@naylence/runtime 0.4.0 → 0.4.2

package/dist/cjs/naylence/fame/factory-manifest.js

@@ -63,6 +63,7 @@ exports.MODULES = [
     "./node/node-identity-policy-profile-factory.js",
     "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
+    "./security/auth/authorization-profile-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
     "./security/auth/default-policy-authorizer-factory.js",
@@ -145,6 +146,7 @@ exports.MODULE_LOADERS = {
     "./node/node-identity-policy-profile-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/node-identity-policy-profile-factory.js"))),
     "./node/token-subject-node-identity-policy-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/token-subject-node-identity-policy-factory.js"))),
     "./placement/static-node-placement-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./placement/static-node-placement-strategy-factory.js"))),
+    "./security/auth/authorization-profile-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/authorization-profile-factory.js"))),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/bearer-token-header-auth-injection-strategy-factory.js"))),
     "./security/auth/default-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/default-authorizer-factory.js"))),
     "./security/auth/default-policy-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/default-policy-authorizer-factory.js"))),

package/dist/cjs/naylence/fame/node/default-node-identity-policy.js

@@ -2,10 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DefaultNodeIdentityPolicy = void 0;
 const core_1 = require("@naylence/core");
-const token_provider_factory_js_1 = require("../security/auth/token-provider-factory.js");
-const token_provider_js_1 = require("../security/auth/token-provider.js");
-const logging_js_1 = require("../util/logging.js");
-const logger = (0, logging_js_1.getLogger)('naylence.fame.node.default_node_identity_policy');
+/**
+ * Default node identity policy that preserves the current node ID.
+ *
+ * This policy does NOT derive identity from tokens or grants.
+ * For token-subject-based identity, use TokenSubjectNodeIdentityPolicy.
+ */
 class DefaultNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -17,44 +19,10 @@ class DefaultNodeIdentityPolicy {
         return await (0, core_1.generateIdAsync)({ mode: 'fingerprint' });
     }
     async resolveAdmissionNodeId(context) {
-        // Try to extract identity from grants first
-        if (context.grants && context.grants.length > 0) {
-            for (const grant of context.grants) {
-                try {
-                    const auth = grant.auth;
-                    if (!auth) {
-                        continue;
-                    }
-                    const tokenProviderConfig = (auth.tokenProvider ??
-                        auth.token_provider);
-                    if (!tokenProviderConfig ||
-                        typeof tokenProviderConfig.type !== 'string') {
-                        continue;
-                    }
-                    const provider = await token_provider_factory_js_1.TokenProviderFactory.createTokenProvider(tokenProviderConfig);
-                    if ((0, token_provider_js_1.isIdentityExposingTokenProvider)(provider)) {
-                        const identity = await provider.getIdentity();
-                        if (identity && identity.subject) {
-                            logger.debug('identity_extracted_from_grant', {
-                                identity_id: identity.subject,
-                                grant_type: grant.type,
-                            });
-                            return identity.subject;
-                        }
-                    }
-                }
-                catch (error) {
-                    logger.warning('identity_extraction_failed', {
-                        error: error instanceof Error ? error.message : String(error),
-                        grant_type: grant.type,
-                    });
-                }
-            }
+        if (context.currentNodeId) {
+            return context.currentNodeId;
         }
-        if (!context.currentNodeId) {
-            return await (0, core_1.generateIdAsync)({ mode: 'fingerprint' });
-        }
-        return context.currentNodeId;
+        return await (0, core_1.generateIdAsync)({ mode: 'fingerprint' });
     }
 }
 exports.DefaultNodeIdentityPolicy = DefaultNodeIdentityPolicy;

package/dist/cjs/naylence/fame/security/auth/authorization-profile-factory.js

@@ -0,0 +1,165 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationProfileFactory = exports.FACTORY_META = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = exports.PROFILE_NAME_NOOP = exports.PROFILE_NAME_OAUTH2_CALLBACK = exports.PROFILE_NAME_OAUTH2_GATED = exports.PROFILE_NAME_OAUTH2 = exports.PROFILE_NAME_DEFAULT = void 0;
+const factory_1 = require("@naylence/factory");
+const logging_js_1 = require("../../util/logging.js");
+const authorizer_factory_js_1 = require("./authorizer-factory.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.security.auth.authorization_profile_factory');
+exports.PROFILE_NAME_DEFAULT = 'jwt';
+exports.PROFILE_NAME_OAUTH2 = 'oauth2';
+exports.PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
+exports.PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+exports.PROFILE_NAME_NOOP = 'noop';
+exports.ENV_VAR_JWT_TRUSTED_ISSUER = 'FAME_JWT_TRUSTED_ISSUER';
+exports.ENV_VAR_JWT_ALGORITHM = 'FAME_JWT_ALGORITHM';
+exports.ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
+exports.ENV_VAR_JWKS_URL = 'FAME_JWKS_URL';
+exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
+exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+exports.ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
+const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
+const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_PROFILE = {
+    type: 'DefaultAuthorizer',
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
+        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
+    },
+};
+const OAUTH2_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
+    required_scopes: ['node.connect'],
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
+    audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
+};
+const OAUTH2_GATED_PROFILE = {
+    ...OAUTH2_PROFILE,
+    enforce_token_subject_node_identity: factory_1.Expressions.env(exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
+    trusted_client_scope: factory_1.Expressions.env(exports.ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+};
+const OAUTH2_CALLBACK_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+    audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    reverse_auth_ttl_sec: 86400,
+    token_verifier_config: {
+        type: 'JWTTokenVerifier',
+        algorithm: 'HS256',
+        hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
+        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+    },
+    token_issuer_config: {
+        type: 'JWTTokenIssuer',
+        algorithm: 'HS256',
+        hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
+        kid: 'hmac-reverse-auth-key',
+        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
+    },
+};
+const NOOP_PROFILE = {
+    type: 'NoopAuthorizer',
+};
+const PROFILE_MAP = {
+    [exports.PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [exports.PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
+    [exports.PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
+    [exports.PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [exports.PROFILE_NAME_NOOP]: NOOP_PROFILE,
+};
+const PROFILE_ALIASES = {
+    jwt: exports.PROFILE_NAME_DEFAULT,
+    jwks: exports.PROFILE_NAME_DEFAULT,
+    default: exports.PROFILE_NAME_DEFAULT,
+    oauth2: exports.PROFILE_NAME_OAUTH2,
+    oidc: exports.PROFILE_NAME_OAUTH2,
+    'oauth2-gated': exports.PROFILE_NAME_OAUTH2_GATED,
+    oauth2_gated: exports.PROFILE_NAME_OAUTH2_GATED,
+    'oauth2-callback': exports.PROFILE_NAME_OAUTH2_CALLBACK,
+    oauth2_callback: exports.PROFILE_NAME_OAUTH2_CALLBACK,
+    'reverse-auth': exports.PROFILE_NAME_OAUTH2_CALLBACK,
+    noop: exports.PROFILE_NAME_NOOP,
+    'no-op': exports.PROFILE_NAME_NOOP,
+    no_op: exports.PROFILE_NAME_NOOP,
+};
+exports.FACTORY_META = {
+    base: authorizer_factory_js_1.AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'AuthorizationProfile',
+};
+class AuthorizationProfileFactory extends authorizer_factory_js_1.AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'AuthorizationProfile';
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig(config);
+        const profileConfig = resolveProfileConfig(normalized.profile);
+        logger.debug('enabling_authorization_profile', {
+            profile: normalized.profile,
+        });
+        const authorizer = await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        if (!authorizer) {
+            throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
+        }
+        return authorizer;
+    }
+}
+exports.AuthorizationProfileFactory = AuthorizationProfileFactory;
+function normalizeConfig(config) {
+    if (!config) {
+        return { profile: exports.PROFILE_NAME_OAUTH2 };
+    }
+    const candidate = config;
+    const profileValue = resolveProfileName(candidate);
+    const canonicalProfile = canonicalizeProfileName(profileValue);
+    candidate.profile = canonicalProfile;
+    return { profile: canonicalProfile };
+}
+function resolveProfileName(candidate) {
+    const direct = coerceProfileString(candidate.profile);
+    if (direct) {
+        return direct;
+    }
+    const legacyKeys = ['profile_name', 'profileName'];
+    for (const legacyKey of legacyKeys) {
+        const legacyValue = coerceProfileString(candidate[legacyKey]);
+        if (legacyValue) {
+            return legacyValue;
+        }
+    }
+    return exports.PROFILE_NAME_OAUTH2;
+}
+function coerceProfileString(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function canonicalizeProfileName(value) {
+    const normalized = value.replace(/[\s_]+/g, '-').toLowerCase();
+    return PROFILE_ALIASES[normalized] ?? normalized;
+}
+function resolveProfileConfig(profileName) {
+    const profile = PROFILE_MAP[profileName];
+    if (!profile) {
+        throw new Error(`Unknown authorization profile: ${profileName}`);
+    }
+    return deepClone(profile);
+}
+function deepClone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+exports.default = AuthorizationProfileFactory;

package/dist/cjs/naylence/fame/security/index.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = exports.CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE = exports.EdDSAEnvelopeSigner = exports.encodeUtf8 = exports.immutableHeaders = exports.frameDigest = exports.decodeBase64Url = exports.canonicalJson = exports.SigningConfigClass = exports.SECURITY_MANAGER_FACTORY_BASE_TYPE = exports.SECURITY_POLICY_FACTORY_BASE_TYPE = exports.KEY_STORE_FACTORY_BASE_TYPE = exports.ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE = exports.KEY_MANAGER_FACTORY_BASE_TYPE = exports.SecureChannelManagerFactory = exports.SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE = exports.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE = exports.NoopTrustStoreProvider = exports.TrustStoreProviderFactory = exports.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = exports.CertificateManagerFactory = exports.CERTIFICATE_MANAGER_FACTORY_BASE_TYPE = exports.TokenProviderFactory = exports.TOKEN_PROVIDER_FACTORY_BASE_TYPE = exports.TokenVerifierFactory = exports.TOKEN_VERIFIER_FACTORY_BASE_TYPE = exports.TokenIssuerFactory = exports.TOKEN_ISSUER_FACTORY_BASE_TYPE = exports.AuthInjectionStrategyFactory = exports.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE = exports.AuthorizerFactory = exports.AUTHORIZER_FACTORY_BASE_TYPE = void 0;
+exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = exports.CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE = exports.EdDSAEnvelopeSigner = exports.encodeUtf8 = exports.immutableHeaders = exports.frameDigest = exports.decodeBase64Url = exports.canonicalJson = exports.SigningConfigClass = exports.SECURITY_MANAGER_FACTORY_BASE_TYPE = exports.SECURITY_POLICY_FACTORY_BASE_TYPE = exports.KEY_STORE_FACTORY_BASE_TYPE = exports.ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE = exports.KEY_MANAGER_FACTORY_BASE_TYPE = exports.SecureChannelManagerFactory = exports.SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE = exports.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE = exports.NoopTrustStoreProvider = exports.TrustStoreProviderFactory = exports.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = exports.CertificateManagerFactory = exports.CERTIFICATE_MANAGER_FACTORY_BASE_TYPE = exports.TokenProviderFactory = exports.TOKEN_PROVIDER_FACTORY_BASE_TYPE = exports.TokenVerifierFactory = exports.TOKEN_VERIFIER_FACTORY_BASE_TYPE = exports.TokenIssuerFactory = exports.TOKEN_ISSUER_FACTORY_BASE_TYPE = exports.AuthInjectionStrategyFactory = exports.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE = exports.AUTH_PROFILE_ENV_VAR_HMAC_SECRET = exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.AUTH_PROFILE_ENV_VAR_JWKS_URL = exports.AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE = exports.AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM = exports.AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER = exports.AUTH_PROFILE_NAME_NOOP = exports.AUTH_PROFILE_NAME_OAUTH2_CALLBACK = exports.AUTH_PROFILE_NAME_OAUTH2_GATED = exports.AUTH_PROFILE_NAME_OAUTH2 = exports.AUTH_PROFILE_NAME_DEFAULT = exports.AuthorizationProfileFactory = exports.AuthorizerFactory = exports.AUTHORIZER_FACTORY_BASE_TYPE = void 0;
+exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_AUTHORIZATION_PROFILE = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = void 0;
 const tslib_1 = require("tslib");
 tslib_1.__exportStar(require("./auth/authorizer.js"), exports);
 tslib_1.__exportStar(require("./auth/auth-identity.js"), exports);
@@ -8,6 +9,22 @@ tslib_1.__exportStar(require("./auth/policy-authorizer.js"), exports);
 var authorizer_factory_js_1 = require("./auth/authorizer-factory.js");
 Object.defineProperty(exports, "AUTHORIZER_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return authorizer_factory_js_1.AUTHORIZER_FACTORY_BASE_TYPE; } });
 Object.defineProperty(exports, "AuthorizerFactory", { enumerable: true, get: function () { return authorizer_factory_js_1.AuthorizerFactory; } });
+var authorization_profile_factory_js_1 = require("./auth/authorization-profile-factory.js");
+Object.defineProperty(exports, "AuthorizationProfileFactory", { enumerable: true, get: function () { return authorization_profile_factory_js_1.AuthorizationProfileFactory; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_DEFAULT", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_DEFAULT; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_OAUTH2", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_OAUTH2; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_OAUTH2_GATED", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_OAUTH2_GATED; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_OAUTH2_CALLBACK", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_OAUTH2_CALLBACK; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_NOOP", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_NOOP; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_TRUSTED_ISSUER; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_ALGORITHM; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_AUDIENCE; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWKS_URL", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWKS_URL; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_TRUSTED_CLIENT_SCOPE; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_HMAC_SECRET", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_HMAC_SECRET; } });
 tslib_1.__exportStar(require("./auth/auth-injection-strategy.js"), exports);
 // Authorization policy exports
 tslib_1.__exportStar(require("./auth/policy/index.js"), exports);
@@ -112,6 +129,7 @@ Object.defineProperty(exports, "ENV_VAR_DEFAULT_ENCRYPTION_LEVEL", { enumerable:
 Object.defineProperty(exports, "ENV_VAR_HMAC_SECRET", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_HMAC_SECRET; } });
 Object.defineProperty(exports, "ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER; } });
 Object.defineProperty(exports, "ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE; } });
+Object.defineProperty(exports, "ENV_VAR_AUTHORIZATION_PROFILE", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_AUTHORIZATION_PROFILE; } });
 Object.defineProperty(exports, "PROFILE_NAME_STRICT_OVERLAY", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_STRICT_OVERLAY; } });
 Object.defineProperty(exports, "PROFILE_NAME_OVERLAY", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_OVERLAY; } });
 Object.defineProperty(exports, "PROFILE_NAME_OVERLAY_CALLBACK", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_OVERLAY_CALLBACK; } });

package/dist/cjs/naylence/fame/security/node-security-profile-factory.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
+exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_AUTHORIZATION_PROFILE = exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
 const factory_1 = require("@naylence/factory");
 const security_manager_factory_js_1 = require("./security-manager-factory.js");
 const logging_js_1 = require("../util/logging.js");
@@ -15,14 +15,13 @@ exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED
 exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+exports.ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
 exports.PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 exports.PROFILE_NAME_OVERLAY = 'overlay';
 exports.PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 exports.PROFILE_NAME_GATED = 'gated';
 exports.PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 exports.PROFILE_NAME_OPEN = 'open';
-const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
-const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
 const STRICT_OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -68,12 +67,8 @@ const STRICT_OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'DefaultAuthorizer',
-        verifier: {
-            type: 'JWKSJWTTokenVerifier',
-            jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
     },
 };
 const OVERLAY_PROFILE = {
@@ -120,14 +115,8 @@ const OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2'),
     },
 };
 const OVERLAY_CALLBACK_PROFILE = {
@@ -174,29 +163,8 @@ const OVERLAY_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const GATED_PROFILE = {
@@ -242,16 +210,8 @@ const GATED_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
-        enforce_token_subject_node_identity: factory_1.Expressions.env(exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
-        trusted_client_scope: factory_1.Expressions.env(exports.ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-gated'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -297,29 +257,8 @@ const GATED_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const OPEN_PROFILE = {
@@ -328,7 +267,8 @@ const OPEN_PROFILE = {
         type: 'NoSecurityPolicy',
     },
     authorizer: {
-        type: 'NoopAuthorizer',
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'noop'),
     },
 };
 const PROFILE_MAP = {

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.0
+// Generated from package.json version: 0.4.2
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.4.0';
+exports.VERSION = '0.4.2';

package/dist/esm/naylence/fame/factory-manifest.js

@@ -27,6 +27,7 @@ export const MODULES = [
     "./node/node-identity-policy-profile-factory.js",
     "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
+    "./security/auth/authorization-profile-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
     "./security/auth/default-policy-authorizer-factory.js",
@@ -109,6 +110,7 @@ export const MODULE_LOADERS = {
     "./node/node-identity-policy-profile-factory.js": () => import("./node/node-identity-policy-profile-factory.js"),
     "./node/token-subject-node-identity-policy-factory.js": () => import("./node/token-subject-node-identity-policy-factory.js"),
     "./placement/static-node-placement-strategy-factory.js": () => import("./placement/static-node-placement-strategy-factory.js"),
+    "./security/auth/authorization-profile-factory.js": () => import("./security/auth/authorization-profile-factory.js"),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => import("./security/auth/bearer-token-header-auth-injection-strategy-factory.js"),
     "./security/auth/default-authorizer-factory.js": () => import("./security/auth/default-authorizer-factory.js"),
     "./security/auth/default-policy-authorizer-factory.js": () => import(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/default-policy-authorizer-factory.js"),

package/dist/esm/naylence/fame/node/default-node-identity-policy.js

@@ -1,8 +1,10 @@
 import { generateIdAsync } from '@naylence/core';
-import { TokenProviderFactory } from '../security/auth/token-provider-factory.js';
-import { isIdentityExposingTokenProvider } from '../security/auth/token-provider.js';
-import { getLogger } from '../util/logging.js';
-const logger = getLogger('naylence.fame.node.default_node_identity_policy');
+/**
+ * Default node identity policy that preserves the current node ID.
+ *
+ * This policy does NOT derive identity from tokens or grants.
+ * For token-subject-based identity, use TokenSubjectNodeIdentityPolicy.
+ */
 export class DefaultNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -14,43 +16,9 @@ export class DefaultNodeIdentityPolicy {
         return await generateIdAsync({ mode: 'fingerprint' });
     }
     async resolveAdmissionNodeId(context) {
-        // Try to extract identity from grants first
-        if (context.grants && context.grants.length > 0) {
-            for (const grant of context.grants) {
-                try {
-                    const auth = grant.auth;
-                    if (!auth) {
-                        continue;
-                    }
-                    const tokenProviderConfig = (auth.tokenProvider ??
-                        auth.token_provider);
-                    if (!tokenProviderConfig ||
-                        typeof tokenProviderConfig.type !== 'string') {
-                        continue;
-                    }
-                    const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
-                    if (isIdentityExposingTokenProvider(provider)) {
-                        const identity = await provider.getIdentity();
-                        if (identity && identity.subject) {
-                            logger.debug('identity_extracted_from_grant', {
-                                identity_id: identity.subject,
-                                grant_type: grant.type,
-                            });
-                            return identity.subject;
-                        }
-                    }
-                }
-                catch (error) {
-                    logger.warning('identity_extraction_failed', {
-                        error: error instanceof Error ? error.message : String(error),
-                        grant_type: grant.type,
-                    });
-                }
-            }
+        if (context.currentNodeId) {
+            return context.currentNodeId;
         }
-        if (!context.currentNodeId) {
-            return await generateIdAsync({ mode: 'fingerprint' });
-        }
-        return context.currentNodeId;
+        return await generateIdAsync({ mode: 'fingerprint' });
     }
 }