@naylence/runtime 0.3.5-test.911 → 0.3.5-test.913

package/dist/node/node.cjs

@@ -12,12 +12,9 @@ var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
 var sha2_js = require('@noble/hashes/sha2.js');
 var utils_js = require('@noble/hashes/utils.js');
-var asn1Schema = require('@peculiar/asn1-schema');
-var asn1X509 = require('@peculiar/asn1-x509');
-var asn1Csr = require('@peculiar/asn1-csr');
 var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
-var express = require('express');
+var formbody = require('@fastify/formbody');
 var node_crypto = require('node:crypto');
 var ed25519 = require('@noble/ed25519');
 
@@ -5367,12 +5364,12 @@ for (const [name, config] of Object.entries(SQLITE_PROFILES)) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.911
+// Generated from package.json version: 0.3.5-test.913
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.911';
+const VERSION = '0.3.5-test.913';
 
 /**
  * Fame errors module - Fame protocol specific error classes
@@ -14701,6 +14698,57 @@ const CONFIG_SEARCH_PATHS = [
 ];
 const fsModuleSpecifier = String.fromCharCode(102) + String.fromCharCode(115);
 let cachedFsModule = null;
+// Capture this module's URL without triggering TypeScript's import.meta restriction on CJS builds
+const currentModuleUrl = (() => {
+    try {
+        return (0, eval)('import.meta.url');
+    }
+    catch {
+        return undefined;
+    }
+})();
+// Shared flag that allows synchronous waiting for the Node-specific require shim
+const requireReadyFlag = isNode && typeof SharedArrayBuffer !== 'undefined'
+    ? new Int32Array(new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT))
+    : null;
+if (requireReadyFlag) {
+    // 0 means initializing, 1 means ready (success or failure)
+    Atomics.store(requireReadyFlag, 0, 0);
+    // Prepare a CommonJS-style require when running in pure ESM contexts
+    void (async () => {
+        try {
+            if (typeof require !== 'function') {
+                const moduleNamespace = (await import('node:module'));
+                const createRequire = moduleNamespace.createRequire;
+                if (typeof createRequire === 'function') {
+                    const fallbackPath = `${process.cwd()}/.__naylence_require_shim__.mjs`;
+                    const nodeRequire = createRequire(currentModuleUrl ?? fallbackPath);
+                    globalThis.require = nodeRequire;
+                }
+            }
+        }
+        catch {
+            // Ignore failures – getFsModule will surface a helpful error when needed
+        }
+    })()
+        .catch(() => {
+        // Ignore async errors – the ready flag will still unblock consumers
+    })
+        .finally(() => {
+        Atomics.store(requireReadyFlag, 0, 1);
+        Atomics.notify(requireReadyFlag, 0);
+    });
+}
+function ensureRequireReady() {
+    if (!requireReadyFlag) {
+        return;
+    }
+    if (Atomics.load(requireReadyFlag, 0) === 1) {
+        return;
+    }
+    // Block until the asynchronous loader finishes initialising
+    Atomics.wait(requireReadyFlag, 0, 0);
+}
 function getFsModule() {
     if (cachedFsModule) {
         return cachedFsModule;
@@ -14708,6 +14756,7 @@ function getFsModule() {
     if (!isNode) {
         throw new Error('File system access is not available in this environment');
     }
+    ensureRequireReady();
     if (typeof require === 'function') {
         try {
             cachedFsModule = require(fsModuleSpecifier);
@@ -26571,11 +26620,6 @@ const DEFAULT_AUDIENCE = 'router-dev';
 const DEFAULT_TTL_SEC$1 = 3600;
 const DEFAULT_HMAC_SECRET_BYTES = 32;
 const ENCRYPTION_ALG = 'ECDH-ES';
-const EXTENSION_REQUEST_OID = '1.2.840.113549.1.9.14';
-const COMMON_NAME_OID = '2.5.4.3';
-const ED25519_OID = '1.3.101.112';
-const CSR_PEM_TAG = 'CERTIFICATE REQUEST';
-const LOGICAL_URI_PREFIX = 'naylence://';
 function normalizeDefaultCryptoProviderOptions(options) {
     if (!options) {
         return {};
@@ -26841,76 +26885,6 @@ class DefaultCryptoProvider {
             has_chain: Boolean(certificateChainPem),
         });
     }
-    async createCsr(nodeId, physicalPath, logicals, subjectName) {
-        const trimmedNodeId = assertNonEmptyString(nodeId, 'nodeId');
-        const trimmedPhysicalPath = assertNonEmptyString(physicalPath, 'physicalPath');
-        try {
-            if (this.artifacts.signing.algorithm !== 'EdDSA') {
-                throw new Error('CSR creation only supported for Ed25519 signing keys in the default crypto provider');
-            }
-            const cryptoImpl = await ensureWebCrypto();
-            const privateKey = await cryptoImpl.subtle.importKey('pkcs8', pemToArrayBuffer(this.signingPrivatePem), {
-                name: 'Ed25519',
-            }, false, ['sign']);
-            const publicKeyDer = pemToArrayBuffer(this.signingPublicPem);
-            const subjectPkInfo = asn1Schema.AsnConvert.parse(publicKeyDer, asn1X509.SubjectPublicKeyInfo);
-            const sanitizedLogicals = Array.isArray(logicals)
-                ? logicals.filter((value) => typeof value === 'string' && value.trim().length > 0)
-                : [];
-            const commonName = typeof subjectName === 'string' && subjectName.trim().length > 0
-                ? subjectName.trim()
-                : trimmedNodeId;
-            const subject = buildSubjectName(commonName);
-            const attributes = new asn1Csr.Attributes();
-            if (sanitizedLogicals.length > 0) {
-                const san = new asn1X509.SubjectAlternativeName(sanitizedLogicals.map((logical) => new asn1X509.GeneralName({
-                    uniformResourceIdentifier: `${LOGICAL_URI_PREFIX}${logical}`,
-                })));
-                const extensions = new asn1X509.Extensions([
-                    new asn1X509.Extension({
-                        extnID: asn1X509.id_ce_subjectAltName,
-                        critical: false,
-                        extnValue: new asn1Schema.OctetString(asn1Schema.AsnConvert.serialize(san)),
-                    }),
-                ]);
-                attributes.push(new asn1X509.Attribute({
-                    type: EXTENSION_REQUEST_OID,
-                    values: [asn1Schema.AsnConvert.serialize(extensions)],
-                }));
-            }
-            const requestInfo = new asn1Csr.CertificationRequestInfo({
-                subject,
-                subjectPKInfo: subjectPkInfo,
-                attributes,
-            });
-            const requestInfoDer = asn1Schema.AsnConvert.serialize(requestInfo);
-            const signature = await cryptoImpl.subtle.sign('Ed25519', privateKey, requestInfoDer);
-            const certificationRequest = new asn1Csr.CertificationRequest({
-                certificationRequestInfo: requestInfo,
-                signatureAlgorithm: new asn1X509.AlgorithmIdentifier({
-                    algorithm: ED25519_OID,
-                }),
-                signature: encodeBitString(signature),
-            });
-            certificationRequest.certificationRequestInfoRaw = requestInfoDer;
-            const csrDer = asn1Schema.AsnConvert.serialize(certificationRequest);
-            const csrPem = arrayBufferToPem(csrDer, CSR_PEM_TAG);
-            logger$y.debug('csr_created', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                logical_count: sanitizedLogicals.length,
-            });
-            return csrPem;
-        }
-        catch (error) {
-            logger$y.error('csr_creation_failed', {
-                node_id: trimmedNodeId,
-                physical_path: trimmedPhysicalPath,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
 }
 async function buildProviderArtifacts(options) {
     const algorithm = normalizeAlgorithm(options.algorithm ?? readEnvAlgorithm());
@@ -27146,90 +27120,6 @@ function pemToDerBase64(pem) {
     // Ensure the output is valid base64 without whitespace
     return base64.replace(/\s+/g, '');
 }
-let cryptoPromise = null;
-async function ensureWebCrypto() {
-    if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto?.subtle) {
-        return globalThis.crypto;
-    }
-    if (!cryptoPromise) {
-        if (typeof process !== 'undefined' &&
-            typeof process.versions?.node === 'string') {
-            cryptoPromise = import('node:crypto').then((module) => {
-                const webcrypto = module.webcrypto;
-                if (!webcrypto || !webcrypto.subtle) {
-                    throw new Error('WebCrypto API is not available in this Node.js runtime');
-                }
-                globalThis.crypto = webcrypto;
-                return webcrypto;
-            });
-        }
-        else {
-            cryptoPromise = Promise.reject(new Error('WebCrypto API is not available in this environment'));
-        }
-    }
-    return cryptoPromise;
-}
-function pemToArrayBuffer(pem) {
-    const normalized = pem
-        .replace(/-----BEGIN[^-]+-----/g, '')
-        .replace(/-----END[^-]+-----/g, '')
-        .replace(/\s+/g, '');
-    const bytes = base64ToBytes$1(normalized);
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}
-function base64ToBytes$1(base64) {
-    if (typeof Buffer !== 'undefined') {
-        const buffer = Buffer.from(base64, 'base64');
-        const bytes = new Uint8Array(buffer.length);
-        for (let i = 0; i < buffer.length; i += 1) {
-            bytes[i] = buffer[i];
-        }
-        return bytes;
-    }
-    if (typeof atob === 'function') {
-        const binary = atob(base64);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
-    }
-    throw new Error('No base64 decoder available in this environment');
-}
-function arrayBufferToPem(buffer, tag) {
-    const base64 = bytesToBase64(new Uint8Array(buffer));
-    return `-----BEGIN ${tag}-----\n${formatPem(base64)}\n-----END ${tag}-----\n`;
-}
-function formatPem(base64) {
-    const lines = [];
-    for (let i = 0; i < base64.length; i += 64) {
-        lines.push(base64.slice(i, i + 64));
-    }
-    return lines.join('\n');
-}
-function encodeBitString(signature) {
-    const bytes = new Uint8Array(signature);
-    const bitString = new Uint8Array(bytes.length + 1);
-    bitString.set(bytes, 1);
-    return bitString.buffer;
-}
-function buildSubjectName(commonName) {
-    const attribute = new asn1X509.AttributeTypeAndValue({
-        type: COMMON_NAME_OID,
-        value: new asn1X509.AttributeValue({ utf8String: commonName }),
-    });
-    return new asn1X509.Name([new asn1X509.RelativeDistinguishedName([attribute])]);
-}
-function assertNonEmptyString(value, name) {
-    if (typeof value !== 'string') {
-        throw new TypeError(`${name} must be a string`);
-    }
-    const trimmed = value.trim();
-    if (trimmed.length === 0) {
-        throw new TypeError(`${name} must be a non-empty string`);
-    }
-    return trimmed;
-}
 function cloneJson(value) {
     return JSON.parse(JSON.stringify(value));
 }
@@ -32389,7 +32279,7 @@ var inProcessFameFabricFactory = /*#__PURE__*/Object.freeze({
 });
 
 /**
- * JWKS (JSON Web Key Set) API router for Express
+ * JWKS (JSON Web Key Set) API plugin for Fastify
  *
  * Provides /.well-known/jwks.json endpoint for public key discovery
  * Used by OAuth2/JWT token verification
@@ -32472,23 +32362,22 @@ function filterKeysByType(jwksData, allowedTypes) {
     return { ...jwksData, keys: filteredKeys };
 }
 /**
- * Create an Express router that exposes JWKS at /.well-known/jwks.json
+ * Create a Fastify plugin that exposes JWKS at /.well-known/jwks.json
  *
  * @param options - Router configuration options
- * @returns Express router with JWKS endpoint
+ * @returns Fastify plugin with JWKS endpoint
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createJwksRouter } from '@naylence/runtime';
  *
- * const app = express();
+ * const app = Fastify();
  * const cryptoProvider = new MyCryptoProvider();
- * app.use(createJwksRouter({ cryptoProvider }));
+ * app.register(createJwksRouter({ cryptoProvider }));
  * ```
  */
 function createJwksRouter(options = {}) {
-    const router = express.Router();
     const { getJwksJson, cryptoProvider, prefix = DEFAULT_PREFIX$2, keyTypes, } = normalizeCreateJwksRouterOptions(options);
     // Get JWKS data
     let jwks;
@@ -32511,26 +32400,172 @@ function createJwksRouter(options = {}) {
         key_types: allowedKeyTypes,
         total_keys: jwks.keys.length,
     });
-    // JWKS endpoint
-    router.get(`${prefix}/.well-known/jwks.json`, (_req, res) => {
-        const filteredJwks = filterKeysByType(jwks, allowedKeyTypes);
-        logger$l.debug('jwks_served', {
-            total_keys: jwks.keys.length,
-            filtered_keys: filteredJwks.keys.length,
-        });
-        res.json(filteredJwks);
-    });
-    return router;
+    const plugin = async (instance) => {
+        instance.get(`${prefix}/.well-known/jwks.json`, async (_request, reply) => {
+            const filteredJwks = filterKeysByType(jwks, allowedKeyTypes);
+            logger$l.debug('jwks_served', {
+                total_keys: jwks.keys.length,
+                filtered_keys: filteredJwks.keys.length,
+            });
+            reply.send(filteredJwks);
+        });
+    };
+    return plugin;
 }
 
 /**
- * OAuth2 client credentials and authorization code (PKCE) grant router for Express
+ * OAuth2 client credentials and authorization code (PKCE) grant router for Fastify
  *
  * Provides /oauth/token and /oauth/authorize endpoints for local development and testing.
  * Implements OAuth2 client credentials grant with JWT token issuance and
  * OAuth2 authorization code grant with PKCE verification.
  */
 const logger$k = getLogger('naylence.fame.http.oauth2_token_router');
+class RouterCompat {
+    constructor() {
+        this.routes = [];
+    }
+    get(path, handler) {
+        this.routes.push({ method: 'GET', path, handler });
+    }
+    post(path, handler) {
+        this.routes.push({ method: 'POST', path, handler });
+    }
+    toPlugin() {
+        return async (fastify) => {
+            await fastify.register(formbody);
+            for (const route of this.routes) {
+                fastify.route({
+                    method: route.method,
+                    url: route.path,
+                    handler: async (request, reply) => {
+                        const compatRequest = toCompatRequest(request);
+                        const compatResponse = new FastifyResponseAdapter(reply);
+                        await route.handler(compatRequest, compatResponse);
+                    },
+                });
+            }
+        };
+    }
+}
+class FastifyResponseAdapter {
+    constructor(reply) {
+        this.reply = reply;
+    }
+    status(code) {
+        this.reply.status(code);
+        return this;
+    }
+    set(field, value) {
+        if (field.toLowerCase() === 'set-cookie') {
+            this.appendHeader(field, value);
+        }
+        else {
+            this.reply.header(field, value);
+        }
+        return this;
+    }
+    type(contentType) {
+        const normalized = contentType === 'html'
+            ? 'text/html'
+            : contentType === 'json'
+                ? 'application/json'
+                : contentType;
+        this.reply.type(normalized);
+        return this;
+    }
+    json(payload) {
+        this.reply.send(payload);
+    }
+    send(payload) {
+        this.reply.send(payload);
+    }
+    redirect(statusOrUrl, maybeUrl) {
+        if (typeof statusOrUrl === 'number') {
+            if (maybeUrl === undefined) {
+                throw new Error('redirect url is required when status code is provided');
+            }
+            this.reply.status(statusOrUrl);
+            this.reply.header('Location', maybeUrl);
+            this.reply.send();
+        }
+        else {
+            this.reply.redirect(statusOrUrl);
+        }
+    }
+    cookie(name, value, options) {
+        const serialized = serializeCookie(name, value, options);
+        this.appendHeader('Set-Cookie', serialized);
+    }
+    appendHeader(name, value) {
+        const existing = this.reply.getHeader(name);
+        if (Array.isArray(existing)) {
+            this.reply.header(name, [...existing, value]);
+        }
+        else if (typeof existing === 'string') {
+            this.reply.header(name, [existing, value]);
+        }
+        else if (existing === undefined) {
+            this.reply.header(name, value);
+        }
+        else {
+            this.reply.header(name, [String(existing), value]);
+        }
+    }
+}
+function toCompatRequest(request) {
+    const headers = {};
+    for (const [key, value] of Object.entries(request.headers)) {
+        if (typeof value === 'string') {
+            headers[key.toLowerCase()] = value;
+        }
+        else if (Array.isArray(value)) {
+            headers[key.toLowerCase()] = value.join(', ');
+        }
+        else if (value !== undefined && value !== null) {
+            headers[key.toLowerCase()] = String(value);
+        }
+        else {
+            headers[key.toLowerCase()] = undefined;
+        }
+    }
+    return {
+        body: request.body,
+        headers,
+        method: request.method,
+        originalUrl: request.raw.url ?? request.url,
+        query: request.query ?? {},
+    };
+}
+function serializeCookie(name, value, options) {
+    const segments = [
+        `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
+    ];
+    if (options.maxAge !== undefined) {
+        const maxAgeMs = options.maxAge;
+        const maxAgeSeconds = Math.floor(maxAgeMs / 1000);
+        segments.push(`Max-Age=${maxAgeSeconds}`);
+        const expires = new Date(Date.now() + maxAgeMs).toUTCString();
+        segments.push(`Expires=${expires}`);
+    }
+    segments.push(`Path=${options.path ?? '/'}`);
+    if (options.httpOnly) {
+        segments.push('HttpOnly');
+    }
+    if (options.secure) {
+        segments.push('Secure');
+    }
+    if (options.sameSite) {
+        const normalized = options.sameSite.toLowerCase();
+        const formatted = normalized === 'strict'
+            ? 'Strict'
+            : normalized === 'none'
+                ? 'None'
+                : 'Lax';
+        segments.push(`SameSite=${formatted}`);
+    }
+    return segments.join('; ');
+}
 const DEFAULT_PREFIX$1 = '/oauth';
 const ENV_VAR_CLIENT_ID = 'FAME_JWT_CLIENT_ID';
 const ENV_VAR_CLIENT_SECRET = 'FAME_JWT_CLIENT_SECRET';
@@ -32952,11 +32987,11 @@ function respondInvalidClient(res) {
     });
 }
 /**
- * Create an Express router that implements OAuth2 token and authorization endpoints
+ * Create a Fastify plugin that implements OAuth2 token and authorization endpoints
  * with support for client credentials and authorization code (PKCE) grants.
  *
  * @param options - Router configuration options
- * @returns Express router with OAuth2 token and authorization endpoints
+ * @returns Fastify plugin with OAuth2 token and authorization endpoints
  *
  * Environment Variables:
  *   FAME_JWT_CLIENT_ID: OAuth2 client identifier
@@ -32970,7 +33005,7 @@ function respondInvalidClient(res) {
  *   FAME_OAUTH_CODE_TTL_SEC: Authorization code TTL in seconds (optional, default: 300)
  */
 function createOAuth2TokenRouter(options) {
-    const router = express.Router();
+    const router = new RouterCompat();
     const { cryptoProvider, prefix = DEFAULT_PREFIX$1, issuer, audience, tokenTtlSec, allowedScopes: configAllowedScopes, algorithm: configAlgorithm, enablePkce: configEnablePkce, allowPublicClients: configAllowPublicClients, authorizationCodeTtlSec: configAuthorizationCodeTtlSec, enableDevLogin: configEnableDevLogin, devLoginUsername: configDevLoginUsername, devLoginPassword: configDevLoginPassword, devLoginSessionTtlSec: configDevLoginSessionTtlSec, devLoginCookieName: configDevLoginCookieName, devLoginSecureCookie: configDevLoginSecureCookie, devLoginTitle: configDevLoginTitle, } = normalizeCreateOAuth2TokenRouterOptions(options);
     if (!cryptoProvider) {
         throw new Error('cryptoProvider is required to create OAuth2 token router');
@@ -33269,7 +33304,7 @@ function createOAuth2TokenRouter(options) {
     };
     router.post(`${prefix}/logout`, logoutHandler);
     router.get(`${prefix}/logout`, logoutHandler);
-    router.post(`${prefix}/token`, async (req, res, next) => {
+    router.post(`${prefix}/token`, async (req, res) => {
         try {
             cleanupAuthorizationCodes(authorizationCodes, Date.now());
             const { grant_type, client_id, client_secret, scope, audience: reqAudience, code, redirect_uri, code_verifier, } = req.body ?? {};
@@ -33454,7 +33489,7 @@ function createOAuth2TokenRouter(options) {
         }
         catch (error) {
             logger$k.error('oauth2_token_error', { error: error.message });
-            next(error);
+            throw error;
         }
     });
     async function issueTokenResponse(params) {
@@ -33487,11 +33522,11 @@ function createOAuth2TokenRouter(options) {
         }
         return response;
     }
-    return router;
+    return router.toPlugin();
 }
 
 /**
- * OpenID Connect Discovery configuration router for Express
+ * OpenID Connect Discovery configuration plugin for Fastify
  *
  * Provides /.well-known/openid-configuration endpoint for OAuth2/OIDC client auto-discovery
  */
@@ -33567,10 +33602,10 @@ function getAllowedScopes(configScopes) {
     return configScopes ?? ['node.connect'];
 }
 /**
- * Create an Express router that implements OpenID Connect Discovery
+ * Create a Fastify plugin that implements OpenID Connect Discovery
  *
  * @param options - Router configuration options
- * @returns Express router with OpenID configuration endpoint
+ * @returns Fastify plugin with OpenID configuration endpoint
  *
  * Environment Variables:
  *   FAME_JWT_ISSUER: JWT issuer claim (optional)
@@ -33579,17 +33614,16 @@ function getAllowedScopes(configScopes) {
  *
  * @example
  * ```typescript
- * import express from 'express';
+ * import Fastify from 'fastify';
  * import { createOpenIDConfigurationRouter } from '@naylence/runtime';
  *
- * const app = express();
- * app.use(createOpenIDConfigurationRouter({
+ * const app = Fastify();
+ * app.register(createOpenIDConfigurationRouter({
  *   issuer: 'https://auth.example.com',
  * }));
  * ```
  */
 function createOpenIDConfigurationRouter(options = {}) {
-    const router = express.Router();
     const { prefix = DEFAULT_PREFIX, issuer, baseUrl, tokenEndpointPath = '/oauth/token', jwksEndpointPath = '/.well-known/jwks.json', allowedScopes: configAllowedScopes, algorithm: configAlgorithm, } = normalizeOpenIDConfigurationRouterOptions(options);
     // Resolve configuration with environment variable priority
     const defaultIssuer = process.env[ENV_VAR_JWT_ISSUER] ?? issuer ?? 'https://auth.fame.fabric';
@@ -33605,29 +33639,30 @@ function createOpenIDConfigurationRouter(options = {}) {
         algorithm,
         allowedScopes,
     });
-    // OpenID Connect Discovery endpoint
-    router.get(`${prefix}/.well-known/openid-configuration`, (_req, res) => {
-        // Construct absolute URLs for endpoints
-        const tokenEndpoint = `${defaultBaseUrl.replace(/\/$/, '')}${tokenEndpointPath}`;
-        const jwksUri = `${defaultBaseUrl.replace(/\/$/, '')}${jwksEndpointPath}`;
-        const config = {
-            issuer: defaultIssuer,
-            token_endpoint: tokenEndpoint,
-            jwks_uri: jwksUri,
-            scopes_supported: allowedScopes,
-            response_types_supported: ['token'],
-            grant_types_supported: ['client_credentials'],
-            token_endpoint_auth_methods_supported: [
-                'client_secret_basic',
-                'client_secret_post',
-            ],
-            subject_types_supported: ['public'],
-            id_token_signing_alg_values_supported: [algorithm],
-        };
-        logger$j.debug('openid_config_served', { config });
-        res.json(config);
-    });
-    return router;
+    const plugin = async (instance) => {
+        instance.get(`${prefix}/.well-known/openid-configuration`, async (_request, reply) => {
+            // Construct absolute URLs for endpoints
+            const tokenEndpoint = `${defaultBaseUrl.replace(/\/$/, '')}${tokenEndpointPath}`;
+            const jwksUri = `${defaultBaseUrl.replace(/\/$/, '')}${jwksEndpointPath}`;
+            const config = {
+                issuer: defaultIssuer,
+                token_endpoint: tokenEndpoint,
+                jwks_uri: jwksUri,
+                scopes_supported: allowedScopes,
+                response_types_supported: ['token'],
+                grant_types_supported: ['client_credentials'],
+                token_endpoint_auth_methods_supported: [
+                    'client_secret_basic',
+                    'client_secret_post',
+                ],
+                subject_types_supported: ['public'],
+                id_token_signing_alg_values_supported: [algorithm],
+            };
+            logger$j.debug('openid_config_served', { config });
+            reply.send(config);
+        });
+    };
+    return plugin;
 }
 
 /**
@@ -33679,23 +33714,18 @@ async function getCryptoProvider() {
     return DefaultCryptoProvider.create();
 }
 /**
- * Create and configure the OAuth2 Express application
+ * Create and configure the OAuth2 Fastify application
  */
 async function createApp() {
-    const app = express();
-    // Middleware
-    app.use(express.json());
-    app.use(express.urlencoded({ extended: true }));
+    const app = fastify({ logger: false });
     // Get crypto provider
     const cryptoProvider = await getCryptoProvider();
     // Add routers
-    app.use(createOAuth2TokenRouter({ cryptoProvider }));
-    app.use(createJwksRouter({ cryptoProvider }));
-    app.use(createOpenIDConfigurationRouter());
+    app.register(createOAuth2TokenRouter({ cryptoProvider }));
+    app.register(createJwksRouter({ cryptoProvider }));
+    app.register(createOpenIDConfigurationRouter());
     // Health check endpoint
-    app.get('/health', (_req, res) => {
-        res.json({ status: 'ok' });
-    });
+    app.get('/health', async () => ({ status: 'ok' }));
     return app;
 }
 /**
@@ -33723,27 +33753,29 @@ async function main() {
     });
     const app = await createApp();
     // Start server
-    app.listen(port, host, () => {
-        logger$i.info('oauth2_server_started', {
-            host,
-            port,
-            endpoints: {
-                token: '/oauth/token',
-                jwks: '/.well-known/jwks.json',
-                openid_config: '/.well-known/openid-configuration',
-                health: '/health',
-            },
-        });
+    await app.listen({ port, host });
+    logger$i.info('oauth2_server_started', {
+        host,
+        port,
+        endpoints: {
+            token: '/oauth/token',
+            jwks: '/.well-known/jwks.json',
+            openid_config: '/.well-known/openid-configuration',
+            health: '/health',
+        },
     });
+    const shutdown = (signal) => {
+        logger$i.info('oauth2_server_shutting_down', { signal });
+        app
+            .close()
+            .catch((error) => logger$i.error('oauth2_server_shutdown_error', {
+            error: error instanceof Error ? error.message : String(error),
+        }))
+            .finally(() => process.exit(0));
+    };
     // Graceful shutdown
-    process.on('SIGINT', () => {
-        logger$i.info('oauth2_server_shutting_down', { signal: 'SIGINT' });
-        process.exit(0);
-    });
-    process.on('SIGTERM', () => {
-        logger$i.info('oauth2_server_shutting_down', { signal: 'SIGTERM' });
-        process.exit(0);
-    });
+    process.on('SIGINT', () => shutdown('SIGINT'));
+    process.on('SIGTERM', () => shutdown('SIGTERM'));
 }
 
 const telemetryLogger = getLogger('naylence.fame.telemetry.base_trace_emitter');
@@ -34918,6 +34950,8 @@ const ENV_VAR_DIRECT_INPAGE_CHANNEL = 'FAME_DIRECT_INPAGE_CHANNEL';
 const ENV_VAR_ADMISSION_SERVICE_URL = 'FAME_ADMISSION_SERVICE_URL';
 const DEFAULT_INPAGE_CHANNEL = 'naylence-fabric';
 const PROFILE_NAME_WELCOME = 'welcome';
+const PROFILE_NAME_WELCOME_PKCE = 'welcome-pkce';
+const PROFILE_NAME_WELCOME_PKCE_ALIAS = 'welcome_pkce';
 const PROFILE_NAME_DIRECT = 'direct';
 const PROFILE_NAME_DIRECT_HTTP = 'direct-http';
 const PROFILE_NAME_DIRECT_INPAGE = 'direct-inpage';
@@ -34978,6 +35012,7 @@ function createOAuthPkceTokenProviderConfig() {
 }
 const welcomeIsRoot = factory.Expressions.env(ENV_VAR_IS_ROOT, 'false');
 const welcomeTokenProvider = createOAuthTokenProviderConfig();
+const welcomePkceTokenProvider = createOAuthPkceTokenProviderConfig();
 const WELCOME_SERVICE_PROFILE = {
     type: 'WelcomeServiceClient',
     is_root: welcomeIsRoot,
@@ -34991,6 +35026,19 @@ const WELCOME_SERVICE_PROFILE = {
         tokenProvider: welcomeTokenProvider,
     },
 };
+const WELCOME_SERVICE_PKCE_PROFILE = {
+    type: 'WelcomeServiceClient',
+    is_root: welcomeIsRoot,
+    isRoot: welcomeIsRoot,
+    url: factory.Expressions.env(ENV_VAR_ADMISSION_SERVICE_URL),
+    supported_transports: ['websocket'],
+    supportedTransports: ['websocket'],
+    auth: {
+        type: 'BearerTokenHeaderAuth',
+        token_provider: welcomePkceTokenProvider,
+        tokenProvider: welcomePkceTokenProvider,
+    },
+};
 const directGrantTokenProvider = createOAuthTokenProviderConfig();
 const directGrant = {
     type: 'WebSocketConnectionGrant',
@@ -35096,6 +35144,8 @@ const NOOP_PROFILE = {
 };
 const PROFILE_MAP$1 = {
     [PROFILE_NAME_WELCOME]: WELCOME_SERVICE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE]: WELCOME_SERVICE_PKCE_PROFILE,
+    [PROFILE_NAME_WELCOME_PKCE_ALIAS]: WELCOME_SERVICE_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT]: DIRECT_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE]: DIRECT_PKCE_PROFILE,
     [PROFILE_NAME_DIRECT_PKCE_ALIAS]: DIRECT_PKCE_PROFILE,