@naylence/runtime 0.3.5-test.921 → 0.3.5-test.923

package/dist/browser/index.cjs

@@ -3,15 +3,15 @@
 var core = require('@naylence/core');
 var zod = require('zod');
 var factory = require('@naylence/factory');
+var ed25519 = require('@noble/ed25519');
+var sha2_js = require('@noble/hashes/sha2.js');
 var chacha_js = require('@noble/ciphers/chacha.js');
 var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
-var sha2_js = require('@noble/hashes/sha2.js');
 var utils_js = require('@noble/hashes/utils.js');
 var yaml = require('yaml');
 var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
-var ed25519 = require('@noble/ed25519');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 // --- ENV SHIM (runs once in browser) ---
@@ -98,12 +98,12 @@ installProcessEnvShim();
 // --- END ENV SHIM ---
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.921
+// Generated from package.json version: 0.3.5-test.923
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.921';
+const VERSION = '0.3.5-test.923';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -25245,6 +25245,251 @@ class SigningConfig {
     }
 }
 
+function hasBuffer() {
+    return typeof Buffer !== 'undefined';
+}
+function readStringProperty(source, ...names) {
+    if (!source || typeof source !== 'object') {
+        return undefined;
+    }
+    for (const name of names) {
+        const value = source[name];
+        if (typeof value === 'string' && value.length > 0) {
+            return value;
+        }
+    }
+    return undefined;
+}
+function decodePem(pem) {
+    const base64 = pem
+        .replace(/-----BEGIN[^-]+-----/g, '')
+        .replace(/-----END[^-]+-----/g, '')
+        .replace(/\s+/g, '');
+    if (typeof atob === 'function') {
+        const binary = atob(base64);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i += 1) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+    if (hasBuffer()) {
+        return Uint8Array.from(Buffer.from(base64, 'base64'));
+    }
+    throw new Error('Base64 decoding is not available in this environment');
+}
+function readLength(data, offset) {
+    const initial = data[offset];
+    if (initial === undefined) {
+        throw new Error('Unexpected end of ASN.1 data');
+    }
+    if ((initial & 0x80) === 0) {
+        return { length: initial, nextOffset: offset + 1 };
+    }
+    const lengthOfLength = initial & 0x7f;
+    if (lengthOfLength === 0 || lengthOfLength > 4) {
+        throw new Error('Unsupported ASN.1 length encoding');
+    }
+    let length = 0;
+    let position = offset + 1;
+    for (let i = 0; i < lengthOfLength; i += 1) {
+        const byte = data[position];
+        if (byte === undefined) {
+            throw new Error('Unexpected end of ASN.1 data');
+        }
+        length = (length << 8) | byte;
+        position += 1;
+    }
+    return { length, nextOffset: position };
+}
+function readElement(data, offset, tag) {
+    if (data[offset] !== tag) {
+        throw new Error(`Unexpected ASN.1 tag: expected 0x${tag.toString(16)}, got 0x${(data[offset] ?? 0).toString(16)}`);
+    }
+    const { length, nextOffset } = readLength(data, offset + 1);
+    const contentOffset = nextOffset;
+    return {
+        length,
+        contentOffset,
+        nextOffset: contentOffset + length,
+    };
+}
+function parseEd25519PrivateKey(pem) {
+    const raw = decodePem(pem);
+    if (raw.length === 32) {
+        return raw.slice();
+    }
+    // Handle PKCS#8 structure defined in RFC 8410
+    const sequence = readElement(raw, 0, 0x30);
+    const version = readElement(raw, sequence.contentOffset, 0x02);
+    let offset = version.nextOffset;
+    const algorithm = readElement(raw, offset, 0x30);
+    offset = algorithm.nextOffset;
+    const privateKey = readElement(raw, offset, 0x04);
+    const privateContent = raw.subarray(privateKey.contentOffset, privateKey.contentOffset + privateKey.length);
+    if (privateContent.length === 32) {
+        return privateContent.slice();
+    }
+    if (privateContent.length >= 34 && privateContent[0] === 0x04) {
+        const innerLength = privateContent[1];
+        if (innerLength !== 32 || privateContent.length < innerLength + 2) {
+            throw new Error('Unexpected Ed25519 private key length');
+        }
+        return privateContent.subarray(2, 34);
+    }
+    throw new Error('Unsupported Ed25519 private key structure');
+}
+const textEncoder = typeof TextEncoder !== 'undefined' ? new TextEncoder() : undefined;
+function encodeUtf8(value) {
+    if (textEncoder) {
+        return textEncoder.encode(value);
+    }
+    if (hasBuffer()) {
+        return Uint8Array.from(Buffer.from(value, 'utf8'));
+    }
+    throw new Error('No UTF-8 encoder available in this environment');
+}
+
+if (!ed25519.hashes.sha512) {
+    ed25519.hashes.sha512 = (message) => sha2_js.sha512(message);
+}
+function normalizeSignerOptions(options) {
+    if (!options || typeof options !== 'object') {
+        return {};
+    }
+    const candidate = options;
+    const result = {
+        ...options,
+    };
+    const cryptoProvider = resolveAlias(candidate, ['cryptoProvider', 'crypto_provider']);
+    if (cryptoProvider !== undefined) {
+        result.cryptoProvider = cryptoProvider ?? null;
+    }
+    const signingConfig = resolveAlias(candidate, ['signingConfig', 'signing_config']);
+    if (signingConfig !== undefined) {
+        result.signingConfig = signingConfig;
+    }
+    const privateKeyPem = resolveAlias(candidate, [
+        'privateKeyPem',
+        'private_key_pem',
+    ]);
+    if (privateKeyPem !== undefined) {
+        result.privateKeyPem = privateKeyPem;
+    }
+    const keyId = resolveAlias(candidate, [
+        'keyId',
+        'key_id',
+    ]);
+    if (keyId !== undefined) {
+        result.keyId = keyId;
+    }
+    return result;
+}
+class EdDSAEnvelopeSigner {
+    constructor(options = {}) {
+        const normalized = normalizeSignerOptions(options);
+        const provider = normalized.cryptoProvider ?? null;
+        if (!provider) {
+            throw new Error('No crypto provider is configured for signing');
+        }
+        this.crypto = provider;
+        const signingConfigOption = normalized.signingConfig;
+        if (signingConfigOption instanceof SigningConfig) {
+            this.signingConfig = signingConfigOption;
+        }
+        else if (signingConfigOption) {
+            this.signingConfig = new SigningConfig(signingConfigOption);
+        }
+        else {
+            this.signingConfig = new SigningConfig();
+        }
+        this.explicitPrivateKey = normalized.privateKeyPem;
+        this.explicitKeyId = normalized.keyId;
+    }
+    signEnvelope(envelope, { physicalPath }) {
+        if (!envelope.sid) {
+            throw new Error('Envelope missing sid');
+        }
+        const frame = envelope.frame;
+        if (frame.type === 'Data') {
+            const dataFrame = frame;
+            if (!dataFrame.pd) {
+                const payload = dataFrame.payload ?? '';
+                const payloadString = payload === '' ? '' : canonicalJson(payload);
+                dataFrame.pd = secureDigest(payloadString);
+            }
+        }
+        const digest = frameDigest(frame);
+        const immutable = canonicalJson(immutableHeaders(envelope));
+        const sidDigest = secureDigest(physicalPath);
+        const tbs = new Uint8Array(encodeUtf8(sidDigest).length +
+            1 +
+            encodeUtf8(immutable).length +
+            1 +
+            encodeUtf8(digest).length);
+        const sidBytes = encodeUtf8(sidDigest);
+        const immBytes = encodeUtf8(immutable);
+        const digBytes = encodeUtf8(digest);
+        let offset = 0;
+        tbs.set(sidBytes, offset);
+        offset += sidBytes.length;
+        tbs[offset] = 0x1f;
+        offset += 1;
+        tbs.set(immBytes, offset);
+        offset += immBytes.length;
+        tbs[offset] = 0x1f;
+        offset += 1;
+        tbs.set(digBytes, offset);
+        const privateKey = this.loadPrivateKey();
+        const signatureBytes = ed25519.sign(tbs, privateKey);
+        const signature = urlsafeBase64Encode(signatureBytes);
+        const kid = this.determineKeyId();
+        const signatureHeader = {
+            kid,
+            val: signature,
+            alg: 'EdDSA',
+        };
+        const secHeader = envelope.sec ?? {};
+        secHeader.sig = signatureHeader;
+        envelope.sec = secHeader;
+        return envelope;
+    }
+    loadPrivateKey() {
+        const pem = this.explicitPrivateKey ??
+            readStringProperty(this.crypto, 'signingPrivatePem', 'signing_private_pem');
+        if (!pem) {
+            throw new Error('Crypto provider does not expose a signing private key');
+        }
+        return parseEd25519PrivateKey(pem);
+    }
+    determineKeyId() {
+        if (this.explicitKeyId) {
+            return this.explicitKeyId;
+        }
+        if (this.signingConfig.signingMaterial === core.SigningMaterial.X509_CHAIN) {
+            const certificateProvider = this
+                .crypto;
+            const jwk = certificateProvider.nodeJwk?.();
+            if (jwk && typeof jwk === 'object' && 'kid' in jwk && 'x5c' in jwk) {
+                const kid = jwk.kid;
+                if (typeof kid === 'string' && kid.length > 0) {
+                    return kid;
+                }
+            }
+        }
+        const fallback = readStringProperty(this.crypto, 'signatureKeyId', 'signature_key_id');
+        if (!fallback) {
+            throw new Error('Crypto provider does not expose a signature key id');
+        }
+        return fallback;
+    }
+}
+
+var eddsaEnvelopeSigner = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    EdDSAEnvelopeSigner: EdDSAEnvelopeSigner
+});
+
 const logger$x = getLogger('naylence.fame.security.auth.jwt_token_issuer');
 let joseModulePromise = null;
 async function requireJose() {
@@ -39352,251 +39597,6 @@ var sharedSecretTokenVerifier = /*#__PURE__*/Object.freeze({
     SharedSecretTokenVerifier: SharedSecretTokenVerifier
 });
 
-function hasBuffer() {
-    return typeof Buffer !== 'undefined';
-}
-function readStringProperty(source, ...names) {
-    if (!source || typeof source !== 'object') {
-        return undefined;
-    }
-    for (const name of names) {
-        const value = source[name];
-        if (typeof value === 'string' && value.length > 0) {
-            return value;
-        }
-    }
-    return undefined;
-}
-function decodePem(pem) {
-    const base64 = pem
-        .replace(/-----BEGIN[^-]+-----/g, '')
-        .replace(/-----END[^-]+-----/g, '')
-        .replace(/\s+/g, '');
-    if (typeof atob === 'function') {
-        const binary = atob(base64);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
-    }
-    if (hasBuffer()) {
-        return Uint8Array.from(Buffer.from(base64, 'base64'));
-    }
-    throw new Error('Base64 decoding is not available in this environment');
-}
-function readLength(data, offset) {
-    const initial = data[offset];
-    if (initial === undefined) {
-        throw new Error('Unexpected end of ASN.1 data');
-    }
-    if ((initial & 0x80) === 0) {
-        return { length: initial, nextOffset: offset + 1 };
-    }
-    const lengthOfLength = initial & 0x7f;
-    if (lengthOfLength === 0 || lengthOfLength > 4) {
-        throw new Error('Unsupported ASN.1 length encoding');
-    }
-    let length = 0;
-    let position = offset + 1;
-    for (let i = 0; i < lengthOfLength; i += 1) {
-        const byte = data[position];
-        if (byte === undefined) {
-            throw new Error('Unexpected end of ASN.1 data');
-        }
-        length = (length << 8) | byte;
-        position += 1;
-    }
-    return { length, nextOffset: position };
-}
-function readElement(data, offset, tag) {
-    if (data[offset] !== tag) {
-        throw new Error(`Unexpected ASN.1 tag: expected 0x${tag.toString(16)}, got 0x${(data[offset] ?? 0).toString(16)}`);
-    }
-    const { length, nextOffset } = readLength(data, offset + 1);
-    const contentOffset = nextOffset;
-    return {
-        length,
-        contentOffset,
-        nextOffset: contentOffset + length,
-    };
-}
-function parseEd25519PrivateKey(pem) {
-    const raw = decodePem(pem);
-    if (raw.length === 32) {
-        return raw.slice();
-    }
-    // Handle PKCS#8 structure defined in RFC 8410
-    const sequence = readElement(raw, 0, 0x30);
-    const version = readElement(raw, sequence.contentOffset, 0x02);
-    let offset = version.nextOffset;
-    const algorithm = readElement(raw, offset, 0x30);
-    offset = algorithm.nextOffset;
-    const privateKey = readElement(raw, offset, 0x04);
-    const privateContent = raw.subarray(privateKey.contentOffset, privateKey.contentOffset + privateKey.length);
-    if (privateContent.length === 32) {
-        return privateContent.slice();
-    }
-    if (privateContent.length >= 34 && privateContent[0] === 0x04) {
-        const innerLength = privateContent[1];
-        if (innerLength !== 32 || privateContent.length < innerLength + 2) {
-            throw new Error('Unexpected Ed25519 private key length');
-        }
-        return privateContent.subarray(2, 34);
-    }
-    throw new Error('Unsupported Ed25519 private key structure');
-}
-const textEncoder = typeof TextEncoder !== 'undefined' ? new TextEncoder() : undefined;
-function encodeUtf8(value) {
-    if (textEncoder) {
-        return textEncoder.encode(value);
-    }
-    if (hasBuffer()) {
-        return Uint8Array.from(Buffer.from(value, 'utf8'));
-    }
-    throw new Error('No UTF-8 encoder available in this environment');
-}
-
-if (!ed25519.hashes.sha512) {
-    ed25519.hashes.sha512 = (message) => sha2_js.sha512(message);
-}
-function normalizeSignerOptions(options) {
-    if (!options || typeof options !== 'object') {
-        return {};
-    }
-    const candidate = options;
-    const result = {
-        ...options,
-    };
-    const cryptoProvider = resolveAlias(candidate, ['cryptoProvider', 'crypto_provider']);
-    if (cryptoProvider !== undefined) {
-        result.cryptoProvider = cryptoProvider ?? null;
-    }
-    const signingConfig = resolveAlias(candidate, ['signingConfig', 'signing_config']);
-    if (signingConfig !== undefined) {
-        result.signingConfig = signingConfig;
-    }
-    const privateKeyPem = resolveAlias(candidate, [
-        'privateKeyPem',
-        'private_key_pem',
-    ]);
-    if (privateKeyPem !== undefined) {
-        result.privateKeyPem = privateKeyPem;
-    }
-    const keyId = resolveAlias(candidate, [
-        'keyId',
-        'key_id',
-    ]);
-    if (keyId !== undefined) {
-        result.keyId = keyId;
-    }
-    return result;
-}
-class EdDSAEnvelopeSigner {
-    constructor(options = {}) {
-        const normalized = normalizeSignerOptions(options);
-        const provider = normalized.cryptoProvider ?? null;
-        if (!provider) {
-            throw new Error('No crypto provider is configured for signing');
-        }
-        this.crypto = provider;
-        const signingConfigOption = normalized.signingConfig;
-        if (signingConfigOption instanceof SigningConfig) {
-            this.signingConfig = signingConfigOption;
-        }
-        else if (signingConfigOption) {
-            this.signingConfig = new SigningConfig(signingConfigOption);
-        }
-        else {
-            this.signingConfig = new SigningConfig();
-        }
-        this.explicitPrivateKey = normalized.privateKeyPem;
-        this.explicitKeyId = normalized.keyId;
-    }
-    signEnvelope(envelope, { physicalPath }) {
-        if (!envelope.sid) {
-            throw new Error('Envelope missing sid');
-        }
-        const frame = envelope.frame;
-        if (frame.type === 'Data') {
-            const dataFrame = frame;
-            if (!dataFrame.pd) {
-                const payload = dataFrame.payload ?? '';
-                const payloadString = payload === '' ? '' : canonicalJson(payload);
-                dataFrame.pd = secureDigest(payloadString);
-            }
-        }
-        const digest = frameDigest(frame);
-        const immutable = canonicalJson(immutableHeaders(envelope));
-        const sidDigest = secureDigest(physicalPath);
-        const tbs = new Uint8Array(encodeUtf8(sidDigest).length +
-            1 +
-            encodeUtf8(immutable).length +
-            1 +
-            encodeUtf8(digest).length);
-        const sidBytes = encodeUtf8(sidDigest);
-        const immBytes = encodeUtf8(immutable);
-        const digBytes = encodeUtf8(digest);
-        let offset = 0;
-        tbs.set(sidBytes, offset);
-        offset += sidBytes.length;
-        tbs[offset] = 0x1f;
-        offset += 1;
-        tbs.set(immBytes, offset);
-        offset += immBytes.length;
-        tbs[offset] = 0x1f;
-        offset += 1;
-        tbs.set(digBytes, offset);
-        const privateKey = this.loadPrivateKey();
-        const signatureBytes = ed25519.sign(tbs, privateKey);
-        const signature = urlsafeBase64Encode(signatureBytes);
-        const kid = this.determineKeyId();
-        const signatureHeader = {
-            kid,
-            val: signature,
-            alg: 'EdDSA',
-        };
-        const secHeader = envelope.sec ?? {};
-        secHeader.sig = signatureHeader;
-        envelope.sec = secHeader;
-        return envelope;
-    }
-    loadPrivateKey() {
-        const pem = this.explicitPrivateKey ??
-            readStringProperty(this.crypto, 'signingPrivatePem', 'signing_private_pem');
-        if (!pem) {
-            throw new Error('Crypto provider does not expose a signing private key');
-        }
-        return parseEd25519PrivateKey(pem);
-    }
-    determineKeyId() {
-        if (this.explicitKeyId) {
-            return this.explicitKeyId;
-        }
-        if (this.signingConfig.signingMaterial === core.SigningMaterial.X509_CHAIN) {
-            const certificateProvider = this
-                .crypto;
-            const jwk = certificateProvider.nodeJwk?.();
-            if (jwk && typeof jwk === 'object' && 'kid' in jwk && 'x5c' in jwk) {
-                const kid = jwk.kid;
-                if (typeof kid === 'string' && kid.length > 0) {
-                    return kid;
-                }
-            }
-        }
-        const fallback = readStringProperty(this.crypto, 'signatureKeyId', 'signature_key_id');
-        if (!fallback) {
-            throw new Error('Crypto provider does not expose a signature key id');
-        }
-        return fallback;
-    }
-}
-
-var eddsaEnvelopeSigner = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    EdDSAEnvelopeSigner: EdDSAEnvelopeSigner
-});
-
 async function loadPublicKey(jwk, signingConfig) {
     if (jwk.x5c) {
         if (signingConfig.signingMaterial !== core.SigningMaterial.X509_CHAIN) {
@@ -39884,6 +39884,7 @@ exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE;
 exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER;
 exports.ENV_VAR_JWT_TRUSTED_ISSUER = ENV_VAR_JWT_TRUSTED_ISSUER;
 exports.ENV_VAR_SHOW_ENVELOPES = ENV_VAR_SHOW_ENVELOPES$1;
+exports.EdDSAEnvelopeSigner = EdDSAEnvelopeSigner;
 exports.EncryptedKeyValueStore = EncryptedKeyValueStore;
 exports.EncryptedStorageProviderBase = EncryptedStorageProviderBase;
 exports.EncryptedValue = EncryptedValue;
@@ -40017,6 +40018,7 @@ exports.assertGrant = assertGrant;
 exports.basicConfig = basicConfig;
 exports.broadcastChannelGrantToConnectorConfig = broadcastChannelGrantToConnectorConfig;
 exports.camelToSnakeCase = camelToSnakeCase;
+exports.canonicalJson = canonicalJson;
 exports.capitalizeFirstLetter = capitalizeFirstLetter;
 exports.color = color;
 exports.compareCryptoLevels = compareCryptoLevels;
@@ -40036,12 +40038,14 @@ exports.createX25519Keypair = createX25519Keypair;
 exports.credentialToString = credentialToString;
 exports.currentTraceId = currentTraceId$1;
 exports.debounce = debounce;
+exports.decodeBase64Url = decodeBase64Url;
 exports.decodeFameDataPayload = decodeFameDataPayload;
 exports.deepMerge = deepMerge;
 exports.defaultJsonEncoder = defaultJsonEncoder;
 exports.delay = delay;
 exports.dropEmpty = dropEmpty;
 exports.enableLogging = enableLogging;
+exports.encodeUtf8 = encodeUtf8;
 exports.ensureRuntimeFactoriesRegistered = ensureRuntimeFactoriesRegistered;
 exports.extractId = extractId;
 exports.extractPoolAddressBase = extractPoolAddressBase;
@@ -40049,6 +40053,7 @@ exports.extractPoolBase = extractPoolBase;
 exports.filterKeysByUse = filterKeysByUse;
 exports.formatTimestamp = formatTimestamp;
 exports.formatTimestampForConsole = formatTimestampForConsole$1;
+exports.frameDigest = frameDigest;
 exports.getCurrentEnvelope = getCurrentEnvelope;
 exports.getFameRoot = getFameRoot;
 exports.getKeyProvider = getKeyProvider;
@@ -40058,6 +40063,7 @@ exports.hasCryptoSupport = hasCryptoSupport;
 exports.hostnameToLogical = hostnameToLogical;
 exports.hostnamesToLogicals = hostnamesToLogicals;
 exports.httpGrantToConnectorConfig = httpGrantToConnectorConfig;
+exports.immutableHeaders = immutableHeaders;
 exports.inPageGrantToConnectorConfig = inPageGrantToConnectorConfig;
 exports.isAuthInjectionStrategy = isAuthInjectionStrategy;
 exports.isBroadcastChannelConnectionGrant = isBroadcastChannelConnectionGrant;