@naylence/advanced-security 0.4.4 → 0.4.6

package/dist/node/index.cjs

@@ -8,7 +8,8 @@ var asn1X509 = require('@peculiar/asn1-x509');
 var ed25519 = require('@noble/ed25519');
 var sha2_js = require('@noble/hashes/sha2.js');
 var core = require('@naylence/core');
-var sha256 = require('@noble/hashes/sha256');
+var sha2 = require('@noble/hashes/sha2');
+var yaml = require('yaml');
 var chacha_js = require('@noble/ciphers/chacha.js');
 var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
@@ -18,12 +19,12 @@ var sha256_js = require('@noble/hashes/sha256.js');
 var x509 = require('@peculiar/x509');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.4';
+const VERSION = '0.4.6';
 
 /**
  * Abstract Syntax Tree (AST) node types for the expression language.
@@ -110,55 +111,6 @@ function calculateAstDepth(node) {
                 Math.max(calculateAstDepth(node.condition), calculateAstDepth(node.consequent), calculateAstDepth(node.alternate)));
     }
 }
-/**
- * Returns a human-readable representation of an AST node for debugging.
- */
-function astToString(node, indent = 0) {
-    const prefix = "  ".repeat(indent);
-    switch (node.type) {
-        case "StringLiteral":
-            return `${prefix}String: "${node.value}"`;
-        case "NumberLiteral":
-            return `${prefix}Number: ${node.value}`;
-        case "BooleanLiteral":
-            return `${prefix}Boolean: ${node.value}`;
-        case "NullLiteral":
-            return `${prefix}Null`;
-        case "ArrayLiteral":
-            return (`${prefix}Array:\n` +
-                node.elements.map((e) => astToString(e, indent + 1)).join("\n"));
-        case "Identifier":
-            return `${prefix}Identifier: ${node.name}`;
-        case "MemberAccess":
-            return (`${prefix}MemberAccess: .${node.property}\n` +
-                astToString(node.object, indent + 1));
-        case "IndexAccess":
-            return (`${prefix}IndexAccess:\n` +
-                `${prefix}  object:\n` +
-                astToString(node.object, indent + 2) +
-                `\n${prefix}  index:\n` +
-                astToString(node.index, indent + 2));
-        case "FunctionCall":
-            return (`${prefix}FunctionCall: ${node.name}\n` +
-                node.args.map((a) => astToString(a, indent + 1)).join("\n"));
-        case "UnaryOp":
-            return (`${prefix}UnaryOp: ${node.operator}\n` +
-                astToString(node.operand, indent + 1));
-        case "BinaryOp":
-            return (`${prefix}BinaryOp: ${node.operator}\n` +
-                astToString(node.left, indent + 1) +
-                "\n" +
-                astToString(node.right, indent + 1));
-        case "TernaryOp":
-            return (`${prefix}TernaryOp:\n` +
-                `${prefix}  condition:\n` +
-                astToString(node.condition, indent + 2) +
-                `\n${prefix}  consequent:\n` +
-                astToString(node.consequent, indent + 2) +
-                `\n${prefix}  alternate:\n` +
-                astToString(node.alternate, indent + 2));
-    }
-}
 
 /**
  * Error types for the expression evaluation engine.
@@ -225,18 +177,6 @@ class TypeError extends EvaluationError {
         this.actual = actual;
     }
 }
-/**
- * Error thrown when expression limits are exceeded.
- */
-class LimitExceededError extends ExpressionError {
-    constructor(limitName, limit, actual) {
-        super(`Limit exceeded: ${limitName} (limit: ${limit}, actual: ${actual})`);
-        this.name = "LimitExceededError";
-        this.limitName = limitName;
-        this.limit = limit;
-        this.actual = actual;
-    }
-}
 /**
  * Error thrown when a built-in function encounters an error.
  */
@@ -1384,7 +1324,7 @@ const secure_hash = (args) => {
     }
     // Use generateFingerprintSync from @naylence/core
     // This provides SHA-256 hashing, base62 encoding, and profanity filtering
-    return core.generateFingerprintSync(input_str, length, sha256.sha256);
+    return core.generateFingerprintSync(input_str, length, sha2.sha256);
 };
 // ============================================================
 // Pattern Helpers (BSL-only)
@@ -1553,12 +1493,6 @@ function callBuiltin(name, args, context, functions = BUILTIN_FUNCTIONS) {
     }
     return fn(args, context);
 }
-/**
- * Checks if a name is a built-in function.
- */
-function isBuiltinFunction(name, functions = BUILTIN_FUNCTIONS) {
-    return functions.has(name);
-}
 
 /**
  * Expression evaluator.
@@ -1905,24 +1839,6 @@ class Evaluator {
         return false;
     }
 }
-/**
- * Evaluates an AST against a context and returns the result.
- *
- * @param ast - The AST to evaluate
- * @param context - The evaluation context with bindings
- * @returns The evaluation result
- */
-function evaluate(ast, context) {
-    try {
-        const evaluator = new Evaluator(context);
-        const value = evaluator.evaluate(ast);
-        return { value, success: true };
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        return { value: null, success: false, error: message };
-    }
-}
 /**
  * Evaluates an AST as a boolean condition.
  *
@@ -1948,8 +1864,86 @@ function evaluateAsBoolean(ast, context) {
  * Null handling semantics:
  * - Scope predicate builtins (has_scope, has_any_scope, has_all_scopes)
  *   return `false` when passed `null` for required args.
+ * - Security predicate builtins (is_signed, is_encrypted, is_encrypted_at_least)
+ *   return `false` when the envelope lacks the required security posture.
  * - Wrong non-null types still raise BuiltinError to surface real bugs.
  */
+/**
+ * Valid encryption levels for is_encrypted_at_least comparisons.
+ */
+const VALID_ENCRYPTION_LEVELS = [
+    "plaintext",
+    "channel",
+    "sealed",
+];
+/**
+ * Encryption level ordering for comparison.
+ * Higher number = stronger encryption.
+ */
+const ENCRYPTION_LEVEL_ORDER = {
+    plaintext: 0,
+    channel: 1,
+    sealed: 2,
+};
+/**
+ * Normalizes an encryption algorithm string to an EncryptionLevel.
+ *
+ * Mapping rules:
+ * - null/undefined => "plaintext" (no encryption present)
+ * - alg contains "-channel" => "channel" (e.g., "chacha20-poly1305-channel")
+ * - alg contains "-sealed" => "sealed" (explicit sealed marker)
+ * - alg matches ECDH-ES pattern with AEAD cipher => "sealed" (e.g., "ECDH-ES+A256GCM")
+ * - otherwise => "unknown"
+ *
+ * Currently supported algorithms:
+ * - Channel: "chacha20-poly1305-channel"
+ * - Sealed: "ECDH-ES+A256GCM"
+ *
+ * This helper is centralized to ensure consistent mapping across TS and Python.
+ */
+function normalizeEncryptionLevelFromAlg(alg) {
+    if (alg === null || alg === undefined) {
+        return "plaintext";
+    }
+    const algLower = alg.toLowerCase();
+    // Check for channel encryption (e.g., "chacha20-poly1305-channel")
+    // Must check before other patterns since channel suffix is explicit
+    if (algLower.includes("-channel")) {
+        return "channel";
+    }
+    // Check for explicit sealed marker
+    if (algLower.includes("-sealed")) {
+        return "sealed";
+    }
+    // ECDH-ES key agreement with AEAD cipher => sealed encryption
+    // Pattern: "ECDH-ES+A256GCM", "ECDH-ES+A128GCM", etc.
+    if (algLower.startsWith("ecdh-es") && algLower.includes("+a")) {
+        return "sealed";
+    }
+    return "unknown";
+}
+/**
+ * Creates security bindings from an envelope's sec header.
+ * Exposes only metadata, never raw values like sig.val or enc.val.
+ */
+function createSecurityBindings(sec) {
+    const sigPresent = sec?.sig !== undefined;
+    const encPresent = sec?.enc !== undefined;
+    return {
+        sig: {
+            present: sigPresent,
+            kid: sec?.sig?.kid ?? null,
+        },
+        enc: {
+            present: encPresent,
+            alg: sec?.enc?.alg ?? null,
+            kid: sec?.enc?.kid ?? null,
+            level: encPresent
+                ? normalizeEncryptionLevelFromAlg(sec?.enc?.alg ?? null)
+                : "plaintext",
+        },
+    };
+}
 /**
  * Checks if a value is null.
  */
@@ -1958,9 +1952,21 @@ function isNull(value) {
 }
 /**
  * Creates a function registry with auth helpers installed.
+ *
+ * This registry extends the base builtins with:
+ * - Scope builtins: has_scope, has_any_scope, has_all_scopes
+ * - Security builtins: is_signed, encryption_level, is_encrypted, is_encrypted_at_least
  */
-function createAuthFunctionRegistry(grantedScopes = []) {
-    const scopes = grantedScopes ?? [];
+function createAuthFunctionRegistry(grantedScopesOrOptions = []) {
+    // Handle both old signature (array) and new signature (options object)
+    const options = Array.isArray(grantedScopesOrOptions)
+        ? { grantedScopes: grantedScopesOrOptions }
+        : grantedScopesOrOptions;
+    const scopes = options.grantedScopes ?? [];
+    const secBindings = options.securityBindings ?? {
+        sig: { present: false},
+        enc: { level: "plaintext" },
+    };
     /**
      * Checks if any granted scope matches a pattern (using glob syntax).
      */
@@ -2016,11 +2022,85 @@ function createAuthFunctionRegistry(grantedScopes = []) {
         }
         return values.every((scope) => matchesScope(scope));
     };
+    // ============================================================
+    // Security posture builtins
+    // ============================================================
+    /**
+     * is_signed() -> bool
+     *
+     * Returns true if the envelope has a signature present.
+     * No arguments required.
+     */
+    const is_signed = (args) => {
+        assertArgCount(args, 0, "is_signed");
+        return secBindings.sig.present;
+    };
+    /**
+     * encryption_level() -> string
+     *
+     * Returns the normalized encryption level: "plaintext" | "channel" | "sealed" | "unknown"
+     * No arguments required.
+     */
+    const encryption_level = (args) => {
+        assertArgCount(args, 0, "encryption_level");
+        return secBindings.enc.level;
+    };
+    /**
+     * is_encrypted() -> bool
+     *
+     * Returns true if the encryption level is not "plaintext".
+     * This means the envelope has some form of encryption (channel, sealed, or unknown).
+     * No arguments required.
+     */
+    const is_encrypted = (args) => {
+        assertArgCount(args, 0, "is_encrypted");
+        return secBindings.enc.level !== "plaintext";
+    };
+    /**
+     * is_encrypted_at_least(level: string) -> bool
+     *
+     * Returns true if the envelope's encryption level meets or exceeds the required level.
+     *
+     * Level ordering: plaintext < channel < sealed
+     *
+     * Special handling:
+     * - "unknown" encryption level does NOT satisfy "channel" or "sealed" (conservative)
+     * - "plaintext" is always satisfied (any envelope meets at least plaintext)
+     * - null argument => false (predicate-style)
+     * - invalid level string => BuiltinError
+     */
+    const is_encrypted_at_least = (args) => {
+        assertArgCount(args, 1, "is_encrypted_at_least");
+        const requiredLevel = getArg(args, 0, "is_encrypted_at_least");
+        // Null-tolerant: return false if level is null
+        if (!assertStringOrNull(requiredLevel, "level", "is_encrypted_at_least")) {
+            return false;
+        }
+        // Validate required level
+        if (!VALID_ENCRYPTION_LEVELS.includes(requiredLevel)) {
+            throw new BuiltinError("is_encrypted_at_least", `level must be one of: ${VALID_ENCRYPTION_LEVELS.join(", ")}; got "${requiredLevel}"`);
+        }
+        const currentLevel = secBindings.enc.level;
+        const requiredOrder = ENCRYPTION_LEVEL_ORDER[requiredLevel] ?? 0;
+        const currentOrder = ENCRYPTION_LEVEL_ORDER[currentLevel];
+        // If current level is "unknown", it only satisfies "plaintext"
+        if (currentOrder === undefined) {
+            // "unknown" is treated as NOT meeting channel/sealed requirements
+            return requiredOrder === 0; // Only plaintext is satisfied by unknown
+        }
+        return currentOrder >= requiredOrder;
+    };
     return new Map([
         ...BUILTIN_FUNCTIONS,
+        // Scope builtins
         ["has_scope", has_scope],
         ["has_any_scope", has_any_scope],
         ["has_all_scopes", has_all_scopes],
+        // Security posture builtins
+        ["is_signed", is_signed],
+        ["encryption_level", encryption_level],
+        ["is_encrypted", is_encrypted],
+        ["is_encrypted_at_least", is_encrypted_at_least],
     ]);
 }
 /**
@@ -2163,19 +2243,33 @@ function extractClaims(context) {
 }
 /**
  * Creates a safe envelope subset for expression bindings.
+ *
+ * Exposes:
+ * - id, sid, traceId, corrId, flowId, to
+ * - frame: { type }
+ * - sec: { sig: { present, kid }, enc: { present, alg, kid, level } }
+ *
+ * IMPORTANT: Does NOT expose raw security values (sig.val, enc.val).
  */
 function createEnvelopeBindings(envelope) {
     const frame = envelope.frame;
     const envelopeRecord = envelope;
+    const sec = envelopeRecord.sec;
+    const securityBindings = createSecurityBindings(sec);
     return {
-        id: envelope.id ?? null,
-        traceId: envelopeRecord.traceId ?? null,
-        corrId: envelopeRecord.corrId ?? null,
-        flowId: envelopeRecord.flowId ?? null,
-        to: extractAddress(envelope) ?? null,
-        frame: frame
-            ? { type: frame.type ?? null }
-            : { type: null },
+        bindings: {
+            id: envelope.id ?? null,
+            sid: envelopeRecord.sid ?? null,
+            traceId: envelopeRecord.traceId ?? null,
+            corrId: envelopeRecord.corrId ?? null,
+            flowId: envelopeRecord.flowId ?? null,
+            to: extractAddress(envelope) ?? null,
+            frame: frame
+                ? { type: frame.type ?? null }
+                : { type: null },
+            sec: securityBindings,
+        },
+        securityBindings,
     };
 }
 /**
@@ -2329,11 +2423,12 @@ class AdvancedAuthorizationPolicy {
                 continue;
             }
             if (rule.whenAst) {
-                // Lazy initialization of expression bindings
+                // Lazy initialization of expression bindings and security context
                 if (!expressionBindings) {
+                    const envelopeResult = createEnvelopeBindings(envelope);
                     expressionBindings = {
                         claims: extractClaims(context),
-                        envelope: createEnvelopeBindings(envelope),
+                        envelope: envelopeResult.bindings,
                         delivery: createDeliveryBindings(context, resolvedAction),
                         node: createNodeBindings(node),
                         time: {
@@ -2341,9 +2436,13 @@ class AdvancedAuthorizationPolicy {
                             now_iso: new Date().toISOString(),
                         },
                     };
+                    // Create function registry with security bindings for security builtins
+                    functionRegistry = createAuthFunctionRegistry({
+                        grantedScopes,
+                        securityBindings: envelopeResult.securityBindings,
+                    });
                 }
-                const functions = functionRegistry ?? createAuthFunctionRegistry(grantedScopes);
-                functionRegistry = functions;
+                const functions = functionRegistry;
                 const evalContext = {
                     bindings: expressionBindings,
                     limits: this.expressionLimits,
@@ -2692,7 +2791,7 @@ function getModule() {
     }
     return modulePromise;
 }
-function normalizeConfig$5(config) {
+function normalizeConfig$6(config) {
     if (!config) {
         throw new Error("AdvancedAuthorizationPolicyFactory requires a configuration with a policyDefinition");
     }
@@ -2721,7 +2820,7 @@ function normalizeConfig$5(config) {
 /**
  * Factory metadata for registration.
  */
-const FACTORY_META$e = {
+const FACTORY_META$f = {
     base: runtime.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE,
     key: "AdvancedAuthorizationPolicy",
 };
@@ -2740,7 +2839,7 @@ class AdvancedAuthorizationPolicyFactory extends runtime.AuthorizationPolicyFact
      * @returns The created authorization policy
      */
     async create(config) {
-        const normalized = normalizeConfig$5(config);
+        const normalized = normalizeConfig$6(config);
         const { AdvancedAuthorizationPolicy } = await getModule();
         return new AdvancedAuthorizationPolicy({
             policyDefinition: normalized.policyDefinition,
@@ -2753,10 +2852,569 @@ class AdvancedAuthorizationPolicyFactory extends runtime.AuthorizationPolicyFact
 var advancedAuthorizationPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     AdvancedAuthorizationPolicyFactory: AdvancedAuthorizationPolicyFactory,
-    FACTORY_META: FACTORY_META$e,
+    FACTORY_META: FACTORY_META$f,
     default: AdvancedAuthorizationPolicyFactory
 });
 
+/**
+ * HTTP-based authorization policy source.
+ *
+ * Loads authorization policies from an HTTP endpoint supporting JSON or YAML.
+ * Supports bearer authentication via TokenProvider and HTTP caching via ETag.
+ *
+ * This is a Node.js-only implementation.
+ *
+ * @packageDocumentation
+ */
+const logger$i = runtime.getLogger("naylence.fame.security.auth.policy.http_authorization_policy_source");
+function isPlainObject(value) {
+    return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function parseJson(content) {
+    const parsed = JSON.parse(content);
+    if (!isPlainObject(parsed)) {
+        throw new Error("Parsed JSON policy must be an object");
+    }
+    return parsed;
+}
+function parseYamlContent(content) {
+    const parsed = yaml.parse(content ?? "");
+    if (parsed == null) {
+        return {};
+    }
+    if (!isPlainObject(parsed)) {
+        throw new Error("Parsed YAML policy must be an object");
+    }
+    return parsed;
+}
+/**
+ * Detect whether content is JSON or YAML based on Content-Type header.
+ * Falls back to sniffing the content if Content-Type is not definitive.
+ */
+function detectFormat(contentType, content) {
+    if (contentType) {
+        const lower = contentType.toLowerCase();
+        if (lower.includes("application/json") ||
+            lower.includes("text/json")) {
+            return "json";
+        }
+        if (lower.includes("application/yaml") ||
+            lower.includes("application/x-yaml") ||
+            lower.includes("text/yaml") ||
+            lower.includes("text/x-yaml")) {
+            return "yaml";
+        }
+    }
+    // Sniff by first non-whitespace character
+    const trimmed = content.trimStart();
+    if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+        return "json";
+    }
+    // Default to YAML
+    return "yaml";
+}
+/**
+ * Parse Cache-Control header to extract max-age value.
+ */
+function parseMaxAge(cacheControl) {
+    if (!cacheControl) {
+        return undefined;
+    }
+    const match = cacheControl.match(/max-age\s*=\s*(\d+)/i);
+    if (match && match[1]) {
+        const seconds = parseInt(match[1], 10);
+        if (Number.isFinite(seconds) && seconds >= 0) {
+            return seconds;
+        }
+    }
+    return undefined;
+}
+/**
+ * An authorization policy source that loads policy definitions from an HTTP endpoint.
+ *
+ * Supports JSON and YAML formats, bearer authentication via TokenProvider,
+ * and HTTP caching via ETag and Cache-Control headers.
+ *
+ * This is a Node.js-only implementation that uses fetch.
+ */
+class HttpAuthorizationPolicySource {
+    constructor(options) {
+        this.cachedState = null;
+        this.inflightFetch = null;
+        if (!options.url || typeof options.url !== "string") {
+            throw new Error("HttpAuthorizationPolicySource requires a valid URL");
+        }
+        this.url = options.url;
+        this.method = options.method ?? "GET";
+        this.timeoutMs = options.timeoutMs ?? 30000;
+        this.headers = { ...options.headers };
+        this.tokenProvider = options.tokenProvider;
+        this.bearerPrefix = options.bearerPrefix ?? "Bearer ";
+        this.policyFactoryConfig = options.policyFactory;
+        this.cacheTtlMs = options.cacheTtlMs ?? 300000; // 5 minutes default
+    }
+    /**
+     * Loads the authorization policy from the configured HTTP endpoint.
+     *
+     * Returns a cached policy if still fresh (based on TTL or cache headers).
+     * Multiple concurrent calls are de-duplicated (single-flight pattern).
+     *
+     * @returns The loaded authorization policy
+     */
+    async loadPolicy() {
+        // Return cached policy if still fresh
+        if (this.cachedState && this.isCacheFresh()) {
+            logger$i.debug("returning_cached_policy", {
+                url: this.url,
+                fetchedAt: this.cachedState.metadata.fetchedAt,
+                expiresAt: this.cachedState.metadata.expiresAt,
+            });
+            return this.cachedState.policy;
+        }
+        // De-duplicate concurrent requests
+        if (this.inflightFetch) {
+            return this.inflightFetch;
+        }
+        this.inflightFetch = this.fetchPolicy(false);
+        try {
+            return await this.inflightFetch;
+        }
+        finally {
+            this.inflightFetch = null;
+        }
+    }
+    /**
+     * Forces a reload of the policy from the HTTP endpoint.
+     *
+     * Bypasses cache freshness checks and always fetches from the server.
+     * If the fetch fails, the existing cached policy is preserved and the error is thrown.
+     *
+     * @returns The reloaded authorization policy
+     */
+    async reloadPolicy() {
+        // Clear inflight to force a new request
+        this.inflightFetch = null;
+        return this.fetchPolicy(true);
+    }
+    /**
+     * Clears the cached policy, forcing a fresh fetch on the next loadPolicy() call.
+     */
+    clearCache() {
+        this.cachedState = null;
+        this.inflightFetch = null;
+    }
+    /**
+     * Returns metadata about the last successful fetch.
+     *
+     * Useful for verification, monitoring, or debugging.
+     */
+    getMetadata() {
+        return this.cachedState?.metadata;
+    }
+    /**
+     * Returns the raw policy definition from the last successful fetch.
+     *
+     * Useful for verification or reprocessing.
+     */
+    getRawDefinition() {
+        return this.cachedState?.rawDefinition;
+    }
+    isCacheFresh() {
+        if (!this.cachedState) {
+            return false;
+        }
+        const now = Date.now();
+        const { expiresAt } = this.cachedState.metadata;
+        if (expiresAt !== undefined) {
+            return now < expiresAt;
+        }
+        // No expiration info, check against default TTL
+        const fetchedAt = this.cachedState.metadata.fetchedAt;
+        return now < fetchedAt + this.cacheTtlMs;
+    }
+    async fetchPolicy(forceRefresh) {
+        logger$i.debug("fetching_policy", {
+            url: this.url,
+            method: this.method,
+            forceRefresh,
+        });
+        const requestHeaders = {
+            Accept: "application/json, application/yaml, text/yaml, */*",
+            ...this.headers,
+        };
+        // Add bearer token if token provider is configured
+        if (this.tokenProvider) {
+            try {
+                const token = await this.tokenProvider.getToken();
+                if (token && token.value) {
+                    requestHeaders["Authorization"] = `${this.bearerPrefix}${token.value}`;
+                    logger$i.debug("added_bearer_token", { url: this.url });
+                }
+            }
+            catch (error) {
+                logger$i.warning("token_provider_failed", {
+                    url: this.url,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                // Continue without token - let the server decide if auth is required
+            }
+        }
+        // Add If-None-Match header for conditional request if we have a cached ETag
+        // and this is not a forced refresh
+        if (!forceRefresh && this.cachedState?.metadata.etag) {
+            requestHeaders["If-None-Match"] = this.cachedState.metadata.etag;
+        }
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+        try {
+            const response = await fetch(this.url, {
+                method: this.method,
+                headers: requestHeaders,
+                signal: controller.signal,
+            });
+            clearTimeout(timeoutId);
+            // Handle 304 Not Modified - return cached policy
+            if (response.status === 304 && this.cachedState) {
+                logger$i.debug("policy_not_modified", {
+                    url: this.url,
+                    etag: this.cachedState.metadata.etag,
+                });
+                // Update freshness timestamps
+                const now = Date.now();
+                const cacheControl = response.headers.get("Cache-Control");
+                const maxAgeSeconds = parseMaxAge(cacheControl);
+                const expiresAt = maxAgeSeconds !== undefined
+                    ? now + maxAgeSeconds * 1000
+                    : now + this.cacheTtlMs;
+                this.cachedState = {
+                    ...this.cachedState,
+                    metadata: {
+                        ...this.cachedState.metadata,
+                        fetchedAt: now,
+                        maxAgeSeconds,
+                        expiresAt,
+                    },
+                };
+                return this.cachedState.policy;
+            }
+            if (!response.ok) {
+                const errorMessage = `HTTP ${response.status}: ${response.statusText}`;
+                logger$i.error("policy_fetch_failed", {
+                    url: this.url,
+                    status: response.status,
+                    statusText: response.statusText,
+                });
+                // If we have a cached policy, preserve it and throw
+                if (this.cachedState) {
+                    throw new Error(`Failed to fetch policy from ${this.url}: ${errorMessage}. ` +
+                        "Using last known good policy.");
+                }
+                throw new Error(`Failed to fetch policy from ${this.url}: ${errorMessage}`);
+            }
+            // Parse the response
+            const contentType = response.headers.get("Content-Type");
+            const content = await response.text();
+            const format = detectFormat(contentType, content);
+            let policyDefinition;
+            try {
+                if (format === "json") {
+                    policyDefinition = parseJson(content);
+                }
+                else {
+                    policyDefinition = parseYamlContent(content);
+                }
+            }
+            catch (parseError) {
+                const message = parseError instanceof Error
+                    ? parseError.message
+                    : String(parseError);
+                logger$i.error("policy_parse_failed", {
+                    url: this.url,
+                    format,
+                    error: message,
+                });
+                // Preserve cached policy on parse failure
+                if (this.cachedState) {
+                    throw new Error(`Failed to parse policy from ${this.url}: ${message}. ` +
+                        "Using last known good policy.");
+                }
+                throw new Error(`Failed to parse policy from ${this.url}: ${message}`);
+            }
+            logger$i.debug("parsed_policy_definition", {
+                url: this.url,
+                format,
+                hasType: "type" in policyDefinition,
+            });
+            // Build the policy using the factory
+            const policy = await this.buildPolicy(policyDefinition);
+            // Update cache
+            const now = Date.now();
+            const etag = response.headers.get("ETag") ?? undefined;
+            const cacheControl = response.headers.get("Cache-Control");
+            const maxAgeSeconds = parseMaxAge(cacheControl);
+            const expiresAt = maxAgeSeconds !== undefined
+                ? now + maxAgeSeconds * 1000
+                : now + this.cacheTtlMs;
+            this.cachedState = {
+                policy,
+                rawDefinition: policyDefinition,
+                metadata: {
+                    url: this.url,
+                    status: response.status,
+                    etag,
+                    fetchedAt: now,
+                    maxAgeSeconds,
+                    expiresAt,
+                },
+            };
+            logger$i.info("loaded_policy_from_http", {
+                url: this.url,
+                status: response.status,
+                format,
+                etag,
+                maxAgeSeconds,
+            });
+            return policy;
+        }
+        catch (error) {
+            clearTimeout(timeoutId);
+            if (error instanceof Error && error.name === "AbortError") {
+                const timeoutError = new Error(`Request to ${this.url} timed out after ${this.timeoutMs}ms`);
+                logger$i.error("policy_fetch_timeout", {
+                    url: this.url,
+                    timeoutMs: this.timeoutMs,
+                });
+                // Preserve cached policy on timeout
+                if (this.cachedState) {
+                    throw timeoutError;
+                }
+                throw timeoutError;
+            }
+            throw error;
+        }
+    }
+    async buildPolicy(policyDefinition) {
+        // Determine the factory configuration to use
+        const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
+        // Ensure we have a type field for the factory
+        if (!("type" in factoryConfig) || typeof factoryConfig.type !== "string") {
+            logger$i.warning("policy_type_missing_defaulting_to_basic", {
+                url: this.url,
+            });
+            factoryConfig.type = "BasicAuthorizationPolicy";
+        }
+        // Build the factory config with the policy definition
+        // The response content IS the policy definition, so we extract the type
+        // and wrap the remaining content as the policyDefinition
+        const { type: definitionType, ...restOfDefinition } = policyDefinition;
+        const resolvedType = typeof definitionType === "string" && definitionType.trim().length > 0
+            ? definitionType
+            : factoryConfig.type;
+        const mergedConfig = this.policyFactoryConfig != null
+            ? { ...this.policyFactoryConfig, policyDefinition }
+            : { type: resolvedType, policyDefinition: restOfDefinition };
+        const policy = await runtime.AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
+        if (!policy) {
+            throw new Error(`Failed to create authorization policy from ${this.url}`);
+        }
+        return policy;
+    }
+}
+
+var httpAuthorizationPolicySource = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    HttpAuthorizationPolicySource: HttpAuthorizationPolicySource
+});
+
+/**
+ * Factory for creating HttpAuthorizationPolicySource instances.
+ *
+ * @packageDocumentation
+ */
+let httpModulePromise = null;
+async function getHttpModule() {
+    if (!httpModulePromise) {
+        httpModulePromise = Promise.resolve().then(function () { return httpAuthorizationPolicySource; });
+    }
+    return httpModulePromise;
+}
+function normalizeConfig$5(config) {
+    if (!config) {
+        throw new Error("HttpAuthorizationPolicySourceFactory requires a configuration with a url");
+    }
+    const candidate = config;
+    const url = candidate.url;
+    if (typeof url !== "string" || url.trim().length === 0) {
+        throw new Error("HttpAuthorizationPolicySourceConfig requires a non-empty url");
+    }
+    // Support both camelCase and snake_case
+    const method = candidate.method ?? "GET";
+    if (!["GET", "POST", "PUT"].includes(method)) {
+        throw new Error(`Invalid method "${String(method)}". Must be "GET", "POST", or "PUT"`);
+    }
+    const timeoutMs = candidate.timeout_ms ??
+        candidate.timeoutMs ??
+        30000;
+    if (typeof timeoutMs !== "number" || !Number.isFinite(timeoutMs) || timeoutMs <= 0) {
+        throw new Error("timeout_ms must be a positive number");
+    }
+    const headers = candidate.headers;
+    if (headers !== undefined && typeof headers !== "object") {
+        throw new Error("headers must be an object");
+    }
+    const tokenProviderConfig = candidate.token_provider ??
+        candidate.tokenProvider;
+    const bearerPrefix = candidate.bearer_prefix ??
+        candidate.bearerPrefix ??
+        "Bearer ";
+    const policyFactory = candidate.policy_factory ??
+        candidate.policyFactory;
+    const cacheTtlMs = candidate.cache_ttl_ms ??
+        candidate.cacheTtlMs ??
+        300000;
+    if (typeof cacheTtlMs !== "number" || !Number.isFinite(cacheTtlMs) || cacheTtlMs < 0) {
+        throw new Error("cache_ttl_ms must be a non-negative number");
+    }
+    return {
+        url: url.trim(),
+        method,
+        timeoutMs,
+        headers,
+        tokenProviderConfig,
+        bearerPrefix,
+        policyFactory,
+        cacheTtlMs,
+    };
+}
+/**
+ * Factory metadata for registration.
+ */
+const FACTORY_META$e = {
+    base: runtime.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE,
+    key: "HttpAuthorizationPolicySource",
+};
+/**
+ * Factory for creating HttpAuthorizationPolicySource instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code (fetch operations) in browser environments where it may not work.
+ */
+class HttpAuthorizationPolicySourceFactory extends runtime.AuthorizationPolicySourceFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "HttpAuthorizationPolicySource";
+    }
+    /**
+     * Creates an HttpAuthorizationPolicySource from the given configuration.
+     *
+     * @param config - Configuration specifying the policy URL and options
+     * @returns The created policy source
+     */
+    async create(config) {
+        const normalized = normalizeConfig$5(config);
+        // Create token provider if configured
+        let tokenProvider;
+        if (normalized.tokenProviderConfig) {
+            tokenProvider = await runtime.TokenProviderFactory.createTokenProvider(normalized.tokenProviderConfig);
+        }
+        const { HttpAuthorizationPolicySource } = await getHttpModule();
+        const options = {
+            url: normalized.url,
+            method: normalized.method,
+            timeoutMs: normalized.timeoutMs,
+            headers: normalized.headers,
+            tokenProvider,
+            bearerPrefix: normalized.bearerPrefix,
+            policyFactory: normalized.policyFactory,
+            cacheTtlMs: normalized.cacheTtlMs,
+        };
+        return new HttpAuthorizationPolicySource(options);
+    }
+}
+
+var httpAuthorizationPolicySourceFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    FACTORY_META: FACTORY_META$e,
+    HttpAuthorizationPolicySourceFactory: HttpAuthorizationPolicySourceFactory,
+    default: HttpAuthorizationPolicySourceFactory
+});
+
+/**
+ * HTTP Policy Authorization Profile
+ *
+ * Provides the 'policy-http' authorization profile for loading policies over HTTP(S).
+ * This profile is similar to 'policy-localfile' from the runtime package but uses
+ * the HttpAuthorizationPolicySource instead of LocalFileAuthorizationPolicySource.
+ */
+// Environment variable names for HTTP policy source
+const ENV_VAR_AUTH_POLICY_URL = "FAME_AUTH_POLICY_URL";
+const ENV_VAR_AUTH_POLICY_TIMEOUT_MS = "FAME_AUTH_POLICY_TIMEOUT_MS";
+const ENV_VAR_AUTH_POLICY_CACHE_TTL_MS = "FAME_AUTH_POLICY_CACHE_TTL_MS";
+const ENV_VAR_AUTH_POLICY_TOKEN_URL = "FAME_AUTH_POLICY_TOKEN_URL";
+const ENV_VAR_AUTH_POLICY_CLIENT_ID = "FAME_AUTH_POLICY_CLIENT_ID";
+const ENV_VAR_AUTH_POLICY_CLIENT_SECRET = "FAME_AUTH_POLICY_CLIENT_SECRET";
+const ENV_VAR_AUTH_POLICY_AUDIENCE = "FAME_AUTH_POLICY_AUDIENCE";
+// Legacy environment variable for backwards compatibility
+const ENV_VAR_AUTH_POLICY_BEARER_TOKEN = "FAME_AUTH_POLICY_BEARER_TOKEN";
+// Profile name constant
+const PROFILE_NAME_POLICY_HTTP = "policy-http";
+// Re-use JWT verifier env vars from runtime
+const ENV_VAR_JWKS_URL = "FAME_JWKS_URL";
+const ENV_VAR_JWT_TRUSTED_ISSUER = "FAME_JWT_TRUSTED_ISSUER";
+/**
+ * Default token verifier configuration using JWKS.
+ */
+const DEFAULT_VERIFIER_CONFIG = {
+    type: "JWKSJWTTokenVerifier",
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+};
+/**
+ * Creates OAuth2 token provider configuration for HTTP policy source.
+ *
+ * Uses environment variables for OAuth2 client credentials flow.
+ */
+function createOAuth2TokenProviderConfig() {
+    const tokenUrl = factory.Expressions.env(ENV_VAR_AUTH_POLICY_TOKEN_URL);
+    const clientId = factory.Expressions.env(ENV_VAR_AUTH_POLICY_CLIENT_ID);
+    const clientSecret = factory.Expressions.env(ENV_VAR_AUTH_POLICY_CLIENT_SECRET);
+    const audience = factory.Expressions.env(ENV_VAR_AUTH_POLICY_AUDIENCE);
+    return {
+        type: "OAuth2ClientCredentialsTokenProvider",
+        token_url: tokenUrl,
+        tokenUrl,
+        client_id: clientId,
+        clientId,
+        client_secret: clientSecret,
+        clientSecret,
+        scopes: ["policy.read"],
+        audience,
+    };
+}
+/**
+ * Default HTTP policy source configuration.
+ *
+ * Uses environment variables for URL, timeout, and OAuth2 client credentials.
+ */
+const DEFAULT_HTTP_POLICY_SOURCE = {
+    type: "HttpAuthorizationPolicySource",
+    url: factory.Expressions.env(ENV_VAR_AUTH_POLICY_URL),
+    timeout_ms: factory.Expressions.env(ENV_VAR_AUTH_POLICY_TIMEOUT_MS, "30000"),
+    cache_ttl_ms: factory.Expressions.env(ENV_VAR_AUTH_POLICY_CACHE_TTL_MS, "300000"),
+    // OAuth2 client credentials token provider
+    token_provider: createOAuth2TokenProviderConfig(),
+};
+const POLICY_HTTP_PROFILE = {
+    type: "PolicyAuthorizer",
+    verifier: DEFAULT_VERIFIER_CONFIG,
+    policy_source: DEFAULT_HTTP_POLICY_SOURCE,
+};
+// Register the policy-http profile
+runtime.registerProfile(runtime.AUTHORIZER_FACTORY_BASE_TYPE, PROFILE_NAME_POLICY_HTTP, POLICY_HTTP_PROFILE, {
+    source: "advanced-security:policy-http-authorization-profile",
+    allowOverride: true,
+});
+
 const logger$h = runtime.getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
 const OID_ED25519 = "1.3.101.112";
@@ -8805,6 +9463,7 @@ var advancedWelcomeServiceFactory = /*#__PURE__*/Object.freeze({
  */
 const MODULES = [
     "./security/auth/policy/advanced-authorization-policy-factory.js",
+    "./security/auth/policy/http-authorization-policy-source-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/default-certificate-manager-factory.js",
     "./security/cert/trust-store/browser-trust-store-provider-factory.js",
@@ -8822,6 +9481,7 @@ const MODULES = [
 ];
 const MODULE_LOADERS = {
     "./security/auth/policy/advanced-authorization-policy-factory.js": () => Promise.resolve().then(function () { return advancedAuthorizationPolicyFactory; }),
+    "./security/auth/policy/http-authorization-policy-source-factory.js": () => Promise.resolve().then(function () { return httpAuthorizationPolicySourceFactory; }),
     "./security/cert/default-ca-service-factory.js": () => Promise.resolve().then(function () { return defaultCaServiceFactory; }),
     "./security/cert/default-certificate-manager-factory.js": () => Promise.resolve().then(function () { return defaultCertificateManagerFactory; }),
     "./security/cert/trust-store/browser-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return browserTrustStoreProviderFactory; }),
@@ -8911,6 +9571,7 @@ const SECURITY_PREFIX = "./security/";
 const SECURITY_MODULES = MODULES.filter((spec) => spec.startsWith(SECURITY_PREFIX));
 const EXTRA_MODULES = MODULES.filter((spec) => !spec.startsWith(SECURITY_PREFIX));
 const NODE_ONLY_MODULES = new Set([
+    "./security/auth/policy/http-authorization-policy-source-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/trust-store/node-trust-store-provider-factory.js",
 ]);
@@ -12664,7 +13325,7 @@ var plugin = /*#__PURE__*/Object.freeze({
     registerAdvancedSecurityPluginFactories: registerAdvancedSecurityPluginFactories
 });
 
-exports.ADVANCED_AUTHORIZATION_POLICY_FACTORY_META = FACTORY_META$e;
+exports.ADVANCED_AUTHORIZATION_POLICY_FACTORY_META = FACTORY_META$f;
 exports.ADVANCED_EDDSA_ENVELOPE_SIGNER_FACTORY_META = FACTORY_META$9;
 exports.ADVANCED_EDDSA_ENVELOPE_VERIFIER_FACTORY_META = FACTORY_META$8;
 exports.ADVANCED_WELCOME_FACTORY_META = FACTORY_META$4;
@@ -12681,74 +13342,51 @@ exports.AdvancedEdDSAEnvelopeSignerFactory = AdvancedEdDSAEnvelopeSignerFactory;
 exports.AdvancedEdDSAEnvelopeVerifierFactory = AdvancedEdDSAEnvelopeVerifierFactory;
 exports.AdvancedWelcomeService = AdvancedWelcomeService;
 exports.AdvancedWelcomeServiceFactory = AdvancedWelcomeServiceFactory;
-exports.BUILTIN_FUNCTIONS = BUILTIN_FUNCTIONS;
-exports.BuiltinError = BuiltinError;
 exports.CAServiceClient = CAServiceClient;
 exports.CompositeEncryptionManager = CompositeEncryptionManager;
 exports.CompositeEncryptionManagerFactory = CompositeEncryptionManagerFactory;
-exports.DEFAULT_EXPRESSION_LIMITS = DEFAULT_EXPRESSION_LIMITS;
 exports.DEFAULT_SECURE_CHANNEL_MANAGER_FACTORY_META = FACTORY_META$b;
 exports.DEFAULT_STICKINESS_SECURITY_LEVEL = DEFAULT_STICKINESS_SECURITY_LEVEL;
 exports.DefaultSecureChannelManager = DefaultSecureChannelManager;
 exports.DefaultSecureChannelManagerFactory = DefaultSecureChannelManagerFactory;
+exports.ENV_VAR_AUTH_POLICY_BEARER_TOKEN = ENV_VAR_AUTH_POLICY_BEARER_TOKEN;
+exports.ENV_VAR_AUTH_POLICY_CACHE_TTL_MS = ENV_VAR_AUTH_POLICY_CACHE_TTL_MS;
+exports.ENV_VAR_AUTH_POLICY_TIMEOUT_MS = ENV_VAR_AUTH_POLICY_TIMEOUT_MS;
+exports.ENV_VAR_AUTH_POLICY_URL = ENV_VAR_AUTH_POLICY_URL;
 exports.ENV_VAR_FAME_CA_SERVICE_URL = ENV_VAR_FAME_CA_SERVICE_URL;
 exports.EdDSAEnvelopeVerifier = EdDSAEnvelopeVerifier;
-exports.EvaluationError = EvaluationError;
-exports.Evaluator = Evaluator;
-exports.ExpressionError = ExpressionError;
 exports.GRANT_PURPOSE_CA_SIGN = GRANT_PURPOSE_CA_SIGN;
-exports.LimitExceededError = LimitExceededError;
+exports.HTTP_AUTHORIZATION_POLICY_SOURCE_FACTORY_META = FACTORY_META$e;
+exports.HttpAuthorizationPolicySource = HttpAuthorizationPolicySource;
+exports.HttpAuthorizationPolicySourceFactory = HttpAuthorizationPolicySourceFactory;
 exports.NoAFTSigner = NoAFTSigner;
-exports.ParseError = ParseError;
-exports.Parser = Parser;
+exports.PROFILE_NAME_POLICY_HTTP = PROFILE_NAME_POLICY_HTTP;
 exports.SidOnlyAFTVerifier = SidOnlyAFTVerifier;
 exports.SignedAFTSigner = SignedAFTSigner;
 exports.SignedOptionalAFTVerifier = SignedOptionalAFTVerifier;
 exports.StrictAFTVerifier = StrictAFTVerifier;
-exports.Tokenizer = Tokenizer;
-exports.TokenizerError = TokenizerError;
-exports.TypeError = TypeError;
 exports.UnsignedAFTSigner = UnsignedAFTSigner;
 exports.VERSION = VERSION;
 exports.X5CKeyManager = X5CKeyManager;
 exports.X5CKeyManagerFactory = X5CKeyManagerFactory;
 exports.X5C_KEY_MANAGER_FACTORY_META = FACTORY_META$7;
 exports.__advancedSecurityPluginLoader = __advancedSecurityPluginLoader;
-exports.astToString = astToString;
 exports.base64UrlDecode = base64UrlDecode;
 exports.base64UrlEncode = base64UrlEncode;
-exports.calculateAstDepth = calculateAstDepth;
-exports.callBuiltin = callBuiltin;
 exports.channelEncryption = index;
-exports.checkArrayLength = checkArrayLength;
-exports.checkAstDepth = checkAstDepth;
-exports.checkAstNodeCount = checkAstNodeCount;
-exports.checkExpressionLength = checkExpressionLength;
-exports.checkFunctionArgCount = checkFunctionArgCount;
-exports.checkGlobPatternLength = checkGlobPatternLength;
-exports.checkRegexPatternLength = checkRegexPatternLength;
-exports.countAstNodes = countAstNodes;
 exports.createAftHelper = createAftHelper;
 exports.createAftPayload = createAftPayload;
 exports.createAftReplicaStickinessManager = createAftReplicaStickinessManager;
 exports.createAftSigner = createAftSigner;
 exports.createAftVerifier = createAftVerifier;
-exports.createAuthFunctionRegistry = createAuthFunctionRegistry;
 exports.createEd25519Csr = createEd25519Csr;
-exports.evaluate = evaluate;
-exports.evaluateAsBoolean = evaluateAsBoolean;
 exports.extractCertificateInfo = extractCertificateInfo;
 exports.formatCertificateInfo = formatCertificateInfo;
-exports.getTypeName = getTypeName;
-exports.isBuiltinFunction = isBuiltinFunction;
-exports.normalizeJsValue = normalizeJsValue;
 exports.normalizeStickinessMode = normalizeStickinessMode;
-exports.parse = parse;
 exports.publicKeyFromX5c = publicKeyFromX5c;
 exports.registerAdvancedSecurityFactories = registerAdvancedSecurityFactories;
 exports.sealedEncryption = index$1;
 exports.serializeAftClaims = serializeAftClaims;
 exports.serializeAftHeader = serializeAftHeader;
-exports.tokenize = tokenize;
 exports.utf8Decode = utf8Decode;
 exports.validateJwkX5cCertificate = validateJwkX5cCertificate;