@naylence/runtime 0.3.5-test.911 → 0.3.5-test.913

package/dist/esm/naylence/fame/http/openid-configuration-router.js

@@ -1,9 +1,8 @@
 /**
- * OpenID Connect Discovery configuration router for Express
+ * OpenID Connect Discovery configuration plugin for Fastify
  *
  * Provides /.well-known/openid-configuration endpoint for OAuth2/OIDC client auto-discovery
  */
-import express from 'express';
 import { getLogger } from '../util/logging.js';
 const logger = getLogger('naylence.fame.http.openid_configuration_router');
 const DEFAULT_PREFIX = '';
@@ -77,10 +76,10 @@ function getAllowedScopes(configScopes) {
     return configScopes ?? ['node.connect'];
 }
 /**
- * Create an Express router that implements OpenID Connect Discovery
+ * Create a Fastify plugin that implements OpenID Connect Discovery
  *
  * @param options - Router configuration options
- * @returns Express router with OpenID configuration endpoint
+ * @returns Fastify plugin with OpenID configuration endpoint
  *
  * Environment Variables:
  *   FAME_JWT_ISSUER: JWT issuer claim (optional)
@@ -89,17 +88,16 @@ function getAllowedScopes(configScopes) {
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createOpenIDConfigurationRouter } from '@naylence/runtime';
  *
- * const app = express();
- * app.use(createOpenIDConfigurationRouter({
+ * const app = Fastify();
+ * app.register(createOpenIDConfigurationRouter({
  *   issuer: 'https://auth.example.com',
  * }));
  * ```
  */
 export function createOpenIDConfigurationRouter(options = {}) {
-    const router = express.Router();
     const { prefix = DEFAULT_PREFIX, issuer, baseUrl, tokenEndpointPath = '/oauth/token', jwksEndpointPath = '/.well-known/jwks.json', allowedScopes: configAllowedScopes, algorithm: configAlgorithm, } = normalizeOpenIDConfigurationRouterOptions(options);
     // Resolve configuration with environment variable priority
     const defaultIssuer = process.env[ENV_VAR_JWT_ISSUER] ?? issuer ?? 'https://auth.fame.fabric';
@@ -115,27 +113,28 @@ export function createOpenIDConfigurationRouter(options = {}) {
         algorithm,
         allowedScopes,
     });
-    // OpenID Connect Discovery endpoint
-    router.get(`${prefix}/.well-known/openid-configuration`, (_req, res) => {
-        // Construct absolute URLs for endpoints
-        const tokenEndpoint = `${defaultBaseUrl.replace(/\/$/, '')}${tokenEndpointPath}`;
-        const jwksUri = `${defaultBaseUrl.replace(/\/$/, '')}${jwksEndpointPath}`;
-        const config = {
-            issuer: defaultIssuer,
-            token_endpoint: tokenEndpoint,
-            jwks_uri: jwksUri,
-            scopes_supported: allowedScopes,
-            response_types_supported: ['token'],
-            grant_types_supported: ['client_credentials'],
-            token_endpoint_auth_methods_supported: [
-                'client_secret_basic',
-                'client_secret_post',
-            ],
-            subject_types_supported: ['public'],
-            id_token_signing_alg_values_supported: [algorithm],
-        };
-        logger.debug('openid_config_served', { config });
-        res.json(config);
-    });
-    return router;
+    const plugin = async (instance) => {
+        instance.get(`${prefix}/.well-known/openid-configuration`, async (_request, reply) => {
+            // Construct absolute URLs for endpoints
+            const tokenEndpoint = `${defaultBaseUrl.replace(/\/$/, '')}${tokenEndpointPath}`;
+            const jwksUri = `${defaultBaseUrl.replace(/\/$/, '')}${jwksEndpointPath}`;
+            const config = {
+                issuer: defaultIssuer,
+                token_endpoint: tokenEndpoint,
+                jwks_uri: jwksUri,
+                scopes_supported: allowedScopes,
+                response_types_supported: ['token'],
+                grant_types_supported: ['client_credentials'],
+                token_endpoint_auth_methods_supported: [
+                    'client_secret_basic',
+                    'client_secret_post',
+                ],
+                subject_types_supported: ['public'],
+                id_token_signing_alg_values_supported: [algorithm],
+            };
+            logger.debug('openid_config_served', { config });
+            reply.send(config);
+        });
+    };
+    return plugin;
 }

package/dist/esm/naylence/fame/node/admission/admission-profile-factory.js

@@ -19,6 +19,8 @@ const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
 const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
 const DEFAULT_INPAGE_CHANNEL = 'naylence-fabric';
 const PROFILE_NAME_WELCOME = 'welcome';
+const PROFILE_NAME_WELCOME_PKCE = 'welcome-pkce';
+const PROFILE_NAME_WELCOME_PKCE_ALIAS = 'welcome_pkce';
 const PROFILE_NAME_DIRECT = 'direct';
 const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
 const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
@@ -79,6 +81,7 @@ function createOAuthPkceTokenProviderConfig() {
 }
 const welcomeIsRoot = Expressions.env(ENV_VAR_IS_ROOT, 'false');
 const welcomeTokenProvider = createOAuthTokenProviderConfig();
+const welcomePkceTokenProvider = createOAuthPkceTokenProviderConfig();
 const WELCOME_SERVICE_PROFILE = {
     type: 'WelcomeServiceClient',
     is_root: welcomeIsRoot,
@@ -92,6 +95,19 @@ const WELCOME_SERVICE_PROFILE = {
         tokenProvider: welcomeTokenProvider,
     },
 };
+const WELCOME_SERVICE_PKCE_PROFILE = {
+    type: 'WelcomeServiceClient',
+    is_root: welcomeIsRoot,
+    isRoot: welcomeIsRoot,
+    url: Expressions.env(ENV_VAR_ADMISSION_SERVICE_URL),
+    supported_transports: ['websocket'],
+    supportedTransports: ['websocket'],
+    auth: {
+        type: 'BearerTokenHeaderAuth',
+        token_provider: welcomePkceTokenProvider,
+        tokenProvider: welcomePkceTokenProvider,
+    },
+};
 const directGrantTokenProvider = createOAuthTokenProviderConfig();
 const directGrant = {
     type: 'WebSocketConnectionGrant',
@@ -197,6 +213,8 @@ const NOOP_PROFILE = {
 };
 const PROFILE_MAP = {
     [PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE]: WELCOME_SERVICE_PKCE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE_ALIAS]: WELCOME_SERVICE_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,

package/dist/esm/naylence/fame/security/crypto/providers/default-crypto-provider.js

@@ -1,6 +1,3 @@
-import { AsnConvert, OctetString } from '@peculiar/asn1-schema';
-import { AlgorithmIdentifier, Attribute, AttributeTypeAndValue, AttributeValue, Extension, Extensions, GeneralName, Name, RelativeDistinguishedName, SubjectAlternativeName, SubjectPublicKeyInfo, id_ce_subjectAltName, } from '@peculiar/asn1-x509';
-import { Attributes, CertificationRequest, CertificationRequestInfo, } from '@peculiar/asn1-csr';
 import { generateId } from '@naylence/core';
 import { getLogger } from '../../../util/logging.js';
 import { secureDigest } from '../../../util/util.js';
@@ -16,11 +13,6 @@ const DEFAULT_AUDIENCE = 'router-dev';
 const DEFAULT_TTL_SEC = 3600;
 const DEFAULT_HMAC_SECRET_BYTES = 32;
 const ENCRYPTION_ALG = 'ECDH-ES';
-const EXTENSION_REQUEST_OID = '1.2.840.113549.1.9.14';
-const COMMON_NAME_OID = '2.5.4.3';
-const ED25519_OID = '1.3.101.112';
-const CSR_PEM_TAG = 'CERTIFICATE REQUEST';
-const LOGICAL_URI_PREFIX = 'naylence://';
 function normalizeDefaultCryptoProviderOptions(options) {
     if (!options) {
         return {};
@@ -286,76 +278,6 @@ export class DefaultCryptoProvider {
             has_chain: Boolean(certificateChainPem),
         });
     }
-    async createCsr(nodeId, physicalPath, logicals, subjectName) {
-        const trimmedNodeId = assertNonEmptyString(nodeId, 'nodeId');
-        const trimmedPhysicalPath = assertNonEmptyString(physicalPath, 'physicalPath');
-        try {
-            if (this.artifacts.signing.algorithm !== 'EdDSA') {
-                throw new Error('CSR creation only supported for Ed25519 signing keys in the default crypto provider');
-            }
-            const cryptoImpl = await ensureWebCrypto();
-            const privateKey = await cryptoImpl.subtle.importKey('pkcs8', pemToArrayBuffer(this.signingPrivatePem), {
-                name: 'Ed25519',
-            }, false, ['sign']);
-            const publicKeyDer = pemToArrayBuffer(this.signingPublicPem);
-            const subjectPkInfo = AsnConvert.parse(publicKeyDer, SubjectPublicKeyInfo);
-            const sanitizedLogicals = Array.isArray(logicals)
-                ? logicals.filter((value) => typeof value === 'string' && value.trim().length > 0)
-                : [];
-            const commonName = typeof subjectName === 'string' && subjectName.trim().length > 0
-                ? subjectName.trim()
-                : trimmedNodeId;
-            const subject = buildSubjectName(commonName);
-            const attributes = new Attributes();
-            if (sanitizedLogicals.length > 0) {
-                const san = new SubjectAlternativeName(sanitizedLogicals.map((logical) => new GeneralName({
-                    uniformResourceIdentifier: `${LOGICAL_URI_PREFIX}${logical}`,
-                })));
-                const extensions = new Extensions([
-                    new Extension({
-                        extnID: id_ce_subjectAltName,
-                        critical: false,
-                        extnValue: new OctetString(AsnConvert.serialize(san)),
-                    }),
-                ]);
-                attributes.push(new Attribute({
-                    type: EXTENSION_REQUEST_OID,
-                    values: [AsnConvert.serialize(extensions)],
-                }));
-            }
-            const requestInfo = new CertificationRequestInfo({
-                subject,
-                subjectPKInfo: subjectPkInfo,
-                attributes,
-            });
-            const requestInfoDer = AsnConvert.serialize(requestInfo);
-            const signature = await cryptoImpl.subtle.sign('Ed25519', privateKey, requestInfoDer);
-            const certificationRequest = new CertificationRequest({
-                certificationRequestInfo: requestInfo,
-                signatureAlgorithm: new AlgorithmIdentifier({
-                    algorithm: ED25519_OID,
-                }),
-                signature: encodeBitString(signature),
-            });
-            certificationRequest.certificationRequestInfoRaw = requestInfoDer;
-            const csrDer = AsnConvert.serialize(certificationRequest);
-            const csrPem = arrayBufferToPem(csrDer, CSR_PEM_TAG);
-            logger.debug('csr_created', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                logical_count: sanitizedLogicals.length,
-            });
-            return csrPem;
-        }
-        catch (error) {
-            logger.error('csr_creation_failed', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
 }
 async function buildProviderArtifacts(options) {
     const algorithm = normalizeAlgorithm(options.algorithm ?? readEnvAlgorithm());
@@ -591,90 +513,6 @@ function pemToDerBase64(pem) {
     // Ensure the output is valid base64 without whitespace
     return base64.replace(/\s+/g, '');
 }
-let cryptoPromise = null;
-async function ensureWebCrypto() {
-    if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto?.subtle) {
-        return globalThis.crypto;
-    }
-    if (!cryptoPromise) {
-        if (typeof process !== 'undefined' &&
-            typeof process.versions?.node === 'string') {
-            cryptoPromise = import('node:crypto').then((module) => {
-                const webcrypto = module.webcrypto;
-                if (!webcrypto || !webcrypto.subtle) {
-                    throw new Error('WebCrypto API is not available in this Node.js runtime');
-                }
-                globalThis.crypto = webcrypto;
-                return webcrypto;
-            });
-        }
-        else {
-            cryptoPromise = Promise.reject(new Error('WebCrypto API is not available in this environment'));
-        }
-    }
-    return cryptoPromise;
-}
-function pemToArrayBuffer(pem) {
-    const normalized = pem
-        .replace(/-----BEGIN[^-]+-----/g, '')
-        .replace(/-----END[^-]+-----/g, '')
-        .replace(/\s+/g, '');
-    const bytes = base64ToBytes(normalized);
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-function base64ToBytes(base64) {
-    if (typeof Buffer !== 'undefined') {
-        const buffer = Buffer.from(base64, 'base64');
-        const bytes = new Uint8Array(buffer.length);
-        for (let i = 0; i < buffer.length; i += 1) {
-            bytes[i] = buffer[i];
-        }
-        return bytes;
-    }
-    if (typeof atob === 'function') {
-        const binary = atob(base64);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
-    }
-    throw new Error('No base64 decoder available in this environment');
-}
-function arrayBufferToPem(buffer, tag) {
-    const base64 = bytesToBase64(new Uint8Array(buffer));
-    return `-----BEGIN ${tag}-----\n${formatPem(base64)}\n-----END ${tag}-----\n`;
-}
-function formatPem(base64) {
-    const lines = [];
-    for (let i = 0; i < base64.length; i += 64) {
-        lines.push(base64.slice(i, i + 64));
-    }
-    return lines.join('\n');
-}
-function encodeBitString(signature) {
-    const bytes = new Uint8Array(signature);
-    const bitString = new Uint8Array(bytes.length + 1);
-    bitString.set(bytes, 1);
-    return bitString.buffer;
-}
-function buildSubjectName(commonName) {
-    const attribute = new AttributeTypeAndValue({
-        type: COMMON_NAME_OID,
-        value: new AttributeValue({ utf8String: commonName }),
-    });
-    return new Name([new RelativeDistinguishedName([attribute])]);
-}
-function assertNonEmptyString(value, name) {
-    if (typeof value !== 'string') {
-        throw new TypeError(`${name} must be a string`);
-    }
-    const trimmed = value.trim();
-    if (trimmed.length === 0) {
-        throw new TypeError(`${name} must be a non-empty string`);
-    }
-    return trimmed;
-}
 function cloneJson(value) {
     return JSON.parse(JSON.stringify(value));
 }

package/dist/esm/version.js

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.911
+// Generated from package.json version: 0.3.5-test.913
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.3.5-test.911';
+export const VERSION = '0.3.5-test.913';

package/dist/node/index.cjs

@@ -8,21 +8,18 @@ var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
 var sha2_js = require('@noble/hashes/sha2.js');
 var utils_js = require('@noble/hashes/utils.js');
-var asn1Schema = require('@peculiar/asn1-schema');
-var asn1X509 = require('@peculiar/asn1-x509');
-var asn1Csr = require('@peculiar/asn1-csr');
 var yaml = require('yaml');
 var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 var ed25519 = require('@noble/ed25519');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.911
+// Generated from package.json version: 0.3.5-test.913
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.911';
+const VERSION = '0.3.5-test.913';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -13009,6 +13006,57 @@ const CONFIG_SEARCH_PATHS = [
 ];
 const fsModuleSpecifier = String.fromCharCode(102) + String.fromCharCode(115);
 let cachedFsModule = null;
+// Capture this module's URL without triggering TypeScript's import.meta restriction on CJS builds
+const currentModuleUrl = (() => {
+    try {
+        return (0, eval)('import.meta.url');
+    }
+    catch {
+        return undefined;
+    }
+})();
+// Shared flag that allows synchronous waiting for the Node-specific require shim
+const requireReadyFlag = isNode && typeof SharedArrayBuffer !== 'undefined'
+    ? new Int32Array(new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT))
+    : null;
+if (requireReadyFlag) {
+    // 0 means initializing, 1 means ready (success or failure)
+    Atomics.store(requireReadyFlag, 0, 0);
+    // Prepare a CommonJS-style require when running in pure ESM contexts
+    void (async () => {
+        try {
+            if (typeof require !== 'function') {
+                const moduleNamespace = (await import('node:module'));
+                const createRequire = moduleNamespace.createRequire;
+                if (typeof createRequire === 'function') {
+                    const fallbackPath = `${process.cwd()}/.__naylence_require_shim__.mjs`;
+                    const nodeRequire = createRequire(currentModuleUrl ?? fallbackPath);
+                    globalThis.require = nodeRequire;
+                }
+            }
+        }
+        catch {
+            // Ignore failures – getFsModule will surface a helpful error when needed
+        }
+    })()
+        .catch(() => {
+        // Ignore async errors – the ready flag will still unblock consumers
+    })
+        .finally(() => {
+        Atomics.store(requireReadyFlag, 0, 1);
+        Atomics.notify(requireReadyFlag, 0);
+    });
+}
+function ensureRequireReady() {
+    if (!requireReadyFlag) {
+        return;
+    }
+    if (Atomics.load(requireReadyFlag, 0) === 1) {
+        return;
+    }
+    // Block until the asynchronous loader finishes initialising
+    Atomics.wait(requireReadyFlag, 0, 0);
+}
 function getFsModule() {
     if (cachedFsModule) {
         return cachedFsModule;
@@ -13016,6 +13064,7 @@ function getFsModule() {
     if (!isNode) {
         throw new Error('File system access is not available in this environment');
     }
+    ensureRequireReady();
     if (typeof require === 'function') {
         try {
             cachedFsModule = require(fsModuleSpecifier);
@@ -25394,11 +25443,6 @@ const DEFAULT_AUDIENCE = 'router-dev';
 const DEFAULT_TTL_SEC$1 = 3600;
 const DEFAULT_HMAC_SECRET_BYTES = 32;
 const ENCRYPTION_ALG = 'ECDH-ES';
-const EXTENSION_REQUEST_OID = '1.2.840.113549.1.9.14';
-const COMMON_NAME_OID = '2.5.4.3';
-const ED25519_OID = '1.3.101.112';
-const CSR_PEM_TAG = 'CERTIFICATE REQUEST';
-const LOGICAL_URI_PREFIX = 'naylence://';
 function normalizeDefaultCryptoProviderOptions(options) {
     if (!options) {
         return {};
@@ -25664,76 +25708,6 @@ class DefaultCryptoProvider {
             has_chain: Boolean(certificateChainPem),
         });
     }
-    async createCsr(nodeId, physicalPath, logicals, subjectName) {
-        const trimmedNodeId = assertNonEmptyString(nodeId, 'nodeId');
-        const trimmedPhysicalPath = assertNonEmptyString(physicalPath, 'physicalPath');
-        try {
-            if (this.artifacts.signing.algorithm !== 'EdDSA') {
-                throw new Error('CSR creation only supported for Ed25519 signing keys in the default crypto provider');
-            }
-            const cryptoImpl = await ensureWebCrypto();
-            const privateKey = await cryptoImpl.subtle.importKey('pkcs8', pemToArrayBuffer(this.signingPrivatePem), {
-                name: 'Ed25519',
-            }, false, ['sign']);
-            const publicKeyDer = pemToArrayBuffer(this.signingPublicPem);
-            const subjectPkInfo = asn1Schema.AsnConvert.parse(publicKeyDer, asn1X509.SubjectPublicKeyInfo);
-            const sanitizedLogicals = Array.isArray(logicals)
-                ? logicals.filter((value) => typeof value === 'string' && value.trim().length > 0)
-                : [];
-            const commonName = typeof subjectName === 'string' && subjectName.trim().length > 0
-                ? subjectName.trim()
-                : trimmedNodeId;
-            const subject = buildSubjectName(commonName);
-            const attributes = new asn1Csr.Attributes();
-            if (sanitizedLogicals.length > 0) {
-                const san = new asn1X509.SubjectAlternativeName(sanitizedLogicals.map((logical) => new asn1X509.GeneralName({
-                    uniformResourceIdentifier: `${LOGICAL_URI_PREFIX}${logical}`,
-                })));
-                const extensions = new asn1X509.Extensions([
-                    new asn1X509.Extension({
-                        extnID: asn1X509.id_ce_subjectAltName,
-                        critical: false,
-                        extnValue: new asn1Schema.OctetString(asn1Schema.AsnConvert.serialize(san)),
-                    }),
-                ]);
-                attributes.push(new asn1X509.Attribute({
-                    type: EXTENSION_REQUEST_OID,
-                    values: [asn1Schema.AsnConvert.serialize(extensions)],
-                }));
-            }
-            const requestInfo = new asn1Csr.CertificationRequestInfo({
-                subject,
-                subjectPKInfo: subjectPkInfo,
-                attributes,
-            });
-            const requestInfoDer = asn1Schema.AsnConvert.serialize(requestInfo);
-            const signature = await cryptoImpl.subtle.sign('Ed25519', privateKey, requestInfoDer);
-            const certificationRequest = new asn1Csr.CertificationRequest({
-                certificationRequestInfo: requestInfo,
-                signatureAlgorithm: new asn1X509.AlgorithmIdentifier({
-                    algorithm: ED25519_OID,
-                }),
-                signature: encodeBitString(signature),
-            });
-            certificationRequest.certificationRequestInfoRaw = requestInfoDer;
-            const csrDer = asn1Schema.AsnConvert.serialize(certificationRequest);
-            const csrPem = arrayBufferToPem(csrDer, CSR_PEM_TAG);
-            logger$v.debug('csr_created', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                logical_count: sanitizedLogicals.length,
-            });
-            return csrPem;
-        }
-        catch (error) {
-            logger$v.error('csr_creation_failed', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
 }
 async function buildProviderArtifacts(options) {
     const algorithm = normalizeAlgorithm(options.algorithm ?? readEnvAlgorithm());
@@ -25969,90 +25943,6 @@ function pemToDerBase64(pem) {
     // Ensure the output is valid base64 without whitespace
     return base64.replace(/\s+/g, '');
 }
-let cryptoPromise = null;
-async function ensureWebCrypto() {
-    if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto?.subtle) {
-        return globalThis.crypto;
-    }
-    if (!cryptoPromise) {
-        if (typeof process !== 'undefined' &&
-            typeof process.versions?.node === 'string') {
-            cryptoPromise = import('node:crypto').then((module) => {
-                const webcrypto = module.webcrypto;
-                if (!webcrypto || !webcrypto.subtle) {
-                    throw new Error('WebCrypto API is not available in this Node.js runtime');
-                }
-                globalThis.crypto = webcrypto;
-                return webcrypto;
-            });
-        }
-        else {
-            cryptoPromise = Promise.reject(new Error('WebCrypto API is not available in this environment'));
-        }
-    }
-    return cryptoPromise;
-}
-function pemToArrayBuffer(pem) {
-    const normalized = pem
-        .replace(/-----BEGIN[^-]+-----/g, '')
-        .replace(/-----END[^-]+-----/g, '')
-        .replace(/\s+/g, '');
-    const bytes = base64ToBytes$1(normalized);
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-function base64ToBytes$1(base64) {
-    if (typeof Buffer !== 'undefined') {
-        const buffer = Buffer.from(base64, 'base64');
-        const bytes = new Uint8Array(buffer.length);
-        for (let i = 0; i < buffer.length; i += 1) {
-            bytes[i] = buffer[i];
-        }
-        return bytes;
-    }
-    if (typeof atob === 'function') {
-        const binary = atob(base64);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
-    }
-    throw new Error('No base64 decoder available in this environment');
-}
-function arrayBufferToPem(buffer, tag) {
-    const base64 = bytesToBase64(new Uint8Array(buffer));
-    return `-----BEGIN ${tag}-----\n${formatPem(base64)}\n-----END ${tag}-----\n`;
-}
-function formatPem(base64) {
-    const lines = [];
-    for (let i = 0; i < base64.length; i += 64) {
-        lines.push(base64.slice(i, i + 64));
-    }
-    return lines.join('\n');
-}
-function encodeBitString(signature) {
-    const bytes = new Uint8Array(signature);
-    const bitString = new Uint8Array(bytes.length + 1);
-    bitString.set(bytes, 1);
-    return bitString.buffer;
-}
-function buildSubjectName(commonName) {
-    const attribute = new asn1X509.AttributeTypeAndValue({
-        type: COMMON_NAME_OID,
-        value: new asn1X509.AttributeValue({ utf8String: commonName }),
-    });
-    return new asn1X509.Name([new asn1X509.RelativeDistinguishedName([attribute])]);
-}
-function assertNonEmptyString(value, name) {
-    if (typeof value !== 'string') {
-        throw new TypeError(`${name} must be a string`);
-    }
-    const trimmed = value.trim();
-    if (trimmed.length === 0) {
-        throw new TypeError(`${name} must be a non-empty string`);
-    }
-    return trimmed;
-}
 function cloneJson(value) {
     return JSON.parse(JSON.stringify(value));
 }
@@ -30500,6 +30390,8 @@ const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
 const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
 const DEFAULT_INPAGE_CHANNEL = 'naylence-fabric';
 const PROFILE_NAME_WELCOME = 'welcome';
+const PROFILE_NAME_WELCOME_PKCE = 'welcome-pkce';
+const PROFILE_NAME_WELCOME_PKCE_ALIAS = 'welcome_pkce';
 const PROFILE_NAME_DIRECT = 'direct';
 const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
 const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
@@ -30560,6 +30452,7 @@ function createOAuthPkceTokenProviderConfig() {
 }
 const welcomeIsRoot = factory.Expressions.env(ENV_VAR_IS_ROOT, 'false');
 const welcomeTokenProvider = createOAuthTokenProviderConfig();
+const welcomePkceTokenProvider = createOAuthPkceTokenProviderConfig();
 const WELCOME_SERVICE_PROFILE = {
     type: 'WelcomeServiceClient',
     is_root: welcomeIsRoot,
@@ -30573,6 +30466,19 @@ const WELCOME_SERVICE_PROFILE = {
         tokenProvider: welcomeTokenProvider,
     },
 };
+const WELCOME_SERVICE_PKCE_PROFILE = {
+    type: 'WelcomeServiceClient',
+    is_root: welcomeIsRoot,
+    isRoot: welcomeIsRoot,
+    url: factory.Expressions.env(ENV_VAR_ADMISSION_SERVICE_URL),
+    supported_transports: ['websocket'],
+    supportedTransports: ['websocket'],
+    auth: {
+        type: 'BearerTokenHeaderAuth',
+        token_provider: welcomePkceTokenProvider,
+        tokenProvider: welcomePkceTokenProvider,
+    },
+};
 const directGrantTokenProvider = createOAuthTokenProviderConfig();
 const directGrant = {
     type: 'WebSocketConnectionGrant',
@@ -30678,6 +30584,8 @@ const NOOP_PROFILE = {
 };
 const PROFILE_MAP$1 = {
     [PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE]: WELCOME_SERVICE_PKCE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE_ALIAS]: WELCOME_SERVICE_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,