npm - @naylence/advanced-security - Versions diffs - 0.3.15 → 0.4.1 - Mend

@naylence/advanced-security 0.3.15 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (129) hide show

package/dist/browser/index.mjs CHANGED Viewed

@@ -1,17 +1,18 @@
-import { ExtensionManager, Registry, AbstractResourceFactory } from '@naylence/factory';
-import { ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, getLogger, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TrustStoreProviderFactory, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, AnsiColor, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, formatTimestamp, jsonDumps, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, validateHostLogical, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE } from '@naylence/runtime';
+import { ExtensionManager, Expressions, Registry, AbstractResourceFactory } from '@naylence/factory';
+import { ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, getLogger, registerProfile, SECURITY_MANAGER_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, VALID_EFFECTS, compileGlobOnlyScopeRequirement, KNOWN_RULE_FIELDS, VALID_ACTIONS, compileGlobPattern, VALID_ORIGIN_TYPES, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AuthorizationPolicyFactory, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TrustStoreProviderFactory, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, AnsiColor, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, formatTimestamp, jsonDumps, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, validateHostLogical, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE } from '@naylence/runtime';
+import { sha256 } from '@noble/hashes/sha256';
+import { generateFingerprintSync, localDeliveryContext, createFameEnvelope, generateId, formatAddress, FameAddress, SigningMaterial, DeliveryOriginType as DeliveryOriginType$1 } from '@naylence/core';
 import { AsnConvert, OctetString } from '@peculiar/asn1-schema';
 import { Attributes, CertificationRequestInfo, CertificationRequest } from '@peculiar/asn1-csr';
 import { Certificate, SubjectAlternativeName, NameConstraints, id_ce_subjectAltName, id_ce_nameConstraints, SubjectPublicKeyInfo, GeneralName, Extensions, Extension, Attribute, AlgorithmIdentifier, Name, RelativeDistinguishedName, AttributeTypeAndValue, AttributeValue, BasicConstraints, id_ce_basicConstraints, KeyUsageFlags, id_ce_keyUsage, KeyUsage, id_ce_subjectKeyIdentifier, SubjectKeyIdentifier, id_ce_authorityKeyIdentifier, AuthorityKeyIdentifier, KeyIdentifier, GeneralSubtrees, GeneralSubtree, TBSCertificate, Validity, Version, id_ce_extKeyUsage, ExtendedKeyUsage, id_kp_clientAuth, id_kp_serverAuth } from '@peculiar/asn1-x509';
 import { verify, etc } from '@noble/ed25519';
-import { sha256, sha512 } from '@noble/hashes/sha2.js';
-import { localDeliveryContext, createFameEnvelope, generateId, formatAddress, FameAddress, SigningMaterial, DeliveryOriginType as DeliveryOriginType$1 } from '@naylence/core';
+import { sha256 as sha256$1, sha512 } from '@noble/hashes/sha2.js';
 import { chacha20poly1305 } from '@noble/ciphers/chacha.js';
 import { x25519 } from '@noble/curves/ed25519.js';
 import { hkdf } from '@noble/hashes/hkdf.js';
 import { utf8ToBytes, randomBytes as randomBytes$1 } from '@noble/hashes/utils.js';
 import { SignJWT, importPKCS8, compactVerify, importJWK, importSPKI } from 'jose';
-import { sha256 as sha256$1 } from '@noble/hashes/sha256.js';
+import { sha256 as sha256$2 } from '@noble/hashes/sha256.js';
 import { X509Certificate } from '@peculiar/x509';
 /**
@@ -21,6 +22,7 @@ import { X509Certificate } from '@peculiar/x509';
  * Provides the list of advanced security factory modules for registration.
  */
 const MODULES = [
+    "./security/auth/policy/advanced-authorization-policy-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/default-certificate-manager-factory.js",
     "./security/cert/trust-store/browser-trust-store-provider-factory.js",
@@ -37,6 +39,7 @@ const MODULES = [
     "./welcome/advanced-welcome-service-factory.js"
 ];
 const MODULE_LOADERS = {
+    "./security/auth/policy/advanced-authorization-policy-factory.js": () => Promise.resolve().then(function () { return advancedAuthorizationPolicyFactory; }),
     "./security/cert/default-ca-service-factory.js": () => Promise.resolve().then(function () { return defaultCaServiceFactory; }),
     "./security/cert/default-certificate-manager-factory.js": () => Promise.resolve().then(function () { return defaultCertificateManagerFactory; }),
     "./security/cert/trust-store/browser-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return browserTrustStoreProviderFactory; }),
@@ -214,6 +217,75 @@ function getEncryptionManagerFactoryRegistry() {
     return globalRegistry;
 }
+/**
+ * Strict Overlay Security Profile
+ *
+ * Provides the strict-overlay security profile for advanced security scenarios.
+ * This profile requires X.509 certificate-based signing and supports both
+ * channel and sealed encryption modes.
+ */
+const ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = "FAME_DEFAULT_ENCRYPTION_LEVEL";
+const ENV_VAR_AUTHORIZATION_PROFILE = "FAME_AUTHORIZATION_PROFILE";
+const PROFILE_NAME_STRICT_OVERLAY = "strict-overlay";
+const STRICT_OVERLAY_PROFILE = {
+    type: "DefaultSecurityManager",
+    security_policy: {
+        type: "DefaultSecurityPolicy",
+        signing: {
+            signing_material: "x509-chain",
+            require_cert_sid_match: true,
+            inbound: {
+                signature_policy: "required",
+                unsigned_violation_action: "nack",
+                invalid_signature_action: "nack",
+            },
+            response: {
+                mirror_request_signing: true,
+                always_sign_responses: false,
+                sign_error_responses: true,
+            },
+            outbound: {
+                default_signing: true,
+                sign_sensitive_operations: true,
+                sign_if_recipient_expects: true,
+            },
+        },
+        encryption: {
+            inbound: {
+                allow_plaintext: true,
+                allow_channel: true,
+                allow_sealed: true,
+                plaintext_violation_action: "nack",
+                channel_violation_action: "nack",
+                sealed_violation_action: "nack",
+            },
+            response: {
+                mirror_request_level: true,
+                minimum_response_level: "plaintext",
+                escalate_sealed_responses: false,
+            },
+            outbound: {
+                default_level: Expressions.env(ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, "channel"),
+                escalate_if_peer_supports: false,
+                prefer_sealed_for_sensitive: false,
+            },
+        },
+    },
+    authorizer: {
+        type: "AuthorizationProfile",
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, "jwt"),
+    },
+};
+// Register the strict-overlay profile
+registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: "advanced-security:strict-overlay-security-profile", allowOverride: true });
+var strictOverlaySecurityProfile = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    ENV_VAR_AUTHORIZATION_PROFILE: ENV_VAR_AUTHORIZATION_PROFILE,
+    ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
+    PROFILE_NAME_STRICT_OVERLAY: PROFILE_NAME_STRICT_OVERLAY
+});
 const SECURITY_PREFIX = "./security/";
 const SECURITY_MODULES = MODULES.filter((spec) => spec.startsWith(SECURITY_PREFIX));
 const EXTRA_MODULES = MODULES.filter((spec) => !spec.startsWith(SECURITY_PREFIX));
@@ -498,12 +570,12 @@ async function registerAdvancedSecurityFactories(registrar = Registry, options)
 }
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.15
+// Generated from package.json version: 0.4.1
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.15';
+const VERSION = '0.4.1';
 async function registerAdvancedSecurityPluginFactories(registrar = Registry) {
     await registerAdvancedSecurityFactories(registrar);
@@ -528,6 +600,8 @@ const advancedSecurityPlugin = {
             try {
                 // console.log('[naylence:advanced-security] registering advanced security factories...');
                 await registerAdvancedSecurityPluginFactories();
+                // Import modules with side-effect registrations (not in manifest)
+                await Promise.resolve().then(function () { return strictOverlaySecurityProfile; });
                 // console.log('[naylence:advanced-security] advanced security factories registered');
                 initialized = true;
             }
@@ -547,6 +621,2602 @@ var plugin = /*#__PURE__*/Object.freeze({
     registerAdvancedSecurityPluginFactories: registerAdvancedSecurityPluginFactories
 });
+/**
+ * Abstract Syntax Tree (AST) node types for the expression language.
+ *
+ * The AST is produced by the parser and consumed by the evaluator.
+ */
+// ============================================================
+// AST Utilities
+// ============================================================
+/**
+ * Counts the total number of nodes in an AST.
+ */
+function countAstNodes(node) {
+    let count = 1;
+    switch (node.type) {
+        case "StringLiteral":
+        case "NumberLiteral":
+        case "BooleanLiteral":
+        case "NullLiteral":
+        case "Identifier":
+            return count;
+        case "ArrayLiteral":
+            for (const element of node.elements) {
+                count += countAstNodes(element);
+            }
+            return count;
+        case "MemberAccess":
+            return count + countAstNodes(node.object);
+        case "IndexAccess":
+            return count + countAstNodes(node.object) + countAstNodes(node.index);
+        case "FunctionCall":
+            for (const arg of node.args) {
+                count += countAstNodes(arg);
+            }
+            return count;
+        case "UnaryOp":
+            return count + countAstNodes(node.operand);
+        case "BinaryOp":
+            return count + countAstNodes(node.left) + countAstNodes(node.right);
+        case "TernaryOp":
+            return (count +
+                countAstNodes(node.condition) +
+                countAstNodes(node.consequent) +
+                countAstNodes(node.alternate));
+    }
+}
+/**
+ * Calculates the maximum depth of an AST.
+ */
+function calculateAstDepth(node) {
+    switch (node.type) {
+        case "StringLiteral":
+        case "NumberLiteral":
+        case "BooleanLiteral":
+        case "NullLiteral":
+        case "Identifier":
+            return 1;
+        case "ArrayLiteral": {
+            let maxChildDepth = 0;
+            for (const element of node.elements) {
+                maxChildDepth = Math.max(maxChildDepth, calculateAstDepth(element));
+            }
+            return 1 + maxChildDepth;
+        }
+        case "MemberAccess":
+            return 1 + calculateAstDepth(node.object);
+        case "IndexAccess":
+            return (1 +
+                Math.max(calculateAstDepth(node.object), calculateAstDepth(node.index)));
+        case "FunctionCall": {
+            let maxArgDepth = 0;
+            for (const arg of node.args) {
+                maxArgDepth = Math.max(maxArgDepth, calculateAstDepth(arg));
+            }
+            return 1 + maxArgDepth;
+        }
+        case "UnaryOp":
+            return 1 + calculateAstDepth(node.operand);
+        case "BinaryOp":
+            return (1 +
+                Math.max(calculateAstDepth(node.left), calculateAstDepth(node.right)));
+        case "TernaryOp":
+            return (1 +
+                Math.max(calculateAstDepth(node.condition), calculateAstDepth(node.consequent), calculateAstDepth(node.alternate)));
+    }
+}
+/**
+ * Error types for the expression evaluation engine.
+ *
+ * All expression errors extend ExpressionError for consistent handling.
+ */
+/**
+ * Base error class for all expression-related errors.
+ */
+class ExpressionError extends Error {
+    constructor(message, position, expression) {
+        super(message);
+        this.name = "ExpressionError";
+        this.position = position;
+        this.expression = expression;
+    }
+    /**
+     * Returns a formatted error message with position context.
+     */
+    formatWithContext() {
+        if (this.expression === undefined || this.position === undefined) {
+            return this.message;
+        }
+        const pointer = " ".repeat(this.position) + "^";
+        return `${this.message}\n  ${this.expression}\n  ${pointer}`;
+    }
+}
+/**
+ * Error thrown during tokenization (lexical analysis).
+ */
+class TokenizerError extends ExpressionError {
+    constructor(message, position, expression) {
+        super(message, position, expression);
+        this.name = "TokenizerError";
+    }
+}
+/**
+ * Error thrown during parsing (syntax analysis).
+ */
+class ParseError extends ExpressionError {
+    constructor(message, position, expression) {
+        super(message, position, expression);
+        this.name = "ParseError";
+    }
+}
+/**
+ * Error thrown during evaluation (runtime error).
+ */
+class EvaluationError extends ExpressionError {
+    constructor(message, position, expression, path) {
+        super(message, position, expression);
+        this.name = "EvaluationError";
+        this.path = path;
+    }
+}
+/**
+ * Error thrown for type mismatches during evaluation.
+ */
+class TypeError extends EvaluationError {
+    constructor(expected, actual, position, expression) {
+        super(`Type error: expected ${expected}, got ${actual}`, position, expression);
+        this.name = "TypeError";
+        this.expected = expected;
+        this.actual = actual;
+    }
+}
+/**
+ * Error thrown when a built-in function encounters an error.
+ */
+class BuiltinError extends EvaluationError {
+    constructor(functionName, message, position, expression) {
+        super(`${functionName}: ${message}`, position, expression);
+        this.name = "BuiltinError";
+        this.functionName = functionName;
+    }
+}
+/**
+ * Resource limits for expression parsing and evaluation.
+ *
+ * These limits protect against resource exhaustion attacks and
+ * overly complex expressions.
+ */
+/**
+ * Default expression limits.
+ *
+ * These values are chosen to allow reasonable expressions while
+ * preventing resource exhaustion.
+ */
+const DEFAULT_EXPRESSION_LIMITS = {
+    maxExpressionLength: 4096,
+    maxAstDepth: 32,
+    maxAstNodes: 256,
+    maxRegexPatternLength: 256,
+    maxGlobPatternLength: 256,
+    maxStringLength: 1024,
+    maxArrayLength: 64,
+    maxFunctionArgs: 16,
+    maxMemberAccessDepth: 16,
+};
+/**
+ * Validates that expression length is within limits.
+ */
+function checkExpressionLength(expression, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (expression.length > limits.maxExpressionLength) {
+        throw new Error(`Expression length ${expression.length} exceeds limit of ${limits.maxExpressionLength}`);
+    }
+}
+/**
+ * Validates AST depth during parsing.
+ */
+function checkAstDepth(depth, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (depth > limits.maxAstDepth) {
+        throw new Error(`AST depth ${depth} exceeds limit of ${limits.maxAstDepth}`);
+    }
+}
+/**
+ * Validates AST node count during parsing.
+ */
+function checkAstNodeCount(count, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (count > limits.maxAstNodes) {
+        throw new Error(`AST node count ${count} exceeds limit of ${limits.maxAstNodes}`);
+    }
+}
+/**
+ * Validates regex pattern length before compilation.
+ */
+function checkRegexPatternLength(pattern, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (pattern.length > limits.maxRegexPatternLength) {
+        throw new Error(`Regex pattern length ${pattern.length} exceeds limit of ${limits.maxRegexPatternLength}`);
+    }
+}
+/**
+ * Validates glob pattern length before compilation.
+ */
+function checkGlobPatternLength(pattern, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (pattern.length > limits.maxGlobPatternLength) {
+        throw new Error(`Glob pattern length ${pattern.length} exceeds limit of ${limits.maxGlobPatternLength}`);
+    }
+}
+/**
+ * Validates array length during evaluation.
+ */
+function checkArrayLength(length, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (length > limits.maxArrayLength) {
+        throw new Error(`Array length ${length} exceeds limit of ${limits.maxArrayLength}`);
+    }
+}
+/**
+ * Validates function argument count.
+ */
+function checkFunctionArgCount(count, limits = DEFAULT_EXPRESSION_LIMITS) {
+    if (count > limits.maxFunctionArgs) {
+        throw new Error(`Function argument count ${count} exceeds limit of ${limits.maxFunctionArgs}`);
+    }
+}
+/**
+ * Tokenizer (lexer) for the expression language.
+ *
+ * Converts expression strings into a stream of tokens for the parser.
+ */
+/**
+ * Keywords recognized by the tokenizer.
+ */
+const KEYWORDS = new Map([
+    ["true", "TRUE"],
+    ["false", "FALSE"],
+    ["null", "NULL"],
+    ["in", "IN"],
+    ["not", "NOT"],
+]);
+/**
+ * Checks if a character is a digit.
+ */
+function isDigit(ch) {
+    return ch >= "0" && ch <= "9";
+}
+/**
+ * Checks if a character can start an identifier.
+ */
+function isIdentifierStart(ch) {
+    return ((ch >= "a" && ch <= "z") ||
+        (ch >= "A" && ch <= "Z") ||
+        ch === "_");
+}
+/**
+ * Checks if a character can continue an identifier.
+ */
+function isIdentifierPart(ch) {
+    return isIdentifierStart(ch) || isDigit(ch);
+}
+/**
+ * Checks if a character is whitespace.
+ */
+function isWhitespace(ch) {
+    return ch === " " || ch === "\t" || ch === "\n" || ch === "\r";
+}
+/**
+ * Tokenizer for expression strings.
+ */
+class Tokenizer {
+    constructor(source, limits) {
+        this.position = 0;
+        this.tokens = [];
+        this.source = source;
+        this.limits = limits;
+    }
+    /**
+     * Tokenizes the source expression and returns all tokens.
+     */
+    tokenize() {
+        checkExpressionLength(this.source, this.limits);
+        while (!this.isAtEnd()) {
+            this.scanToken();
+        }
+        this.tokens.push({
+            type: "EOF",
+            value: "",
+            position: this.position,
+        });
+        return this.tokens;
+    }
+    isAtEnd() {
+        return this.position >= this.source.length;
+    }
+    peek() {
+        if (this.isAtEnd())
+            return "\0";
+        return this.source[this.position];
+    }
+    peekNext() {
+        if (this.position + 1 >= this.source.length)
+            return "\0";
+        return this.source[this.position + 1];
+    }
+    advance() {
+        return this.source[this.position++];
+    }
+    addToken(type, value, position) {
+        this.tokens.push({ type, value, position });
+    }
+    scanToken() {
+        const ch = this.advance();
+        const startPosition = this.position - 1;
+        // Skip whitespace
+        if (isWhitespace(ch)) {
+            return;
+        }
+        // Single-character tokens
+        switch (ch) {
+            case "(":
+                this.addToken("LPAREN", "(", startPosition);
+                return;
+            case ")":
+                this.addToken("RPAREN", ")", startPosition);
+                return;
+            case "[":
+                this.addToken("LBRACKET", "[", startPosition);
+                return;
+            case "]":
+                this.addToken("RBRACKET", "]", startPosition);
+                return;
+            case ".":
+                this.addToken("DOT", ".", startPosition);
+                return;
+            case ",":
+                this.addToken("COMMA", ",", startPosition);
+                return;
+            case "+":
+                this.addToken("PLUS", "+", startPosition);
+                return;
+            case "-":
+                this.addToken("MINUS", "-", startPosition);
+                return;
+            case "*":
+                this.addToken("STAR", "*", startPosition);
+                return;
+            case "/":
+                this.addToken("SLASH", "/", startPosition);
+                return;
+            case "%":
+                this.addToken("PERCENT", "%", startPosition);
+                return;
+            case "?":
+                this.addToken("QUESTION", "?", startPosition);
+                return;
+            case ":":
+                this.addToken("COLON", ":", startPosition);
+                return;
+        }
+        // Two-character operators
+        if (ch === "<") {
+            if (this.peek() === "=") {
+                this.advance();
+                this.addToken("LE", "<=", startPosition);
+            }
+            else {
+                this.addToken("LT", "<", startPosition);
+            }
+            return;
+        }
+        if (ch === ">") {
+            if (this.peek() === "=") {
+                this.advance();
+                this.addToken("GE", ">=", startPosition);
+            }
+            else {
+                this.addToken("GT", ">", startPosition);
+            }
+            return;
+        }
+        if (ch === "=") {
+            if (this.peek() === "=") {
+                this.advance();
+                this.addToken("EQ", "==", startPosition);
+                return;
+            }
+            throw new TokenizerError("Unexpected '='. Did you mean '=='?", startPosition, this.source);
+        }
+        if (ch === "!") {
+            if (this.peek() === "=") {
+                this.advance();
+                this.addToken("NE", "!=", startPosition);
+            }
+            else {
+                this.addToken("NOT", "!", startPosition);
+            }
+            return;
+        }
+        if (ch === "&") {
+            if (this.peek() === "&") {
+                this.advance();
+                this.addToken("AND", "&&", startPosition);
+                return;
+            }
+            throw new TokenizerError("Unexpected '&'. Did you mean '&&'?", startPosition, this.source);
+        }
+        if (ch === "|") {
+            if (this.peek() === "|") {
+                this.advance();
+                this.addToken("OR", "||", startPosition);
+                return;
+            }
+            throw new TokenizerError("Unexpected '|'. Did you mean '||'?", startPosition, this.source);
+        }
+        // String literals
+        if (ch === '"' || ch === "'") {
+            this.scanString(ch, startPosition);
+            return;
+        }
+        // Number literals
+        if (isDigit(ch)) {
+            this.scanNumber(startPosition);
+            return;
+        }
+        // Identifiers and keywords
+        if (isIdentifierStart(ch)) {
+            this.scanIdentifier(startPosition);
+            return;
+        }
+        throw new TokenizerError(`Unexpected character: '${ch}'`, startPosition, this.source);
+    }
+    scanString(quote, startPosition) {
+        let value = "";
+        while (!this.isAtEnd() && this.peek() !== quote) {
+            const ch = this.advance();
+            if (ch === "\\") {
+                // Escape sequence
+                if (this.isAtEnd()) {
+                    throw new TokenizerError("Unterminated string", startPosition, this.source);
+                }
+                const escaped = this.advance();
+                switch (escaped) {
+                    case "n":
+                        value += "\n";
+                        break;
+                    case "r":
+                        value += "\r";
+                        break;
+                    case "t":
+                        value += "\t";
+                        break;
+                    case "\\":
+                        value += "\\";
+                        break;
+                    case '"':
+                        value += '"';
+                        break;
+                    case "'":
+                        value += "'";
+                        break;
+                    default:
+                        throw new TokenizerError(`Invalid escape sequence: \\${escaped}`, this.position - 2, this.source);
+                }
+            }
+            else if (ch === "\n" || ch === "\r") {
+                throw new TokenizerError("Unterminated string (newline in string literal)", startPosition, this.source);
+            }
+            else {
+                value += ch;
+            }
+        }
+        if (this.isAtEnd()) {
+            throw new TokenizerError("Unterminated string", startPosition, this.source);
+        }
+        // Consume closing quote
+        this.advance();
+        this.addToken("STRING", value, startPosition);
+    }
+    scanNumber(startPosition) {
+        // Back up to include the first digit
+        this.position--;
+        let value = "";
+        // Integer part
+        while (isDigit(this.peek())) {
+            value += this.advance();
+        }
+        // Fractional part
+        if (this.peek() === "." && isDigit(this.peekNext())) {
+            value += this.advance(); // consume '.'
+            while (isDigit(this.peek())) {
+                value += this.advance();
+            }
+        }
+        // Exponent part
+        if (this.peek() === "e" || this.peek() === "E") {
+            value += this.advance();
+            if (this.peek() === "+" || this.peek() === "-") {
+                value += this.advance();
+            }
+            if (!isDigit(this.peek())) {
+                throw new TokenizerError("Invalid number: expected exponent digits", startPosition, this.source);
+            }
+            while (isDigit(this.peek())) {
+                value += this.advance();
+            }
+        }
+        this.addToken("NUMBER", value, startPosition);
+    }
+    scanIdentifier(startPosition) {
+        // Back up to include the first character
+        this.position--;
+        let value = "";
+        while (isIdentifierPart(this.peek())) {
+            value += this.advance();
+        }
+        // Check for "not in" compound keyword
+        const valueLower = value.toLowerCase();
+        if (valueLower === "not") {
+            // Check if followed by whitespace and "in"
+            const savedPosition = this.position;
+            // Skip whitespace
+            while (isWhitespace(this.peek())) {
+                this.advance();
+            }
+            // Check for "in"
+            if (this.peek() === "i" &&
+                this.peekNext() === "n" &&
+                !isIdentifierPart(this.source[this.position + 2] ?? "\0")) {
+                this.advance(); // consume 'i'
+                this.advance(); // consume 'n'
+                this.addToken("NOT_IN", "not in", startPosition);
+                return;
+            }
+            // Not "not in", restore position
+            this.position = savedPosition;
+        }
+        // Check for keyword
+        const keywordType = KEYWORDS.get(valueLower);
+        if (keywordType) {
+            this.addToken(keywordType, value, startPosition);
+        }
+        else {
+            this.addToken("IDENTIFIER", value, startPosition);
+        }
+    }
+}
+/**
+ * Tokenizes an expression string into tokens.
+ *
+ * @param source - The expression string to tokenize
+ * @param limits - Optional expression limits
+ * @returns Array of tokens
+ * @throws TokenizerError if the expression contains invalid tokens
+ */
+function tokenize(source, limits) {
+    const tokenizer = new Tokenizer(source, limits);
+    return tokenizer.tokenize();
+}
+/**
+ * Parser for the expression language.
+ *
+ * Parses a stream of tokens into an Abstract Syntax Tree (AST).
+ * Uses recursive descent parsing with operator precedence.
+ *
+ * Precedence (lowest to highest):
+ * 1. Ternary: ? :
+ * 2. Logical OR: ||
+ * 3. Logical AND: &&
+ * 4. Membership: in, not in
+ * 5. Equality: ==, !=
+ * 6. Comparison: <, <=, >, >=
+ * 7. Additive: +, -
+ * 8. Multiplicative: *, /, %
+ * 9. Unary: !, -
+ * 10. Postfix: . [] ()
+ * 11. Primary: literals, identifiers, parentheses
+ */
+/**
+ * Parser for expression strings.
+ */
+class Parser {
+    constructor(tokens, source, limits = DEFAULT_EXPRESSION_LIMITS) {
+        this.current = 0;
+        this.tokens = tokens;
+        this.source = source;
+        this.limits = limits;
+    }
+    /**
+     * Parses the token stream into an AST.
+     */
+    parse() {
+        const ast = this.parseTernary();
+        if (!this.isAtEnd()) {
+            const token = this.peek();
+            throw new ParseError(`Unexpected token: ${token.value || token.type}`, token.position, this.source);
+        }
+        // Validate AST limits
+        const nodeCount = countAstNodes(ast);
+        checkAstNodeCount(nodeCount, this.limits);
+        const depth = calculateAstDepth(ast);
+        checkAstDepth(depth, this.limits);
+        return ast;
+    }
+    // ============================================================
+    // Token Helpers
+    // ============================================================
+    isAtEnd() {
+        return this.peek().type === "EOF";
+    }
+    peek() {
+        return this.tokens[this.current];
+    }
+    previous() {
+        return this.tokens[this.current - 1];
+    }
+    advance() {
+        if (!this.isAtEnd()) {
+            this.current++;
+        }
+        return this.previous();
+    }
+    check(type) {
+        if (this.isAtEnd())
+            return false;
+        return this.peek().type === type;
+    }
+    match(...types) {
+        for (const type of types) {
+            if (this.check(type)) {
+                this.advance();
+                return true;
+            }
+        }
+        return false;
+    }
+    consume(type, message) {
+        if (this.check(type)) {
+            return this.advance();
+        }
+        const token = this.peek();
+        throw new ParseError(message, token.position, this.source);
+    }
+    // ============================================================
+    // Expression Parsing (by precedence, lowest to highest)
+    // ============================================================
+    /**
+     * Parses ternary expressions: condition ? consequent : alternate
+     */
+    parseTernary() {
+        const position = this.peek().position;
+        let node = this.parseOr();
+        if (this.match("QUESTION")) {
+            const consequent = this.parseTernary();
+            this.consume("COLON", "Expected ':' in ternary expression");
+            const alternate = this.parseTernary();
+            node = {
+                type: "TernaryOp",
+                position,
+                condition: node,
+                consequent,
+                alternate,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses logical OR: ||
+     */
+    parseOr() {
+        let node = this.parseAnd();
+        while (this.match("OR")) {
+            const position = this.previous().position;
+            const right = this.parseAnd();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: "||",
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses logical AND: &&
+     */
+    parseAnd() {
+        let node = this.parseEquality();
+        while (this.match("AND")) {
+            const position = this.previous().position;
+            const right = this.parseEquality();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: "&&",
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses equality: ==, !=
+     */
+    parseEquality() {
+        let node = this.parseMembership();
+        while (this.match("EQ", "NE")) {
+            const operator = this.previous().type === "EQ" ? "==" : "!=";
+            const position = this.previous().position;
+            const right = this.parseMembership();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses membership: in, not in
+     */
+    parseMembership() {
+        let node = this.parseComparison();
+        while (this.match("IN", "NOT_IN")) {
+            const operator = this.previous().type === "IN" ? "in" : "not in";
+            const position = this.previous().position;
+            const right = this.parseComparison();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses comparison: <, <=, >, >=
+     */
+    parseComparison() {
+        let node = this.parseAdditive();
+        while (this.match("LT", "LE", "GT", "GE")) {
+            const token = this.previous();
+            let operator;
+            switch (token.type) {
+                case "LT":
+                    operator = "<";
+                    break;
+                case "LE":
+                    operator = "<=";
+                    break;
+                case "GT":
+                    operator = ">";
+                    break;
+                case "GE":
+                    operator = ">=";
+                    break;
+                default:
+                    throw new ParseError(`Unexpected token: ${token.type}`, token.position, this.source);
+            }
+            const position = token.position;
+            const right = this.parseAdditive();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses additive: +, -
+     */
+    parseAdditive() {
+        let node = this.parseMultiplicative();
+        while (this.match("PLUS", "MINUS")) {
+            const operator = this.previous().type === "PLUS" ? "+" : "-";
+            const position = this.previous().position;
+            const right = this.parseMultiplicative();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator: operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses multiplicative: *, /, %
+     */
+    parseMultiplicative() {
+        let node = this.parseUnary();
+        while (this.match("STAR", "SLASH", "PERCENT")) {
+            const token = this.previous();
+            let operator;
+            switch (token.type) {
+                case "STAR":
+                    operator = "*";
+                    break;
+                case "SLASH":
+                    operator = "/";
+                    break;
+                case "PERCENT":
+                    operator = "%";
+                    break;
+                default:
+                    throw new ParseError(`Unexpected token: ${token.type}`, token.position, this.source);
+            }
+            const position = token.position;
+            const right = this.parseUnary();
+            node = {
+                type: "BinaryOp",
+                position,
+                operator,
+                left: node,
+                right,
+            };
+        }
+        return node;
+    }
+    /**
+     * Parses unary: !, -
+     */
+    parseUnary() {
+        if (this.match("NOT", "MINUS")) {
+            const token = this.previous();
+            const operator = token.type === "NOT" ? "!" : "-";
+            const position = token.position;
+            const operand = this.parseUnary();
+            return {
+                type: "UnaryOp",
+                position,
+                operator,
+                operand,
+            };
+        }
+        return this.parsePostfix();
+    }
+    /**
+     * Parses postfix: . [] ()
+     */
+    parsePostfix() {
+        let node = this.parsePrimary();
+        while (true) {
+            if (this.match("DOT")) {
+                const position = this.previous().position;
+                const propToken = this.consume("IDENTIFIER", "Expected property name after '.'");
+                node = {
+                    type: "MemberAccess",
+                    position,
+                    object: node,
+                    property: propToken.value,
+                };
+            }
+            else if (this.match("LBRACKET")) {
+                const position = this.previous().position;
+                const index = this.parseTernary();
+                this.consume("RBRACKET", "Expected ']' after index");
+                node = {
+                    type: "IndexAccess",
+                    position,
+                    object: node,
+                    index,
+                };
+            }
+            else if (this.match("LPAREN")) {
+                // Function call - node must be an identifier
+                if (node.type !== "Identifier") {
+                    throw new ParseError("Only named functions can be called", node.position, this.source);
+                }
+                const position = this.previous().position;
+                const args = this.parseArgumentList();
+                checkFunctionArgCount(args.length, this.limits);
+                node = {
+                    type: "FunctionCall",
+                    position,
+                    name: node.name,
+                    args,
+                };
+            }
+            else {
+                break;
+            }
+        }
+        return node;
+    }
+    /**
+     * Parses function argument list (already consumed opening paren).
+     */
+    parseArgumentList() {
+        const args = [];
+        if (!this.check("RPAREN")) {
+            do {
+                args.push(this.parseTernary());
+            } while (this.match("COMMA"));
+        }
+        this.consume("RPAREN", "Expected ')' after function arguments");
+        return args;
+    }
+    /**
+     * Parses primary expressions: literals, identifiers, parentheses, arrays.
+     */
+    parsePrimary() {
+        const token = this.peek();
+        const position = token.position;
+        // Boolean literals
+        if (this.match("TRUE")) {
+            return { type: "BooleanLiteral", position, value: true };
+        }
+        if (this.match("FALSE")) {
+            return { type: "BooleanLiteral", position, value: false };
+        }
+        // Null literal
+        if (this.match("NULL")) {
+            return { type: "NullLiteral", position };
+        }
+        // String literal
+        if (this.match("STRING")) {
+            return {
+                type: "StringLiteral",
+                position,
+                value: this.previous().value,
+            };
+        }
+        // Number literal
+        if (this.match("NUMBER")) {
+            const value = parseFloat(this.previous().value);
+            if (!Number.isFinite(value)) {
+                throw new ParseError("Invalid number", position, this.source);
+            }
+            return { type: "NumberLiteral", position, value };
+        }
+        // Identifier
+        if (this.match("IDENTIFIER")) {
+            return {
+                type: "Identifier",
+                position,
+                name: this.previous().value,
+            };
+        }
+        // Parenthesized expression
+        if (this.match("LPAREN")) {
+            const expr = this.parseTernary();
+            this.consume("RPAREN", "Expected ')' after expression");
+            return expr;
+        }
+        // Array literal
+        if (this.match("LBRACKET")) {
+            const elements = [];
+            if (!this.check("RBRACKET")) {
+                do {
+                    elements.push(this.parseTernary());
+                } while (this.match("COMMA"));
+            }
+            this.consume("RBRACKET", "Expected ']' after array elements");
+            checkArrayLength(elements.length, this.limits);
+            return { type: "ArrayLiteral", position, elements };
+        }
+        throw new ParseError(`Unexpected token: ${token.value || token.type}`, position, this.source);
+    }
+}
+/**
+ * Parses an expression string into an AST.
+ *
+ * @param source - The expression string to parse
+ * @param limits - Optional expression limits
+ * @returns The parsed AST
+ * @throws TokenizerError if tokenization fails
+ * @throws ParseError if parsing fails
+ */
+function parse(source, limits = DEFAULT_EXPRESSION_LIMITS) {
+    const tokens = tokenize(source, limits);
+    const parser = new Parser(tokens, source, limits);
+    return parser.parse();
+}
+/**
+ * Built-in functions for the expression language.
+ *
+ * All built-in functions are pure and deterministic.
+ *
+ * Null handling semantics:
+ * - `undefined` is normalized to `null` throughout the expression value model.
+ * - Predicate-style builtins (starts_with, ends_with, contains, glob_match,
+ *   regex_match, etc.) return `false` when passed `null` for required args
+ *   instead of throwing an error.
+ * - Wrong non-null types still raise BuiltinError to surface real bugs.
+ * - Non-predicate operations (arithmetic, comparisons) remain strict.
+ */
+/**
+ * Normalizes a JavaScript value to an ExprValue.
+ *
+ * Rules:
+ * - `undefined` -> `null`
+ * - `null` -> `null`
+ * - boolean/number/string -> returned as-is
+ * - array -> elements are recursively normalized
+ * - object -> returned as-is (reads will normalize on access)
+ * - other types (function, symbol, etc.) -> `null`
+ *
+ * This ensures `undefined` never leaks into the expression value model.
+ */
+function normalizeJsValue(value) {
+    if (value === undefined || value === null) {
+        return null;
+    }
+    if (typeof value === "boolean" || typeof value === "number") {
+        return value;
+    }
+    if (typeof value === "string") {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map((element) => normalizeJsValue(element));
+    }
+    if (typeof value === "object") {
+        // Return the object as-is; reads will normalize on access
+        return value;
+    }
+    // Function, symbol, bigint, etc. -> null
+    return null;
+}
+/**
+ * Gets the type name of a value for error messages.
+ */
+function getTypeName(value) {
+    if (value === null)
+        return "null";
+    if (Array.isArray(value))
+        return "array";
+    return typeof value;
+}
+/**
+ * Asserts that a value is a string.
+ */
+function assertString$1(value, argName, functionName) {
+    if (typeof value !== "string") {
+        throw new BuiltinError(functionName, `${argName} must be a string, got ${getTypeName(value)}`);
+    }
+}
+/**
+ * Checks if a value is null (for null-tolerant predicates).
+ */
+function isNull$1(value) {
+    return value === null;
+}
+/**
+ * Asserts that a non-null value is a string (for null-tolerant predicates).
+ * Returns false if the value is null (indicating predicate should return false).
+ * Throws BuiltinError if the value is non-null but not a string.
+ */
+function assertStringOrNull$1(value, argName, functionName) {
+    if (isNull$1(value)) {
+        return false;
+    }
+    if (typeof value !== "string") {
+        throw new BuiltinError(functionName, `${argName} must be a string, got ${getTypeName(value)}`);
+    }
+    return true;
+}
+/**
+ * Gets an argument by index, throwing if not present.
+ */
+function getArg$1(args, index, functionName) {
+    const value = args[index];
+    if (value === undefined) {
+        throw new BuiltinError(functionName, `missing argument at index ${index}`);
+    }
+    return value;
+}
+/**
+ * Asserts argument count.
+ */
+function assertArgCount$1(args, expected, functionName) {
+    if (args.length !== expected) {
+        throw new BuiltinError(functionName, `expected ${expected} argument(s), got ${args.length}`);
+    }
+}
+/**
+ * Asserts argument count range.
+ */
+function assertArgCountRange(args, min, max, functionName) {
+    if (args.length < min || args.length > max) {
+        throw new BuiltinError(functionName, `expected ${min}-${max} argument(s), got ${args.length}`);
+    }
+}
+// ============================================================
+// String Helpers
+// ============================================================
+/**
+ * lower(s: string) -> string
+ *
+ * Returns the lowercase version of the string.
+ */
+const lower = (args) => {
+    assertArgCount$1(args, 1, "lower");
+    const s = getArg$1(args, 0, "lower");
+    assertString$1(s, "s", "lower");
+    return s.toLowerCase();
+};
+/**
+ * upper(s: string) -> string
+ *
+ * Returns the uppercase version of the string.
+ */
+const upper = (args) => {
+    assertArgCount$1(args, 1, "upper");
+    const s = getArg$1(args, 0, "upper");
+    assertString$1(s, "s", "upper");
+    return s.toUpperCase();
+};
+/**
+ * starts_with(s: string, prefix: string) -> bool
+ *
+ * Returns true if the string starts with the prefix.
+ * Null-tolerant: returns false if either argument is null.
+ */
+const starts_with = (args) => {
+    assertArgCount$1(args, 2, "starts_with");
+    const s = getArg$1(args, 0, "starts_with");
+    const prefix = getArg$1(args, 1, "starts_with");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(s, "s", "starts_with"))
+        return false;
+    if (!assertStringOrNull$1(prefix, "prefix", "starts_with"))
+        return false;
+    return s.startsWith(prefix);
+};
+/**
+ * ends_with(s: string, suffix: string) -> bool
+ *
+ * Returns true if the string ends with the suffix.
+ * Null-tolerant: returns false if either argument is null.
+ */
+const ends_with = (args) => {
+    assertArgCount$1(args, 2, "ends_with");
+    const s = getArg$1(args, 0, "ends_with");
+    const suffix = getArg$1(args, 1, "ends_with");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(s, "s", "ends_with"))
+        return false;
+    if (!assertStringOrNull$1(suffix, "suffix", "ends_with"))
+        return false;
+    return s.endsWith(suffix);
+};
+/**
+ * contains(s: string, substring: string) -> bool
+ *
+ * Returns true if the string contains the substring.
+ * Null-tolerant: returns false if either argument is null.
+ */
+const contains = (args) => {
+    assertArgCount$1(args, 2, "contains");
+    const s = getArg$1(args, 0, "contains");
+    const substring = getArg$1(args, 1, "contains");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(s, "s", "contains"))
+        return false;
+    if (!assertStringOrNull$1(substring, "substring", "contains"))
+        return false;
+    return s.includes(substring);
+};
+/**
+ * split(s: string, separator: string) -> string[]
+ *
+ * Splits the string by the separator.
+ */
+const split = (args) => {
+    assertArgCountRange(args, 1, 2, "split");
+    const s = getArg$1(args, 0, "split");
+    assertString$1(s, "s", "split");
+    const separator = args.length >= 2 ? getArg$1(args, 1, "split") : " ";
+    assertString$1(separator, "separator", "split");
+    return s.split(separator);
+};
+// ============================================================
+// Collection Helpers
+// ============================================================
+/**
+ * len(x: string | array) -> number
+ *
+ * Returns the length of a string or array.
+ */
+const len = (args) => {
+    assertArgCount$1(args, 1, "len");
+    const x = getArg$1(args, 0, "len");
+    if (typeof x === "string") {
+        return x.length;
+    }
+    if (Array.isArray(x)) {
+        return x.length;
+    }
+    throw new BuiltinError("len", `expected string or array, got ${getTypeName(x)}`);
+};
+// ============================================================
+// Generic Helpers
+// ============================================================
+/**
+ * exists(x: any) -> bool
+ *
+ * Returns true if the value is not null.
+ * Missing bindings and missing properties evaluate to null, so this
+ * can be used to check for presence.
+ */
+const exists = (args) => {
+    assertArgCount$1(args, 1, "exists");
+    const x = getArg$1(args, 0, "exists");
+    return x !== null;
+};
+/**
+ * coalesce(a: any, b: any) -> any
+ *
+ * Returns `a` if it is not null, otherwise returns `b`.
+ * This is useful for providing default values.
+ */
+const coalesce = (args) => {
+    assertArgCount$1(args, 2, "coalesce");
+    const a = getArg$1(args, 0, "coalesce");
+    const b = getArg$1(args, 1, "coalesce");
+    return a !== null ? a : b;
+};
+/**
+ * trim(s: string) -> string
+ *
+ * Trims whitespace from both ends of a string.
+ * Returns an empty string if `s` is null (for convenient composition).
+ * Throws BuiltinError if `s` is non-null but not a string.
+ */
+const trim = (args) => {
+    assertArgCount$1(args, 1, "trim");
+    const s = getArg$1(args, 0, "trim");
+    // Null-friendly: return empty string for null
+    if (s === null) {
+        return "";
+    }
+    // Strict type check for non-null values
+    if (typeof s !== "string") {
+        throw new BuiltinError("trim", `s must be a string, got ${getTypeName(s)}`);
+    }
+    return s.trim();
+};
+/**
+ * secure_hash(input_str: string, length: number) -> string
+ *
+ * Generates a deterministic secure hash/fingerprint of the input string.
+ * Uses SHA-256 hashing to create a stable identifier of the specified length.
+ * Returns base62-encoded string (alphanumeric, case-sensitive).
+ * Automatically rehashes if result contains blacklisted words.
+ * Returns empty string if input_str is null (for convenient composition).
+ * Throws BuiltinError if input_str is non-null but not a string, or if length is invalid.
+ */
+const secure_hash = (args) => {
+    assertArgCount$1(args, 2, "secure_hash");
+    const input_str = getArg$1(args, 0, "secure_hash");
+    const length = getArg$1(args, 1, "secure_hash");
+    // Null-friendly: return empty string for null input
+    if (input_str === null) {
+        return "";
+    }
+    // Strict type check for input_str
+    if (typeof input_str !== "string") {
+        throw new BuiltinError("secure_hash", `input_str must be a string, got ${getTypeName(input_str)}`);
+    }
+    // Strict type check for length
+    if (typeof length !== "number") {
+        throw new BuiltinError("secure_hash", `length must be a number, got ${getTypeName(length)}`);
+    }
+    // Validate length is a positive integer
+    if (!Number.isInteger(length) || length <= 0) {
+        throw new BuiltinError("secure_hash", `length must be a positive integer, got ${length}`);
+    }
+    // Use generateFingerprintSync from @naylence/core
+    // This provides SHA-256 hashing, base62 encoding, and profanity filtering
+    return generateFingerprintSync(input_str, length, sha256);
+};
+// ============================================================
+// Pattern Helpers (BSL-only)
+// ============================================================
+/**
+ * Escapes special regex characters in a string.
+ */
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+/**
+ * Converts a glob pattern to a regex pattern.
+ */
+function globToRegex(glob) {
+    const parts = [];
+    let i = 0;
+    while (i < glob.length) {
+        const ch = glob[i];
+        if (ch === "*") {
+            if (glob[i + 1] === "*") {
+                // `**` matches any characters
+                parts.push(".*");
+                i += 2;
+            }
+            else {
+                // `*` matches any characters except dots
+                parts.push("[^.]*");
+                i += 1;
+            }
+        }
+        else if (ch === "?") {
+            // `?` matches a single character
+            parts.push("[^.]");
+            i += 1;
+        }
+        else {
+            parts.push(escapeRegex(ch));
+            i += 1;
+        }
+    }
+    return parts.join("");
+}
+/**
+ * glob_match(value: string, pattern: string) -> bool
+ *
+ * Returns true if the value matches the glob pattern.
+ * Glob syntax: * (single segment), ** (any depth), ? (single char)
+ * Null-tolerant: returns false if either argument is null.
+ */
+const glob_match = (args, context) => {
+    assertArgCount$1(args, 2, "glob_match");
+    const value = getArg$1(args, 0, "glob_match");
+    const pattern = getArg$1(args, 1, "glob_match");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(value, "value", "glob_match"))
+        return false;
+    if (!assertStringOrNull$1(pattern, "pattern", "glob_match"))
+        return false;
+    // Validate pattern length
+    checkGlobPatternLength(pattern, context.limits);
+    // Convert glob to regex
+    const regexPattern = `^${globToRegex(pattern)}$`;
+    try {
+        const regex = new RegExp(regexPattern);
+        return regex.test(value);
+    }
+    catch {
+        throw new BuiltinError("glob_match", `invalid glob pattern: ${pattern}`);
+    }
+};
+/**
+ * Detects potentially catastrophic regex patterns.
+ *
+ * This is a best-effort heuristic check for common ReDoS patterns.
+ */
+function isSafeRegex(pattern) {
+    // Check for obvious catastrophic patterns:
+    // - Nested quantifiers: (a+)+, (a*)*
+    // - Overlapping alternation with quantifiers: (a|a)+
+    // Simple heuristic: reject patterns with nested quantifiers
+    const nestedQuantifiers = /([+*?]|\{\d+,?\d*\})\s*\)\s*([+*?]|\{\d+,?\d*\})/;
+    if (nestedQuantifiers.test(pattern)) {
+        return false;
+    }
+    // Reject patterns with excessive backtracking potential
+    const excessiveBacktracking = /(\.\*){3,}|(\.\+){3,}/;
+    if (excessiveBacktracking.test(pattern)) {
+        return false;
+    }
+    return true;
+}
+/**
+ * regex_match(value: string, pattern: string) -> bool
+ *
+ * Returns true if the value matches the regex pattern.
+ * The pattern is anchored (full match).
+ * Null-tolerant: returns false if either argument is null.
+ */
+const regex_match = (args, context) => {
+    assertArgCount$1(args, 2, "regex_match");
+    const value = getArg$1(args, 0, "regex_match");
+    const pattern = getArg$1(args, 1, "regex_match");
+    // Null-tolerant: return false if either arg is null
+    if (!assertStringOrNull$1(value, "value", "regex_match"))
+        return false;
+    if (!assertStringOrNull$1(pattern, "pattern", "regex_match"))
+        return false;
+    // Validate pattern length
+    checkRegexPatternLength(pattern, context.limits);
+    // Check for potentially unsafe patterns
+    if (!isSafeRegex(pattern)) {
+        throw new BuiltinError("regex_match", `pattern may cause excessive backtracking: ${pattern}`);
+    }
+    // Anchor the pattern for full match
+    const anchoredPattern = pattern.startsWith("^")
+        ? pattern
+        : pattern.endsWith("$")
+            ? pattern
+            : `^(?:${pattern})$`;
+    try {
+        const regex = new RegExp(anchoredPattern);
+        return regex.test(value);
+    }
+    catch (error) {
+        throw new BuiltinError("regex_match", `invalid regex pattern: ${pattern} - ${error instanceof Error ? error.message : String(error)}`);
+    }
+};
+// ============================================================
+// Registry
+// ============================================================
+/**
+ * Registry of all built-in functions.
+ */
+const BUILTIN_FUNCTIONS = new Map([
+    // String helpers
+    ["lower", lower],
+    ["upper", upper],
+    ["starts_with", starts_with],
+    ["ends_with", ends_with],
+    ["contains", contains],
+    ["split", split],
+    ["trim", trim],
+    // Collection helpers
+    ["len", len],
+    // Generic helpers
+    ["exists", exists],
+    ["coalesce", coalesce],
+    ["secure_hash", secure_hash],
+    // Pattern helpers
+    ["glob_match", glob_match],
+    ["regex_match", regex_match],
+]);
+/**
+ * Calls a built-in function by name.
+ *
+ * @param name - The function name
+ * @param args - The function arguments
+ * @param context - The evaluation context
+ * @returns The function result
+ * @throws BuiltinError if the function doesn't exist or fails
+ */
+function callBuiltin(name, args, context, functions = BUILTIN_FUNCTIONS) {
+    const fn = functions.get(name);
+    if (!fn) {
+        throw new EvaluationError(`Unknown function: ${name}`, context.position, context.source);
+    }
+    return fn(args, context);
+}
+/**
+ * Expression evaluator.
+ *
+ * Evaluates an AST against a set of variable bindings and returns a value.
+ *
+ * Null handling semantics:
+ * - `undefined` values are normalized to `null` throughout evaluation.
+ * - Missing identifiers evaluate to `null`.
+ * - Member access on `null` or non-object returns `null`.
+ * - Missing properties return `null` (including properties set to `undefined`).
+ */
+/**
+ * Evaluates an AST node and returns the result.
+ */
+class Evaluator {
+    constructor(context) {
+        this.memberAccessDepth = 0;
+        this.context = context;
+        this.limits = context.limits ?? DEFAULT_EXPRESSION_LIMITS;
+        this.source = context.source ?? "";
+        this.functions = context.functions ?? BUILTIN_FUNCTIONS;
+    }
+    /**
+     * Evaluates an AST node and returns the value.
+     */
+    evaluate(node) {
+        switch (node.type) {
+            case "StringLiteral":
+                return node.value;
+            case "NumberLiteral":
+                return node.value;
+            case "BooleanLiteral":
+                return node.value;
+            case "NullLiteral":
+                return null;
+            case "ArrayLiteral":
+                return node.elements.map((e) => this.evaluate(e));
+            case "Identifier":
+                return this.evaluateIdentifier(node.name, node.position);
+            case "MemberAccess":
+                return this.evaluateMemberAccess(node);
+            case "IndexAccess":
+                return this.evaluateIndexAccess(node);
+            case "FunctionCall":
+                return this.evaluateFunctionCall(node);
+            case "UnaryOp":
+                return this.evaluateUnaryOp(node.operator, node.operand, node.position);
+            case "BinaryOp":
+                return this.evaluateBinaryOp(node.operator, node.left, node.right, node.position);
+            case "TernaryOp":
+                return this.evaluateTernaryOp(node.condition, node.consequent, node.alternate, node.position);
+        }
+    }
+    /**
+     * Evaluates as boolean with strict type checking.
+     */
+    evaluateAsBoolean(node) {
+        const value = this.evaluate(node);
+        if (typeof value !== "boolean") {
+            throw new TypeError("boolean", getTypeName(value), node.position, this.source);
+        }
+        return value;
+    }
+    evaluateIdentifier(name, _position) {
+        // Check if it's a top-level binding
+        if (name in this.context.bindings) {
+            // Normalize the value to ensure undefined becomes null
+            return normalizeJsValue(this.context.bindings[name]);
+        }
+        // Unknown identifier evaluates to null (missing field)
+        return null;
+    }
+    evaluateMemberAccess(node) {
+        // Check member access depth
+        this.memberAccessDepth++;
+        if (this.memberAccessDepth > this.limits.maxMemberAccessDepth) {
+            throw new EvaluationError(`Member access depth ${this.memberAccessDepth} exceeds limit of ${this.limits.maxMemberAccessDepth}`, node.position, this.source);
+        }
+        try {
+            const obj = this.evaluate(node.object);
+            // Null-safe member access: null.foo -> null
+            if (obj === null) {
+                return null;
+            }
+            // Must be an object (not primitive, not array)
+            if (typeof obj !== "object" || Array.isArray(obj)) {
+                // Type mismatch during access returns null (not error)
+                return null;
+            }
+            const record = obj;
+            if (node.property in record) {
+                // Normalize the value to ensure undefined becomes null
+                return normalizeJsValue(record[node.property]);
+            }
+            // Missing property evaluates to null
+            return null;
+        }
+        finally {
+            this.memberAccessDepth--;
+        }
+    }
+    evaluateIndexAccess(node) {
+        const obj = this.evaluate(node.object);
+        const index = this.evaluate(node.index);
+        // Null-safe index access: null[0] -> null
+        if (obj === null) {
+            return null;
+        }
+        // Array access with numeric index
+        if (Array.isArray(obj)) {
+            if (typeof index !== "number") {
+                throw new TypeError("number", getTypeName(index), node.position, this.source);
+            }
+            const intIndex = Math.floor(index);
+            if (intIndex < 0 || intIndex >= obj.length) {
+                // Out of bounds evaluates to null
+                return null;
+            }
+            // Normalize array element to ensure undefined becomes null
+            return normalizeJsValue(obj[intIndex]);
+        }
+        // Object access with string key
+        if (typeof obj === "object") {
+            if (typeof index !== "string") {
+                throw new TypeError("string", getTypeName(index), node.position, this.source);
+            }
+            const record = obj;
+            if (index in record) {
+                // Normalize the value to ensure undefined becomes null
+                return normalizeJsValue(record[index]);
+            }
+            // Missing key evaluates to null
+            return null;
+        }
+        // Type mismatch during access returns null
+        return null;
+    }
+    evaluateFunctionCall(node) {
+        // Evaluate arguments
+        const args = node.args.map((arg) => this.evaluate(arg));
+        const builtinContext = {
+            limits: this.limits,
+            position: node.position,
+            source: this.source,
+        };
+        return callBuiltin(node.name, args, builtinContext, this.functions);
+    }
+    evaluateUnaryOp(operator, operand, position) {
+        const value = this.evaluate(operand);
+        switch (operator) {
+            case "!":
+                if (typeof value !== "boolean") {
+                    throw new TypeError("boolean", getTypeName(value), position, this.source);
+                }
+                return !value;
+            case "-":
+                if (typeof value !== "number") {
+                    throw new TypeError("number", getTypeName(value), position, this.source);
+                }
+                return -value;
+        }
+    }
+    evaluateBinaryOp(operator, left, right, position) {
+        // Short-circuit evaluation for logical operators
+        if (operator === "&&") {
+            const leftValue = this.evaluate(left);
+            if (typeof leftValue !== "boolean") {
+                throw new TypeError("boolean", getTypeName(leftValue), left.position, this.source);
+            }
+            if (!leftValue)
+                return false;
+            const rightValue = this.evaluate(right);
+            if (typeof rightValue !== "boolean") {
+                throw new TypeError("boolean", getTypeName(rightValue), right.position, this.source);
+            }
+            return rightValue;
+        }
+        if (operator === "||") {
+            const leftValue = this.evaluate(left);
+            if (typeof leftValue !== "boolean") {
+                throw new TypeError("boolean", getTypeName(leftValue), left.position, this.source);
+            }
+            if (leftValue)
+                return true;
+            const rightValue = this.evaluate(right);
+            if (typeof rightValue !== "boolean") {
+                throw new TypeError("boolean", getTypeName(rightValue), right.position, this.source);
+            }
+            return rightValue;
+        }
+        // Eager evaluation for other operators
+        const leftValue = this.evaluate(left);
+        const rightValue = this.evaluate(right);
+        switch (operator) {
+            // Arithmetic
+            case "+":
+                if (typeof leftValue === "string" && typeof rightValue === "string") {
+                    return leftValue + rightValue;
+                }
+                if (typeof leftValue === "number" && typeof rightValue === "number") {
+                    return leftValue + rightValue;
+                }
+                throw new EvaluationError(`Cannot add ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+            case "-":
+                if (typeof leftValue !== "number" || typeof rightValue !== "number") {
+                    throw new EvaluationError(`Cannot subtract ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+                }
+                return leftValue - rightValue;
+            case "*":
+                if (typeof leftValue !== "number" || typeof rightValue !== "number") {
+                    throw new EvaluationError(`Cannot multiply ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+                }
+                return leftValue * rightValue;
+            case "/":
+                if (typeof leftValue !== "number" || typeof rightValue !== "number") {
+                    throw new EvaluationError(`Cannot divide ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+                }
+                if (rightValue === 0) {
+                    throw new EvaluationError("Division by zero", position, this.source);
+                }
+                return leftValue / rightValue;
+            case "%":
+                if (typeof leftValue !== "number" || typeof rightValue !== "number") {
+                    throw new EvaluationError(`Cannot compute modulo of ${getTypeName(leftValue)} and ${getTypeName(rightValue)}`, position, this.source);
+                }
+                if (rightValue === 0) {
+                    throw new EvaluationError("Modulo by zero", position, this.source);
+                }
+                return leftValue % rightValue;
+            // Comparison
+            case "<":
+            case "<=":
+            case ">":
+            case ">=":
+                return this.evaluateComparison(operator, leftValue, rightValue, position);
+            // Equality
+            case "==":
+                return this.valuesEqual(leftValue, rightValue);
+            case "!=":
+                return !this.valuesEqual(leftValue, rightValue);
+            // Membership
+            case "in":
+                return this.evaluateIn(leftValue, rightValue, position);
+            case "not in":
+                return !this.evaluateIn(leftValue, rightValue, position);
+        }
+    }
+    evaluateComparison(operator, left, right, position) {
+        // Numbers
+        if (typeof left === "number" && typeof right === "number") {
+            switch (operator) {
+                case "<":
+                    return left < right;
+                case "<=":
+                    return left <= right;
+                case ">":
+                    return left > right;
+                case ">=":
+                    return left >= right;
+            }
+        }
+        // Strings
+        if (typeof left === "string" && typeof right === "string") {
+            switch (operator) {
+                case "<":
+                    return left < right;
+                case "<=":
+                    return left <= right;
+                case ">":
+                    return left > right;
+                case ">=":
+                    return left >= right;
+            }
+        }
+        throw new EvaluationError(`Cannot compare ${getTypeName(left)} and ${getTypeName(right)} with ${operator}`, position, this.source);
+    }
+    evaluateIn(left, right, position) {
+        // String in string (substring check)
+        if (typeof left === "string" && typeof right === "string") {
+            return right.includes(left);
+        }
+        // Value in array
+        if (Array.isArray(right)) {
+            return right.some((item) => this.valuesEqual(left, item));
+        }
+        // Key in object
+        if (typeof right === "object" && right !== null && !Array.isArray(right)) {
+            if (typeof left !== "string") {
+                throw new EvaluationError(`Cannot check if ${getTypeName(left)} is a key in object (expected string)`, position, this.source);
+            }
+            return left in right;
+        }
+        throw new EvaluationError(`Cannot check membership: ${getTypeName(left)} in ${getTypeName(right)}`, position, this.source);
+    }
+    evaluateTernaryOp(condition, consequent, alternate, _position) {
+        const condValue = this.evaluate(condition);
+        if (typeof condValue !== "boolean") {
+            throw new TypeError("boolean", getTypeName(condValue), condition.position, this.source);
+        }
+        return condValue ? this.evaluate(consequent) : this.evaluate(alternate);
+    }
+    /**
+     * Deep equality check for expression values.
+     */
+    valuesEqual(a, b) {
+        // Identical primitives or same reference
+        if (a === b)
+            return true;
+        // Type mismatch
+        if (typeof a !== typeof b)
+            return false;
+        // null check (both must be null if one is)
+        if (a === null || b === null)
+            return false;
+        // Arrays
+        if (Array.isArray(a) && Array.isArray(b)) {
+            if (a.length !== b.length)
+                return false;
+            for (let i = 0; i < a.length; i++) {
+                if (!this.valuesEqual(a[i], b[i])) {
+                    return false;
+                }
+            }
+            return true;
+        }
+        // Objects
+        if (typeof a === "object" && typeof b === "object") {
+            const aKeys = Object.keys(a);
+            const bKeys = Object.keys(b);
+            if (aKeys.length !== bKeys.length)
+                return false;
+            for (const key of aKeys) {
+                if (!Object.prototype.hasOwnProperty.call(b, key))
+                    return false;
+                const aRecord = a;
+                const bRecord = b;
+                if (!this.valuesEqual(aRecord[key], bRecord[key])) {
+                    return false;
+                }
+            }
+            return true;
+        }
+        return false;
+    }
+}
+/**
+ * Evaluates an AST as a boolean condition.
+ *
+ * @param ast - The AST to evaluate
+ * @param context - The evaluation context with bindings
+ * @returns true if the condition is met, false otherwise (including errors)
+ */
+function evaluateAsBoolean(ast, context) {
+    try {
+        const evaluator = new Evaluator(context);
+        const value = evaluator.evaluateAsBoolean(ast);
+        return { value };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return { value: false, error: message };
+    }
+}
+/**
+ * Authorization-specific expression built-ins.
+ *
+ * Null handling semantics:
+ * - Scope predicate builtins (has_scope, has_any_scope, has_all_scopes)
+ *   return `false` when passed `null` for required args.
+ * - Wrong non-null types still raise BuiltinError to surface real bugs.
+ */
+/**
+ * Checks if a value is null.
+ */
+function isNull(value) {
+    return value === null;
+}
+/**
+ * Creates a function registry with auth helpers installed.
+ */
+function createAuthFunctionRegistry(grantedScopes = []) {
+    const scopes = grantedScopes ?? [];
+    /**
+     * Checks if any granted scope matches a pattern (using glob syntax).
+     */
+    const matchesScope = (scope) => {
+        // Exact match for now; safe and deterministic.
+        return scopes.includes(scope);
+    };
+    /**
+     * has_scope(scope: string) -> bool
+     *
+     * Returns true if the scope is in the granted scopes.
+     * Null-tolerant: returns false if scope is null.
+     */
+    const has_scope = (args) => {
+        assertArgCount(args, 1, "has_scope");
+        const scope = getArg(args, 0, "has_scope");
+        // Null-tolerant: return false if scope is null
+        if (!assertStringOrNull(scope, "scope", "has_scope"))
+            return false;
+        return matchesScope(scope);
+    };
+    /**
+     * has_any_scope(scopes: string[]) -> bool
+     *
+     * Returns true if any scope in the array is in the granted scopes.
+     * Null-tolerant: returns false if scopes is null.
+     */
+    const has_any_scope = (args) => {
+        assertArgCount(args, 1, "has_any_scope");
+        const values = getArg(args, 0, "has_any_scope");
+        // Null-tolerant: return false if scopes is null
+        if (!assertStringArrayOrNull(values, "scopes", "has_any_scope"))
+            return false;
+        if (values.length === 0) {
+            return false;
+        }
+        return values.some((scope) => matchesScope(scope));
+    };
+    /**
+     * has_all_scopes(scopes: string[]) -> bool
+     *
+     * Returns true if all scopes in the array are in the granted scopes.
+     * Null-tolerant: returns false if scopes is null.
+     */
+    const has_all_scopes = (args) => {
+        assertArgCount(args, 1, "has_all_scopes");
+        const values = getArg(args, 0, "has_all_scopes");
+        // Null-tolerant: return false if scopes is null
+        if (!assertStringArrayOrNull(values, "scopes", "has_all_scopes"))
+            return false;
+        if (values.length === 0) {
+            return true;
+        }
+        return values.every((scope) => matchesScope(scope));
+    };
+    return new Map([
+        ...BUILTIN_FUNCTIONS,
+        ["has_scope", has_scope],
+        ["has_any_scope", has_any_scope],
+        ["has_all_scopes", has_all_scopes],
+    ]);
+}
+/**
+ * Asserts that a non-null value is a string (for null-tolerant predicates).
+ * Returns false if the value is null (indicating predicate should return false).
+ * Throws BuiltinError if the value is non-null but not a string.
+ */
+function assertStringOrNull(value, argName, functionName) {
+    if (isNull(value)) {
+        return false;
+    }
+    if (typeof value !== "string") {
+        throw new BuiltinError(functionName, `${argName} must be a string, got ${getTypeName(value)}`);
+    }
+    return true;
+}
+/**
+ * Asserts that a non-null value is an array of strings (for null-tolerant predicates).
+ * Returns false if the value is null (indicating predicate should return false).
+ * Throws BuiltinError if the value is non-null but not a string array.
+ */
+function assertStringArrayOrNull(value, argName, functionName) {
+    if (isNull(value)) {
+        return false;
+    }
+    if (!Array.isArray(value)) {
+        throw new BuiltinError(functionName, `${argName} must be an array of strings, got ${getTypeName(value)}`);
+    }
+    for (let i = 0; i < value.length; i++) {
+        if (typeof value[i] !== "string") {
+            throw new BuiltinError(functionName, `${argName}[${i}] must be a string, got ${getTypeName(value[i])}`);
+        }
+    }
+    return true;
+}
+function getArg(args, index, functionName) {
+    const value = args[index];
+    if (value === undefined) {
+        throw new BuiltinError(functionName, `missing argument at index ${index}`);
+    }
+    return value;
+}
+function assertArgCount(args, expected, functionName) {
+    if (args.length !== expected) {
+        throw new BuiltinError(functionName, `expected ${expected} argument(s), got ${args.length}`);
+    }
+}
+/**
+ * Expression-based authorization policy implementation.
+ *
+ * Extends the basic policy with support for `when` expression evaluation.
+ * This is part of the BSL-licensed Advanced Security package.
+ */
+/**
+ * Simple console logger implementation.
+ */
+const defaultLogger = {
+    debug: () => { },
+    warning: (event, data) => {
+        console.warn(`[naylence.security.auth.policy.expression] ${event}`, data);
+    },
+};
+/**
+ * Extracts the target address string from the envelope.
+ */
+function extractAddress(envelope) {
+    const to = envelope.to;
+    if (!to) {
+        return undefined;
+    }
+    if (typeof to === "string") {
+        return to;
+    }
+    if (typeof to === "object" && "toString" in to) {
+        return to.toString();
+    }
+    return undefined;
+}
+/**
+ * Extracts granted scopes from the authorization context.
+ */
+function extractGrantedScopes(context) {
+    const authContext = context?.security?.authorization;
+    if (!authContext) {
+        return [];
+    }
+    if (Array.isArray(authContext.grantedScopes)) {
+        return authContext.grantedScopes;
+    }
+    const claims = authContext.claims;
+    if (claims) {
+        const scopeClaim = claims.scope ?? claims.scopes ?? claims.scp;
+        if (typeof scopeClaim === "string") {
+            return scopeClaim.split(/\s+/).filter((s) => s.length > 0);
+        }
+        if (Array.isArray(scopeClaim)) {
+            return scopeClaim.filter((s) => typeof s === "string");
+        }
+    }
+    return [];
+}
+/**
+ * Extracts claims from the authorization context.
+ */
+function extractClaims(context) {
+    const authContext = context?.security?.authorization;
+    if (!authContext?.claims) {
+        return {};
+    }
+    return authContext.claims;
+}
+/**
+ * Creates a safe envelope subset for expression bindings.
+ */
+function createEnvelopeBindings(envelope) {
+    const frame = envelope.frame;
+    const envelopeRecord = envelope;
+    return {
+        id: envelope.id ?? null,
+        traceId: envelopeRecord.traceId ?? null,
+        corrId: envelopeRecord.corrId ?? null,
+        flowId: envelopeRecord.flowId ?? null,
+        to: extractAddress(envelope) ?? null,
+        frame: frame
+            ? { type: frame.type ?? null }
+            : { type: null },
+    };
+}
+/**
+ * Creates delivery context bindings for expression evaluation.
+ */
+function createDeliveryBindings(context, action) {
+    return {
+        origin_type: context?.originType ?? null,
+        routing_action: action,
+    };
+}
+/**
+ * Expression-based authorization policy that evaluates rules with `when` expressions.
+ *
+ * Features:
+ * - All features of BasicAuthorizationPolicy
+ * - Expression evaluation for `when` clauses
+ * - Deterministic, side-effect-free evaluation
+ * - Missing fields evaluate to null (not error)
+ * - Parse/evaluation errors cause rule to not match
+ */
+class AdvancedAuthorizationPolicy {
+    constructor(options) {
+        const { policyDefinition, warnOnUnknownFields = true, expressionLimits = DEFAULT_EXPRESSION_LIMITS, logger = defaultLogger, } = options;
+        this.expressionLimits = expressionLimits;
+        this.logger = logger;
+        // Validate and extract default effect
+        this.defaultEffect = this.validateDefaultEffect(policyDefinition.default_effect);
+        // Warn about unknown policy fields
+        if (warnOnUnknownFields) {
+            this.warnUnknownPolicyFields(policyDefinition);
+        }
+        // Compile rules for efficient evaluation
+        this.compiledRules = this.compileRules(policyDefinition.rules, warnOnUnknownFields);
+        this.logger.debug("expression_policy_compiled", {
+            defaultEffect: this.defaultEffect,
+            ruleCount: this.compiledRules.length,
+            rulesWithWhen: this.compiledRules.filter((r) => r.whenAst).length,
+        });
+    }
+    /**
+     * Evaluates the policy against a request.
+     */
+    async evaluateRequest(_node, envelope, context, action) {
+        const resolvedAction = action ?? "*";
+        const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
+        const address = extractAddress(envelope);
+        const grantedScopes = extractGrantedScopes(context);
+        const rawFrameType = envelope.frame
+            ?.type;
+        const frameTypeNormalized = typeof rawFrameType === "string" && rawFrameType.trim().length > 0
+            ? rawFrameType.trim().toLowerCase()
+            : "";
+        const rawOriginType = context?.originType;
+        const originTypeNormalized = typeof rawOriginType === "string"
+            ? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
+            : undefined;
+        // Prepare expression bindings (lazy)
+        let expressionBindings = null;
+        let functionRegistry = null;
+        const evaluationTrace = [];
+        // Evaluate rules in order (first match wins)
+        for (const rule of this.compiledRules) {
+            const step = {
+                ruleId: rule.id,
+                result: false,
+            };
+            // Check frame type match
+            if (rule.frameTypes) {
+                if (!frameTypeNormalized) {
+                    step.expression = "frame_type: missing";
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!rule.frameTypes.has(frameTypeNormalized)) {
+                    step.expression = `frame_type: ${rawFrameType ?? "unknown"} not in rule set`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check origin type match
+            if (rule.originTypes) {
+                if (originTypeNormalized === undefined) {
+                    step.expression = "origin_type: missing (rule requires origin)";
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!rule.originTypes.has(originTypeNormalized)) {
+                    step.expression = `origin_type: ${rawOriginType ?? "unknown"} not in [${Array.from(rule.originTypes).join(", ")}]`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check action match
+            if (!rule.actions.has("*") && !rule.actions.has(resolvedActionNormalized)) {
+                step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(", ")}]`;
+                step.result = false;
+                evaluationTrace.push(step);
+                continue;
+            }
+            // Check address match
+            if (rule.addressPatterns) {
+                if (!address) {
+                    step.expression = "address: pattern requires address, but none provided";
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                const matched = rule.addressPatterns.some((p) => p.match(address));
+                if (!matched) {
+                    const patterns = rule.addressPatterns.map((p) => p.source).join(", ");
+                    step.expression = `address: none of [${patterns}] matched ${address}`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check scope match
+            if (rule.scopeMatcher) {
+                if (!rule.scopeMatcher(grantedScopes)) {
+                    step.expression = "scope: requirement not satisfied";
+                    step.boundValues = { grantedScopes: [...grantedScopes] };
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check when expression
+            if (rule.whenParseError) {
+                // Parse error - rule does not match
+                step.expression = `when: parse error - ${rule.whenParseError}`;
+                step.result = false;
+                evaluationTrace.push(step);
+                continue;
+            }
+            if (rule.whenAst) {
+                // Lazy initialization of expression bindings
+                if (!expressionBindings) {
+                    expressionBindings = {
+                        claims: extractClaims(context),
+                        envelope: createEnvelopeBindings(envelope),
+                        delivery: createDeliveryBindings(context, resolvedAction),
+                        time: {
+                            now_ms: Date.now(),
+                            now_iso: new Date().toISOString(),
+                        },
+                    };
+                }
+                const functions = functionRegistry ?? createAuthFunctionRegistry(grantedScopes);
+                functionRegistry = functions;
+                const evalContext = {
+                    bindings: expressionBindings,
+                    limits: this.expressionLimits,
+                    source: rule.whenSource,
+                    functions,
+                };
+                const whenResult = evaluateAsBoolean(rule.whenAst, evalContext);
+                if (whenResult.error) {
+                    // Evaluation error - rule does not match
+                    step.expression = `when: evaluation error - ${whenResult.error}`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!whenResult.value) {
+                    // Expression evaluated to false
+                    step.expression = `when: expression evaluated to false`;
+                    step.boundValues = {
+                        whenExpression: rule.whenSource,
+                    };
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                // Expression evaluated to true
+                step.expression = `when: expression evaluated to true`;
+            }
+            // Rule matched
+            step.result = true;
+            if (!step.expression) {
+                step.expression = "all conditions matched";
+            }
+            step.boundValues = {
+                action: resolvedAction,
+                address,
+                grantedScopes: [...grantedScopes],
+                ...(rule.whenSource ? { whenExpression: rule.whenSource } : {}),
+            };
+            evaluationTrace.push(step);
+            this.logger.debug("rule_matched", {
+                ruleId: rule.id,
+                effect: rule.effect,
+                action: resolvedAction,
+                address,
+                hadWhenClause: Boolean(rule.whenAst),
+            });
+            return {
+                effect: rule.effect,
+                reason: rule.description ?? `Matched rule: ${rule.id}`,
+                matchedRule: rule.id,
+                evaluationTrace,
+            };
+        }
+        // No rule matched, apply default effect
+        this.logger.debug("no_rule_matched", {
+            defaultEffect: this.defaultEffect,
+            action: resolvedAction,
+            address,
+        });
+        return {
+            effect: this.defaultEffect,
+            reason: `No rule matched, applying default effect: ${this.defaultEffect}`,
+            evaluationTrace,
+        };
+    }
+    validateDefaultEffect(effect) {
+        if (effect === undefined || effect === null) {
+            return "deny";
+        }
+        if (effect !== "allow" && effect !== "deny") {
+            throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
+        }
+        return effect;
+    }
+    warnUnknownPolicyFields(definition) {
+        for (const key of Object.keys(definition)) {
+            if (!KNOWN_POLICY_FIELDS.has(key)) {
+                this.logger.warning("unknown_policy_field", { field: key });
+            }
+        }
+    }
+    compileRules(rules, warnOnUnknown) {
+        return rules.map((rule, index) => this.compileRule(rule, index, warnOnUnknown));
+    }
+    compileRule(rule, index, warnOnUnknown) {
+        const id = rule.id ?? `rule_${index}`;
+        // Validate effect
+        if (!VALID_EFFECTS.includes(rule.effect)) {
+            throw new Error(`Invalid effect in rule "${id}": "${String(rule.effect)}". Must be "allow" or "deny"`);
+        }
+        // Compile action(s)
+        const actions = this.compileActions(rule.action, id);
+        // Compile address patterns
+        const addressPatterns = this.compileAddress(rule.address, id);
+        // Compile frame type gating
+        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Compile origin type gating
+        const originTypes = this.compileOriginTypes(rule.origin_type, id);
+        // Compile scope matcher
+        let scopeMatcher;
+        if (rule.scope !== undefined) {
+            try {
+                const compiled = compileGlobOnlyScopeRequirement(rule.scope, id);
+                scopeMatcher = (scopes) => compiled.evaluate(scopes);
+            }
+            catch (error) {
+                throw new Error(`Invalid scope requirement in rule "${id}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // Compile when expression
+        let whenAst;
+        let whenSource;
+        let whenParseError;
+        if (typeof rule.when === "string" && rule.when.trim().length > 0) {
+            whenSource = rule.when.trim();
+            try {
+                whenAst = parse(whenSource, this.expressionLimits);
+            }
+            catch (error) {
+                // Parse error - store for evaluation time
+                whenParseError =
+                    error instanceof Error ? error.message : String(error);
+                this.logger.warning("when_parse_error", {
+                    ruleId: id,
+                    expression: whenSource,
+                    error: whenParseError,
+                });
+            }
+        }
+        // Warn about unknown fields
+        if (warnOnUnknown) {
+            for (const key of Object.keys(rule)) {
+                if (!KNOWN_RULE_FIELDS.has(key)) {
+                    this.logger.warning("unknown_rule_field", { ruleId: id, field: key });
+                }
+            }
+        }
+        return {
+            id,
+            description: rule.description,
+            effect: rule.effect,
+            actions,
+            frameTypes,
+            originTypes,
+            addressPatterns,
+            scopeMatcher,
+            whenAst,
+            whenSource,
+            whenParseError,
+        };
+    }
+    compileActions(action, ruleId) {
+        if (action === undefined) {
+            return new Set(["*"]);
+        }
+        if (typeof action === "string") {
+            const normalized = this.normalizeActionToken(action);
+            if (!normalized) {
+                throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${VALID_ACTIONS.join(", ")}`);
+            }
+            return new Set([normalized]);
+        }
+        if (!Array.isArray(action)) {
+            throw new Error(`Invalid action in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (action.length === 0) {
+            throw new Error(`Invalid action in rule "${ruleId}": array must not be empty`);
+        }
+        const actions = new Set();
+        for (const a of action) {
+            if (typeof a !== "string") {
+                throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
+            }
+            const normalized = this.normalizeActionToken(a);
+            if (!normalized) {
+                throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${VALID_ACTIONS.join(", ")}`);
+            }
+            actions.add(normalized);
+        }
+        return actions;
+    }
+    compileAddress(address, ruleId) {
+        if (address === undefined) {
+            return undefined;
+        }
+        const context = `address in rule "${ruleId}"`;
+        if (typeof address === "string") {
+            const trimmed = address.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid address in rule "${ruleId}": value must not be empty`);
+            }
+            try {
+                return [compileGlobPattern(trimmed, context)];
+            }
+            catch (error) {
+                throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        if (!Array.isArray(address)) {
+            throw new Error(`Invalid address in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (address.length === 0) {
+            throw new Error(`Invalid address in rule "${ruleId}": array must not be empty`);
+        }
+        const patterns = [];
+        for (const addr of address) {
+            if (typeof addr !== "string") {
+                throw new Error(`Invalid address in rule "${ruleId}": all values must be strings`);
+            }
+            const trimmed = addr.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid address in rule "${ruleId}": values must not be empty`);
+            }
+            try {
+                patterns.push(compileGlobPattern(trimmed, context));
+            }
+            catch (error) {
+                throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        return patterns;
+    }
+    compileFrameTypes(frameType, ruleId) {
+        if (frameType === undefined) {
+            return undefined;
+        }
+        if (typeof frameType === "string") {
+            const normalized = frameType.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
+            }
+            return new Set([normalized]);
+        }
+        if (!Array.isArray(frameType)) {
+            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (frameType.length === 0) {
+            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
+        }
+        const frameTypes = new Set();
+        for (const ft of frameType) {
+            if (typeof ft !== "string") {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
+            }
+            const normalized = ft.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
+            }
+            frameTypes.add(normalized);
+        }
+        return frameTypes;
+    }
+    compileOriginTypes(originType, ruleId) {
+        if (originType === undefined) {
+            return undefined;
+        }
+        if (typeof originType === "string") {
+            const trimmed = originType.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
+            }
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${VALID_ORIGIN_TYPES.join(", ")}`);
+            }
+            return new Set([normalized]);
+        }
+        if (!Array.isArray(originType)) {
+            throw new Error(`Invalid origin_type in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (originType.length === 0) {
+            throw new Error(`Invalid origin_type in rule "${ruleId}": array must not be empty`);
+        }
+        const originTypes = new Set();
+        for (const ot of originType) {
+            if (typeof ot !== "string") {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
+            }
+            const trimmed = ot.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
+            }
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${VALID_ORIGIN_TYPES.join(", ")}`);
+            }
+            originTypes.add(normalized);
+        }
+        return originTypes;
+    }
+    normalizeActionToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        if (trimmed === "*") {
+            return "*";
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, "").toLowerCase();
+        const map = {
+            connect: "Connect",
+            forwardupstream: "ForwardUpstream",
+            forwarddownstream: "ForwardDownstream",
+            forwardpeer: "ForwardPeer",
+            deliverlocal: "DeliverLocal",
+        };
+        return map[normalized] ?? null;
+    }
+    normalizeOriginTypeToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, "").toLowerCase();
+        const map = {
+            downstream: "downstream",
+            upstream: "upstream",
+            peer: "peer",
+            local: "local",
+        };
+        return map[normalized] ?? null;
+    }
+}
+var advancedAuthorizationPolicy = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AdvancedAuthorizationPolicy: AdvancedAuthorizationPolicy
+});
+/**
+ * Factory for creating AdvancedAuthorizationPolicy instances.
+ */
+let modulePromise = null;
+function getModule() {
+    if (!modulePromise) {
+        modulePromise = Promise.resolve().then(function () { return advancedAuthorizationPolicy; });
+    }
+    return modulePromise;
+}
+function normalizeConfig$5(config) {
+    if (!config) {
+        throw new Error("AdvancedAuthorizationPolicyFactory requires a configuration with a policyDefinition");
+    }
+    const candidate = config;
+    // Support both camelCase and snake_case for policyDefinition
+    const policyDefinition = (candidate.policyDefinition ??
+        candidate.policy_definition);
+    if (!policyDefinition || typeof policyDefinition !== "object") {
+        throw new Error("AdvancedAuthorizationPolicyConfig requires a policyDefinition object");
+    }
+    // Support both camelCase and snake_case for warnOnUnknownFields
+    const warnOnUnknownFields = candidate.warnOnUnknownFields ?? candidate.warn_on_unknown_fields;
+    if (warnOnUnknownFields !== undefined &&
+        typeof warnOnUnknownFields !== "boolean") {
+        throw new Error("warnOnUnknownFields must be a boolean");
+    }
+    // Support both camelCase and snake_case for expressionLimits
+    const expressionLimits = (candidate.expressionLimits ??
+        candidate.expression_limits);
+    return {
+        policyDefinition,
+        warnOnUnknownFields: warnOnUnknownFields ?? true,
+        expressionLimits,
+    };
+}
+/**
+ * Factory metadata for registration.
+ */
+const FACTORY_META$e = {
+    base: AUTHORIZATION_POLICY_FACTORY_BASE_TYPE,
+    key: "AdvancedAuthorizationPolicy",
+};
+/**
+ * Factory for creating AdvancedAuthorizationPolicy instances.
+ */
+class AdvancedAuthorizationPolicyFactory extends AuthorizationPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "AdvancedAuthorizationPolicy";
+    }
+    /**
+     * Creates an AdvancedAuthorizationPolicy from the given configuration.
+     *
+     * @param config - Configuration with policyDefinition
+     * @returns The created authorization policy
+     */
+    async create(config) {
+        const normalized = normalizeConfig$5(config);
+        const { AdvancedAuthorizationPolicy } = await getModule();
+        return new AdvancedAuthorizationPolicy({
+            policyDefinition: normalized.policyDefinition,
+            warnOnUnknownFields: normalized.warnOnUnknownFields,
+            expressionLimits: normalized.expressionLimits,
+        });
+    }
+}
+var advancedAuthorizationPolicyFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AdvancedAuthorizationPolicyFactory: AdvancedAuthorizationPolicyFactory,
+    FACTORY_META: FACTORY_META$e,
+    default: AdvancedAuthorizationPolicyFactory
+});
 const logger$g = getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
 const OID_ED25519 = "1.3.101.112";
@@ -999,9 +3669,9 @@ function toHex(data) {
         .join("");
 }
 function buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints) {
-    const chainHash = toHex(sha256(chainBytes));
+    const chainHash = toHex(sha256$1(chainBytes));
     const trustHash = trustStorePem
-        ? toHex(sha256(textEncoder.encode(trustStorePem)))
+        ? toHex(sha256$1(textEncoder.encode(trustStorePem)))
         : "no-trust";
     const constraintFlag = enforceNameConstraints ? "nc1" : "nc0";
     return `${chainHash}|${trustHash}|${constraintFlag}`;
@@ -3485,7 +6155,7 @@ class DefaultSecureChannelManager {
     }
     deriveChannelKey(channelId, sharedSecret) {
         const info = utf8ToBytes(`fame-channel:${channelId}`);
-        return hkdf(sha256, sharedSecret, undefined, info, CHANNEL_KEY_LENGTH);
+        return hkdf(sha256$1, sharedSecret, undefined, info, CHANNEL_KEY_LENGTH);
     }
     createChannelState({ key, algorithm, }) {
         return {
@@ -7476,7 +10146,7 @@ function computeEarliestExpiry(roots) {
 function computeBundleVersion(roots) {
     const encoder = new TextEncoder();
     const serialized = roots.map((root) => root.pem).join("\n");
-    const digest = sha256$1(encoder.encode(serialized));
+    const digest = sha256$2(encoder.encode(serialized));
     const hex = Array.from(digest)
         .map((byte) => byte.toString(16).padStart(2, "0"))
         .join("");
@@ -8651,7 +11321,7 @@ function computeSpkiSha256(pem) {
             return null;
         }
         const der = new Uint8Array(publicKey.rawData);
-        const digest = sha256(der);
+        const digest = sha256$1(der);
         return toBase64Url(digest);
     }
     catch {
@@ -9104,7 +11774,7 @@ function normalizeRefreshInterval(value) {
     return Math.max(MIN_REFRESH_INTERVAL_MS, Math.floor(value));
 }
 function computeHash(payload) {
-    const digest = sha256(payload);
+    const digest = sha256$1(payload);
     return toBase64Url(digest);
 }
 function hexToBase64Url(hex) {
@@ -9124,7 +11794,7 @@ function bytesToUtf8(data) {
     return String.fromCharCode(...Array.from(data));
 }
 function computeCacheKey(value) {
-    const digest = sha256(new TextEncoder().encode(value));
+    const digest = sha256$1(new TextEncoder().encode(value));
     return Array.from(digest)
         .map((byte) => byte.toString(16).padStart(2, "0"))
         .join("");