;
-async function initializeKeys() {
-    const algorithm = process.env[ENV_VAR_JWT_ALGORITHM] || 'EdDSA';
-    if (algorithm === 'EdDSA') {
-        const { privateKey, publicKey: pubKey } = await generateKeyPairAsync('ed25519', {
-            privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
-            publicKeyEncoding: { type: 'spki', format: 'pem' },
-        });
-        signingKey = await jose.importPKCS8(privateKey, 'EdDSA');
-        publicKey = await jose.importSPKI(pubKey, 'EdDSA');
-        publicJWK = await jose.exportJWK(publicKey);
-        publicJWK.kid = 'dev-key-1';
-        publicJWK.alg = 'EdDSA';
-        publicJWK.use = 'sig';
-    }
-    else {
-        // RS256 fallback
-        const { privateKey, publicKey: pubKey } = await generateKeyPairAsync('rsa', {
-            modulusLength: 2048,
-            privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
-            publicKeyEncoding: { type: 'spki', format: 'pem' },
-        });
-        signingKey = await jose.importPKCS8(privateKey, 'RS256');
-        publicKey = await jose.importSPKI(pubKey, 'RS256');
-        publicJWK = await jose.exportJWK(publicKey);
-        publicJWK.kid = 'dev-key-1';
-        publicJWK.alg = 'RS256';
-        publicJWK.use = 'sig';
-    }
-    logger.info('oauth2_server_keys_initialized', { algorithm });
-}
-async function createApp() {
-    await initializeKeys();
-    const logLevel = (process.env[ENV_VAR_LOG_LEVEL] || 'info').toLowerCase();
-    const fastify = Fastify({
-        logger: {
-            level: logLevel === 'trace' ? 'debug' : logLevel,
-        },
-    });
-    // Register formbody plugin to parse application/x-www-form-urlencoded
-    await fastify.register(formbody);
-    const issuer = process.env[ENV_VAR_JWT_ISSUER] || 'https://oauth2-server';
-    const audience = process.env[ENV_VAR_JWT_AUDIENCE] || 'fame.fabric';
-    const algorithm = process.env[ENV_VAR_JWT_ALGORITHM] || 'EdDSA';
-    const expectedClientId = process.env[ENV_VAR_CLIENT_ID];
-    const expectedClientSecret = process.env[ENV_VAR_CLIENT_SECRET];
-    // OAuth2 token endpoint
-    fastify.post('/oauth/token', async (request, reply) => {
-        const { grant_type, client_id, client_secret, scope } = request.body;
-        // Validate grant type
-        if (grant_type !== 'client_credentials') {
-            return reply.status(400).send({
-                error: 'unsupported_grant_type',
-                error_description: 'Only client_credentials grant type is supported',
-            });
-        }
-        // Validate client credentials
-        if (!expectedClientId || !expectedClientSecret) {
-            logger.error('oauth2_server_missing_credentials', {
-                message: 'FAME_JWT_CLIENT_ID and FAME_JWT_CLIENT_SECRET must be set',
-            });
-            return reply.status(500).send({
-                error: 'server_error',
-                error_description: 'Server not configured properly',
-            });
-        }
-        if (client_id !== expectedClientId ||
-            client_secret !== expectedClientSecret) {
-            return reply.status(401).send({
-                error: 'invalid_client',
-                error_description: 'Invalid client credentials',
-            });
-        }
-        // Generate JWT
-        const now = Math.floor(Date.now() / 1000);
-        const expiresIn = 3600; // 1 hour
-        const payload = {
-            iss: issuer,
-            sub: client_id,
-            aud: audience,
-            iat: now,
-            exp: now + expiresIn,
-            scope: scope || 'node.connect',
-        };
-        const token = await new jose.SignJWT(payload)
-            .setProtectedHeader({ alg: algorithm, kid: 'dev-key-1' })
-            .sign(signingKey);
-        logger.debug('oauth2_token_issued', {
-            client_id,
-            scope: payload.scope,
-            expires_in: expiresIn,
-        });
-        return {
-            access_token: token,
-            token_type: 'Bearer',
-            expires_in: expiresIn,
-            scope: payload.scope,
-        };
-    });
-    // JWKS endpoint for public key distribution
-    fastify.get('/.well-known/jwks.json', async () => {
-        return {
-            keys: [publicJWK],
-        };
-    });
-    // OpenID configuration endpoint
-    fastify.get('/.well-known/openid-configuration', async () => {
-        const baseUrl = issuer;
-        return {
-            issuer: baseUrl,
-            token_endpoint: `${baseUrl}/oauth/token`,
-            jwks_uri: `${baseUrl}/.well-known/jwks.json`,
-            grant_types_supported: ['client_credentials'],
-            response_types_supported: ['token'],
-            token_endpoint_auth_methods_supported: [
-                'client_secret_post',
-                'client_secret_basic',
-            ],
-        };
-    });
-    // Health check
-    fastify.get('/health', async () => {
-        return { status: 'healthy', service: 'oauth2-dev-server' };
-    });
-    return fastify;
-}
-async function main() {
-    try {
-        const logLevel = process.env[ENV_VAR_LOG_LEVEL] || 'trace';
-        enableLogging(logLevel);
-        const app = await createApp();
-        const host = process.env.APP_HOST || '0.0.0.0';
-        const port = parseInt(process.env.APP_PORT || '8099', 10);
-        await app.listen({ host, port });
-        logger.info('oauth2_dev_server_started', {
-            host,
-            port,
-            logLevel,
-        });
-        console.log(`\n⚠️  OAuth2 Development Server (DO NOT USE IN PRODUCTION)`);
-        console.log(`📍 Listening on http://${host}:${port}`);
-        console.log(`🔑 Token endpoint: http://${host}:${port}/oauth/token`);
-        console.log(`📜 JWKS endpoint: http://${host}:${port}/.well-known/jwks.json\n`);
-    }
-    catch (error) {
-        logger.error('oauth2_dev_server_failed_to_start', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        console.error('Failed to start OAuth2 Development Server:', error);
-        process.exit(1);
-    }
-}
-// Handle graceful shutdown
-process.on('SIGTERM', () => {
-    logger.info('oauth2_dev_server_shutting_down', { signal: 'SIGTERM' });
-    process.exit(0);
-});
-process.on('SIGINT', () => {
-    logger.info('oauth2_dev_server_shutting_down', { signal: 'SIGINT' });
-    process.exit(0);
-});
-// Start server if run directly
-if (import.meta.url === `file://${process.argv[1]}`) {
-    main().catch((error) => {
-        console.error('Fatal error:', error);
-        process.exit(1);
-    });
-}
-export { createApp };

package/dist/types/naylence/fame/fastapi/oauth2-server.d.ts

@@ -1,22 +0,0 @@
-#!/usr/bin/env node
-/**
- * OAuth2 Development Server - Simple token server for local testing
- *
- * WARNING: This is a DEVELOPMENT ONLY server. Do NOT use in production!
- *
- * Provides a minimal OAuth2 client credentials flow implementation
- * for local testing and development of Fame applications.
- *
- * Environment Variables:
- * - FAME_LOG_LEVEL: Log level (default: trace)
- * - APP_HOST: Server host (default: 0.0.0.0)
- * - APP_PORT: Server port (default: 8099)
- * - FAME_JWT_CLIENT_ID: Expected OAuth2 client ID
- * - FAME_JWT_CLIENT_SECRET: Expected OAuth2 client secret
- * - FAME_JWT_ISSUER: JWT issuer (default: https://oauth2-server)
- * - FAME_JWT_AUDIENCE: JWT audience (default: fame.fabric)
- * - FAME_JWT_ALGORITHM: JWT algorithm (default: EdDSA)
- */
-import type { FastifyInstance } from 'fastify';
-declare function createApp(): Promise<FastifyInstance>;
-export { createApp };