@naylence/advanced-security 0.4.4 → 0.4.5

package/dist/node/node.mjs

@@ -1,6 +1,6 @@
 import { ExtensionManager, Expressions, Registry, AbstractResourceFactory, createResource, createDefaultResource } from '@naylence/factory';
 import { getLogger, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, registerProfile, SECURITY_MANAGER_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, VALID_EFFECTS, compileGlobOnlyScopeRequirement, KNOWN_RULE_FIELDS, VALID_ACTIONS, compileGlobPattern, VALID_ORIGIN_TYPES, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AuthorizationPolicyFactory, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TrustStoreProviderFactory as TrustStoreProviderFactory$1, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, formatTimestamp, AnsiColor, jsonDumps, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE as TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE$1, validateHostLogical } from '@naylence/runtime';
-import { sha256 } from '@noble/hashes/sha256';
+import { sha256 } from '@noble/hashes/sha2';
 import { generateFingerprintSync, localDeliveryContext, createFameEnvelope, FameAddress, generateId, formatAddress, SigningMaterial, DeliveryOriginType as DeliveryOriginType$1 } from '@naylence/core';
 import { AsnConvert, OctetString } from '@peculiar/asn1-schema';
 import { Certificate, id_ce_subjectAltName, SubjectAlternativeName, id_ce_nameConstraints, NameConstraints, Name, RelativeDistinguishedName, AttributeTypeAndValue, AttributeValue, SubjectPublicKeyInfo, GeneralName, Extensions, Extension, Attribute, AlgorithmIdentifier, TBSCertificate, Validity, Version, BasicConstraints, id_ce_basicConstraints, KeyUsageFlags, KeyUsage, id_ce_keyUsage, SubjectKeyIdentifier, id_ce_subjectKeyIdentifier, AuthorityKeyIdentifier, KeyIdentifier, id_ce_authorityKeyIdentifier, GeneralSubtrees, GeneralSubtree, ExtendedKeyUsage, id_kp_clientAuth, id_kp_serverAuth, id_ce_extKeyUsage } from '@peculiar/asn1-x509';
@@ -573,12 +573,12 @@ async function registerAdvancedSecurityFactories(registrar = Registry, options)
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.5
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.4';
+const VERSION = '0.4.5';
 
 async function registerAdvancedSecurityPluginFactories(registrar = Registry) {
     await registerAdvancedSecurityFactories(registrar, { includeExtras: true });
@@ -2557,8 +2557,86 @@ function evaluateAsBoolean(ast, context) {
  * Null handling semantics:
  * - Scope predicate builtins (has_scope, has_any_scope, has_all_scopes)
  *   return `false` when passed `null` for required args.
+ * - Security predicate builtins (is_signed, is_encrypted, is_encrypted_at_least)
+ *   return `false` when the envelope lacks the required security posture.
  * - Wrong non-null types still raise BuiltinError to surface real bugs.
  */
+/**
+ * Valid encryption levels for is_encrypted_at_least comparisons.
+ */
+const VALID_ENCRYPTION_LEVELS = [
+    "plaintext",
+    "channel",
+    "sealed",
+];
+/**
+ * Encryption level ordering for comparison.
+ * Higher number = stronger encryption.
+ */
+const ENCRYPTION_LEVEL_ORDER = {
+    plaintext: 0,
+    channel: 1,
+    sealed: 2,
+};
+/**
+ * Normalizes an encryption algorithm string to an EncryptionLevel.
+ *
+ * Mapping rules:
+ * - null/undefined => "plaintext" (no encryption present)
+ * - alg contains "-channel" => "channel" (e.g., "chacha20-poly1305-channel")
+ * - alg contains "-sealed" => "sealed" (explicit sealed marker)
+ * - alg matches ECDH-ES pattern with AEAD cipher => "sealed" (e.g., "ECDH-ES+A256GCM")
+ * - otherwise => "unknown"
+ *
+ * Currently supported algorithms:
+ * - Channel: "chacha20-poly1305-channel"
+ * - Sealed: "ECDH-ES+A256GCM"
+ *
+ * This helper is centralized to ensure consistent mapping across TS and Python.
+ */
+function normalizeEncryptionLevelFromAlg(alg) {
+    if (alg === null || alg === undefined) {
+        return "plaintext";
+    }
+    const algLower = alg.toLowerCase();
+    // Check for channel encryption (e.g., "chacha20-poly1305-channel")
+    // Must check before other patterns since channel suffix is explicit
+    if (algLower.includes("-channel")) {
+        return "channel";
+    }
+    // Check for explicit sealed marker
+    if (algLower.includes("-sealed")) {
+        return "sealed";
+    }
+    // ECDH-ES key agreement with AEAD cipher => sealed encryption
+    // Pattern: "ECDH-ES+A256GCM", "ECDH-ES+A128GCM", etc.
+    if (algLower.startsWith("ecdh-es") && algLower.includes("+a")) {
+        return "sealed";
+    }
+    return "unknown";
+}
+/**
+ * Creates security bindings from an envelope's sec header.
+ * Exposes only metadata, never raw values like sig.val or enc.val.
+ */
+function createSecurityBindings(sec) {
+    const sigPresent = sec?.sig !== undefined;
+    const encPresent = sec?.enc !== undefined;
+    return {
+        sig: {
+            present: sigPresent,
+            kid: sec?.sig?.kid ?? null,
+        },
+        enc: {
+            present: encPresent,
+            alg: sec?.enc?.alg ?? null,
+            kid: sec?.enc?.kid ?? null,
+            level: encPresent
+                ? normalizeEncryptionLevelFromAlg(sec?.enc?.alg ?? null)
+                : "plaintext",
+        },
+    };
+}
 /**
  * Checks if a value is null.
  */
@@ -2567,9 +2645,21 @@ function isNull(value) {
 }
 /**
  * Creates a function registry with auth helpers installed.
+ *
+ * This registry extends the base builtins with:
+ * - Scope builtins: has_scope, has_any_scope, has_all_scopes
+ * - Security builtins: is_signed, encryption_level, is_encrypted, is_encrypted_at_least
  */
-function createAuthFunctionRegistry(grantedScopes = []) {
-    const scopes = grantedScopes ?? [];
+function createAuthFunctionRegistry(grantedScopesOrOptions = []) {
+    // Handle both old signature (array) and new signature (options object)
+    const options = Array.isArray(grantedScopesOrOptions)
+        ? { grantedScopes: grantedScopesOrOptions }
+        : grantedScopesOrOptions;
+    const scopes = options.grantedScopes ?? [];
+    const secBindings = options.securityBindings ?? {
+        sig: { present: false, kid: null },
+        enc: { present: false, alg: null, kid: null, level: "plaintext" },
+    };
     /**
      * Checks if any granted scope matches a pattern (using glob syntax).
      */
@@ -2625,11 +2715,85 @@ function createAuthFunctionRegistry(grantedScopes = []) {
         }
         return values.every((scope) => matchesScope(scope));
     };
+    // ============================================================
+    // Security posture builtins
+    // ============================================================
+    /**
+     * is_signed() -> bool
+     *
+     * Returns true if the envelope has a signature present.
+     * No arguments required.
+     */
+    const is_signed = (args) => {
+        assertArgCount(args, 0, "is_signed");
+        return secBindings.sig.present;
+    };
+    /**
+     * encryption_level() -> string
+     *
+     * Returns the normalized encryption level: "plaintext" | "channel" | "sealed" | "unknown"
+     * No arguments required.
+     */
+    const encryption_level = (args) => {
+        assertArgCount(args, 0, "encryption_level");
+        return secBindings.enc.level;
+    };
+    /**
+     * is_encrypted() -> bool
+     *
+     * Returns true if the encryption level is not "plaintext".
+     * This means the envelope has some form of encryption (channel, sealed, or unknown).
+     * No arguments required.
+     */
+    const is_encrypted = (args) => {
+        assertArgCount(args, 0, "is_encrypted");
+        return secBindings.enc.level !== "plaintext";
+    };
+    /**
+     * is_encrypted_at_least(level: string) -> bool
+     *
+     * Returns true if the envelope's encryption level meets or exceeds the required level.
+     *
+     * Level ordering: plaintext < channel < sealed
+     *
+     * Special handling:
+     * - "unknown" encryption level does NOT satisfy "channel" or "sealed" (conservative)
+     * - "plaintext" is always satisfied (any envelope meets at least plaintext)
+     * - null argument => false (predicate-style)
+     * - invalid level string => BuiltinError
+     */
+    const is_encrypted_at_least = (args) => {
+        assertArgCount(args, 1, "is_encrypted_at_least");
+        const requiredLevel = getArg(args, 0, "is_encrypted_at_least");
+        // Null-tolerant: return false if level is null
+        if (!assertStringOrNull(requiredLevel, "level", "is_encrypted_at_least")) {
+            return false;
+        }
+        // Validate required level
+        if (!VALID_ENCRYPTION_LEVELS.includes(requiredLevel)) {
+            throw new BuiltinError("is_encrypted_at_least", `level must be one of: ${VALID_ENCRYPTION_LEVELS.join(", ")}; got "${requiredLevel}"`);
+        }
+        const currentLevel = secBindings.enc.level;
+        const requiredOrder = ENCRYPTION_LEVEL_ORDER[requiredLevel] ?? 0;
+        const currentOrder = ENCRYPTION_LEVEL_ORDER[currentLevel];
+        // If current level is "unknown", it only satisfies "plaintext"
+        if (currentOrder === undefined) {
+            // "unknown" is treated as NOT meeting channel/sealed requirements
+            return requiredOrder === 0; // Only plaintext is satisfied by unknown
+        }
+        return currentOrder >= requiredOrder;
+    };
     return new Map([
         ...BUILTIN_FUNCTIONS,
+        // Scope builtins
         ["has_scope", has_scope],
         ["has_any_scope", has_any_scope],
         ["has_all_scopes", has_all_scopes],
+        // Security posture builtins
+        ["is_signed", is_signed],
+        ["encryption_level", encryption_level],
+        ["is_encrypted", is_encrypted],
+        ["is_encrypted_at_least", is_encrypted_at_least],
     ]);
 }
 /**
@@ -2772,19 +2936,33 @@ function extractClaims(context) {
 }
 /**
  * Creates a safe envelope subset for expression bindings.
+ *
+ * Exposes:
+ * - id, sid, traceId, corrId, flowId, to
+ * - frame: { type }
+ * - sec: { sig: { present, kid }, enc: { present, alg, kid, level } }
+ *
+ * IMPORTANT: Does NOT expose raw security values (sig.val, enc.val).
  */
 function createEnvelopeBindings(envelope) {
     const frame = envelope.frame;
     const envelopeRecord = envelope;
+    const sec = envelopeRecord.sec;
+    const securityBindings = createSecurityBindings(sec);
     return {
-        id: envelope.id ?? null,
-        traceId: envelopeRecord.traceId ?? null,
-        corrId: envelopeRecord.corrId ?? null,
-        flowId: envelopeRecord.flowId ?? null,
-        to: extractAddress(envelope) ?? null,
-        frame: frame
-            ? { type: frame.type ?? null }
-            : { type: null },
+        bindings: {
+            id: envelope.id ?? null,
+            sid: envelopeRecord.sid ?? null,
+            traceId: envelopeRecord.traceId ?? null,
+            corrId: envelopeRecord.corrId ?? null,
+            flowId: envelopeRecord.flowId ?? null,
+            to: extractAddress(envelope) ?? null,
+            frame: frame
+                ? { type: frame.type ?? null }
+                : { type: null },
+            sec: securityBindings,
+        },
+        securityBindings,
     };
 }
 /**
@@ -2938,11 +3116,12 @@ class AdvancedAuthorizationPolicy {
                 continue;
             }
             if (rule.whenAst) {
-                // Lazy initialization of expression bindings
+                // Lazy initialization of expression bindings and security context
                 if (!expressionBindings) {
+                    const envelopeResult = createEnvelopeBindings(envelope);
                     expressionBindings = {
                         claims: extractClaims(context),
-                        envelope: createEnvelopeBindings(envelope),
+                        envelope: envelopeResult.bindings,
                         delivery: createDeliveryBindings(context, resolvedAction),
                         node: createNodeBindings(node),
                         time: {
@@ -2950,9 +3129,13 @@ class AdvancedAuthorizationPolicy {
                             now_iso: new Date().toISOString(),
                         },
                     };
+                    // Create function registry with security bindings for security builtins
+                    functionRegistry = createAuthFunctionRegistry({
+                        grantedScopes,
+                        securityBindings: envelopeResult.securityBindings,
+                    });
                 }
-                const functions = functionRegistry ?? createAuthFunctionRegistry(grantedScopes);
-                functionRegistry = functions;
+                const functions = functionRegistry;
                 const evalContext = {
                     bindings: expressionBindings,
                     limits: this.expressionLimits,
@@ -12999,4 +13182,4 @@ if (isNode && proc && proc.env) {
     }
 }
 
-export { FACTORY_META$f as ADVANCED_AUTHORIZATION_POLICY_FACTORY_META, FACTORY_META$a as ADVANCED_EDDSA_ENVELOPE_SIGNER_FACTORY_META, FACTORY_META$9 as ADVANCED_EDDSA_ENVELOPE_VERIFIER_FACTORY_META, FACTORY_META$5 as ADVANCED_WELCOME_FACTORY_META, AFTHelper, AFTLoadBalancerStickinessManager, AFTLoadBalancerStickinessManagerFactory, AFTReplicaStickinessManager, AFTReplicaStickinessManagerFactory, FACTORY_META$7 as AFT_LOAD_BALANCER_FACTORY_META, FACTORY_META$6 as AFT_REPLICA_FACTORY_META, AdvancedAuthorizationPolicy, AdvancedAuthorizationPolicyFactory, AdvancedEdDSAEnvelopeSignerFactory, AdvancedEdDSAEnvelopeVerifierFactory, AdvancedWelcomeService, AdvancedWelcomeServiceFactory, FACTORY_META$2 as BROWSER_TRUST_STORE_PROVIDER_FACTORY_META, BUILTIN_FUNCTIONS, BrowserTrustStoreProviderFactory, BuiltinError, CAService, CAServiceClient, CAServiceFactory, CASigningService, CA_SERVICE_FACTORY_BASE_TYPE, CertificateRequestError, CompositeEncryptionManager, CompositeEncryptionManagerFactory, FACTORY_META$4 as DEFAULT_CERTIFICATE_MANAGER_FACTORY_META, DEFAULT_EXPRESSION_LIMITS, FACTORY_META$c as DEFAULT_SECURE_CHANNEL_MANAGER_FACTORY_META, DEFAULT_STICKINESS_SECURITY_LEVEL, DefaultCAService, DefaultCAServiceFactory, DefaultCertificateManager, DefaultCertificateManagerFactory, DefaultSecureChannelManager, DefaultSecureChannelManagerFactory, ENV_FAME_CA_CERT_FILE, ENV_FAME_CA_CERT_PEM, ENV_FAME_CA_KEY_FILE, ENV_FAME_CA_KEY_PEM, ENV_FAME_INTERMEDIATE_CHAIN_FILE, ENV_FAME_INTERMEDIATE_CHAIN_PEM, ENV_FAME_SIGNING_CERT_FILE, ENV_FAME_SIGNING_CERT_PEM, ENV_FAME_SIGNING_KEY_FILE, ENV_FAME_SIGNING_KEY_PEM, FACTORY_META$3 as ENV_TRUST_STORE_PROVIDER_FACTORY_META, ENV_VAR_FAME_CA_SERVICE_URL, EdDSAEnvelopeVerifier, EnvTrustStoreProviderFactory, EvaluationError, Evaluator, ExpressionError, GRANT_PURPOSE_CA_SIGN, LOGICALS_OID, LimitExceededError, NODE_ID_OID, NoAFTSigner, NullTrustStoreProvider, PROFILE_NAME_STRICT_OVERLAY, ParseError, Parser, SID_OID, SidOnlyAFTVerifier, SignedAFTSigner, SignedOptionalAFTVerifier, StickinessMode, StrictAFTVerifier, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, Tokenizer, TokenizerError, TrustStoreProviderFactory, TypeError, UnsignedAFTSigner, VERSION, X5CKeyManager, X5CKeyManagerFactory, FACTORY_META$8 as X5C_KEY_MANAGER_FACTORY_META, __advancedSecurityPluginLoader, astToString, base64UrlDecode, base64UrlEncode, calculateAstDepth, callBuiltin, index as channelEncryption, checkArrayLength, checkAstDepth, checkAstNodeCount, checkExpressionLength, checkFunctionArgCount, checkGlobPatternLength, checkRegexPatternLength, countAstNodes, createAftHelper, createAftPayload, createAftReplicaStickinessManager, createAftSigner, createAftVerifier, createAuthFunctionRegistry, createEd25519Csr, createEd25519CsrFromPem, createTestCA, evaluate, evaluateAsBoolean, extractCertificateInfo, extractLogicalHostsFromCert, extractNodeIdFromCert, extractSidFromCert, extractSidFromSpiffeId, extractSpiffeIdFromCert, formatCertificateInfo, getTypeName, isBuiltinFunction, normalizeJsValue, normalizeStickinessMode, parse, publicKeyFromX5c, registerAdvancedSecurityFactories, index$1 as sealedEncryption, serializeAftClaims, serializeAftHeader, tokenize, utf8Decode, validateJwkX5cCertificate, verifyCertSidIntegrity };
+export { FACTORY_META$f as ADVANCED_AUTHORIZATION_POLICY_FACTORY_META, FACTORY_META$a as ADVANCED_EDDSA_ENVELOPE_SIGNER_FACTORY_META, FACTORY_META$9 as ADVANCED_EDDSA_ENVELOPE_VERIFIER_FACTORY_META, FACTORY_META$5 as ADVANCED_WELCOME_FACTORY_META, AFTHelper, AFTLoadBalancerStickinessManager, AFTLoadBalancerStickinessManagerFactory, AFTReplicaStickinessManager, AFTReplicaStickinessManagerFactory, FACTORY_META$7 as AFT_LOAD_BALANCER_FACTORY_META, FACTORY_META$6 as AFT_REPLICA_FACTORY_META, AdvancedAuthorizationPolicy, AdvancedAuthorizationPolicyFactory, AdvancedEdDSAEnvelopeSignerFactory, AdvancedEdDSAEnvelopeVerifierFactory, AdvancedWelcomeService, AdvancedWelcomeServiceFactory, FACTORY_META$2 as BROWSER_TRUST_STORE_PROVIDER_FACTORY_META, BUILTIN_FUNCTIONS, BrowserTrustStoreProviderFactory, BuiltinError, CAService, CAServiceClient, CAServiceFactory, CASigningService, CA_SERVICE_FACTORY_BASE_TYPE, CertificateRequestError, CompositeEncryptionManager, CompositeEncryptionManagerFactory, FACTORY_META$4 as DEFAULT_CERTIFICATE_MANAGER_FACTORY_META, DEFAULT_EXPRESSION_LIMITS, FACTORY_META$c as DEFAULT_SECURE_CHANNEL_MANAGER_FACTORY_META, DEFAULT_STICKINESS_SECURITY_LEVEL, DefaultCAService, DefaultCAServiceFactory, DefaultCertificateManager, DefaultCertificateManagerFactory, DefaultSecureChannelManager, DefaultSecureChannelManagerFactory, ENV_FAME_CA_CERT_FILE, ENV_FAME_CA_CERT_PEM, ENV_FAME_CA_KEY_FILE, ENV_FAME_CA_KEY_PEM, ENV_FAME_INTERMEDIATE_CHAIN_FILE, ENV_FAME_INTERMEDIATE_CHAIN_PEM, ENV_FAME_SIGNING_CERT_FILE, ENV_FAME_SIGNING_CERT_PEM, ENV_FAME_SIGNING_KEY_FILE, ENV_FAME_SIGNING_KEY_PEM, FACTORY_META$3 as ENV_TRUST_STORE_PROVIDER_FACTORY_META, ENV_VAR_FAME_CA_SERVICE_URL, EdDSAEnvelopeVerifier, EnvTrustStoreProviderFactory, EvaluationError, Evaluator, ExpressionError, GRANT_PURPOSE_CA_SIGN, LOGICALS_OID, LimitExceededError, NODE_ID_OID, NoAFTSigner, NullTrustStoreProvider, PROFILE_NAME_STRICT_OVERLAY, ParseError, Parser, SID_OID, SidOnlyAFTVerifier, SignedAFTSigner, SignedOptionalAFTVerifier, StickinessMode, StrictAFTVerifier, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, Tokenizer, TokenizerError, TrustStoreProviderFactory, TypeError, UnsignedAFTSigner, VERSION, X5CKeyManager, X5CKeyManagerFactory, FACTORY_META$8 as X5C_KEY_MANAGER_FACTORY_META, __advancedSecurityPluginLoader, astToString, base64UrlDecode, base64UrlEncode, calculateAstDepth, callBuiltin, index as channelEncryption, checkArrayLength, checkAstDepth, checkAstNodeCount, checkExpressionLength, checkFunctionArgCount, checkGlobPatternLength, checkRegexPatternLength, countAstNodes, createAftHelper, createAftPayload, createAftReplicaStickinessManager, createAftSigner, createAftVerifier, createAuthFunctionRegistry, createEd25519Csr, createEd25519CsrFromPem, createSecurityBindings, createTestCA, evaluate, evaluateAsBoolean, extractCertificateInfo, extractLogicalHostsFromCert, extractNodeIdFromCert, extractSidFromCert, extractSidFromSpiffeId, extractSpiffeIdFromCert, formatCertificateInfo, getTypeName, isBuiltinFunction, normalizeEncryptionLevelFromAlg, normalizeJsValue, normalizeStickinessMode, parse, publicKeyFromX5c, registerAdvancedSecurityFactories, index$1 as sealedEncryption, serializeAftClaims, serializeAftHeader, tokenize, utf8Decode, validateJwkX5cCertificate, verifyCertSidIntegrity };

package/dist/types/naylence/fame/security/auth/policy/advanced-authorization-policy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"advanced-authorization-policy.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/advanced-authorization-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EACb,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EAErB,6BAA6B,EAE7B,UAAU,EAGX,MAAM,mBAAmB,CAAC;AAY3B;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,ySAmBpB,CAAC;AAEX,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAQlD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAIhE;;GAEG;AACH,UAAU,MAAM;IACd,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC3D,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC9D;AA4JD;;GAEG;AACH,MAAM,WAAW,kCAAkC;IACjD;;OAEG;IACH,gBAAgB,EAAE,6BAA6B,CAAC;IAEhD;;;OAGG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAE9B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;GASG;AACH,qBAAa,2BAA4B,YAAW,mBAAmB;IACrE,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAmB;IACjD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA2B;IACzD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;IACpD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAEpB,OAAO,EAAE,kCAAkC;IAkCvD;;OAEG;IACG,eAAe,CACnB,IAAI,EAAE,QAAQ,EACd,QAAQ,EAAE,YAAY,EACtB,OAAO,CAAC,EAAE,mBAAmB,EAC7B,MAAM,CAAC,EAAE,UAAU,GAClB,OAAO,CAAC,qBAAqB,CAAC;IA8MjC,OAAO,CAAC,qBAAqB;IAY7B,OAAO,CAAC,uBAAuB;IAU/B,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,WAAW;IAuFnB,OAAO,CAAC,cAAc;IAiDtB,OAAO,CAAC,cAAc;IA+DtB,OAAO,CAAC,iBAAiB;IA6DzB,OAAO,CAAC,kBAAkB;IA6D1B,OAAO,CAAC,oBAAoB;IAmB5B,OAAO,CAAC,wBAAwB;CAcjC"}
+{"version":3,"file":"advanced-authorization-policy.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/advanced-authorization-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EACb,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EAErB,6BAA6B,EAE7B,UAAU,EAGX,MAAM,mBAAmB,CAAC;AAY3B;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,ySAmBpB,CAAC;AAEX,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAQlD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAQhE;;GAEG;AACH,UAAU,MAAM;IACd,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC3D,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC9D;AA6KD;;GAEG;AACH,MAAM,WAAW,kCAAkC;IACjD;;OAEG;IACH,gBAAgB,EAAE,6BAA6B,CAAC;IAEhD;;;OAGG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAE9B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;GASG;AACH,qBAAa,2BAA4B,YAAW,mBAAmB;IACrE,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAmB;IACjD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA2B;IACzD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;IACpD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAEpB,OAAO,EAAE,kCAAkC;IAkCvD;;OAEG;IACG,eAAe,CACnB,IAAI,EAAE,QAAQ,EACd,QAAQ,EAAE,YAAY,EACtB,OAAO,CAAC,EAAE,mBAAmB,EAC7B,MAAM,CAAC,EAAE,UAAU,GAClB,OAAO,CAAC,qBAAqB,CAAC;IAmNjC,OAAO,CAAC,qBAAqB;IAY7B,OAAO,CAAC,uBAAuB;IAU/B,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,WAAW;IAuFnB,OAAO,CAAC,cAAc;IAiDtB,OAAO,CAAC,cAAc;IA+DtB,OAAO,CAAC,iBAAiB;IA6DzB,OAAO,CAAC,kBAAkB;IA6D1B,OAAO,CAAC,oBAAoB;IAmB5B,OAAO,CAAC,wBAAwB;CAcjC"}

package/dist/types/naylence/fame/security/auth/policy/expr-builtins.d.ts

@@ -4,11 +4,81 @@
  * Null handling semantics:
  * - Scope predicate builtins (has_scope, has_any_scope, has_all_scopes)
  *   return `false` when passed `null` for required args.
+ * - Security predicate builtins (is_signed, is_encrypted, is_encrypted_at_least)
+ *   return `false` when the envelope lacks the required security posture.
  * - Wrong non-null types still raise BuiltinError to surface real bugs.
  */
 import { type FunctionRegistry } from "../../../expr/index.js";
+/**
+ * Encryption level type for normalized security posture.
+ */
+export type EncryptionLevel = "plaintext" | "channel" | "sealed" | "unknown";
+/**
+ * Normalizes an encryption algorithm string to an EncryptionLevel.
+ *
+ * Mapping rules:
+ * - null/undefined => "plaintext" (no encryption present)
+ * - alg contains "-channel" => "channel" (e.g., "chacha20-poly1305-channel")
+ * - alg contains "-sealed" => "sealed" (explicit sealed marker)
+ * - alg matches ECDH-ES pattern with AEAD cipher => "sealed" (e.g., "ECDH-ES+A256GCM")
+ * - otherwise => "unknown"
+ *
+ * Currently supported algorithms:
+ * - Channel: "chacha20-poly1305-channel"
+ * - Sealed: "ECDH-ES+A256GCM"
+ *
+ * This helper is centralized to ensure consistent mapping across TS and Python.
+ */
+export declare function normalizeEncryptionLevelFromAlg(alg: string | null | undefined): EncryptionLevel;
+/**
+ * Security metadata bindings exposed to expressions.
+ * This is the shape of the `envelope.sec` binding.
+ */
+export interface SecurityBindings {
+    sig: {
+        present: boolean;
+        kid: string | null;
+    };
+    enc: {
+        present: boolean;
+        alg: string | null;
+        kid: string | null;
+        level: EncryptionLevel;
+    };
+}
+/**
+ * Creates security bindings from an envelope's sec header.
+ * Exposes only metadata, never raw values like sig.val or enc.val.
+ */
+export declare function createSecurityBindings(sec: {
+    sig?: {
+        kid?: string;
+    };
+    enc?: {
+        alg?: string;
+        kid?: string;
+    };
+} | undefined): SecurityBindings;
+/**
+ * Options for creating an auth function registry.
+ */
+export interface AuthFunctionRegistryOptions {
+    /**
+     * Granted scopes for scope checking builtins.
+     */
+    grantedScopes?: readonly string[];
+    /**
+     * Security bindings for security posture builtins.
+     * If not provided, is_signed returns false and encryption_level returns "plaintext".
+     */
+    securityBindings?: SecurityBindings;
+}
 /**
  * Creates a function registry with auth helpers installed.
+ *
+ * This registry extends the base builtins with:
+ * - Scope builtins: has_scope, has_any_scope, has_all_scopes
+ * - Security builtins: is_signed, encryption_level, is_encrypted, is_encrypted_at_least
  */
-export declare function createAuthFunctionRegistry(grantedScopes?: readonly string[]): FunctionRegistry;
+export declare function createAuthFunctionRegistry(grantedScopesOrOptions?: readonly string[] | AuthFunctionRegistryOptions): FunctionRegistry;
 //# sourceMappingURL=expr-builtins.d.ts.map

package/dist/types/naylence/fame/security/auth/policy/expr-builtins.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"expr-builtins.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/expr-builtins.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAKL,KAAK,gBAAgB,EACtB,MAAM,wBAAwB,CAAC;AAUhC;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,aAAa,GAAE,SAAS,MAAM,EAAO,GACpC,gBAAgB,CAiElB"}
+{"version":3,"file":"expr-builtins.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/expr-builtins.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAKL,KAAK,gBAAgB,EACtB,MAAM,wBAAwB,CAAC;AAGhC;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,WAAW,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;AAqB7E;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,+BAA+B,CAC7C,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC7B,eAAe,CAyBjB;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE;QACH,OAAO,EAAE,OAAO,CAAC;QACjB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;KACpB,CAAC;IACF,GAAG,EAAE;QACH,OAAO,EAAE,OAAO,CAAC;QACjB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;QACnB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;QACnB,KAAK,EAAE,eAAe,CAAC;KACxB,CAAC;CACH;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE;IAAE,GAAG,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAAC,GAAG,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAAG,SAAS,GAChF,gBAAgB,CAkBlB;AASD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C;;OAEG;IACH,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAElC;;;OAGG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CACxC,sBAAsB,GAAE,SAAS,MAAM,EAAE,GAAG,2BAAgC,GAC3E,gBAAgB,CAiKlB"}

package/dist/types/naylence/fame/security/auth/policy/index.d.ts

@@ -6,7 +6,7 @@
  *
  * @packageDocumentation
  */
-export { createAuthFunctionRegistry } from "./expr-builtins.js";
+export { createAuthFunctionRegistry, createSecurityBindings, normalizeEncryptionLevelFromAlg, type AuthFunctionRegistryOptions, type EncryptionLevel, type SecurityBindings, } from "./expr-builtins.js";
 export { AdvancedAuthorizationPolicy, type AdvancedAuthorizationPolicyOptions, } from "./advanced-authorization-policy.js";
 export { AdvancedAuthorizationPolicyFactory, FACTORY_META as ADVANCED_AUTHORIZATION_POLICY_FACTORY_META, type AdvancedAuthorizationPolicyConfig, } from "./advanced-authorization-policy-factory.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/types/naylence/fame/security/auth/policy/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAGhE,OAAO,EACL,2BAA2B,EAC3B,KAAK,kCAAkC,GACxC,MAAM,oCAAoC,CAAC;AAG5C,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,0CAA0C,EAC1D,KAAK,iCAAiC,GACvC,MAAM,4CAA4C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EACL,0BAA0B,EAC1B,sBAAsB,EACtB,+BAA+B,EAC/B,KAAK,2BAA2B,EAChC,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,2BAA2B,EAC3B,KAAK,kCAAkC,GACxC,MAAM,oCAAoC,CAAC;AAG5C,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,0CAA0C,EAC1D,KAAK,iCAAiC,GACvC,MAAM,4CAA4C,CAAC"}

package/dist/types/version.d.ts

@@ -2,5 +2,5 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.4.4";
+export declare const VERSION = "0.4.5";
 //# sourceMappingURL=version.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/advanced-security",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "type": "module",
   "description": "Advanced security utilities for the Naylence Fame runtime implemented in TypeScript.",
   "author": "Naylence Dev <naylencedev@gmail.com>",