@naylence/runtime 0.3.5-test.925 → 0.3.5-test.927

package/dist/browser/index.cjs

@@ -98,12 +98,12 @@ installProcessEnvShim();
 // --- END ENV SHIM ---
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.925
+// Generated from package.json version: 0.3.5-test.927
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.925';
+const VERSION = '0.3.5-test.927';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -10457,6 +10457,19 @@ class UpstreamSessionManager extends TaskSpawner {
         await connector.start(this.wrappedHandler);
         this.connector = connector;
         const callbackGrants = this.node.gatherSupportedCallbackGrants();
+        // Include admission client's connection grants as callback grants
+        // This ensures DirectAdmissionClient grants are available for grant selection
+        if (welcome.frame.connectionGrants && Array.isArray(welcome.frame.connectionGrants)) {
+            for (const grant of welcome.frame.connectionGrants) {
+                if (grant && typeof grant === 'object') {
+                    // Avoid duplicates by checking if grant already exists
+                    const isDuplicate = callbackGrants.some(existing => JSON.stringify(existing) === JSON.stringify(grant));
+                    if (!isDuplicate) {
+                        callbackGrants.push(grant);
+                    }
+                }
+            }
+        }
         if (this.shouldAdvertiseBroadcastGrant(grant, callbackGrants)) {
             const augmented = this.createBroadcastCallbackGrant(grant);
             if (augmented) {
@@ -39008,14 +39021,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -39067,57 +39084,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -39418,6 +39401,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/browser/index.mjs

@@ -96,12 +96,12 @@ installProcessEnvShim();
 // --- END ENV SHIM ---
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.925
+// Generated from package.json version: 0.3.5-test.927
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.925';
+const VERSION = '0.3.5-test.927';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -10455,6 +10455,19 @@ class UpstreamSessionManager extends TaskSpawner {
         await connector.start(this.wrappedHandler);
         this.connector = connector;
         const callbackGrants = this.node.gatherSupportedCallbackGrants();
+        // Include admission client's connection grants as callback grants
+        // This ensures DirectAdmissionClient grants are available for grant selection
+        if (welcome.frame.connectionGrants && Array.isArray(welcome.frame.connectionGrants)) {
+            for (const grant of welcome.frame.connectionGrants) {
+                if (grant && typeof grant === 'object') {
+                    // Avoid duplicates by checking if grant already exists
+                    const isDuplicate = callbackGrants.some(existing => JSON.stringify(existing) === JSON.stringify(grant));
+                    if (!isDuplicate) {
+                        callbackGrants.push(grant);
+                    }
+                }
+            }
+        }
         if (this.shouldAdvertiseBroadcastGrant(grant, callbackGrants)) {
             const augmented = this.createBroadcastCallbackGrant(grant);
             if (augmented) {
@@ -39006,14 +39019,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -39065,57 +39082,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -39416,6 +39399,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/cjs/naylence/fame/node/upstream-session-manager.js

@@ -304,6 +304,19 @@ class UpstreamSessionManager extends task_spawner_js_1.TaskSpawner {
         await connector.start(this.wrappedHandler);
         this.connector = connector;
         const callbackGrants = this.node.gatherSupportedCallbackGrants();
+        // Include admission client's connection grants as callback grants
+        // This ensures DirectAdmissionClient grants are available for grant selection
+        if (welcome.frame.connectionGrants && Array.isArray(welcome.frame.connectionGrants)) {
+            for (const grant of welcome.frame.connectionGrants) {
+                if (grant && typeof grant === 'object') {
+                    // Avoid duplicates by checking if grant already exists
+                    const isDuplicate = callbackGrants.some(existing => JSON.stringify(existing) === JSON.stringify(grant));
+                    if (!isDuplicate) {
+                        callbackGrants.push(grant);
+                    }
+                }
+            }
+        }
         if (this.shouldAdvertiseBroadcastGrant(grant, callbackGrants)) {
             const augmented = this.createBroadcastCallbackGrant(grant);
             if (augmented) {

package/dist/cjs/naylence/fame/security/auth/oauth2-pkce-token-provider.js

@@ -145,14 +145,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -204,57 +208,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -556,5 +526,16 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 exports.OAuth2PkceTokenProvider = OAuth2PkceTokenProvider;

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.925
+// Generated from package.json version: 0.3.5-test.927
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.5-test.925';
+exports.VERSION = '0.3.5-test.927';

package/dist/esm/naylence/fame/node/upstream-session-manager.js

@@ -301,6 +301,19 @@ export class UpstreamSessionManager extends TaskSpawner {
         await connector.start(this.wrappedHandler);
         this.connector = connector;
         const callbackGrants = this.node.gatherSupportedCallbackGrants();
+        // Include admission client's connection grants as callback grants
+        // This ensures DirectAdmissionClient grants are available for grant selection
+        if (welcome.frame.connectionGrants && Array.isArray(welcome.frame.connectionGrants)) {
+            for (const grant of welcome.frame.connectionGrants) {
+                if (grant && typeof grant === 'object') {
+                    // Avoid duplicates by checking if grant already exists
+                    const isDuplicate = callbackGrants.some(existing => JSON.stringify(existing) === JSON.stringify(grant));
+                    if (!isDuplicate) {
+                        callbackGrants.push(grant);
+                    }
+                }
+            }
+        }
         if (this.shouldAdvertiseBroadcastGrant(grant, callbackGrants)) {
             const augmented = this.createBroadcastCallbackGrant(grant);
             if (augmented) {

package/dist/esm/naylence/fame/security/auth/oauth2-pkce-token-provider.js

@@ -142,14 +142,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -201,57 +205,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -552,4 +522,15 @@ export class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }

package/dist/esm/version.js

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.925
+// Generated from package.json version: 0.3.5-test.927
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.3.5-test.925';
+export const VERSION = '0.3.5-test.927';

package/dist/node/index.cjs

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.925
+// Generated from package.json version: 0.3.5-test.927
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.925';
+const VERSION = '0.3.5-test.927';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -10373,6 +10373,19 @@ class UpstreamSessionManager extends TaskSpawner {
         await connector.start(this.wrappedHandler);
         this.connector = connector;
         const callbackGrants = this.node.gatherSupportedCallbackGrants();
+        // Include admission client's connection grants as callback grants
+        // This ensures DirectAdmissionClient grants are available for grant selection
+        if (welcome.frame.connectionGrants && Array.isArray(welcome.frame.connectionGrants)) {
+            for (const grant of welcome.frame.connectionGrants) {
+                if (grant && typeof grant === 'object') {
+                    // Avoid duplicates by checking if grant already exists
+                    const isDuplicate = callbackGrants.some(existing => JSON.stringify(existing) === JSON.stringify(grant));
+                    if (!isDuplicate) {
+                        callbackGrants.push(grant);
+                    }
+                }
+            }
+        }
         if (this.shouldAdvertiseBroadcastGrant(grant, callbackGrants)) {
             const augmented = this.createBroadcastCallbackGrant(grant);
             if (augmented) {
@@ -38922,14 +38935,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -38981,57 +38998,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -39332,6 +39315,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/node/index.mjs

@@ -13,12 +13,12 @@ import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.925
+// Generated from package.json version: 0.3.5-test.927
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.925';
+const VERSION = '0.3.5-test.927';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -10372,6 +10372,19 @@ class UpstreamSessionManager extends TaskSpawner {
         await connector.start(this.wrappedHandler);
         this.connector = connector;
         const callbackGrants = this.node.gatherSupportedCallbackGrants();
+        // Include admission client's connection grants as callback grants
+        // This ensures DirectAdmissionClient grants are available for grant selection
+        if (welcome.frame.connectionGrants && Array.isArray(welcome.frame.connectionGrants)) {
+            for (const grant of welcome.frame.connectionGrants) {
+                if (grant && typeof grant === 'object') {
+                    // Avoid duplicates by checking if grant already exists
+                    const isDuplicate = callbackGrants.some(existing => JSON.stringify(existing) === JSON.stringify(grant));
+                    if (!isDuplicate) {
+                        callbackGrants.push(grant);
+                    }
+                }
+            }
+        }
         if (this.shouldAdvertiseBroadcastGrant(grant, callbackGrants)) {
             const augmented = this.createBroadcastCallbackGrant(grant);
             if (augmented) {
@@ -38921,14 +38934,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -38980,57 +38997,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -39331,6 +39314,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/node/node.cjs

@@ -5372,12 +5372,12 @@ for (const [name, config] of Object.entries(SQLITE_PROFILES)) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.925
+// Generated from package.json version: 0.3.5-test.927
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.925';
+const VERSION = '0.3.5-test.927';
 
 /**
  * Fame errors module - Fame protocol specific error classes
@@ -12065,6 +12065,19 @@ class UpstreamSessionManager extends TaskSpawner {
         await connector.start(this.wrappedHandler);
         this.connector = connector;
         const callbackGrants = this.node.gatherSupportedCallbackGrants();
+        // Include admission client's connection grants as callback grants
+        // This ensures DirectAdmissionClient grants are available for grant selection
+        if (welcome.frame.connectionGrants && Array.isArray(welcome.frame.connectionGrants)) {
+            for (const grant of welcome.frame.connectionGrants) {
+                if (grant && typeof grant === 'object') {
+                    // Avoid duplicates by checking if grant already exists
+                    const isDuplicate = callbackGrants.some(existing => JSON.stringify(existing) === JSON.stringify(grant));
+                    if (!isDuplicate) {
+                        callbackGrants.push(grant);
+                    }
+                }
+            }
+        }
         if (this.shouldAdvertiseBroadcastGrant(grant, callbackGrants)) {
             const augmented = this.createBroadcastCallbackGrant(grant);
             if (augmented) {
@@ -41140,14 +41153,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -41199,57 +41216,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -41550,6 +41533,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/node/node.mjs

@@ -5371,12 +5371,12 @@ for (const [name, config] of Object.entries(SQLITE_PROFILES)) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.5-test.925
+// Generated from package.json version: 0.3.5-test.927
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.5-test.925';
+const VERSION = '0.3.5-test.927';
 
 /**
  * Fame errors module - Fame protocol specific error classes
@@ -12064,6 +12064,19 @@ class UpstreamSessionManager extends TaskSpawner {
         await connector.start(this.wrappedHandler);
         this.connector = connector;
         const callbackGrants = this.node.gatherSupportedCallbackGrants();
+        // Include admission client's connection grants as callback grants
+        // This ensures DirectAdmissionClient grants are available for grant selection
+        if (welcome.frame.connectionGrants && Array.isArray(welcome.frame.connectionGrants)) {
+            for (const grant of welcome.frame.connectionGrants) {
+                if (grant && typeof grant === 'object') {
+                    // Avoid duplicates by checking if grant already exists
+                    const isDuplicate = callbackGrants.some(existing => JSON.stringify(existing) === JSON.stringify(grant));
+                    if (!isDuplicate) {
+                        callbackGrants.push(grant);
+                    }
+                }
+            }
+        }
         if (this.shouldAdvertiseBroadcastGrant(grant, callbackGrants)) {
             const augmented = this.createBroadcastCallbackGrant(grant);
             if (augmented) {
@@ -41139,14 +41152,18 @@ function ensureFinitePositive(value, label) {
     }
     return Math.max(1, Math.floor(value));
 }
+/**
+ * In-memory token cache for PKCE tokens.
+ *
+ * Tokens are intentionally NOT persisted to localStorage or sessionStorage to avoid
+ * stale-token issues when the OAuth2 server restarts and generates new signing keys.
+ * Each fresh page load triggers a new PKCE flow when a token is needed.
+ */
+let inMemoryTokenCache = new Map();
 const STORAGE_NAMESPACE = 'naylence.oauth2_pkce.';
-const TOKEN_STORAGE_SUFFIX = '.token';
 function getStorageKey(clientId) {
     return `${STORAGE_NAMESPACE}${clientId}`;
 }
-function getTokenStorageKey(clientId) {
-    return `${STORAGE_NAMESPACE}${clientId}${TOKEN_STORAGE_SUFFIX}`;
-}
 function isBrowserEnvironment() {
     return (typeof window !== 'undefined' &&
         typeof window.location !== 'undefined' &&
@@ -41198,57 +41215,23 @@ function stableScopeKey(scopes) {
     }
     return [...scopes].sort().join(' ');
 }
+/**
+ * Read token from in-memory cache.
+ * Returns null if no cached token exists for the given clientId.
+ */
 function readPersistedToken(clientId) {
-    if (!isBrowserEnvironment()) {
-        return null;
-    }
-    try {
-        const raw = window.sessionStorage.getItem(getTokenStorageKey(clientId));
-        if (!raw) {
-            return null;
-        }
-        const parsed = JSON.parse(raw);
-        const value = coerceString(parsed.value);
-        if (!value) {
-            return null;
-        }
-        const expiresAt = coerceNumber(parsed.expiresAt);
-        const scopes = normalizeScopes(parsed.scopes);
-        const audience = coerceString(parsed.audience);
-        const record = {
-            value,
-            scopes,
-            audience,
-        };
-        if (typeof expiresAt === 'number') {
-            record.expiresAt = expiresAt;
-        }
-        return record;
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_read_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-        return null;
-    }
+    return inMemoryTokenCache.get(clientId) ?? null;
 }
+/**
+ * Write token to in-memory cache.
+ * If token is null, removes the cached token for the given clientId.
+ */
 function writePersistedToken(clientId, token) {
-    if (!isBrowserEnvironment()) {
+    if (!token) {
+        inMemoryTokenCache.delete(clientId);
         return;
     }
-    const key = getTokenStorageKey(clientId);
-    try {
-        if (!token) {
-            window.sessionStorage.removeItem(key);
-            return;
-        }
-        window.sessionStorage.setItem(key, JSON.stringify(token));
-    }
-    catch (error) {
-        logger.debug('pkce_token_storage_write_failed', {
-            error: error instanceof Error ? error.message : String(error),
-        });
-    }
+    inMemoryTokenCache.set(clientId, token);
 }
 function clearOAuthParamsFromUrl(url) {
     if (!isBrowserEnvironment()) {
@@ -41549,6 +41532,17 @@ class OAuth2PkceTokenProvider {
         });
         return token;
     }
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken() {
+        this.cachedToken = undefined;
+        writePersistedToken(this.options.clientId, null);
+        logger.debug('oauth2_pkce_token_cleared', {
+            authorize_url: this.options.authorizeUrl,
+        });
+    }
 }
 
 var oauth2PkceTokenProvider = /*#__PURE__*/Object.freeze({

package/dist/types/naylence/fame/security/auth/oauth2-pkce-token-provider.d.ts

@@ -38,5 +38,10 @@ export declare class OAuth2PkceTokenProvider implements TokenProvider {
     private resolveFetch;
     private resolveOptionalSecret;
     private exchangeToken;
+    /**
+     * Clear the cached token for this provider instance.
+     * This clears both the instance cache and the in-memory module cache.
+     */
+    clearToken(): void;
 }
 export {};

package/dist/types/version.d.ts

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.3.5-test.925";
+export declare const VERSION = "0.3.5-test.927";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.3.5-test.925",
+  "version": "0.3.5-test.927",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",