npm - @naylence/runtime - Versions diffs - 0.4.0 → 0.4.2 - Mend

@naylence/runtime 0.4.0 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/browser/index.cjs +516 -407
package/dist/browser/index.mjs +501 -408
package/dist/cjs/naylence/fame/factory-manifest.js +2 -0
package/dist/cjs/naylence/fame/node/default-node-identity-policy.js +9 -41
package/dist/cjs/naylence/fame/security/auth/authorization-profile-factory.js +165 -0
package/dist/cjs/naylence/fame/security/index.js +19 -1
package/dist/cjs/naylence/fame/security/node-security-profile-factory.js +14 -74
package/dist/cjs/version.js +2 -2
package/dist/esm/naylence/fame/factory-manifest.js +2 -0
package/dist/esm/naylence/fame/node/default-node-identity-policy.js +9 -41
package/dist/esm/naylence/fame/security/auth/authorization-profile-factory.js +161 -0
package/dist/esm/naylence/fame/security/index.js +2 -1
package/dist/esm/naylence/fame/security/node-security-profile-factory.js +13 -73
package/dist/esm/version.js +2 -2
package/dist/node/index.cjs +516 -407
package/dist/node/index.mjs +501 -408
package/dist/node/node.cjs +508 -399
package/dist/node/node.mjs +493 -400
package/dist/types/naylence/fame/factory-manifest.d.ts +1 -1
package/dist/types/naylence/fame/node/default-node-identity-policy.d.ts +6 -0
package/dist/types/naylence/fame/security/auth/authorization-profile-factory.d.ts +29 -0
package/dist/types/naylence/fame/security/index.d.ts +3 -1
package/dist/types/naylence/fame/security/node-security-profile-factory.d.ts +1 -0
package/dist/types/version.d.ts +1 -1
package/package.json +1 -1

package/dist/esm/naylence/fame/security/auth/authorization-profile-factory.js ADDED Viewed

@@ -0,0 +1,161 @@
+import { Expressions } from '@naylence/factory';
+import { getLogger } from '../../util/logging.js';
+import { AUTHORIZER_FACTORY_BASE_TYPE, AuthorizerFactory, } from './authorizer-factory.js';
+const logger = getLogger('naylence.fame.security.auth.authorization_profile_factory');
+export const PROFILE_NAME_DEFAULT = 'jwt';
+export const PROFILE_NAME_OAUTH2 = 'oauth2';
+export const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
+export const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+export const PROFILE_NAME_NOOP = 'noop';
+export const ENV_VAR_JWT_TRUSTED_ISSUER = 'FAME_JWT_TRUSTED_ISSUER';
+export const ENV_VAR_JWT_ALGORITHM = 'FAME_JWT_ALGORITHM';
+export const ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
+export const ENV_VAR_JWKS_URL = 'FAME_JWKS_URL';
+export const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+export const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+export const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
+export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+export const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
+const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
+const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_PROFILE = {
+    type: 'DefaultAuthorizer',
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+    },
+};
+const OAUTH2_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+    required_scopes: ['node.connect'],
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
+    audience: Expressions.env(ENV_VAR_JWT_AUDIENCE),
+};
+const OAUTH2_GATED_PROFILE = {
+    ...OAUTH2_PROFILE,
+    enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
+    trusted_client_scope: Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+};
+const OAUTH2_CALLBACK_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+    audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    reverse_auth_ttl_sec: 86400,
+    token_verifier_config: {
+        type: 'JWTTokenVerifier',
+        algorithm: 'HS256',
+        hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
+        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+    },
+    token_issuer_config: {
+        type: 'JWTTokenIssuer',
+        algorithm: 'HS256',
+        hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
+        kid: 'hmac-reverse-auth-key',
+        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
+    },
+};
+const NOOP_PROFILE = {
+    type: 'NoopAuthorizer',
+};
+const PROFILE_MAP = {
+    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
+    [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
+    [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_NOOP]: NOOP_PROFILE,
+};
+const PROFILE_ALIASES = {
+    jwt: PROFILE_NAME_DEFAULT,
+    jwks: PROFILE_NAME_DEFAULT,
+    default: PROFILE_NAME_DEFAULT,
+    oauth2: PROFILE_NAME_OAUTH2,
+    oidc: PROFILE_NAME_OAUTH2,
+    'oauth2-gated': PROFILE_NAME_OAUTH2_GATED,
+    oauth2_gated: PROFILE_NAME_OAUTH2_GATED,
+    'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
+    oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
+    'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    noop: PROFILE_NAME_NOOP,
+    'no-op': PROFILE_NAME_NOOP,
+    no_op: PROFILE_NAME_NOOP,
+};
+export const FACTORY_META = {
+    base: AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'AuthorizationProfile',
+};
+export class AuthorizationProfileFactory extends AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'AuthorizationProfile';
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig(config);
+        const profileConfig = resolveProfileConfig(normalized.profile);
+        logger.debug('enabling_authorization_profile', {
+            profile: normalized.profile,
+        });
+        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        if (!authorizer) {
+            throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
+        }
+        return authorizer;
+    }
+}
+function normalizeConfig(config) {
+    if (!config) {
+        return { profile: PROFILE_NAME_OAUTH2 };
+    }
+    const candidate = config;
+    const profileValue = resolveProfileName(candidate);
+    const canonicalProfile = canonicalizeProfileName(profileValue);
+    candidate.profile = canonicalProfile;
+    return { profile: canonicalProfile };
+}
+function resolveProfileName(candidate) {
+    const direct = coerceProfileString(candidate.profile);
+    if (direct) {
+        return direct;
+    }
+    const legacyKeys = ['profile_name', 'profileName'];
+    for (const legacyKey of legacyKeys) {
+        const legacyValue = coerceProfileString(candidate[legacyKey]);
+        if (legacyValue) {
+            return legacyValue;
+        }
+    }
+    return PROFILE_NAME_OAUTH2;
+}
+function coerceProfileString(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function canonicalizeProfileName(value) {
+    const normalized = value.replace(/[\s_]+/g, '-').toLowerCase();
+    return PROFILE_ALIASES[normalized] ?? normalized;
+}
+function resolveProfileConfig(profileName) {
+    const profile = PROFILE_MAP[profileName];
+    if (!profile) {
+        throw new Error(`Unknown authorization profile: ${profileName}`);
+    }
+    return deepClone(profile);
+}
+function deepClone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+export default AuthorizationProfileFactory;

package/dist/esm/naylence/fame/security/index.js CHANGED Viewed

@@ -2,6 +2,7 @@ export * from './auth/authorizer.js';
 export * from './auth/auth-identity.js';
 export * from './auth/policy-authorizer.js';
 export { AUTHORIZER_FACTORY_BASE_TYPE, AuthorizerFactory, } from './auth/authorizer-factory.js';
+export { AuthorizationProfileFactory, PROFILE_NAME_DEFAULT as AUTH_PROFILE_NAME_DEFAULT, PROFILE_NAME_OAUTH2 as AUTH_PROFILE_NAME_OAUTH2, PROFILE_NAME_OAUTH2_GATED as AUTH_PROFILE_NAME_OAUTH2_GATED, PROFILE_NAME_OAUTH2_CALLBACK as AUTH_PROFILE_NAME_OAUTH2_CALLBACK, PROFILE_NAME_NOOP as AUTH_PROFILE_NAME_NOOP, ENV_VAR_JWT_TRUSTED_ISSUER as AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_JWT_ALGORITHM as AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE as AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWKS_URL as AUTH_PROFILE_ENV_VAR_JWKS_URL, ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY as AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, ENV_VAR_TRUSTED_CLIENT_SCOPE as AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_HMAC_SECRET as AUTH_PROFILE_ENV_VAR_HMAC_SECRET, } from './auth/authorization-profile-factory.js';
 export * from './auth/auth-injection-strategy.js';
 // Authorization policy exports
 export * from './auth/policy/index.js';
@@ -68,4 +69,4 @@ export * from './credential/browser-auto-key-credential-provider.js';
 export * from './credential/browser-wrapped-key-credential-provider.js';
 export * from './credential/session-key-credential-provider.js';
 export * from './credential/dev-fixed-key-credential-provider.js';
-export { ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWKS_URL, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, PROFILE_NAME_STRICT_OVERLAY, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN, } from './node-security-profile-factory.js';
+export { ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWKS_URL, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_AUTHORIZATION_PROFILE, PROFILE_NAME_STRICT_OVERLAY, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN, } from './node-security-profile-factory.js';

package/dist/esm/naylence/fame/security/node-security-profile-factory.js CHANGED Viewed

@@ -12,14 +12,13 @@ export const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TR
 export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 export const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 export const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+export const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
 export const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 export const PROFILE_NAME_OVERLAY = 'overlay';
 export const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 export const PROFILE_NAME_GATED = 'gated';
 export const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 export const PROFILE_NAME_OPEN = 'open';
-const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
-const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
 const STRICT_OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -65,12 +64,8 @@ const STRICT_OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'DefaultAuthorizer',
-        verifier: {
-            type: 'JWKSJWTTokenVerifier',
-            jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
-            issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
     },
 };
 const OVERLAY_PROFILE = {
@@ -117,14 +112,8 @@ const OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: Expressions.env(ENV_VAR_JWT_AUDIENCE),
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2'),
     },
 };
 const OVERLAY_CALLBACK_PROFILE = {
@@ -171,29 +160,8 @@ const OVERLAY_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const GATED_PROFILE = {
@@ -239,16 +207,8 @@ const GATED_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: Expressions.env(ENV_VAR_JWT_AUDIENCE),
-        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
-        trusted_client_scope: Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-gated'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -294,29 +254,8 @@ const GATED_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const OPEN_PROFILE = {
@@ -325,7 +264,8 @@ const OPEN_PROFILE = {
         type: 'NoSecurityPolicy',
     },
     authorizer: {
-        type: 'NoopAuthorizer',
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'noop'),
     },
 };
 const PROFILE_MAP = {

package/dist/esm/version.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.0
+// Generated from package.json version: 0.4.2
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.4.0';
+export const VERSION = '0.4.2';