@naylence/runtime 0.3.5-test.911 → 0.3.5-test.913

package/dist/browser/index.cjs

@@ -8,9 +8,6 @@ var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
 var sha2_js = require('@noble/hashes/sha2.js');
 var utils_js = require('@noble/hashes/utils.js');
-var asn1Schema = require('@peculiar/asn1-schema');
-var asn1X509 = require('@peculiar/asn1-x509');
-var asn1Csr = require('@peculiar/asn1-csr');
 var yaml = require('yaml');
 var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
@@ -101,12 +98,12 @@ installProcessEnvShim();
 // --- END ENV SHIM ---
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.911
+// Generated from package.json version: 0.3.5-test.913
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.911';
+const VERSION = '0.3.5-test.913';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -13093,6 +13090,57 @@ const CONFIG_SEARCH_PATHS = [
 ];
 const fsModuleSpecifier = String.fromCharCode(102) + String.fromCharCode(115);
 let cachedFsModule = null;
+// Capture this module's URL without triggering TypeScript's import.meta restriction on CJS builds
+const currentModuleUrl = (() => {
+    try {
+        return (0, eval)('import.meta.url');
+    }
+    catch {
+        return undefined;
+    }
+})();
+// Shared flag that allows synchronous waiting for the Node-specific require shim
+const requireReadyFlag = isNode && typeof SharedArrayBuffer !== 'undefined'
+    ? new Int32Array(new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT))
+    : null;
+if (requireReadyFlag) {
+    // 0 means initializing, 1 means ready (success or failure)
+    Atomics.store(requireReadyFlag, 0, 0);
+    // Prepare a CommonJS-style require when running in pure ESM contexts
+    void (async () => {
+        try {
+            if (typeof require !== 'function') {
+                const moduleNamespace = (await import('node:module'));
+                const createRequire = moduleNamespace.createRequire;
+                if (typeof createRequire === 'function') {
+                    const fallbackPath = `${process.cwd()}/.__naylence_require_shim__.mjs`;
+                    const nodeRequire = createRequire(currentModuleUrl ?? fallbackPath);
+                    globalThis.require = nodeRequire;
+                }
+            }
+        }
+        catch {
+            // Ignore failures – getFsModule will surface a helpful error when needed
+        }
+    })()
+        .catch(() => {
+        // Ignore async errors – the ready flag will still unblock consumers
+    })
+        .finally(() => {
+        Atomics.store(requireReadyFlag, 0, 1);
+        Atomics.notify(requireReadyFlag, 0);
+    });
+}
+function ensureRequireReady() {
+    if (!requireReadyFlag) {
+        return;
+    }
+    if (Atomics.load(requireReadyFlag, 0) === 1) {
+        return;
+    }
+    // Block until the asynchronous loader finishes initialising
+    Atomics.wait(requireReadyFlag, 0, 0);
+}
 function getFsModule() {
     if (cachedFsModule) {
         return cachedFsModule;
@@ -13100,6 +13148,7 @@ function getFsModule() {
     if (!isNode) {
         throw new Error('File system access is not available in this environment');
     }
+    ensureRequireReady();
     if (typeof require === 'function') {
         try {
             cachedFsModule = require(fsModuleSpecifier);
@@ -25478,11 +25527,6 @@ const DEFAULT_AUDIENCE = 'router-dev';
 const DEFAULT_TTL_SEC$1 = 3600;
 const DEFAULT_HMAC_SECRET_BYTES = 32;
 const ENCRYPTION_ALG = 'ECDH-ES';
-const EXTENSION_REQUEST_OID = '1.2.840.113549.1.9.14';
-const COMMON_NAME_OID = '2.5.4.3';
-const ED25519_OID = '1.3.101.112';
-const CSR_PEM_TAG = 'CERTIFICATE REQUEST';
-const LOGICAL_URI_PREFIX = 'naylence://';
 function normalizeDefaultCryptoProviderOptions(options) {
     if (!options) {
         return {};
@@ -25748,76 +25792,6 @@ class DefaultCryptoProvider {
             has_chain: Boolean(certificateChainPem),
         });
     }
-    async createCsr(nodeId, physicalPath, logicals, subjectName) {
-        const trimmedNodeId = assertNonEmptyString(nodeId, 'nodeId');
-        const trimmedPhysicalPath = assertNonEmptyString(physicalPath, 'physicalPath');
-        try {
-            if (this.artifacts.signing.algorithm !== 'EdDSA') {
-                throw new Error('CSR creation only supported for Ed25519 signing keys in the default crypto provider');
-            }
-            const cryptoImpl = await ensureWebCrypto();
-            const privateKey = await cryptoImpl.subtle.importKey('pkcs8', pemToArrayBuffer(this.signingPrivatePem), {
-                name: 'Ed25519',
-            }, false, ['sign']);
-            const publicKeyDer = pemToArrayBuffer(this.signingPublicPem);
-            const subjectPkInfo = asn1Schema.AsnConvert.parse(publicKeyDer, asn1X509.SubjectPublicKeyInfo);
-            const sanitizedLogicals = Array.isArray(logicals)
-                ? logicals.filter((value) => typeof value === 'string' && value.trim().length > 0)
-                : [];
-            const commonName = typeof subjectName === 'string' && subjectName.trim().length > 0
-                ? subjectName.trim()
-                : trimmedNodeId;
-            const subject = buildSubjectName(commonName);
-            const attributes = new asn1Csr.Attributes();
-            if (sanitizedLogicals.length > 0) {
-                const san = new asn1X509.SubjectAlternativeName(sanitizedLogicals.map((logical) => new asn1X509.GeneralName({
-                    uniformResourceIdentifier: `${LOGICAL_URI_PREFIX}${logical}`,
-                })));
-                const extensions = new asn1X509.Extensions([
-                    new asn1X509.Extension({
-                        extnID: asn1X509.id_ce_subjectAltName,
-                        critical: false,
-                        extnValue: new asn1Schema.OctetString(asn1Schema.AsnConvert.serialize(san)),
-                    }),
-                ]);
-                attributes.push(new asn1X509.Attribute({
-                    type: EXTENSION_REQUEST_OID,
-                    values: [asn1Schema.AsnConvert.serialize(extensions)],
-                }));
-            }
-            const requestInfo = new asn1Csr.CertificationRequestInfo({
-                subject,
-                subjectPKInfo: subjectPkInfo,
-                attributes,
-            });
-            const requestInfoDer = asn1Schema.AsnConvert.serialize(requestInfo);
-            const signature = await cryptoImpl.subtle.sign('Ed25519', privateKey, requestInfoDer);
-            const certificationRequest = new asn1Csr.CertificationRequest({
-                certificationRequestInfo: requestInfo,
-                signatureAlgorithm: new asn1X509.AlgorithmIdentifier({
-                    algorithm: ED25519_OID,
-                }),
-                signature: encodeBitString(signature),
-            });
-            certificationRequest.certificationRequestInfoRaw = requestInfoDer;
-            const csrDer = asn1Schema.AsnConvert.serialize(certificationRequest);
-            const csrPem = arrayBufferToPem(csrDer, CSR_PEM_TAG);
-            logger$v.debug('csr_created', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                logical_count: sanitizedLogicals.length,
-            });
-            return csrPem;
-        }
-        catch (error) {
-            logger$v.error('csr_creation_failed', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
 }
 async function buildProviderArtifacts(options) {
     const algorithm = normalizeAlgorithm(options.algorithm ?? readEnvAlgorithm());
@@ -26053,90 +26027,6 @@ function pemToDerBase64(pem) {
     // Ensure the output is valid base64 without whitespace
     return base64.replace(/\s+/g, '');
 }
-let cryptoPromise = null;
-async function ensureWebCrypto() {
-    if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto?.subtle) {
-        return globalThis.crypto;
-    }
-    if (!cryptoPromise) {
-        if (typeof process !== 'undefined' &&
-            typeof process.versions?.node === 'string') {
-            cryptoPromise = import('node:crypto').then((module) => {
-                const webcrypto = module.webcrypto;
-                if (!webcrypto || !webcrypto.subtle) {
-                    throw new Error('WebCrypto API is not available in this Node.js runtime');
-                }
-                globalThis.crypto = webcrypto;
-                return webcrypto;
-            });
-        }
-        else {
-            cryptoPromise = Promise.reject(new Error('WebCrypto API is not available in this environment'));
-        }
-    }
-    return cryptoPromise;
-}
-function pemToArrayBuffer(pem) {
-    const normalized = pem
-        .replace(/-----BEGIN[^-]+-----/g, '')
-        .replace(/-----END[^-]+-----/g, '')
-        .replace(/\s+/g, '');
-    const bytes = base64ToBytes$1(normalized);
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-function base64ToBytes$1(base64) {
-    if (typeof Buffer !== 'undefined') {
-        const buffer = Buffer.from(base64, 'base64');
-        const bytes = new Uint8Array(buffer.length);
-        for (let i = 0; i < buffer.length; i += 1) {
-            bytes[i] = buffer[i];
-        }
-        return bytes;
-    }
-    if (typeof atob === 'function') {
-        const binary = atob(base64);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
-    }
-    throw new Error('No base64 decoder available in this environment');
-}
-function arrayBufferToPem(buffer, tag) {
-    const base64 = bytesToBase64(new Uint8Array(buffer));
-    return `-----BEGIN ${tag}-----\n${formatPem(base64)}\n-----END ${tag}-----\n`;
-}
-function formatPem(base64) {
-    const lines = [];
-    for (let i = 0; i < base64.length; i += 64) {
-        lines.push(base64.slice(i, i + 64));
-    }
-    return lines.join('\n');
-}
-function encodeBitString(signature) {
-    const bytes = new Uint8Array(signature);
-    const bitString = new Uint8Array(bytes.length + 1);
-    bitString.set(bytes, 1);
-    return bitString.buffer;
-}
-function buildSubjectName(commonName) {
-    const attribute = new asn1X509.AttributeTypeAndValue({
-        type: COMMON_NAME_OID,
-        value: new asn1X509.AttributeValue({ utf8String: commonName }),
-    });
-    return new asn1X509.Name([new asn1X509.RelativeDistinguishedName([attribute])]);
-}
-function assertNonEmptyString(value, name) {
-    if (typeof value !== 'string') {
-        throw new TypeError(`${name} must be a string`);
-    }
-    const trimmed = value.trim();
-    if (trimmed.length === 0) {
-        throw new TypeError(`${name} must be a non-empty string`);
-    }
-    return trimmed;
-}
 function cloneJson(value) {
     return JSON.parse(JSON.stringify(value));
 }
@@ -31778,6 +31668,8 @@ const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
 const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
 const DEFAULT_INPAGE_CHANNEL = 'naylence-fabric';
 const PROFILE_NAME_WELCOME = 'welcome';
+const PROFILE_NAME_WELCOME_PKCE = 'welcome-pkce';
+const PROFILE_NAME_WELCOME_PKCE_ALIAS = 'welcome_pkce';
 const PROFILE_NAME_DIRECT = 'direct';
 const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
 const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
@@ -31838,6 +31730,7 @@ function createOAuthPkceTokenProviderConfig() {
 }
 const welcomeIsRoot = factory.Expressions.env(ENV_VAR_IS_ROOT, 'false');
 const welcomeTokenProvider = createOAuthTokenProviderConfig();
+const welcomePkceTokenProvider = createOAuthPkceTokenProviderConfig();
 const WELCOME_SERVICE_PROFILE = {
     type: 'WelcomeServiceClient',
     is_root: welcomeIsRoot,
@@ -31851,6 +31744,19 @@ const WELCOME_SERVICE_PROFILE = {
         tokenProvider: welcomeTokenProvider,
     },
 };
+const WELCOME_SERVICE_PKCE_PROFILE = {
+    type: 'WelcomeServiceClient',
+    is_root: welcomeIsRoot,
+    isRoot: welcomeIsRoot,
+    url: factory.Expressions.env(ENV_VAR_ADMISSION_SERVICE_URL),
+    supported_transports: ['websocket'],
+    supportedTransports: ['websocket'],
+    auth: {
+        type: 'BearerTokenHeaderAuth',
+        token_provider: welcomePkceTokenProvider,
+        tokenProvider: welcomePkceTokenProvider,
+    },
+};
 const directGrantTokenProvider = createOAuthTokenProviderConfig();
 const directGrant = {
     type: 'WebSocketConnectionGrant',
@@ -31956,6 +31862,8 @@ const NOOP_PROFILE = {
 };
 const PROFILE_MAP$1 = {
     [PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE]: WELCOME_SERVICE_PKCE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE_ALIAS]: WELCOME_SERVICE_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,

package/dist/browser/index.mjs

@@ -7,9 +7,6 @@ import { x25519 } from '@noble/curves/ed25519.js';
 import { hkdf } from '@noble/hashes/hkdf.js';
 import { sha256, sha512 } from '@noble/hashes/sha2.js';
 import { utf8ToBytes, bytesToHex, randomBytes, concatBytes } from '@noble/hashes/utils.js';
-import { AsnConvert, OctetString } from '@peculiar/asn1-schema';
-import { SubjectPublicKeyInfo, SubjectAlternativeName, GeneralName, Extensions, Extension, id_ce_subjectAltName, Attribute, AlgorithmIdentifier, AttributeTypeAndValue, AttributeValue, Name, RelativeDistinguishedName } from '@peculiar/asn1-x509';
-import { Attributes, CertificationRequestInfo, CertificationRequest } from '@peculiar/asn1-csr';
 import { parse } from 'yaml';
 import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
@@ -99,12 +96,12 @@ installProcessEnvShim();
 // --- END ENV SHIM ---
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.911
+// Generated from package.json version: 0.3.5-test.913
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.911';
+const VERSION = '0.3.5-test.913';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -13091,6 +13088,57 @@ const CONFIG_SEARCH_PATHS = [
 ];
 const fsModuleSpecifier = String.fromCharCode(102) + String.fromCharCode(115);
 let cachedFsModule = null;
+// Capture this module's URL without triggering TypeScript's import.meta restriction on CJS builds
+const currentModuleUrl = (() => {
+    try {
+        return (0, eval)('import.meta.url');
+    }
+    catch {
+        return undefined;
+    }
+})();
+// Shared flag that allows synchronous waiting for the Node-specific require shim
+const requireReadyFlag = isNode && typeof SharedArrayBuffer !== 'undefined'
+    ? new Int32Array(new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT))
+    : null;
+if (requireReadyFlag) {
+    // 0 means initializing, 1 means ready (success or failure)
+    Atomics.store(requireReadyFlag, 0, 0);
+    // Prepare a CommonJS-style require when running in pure ESM contexts
+    void (async () => {
+        try {
+            if (typeof require !== 'function') {
+                const moduleNamespace = (await import('node:module'));
+                const createRequire = moduleNamespace.createRequire;
+                if (typeof createRequire === 'function') {
+                    const fallbackPath = `${process.cwd()}/.__naylence_require_shim__.mjs`;
+                    const nodeRequire = createRequire(currentModuleUrl ?? fallbackPath);
+                    globalThis.require = nodeRequire;
+                }
+            }
+        }
+        catch {
+            // Ignore failures – getFsModule will surface a helpful error when needed
+        }
+    })()
+        .catch(() => {
+        // Ignore async errors – the ready flag will still unblock consumers
+    })
+        .finally(() => {
+        Atomics.store(requireReadyFlag, 0, 1);
+        Atomics.notify(requireReadyFlag, 0);
+    });
+}
+function ensureRequireReady() {
+    if (!requireReadyFlag) {
+        return;
+    }
+    if (Atomics.load(requireReadyFlag, 0) === 1) {
+        return;
+    }
+    // Block until the asynchronous loader finishes initialising
+    Atomics.wait(requireReadyFlag, 0, 0);
+}
 function getFsModule() {
     if (cachedFsModule) {
         return cachedFsModule;
@@ -13098,6 +13146,7 @@ function getFsModule() {
     if (!isNode) {
         throw new Error('File system access is not available in this environment');
     }
+    ensureRequireReady();
     if (typeof require === 'function') {
         try {
             cachedFsModule = require(fsModuleSpecifier);
@@ -25476,11 +25525,6 @@ const DEFAULT_AUDIENCE = 'router-dev';
 const DEFAULT_TTL_SEC$1 = 3600;
 const DEFAULT_HMAC_SECRET_BYTES = 32;
 const ENCRYPTION_ALG = 'ECDH-ES';
-const EXTENSION_REQUEST_OID = '1.2.840.113549.1.9.14';
-const COMMON_NAME_OID = '2.5.4.3';
-const ED25519_OID = '1.3.101.112';
-const CSR_PEM_TAG = 'CERTIFICATE REQUEST';
-const LOGICAL_URI_PREFIX = 'naylence://';
 function normalizeDefaultCryptoProviderOptions(options) {
     if (!options) {
         return {};
@@ -25746,76 +25790,6 @@ class DefaultCryptoProvider {
             has_chain: Boolean(certificateChainPem),
         });
     }
-    async createCsr(nodeId, physicalPath, logicals, subjectName) {
-        const trimmedNodeId = assertNonEmptyString(nodeId, 'nodeId');
-        const trimmedPhysicalPath = assertNonEmptyString(physicalPath, 'physicalPath');
-        try {
-            if (this.artifacts.signing.algorithm !== 'EdDSA') {
-                throw new Error('CSR creation only supported for Ed25519 signing keys in the default crypto provider');
-            }
-            const cryptoImpl = await ensureWebCrypto();
-            const privateKey = await cryptoImpl.subtle.importKey('pkcs8', pemToArrayBuffer(this.signingPrivatePem), {
-                name: 'Ed25519',
-            }, false, ['sign']);
-            const publicKeyDer = pemToArrayBuffer(this.signingPublicPem);
-            const subjectPkInfo = AsnConvert.parse(publicKeyDer, SubjectPublicKeyInfo);
-            const sanitizedLogicals = Array.isArray(logicals)
-                ? logicals.filter((value) => typeof value === 'string' && value.trim().length > 0)
-                : [];
-            const commonName = typeof subjectName === 'string' && subjectName.trim().length > 0
-                ? subjectName.trim()
-                : trimmedNodeId;
-            const subject = buildSubjectName(commonName);
-            const attributes = new Attributes();
-            if (sanitizedLogicals.length > 0) {
-                const san = new SubjectAlternativeName(sanitizedLogicals.map((logical) => new GeneralName({
-                    uniformResourceIdentifier: `${LOGICAL_URI_PREFIX}${logical}`,
-                })));
-                const extensions = new Extensions([
-                    new Extension({
-                        extnID: id_ce_subjectAltName,
-                        critical: false,
-                        extnValue: new OctetString(AsnConvert.serialize(san)),
-                    }),
-                ]);
-                attributes.push(new Attribute({
-                    type: EXTENSION_REQUEST_OID,
-                    values: [AsnConvert.serialize(extensions)],
-                }));
-            }
-            const requestInfo = new CertificationRequestInfo({
-                subject,
-                subjectPKInfo: subjectPkInfo,
-                attributes,
-            });
-            const requestInfoDer = AsnConvert.serialize(requestInfo);
-            const signature = await cryptoImpl.subtle.sign('Ed25519', privateKey, requestInfoDer);
-            const certificationRequest = new CertificationRequest({
-                certificationRequestInfo: requestInfo,
-                signatureAlgorithm: new AlgorithmIdentifier({
-                    algorithm: ED25519_OID,
-                }),
-                signature: encodeBitString(signature),
-            });
-            certificationRequest.certificationRequestInfoRaw = requestInfoDer;
-            const csrDer = AsnConvert.serialize(certificationRequest);
-            const csrPem = arrayBufferToPem(csrDer, CSR_PEM_TAG);
-            logger$v.debug('csr_created', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                logical_count: sanitizedLogicals.length,
-            });
-            return csrPem;
-        }
-        catch (error) {
-            logger$v.error('csr_creation_failed', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
 }
 async function buildProviderArtifacts(options) {
     const algorithm = normalizeAlgorithm(options.algorithm ?? readEnvAlgorithm());
@@ -26051,90 +26025,6 @@ function pemToDerBase64(pem) {
     // Ensure the output is valid base64 without whitespace
     return base64.replace(/\s+/g, '');
 }
-let cryptoPromise = null;
-async function ensureWebCrypto() {
-    if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto?.subtle) {
-        return globalThis.crypto;
-    }
-    if (!cryptoPromise) {
-        if (typeof process !== 'undefined' &&
-            typeof process.versions?.node === 'string') {
-            cryptoPromise = import('node:crypto').then((module) => {
-                const webcrypto = module.webcrypto;
-                if (!webcrypto || !webcrypto.subtle) {
-                    throw new Error('WebCrypto API is not available in this Node.js runtime');
-                }
-                globalThis.crypto = webcrypto;
-                return webcrypto;
-            });
-        }
-        else {
-            cryptoPromise = Promise.reject(new Error('WebCrypto API is not available in this environment'));
-        }
-    }
-    return cryptoPromise;
-}
-function pemToArrayBuffer(pem) {
-    const normalized = pem
-        .replace(/-----BEGIN[^-]+-----/g, '')
-        .replace(/-----END[^-]+-----/g, '')
-        .replace(/\s+/g, '');
-    const bytes = base64ToBytes$1(normalized);
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-function base64ToBytes$1(base64) {
-    if (typeof Buffer !== 'undefined') {
-        const buffer = Buffer.from(base64, 'base64');
-        const bytes = new Uint8Array(buffer.length);
-        for (let i = 0; i < buffer.length; i += 1) {
-            bytes[i] = buffer[i];
-        }
-        return bytes;
-    }
-    if (typeof atob === 'function') {
-        const binary = atob(base64);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
-    }
-    throw new Error('No base64 decoder available in this environment');
-}
-function arrayBufferToPem(buffer, tag) {
-    const base64 = bytesToBase64(new Uint8Array(buffer));
-    return `-----BEGIN ${tag}-----\n${formatPem(base64)}\n-----END ${tag}-----\n`;
-}
-function formatPem(base64) {
-    const lines = [];
-    for (let i = 0; i < base64.length; i += 64) {
-        lines.push(base64.slice(i, i + 64));
-    }
-    return lines.join('\n');
-}
-function encodeBitString(signature) {
-    const bytes = new Uint8Array(signature);
-    const bitString = new Uint8Array(bytes.length + 1);
-    bitString.set(bytes, 1);
-    return bitString.buffer;
-}
-function buildSubjectName(commonName) {
-    const attribute = new AttributeTypeAndValue({
-        type: COMMON_NAME_OID,
-        value: new AttributeValue({ utf8String: commonName }),
-    });
-    return new Name([new RelativeDistinguishedName([attribute])]);
-}
-function assertNonEmptyString(value, name) {
-    if (typeof value !== 'string') {
-        throw new TypeError(`${name} must be a string`);
-    }
-    const trimmed = value.trim();
-    if (trimmed.length === 0) {
-        throw new TypeError(`${name} must be a non-empty string`);
-    }
-    return trimmed;
-}
 function cloneJson(value) {
     return JSON.parse(JSON.stringify(value));
 }
@@ -31776,6 +31666,8 @@ const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
 const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
 const DEFAULT_INPAGE_CHANNEL = 'naylence-fabric';
 const PROFILE_NAME_WELCOME = 'welcome';
+const PROFILE_NAME_WELCOME_PKCE = 'welcome-pkce';
+const PROFILE_NAME_WELCOME_PKCE_ALIAS = 'welcome_pkce';
 const PROFILE_NAME_DIRECT = 'direct';
 const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
 const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
@@ -31836,6 +31728,7 @@ function createOAuthPkceTokenProviderConfig() {
 }
 const welcomeIsRoot = Expressions.env(ENV_VAR_IS_ROOT, 'false');
 const welcomeTokenProvider = createOAuthTokenProviderConfig();
+const welcomePkceTokenProvider = createOAuthPkceTokenProviderConfig();
 const WELCOME_SERVICE_PROFILE = {
     type: 'WelcomeServiceClient',
     is_root: welcomeIsRoot,
@@ -31849,6 +31742,19 @@ const WELCOME_SERVICE_PROFILE = {
         tokenProvider: welcomeTokenProvider,
     },
 };
+const WELCOME_SERVICE_PKCE_PROFILE = {
+    type: 'WelcomeServiceClient',
+    is_root: welcomeIsRoot,
+    isRoot: welcomeIsRoot,
+    url: Expressions.env(ENV_VAR_ADMISSION_SERVICE_URL),
+    supported_transports: ['websocket'],
+    supportedTransports: ['websocket'],
+    auth: {
+        type: 'BearerTokenHeaderAuth',
+        token_provider: welcomePkceTokenProvider,
+        tokenProvider: welcomePkceTokenProvider,
+    },
+};
 const directGrantTokenProvider = createOAuthTokenProviderConfig();
 const directGrant = {
     type: 'WebSocketConnectionGrant',
@@ -31954,6 +31860,8 @@ const NOOP_PROFILE = {
 };
 const PROFILE_MAP$1 = {
     [PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE]: WELCOME_SERVICE_PKCE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE_ALIAS]: WELCOME_SERVICE_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,

package/dist/cjs/naylence/fame/config/extended-fame-config.js

@@ -57,6 +57,57 @@ const CONFIG_SEARCH_PATHS = [
 ];
 const fsModuleSpecifier = String.fromCharCode(102) + String.fromCharCode(115);
 let cachedFsModule = null;
+// Capture this module's URL without triggering TypeScript's import.meta restriction on CJS builds
+const currentModuleUrl = (() => {
+    try {
+        return (0, eval)('import.meta.url');
+    }
+    catch {
+        return undefined;
+    }
+})();
+// Shared flag that allows synchronous waiting for the Node-specific require shim
+const requireReadyFlag = logging_types_js_1.isNode && typeof SharedArrayBuffer !== 'undefined'
+    ? new Int32Array(new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT))
+    : null;
+if (requireReadyFlag) {
+    // 0 means initializing, 1 means ready (success or failure)
+    Atomics.store(requireReadyFlag, 0, 0);
+    // Prepare a CommonJS-style require when running in pure ESM contexts
+    void (async () => {
+        try {
+            if (typeof require !== 'function') {
+                const moduleNamespace = (await Promise.resolve().then(() => __importStar(require('node:module'))));
+                const createRequire = moduleNamespace.createRequire;
+                if (typeof createRequire === 'function') {
+                    const fallbackPath = `${process.cwd()}/.__naylence_require_shim__.mjs`;
+                    const nodeRequire = createRequire(currentModuleUrl ?? fallbackPath);
+                    globalThis.require = nodeRequire;
+                }
+            }
+        }
+        catch {
+            // Ignore failures – getFsModule will surface a helpful error when needed
+        }
+    })()
+        .catch(() => {
+        // Ignore async errors – the ready flag will still unblock consumers
+    })
+        .finally(() => {
+        Atomics.store(requireReadyFlag, 0, 1);
+        Atomics.notify(requireReadyFlag, 0);
+    });
+}
+function ensureRequireReady() {
+    if (!requireReadyFlag) {
+        return;
+    }
+    if (Atomics.load(requireReadyFlag, 0) === 1) {
+        return;
+    }
+    // Block until the asynchronous loader finishes initialising
+    Atomics.wait(requireReadyFlag, 0, 0);
+}
 function getFsModule() {
     if (cachedFsModule) {
         return cachedFsModule;
@@ -64,6 +115,7 @@ function getFsModule() {
     if (!logging_types_js_1.isNode) {
         throw new Error('File system access is not available in this environment');
     }
+    ensureRequireReady();
     if (typeof require === 'function') {
         try {
             cachedFsModule = require(fsModuleSpecifier);