@naylence/runtime 0.3.5-test.910 → 0.3.5-test.913

package/dist/cjs/naylence/fame/security/crypto/providers/default-crypto-provider.js

@@ -34,9 +34,6 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DefaultCryptoProvider = void 0;
-const asn1_schema_1 = require("@peculiar/asn1-schema");
-const asn1_x509_1 = require("@peculiar/asn1-x509");
-const asn1_csr_1 = require("@peculiar/asn1-csr");
 const core_1 = require("@naylence/core");
 const logging_js_1 = require("../../../util/logging.js");
 const util_js_1 = require("../../../util/util.js");
@@ -52,11 +49,6 @@ const DEFAULT_AUDIENCE = 'router-dev';
 const DEFAULT_TTL_SEC = 3600;
 const DEFAULT_HMAC_SECRET_BYTES = 32;
 const ENCRYPTION_ALG = 'ECDH-ES';
-const EXTENSION_REQUEST_OID = '1.2.840.113549.1.9.14';
-const COMMON_NAME_OID = '2.5.4.3';
-const ED25519_OID = '1.3.101.112';
-const CSR_PEM_TAG = 'CERTIFICATE REQUEST';
-const LOGICAL_URI_PREFIX = 'naylence://';
 function normalizeDefaultCryptoProviderOptions(options) {
     if (!options) {
         return {};
@@ -322,76 +314,6 @@ class DefaultCryptoProvider {
             has_chain: Boolean(certificateChainPem),
         });
     }
-    async createCsr(nodeId, physicalPath, logicals, subjectName) {
-        const trimmedNodeId = assertNonEmptyString(nodeId, 'nodeId');
-        const trimmedPhysicalPath = assertNonEmptyString(physicalPath, 'physicalPath');
-        try {
-            if (this.artifacts.signing.algorithm !== 'EdDSA') {
-                throw new Error('CSR creation only supported for Ed25519 signing keys in the default crypto provider');
-            }
-            const cryptoImpl = await ensureWebCrypto();
-            const privateKey = await cryptoImpl.subtle.importKey('pkcs8', pemToArrayBuffer(this.signingPrivatePem), {
-                name: 'Ed25519',
-            }, false, ['sign']);
-            const publicKeyDer = pemToArrayBuffer(this.signingPublicPem);
-            const subjectPkInfo = asn1_schema_1.AsnConvert.parse(publicKeyDer, asn1_x509_1.SubjectPublicKeyInfo);
-            const sanitizedLogicals = Array.isArray(logicals)
-                ? logicals.filter((value) => typeof value === 'string' && value.trim().length > 0)
-                : [];
-            const commonName = typeof subjectName === 'string' && subjectName.trim().length > 0
-                ? subjectName.trim()
-                : trimmedNodeId;
-            const subject = buildSubjectName(commonName);
-            const attributes = new asn1_csr_1.Attributes();
-            if (sanitizedLogicals.length > 0) {
-                const san = new asn1_x509_1.SubjectAlternativeName(sanitizedLogicals.map((logical) => new asn1_x509_1.GeneralName({
-                    uniformResourceIdentifier: `${LOGICAL_URI_PREFIX}${logical}`,
-                })));
-                const extensions = new asn1_x509_1.Extensions([
-                    new asn1_x509_1.Extension({
-                        extnID: asn1_x509_1.id_ce_subjectAltName,
-                        critical: false,
-                        extnValue: new asn1_schema_1.OctetString(asn1_schema_1.AsnConvert.serialize(san)),
-                    }),
-                ]);
-                attributes.push(new asn1_x509_1.Attribute({
-                    type: EXTENSION_REQUEST_OID,
-                    values: [asn1_schema_1.AsnConvert.serialize(extensions)],
-                }));
-            }
-            const requestInfo = new asn1_csr_1.CertificationRequestInfo({
-                subject,
-                subjectPKInfo: subjectPkInfo,
-                attributes,
-            });
-            const requestInfoDer = asn1_schema_1.AsnConvert.serialize(requestInfo);
-            const signature = await cryptoImpl.subtle.sign('Ed25519', privateKey, requestInfoDer);
-            const certificationRequest = new asn1_csr_1.CertificationRequest({
-                certificationRequestInfo: requestInfo,
-                signatureAlgorithm: new asn1_x509_1.AlgorithmIdentifier({
-                    algorithm: ED25519_OID,
-                }),
-                signature: encodeBitString(signature),
-            });
-            certificationRequest.certificationRequestInfoRaw = requestInfoDer;
-            const csrDer = asn1_schema_1.AsnConvert.serialize(certificationRequest);
-            const csrPem = arrayBufferToPem(csrDer, CSR_PEM_TAG);
-            logger.debug('csr_created', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                logical_count: sanitizedLogicals.length,
-            });
-            return csrPem;
-        }
-        catch (error) {
-            logger.error('csr_creation_failed', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
 }
 exports.DefaultCryptoProvider = DefaultCryptoProvider;
 async function buildProviderArtifacts(options) {
@@ -628,90 +550,6 @@ function pemToDerBase64(pem) {
     // Ensure the output is valid base64 without whitespace
     return base64.replace(/\s+/g, '');
 }
-let cryptoPromise = null;
-async function ensureWebCrypto() {
-    if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto?.subtle) {
-        return globalThis.crypto;
-    }
-    if (!cryptoPromise) {
-        if (typeof process !== 'undefined' &&
-            typeof process.versions?.node === 'string') {
-            cryptoPromise = Promise.resolve().then(() => __importStar(require('node:crypto'))).then((module) => {
-                const webcrypto = module.webcrypto;
-                if (!webcrypto || !webcrypto.subtle) {
-                    throw new Error('WebCrypto API is not available in this Node.js runtime');
-                }
-                globalThis.crypto = webcrypto;
-                return webcrypto;
-            });
-        }
-        else {
-            cryptoPromise = Promise.reject(new Error('WebCrypto API is not available in this environment'));
-        }
-    }
-    return cryptoPromise;
-}
-function pemToArrayBuffer(pem) {
-    const normalized = pem
-        .replace(/-----BEGIN[^-]+-----/g, '')
-        .replace(/-----END[^-]+-----/g, '')
-        .replace(/\s+/g, '');
-    const bytes = base64ToBytes(normalized);
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-function base64ToBytes(base64) {
-    if (typeof Buffer !== 'undefined') {
-        const buffer = Buffer.from(base64, 'base64');
-        const bytes = new Uint8Array(buffer.length);
-        for (let i = 0; i < buffer.length; i += 1) {
-            bytes[i] = buffer[i];
-        }
-        return bytes;
-    }
-    if (typeof atob === 'function') {
-        const binary = atob(base64);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
-    }
-    throw new Error('No base64 decoder available in this environment');
-}
-function arrayBufferToPem(buffer, tag) {
-    const base64 = bytesToBase64(new Uint8Array(buffer));
-    return `-----BEGIN ${tag}-----\n${formatPem(base64)}\n-----END ${tag}-----\n`;
-}
-function formatPem(base64) {
-    const lines = [];
-    for (let i = 0; i < base64.length; i += 64) {
-        lines.push(base64.slice(i, i + 64));
-    }
-    return lines.join('\n');
-}
-function encodeBitString(signature) {
-    const bytes = new Uint8Array(signature);
-    const bitString = new Uint8Array(bytes.length + 1);
-    bitString.set(bytes, 1);
-    return bitString.buffer;
-}
-function buildSubjectName(commonName) {
-    const attribute = new asn1_x509_1.AttributeTypeAndValue({
-        type: COMMON_NAME_OID,
-        value: new asn1_x509_1.AttributeValue({ utf8String: commonName }),
-    });
-    return new asn1_x509_1.Name([new asn1_x509_1.RelativeDistinguishedName([attribute])]);
-}
-function assertNonEmptyString(value, name) {
-    if (typeof value !== 'string') {
-        throw new TypeError(`${name} must be a string`);
-    }
-    const trimmed = value.trim();
-    if (trimmed.length === 0) {
-        throw new TypeError(`${name} must be a non-empty string`);
-    }
-    return trimmed;
-}
 function cloneJson(value) {
     return JSON.parse(JSON.stringify(value));
 }

package/dist/cjs/naylence/fame/telemetry/open-telemetry-trace-emitter-factory.js

@@ -40,15 +40,25 @@ const lazy_import_js_1 = require("../util/lazy-import.js");
 const trace_emitter_factory_js_1 = require("./trace-emitter-factory.js");
 const logging_js_1 = require("../util/logging.js");
 let openTelemetryTraceEmitterModulePromise = null;
+let otelApiModulePromise = null;
 const logger = (0, logging_js_1.getLogger)('naylence.fame.telemetry.open_telemetry_trace_emitter_factory');
+const MISSING_OTEL_HELP_MESSAGE = 'Missing optional OpenTelemetry dependency. Install @opentelemetry/api (and related packages) to enable trace emission.';
 function getOpenTelemetryTraceEmitterModule() {
     if (!openTelemetryTraceEmitterModulePromise) {
         openTelemetryTraceEmitterModulePromise = (0, lazy_import_js_1.safeImport)(() => Promise.resolve().then(() => __importStar(require('./open-telemetry-trace-emitter.js'))), '@opentelemetry/api', {
-            helpMessage: 'Missing optional OpenTelemetry dependency. Install @opentelemetry/api (and related packages) to enable trace emission.',
+            helpMessage: MISSING_OTEL_HELP_MESSAGE,
         });
     }
     return openTelemetryTraceEmitterModulePromise;
 }
+function getOtelApiModule() {
+    if (!otelApiModulePromise) {
+        otelApiModulePromise = (0, lazy_import_js_1.safeImport)(() => Promise.resolve().then(() => __importStar(require('@opentelemetry/api'))), '@opentelemetry/api', {
+            helpMessage: MISSING_OTEL_HELP_MESSAGE,
+        });
+    }
+    return otelApiModulePromise;
+}
 exports.FACTORY_META = {
     base: trace_emitter_factory_js_1.TRACE_EMITTER_FACTORY_BASE_TYPE,
     key: 'OpenTelemetryTraceEmitter',
@@ -111,9 +121,16 @@ class OpenTelemetryTraceEmitterFactory extends trace_emitter_factory_js_1.TraceE
             }
             throw error;
         }
-        const { OpenTelemetryTraceEmitter } = await getOpenTelemetryTraceEmitterModule();
+        const [{ OpenTelemetryTraceEmitter }, otelModule] = await Promise.all([
+            getOpenTelemetryTraceEmitterModule(),
+            getOtelApiModule(),
+        ]);
         const emitterOptions = {
             serviceName: normalized.serviceName,
+            otelApi: {
+                trace: otelModule.trace,
+                SpanStatusCode: otelModule.SpanStatusCode,
+            },
         };
         if (options.tracer) {
             emitterOptions.tracer = options.tracer;

package/dist/cjs/naylence/fame/telemetry/open-telemetry-trace-emitter.js

@@ -1,12 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OpenTelemetryTraceEmitter = void 0;
-const api_1 = require("@opentelemetry/api");
 const base_trace_emitter_js_1 = require("./base-trace-emitter.js");
 const otel_context_js_1 = require("./otel-context.js");
 class OpenTelemetryTraceSpan {
-    constructor(span) {
+    constructor(span, api) {
         this.span = span;
+        this.api = api;
     }
     setAttribute(key, value) {
         try {
@@ -32,7 +32,7 @@ class OpenTelemetryTraceSpan {
     setStatusError(description) {
         try {
             const status = {
-                code: api_1.SpanStatusCode.ERROR,
+                code: this.api.SpanStatusCode.ERROR,
             };
             if (description !== undefined) {
                 status.message = description;
@@ -45,10 +45,10 @@ class OpenTelemetryTraceSpan {
     }
 }
 class OpenTelemetrySpanScope {
-    constructor(span) {
+    constructor(span, api) {
         this.span = span;
         this.entered = false;
-        this.wrapper = new OpenTelemetryTraceSpan(span);
+        this.wrapper = new OpenTelemetryTraceSpan(span, api);
     }
     enter() {
         if (!this.entered) {
@@ -83,7 +83,9 @@ class OpenTelemetryTraceEmitter extends base_trace_emitter_js_1.BaseTraceEmitter
         super();
         this.shutdownInvoked = false;
         const normalized = normalizeOpenTelemetryTraceEmitterOptions(options);
-        this.tracer = normalized.tracer ?? api_1.trace.getTracer(normalized.serviceName);
+        this.otelApi = normalized.otelApi;
+        this.tracer =
+            normalized.tracer ?? this.otelApi.trace.getTracer(normalized.serviceName);
         this.lifecycle = normalized.lifecycle ?? null;
         this.authStrategy = normalized.authStrategy ?? null;
     }
@@ -101,7 +103,7 @@ class OpenTelemetryTraceEmitter extends base_trace_emitter_js_1.BaseTraceEmitter
         if (typeof envelopeTraceId === 'string') {
             this.applyEnvelopeTraceId(span, envelopeTraceId);
         }
-        return new OpenTelemetrySpanScope(span);
+        return new OpenTelemetrySpanScope(span, this.otelApi);
     }
     async flush() {
         if (this.lifecycle?.forceFlush) {
@@ -114,7 +116,7 @@ class OpenTelemetryTraceEmitter extends base_trace_emitter_js_1.BaseTraceEmitter
             }
         }
         try {
-            const provider = api_1.trace.getTracerProvider();
+            const provider = this.otelApi.trace.getTracerProvider();
             if (provider && typeof provider.forceFlush === 'function') {
                 await provider.forceFlush();
             }
@@ -149,7 +151,7 @@ class OpenTelemetryTraceEmitter extends base_trace_emitter_js_1.BaseTraceEmitter
             }
         }
         try {
-            const provider = api_1.trace.getTracerProvider();
+            const provider = this.otelApi.trace.getTracerProvider();
             if (provider && typeof provider.shutdown === 'function') {
                 await provider.shutdown();
             }
@@ -191,6 +193,13 @@ function normalizeOpenTelemetryTraceEmitterOptions(input) {
     const source = (input ?? {});
     const serviceName = extractNonEmptyString(pickFirst(source, ['serviceName', 'service_name'])) ?? 'naylence-service';
     const tracer = pickFirst(source, ['tracer']);
+    const otelApi = pickFirst(source, [
+        'otelApi',
+        'otel_api',
+    ]);
+    if (!otelApi) {
+        throw new Error('OpenTelemetryTraceEmitter requires OpenTelemetry API bindings. Provide otelApi via options.');
+    }
     const lifecycle = pickFirst(source, [
         'lifecycle',
         'lifeCycle',
@@ -203,6 +212,7 @@ function normalizeOpenTelemetryTraceEmitterOptions(input) {
     return {
         serviceName,
         tracer,
+        otelApi,
         lifecycle,
         authStrategy,
     };

package/dist/cjs/naylence/fame/util/register-runtime-factories.js

@@ -46,6 +46,9 @@ const NODE_ONLY_FACTORY_MODULES = new Set([
     './telemetry/open-telemetry-trace-emitter-factory.js',
     './security/credential/prompt-credential-provider-factory.js',
 ]);
+const BROWSER_ONLY_FACTORY_MODULES = new Set([
+    './security/auth/oauth2-pkce-token-provider-factory.js',
+]);
 const isNodeEnvironment = typeof process !== 'undefined' && Boolean(process?.versions?.node);
 function detectModuleUrl() {
     // Prefer Node-friendly __filename when available.
@@ -188,6 +191,9 @@ async function performRegistration(registry) {
         if (!isNodeEnvironment && NODE_ONLY_FACTORY_MODULES.has(spec)) {
             return;
         }
+        if (isNodeEnvironment && BROWSER_ONLY_FACTORY_MODULES.has(spec)) {
+            return;
+        }
         try {
             let mod;
             let lastError;

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.910
+// Generated from package.json version: 0.3.5-test.913
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.5-test.910';
+exports.VERSION = '0.3.5-test.913';

package/dist/esm/naylence/fame/config/extended-fame-config.js

@@ -14,6 +14,57 @@ const CONFIG_SEARCH_PATHS = [
 ];
 const fsModuleSpecifier = String.fromCharCode(102) + String.fromCharCode(115);
 let cachedFsModule = null;
+// Capture this module's URL without triggering TypeScript's import.meta restriction on CJS builds
+const currentModuleUrl = (() => {
+    try {
+        return (0, eval)('import.meta.url');
+    }
+    catch {
+        return undefined;
+    }
+})();
+// Shared flag that allows synchronous waiting for the Node-specific require shim
+const requireReadyFlag = isNode && typeof SharedArrayBuffer !== 'undefined'
+    ? new Int32Array(new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT))
+    : null;
+if (requireReadyFlag) {
+    // 0 means initializing, 1 means ready (success or failure)
+    Atomics.store(requireReadyFlag, 0, 0);
+    // Prepare a CommonJS-style require when running in pure ESM contexts
+    void (async () => {
+        try {
+            if (typeof require !== 'function') {
+                const moduleNamespace = (await import('node:module'));
+                const createRequire = moduleNamespace.createRequire;
+                if (typeof createRequire === 'function') {
+                    const fallbackPath = `${process.cwd()}/.__naylence_require_shim__.mjs`;
+                    const nodeRequire = createRequire(currentModuleUrl ?? fallbackPath);
+                    globalThis.require = nodeRequire;
+                }
+            }
+        }
+        catch {
+            // Ignore failures – getFsModule will surface a helpful error when needed
+        }
+    })()
+        .catch(() => {
+        // Ignore async errors – the ready flag will still unblock consumers
+    })
+        .finally(() => {
+        Atomics.store(requireReadyFlag, 0, 1);
+        Atomics.notify(requireReadyFlag, 0);
+    });
+}
+function ensureRequireReady() {
+    if (!requireReadyFlag) {
+        return;
+    }
+    if (Atomics.load(requireReadyFlag, 0) === 1) {
+        return;
+    }
+    // Block until the asynchronous loader finishes initialising
+    Atomics.wait(requireReadyFlag, 0, 0);
+}
 function getFsModule() {
     if (cachedFsModule) {
         return cachedFsModule;
@@ -21,6 +72,7 @@ function getFsModule() {
     if (!isNode) {
         throw new Error('File system access is not available in this environment');
     }
+    ensureRequireReady();
     if (typeof require === 'function') {
         try {
             cachedFsModule = require(fsModuleSpecifier);

package/dist/esm/naylence/fame/factory-manifest.js

@@ -35,6 +35,7 @@ export const MODULES = [
     "./security/auth/noop-token-verifier-factory.js",
     "./security/auth/oauth2-authorizer-factory.js",
     "./security/auth/oauth2-client-credentials-token-provider-factory.js",
+    "./security/auth/oauth2-pkce-token-provider-factory.js",
     "./security/auth/query-param-auth-injection-strategy-factory.js",
     "./security/auth/shared-secret-authorizer-factory.js",
     "./security/auth/shared-secret-token-provider-factory.js",
@@ -108,6 +109,7 @@ export const MODULE_LOADERS = {
     "./security/auth/noop-token-verifier-factory.js": () => import("./security/auth/noop-token-verifier-factory.js"),
     "./security/auth/oauth2-authorizer-factory.js": () => import("./security/auth/oauth2-authorizer-factory.js"),
     "./security/auth/oauth2-client-credentials-token-provider-factory.js": () => import("./security/auth/oauth2-client-credentials-token-provider-factory.js"),
+    "./security/auth/oauth2-pkce-token-provider-factory.js": () => import("./security/auth/oauth2-pkce-token-provider-factory.js"),
     "./security/auth/query-param-auth-injection-strategy-factory.js": () => import("./security/auth/query-param-auth-injection-strategy-factory.js"),
     "./security/auth/shared-secret-authorizer-factory.js": () => import("./security/auth/shared-secret-authorizer-factory.js"),
     "./security/auth/shared-secret-token-provider-factory.js": () => import("./security/auth/shared-secret-token-provider-factory.js"),

package/dist/esm/naylence/fame/http/jwks-api-router.js

@@ -1,10 +1,9 @@
 /**
- * JWKS (JSON Web Key Set) API router for Express
+ * JWKS (JSON Web Key Set) API plugin for Fastify
  *
  * Provides /.well-known/jwks.json endpoint for public key discovery
  * Used by OAuth2/JWT token verification
  */
-import express from 'express';
 import { getLogger } from '../util/logging.js';
 const logger = getLogger('naylence.fame.http.jwks_api_router');
 const DEFAULT_PREFIX = '';
@@ -84,23 +83,22 @@ function filterKeysByType(jwksData, allowedTypes) {
     return { ...jwksData, keys: filteredKeys };
 }
 /**
- * Create an Express router that exposes JWKS at /.well-known/jwks.json
+ * Create a Fastify plugin that exposes JWKS at /.well-known/jwks.json
  *
  * @param options - Router configuration options
- * @returns Express router with JWKS endpoint
+ * @returns Fastify plugin with JWKS endpoint
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createJwksRouter } from '@naylence/runtime';
  *
- * const app = express();
+ * const app = Fastify();
  * const cryptoProvider = new MyCryptoProvider();
- * app.use(createJwksRouter({ cryptoProvider }));
+ * app.register(createJwksRouter({ cryptoProvider }));
  * ```
  */
 export function createJwksRouter(options = {}) {
-    const router = express.Router();
     const { getJwksJson, cryptoProvider, prefix = DEFAULT_PREFIX, keyTypes, } = normalizeCreateJwksRouterOptions(options);
     // Get JWKS data
     let jwks;
@@ -123,14 +121,15 @@ export function createJwksRouter(options = {}) {
         key_types: allowedKeyTypes,
         total_keys: jwks.keys.length,
     });
-    // JWKS endpoint
-    router.get(`${prefix}/.well-known/jwks.json`, (_req, res) => {
-        const filteredJwks = filterKeysByType(jwks, allowedKeyTypes);
-        logger.debug('jwks_served', {
-            total_keys: jwks.keys.length,
-            filtered_keys: filteredJwks.keys.length,
+    const plugin = async (instance) => {
+        instance.get(`${prefix}/.well-known/jwks.json`, async (_request, reply) => {
+            const filteredJwks = filterKeysByType(jwks, allowedKeyTypes);
+            logger.debug('jwks_served', {
+                total_keys: jwks.keys.length,
+                filtered_keys: filteredJwks.keys.length,
+            });
+            reply.send(filteredJwks);
         });
-        res.json(filteredJwks);
-    });
-    return router;
+    };
+    return plugin;
 }

package/dist/esm/naylence/fame/http/oauth2-server.js

@@ -21,7 +21,7 @@
  *   FAME_JWT_ISSUER: JWT issuer (default: https://auth.fame.fabric)
  *   FAME_JWT_ALGORITHM: JWT algorithm (default: EdDSA)
  */
-import express from 'express';
+import Fastify from 'fastify';
 import { createOAuth2TokenRouter } from './oauth2-token-router.js';
 import { createJwksRouter } from './jwks-api-router.js';
 import { createOpenIDConfigurationRouter } from './openid-configuration-router.js';
@@ -53,23 +53,18 @@ async function getCryptoProvider() {
     return DefaultCryptoProvider.create();
 }
 /**
- * Create and configure the OAuth2 Express application
+ * Create and configure the OAuth2 Fastify application
  */
 export async function createApp() {
-    const app = express();
-    // Middleware
-    app.use(express.json());
-    app.use(express.urlencoded({ extended: true }));
+    const app = Fastify({ logger: false });
     // Get crypto provider
     const cryptoProvider = await getCryptoProvider();
     // Add routers
-    app.use(createOAuth2TokenRouter({ cryptoProvider }));
-    app.use(createJwksRouter({ cryptoProvider }));
-    app.use(createOpenIDConfigurationRouter());
+    app.register(createOAuth2TokenRouter({ cryptoProvider }));
+    app.register(createJwksRouter({ cryptoProvider }));
+    app.register(createOpenIDConfigurationRouter());
     // Health check endpoint
-    app.get('/health', (_req, res) => {
-        res.json({ status: 'ok' });
-    });
+    app.get('/health', async () => ({ status: 'ok' }));
     return app;
 }
 /**
@@ -97,27 +92,29 @@ async function main() {
     });
     const app = await createApp();
     // Start server
-    app.listen(port, host, () => {
-        logger.info('oauth2_server_started', {
-            host,
-            port,
-            endpoints: {
-                token: '/oauth/token',
-                jwks: '/.well-known/jwks.json',
-                openid_config: '/.well-known/openid-configuration',
-                health: '/health',
-            },
-        });
+    await app.listen({ port, host });
+    logger.info('oauth2_server_started', {
+        host,
+        port,
+        endpoints: {
+            token: '/oauth/token',
+            jwks: '/.well-known/jwks.json',
+            openid_config: '/.well-known/openid-configuration',
+            health: '/health',
+        },
     });
+    const shutdown = (signal) => {
+        logger.info('oauth2_server_shutting_down', { signal });
+        app
+            .close()
+            .catch((error) => logger.error('oauth2_server_shutdown_error', {
+            error: error instanceof Error ? error.message : String(error),
+        }))
+            .finally(() => process.exit(0));
+    };
     // Graceful shutdown
-    process.on('SIGINT', () => {
-        logger.info('oauth2_server_shutting_down', { signal: 'SIGINT' });
-        process.exit(0);
-    });
-    process.on('SIGTERM', () => {
-        logger.info('oauth2_server_shutting_down', { signal: 'SIGTERM' });
-        process.exit(0);
-    });
+    process.on('SIGINT', () => shutdown('SIGINT'));
+    process.on('SIGTERM', () => shutdown('SIGTERM'));
 }
 // Export main for CLI usage
 export { main };