@naylence/advanced-security 0.3.15 → 0.4.1

package/dist/browser/index.cjs

@@ -2,12 +2,13 @@
 
 var factory = require('@naylence/factory');
 var runtime = require('@naylence/runtime');
+var sha256 = require('@noble/hashes/sha256');
+var core = require('@naylence/core');
 var asn1Schema = require('@peculiar/asn1-schema');
 var asn1Csr = require('@peculiar/asn1-csr');
 var asn1X509 = require('@peculiar/asn1-x509');
 var ed25519 = require('@noble/ed25519');
 var sha2_js = require('@noble/hashes/sha2.js');
-var core = require('@naylence/core');
 var chacha_js = require('@noble/ciphers/chacha.js');
 var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
@@ -23,6 +24,7 @@ var x509 = require('@peculiar/x509');
  * Provides the list of advanced security factory modules for registration.
  */
 const MODULES = [
+    "./security/auth/policy/advanced-authorization-policy-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/default-certificate-manager-factory.js",
     "./security/cert/trust-store/browser-trust-store-provider-factory.js",
@@ -39,6 +41,7 @@ const MODULES = [
     "./welcome/advanced-welcome-service-factory.js"
 ];
 const MODULE_LOADERS = {
+    "./security/auth/policy/advanced-authorization-policy-factory.js": () => Promise.resolve().then(function () { return advancedAuthorizationPolicyFactory; }),
     "./security/cert/default-ca-service-factory.js": () => Promise.resolve().then(function () { return defaultCaServiceFactory; }),
     "./security/cert/default-certificate-manager-factory.js": () => Promise.resolve().then(function () { return defaultCertificateManagerFactory; }),
     "./security/cert/trust-store/browser-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return browserTrustStoreProviderFactory; }),
@@ -216,6 +219,75 @@ function getEncryptionManagerFactoryRegistry() {
     return globalRegistry;
 }
 
+/**
+ * Strict Overlay Security Profile
+ *
+ * Provides the strict-overlay security profile for advanced security scenarios.
+ * This profile requires X.509 certificate-based signing and supports both
+ * channel and sealed encryption modes.
+ */
+const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = "FAME_DEFAULT_ENCRYPTION_LEVEL";
+const ENV_VAR_AUTHORIZATION_PROFILE = "FAME_AUTHORIZATION_PROFILE";
+const PROFILE_NAME_STRICT_OVERLAY = "strict-overlay";
+const STRICT_OVERLAY_PROFILE = {
+    type: "DefaultSecurityManager",
+    security_policy: {
+        type: "DefaultSecurityPolicy",
+        signing: {
+            signing_material: "x509-chain",
+            require_cert_sid_match: true,
+            inbound: {
+                signature_policy: "required",
+                unsigned_violation_action: "nack",
+                invalid_signature_action: "nack",
+            },
+            response: {
+                mirror_request_signing: true,
+                always_sign_responses: false,
+                sign_error_responses: true,
+            },
+            outbound: {
+                default_signing: true,
+                sign_sensitive_operations: true,
+                sign_if_recipient_expects: true,
+            },
+        },
+        encryption: {
+            inbound: {
+                allow_plaintext: true,
+                allow_channel: true,
+                allow_sealed: true,
+                plaintext_violation_action: "nack",
+                channel_violation_action: "nack",
+                sealed_violation_action: "nack",
+            },
+            response: {
+                mirror_request_level: true,
+                minimum_response_level: "plaintext",
+                escalate_sealed_responses: false,
+            },
+            outbound: {
+                default_level: factory.Expressions.env(ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, "channel"),
+                escalate_if_peer_supports: false,
+                prefer_sealed_for_sensitive: false,
+            },
+        },
+    },
+    authorizer: {
+        type: "AuthorizationProfile",
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, "jwt"),
+    },
+};
+// Register the strict-overlay profile
+runtime.registerProfile(runtime.SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: "advanced-security:strict-overlay-security-profile", allowOverride: true });
+
+var strictOverlaySecurityProfile = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    ENV_VAR_AUTHORIZATION_PROFILE: ENV_VAR_AUTHORIZATION_PROFILE,
+    ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    PROFILE_NAME_STRICT_OVERLAY: PROFILE_NAME_STRICT_OVERLAY
+});
+
 const SECURITY_PREFIX = "./security/";
 const SECURITY_MODULES = MODULES.filter((spec) => spec.startsWith(SECURITY_PREFIX));
 const EXTRA_MODULES = MODULES.filter((spec) => !spec.startsWith(SECURITY_PREFIX));
@@ -500,12 +572,12 @@ async function registerAdvancedSecurityFactories(registrar = factory.Registry, o
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.15
+// Generated from package.json version: 0.4.1
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.15';
+const VERSION = '0.4.1';
 
 async function registerAdvancedSecurityPluginFactories(registrar = factory.Registry) {
     await registerAdvancedSecurityFactories(registrar);
@@ -530,6 +602,8 @@ const advancedSecurityPlugin = {
             try {
                 // console.log('[naylence:advanced-security] registering advanced security factories...');
                 await registerAdvancedSecurityPluginFactories();
+                // Import modules with side-effect registrations (not in manifest)
+                await Promise.resolve().then(function () { return strictOverlaySecurityProfile; });
                 // console.log('[naylence:advanced-security] advanced security factories registered');
                 initialized = true;
             }
@@ -549,6 +623,2602 @@ var plugin = /*#__PURE__*/Object.freeze({
     registerAdvancedSecurityPluginFactories: registerAdvancedSecurityPluginFactories
 });
 
+/**
+ * Abstract Syntax Tree (AST) node types for the expression language.
+ *
+ * The AST is produced by the parser and consumed by the evaluator.
+ */
+// ============================================================
+// AST Utilities
+// ============================================================
+/**
+ * Counts the total number of nodes in an AST.
+ */
+function countAstNodes(node) {
+    let count = 1;
+    switch (node.type) {
+        case "StringLiteral":
+        case "NumberLiteral":
+        case "BooleanLiteral":
+        case "NullLiteral":
+        case "Identifier":
+            return count;
+        case "ArrayLiteral":
+            for (const element of node.elements) {
+                count += countAstNodes(element);
+            }
+            return count;
+        case "MemberAccess":
+            return count + countAstNodes(node.object);
+        case "IndexAccess":
+            return count + countAstNodes(node.object) + countAstNodes(node.index);
+        case "FunctionCall":
+            for (const arg of node.args) {
+                count += countAstNodes(arg);
+            }
+            return count;
+        case "UnaryOp":
+            return count + countAstNodes(node.operand);
+        case "BinaryOp":
+            return count + countAstNodes(node.left) + countAstNodes(node.right);
+        case "TernaryOp":
+            return (count +
+                countAstNodes(node.condition) +
+                countAstNodes(node.consequent) +
+                countAstNodes(node.alternate));
+    }
+}
+/**
+ * Calculates the maximum depth of an AST.
+ */
+function calculateAstDepth(node) {
+    switch (node.type) {
+        case "StringLiteral":
+        case "NumberLiteral":
+        case "BooleanLiteral":
+        case "NullLiteral":
+        case "Identifier":
+            return 1;
+        case "ArrayLiteral": {
+            let maxChildDepth = 0;
+            for (const element of node.elements) {
+                maxChildDepth = Math.max(maxChildDepth, calculateAstDepth(element));
+            }
+            return 1 + maxChildDepth;
+        }
+        case "MemberAccess":
+            return 1 + calculateAstDepth(node.object);
+        case "IndexAccess":
+            return (1 +
+                Math.max(calculateAstDepth(node.object), calculateAstDepth(node.index)));
+        case "FunctionCall": {
+            let maxArgDepth = 0;
+            for (const arg of node.args) {
+                maxArgDepth = Math.max(maxArgDepth, calculateAstDepth(arg));
+            }
+            return 1 + maxArgDepth;
+        }
+        case "UnaryOp":
+            return 1 + calculateAstDepth(node.operand);
+        case "BinaryOp":
+            return (1 +
+                Math.max(calculateAstDepth(node.left), calculateAstDepth(node.right)));
+        case "TernaryOp":
+            return (1 +
+                Math.max(calculateAstDepth(node.condition), calculateAstDepth(node.consequent), calculateAstDepth(node.alternate)));
+    }
+}
+
+/**
+ * Error types for the expression evaluation engine.
+ *
+ * All expression errors extend ExpressionError for consistent handling.
+ */
+/**
+ * Base error class for all expression-related errors.
+ */
+class ExpressionError extends Error {
+    constructor(message, position, expression) {
+        super(message);
+        this.name = "ExpressionError";
+        this.position = position;
+        this.expression = expression;
+    }
+    /**
+     * Returns a formatted error message with position context.
+     */
+    formatWithContext() {
+        if (this.expression === undefined || this.position === undefined) {
+            return this.message;
+        }
+        const pointer = " ".repeat(this.position) + "^";
+        return `${this.message}\n  ${this.expression}\n  ${pointer}`;
+    }
+}
+/**
+ * Error thrown during tokenization (lexical analysis).
+ */
+class TokenizerError extends ExpressionError {
+    constructor(message, position, expression) {
+        super(message, position, expression);
+        this.name = "TokenizerError";
+    }
+}
+/**
+ * Error thrown during parsing (syntax analysis).
+ */
+class ParseError extends ExpressionError {
+    constructor(message, position, expression) {
+        super(message, position, expression);
+        this.name = "ParseError";
+    }
+}
+/**
+ * Error thrown during evaluation (runtime error).
+ */
+class EvaluationError extends ExpressionError {
+    constructor(message, position, expression, path) {
+        super(message, position, expression);
+        this.name = "EvaluationError";
+        this.path = path;
+    }
+}
+/**
+ * Error thrown for type mismatches during evaluation.
+ */
+class TypeError extends EvaluationError {
+    constructor(expected, actual, position, expression) {
+        super(`Type error: expected ${expected}, got ${actual}`, position, expression);
+        this.name = "TypeError";
+        this.expected = expected;
+        this.actual = actual;
+    }
+}
+/**
+ * Error thrown when a built-in function encounters an error.
+ */
+class BuiltinError extends EvaluationError {
+    constructor(functionName, message, position, expression) {
+        super(`${functionName}: ${message}`, position, expression);
+        this.name = "BuiltinError";
+        this.functionName = functionName;
+    }
+}
+
+/**
+ * Resource limits for expression parsing and evaluation.
+ *
+ * These limits protect against resource exhaustion attacks and
+ * overly complex expressions.
+ */
+/**
+ * Default expression limits.
+ *
+ * These values are chosen to allow reasonable expressions while
+ * preventing resource exhaustion.
+ */
+const DEFAULT_EXPRESSION_LIMITS = {
+    maxExpressionLength: 4096,
+    maxAstDepth: 32,
+    maxAstNodes: 256,
+    maxRegexPatternLength: 256,
+    maxGlobPatternLength: 256,
+    maxStringLength: 1024,
+    maxArrayLength: 64,
+    maxFunctionArgs: 16,
+    maxMemberAccessDepth: 16,
+};
+/**
+ * Validates that expression length is within limits.
+ */
+function checkExpressionLength(expression, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (expression.length > limits.maxExpressionLength) {
+        throw new Error(`Expression length ${expression.length} exceeds limit of ${limits.maxExpressionLength}`);
+    }
+}
+/**
+ * Validates AST depth during parsing.
+ */
+function checkAstDepth(depth, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (depth > limits.maxAstDepth) {
+        throw new Error(`AST depth ${depth} exceeds limit of ${limits.maxAstDepth}`);
+    }
+}
+/**
+ * Validates AST node count during parsing.
+ */
+function checkAstNodeCount(count, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (count > limits.maxAstNodes) {
+        throw new Error(`AST node count ${count} exceeds limit of ${limits.maxAstNodes}`);
+    }
+}
+/**
+ * Validates regex pattern length before compilation.
+ */
+function checkRegexPatternLength(pattern, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (pattern.length > limits.maxRegexPatternLength) {
+        throw new Error(`Regex pattern length ${pattern.length} exceeds limit of ${limits.maxRegexPatternLength}`);
+    }
+}
+/**
+ * Validates glob pattern length before compilation.
+ */
+function checkGlobPatternLength(pattern, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (pattern.length > limits.maxGlobPatternLength) {
+        throw new Error(`Glob pattern length ${pattern.length} exceeds limit of ${limits.maxGlobPatternLength}`);
+    }
+}
+/**
+ * Validates array length during evaluation.
+ */
+function checkArrayLength(length, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (length > limits.maxArrayLength) {
+        throw new Error(`Array length ${length} exceeds limit of ${limits.maxArrayLength}`);
+    }
+}
+/**
+ * Validates function argument count.
+ */
+function checkFunctionArgCount(count, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (count > limits.maxFunctionArgs) {
+        throw new Error(`Function argument count ${count} exceeds limit of ${limits.maxFunctionArgs}`);
+    }
+}
+
+/**
+ * Tokenizer (lexer) for the expression language.
+ *
+ * Converts expression strings into a stream of tokens for the parser.
+ */
+/**
+ * Keywords recognized by the tokenizer.
+ */
+const KEYWORDS = new Map([
+    ["true", "TRUE"],
+    ["false", "FALSE"],
+    ["null", "NULL"],
+    ["in", "IN"],
+    ["not", "NOT"],
+]);
+/**
+ * Checks if a character is a digit.
+ */
+function isDigit(ch) {
+    return ch >= "0" && ch <= "9";
+}
+/**
+ * Checks if a character can start an identifier.
+ */
+function isIdentifierStart(ch) {
+    return ((ch >= "a" && ch <= "z") ||
+        (ch >= "A" && ch <= "Z") ||
+        ch === "_");
+}
+/**
+ * Checks if a character can continue an identifier.
+ */
+function isIdentifierPart(ch) {
+    return isIdentifierStart(ch) || isDigit(ch);
+}
+/**
+ * Checks if a character is whitespace.
+ */
+function isWhitespace(ch) {
+    return ch === " " || ch === "\t" || ch === "\n" || ch === "\r";
+}
+/**
+ * Tokenizer for expression strings.
+ */
+class Tokenizer {
+    constructor(source, limits) {
+        this.position = 0;
+        this.tokens = [];
+        this.source = source;
+        this.limits = limits;
+    }
+    /**
+     * Tokenizes the source expression and returns all tokens.
+     */
+    tokenize() {
+        checkExpressionLength(this.source, this.limits);
+        while (!this.isAtEnd()) {
+            this.scanToken();
+        }
+        this.tokens.push({
+            type: "EOF",
+            value: "",
+            position: this.position,
+        });
+        return this.tokens;
+    }
+    isAtEnd() {
+        return this.position >= this.source.length;
+    }
+    peek() {
+        if (this.isAtEnd())
+            return "\0";
+        return this.source[this.position];
+    }
+    peekNext() {
+        if (this.position + 1 >= this.source.length)
+            return "\0";
+        return this.source[this.position + 1];
+    }
+    advance() {
+        return this.source[this.position++];
+    }
+    addToken(type, value, position) {
+        this.tokens.push({ type, value, position });
+    }
+    scanToken() {
+        const ch = this.advance();
+        const startPosition = this.position - 1;
+        // Skip whitespace
+        if (isWhitespace(ch)) {
+            return;
+        }
+        // Single-character tokens
+        switch (ch) {
+            case "(":
+                this.addToken("LPAREN", "(", startPosition);
+                return;
+            case ")":
+                this.addToken("RPAREN", ")", startPosition);
+                return;
+            case "[":
+                this.addToken("LBRACKET", "[", startPosition);
+                return;
+            case "]":
+                this.addToken("RBRACKET", "]", startPosition);
+                return;
+            case ".":
+                this.addToken("DOT", ".", startPosition);
+                return;
+            case ",":
+                this.addToken("COMMA", ",", startPosition);
+                return;
+            case "+":
+                this.addToken("PLUS", "+", startPosition);
+                return;
+            case "-":
+                this.addToken("MINUS", "-", startPosition);
+                return;
+            case "*":
+                this.addToken("STAR", "*", startPosition);
+                return;
+            case "/":
+                this.addToken("SLASH", "/", startPosition);
+                return;
+            case "%":
+                this.addToken("PERCENT", "%", startPosition);
+                return;
+            case "?":
+                this.addToken("QUESTION", "?", startPosition);
+                return;
+            case ":":
+                this.addToken("COLON", ":", startPosition);
+                return;
+        }
+        // Two-character operators
+        if (ch === "<") {
+            if (this.peek() === "=") {
+                this.advance();
+                this.addToken("LE", "<=", startPosition);
+            }
+            else {
+                this.addToken("LT", "<", startPosition);
+            }
+            return;
+        }
+        if (ch === ">") {
+            if (this.peek() === "=") {
+                this.advance();
+                this.addToken("GE", ">=", startPosition);
+            }
+            else {
+                this.addToken("GT", ">", startPosition);
+            }
+            return;
+        }
+        if (ch === "=") {
+            if (this.peek() === "=") {
+                this.advance();
+                this.addToken("EQ", "==", startPosition);
+                return;
+            }
+            throw new TokenizerError("Unexpected '='. Did you mean '=='?", startPosition, this.source);
+        }
+        if (ch === "!") {
+            if (this.peek() === "=") {
+                this.advance();
+                this.addToken("NE", "!=", startPosition);
+            }
+            else {
+                this.addToken("NOT", "!", startPosition);
+            }
+            return;
+        }
+        if (ch === "&") {
+            if (this.peek() === "&") {
+                this.advance();
+                this.addToken("AND", "&&", startPosition);
+                return;
+            }
+            throw new TokenizerError("Unexpected '&'. Did you mean '&&'?", startPosition, this.source);
+        }
+        if (ch === "|") {
+            if (this.peek() === "|") {
+                this.advance();
+                this.addToken("OR", "||", startPosition);
+                return;
+            }
+            throw new TokenizerError("Unexpected '|'. Did you mean '||'?", startPosition, this.source);
+        }
+        // String literals
+        if (ch === '"' || ch === "'") {
+            this.scanString(ch, startPosition);
+            return;
+        }
+        // Number literals
+        if (isDigit(ch)) {
+            this.scanNumber(startPosition);
+            return;
+        }
+        // Identifiers and keywords
+        if (isIdentifierStart(ch)) {
+            this.scanIdentifier(startPosition);
+            return;
+        }
+        throw new TokenizerError(`Unexpected character: '${ch}'`, startPosition, this.source);
+    }
+    scanString(quote, startPosition) {
+        let value = "";
+        while (!this.isAtEnd() && this.peek() !== quote) {
+            const ch = this.advance();
+            if (ch === "\\") {
+                // Escape sequence
+                if (this.isAtEnd()) {
+                    throw new TokenizerError("Unterminated string", startPosition, this.source);
+                }
+                const escaped = this.advance();
+                switch (escaped) {
+                    case "n":
+                        value += "\n";
+                        break;
+                    case "r":
+                        value += "\r";
+                        break;
+                    case "t":
+                        value += "\t";
+                        break;
+                    case "\\":
+                        value += "\\";
+                        break;
+                    case '"':
+                        value += '"';
+                        break;
+                    case "'":
+                        value += "'";
+                        break;
+                    default:
+                        throw new TokenizerError(`Invalid escape sequence: \\${escaped}`, this.position - 2, this.source);
+                }
+            }
+            else if (ch === "\n" || ch === "\r") {
+                throw new TokenizerError("Unterminated string (newline in string literal)", startPosition, this.source);
+            }
+            else {
+                value += ch;
+            }
+        }
+        if (this.isAtEnd()) {
+            throw new TokenizerError("Unterminated string", startPosition, this.source);
+        }
+        // Consume closing quote
+        this.advance();
+        this.addToken("STRING", value, startPosition);
+    }
+    scanNumber(startPosition) {
+        // Back up to include the first digit
+        this.position--;
+        let value = "";
+        // Integer part
+        while (isDigit(this.peek())) {
+            value += this.advance();
+        }
+        // Fractional part
+        if (this.peek() === "." && isDigit(this.peekNext())) {
+            value += this.advance(); // consume '.'
+            while (isDigit(this.peek())) {
+                value += this.advance();
+            }
+        }
+        // Exponent part
+        if (this.peek() === "e" || this.peek() === "E") {
+            value += this.advance();
+            if (this.peek() === "+" || this.peek() === "-") {
+                value += this.advance();
+            }
+            if (!isDigit(this.peek())) {
+                throw new TokenizerError("Invalid number: expected exponent digits", startPosition, this.source);
+            }
+            while (isDigit(this.peek())) {
+                value += this.advance();
+            }
+        }
+        this.addToken("NUMBER", value, startPosition);
+    }
+    scanIdentifier(startPosition) {
+        // Back up to include the first character
+        this.position--;
+        let value = "";
+        while (isIdentifierPart(this.peek())) {
+            value += this.advance();
+        }
+        // Check for "not in" compound keyword
+        const valueLower = value.toLowerCase();
+        if (valueLower === "not") {
+            // Check if followed by whitespace and "in"
+            const savedPosition = this.position;
+            // Skip whitespace
+            while (isWhitespace(this.peek())) {
+                this.advance();
+            }
+            // Check for "in"
+            if (this.peek() === "i" &&
+                this.peekNext() === "n" &&
+                !isIdentifierPart(this.source[this.position + 2] ?? "\0")) {
+                this.advance(); // consume 'i'
+                this.advance(); // consume 'n'
+                this.addToken("NOT_IN", "not in", startPosition);
+                return;
+            }
+            // Not "not in", restore position
+            this.position = savedPosition;
+        }
+        // Check for keyword
+        const keywordType = KEYWORDS.get(valueLower);
+        if (keywordType) {
+            this.addToken(keywordType, value, startPosition);
+        }
+        else {
+            this.addToken("IDENTIFIER", value, startPosition);
+        }
+    }
+}
+/**
+ * Tokenizes an expression string into tokens.
+ *
+ * @param source - The expression string to tokenize
+ * @param limits - Optional expression limits
+ * @returns Array of tokens
+ * @throws TokenizerError if the expression contains invalid tokens
+ */
+function tokenize(source, limits) {
+    const tokenizer = new Tokenizer(source, limits);
+    return tokenizer.tokenize();
+}
+
+/**
+ * Parser for the expression language.
+ *
+ * Parses a stream of tokens into an Abstract Syntax Tree (AST).
+ * Uses recursive descent parsing with operator precedence.
+ *
+ * Precedence (lowest to highest):
+ * 1. Ternary: ? :
+ * 2. Logical OR: ||
+ * 3. Logical AND: &&
+ * 4. Membership: in, not in
+ * 5. Equality: ==, !=
+ * 6. Comparison: <, <=, >, >=
+ * 7. Additive: +, -
+ * 8. Multiplicative: *, /, %
+ * 9. Unary: !, -
+ * 10. Postfix: . [] ()
+ * 11. Primary: literals, identifiers, parentheses
+ */
+/**
+ * Parser for expression strings.
+ */
+class Parser {
+    constructor(tokens, source, limits = DEFAULT_EXPRESSION_LIMITS) {
+        this.current = 0;
+        this.tokens = tokens;
+        this.source = source;
+        this.limits = limits;
+    }
+    /**
+     * Parses the token stream into an AST.
+     */
+    parse() {
+        const ast = this.parseTernary();
+        if (!this.isAtEnd()) {
+            const token = this.peek();
+            throw new ParseError(`Unexpected token: ${token.value || token.type}`, token.position, this.source);
+        }
+        // Validate AST limits
+        const nodeCount = countAstNodes(ast);
+        checkAstNodeCount(nodeCount, this.limits);
+        const depth = calculateAstDepth(ast);
+        checkAstDepth(depth, this.limits);
+        return ast;
+    }
+    // ============================================================
+    // Token Helpers
+    // ============================================================
+    isAtEnd() {
+        return this.peek().type === "EOF";
+    }
+    peek() {
+        return this.tokens[this.current];
+    }
+    previous() {
+        return this.tokens[this.current - 1];
+    }
+    advance() {
+        if (!this.isAtEnd()) {
+            this.current++;
+        }
+        return this.previous();
+    }
+    check(type) {
+        if (this.isAtEnd())
+            return false;
+        return this.peek().type === type;
+    }
+    match(...types) {
+        for (const type of types) {
+            if (this.check(type)) {
+                this.advance();
+                return true;
+            }
+        }
+        return false;
+    }
+    consume(type, message) {
+        if (this.check(type)) {
+            return this.advance();
+        }
+        const token = this.peek();
+        throw new ParseError(message, token.position, this.source);
+    }
+    // ============================================================
+    // Expression Parsing (by precedence, lowest to highest)
+    // ============================================================
+    /**
+     * Parses ternary expressions: condition ? consequent : alternate
+     */
+    parseTernary() {
+        const position = this.peek().position;
+        let node = this.parseOr();
+        if (this.match("QUESTION")) {
+            const consequent = this.parseTernary();
+            this.consume("COLON", "Expected ':' in ternary expression");
+            const alternate = this.parseTernary();
+            node = {
+                type: "TernaryOp",
+                position,
+                condition: node,
+                consequent,
+                alternate,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses logical OR: ||
+     */
+    parseOr() {
+        let node = this.parseAnd();
+        while (this.match("OR")) {
+            const position = this.previous().position;
+            const right = this.parseAnd();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: "||",
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses logical AND: &&
+     */
+    parseAnd() {
+        let node = this.parseEquality();
+        while (this.match("AND")) {
+            const position = this.previous().position;
+            const right = this.parseEquality();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: "&&",
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses equality: ==, !=
+     */
+    parseEquality() {
+        let node = this.parseMembership();
+        while (this.match("EQ", "NE")) {
+            const operator = this.previous().type === "EQ" ? "==" : "!=";
+            const position = this.previous().position;
+            const right = this.parseMembership();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses membership: in, not in
+     */
+    parseMembership() {
+        let node = this.parseComparison();
+        while (this.match("IN", "NOT_IN")) {
+            const operator = this.previous().type === "IN" ? "in" : "not in";
+            const position = this.previous().position;
+            const right = this.parseComparison();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses comparison: <, <=, >, >=
+     */
+    parseComparison() {
+        let node = this.parseAdditive();
+        while (this.match("LT", "LE", "GT", "GE")) {
+            const token = this.previous();
+            let operator;
+            switch (token.type) {
+                case "LT":
+                    operator = "<";
+                    break;
+                case "LE":
+                    operator = "<=";
+                    break;
+                case "GT":
+                    operator = ">";
+                    break;
+                case "GE":
+                    operator = ">=";
+                    break;
+                default:
+                    throw new ParseError(`Unexpected token: ${token.type}`, token.position, this.source);
+            }
+            const position = token.position;
+            const right = this.parseAdditive();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses additive: +, -
+     */
+    parseAdditive() {
+        let node = this.parseMultiplicative();
+        while (this.match("PLUS", "MINUS")) {
+            const operator = this.previous().type === "PLUS" ? "+" : "-";
+            const position = this.previous().position;
+            const right = this.parseMultiplicative();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses multiplicative: *, /, %
+     */
+    parseMultiplicative() {
+        let node = this.parseUnary();
+        while (this.match("STAR", "SLASH", "PERCENT")) {
+            const token = this.previous();
+            let operator;
+            switch (token.type) {
+                case "STAR":
+                    operator = "*";
+                    break;
+                case "SLASH":
+                    operator = "/";
+                    break;
+                case "PERCENT":
+                    operator = "%";
+                    break;
+                default:
+                    throw new ParseError(`Unexpected token: ${token.type}`, token.position, this.source);
+            }
+            const position = token.position;
+            const right = this.parseUnary();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses unary: !, -
+     */
+    parseUnary() {
+        if (this.match("NOT", "MINUS")) {
+            const token = this.previous();
+            const operator = token.type === "NOT" ? "!" : "-";
+            const position = token.position;
+            const operand = this.parseUnary();
+            return {
+                type: "UnaryOp",
+                position,
+                operator,
+                operand,
+            };
+        }
+        return this.parsePostfix();
+    }
+    /**
+     * Parses postfix: . [] ()
+     */
+    parsePostfix() {
+        let node = this.parsePrimary();
+        while (true) {
+            if (this.match("DOT")) {
+                const position = this.previous().position;
+                const propToken = this.consume("IDENTIFIER", "Expected property name after '.'");
+                node = {
+                    type: "MemberAccess",
+                    position,
+                    object: node,
+                    property: propToken.value,
+                };
+            }
+            else if (this.match("LBRACKET")) {
+                const position = this.previous().position;
+                const index = this.parseTernary();
+                this.consume("RBRACKET", "Expected ']' after index");
+                node = {
+                    type: "IndexAccess",
+                    position,
+                    object: node,
+                    index,
+                };
+            }
+            else if (this.match("LPAREN")) {
+                // Function call - node must be an identifier
+                if (node.type !== "Identifier") {
+                    throw new ParseError("Only named functions can be called", node.position, this.source);
+                }
+                const position = this.previous().position;
+                const args = this.parseArgumentList();
+                checkFunctionArgCount(args.length, this.limits);
+                node = {
+                    type: "FunctionCall",
+                    position,
+                    name: node.name,
+                    args,
+                };
+            }
+            else {
+                break;
+            }
+        }
+        return node;
+    }
+    /**
+     * Parses function argument list (already consumed opening paren).
+     */
+    parseArgumentList() {
+        const args = [];
+        if (!this.check("RPAREN")) {
+            do {
+                args.push(this.parseTernary());
+            } while (this.match("COMMA"));
+        }
+        this.consume("RPAREN", "Expected ')' after function arguments");
+        return args;
+    }
+    /**
+     * Parses primary expressions: literals, identifiers, parentheses, arrays.
+     */
+    parsePrimary() {
+        const token = this.peek();
+        const position = token.position;
+        // Boolean literals
+        if (this.match("TRUE")) {
+            return { type: "BooleanLiteral", position, value: true };
+        }
+        if (this.match("FALSE")) {
+            return { type: "BooleanLiteral", position, value: false };
+        }
+        // Null literal
+        if (this.match("NULL")) {
+            return { type: "NullLiteral", position };
+        }
+        // String literal
+        if (this.match("STRING")) {
+            return {
+                type: "StringLiteral",
+                position,
+                value: this.previous().value,
+            };
+        }
+        // Number literal
+        if (this.match("NUMBER")) {
+            const value = parseFloat(this.previous().value);
+            if (!Number.isFinite(value)) {
+                throw new ParseError("Invalid number", position, this.source);
+            }
+            return { type: "NumberLiteral", position, value };
+        }
+        // Identifier
+        if (this.match("IDENTIFIER")) {
+            return {
+                type: "Identifier",
+                position,
+                name: this.previous().value,
+            };
+        }
+        // Parenthesized expression
+        if (this.match("LPAREN")) {
+            const expr = this.parseTernary();
+            this.consume("RPAREN", "Expected ')' after expression");
+            return expr;
+        }
+        // Array literal
+        if (this.match("LBRACKET")) {
+            const elements = [];
+            if (!this.check("RBRACKET")) {
+                do {
+                    elements.push(this.parseTernary());
+                } while (this.match("COMMA"));
+            }
+            this.consume("RBRACKET", "Expected ']' after array elements");
+            checkArrayLength(elements.length, this.limits);
+            return { type: "ArrayLiteral", position, elements };
+        }
+        throw new ParseError(`Unexpected token: ${token.value || token.type}`, position, this.source);
+    }
+}
+/**
+ * Parses an expression string into an AST.
+ *
+ * @param source - The expression string to parse
+ * @param limits - Optional expression limits
+ * @returns The parsed AST
+ * @throws TokenizerError if tokenization fails
+ * @throws ParseError if parsing fails
+ */
+function parse(source, limits = DEFAULT_EXPRESSION_LIMITS) {
+    const tokens = tokenize(source, limits);
+    const parser = new Parser(tokens, source, limits);
+    return parser.parse();
+}
+
+/**
+ * Built-in functions for the expression language.
+ *
+ * All built-in functions are pure and deterministic.
+ *
+ * Null handling semantics:
+ * - `undefined` is normalized to `null` throughout the expression value model.
+ * - Predicate-style builtins (starts_with, ends_with, contains, glob_match,
+ *   regex_match, etc.) return `false` when passed `null` for required args
+ *   instead of throwing an error.
+ * - Wrong non-null types still raise BuiltinError to surface real bugs.
+ * - Non-predicate operations (arithmetic, comparisons) remain strict.
+ */
+/**
+ * Normalizes a JavaScript value to an ExprValue.
+ *
+ * Rules:
+ * - `undefined` -> `null`
+ * - `null` -> `null`
+ * - boolean/number/string -> returned as-is
+ * - array -> elements are recursively normalized
+ * - object -> returned as-is (reads will normalize on access)
+ * - other types (function, symbol, etc.) -> `null`
+ *
+ * This ensures `undefined` never leaks into the expression value model.
+ */
+function normalizeJsValue(value) {
+    if (value === undefined || value === null) {
+        return null;
+    }
+    if (typeof value === "boolean" || typeof value === "number") {
+        return value;
+    }
+    if (typeof value === "string") {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map((element) => normalizeJsValue(element));
+    }
+    if (typeof value === "object") {
+        // Return the object as-is; reads will normalize on access
+        return value;
+    }
+    // Function, symbol, bigint, etc. -> null
+    return null;
+}
+/**
+ * Gets the type name of a value for error messages.
+ */
+function getTypeName(value) {
+    if (value === null)
+        return "null";
+    if (Array.isArray(value))
+        return "array";
+    return typeof value;
+}
+/**
+ * Asserts that a value is a string.
+ */
+function assertString$1(value, argName, functionName) {
+    if (typeof value !== "string") {
+        throw new BuiltinError(functionName, `${argName} must be a string, got ${getTypeName(value)}`);
+    }
+}
+/**
+ * Checks if a value is null (for null-tolerant predicates).
+ */
+function isNull$1(value) {
+    return value === null;
+}
+/**
+ * Asserts that a non-null value is a string (for null-tolerant predicates).
+ * Returns false if the value is null (indicating predicate should return false).
+ * Throws BuiltinError if the value is non-null but not a string.
+ */
+function assertStringOrNull$1(value, argName, functionName) {
+    if (isNull$1(value)) {
+        return false;
+    }
+    if (typeof value !== "string") {
+        throw new BuiltinError(functionName, `${argName} must be a string, got ${getTypeName(value)}`);
+    }
+    return true;
+}
+/**
+ * Gets an argument by index, throwing if not present.
+ */
+function getArg$1(args, index, functionName) {
+    const value = args[index];
+    if (value === undefined) {
+        throw new BuiltinError(functionName, `missing argument at index ${index}`);
+    }
+    return value;
+}
+/**
+ * Asserts argument count.
+ */
+function assertArgCount$1(args, expected, functionName) {
+    if (args.length !== expected) {
+        throw new BuiltinError(functionName, `expected ${expected} argument(s), got ${args.length}`);
+    }
+}
+/**
+ * Asserts argument count range.
+ */
+function assertArgCountRange(args, min, max, functionName) {
+    if (args.length < min || args.length > max) {
+        throw new BuiltinError(functionName, `expected ${min}-${max} argument(s), got ${args.length}`);
+    }
+}
+// ============================================================
+// String Helpers
+// ============================================================
+/**
+ * lower(s: string) -> string
+ *
+ * Returns the lowercase version of the string.
+ */
+const lower = (args) => {
+    assertArgCount$1(args, 1, "lower");
+    const s = getArg$1(args, 0, "lower");
+    assertString$1(s, "s", "lower");
+    return s.toLowerCase();
+};
+/**
+ * upper(s: string) -> string
+ *
+ * Returns the uppercase version of the string.
+ */
+const upper = (args) => {
+    assertArgCount$1(args, 1, "upper");
+    const s = getArg$1(args, 0, "upper");
+    assertString$1(s, "s", "upper");
+    return s.toUpperCase();
+};
+/**
+ * starts_with(s: string, prefix: string) -> bool
+ *
+ * Returns true if the string starts with the prefix.
+ * Null-tolerant: returns false if either argument is null.
+ */
+const starts_with = (args) => {
+    assertArgCount$1(args, 2, "starts_with");
+    const s = getArg$1(args, 0, "starts_with");
+    const prefix = getArg$1(args, 1, "starts_with");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(s, "s", "starts_with"))
+        return false;
+    if (!assertStringOrNull$1(prefix, "prefix", "starts_with"))
+        return false;
+    return s.startsWith(prefix);
+};
+/**
+ * ends_with(s: string, suffix: string) -> bool
+ *
+ * Returns true if the string ends with the suffix.
+ * Null-tolerant: returns false if either argument is null.
+ */
+const ends_with = (args) => {
+    assertArgCount$1(args, 2, "ends_with");
+    const s = getArg$1(args, 0, "ends_with");
+    const suffix = getArg$1(args, 1, "ends_with");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(s, "s", "ends_with"))
+        return false;
+    if (!assertStringOrNull$1(suffix, "suffix", "ends_with"))
+        return false;
+    return s.endsWith(suffix);
+};
+/**
+ * contains(s: string, substring: string) -> bool
+ *
+ * Returns true if the string contains the substring.
+ * Null-tolerant: returns false if either argument is null.
+ */
+const contains = (args) => {
+    assertArgCount$1(args, 2, "contains");
+    const s = getArg$1(args, 0, "contains");
+    const substring = getArg$1(args, 1, "contains");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(s, "s", "contains"))
+        return false;
+    if (!assertStringOrNull$1(substring, "substring", "contains"))
+        return false;
+    return s.includes(substring);
+};
+/**
+ * split(s: string, separator: string) -> string[]
+ *
+ * Splits the string by the separator.
+ */
+const split = (args) => {
+    assertArgCountRange(args, 1, 2, "split");
+    const s = getArg$1(args, 0, "split");
+    assertString$1(s, "s", "split");
+    const separator = args.length >= 2 ? getArg$1(args, 1, "split") : " ";
+    assertString$1(separator, "separator", "split");
+    return s.split(separator);
+};
+// ============================================================
+// Collection Helpers
+// ============================================================
+/**
+ * len(x: string | array) -> number
+ *
+ * Returns the length of a string or array.
+ */
+const len = (args) => {
+    assertArgCount$1(args, 1, "len");
+    const x = getArg$1(args, 0, "len");
+    if (typeof x === "string") {
+        return x.length;
+    }
+    if (Array.isArray(x)) {
+        return x.length;
+    }
+    throw new BuiltinError("len", `expected string or array, got ${getTypeName(x)}`);
+};
+// ============================================================
+// Generic Helpers
+// ============================================================
+/**
+ * exists(x: any) -> bool
+ *
+ * Returns true if the value is not null.
+ * Missing bindings and missing properties evaluate to null, so this
+ * can be used to check for presence.
+ */
+const exists = (args) => {
+    assertArgCount$1(args, 1, "exists");
+    const x = getArg$1(args, 0, "exists");
+    return x !== null;
+};
+/**
+ * coalesce(a: any, b: any) -> any
+ *
+ * Returns `a` if it is not null, otherwise returns `b`.
+ * This is useful for providing default values.
+ */
+const coalesce = (args) => {
+    assertArgCount$1(args, 2, "coalesce");
+    const a = getArg$1(args, 0, "coalesce");
+    const b = getArg$1(args, 1, "coalesce");
+    return a !== null ? a : b;
+};
+/**
+ * trim(s: string) -> string
+ *
+ * Trims whitespace from both ends of a string.
+ * Returns an empty string if `s` is null (for convenient composition).
+ * Throws BuiltinError if `s` is non-null but not a string.
+ */
+const trim = (args) => {
+    assertArgCount$1(args, 1, "trim");
+    const s = getArg$1(args, 0, "trim");
+    // Null-friendly: return empty string for null
+    if (s === null) {
+        return "";
+    }
+    // Strict type check for non-null values
+    if (typeof s !== "string") {
+        throw new BuiltinError("trim", `s must be a string, got ${getTypeName(s)}`);
+    }
+    return s.trim();
+};
+/**
+ * secure_hash(input_str: string, length: number) -> string
+ *
+ * Generates a deterministic secure hash/fingerprint of the input string.
+ * Uses SHA-256 hashing to create a stable identifier of the specified length.
+ * Returns base62-encoded string (alphanumeric, case-sensitive).
+ * Automatically rehashes if result contains blacklisted words.
+ * Returns empty string if input_str is null (for convenient composition).
+ * Throws BuiltinError if input_str is non-null but not a string, or if length is invalid.
+ */
+const secure_hash = (args) => {
+    assertArgCount$1(args, 2, "secure_hash");
+    const input_str = getArg$1(args, 0, "secure_hash");
+    const length = getArg$1(args, 1, "secure_hash");
+    // Null-friendly: return empty string for null input
+    if (input_str === null) {
+        return "";
+    }
+    // Strict type check for input_str
+    if (typeof input_str !== "string") {
+        throw new BuiltinError("secure_hash", `input_str must be a string, got ${getTypeName(input_str)}`);
+    }
+    // Strict type check for length
+    if (typeof length !== "number") {
+        throw new BuiltinError("secure_hash", `length must be a number, got ${getTypeName(length)}`);
+    }
+    // Validate length is a positive integer
+    if (!Number.isInteger(length) || length <= 0) {
+        throw new BuiltinError("secure_hash", `length must be a positive integer, got ${length}`);
+    }
+    // Use generateFingerprintSync from @naylence/core
+    // This provides SHA-256 hashing, base62 encoding, and profanity filtering
+    return core.generateFingerprintSync(input_str, length, sha256.sha256);
+};
+// ============================================================
+// Pattern Helpers (BSL-only)
+// ============================================================
+/**
+ * Escapes special regex characters in a string.
+ */
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+/**
+ * Converts a glob pattern to a regex pattern.
+ */
+function globToRegex(glob) {
+    const parts = [];
+    let i = 0;
+    while (i < glob.length) {
+        const ch = glob[i];
+        if (ch === "*") {
+            if (glob[i + 1] === "*") {
+                // `**` matches any characters
+                parts.push(".*");
+                i += 2;
+            }
+            else {
+                // `*` matches any characters except dots
+                parts.push("[^.]*");
+                i += 1;
+            }
+        }
+        else if (ch === "?") {
+            // `?` matches a single character
+            parts.push("[^.]");
+            i += 1;
+        }
+        else {
+            parts.push(escapeRegex(ch));
+            i += 1;
+        }
+    }
+    return parts.join("");
+}
+/**
+ * glob_match(value: string, pattern: string) -> bool
+ *
+ * Returns true if the value matches the glob pattern.
+ * Glob syntax: * (single segment), ** (any depth), ? (single char)
+ * Null-tolerant: returns false if either argument is null.
+ */
+const glob_match = (args, context) => {
+    assertArgCount$1(args, 2, "glob_match");
+    const value = getArg$1(args, 0, "glob_match");
+    const pattern = getArg$1(args, 1, "glob_match");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(value, "value", "glob_match"))
+        return false;
+    if (!assertStringOrNull$1(pattern, "pattern", "glob_match"))
+        return false;
+    // Validate pattern length
+    checkGlobPatternLength(pattern, context.limits);
+    // Convert glob to regex
+    const regexPattern = `^${globToRegex(pattern)}$`;
+    try {
+        const regex = new RegExp(regexPattern);
+        return regex.test(value);
+    }
+    catch {
+        throw new BuiltinError("glob_match", `invalid glob pattern: ${pattern}`);
+    }
+};
+/**
+ * Detects potentially catastrophic regex patterns.
+ *
+ * This is a best-effort heuristic check for common ReDoS patterns.
+ */
+function isSafeRegex(pattern) {
+    // Check for obvious catastrophic patterns:
+    // - Nested quantifiers: (a+)+, (a*)*
+    // - Overlapping alternation with quantifiers: (a|a)+
+    // Simple heuristic: reject patterns with nested quantifiers
+    const nestedQuantifiers = /([+*?]|\{\d+,?\d*\})\s*\)\s*([+*?]|\{\d+,?\d*\})/;
+    if (nestedQuantifiers.test(pattern)) {
+        return false;
+    }
+    // Reject patterns with excessive backtracking potential
+    const excessiveBacktracking = /(\.\*){3,}|(\.\+){3,}/;
+    if (excessiveBacktracking.test(pattern)) {
+        return false;
+    }
+    return true;
+}
+/**
+ * regex_match(value: string, pattern: string) -> bool
+ *
+ * Returns true if the value matches the regex pattern.
+ * The pattern is anchored (full match).
+ * Null-tolerant: returns false if either argument is null.
+ */
+const regex_match = (args, context) => {
+    assertArgCount$1(args, 2, "regex_match");
+    const value = getArg$1(args, 0, "regex_match");
+    const pattern = getArg$1(args, 1, "regex_match");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(value, "value", "regex_match"))
+        return false;
+    if (!assertStringOrNull$1(pattern, "pattern", "regex_match"))
+        return false;
+    // Validate pattern length
+    checkRegexPatternLength(pattern, context.limits);
+    // Check for potentially unsafe patterns
+    if (!isSafeRegex(pattern)) {
+        throw new BuiltinError("regex_match", `pattern may cause excessive backtracking: ${pattern}`);
+    }
+    // Anchor the pattern for full match
+    const anchoredPattern = pattern.startsWith("^")
+        ? pattern
+        : pattern.endsWith("$")
+            ? pattern
+            : `^(?:${pattern})$`;
+    try {
+        const regex = new RegExp(anchoredPattern);
+        return regex.test(value);
+    }
+    catch (error) {
+        throw new BuiltinError("regex_match", `invalid regex pattern: ${pattern} - ${error instanceof Error ? error.message : String(error)}`);
+    }
+};
+// ============================================================
+// Registry
+// ============================================================
+/**
+ * Registry of all built-in functions.
+ */
+const BUILTIN_FUNCTIONS = new Map([
+    // String helpers
+    ["lower", lower],
+    ["upper", upper],
+    ["starts_with", starts_with],
+    ["ends_with", ends_with],
+    ["contains", contains],
+    ["split", split],
+    ["trim", trim],
+    // Collection helpers
+    ["len", len],
+    // Generic helpers
+    ["exists", exists],
+    ["coalesce", coalesce],
+    ["secure_hash", secure_hash],
+    // Pattern helpers
+    ["glob_match", glob_match],
+    ["regex_match", regex_match],
+]);
+/**
+ * Calls a built-in function by name.
+ *
+ * @param name - The function name
+ * @param args - The function arguments
+ * @param context - The evaluation context
+ * @returns The function result
+ * @throws BuiltinError if the function doesn't exist or fails
+ */
+function callBuiltin(name, args, context, functions = BUILTIN_FUNCTIONS) {
+    const fn = functions.get(name);
+    if (!fn) {
+        throw new EvaluationError(`Unknown function: ${name}`, context.position, context.source);
+    }
+    return fn(args, context);
+}
+
+/**
+ * Expression evaluator.
+ *
+ * Evaluates an AST against a set of variable bindings and returns a value.
+ *
+ * Null handling semantics:
+ * - `undefined` values are normalized to `null` throughout evaluation.
+ * - Missing identifiers evaluate to `null`.
+ * - Member access on `null` or non-object returns `null`.
+ * - Missing properties return `null` (including properties set to `undefined`).
+ */
+/**
+ * Evaluates an AST node and returns the result.
+ */
+class Evaluator {
+    constructor(context) {
+        this.memberAccessDepth = 0;
+        this.context = context;
+        this.limits = context.limits ?? DEFAULT_EXPRESSION_LIMITS;
+        this.source = context.source ?? "";
+        this.functions = context.functions ?? BUILTIN_FUNCTIONS;
+    }
+    /**
+     * Evaluates an AST node and returns the value.
+     */
+    evaluate(node) {
+        switch (node.type) {
+            case "StringLiteral":
+                return node.value;
+            case "NumberLiteral":
+                return node.value;
+            case "BooleanLiteral":
+                return node.value;
+            case "NullLiteral":
+                return null;
+            case "ArrayLiteral":
+                return node.elements.map((e) => this.evaluate(e));
+            case "Identifier":
+                return this.evaluateIdentifier(node.name, node.position);
+            case "MemberAccess":
+                return this.evaluateMemberAccess(node);
+            case "IndexAccess":
+                return this.evaluateIndexAccess(node);
+            case "FunctionCall":
+                return this.evaluateFunctionCall(node);
+            case "UnaryOp":
+                return this.evaluateUnaryOp(node.operator, node.operand, node.position);
+            case "BinaryOp":
+                return this.evaluateBinaryOp(node.operator, node.left, node.right, node.position);
+            case "TernaryOp":
+                return this.evaluateTernaryOp(node.condition, node.consequent, node.alternate, node.position);
+        }
+    }
+    /**
+     * Evaluates as boolean with strict type checking.
+     */
+    evaluateAsBoolean(node) {
+        const value = this.evaluate(node);
+        if (typeof value !== "boolean") {
+            throw new TypeError("boolean", getTypeName(value), node.position, this.source);
+        }
+        return value;
+    }
+    evaluateIdentifier(name, _position) {
+        // Check if it's a top-level binding
+        if (name in this.context.bindings) {
+            // Normalize the value to ensure undefined becomes null
+            return normalizeJsValue(this.context.bindings[name]);
+        }
+        // Unknown identifier evaluates to null (missing field)
+        return null;
+    }
+    evaluateMemberAccess(node) {
+        // Check member access depth
+        this.memberAccessDepth++;
+        if (this.memberAccessDepth > this.limits.maxMemberAccessDepth) {
+            throw new EvaluationError(`Member access depth ${this.memberAccessDepth} exceeds limit of ${this.limits.maxMemberAccessDepth}`, node.position, this.source);
+        }
+        try {
+            const obj = this.evaluate(node.object);
+            // Null-safe member access: null.foo -> null
+            if (obj === null) {
+                return null;
+            }
+            // Must be an object (not primitive, not array)
+            if (typeof obj !== "object" || Array.isArray(obj)) {
+                // Type mismatch during access returns null (not error)
+                return null;
+            }
+            const record = obj;
+            if (node.property in record) {
+                // Normalize the value to ensure undefined becomes null
+                return normalizeJsValue(record[node.property]);
+            }
+            // Missing property evaluates to null
+            return null;
+        }
+        finally {
+            this.memberAccessDepth--;
+        }
+    }
+    evaluateIndexAccess(node) {
+        const obj = this.evaluate(node.object);
+        const index = this.evaluate(node.index);
+        // Null-safe index access: null[0] -> null
+        if (obj === null) {
+            return null;
+        }
+        // Array access with numeric index
+        if (Array.isArray(obj)) {
+            if (typeof index !== "number") {
+                throw new TypeError("number", getTypeName(index), node.position, this.source);
+            }
+            const intIndex = Math.floor(index);
+            if (intIndex < 0 || intIndex >= obj.length) {
+                // Out of bounds evaluates to null
+                return null;
+            }
+            // Normalize array element to ensure undefined becomes null
+            return normalizeJsValue(obj[intIndex]);
+        }
+        // Object access with string key
+        if (typeof obj === "object") {
+            if (typeof index !== "string") {
+                throw new TypeError("string", getTypeName(index), node.position, this.source);
+            }
+            const record = obj;
+            if (index in record) {
+                // Normalize the value to ensure undefined becomes null
+                return normalizeJsValue(record[index]);
+            }
+            // Missing key evaluates to null
+            return null;
+        }
+        // Type mismatch during access returns null
+        return null;
+    }
+    evaluateFunctionCall(node) {
+        // Evaluate arguments
+        const args = node.args.map((arg) => this.evaluate(arg));
+        const builtinContext = {
+            limits: this.limits,
+            position: node.position,
+            source: this.source,
+        };
+        return callBuiltin(node.name, args, builtinContext, this.functions);
+    }
+    evaluateUnaryOp(operator, operand, position) {
+        const value = this.evaluate(operand);
+        switch (operator) {
+            case "!":
+                if (typeof value !== "boolean") {
+                    throw new TypeError("boolean", getTypeName(value), position, this.source);
+                }
+                return !value;
+            case "-":
+                if (typeof value !== "number") {
+                    throw new TypeError("number", getTypeName(value), position, this.source);
+                }
+                return -value;
+        }
+    }
+    evaluateBinaryOp(operator, left, right, position) {
+        // Short-circuit evaluation for logical operators
+        if (operator === "&&") {
+            const leftValue = this.evaluate(left);
+            if (typeof leftValue !== "boolean") {
+                throw new TypeError("boolean", getTypeName(leftValue), left.position, this.source);
+            }
+            if (!leftValue)
+                return false;
+            const rightValue = this.evaluate(right);
+            if (typeof rightValue !== "boolean") {
+                throw new TypeError("boolean", getTypeName(rightValue), right.position, this.source);
+            }
+            return rightValue;
+        }
+        if (operator === "||") {
+            const leftValue = this.evaluate(left);
+            if (typeof leftValue !== "boolean") {
+                throw new TypeError("boolean", getTypeName(leftValue), left.position, this.source);
+            }
+            if (leftValue)
+                return true;
+            const rightValue = this.evaluate(right);
+            if (typeof rightValue !== "boolean") {
+                throw new TypeError("boolean", getTypeName(rightValue), right.position, this.source);
+            }
+            return rightValue;
+        }
+        // Eager evaluation for other operators
+        const leftValue = this.evaluate(left);
+        const rightValue = this.evaluate(right);
+        switch (operator) {
+            // Arithmetic
+            case "+":
+                if (typeof leftValue === "string" && typeof rightValue === "string") {
+                    return leftValue + rightValue;
+                }
+                if (typeof leftValue === "number" && typeof rightValue === "number") {
+                    return leftValue + rightValue;
+                }
+                throw new EvaluationError(`Cannot add ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+            case "-":
+                if (typeof leftValue !== "number" || typeof rightValue !== "number") {
+                    throw new EvaluationError(`Cannot subtract ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+                }
+                return leftValue - rightValue;
+            case "*":
+                if (typeof leftValue !== "number" || typeof rightValue !== "number") {
+                    throw new EvaluationError(`Cannot multiply ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+                }
+                return leftValue * rightValue;
+            case "/":
+                if (typeof leftValue !== "number" || typeof rightValue !== "number") {
+                    throw new EvaluationError(`Cannot divide ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+                }
+                if (rightValue === 0) {
+                    throw new EvaluationError("Division by zero", position, this.source);
+                }
+                return leftValue / rightValue;
+            case "%":
+                if (typeof leftValue !== "number" || typeof rightValue !== "number") {
+                    throw new EvaluationError(`Cannot compute modulo of ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+                }
+                if (rightValue === 0) {
+                    throw new EvaluationError("Modulo by zero", position, this.source);
+                }
+                return leftValue % rightValue;
+            // Comparison
+            case "<":
+            case "<=":
+            case ">":
+            case ">=":
+                return this.evaluateComparison(operator, leftValue, rightValue, position);
+            // Equality
+            case "==":
+                return this.valuesEqual(leftValue, rightValue);
+            case "!=":
+                return !this.valuesEqual(leftValue, rightValue);
+            // Membership
+            case "in":
+                return this.evaluateIn(leftValue, rightValue, position);
+            case "not in":
+                return !this.evaluateIn(leftValue, rightValue, position);
+        }
+    }
+    evaluateComparison(operator, left, right, position) {
+        // Numbers
+        if (typeof left === "number" && typeof right === "number") {
+            switch (operator) {
+                case "<":
+                    return left < right;
+                case "<=":
+                    return left <= right;
+                case ">":
+                    return left > right;
+                case ">=":
+                    return left >= right;
+            }
+        }
+        // Strings
+        if (typeof left === "string" && typeof right === "string") {
+            switch (operator) {
+                case "<":
+                    return left < right;
+                case "<=":
+                    return left <= right;
+                case ">":
+                    return left > right;
+                case ">=":
+                    return left >= right;
+            }
+        }
+        throw new EvaluationError(`Cannot compare ${getTypeName(left)} and ${getTypeName(right)} with ${operator}`, position, this.source);
+    }
+    evaluateIn(left, right, position) {
+        // String in string (substring check)
+        if (typeof left === "string" && typeof right === "string") {
+            return right.includes(left);
+        }
+        // Value in array
+        if (Array.isArray(right)) {
+            return right.some((item) => this.valuesEqual(left, item));
+        }
+        // Key in object
+        if (typeof right === "object" && right !== null && !Array.isArray(right)) {
+            if (typeof left !== "string") {
+                throw new EvaluationError(`Cannot check if ${getTypeName(left)} is a key in object (expected string)`, position, this.source);
+            }
+            return left in right;
+        }
+        throw new EvaluationError(`Cannot check membership: ${getTypeName(left)} in ${getTypeName(right)}`, position, this.source);
+    }
+    evaluateTernaryOp(condition, consequent, alternate, _position) {
+        const condValue = this.evaluate(condition);
+        if (typeof condValue !== "boolean") {
+            throw new TypeError("boolean", getTypeName(condValue), condition.position, this.source);
+        }
+        return condValue ? this.evaluate(consequent) : this.evaluate(alternate);
+    }
+    /**
+     * Deep equality check for expression values.
+     */
+    valuesEqual(a, b) {
+        // Identical primitives or same reference
+        if (a === b)
+            return true;
+        // Type mismatch
+        if (typeof a !== typeof b)
+            return false;
+        // null check (both must be null if one is)
+        if (a === null || b === null)
+            return false;
+        // Arrays
+        if (Array.isArray(a) && Array.isArray(b)) {
+            if (a.length !== b.length)
+                return false;
+            for (let i = 0; i < a.length; i++) {
+                if (!this.valuesEqual(a[i], b[i])) {
+                    return false;
+                }
+            }
+            return true;
+        }
+        // Objects
+        if (typeof a === "object" && typeof b === "object") {
+            const aKeys = Object.keys(a);
+            const bKeys = Object.keys(b);
+            if (aKeys.length !== bKeys.length)
+                return false;
+            for (const key of aKeys) {
+                if (!Object.prototype.hasOwnProperty.call(b, key))
+                    return false;
+                const aRecord = a;
+                const bRecord = b;
+                if (!this.valuesEqual(aRecord[key], bRecord[key])) {
+                    return false;
+                }
+            }
+            return true;
+        }
+        return false;
+    }
+}
+/**
+ * Evaluates an AST as a boolean condition.
+ *
+ * @param ast - The AST to evaluate
+ * @param context - The evaluation context with bindings
+ * @returns true if the condition is met, false otherwise (including errors)
+ */
+function evaluateAsBoolean(ast, context) {
+    try {
+        const evaluator = new Evaluator(context);
+        const value = evaluator.evaluateAsBoolean(ast);
+        return { value };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return { value: false, error: message };
+    }
+}
+
+/**
+ * Authorization-specific expression built-ins.
+ *
+ * Null handling semantics:
+ * - Scope predicate builtins (has_scope, has_any_scope, has_all_scopes)
+ *   return `false` when passed `null` for required args.
+ * - Wrong non-null types still raise BuiltinError to surface real bugs.
+ */
+/**
+ * Checks if a value is null.
+ */
+function isNull(value) {
+    return value === null;
+}
+/**
+ * Creates a function registry with auth helpers installed.
+ */
+function createAuthFunctionRegistry(grantedScopes = []) {
+    const scopes = grantedScopes ?? [];
+    /**
+     * Checks if any granted scope matches a pattern (using glob syntax).
+     */
+    const matchesScope = (scope) => {
+        // Exact match for now; safe and deterministic.
+        return scopes.includes(scope);
+    };
+    /**
+     * has_scope(scope: string) -> bool
+     *
+     * Returns true if the scope is in the granted scopes.
+     * Null-tolerant: returns false if scope is null.
+     */
+    const has_scope = (args) => {
+        assertArgCount(args, 1, "has_scope");
+        const scope = getArg(args, 0, "has_scope");
+        // Null-tolerant: return false if scope is null
+        if (!assertStringOrNull(scope, "scope", "has_scope"))
+            return false;
+        return matchesScope(scope);
+    };
+    /**
+     * has_any_scope(scopes: string[]) -> bool
+     *
+     * Returns true if any scope in the array is in the granted scopes.
+     * Null-tolerant: returns false if scopes is null.
+     */
+    const has_any_scope = (args) => {
+        assertArgCount(args, 1, "has_any_scope");
+        const values = getArg(args, 0, "has_any_scope");
+        // Null-tolerant: return false if scopes is null
+        if (!assertStringArrayOrNull(values, "scopes", "has_any_scope"))
+            return false;
+        if (values.length === 0) {
+            return false;
+        }
+        return values.some((scope) => matchesScope(scope));
+    };
+    /**
+     * has_all_scopes(scopes: string[]) -> bool
+     *
+     * Returns true if all scopes in the array are in the granted scopes.
+     * Null-tolerant: returns false if scopes is null.
+     */
+    const has_all_scopes = (args) => {
+        assertArgCount(args, 1, "has_all_scopes");
+        const values = getArg(args, 0, "has_all_scopes");
+        // Null-tolerant: return false if scopes is null
+        if (!assertStringArrayOrNull(values, "scopes", "has_all_scopes"))
+            return false;
+        if (values.length === 0) {
+            return true;
+        }
+        return values.every((scope) => matchesScope(scope));
+    };
+    return new Map([
+        ...BUILTIN_FUNCTIONS,
+        ["has_scope", has_scope],
+        ["has_any_scope", has_any_scope],
+        ["has_all_scopes", has_all_scopes],
+    ]);
+}
+/**
+ * Asserts that a non-null value is a string (for null-tolerant predicates).
+ * Returns false if the value is null (indicating predicate should return false).
+ * Throws BuiltinError if the value is non-null but not a string.
+ */
+function assertStringOrNull(value, argName, functionName) {
+    if (isNull(value)) {
+        return false;
+    }
+    if (typeof value !== "string") {
+        throw new BuiltinError(functionName, `${argName} must be a string, got ${getTypeName(value)}`);
+    }
+    return true;
+}
+/**
+ * Asserts that a non-null value is an array of strings (for null-tolerant predicates).
+ * Returns false if the value is null (indicating predicate should return false).
+ * Throws BuiltinError if the value is non-null but not a string array.
+ */
+function assertStringArrayOrNull(value, argName, functionName) {
+    if (isNull(value)) {
+        return false;
+    }
+    if (!Array.isArray(value)) {
+        throw new BuiltinError(functionName, `${argName} must be an array of strings, got ${getTypeName(value)}`);
+    }
+    for (let i = 0; i < value.length; i++) {
+        if (typeof value[i] !== "string") {
+            throw new BuiltinError(functionName, `${argName}[${i}] must be a string, got ${getTypeName(value[i])}`);
+        }
+    }
+    return true;
+}
+function getArg(args, index, functionName) {
+    const value = args[index];
+    if (value === undefined) {
+        throw new BuiltinError(functionName, `missing argument at index ${index}`);
+    }
+    return value;
+}
+function assertArgCount(args, expected, functionName) {
+    if (args.length !== expected) {
+        throw new BuiltinError(functionName, `expected ${expected} argument(s), got ${args.length}`);
+    }
+}
+
+/**
+ * Expression-based authorization policy implementation.
+ *
+ * Extends the basic policy with support for `when` expression evaluation.
+ * This is part of the BSL-licensed Advanced Security package.
+ */
+/**
+ * Simple console logger implementation.
+ */
+const defaultLogger = {
+    debug: () => { },
+    warning: (event, data) => {
+        console.warn(`[naylence.security.auth.policy.expression] ${event}`, data);
+    },
+};
+/**
+ * Extracts the target address string from the envelope.
+ */
+function extractAddress(envelope) {
+    const to = envelope.to;
+    if (!to) {
+        return undefined;
+    }
+    if (typeof to === "string") {
+        return to;
+    }
+    if (typeof to === "object" && "toString" in to) {
+        return to.toString();
+    }
+    return undefined;
+}
+/**
+ * Extracts granted scopes from the authorization context.
+ */
+function extractGrantedScopes(context) {
+    const authContext = context?.security?.authorization;
+    if (!authContext) {
+        return [];
+    }
+    if (Array.isArray(authContext.grantedScopes)) {
+        return authContext.grantedScopes;
+    }
+    const claims = authContext.claims;
+    if (claims) {
+        const scopeClaim = claims.scope ?? claims.scopes ?? claims.scp;
+        if (typeof scopeClaim === "string") {
+            return scopeClaim.split(/\s+/).filter((s) => s.length > 0);
+        }
+        if (Array.isArray(scopeClaim)) {
+            return scopeClaim.filter((s) => typeof s === "string");
+        }
+    }
+    return [];
+}
+/**
+ * Extracts claims from the authorization context.
+ */
+function extractClaims(context) {
+    const authContext = context?.security?.authorization;
+    if (!authContext?.claims) {
+        return {};
+    }
+    return authContext.claims;
+}
+/**
+ * Creates a safe envelope subset for expression bindings.
+ */
+function createEnvelopeBindings(envelope) {
+    const frame = envelope.frame;
+    const envelopeRecord = envelope;
+    return {
+        id: envelope.id ?? null,
+        traceId: envelopeRecord.traceId ?? null,
+        corrId: envelopeRecord.corrId ?? null,
+        flowId: envelopeRecord.flowId ?? null,
+        to: extractAddress(envelope) ?? null,
+        frame: frame
+            ? { type: frame.type ?? null }
+            : { type: null },
+    };
+}
+/**
+ * Creates delivery context bindings for expression evaluation.
+ */
+function createDeliveryBindings(context, action) {
+    return {
+        origin_type: context?.originType ?? null,
+        routing_action: action,
+    };
+}
+/**
+ * Expression-based authorization policy that evaluates rules with `when` expressions.
+ *
+ * Features:
+ * - All features of BasicAuthorizationPolicy
+ * - Expression evaluation for `when` clauses
+ * - Deterministic, side-effect-free evaluation
+ * - Missing fields evaluate to null (not error)
+ * - Parse/evaluation errors cause rule to not match
+ */
+class AdvancedAuthorizationPolicy {
+    constructor(options) {
+        const { policyDefinition, warnOnUnknownFields = true, expressionLimits = DEFAULT_EXPRESSION_LIMITS, logger = defaultLogger, } = options;
+        this.expressionLimits = expressionLimits;
+        this.logger = logger;
+        // Validate and extract default effect
+        this.defaultEffect = this.validateDefaultEffect(policyDefinition.default_effect);
+        // Warn about unknown policy fields
+        if (warnOnUnknownFields) {
+            this.warnUnknownPolicyFields(policyDefinition);
+        }
+        // Compile rules for efficient evaluation
+        this.compiledRules = this.compileRules(policyDefinition.rules, warnOnUnknownFields);
+        this.logger.debug("expression_policy_compiled", {
+            defaultEffect: this.defaultEffect,
+            ruleCount: this.compiledRules.length,
+            rulesWithWhen: this.compiledRules.filter((r) => r.whenAst).length,
+        });
+    }
+    /**
+     * Evaluates the policy against a request.
+     */
+    async evaluateRequest(_node, envelope, context, action) {
+        const resolvedAction = action ?? "*";
+        const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
+        const address = extractAddress(envelope);
+        const grantedScopes = extractGrantedScopes(context);
+        const rawFrameType = envelope.frame
+            ?.type;
+        const frameTypeNormalized = typeof rawFrameType === "string" && rawFrameType.trim().length > 0
+            ? rawFrameType.trim().toLowerCase()
+            : "";
+        const rawOriginType = context?.originType;
+        const originTypeNormalized = typeof rawOriginType === "string"
+            ? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
+            : undefined;
+        // Prepare expression bindings (lazy)
+        let expressionBindings = null;
+        let functionRegistry = null;
+        const evaluationTrace = [];
+        // Evaluate rules in order (first match wins)
+        for (const rule of this.compiledRules) {
+            const step = {
+                ruleId: rule.id,
+                result: false,
+            };
+            // Check frame type match
+            if (rule.frameTypes) {
+                if (!frameTypeNormalized) {
+                    step.expression = "frame_type: missing";
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!rule.frameTypes.has(frameTypeNormalized)) {
+                    step.expression = `frame_type: ${rawFrameType ?? "unknown"} not in rule set`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check origin type match
+            if (rule.originTypes) {
+                if (originTypeNormalized === undefined) {
+                    step.expression = "origin_type: missing (rule requires origin)";
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!rule.originTypes.has(originTypeNormalized)) {
+                    step.expression = `origin_type: ${rawOriginType ?? "unknown"} not in [${Array.from(rule.originTypes).join(", ")}]`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check action match
+            if (!rule.actions.has("*") && !rule.actions.has(resolvedActionNormalized)) {
+                step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(", ")}]`;
+                step.result = false;
+                evaluationTrace.push(step);
+                continue;
+            }
+            // Check address match
+            if (rule.addressPatterns) {
+                if (!address) {
+                    step.expression = "address: pattern requires address, but none provided";
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                const matched = rule.addressPatterns.some((p) => p.match(address));
+                if (!matched) {
+                    const patterns = rule.addressPatterns.map((p) => p.source).join(", ");
+                    step.expression = `address: none of [${patterns}] matched ${address}`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check scope match
+            if (rule.scopeMatcher) {
+                if (!rule.scopeMatcher(grantedScopes)) {
+                    step.expression = "scope: requirement not satisfied";
+                    step.boundValues = { grantedScopes: [...grantedScopes] };
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check when expression
+            if (rule.whenParseError) {
+                // Parse error - rule does not match
+                step.expression = `when: parse error - ${rule.whenParseError}`;
+                step.result = false;
+                evaluationTrace.push(step);
+                continue;
+            }
+            if (rule.whenAst) {
+                // Lazy initialization of expression bindings
+                if (!expressionBindings) {
+                    expressionBindings = {
+                        claims: extractClaims(context),
+                        envelope: createEnvelopeBindings(envelope),
+                        delivery: createDeliveryBindings(context, resolvedAction),
+                        time: {
+                            now_ms: Date.now(),
+                            now_iso: new Date().toISOString(),
+                        },
+                    };
+                }
+                const functions = functionRegistry ?? createAuthFunctionRegistry(grantedScopes);
+                functionRegistry = functions;
+                const evalContext = {
+                    bindings: expressionBindings,
+                    limits: this.expressionLimits,
+                    source: rule.whenSource,
+                    functions,
+                };
+                const whenResult = evaluateAsBoolean(rule.whenAst, evalContext);
+                if (whenResult.error) {
+                    // Evaluation error - rule does not match
+                    step.expression = `when: evaluation error - ${whenResult.error}`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!whenResult.value) {
+                    // Expression evaluated to false
+                    step.expression = `when: expression evaluated to false`;
+                    step.boundValues = {
+                        whenExpression: rule.whenSource,
+                    };
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                // Expression evaluated to true
+                step.expression = `when: expression evaluated to true`;
+            }
+            // Rule matched
+            step.result = true;
+            if (!step.expression) {
+                step.expression = "all conditions matched";
+            }
+            step.boundValues = {
+                action: resolvedAction,
+                address,
+                grantedScopes: [...grantedScopes],
+                ...(rule.whenSource ? { whenExpression: rule.whenSource } : {}),
+            };
+            evaluationTrace.push(step);
+            this.logger.debug("rule_matched", {
+                ruleId: rule.id,
+                effect: rule.effect,
+                action: resolvedAction,
+                address,
+                hadWhenClause: Boolean(rule.whenAst),
+            });
+            return {
+                effect: rule.effect,
+                reason: rule.description ?? `Matched rule: ${rule.id}`,
+                matchedRule: rule.id,
+                evaluationTrace,
+            };
+        }
+        // No rule matched, apply default effect
+        this.logger.debug("no_rule_matched", {
+            defaultEffect: this.defaultEffect,
+            action: resolvedAction,
+            address,
+        });
+        return {
+            effect: this.defaultEffect,
+            reason: `No rule matched, applying default effect: ${this.defaultEffect}`,
+            evaluationTrace,
+        };
+    }
+    validateDefaultEffect(effect) {
+        if (effect === undefined || effect === null) {
+            return "deny";
+        }
+        if (effect !== "allow" && effect !== "deny") {
+            throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
+        }
+        return effect;
+    }
+    warnUnknownPolicyFields(definition) {
+        for (const key of Object.keys(definition)) {
+            if (!runtime.KNOWN_POLICY_FIELDS.has(key)) {
+                this.logger.warning("unknown_policy_field", { field: key });
+            }
+        }
+    }
+    compileRules(rules, warnOnUnknown) {
+        return rules.map((rule, index) => this.compileRule(rule, index, warnOnUnknown));
+    }
+    compileRule(rule, index, warnOnUnknown) {
+        const id = rule.id ?? `rule_${index}`;
+        // Validate effect
+        if (!runtime.VALID_EFFECTS.includes(rule.effect)) {
+            throw new Error(`Invalid effect in rule "${id}": "${String(rule.effect)}". Must be "allow" or "deny"`);
+        }
+        // Compile action(s)
+        const actions = this.compileActions(rule.action, id);
+        // Compile address patterns
+        const addressPatterns = this.compileAddress(rule.address, id);
+        // Compile frame type gating
+        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Compile origin type gating
+        const originTypes = this.compileOriginTypes(rule.origin_type, id);
+        // Compile scope matcher
+        let scopeMatcher;
+        if (rule.scope !== undefined) {
+            try {
+                const compiled = runtime.compileGlobOnlyScopeRequirement(rule.scope, id);
+                scopeMatcher = (scopes) => compiled.evaluate(scopes);
+            }
+            catch (error) {
+                throw new Error(`Invalid scope requirement in rule "${id}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // Compile when expression
+        let whenAst;
+        let whenSource;
+        let whenParseError;
+        if (typeof rule.when === "string" && rule.when.trim().length > 0) {
+            whenSource = rule.when.trim();
+            try {
+                whenAst = parse(whenSource, this.expressionLimits);
+            }
+            catch (error) {
+                // Parse error - store for evaluation time
+                whenParseError =
+                    error instanceof Error ? error.message : String(error);
+                this.logger.warning("when_parse_error", {
+                    ruleId: id,
+                    expression: whenSource,
+                    error: whenParseError,
+                });
+            }
+        }
+        // Warn about unknown fields
+        if (warnOnUnknown) {
+            for (const key of Object.keys(rule)) {
+                if (!runtime.KNOWN_RULE_FIELDS.has(key)) {
+                    this.logger.warning("unknown_rule_field", { ruleId: id, field: key });
+                }
+            }
+        }
+        return {
+            id,
+            description: rule.description,
+            effect: rule.effect,
+            actions,
+            frameTypes,
+            originTypes,
+            addressPatterns,
+            scopeMatcher,
+            whenAst,
+            whenSource,
+            whenParseError,
+        };
+    }
+    compileActions(action, ruleId) {
+        if (action === undefined) {
+            return new Set(["*"]);
+        }
+        if (typeof action === "string") {
+            const normalized = this.normalizeActionToken(action);
+            if (!normalized) {
+                throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${runtime.VALID_ACTIONS.join(", ")}`);
+            }
+            return new Set([normalized]);
+        }
+        if (!Array.isArray(action)) {
+            throw new Error(`Invalid action in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (action.length === 0) {
+            throw new Error(`Invalid action in rule "${ruleId}": array must not be empty`);
+        }
+        const actions = new Set();
+        for (const a of action) {
+            if (typeof a !== "string") {
+                throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
+            }
+            const normalized = this.normalizeActionToken(a);
+            if (!normalized) {
+                throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${runtime.VALID_ACTIONS.join(", ")}`);
+            }
+            actions.add(normalized);
+        }
+        return actions;
+    }
+    compileAddress(address, ruleId) {
+        if (address === undefined) {
+            return undefined;
+        }
+        const context = `address in rule "${ruleId}"`;
+        if (typeof address === "string") {
+            const trimmed = address.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid address in rule "${ruleId}": value must not be empty`);
+            }
+            try {
+                return [runtime.compileGlobPattern(trimmed, context)];
+            }
+            catch (error) {
+                throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        if (!Array.isArray(address)) {
+            throw new Error(`Invalid address in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (address.length === 0) {
+            throw new Error(`Invalid address in rule "${ruleId}": array must not be empty`);
+        }
+        const patterns = [];
+        for (const addr of address) {
+            if (typeof addr !== "string") {
+                throw new Error(`Invalid address in rule "${ruleId}": all values must be strings`);
+            }
+            const trimmed = addr.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid address in rule "${ruleId}": values must not be empty`);
+            }
+            try {
+                patterns.push(runtime.compileGlobPattern(trimmed, context));
+            }
+            catch (error) {
+                throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        return patterns;
+    }
+    compileFrameTypes(frameType, ruleId) {
+        if (frameType === undefined) {
+            return undefined;
+        }
+        if (typeof frameType === "string") {
+            const normalized = frameType.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
+            }
+            return new Set([normalized]);
+        }
+        if (!Array.isArray(frameType)) {
+            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (frameType.length === 0) {
+            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
+        }
+        const frameTypes = new Set();
+        for (const ft of frameType) {
+            if (typeof ft !== "string") {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
+            }
+            const normalized = ft.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
+            }
+            frameTypes.add(normalized);
+        }
+        return frameTypes;
+    }
+    compileOriginTypes(originType, ruleId) {
+        if (originType === undefined) {
+            return undefined;
+        }
+        if (typeof originType === "string") {
+            const trimmed = originType.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
+            }
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${runtime.VALID_ORIGIN_TYPES.join(", ")}`);
+            }
+            return new Set([normalized]);
+        }
+        if (!Array.isArray(originType)) {
+            throw new Error(`Invalid origin_type in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (originType.length === 0) {
+            throw new Error(`Invalid origin_type in rule "${ruleId}": array must not be empty`);
+        }
+        const originTypes = new Set();
+        for (const ot of originType) {
+            if (typeof ot !== "string") {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
+            }
+            const trimmed = ot.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
+            }
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${runtime.VALID_ORIGIN_TYPES.join(", ")}`);
+            }
+            originTypes.add(normalized);
+        }
+        return originTypes;
+    }
+    normalizeActionToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        if (trimmed === "*") {
+            return "*";
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, "").toLowerCase();
+        const map = {
+            connect: "Connect",
+            forwardupstream: "ForwardUpstream",
+            forwarddownstream: "ForwardDownstream",
+            forwardpeer: "ForwardPeer",
+            deliverlocal: "DeliverLocal",
+        };
+        return map[normalized] ?? null;
+    }
+    normalizeOriginTypeToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, "").toLowerCase();
+        const map = {
+            downstream: "downstream",
+            upstream: "upstream",
+            peer: "peer",
+            local: "local",
+        };
+        return map[normalized] ?? null;
+    }
+}
+
+var advancedAuthorizationPolicy = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AdvancedAuthorizationPolicy: AdvancedAuthorizationPolicy
+});
+
+/**
+ * Factory for creating AdvancedAuthorizationPolicy instances.
+ */
+let modulePromise = null;
+function getModule() {
+    if (!modulePromise) {
+        modulePromise = Promise.resolve().then(function () { return advancedAuthorizationPolicy; });
+    }
+    return modulePromise;
+}
+function normalizeConfig$5(config) {
+    if (!config) {
+        throw new Error("AdvancedAuthorizationPolicyFactory requires a configuration with a policyDefinition");
+    }
+    const candidate = config;
+    // Support both camelCase and snake_case for policyDefinition
+    const policyDefinition = (candidate.policyDefinition ??
+        candidate.policy_definition);
+    if (!policyDefinition || typeof policyDefinition !== "object") {
+        throw new Error("AdvancedAuthorizationPolicyConfig requires a policyDefinition object");
+    }
+    // Support both camelCase and snake_case for warnOnUnknownFields
+    const warnOnUnknownFields = candidate.warnOnUnknownFields ?? candidate.warn_on_unknown_fields;
+    if (warnOnUnknownFields !== undefined &&
+        typeof warnOnUnknownFields !== "boolean") {
+        throw new Error("warnOnUnknownFields must be a boolean");
+    }
+    // Support both camelCase and snake_case for expressionLimits
+    const expressionLimits = (candidate.expressionLimits ??
+        candidate.expression_limits);
+    return {
+        policyDefinition,
+        warnOnUnknownFields: warnOnUnknownFields ?? true,
+        expressionLimits,
+    };
+}
+/**
+ * Factory metadata for registration.
+ */
+const FACTORY_META$e = {
+    base: runtime.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE,
+    key: "AdvancedAuthorizationPolicy",
+};
+/**
+ * Factory for creating AdvancedAuthorizationPolicy instances.
+ */
+class AdvancedAuthorizationPolicyFactory extends runtime.AuthorizationPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "AdvancedAuthorizationPolicy";
+    }
+    /**
+     * Creates an AdvancedAuthorizationPolicy from the given configuration.
+     *
+     * @param config - Configuration with policyDefinition
+     * @returns The created authorization policy
+     */
+    async create(config) {
+        const normalized = normalizeConfig$5(config);
+        const { AdvancedAuthorizationPolicy } = await getModule();
+        return new AdvancedAuthorizationPolicy({
+            policyDefinition: normalized.policyDefinition,
+            warnOnUnknownFields: normalized.warnOnUnknownFields,
+            expressionLimits: normalized.expressionLimits,
+        });
+    }
+}
+
+var advancedAuthorizationPolicyFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AdvancedAuthorizationPolicyFactory: AdvancedAuthorizationPolicyFactory,
+    FACTORY_META: FACTORY_META$e,
+    default: AdvancedAuthorizationPolicyFactory
+});
+
 const logger$g = runtime.getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
 const OID_ED25519 = "1.3.101.112";