@naylence/advanced-security 0.4.5 → 0.4.7

package/dist/node/node.mjs

@@ -1,7 +1,8 @@
 import { ExtensionManager, Expressions, Registry, AbstractResourceFactory, createResource, createDefaultResource } from '@naylence/factory';
-import { getLogger, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, registerProfile, SECURITY_MANAGER_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, VALID_EFFECTS, compileGlobOnlyScopeRequirement, KNOWN_RULE_FIELDS, VALID_ACTIONS, compileGlobPattern, VALID_ORIGIN_TYPES, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AuthorizationPolicyFactory, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TrustStoreProviderFactory as TrustStoreProviderFactory$1, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, formatTimestamp, AnsiColor, jsonDumps, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE as TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE$1, validateHostLogical } from '@naylence/runtime';
+import { getLogger, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, registerProfile, SECURITY_MANAGER_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, VALID_EFFECTS, compileGlobOnlyScopeRequirement, KNOWN_RULE_FIELDS, VALID_ACTIONS, compileGlobPattern, VALID_ORIGIN_TYPES, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AuthorizationPolicyFactory, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AuthorizationPolicySourceFactory, TokenProviderFactory, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TrustStoreProviderFactory as TrustStoreProviderFactory$1, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, formatTimestamp, AnsiColor, jsonDumps, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE as TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE$1, validateHostLogical } from '@naylence/runtime';
 import { sha256 } from '@noble/hashes/sha2';
 import { generateFingerprintSync, localDeliveryContext, createFameEnvelope, FameAddress, generateId, formatAddress, SigningMaterial, DeliveryOriginType as DeliveryOriginType$1 } from '@naylence/core';
+import { parse as parse$1 } from 'yaml';
 import { AsnConvert, OctetString } from '@peculiar/asn1-schema';
 import { Certificate, id_ce_subjectAltName, SubjectAlternativeName, id_ce_nameConstraints, NameConstraints, Name, RelativeDistinguishedName, AttributeTypeAndValue, AttributeValue, SubjectPublicKeyInfo, GeneralName, Extensions, Extension, Attribute, AlgorithmIdentifier, TBSCertificate, Validity, Version, BasicConstraints, id_ce_basicConstraints, KeyUsageFlags, KeyUsage, id_ce_keyUsage, SubjectKeyIdentifier, id_ce_subjectKeyIdentifier, AuthorityKeyIdentifier, KeyIdentifier, id_ce_authorityKeyIdentifier, GeneralSubtrees, GeneralSubtree, ExtendedKeyUsage, id_kp_clientAuth, id_kp_serverAuth, id_ce_extKeyUsage } from '@peculiar/asn1-x509';
 import { sha512, sha256 as sha256$1 } from '@noble/hashes/sha2.js';
@@ -23,6 +24,7 @@ import { sha256 as sha256$2 } from '@noble/hashes/sha256.js';
  */
 const MODULES = [
     "./security/auth/policy/advanced-authorization-policy-factory.js",
+    "./security/auth/policy/http-authorization-policy-source-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/default-certificate-manager-factory.js",
     "./security/cert/trust-store/browser-trust-store-provider-factory.js",
@@ -40,6 +42,7 @@ const MODULES = [
 ];
 const MODULE_LOADERS = {
     "./security/auth/policy/advanced-authorization-policy-factory.js": () => Promise.resolve().then(function () { return advancedAuthorizationPolicyFactory; }),
+    "./security/auth/policy/http-authorization-policy-source-factory.js": () => Promise.resolve().then(function () { return httpAuthorizationPolicySourceFactory; }),
     "./security/cert/default-ca-service-factory.js": () => Promise.resolve().then(function () { return defaultCaServiceFactory; }),
     "./security/cert/default-certificate-manager-factory.js": () => Promise.resolve().then(function () { return defaultCertificateManagerFactory; }),
     "./security/cert/trust-store/browser-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return browserTrustStoreProviderFactory; }),
@@ -56,7 +59,7 @@ const MODULE_LOADERS = {
     "./welcome/advanced-welcome-service-factory.js": () => Promise.resolve().then(function () { return advancedWelcomeServiceFactory; }),
 };
 
-const logger$h = getLogger("naylence.fame.security.encryption.encryption_manager_registry");
+const logger$i = getLogger("naylence.fame.security.encryption.encryption_manager_registry");
 class EncryptionManagerFactoryRegistry {
     constructor(autoDiscover = true) {
         this.factories = [];
@@ -78,7 +81,7 @@ class EncryptionManagerFactoryRegistry {
             let registeredCount = 0;
             for (const [factoryName, info] of extensionInfos) {
                 if (factoryName === "CompositeEncryptionManager") {
-                    logger$h.debug("skipping_composite_factory_to_avoid_circular_dependency", {
+                    logger$i.debug("skipping_composite_factory_to_avoid_circular_dependency", {
                         factory_name: factoryName,
                     });
                     continue;
@@ -88,7 +91,7 @@ class EncryptionManagerFactoryRegistry {
                         ExtensionManager.getGlobalFactory(ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
                     this.registerFactory(factoryInstance, { autoDiscovered: true });
                     registeredCount += 1;
-                    logger$h.debug("auto_discovered_factory", {
+                    logger$i.debug("auto_discovered_factory", {
                         factory_name: factoryName,
                         factory_class: factoryInstance.constructor.name,
                         algorithms: factoryInstance.getSupportedAlgorithms(),
@@ -97,21 +100,21 @@ class EncryptionManagerFactoryRegistry {
                     });
                 }
                 catch (error) {
-                    logger$h.warning("failed_to_auto_register_factory", {
+                    logger$i.warning("failed_to_auto_register_factory", {
                         factory_name: factoryName,
                         error: error instanceof Error ? error.message : String(error),
                     });
                 }
             }
             this.autoDiscovered = true;
-            logger$h.debug("completed_auto_discovery", {
+            logger$i.debug("completed_auto_discovery", {
                 registered_factories: registeredCount,
                 total_discovered: extensionInfos.size,
                 skipped_composite: true,
             });
         }
         catch (error) {
-            logger$h.warning("failed_auto_discovery_of_factories", {
+            logger$i.warning("failed_auto_discovery_of_factories", {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -129,7 +132,7 @@ class EncryptionManagerFactoryRegistry {
             const existing = this.algorithmToFactory.get(algorithm);
             if (!existing || factory.getPriority() > existing.getPriority()) {
                 this.algorithmToFactory.set(algorithm, factory);
-                logger$h.debug("registered_algorithm_mapping", {
+                logger$i.debug("registered_algorithm_mapping", {
                     algorithm,
                     factory: factory.constructor.name,
                     priority: factory.getPriority(),
@@ -141,7 +144,7 @@ class EncryptionManagerFactoryRegistry {
         typeFactories.push(factory);
         typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
         this.typeToFactories.set(encryptionType, typeFactories);
-        logger$h.debug("registered_encryption_manager_factory", {
+        logger$i.debug("registered_encryption_manager_factory", {
             factory: factory.constructor.name,
             encryption_type: encryptionType,
             algorithms: factory.getSupportedAlgorithms(),
@@ -157,14 +160,14 @@ class EncryptionManagerFactoryRegistry {
         this.ensureAutoDiscovery();
         for (const factory of this.factories) {
             if (factory.supportsOptions(opts ?? undefined)) {
-                logger$h.debug("found_factory_for_options", {
+                logger$i.debug("found_factory_for_options", {
                     factory: factory.constructor.name,
                     encryption_type: factory.getEncryptionType(),
                 });
                 return factory;
             }
         }
-        logger$h.debug("no_factory_found_for_options", { opts });
+        logger$i.debug("no_factory_found_for_options", { opts });
         return undefined;
     }
     getFactoriesByType(encryptionType) {
@@ -289,10 +292,87 @@ var strictOverlaySecurityProfile = /*#__PURE__*/Object.freeze({
     PROFILE_NAME_STRICT_OVERLAY: PROFILE_NAME_STRICT_OVERLAY
 });
 
+/**
+ * HTTP Policy Authorization Profile
+ *
+ * Provides the 'policy-http' authorization profile for loading policies over HTTP(S).
+ * This profile is similar to 'policy-localfile' from the runtime package but uses
+ * the HttpAuthorizationPolicySource instead of LocalFileAuthorizationPolicySource.
+ */
+// Environment variable names for HTTP policy source
+const ENV_VAR_AUTH_POLICY_URL = "FAME_AUTH_POLICY_URL";
+const ENV_VAR_AUTH_POLICY_TIMEOUT_MS = "FAME_AUTH_POLICY_TIMEOUT_MS";
+const ENV_VAR_AUTH_POLICY_CACHE_TTL_MS = "FAME_AUTH_POLICY_CACHE_TTL_MS";
+const ENV_VAR_AUTH_POLICY_TOKEN_URL = "FAME_AUTH_POLICY_TOKEN_URL";
+const ENV_VAR_AUTH_POLICY_CLIENT_ID = "FAME_AUTH_POLICY_CLIENT_ID";
+const ENV_VAR_AUTH_POLICY_CLIENT_SECRET = "FAME_AUTH_POLICY_CLIENT_SECRET";
+const ENV_VAR_AUTH_POLICY_AUDIENCE = "FAME_AUTH_POLICY_AUDIENCE";
+// Legacy environment variable for backwards compatibility
+const ENV_VAR_AUTH_POLICY_BEARER_TOKEN = "FAME_AUTH_POLICY_BEARER_TOKEN";
+// Profile name constant
+const PROFILE_NAME_POLICY_HTTP = "policy-http";
+// Re-use JWT verifier env vars from runtime
+const ENV_VAR_JWKS_URL = "FAME_JWKS_URL";
+const ENV_VAR_JWT_TRUSTED_ISSUER = "FAME_JWT_TRUSTED_ISSUER";
+/**
+ * Default token verifier configuration using JWKS.
+ */
+const DEFAULT_VERIFIER_CONFIG = {
+    type: "JWKSJWTTokenVerifier",
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+};
+/**
+ * Creates OAuth2 token provider configuration for HTTP policy source.
+ *
+ * Uses environment variables for OAuth2 client credentials flow.
+ */
+function createOAuth2TokenProviderConfig() {
+    const tokenUrl = Expressions.env(ENV_VAR_AUTH_POLICY_TOKEN_URL);
+    const clientId = Expressions.env(ENV_VAR_AUTH_POLICY_CLIENT_ID);
+    const clientSecret = Expressions.env(ENV_VAR_AUTH_POLICY_CLIENT_SECRET);
+    const audience = Expressions.env(ENV_VAR_AUTH_POLICY_AUDIENCE);
+    return {
+        type: "OAuth2ClientCredentialsTokenProvider",
+        token_url: tokenUrl,
+        tokenUrl,
+        client_id: clientId,
+        clientId,
+        client_secret: clientSecret,
+        clientSecret,
+        scopes: ["policy.read"],
+        audience,
+    };
+}
+/**
+ * Default HTTP policy source configuration.
+ *
+ * Uses environment variables for URL, timeout, and OAuth2 client credentials.
+ */
+const DEFAULT_HTTP_POLICY_SOURCE = {
+    type: "HttpAuthorizationPolicySource",
+    url: Expressions.env(ENV_VAR_AUTH_POLICY_URL),
+    timeout_ms: Expressions.env(ENV_VAR_AUTH_POLICY_TIMEOUT_MS, "30000"),
+    cache_ttl_ms: Expressions.env(ENV_VAR_AUTH_POLICY_CACHE_TTL_MS, "300000"),
+    // OAuth2 client credentials token provider
+    token_provider: createOAuth2TokenProviderConfig(),
+};
+const POLICY_HTTP_PROFILE = {
+    type: "PolicyAuthorizer",
+    verifier: DEFAULT_VERIFIER_CONFIG,
+    policy_source: DEFAULT_HTTP_POLICY_SOURCE,
+};
+// Register the policy-http profile
+registerProfile(AUTHORIZER_FACTORY_BASE_TYPE, PROFILE_NAME_POLICY_HTTP, POLICY_HTTP_PROFILE, {
+    source: "advanced-security:policy-http-authorization-profile",
+    allowOverride: true,
+});
+
 const SECURITY_PREFIX = "./security/";
 const SECURITY_MODULES = MODULES.filter((spec) => spec.startsWith(SECURITY_PREFIX));
 const EXTRA_MODULES = MODULES.filter((spec) => !spec.startsWith(SECURITY_PREFIX));
 const NODE_ONLY_MODULES = new Set([
+    "./security/auth/policy/http-authorization-policy-source-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/trust-store/node-trust-store-provider-factory.js",
 ]);
@@ -573,12 +653,12 @@ async function registerAdvancedSecurityFactories(registrar = Registry, options)
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.7
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.5';
+const VERSION = '0.4.7';
 
 async function registerAdvancedSecurityPluginFactories(registrar = Registry) {
     await registerAdvancedSecurityFactories(registrar, { includeExtras: true });
@@ -3484,7 +3564,7 @@ function getModule() {
     }
     return modulePromise;
 }
-function normalizeConfig$5(config) {
+function normalizeConfig$6(config) {
     if (!config) {
         throw new Error("AdvancedAuthorizationPolicyFactory requires a configuration with a policyDefinition");
     }
@@ -3513,7 +3593,7 @@ function normalizeConfig$5(config) {
 /**
  * Factory metadata for registration.
  */
-const FACTORY_META$f = {
+const FACTORY_META$g = {
     base: AUTHORIZATION_POLICY_FACTORY_BASE_TYPE,
     key: "AdvancedAuthorizationPolicy",
 };
@@ -3532,7 +3612,7 @@ class AdvancedAuthorizationPolicyFactory extends AuthorizationPolicyFactory {
      * @returns The created authorization policy
      */
     async create(config) {
-        const normalized = normalizeConfig$5(config);
+        const normalized = normalizeConfig$6(config);
         const { AdvancedAuthorizationPolicy } = await getModule();
         return new AdvancedAuthorizationPolicy({
             policyDefinition: normalized.policyDefinition,
@@ -3545,10 +3625,493 @@ class AdvancedAuthorizationPolicyFactory extends AuthorizationPolicyFactory {
 var advancedAuthorizationPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     AdvancedAuthorizationPolicyFactory: AdvancedAuthorizationPolicyFactory,
-    FACTORY_META: FACTORY_META$f,
+    FACTORY_META: FACTORY_META$g,
     default: AdvancedAuthorizationPolicyFactory
 });
 
+/**
+ * HTTP-based authorization policy source.
+ *
+ * Loads authorization policies from an HTTP endpoint supporting JSON or YAML.
+ * Supports bearer authentication via TokenProvider and HTTP caching via ETag.
+ *
+ * This is a Node.js-only implementation.
+ *
+ * @packageDocumentation
+ */
+const logger$h = getLogger("naylence.fame.security.auth.policy.http_authorization_policy_source");
+function isPlainObject(value) {
+    return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function parseJson(content) {
+    const parsed = JSON.parse(content);
+    if (!isPlainObject(parsed)) {
+        throw new Error("Parsed JSON policy must be an object");
+    }
+    return parsed;
+}
+function parseYamlContent(content) {
+    const parsed = parse$1(content ?? "");
+    if (parsed == null) {
+        return {};
+    }
+    if (!isPlainObject(parsed)) {
+        throw new Error("Parsed YAML policy must be an object");
+    }
+    return parsed;
+}
+/**
+ * Detect whether content is JSON or YAML based on Content-Type header.
+ * Falls back to sniffing the content if Content-Type is not definitive.
+ */
+function detectFormat(contentType, content) {
+    if (contentType) {
+        const lower = contentType.toLowerCase();
+        if (lower.includes("application/json") ||
+            lower.includes("text/json")) {
+            return "json";
+        }
+        if (lower.includes("application/yaml") ||
+            lower.includes("application/x-yaml") ||
+            lower.includes("text/yaml") ||
+            lower.includes("text/x-yaml")) {
+            return "yaml";
+        }
+    }
+    // Sniff by first non-whitespace character
+    const trimmed = content.trimStart();
+    if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+        return "json";
+    }
+    // Default to YAML
+    return "yaml";
+}
+/**
+ * Parse Cache-Control header to extract max-age value.
+ */
+function parseMaxAge(cacheControl) {
+    if (!cacheControl) {
+        return undefined;
+    }
+    const match = cacheControl.match(/max-age\s*=\s*(\d+)/i);
+    if (match && match[1]) {
+        const seconds = parseInt(match[1], 10);
+        if (Number.isFinite(seconds) && seconds >= 0) {
+            return seconds;
+        }
+    }
+    return undefined;
+}
+/**
+ * An authorization policy source that loads policy definitions from an HTTP endpoint.
+ *
+ * Supports JSON and YAML formats, bearer authentication via TokenProvider,
+ * and HTTP caching via ETag and Cache-Control headers.
+ *
+ * This is a Node.js-only implementation that uses fetch.
+ */
+class HttpAuthorizationPolicySource {
+    constructor(options) {
+        this.cachedState = null;
+        this.inflightFetch = null;
+        if (!options.url || typeof options.url !== "string") {
+            throw new Error("HttpAuthorizationPolicySource requires a valid URL");
+        }
+        this.url = options.url;
+        this.method = options.method ?? "GET";
+        this.timeoutMs = options.timeoutMs ?? 30000;
+        this.headers = { ...options.headers };
+        this.tokenProvider = options.tokenProvider;
+        this.bearerPrefix = options.bearerPrefix ?? "Bearer ";
+        this.policyFactoryConfig = options.policyFactory;
+        this.cacheTtlMs = options.cacheTtlMs ?? 300000; // 5 minutes default
+    }
+    /**
+     * Loads the authorization policy from the configured HTTP endpoint.
+     *
+     * Returns a cached policy if still fresh (based on TTL or cache headers).
+     * Multiple concurrent calls are de-duplicated (single-flight pattern).
+     *
+     * @returns The loaded authorization policy
+     */
+    async loadPolicy() {
+        // Return cached policy if still fresh
+        if (this.cachedState && this.isCacheFresh()) {
+            logger$h.debug("returning_cached_policy", {
+                url: this.url,
+                fetchedAt: this.cachedState.metadata.fetchedAt,
+                expiresAt: this.cachedState.metadata.expiresAt,
+            });
+            return this.cachedState.policy;
+        }
+        // De-duplicate concurrent requests
+        if (this.inflightFetch) {
+            return this.inflightFetch;
+        }
+        this.inflightFetch = this.fetchPolicy(false);
+        try {
+            return await this.inflightFetch;
+        }
+        finally {
+            this.inflightFetch = null;
+        }
+    }
+    /**
+     * Forces a reload of the policy from the HTTP endpoint.
+     *
+     * Bypasses cache freshness checks and always fetches from the server.
+     * If the fetch fails, the existing cached policy is preserved and the error is thrown.
+     *
+     * @returns The reloaded authorization policy
+     */
+    async reloadPolicy() {
+        // Clear inflight to force a new request
+        this.inflightFetch = null;
+        return this.fetchPolicy(true);
+    }
+    /**
+     * Clears the cached policy, forcing a fresh fetch on the next loadPolicy() call.
+     */
+    clearCache() {
+        this.cachedState = null;
+        this.inflightFetch = null;
+    }
+    /**
+     * Returns metadata about the last successful fetch.
+     *
+     * Useful for verification, monitoring, or debugging.
+     */
+    getMetadata() {
+        return this.cachedState?.metadata;
+    }
+    /**
+     * Returns the raw policy definition from the last successful fetch.
+     *
+     * Useful for verification or reprocessing.
+     */
+    getRawDefinition() {
+        return this.cachedState?.rawDefinition;
+    }
+    isCacheFresh() {
+        if (!this.cachedState) {
+            return false;
+        }
+        const now = Date.now();
+        const { expiresAt } = this.cachedState.metadata;
+        if (expiresAt !== undefined) {
+            return now < expiresAt;
+        }
+        // No expiration info, check against default TTL
+        const fetchedAt = this.cachedState.metadata.fetchedAt;
+        return now < fetchedAt + this.cacheTtlMs;
+    }
+    async fetchPolicy(forceRefresh) {
+        logger$h.debug("fetching_policy", {
+            url: this.url,
+            method: this.method,
+            forceRefresh,
+        });
+        const requestHeaders = {
+            Accept: "application/json, application/yaml, text/yaml, */*",
+            ...this.headers,
+        };
+        // Add bearer token if token provider is configured
+        if (this.tokenProvider) {
+            try {
+                const token = await this.tokenProvider.getToken();
+                if (token && token.value) {
+                    requestHeaders["Authorization"] = `${this.bearerPrefix}${token.value}`;
+                    logger$h.debug("added_bearer_token", { url: this.url });
+                }
+            }
+            catch (error) {
+                logger$h.warning("token_provider_failed", {
+                    url: this.url,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                // Continue without token - let the server decide if auth is required
+            }
+        }
+        // Add If-None-Match header for conditional request if we have a cached ETag
+        // and this is not a forced refresh
+        if (!forceRefresh && this.cachedState?.metadata.etag) {
+            requestHeaders["If-None-Match"] = this.cachedState.metadata.etag;
+        }
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+        try {
+            const response = await fetch(this.url, {
+                method: this.method,
+                headers: requestHeaders,
+                signal: controller.signal,
+            });
+            clearTimeout(timeoutId);
+            // Handle 304 Not Modified - return cached policy
+            if (response.status === 304 && this.cachedState) {
+                logger$h.debug("policy_not_modified", {
+                    url: this.url,
+                    etag: this.cachedState.metadata.etag,
+                });
+                // Update freshness timestamps
+                const now = Date.now();
+                const cacheControl = response.headers.get("Cache-Control");
+                const maxAgeSeconds = parseMaxAge(cacheControl);
+                const expiresAt = maxAgeSeconds !== undefined
+                    ? now + maxAgeSeconds * 1000
+                    : now + this.cacheTtlMs;
+                this.cachedState = {
+                    ...this.cachedState,
+                    metadata: {
+                        ...this.cachedState.metadata,
+                        fetchedAt: now,
+                        maxAgeSeconds,
+                        expiresAt,
+                    },
+                };
+                return this.cachedState.policy;
+            }
+            if (!response.ok) {
+                const errorMessage = `HTTP ${response.status}: ${response.statusText}`;
+                logger$h.error("policy_fetch_failed", {
+                    url: this.url,
+                    status: response.status,
+                    statusText: response.statusText,
+                });
+                // If we have a cached policy, preserve it and throw
+                if (this.cachedState) {
+                    throw new Error(`Failed to fetch policy from ${this.url}: ${errorMessage}. ` +
+                        "Using last known good policy.");
+                }
+                throw new Error(`Failed to fetch policy from ${this.url}: ${errorMessage}`);
+            }
+            // Parse the response
+            const contentType = response.headers.get("Content-Type");
+            const content = await response.text();
+            const format = detectFormat(contentType, content);
+            let policyDefinition;
+            try {
+                if (format === "json") {
+                    policyDefinition = parseJson(content);
+                }
+                else {
+                    policyDefinition = parseYamlContent(content);
+                }
+            }
+            catch (parseError) {
+                const message = parseError instanceof Error
+                    ? parseError.message
+                    : String(parseError);
+                logger$h.error("policy_parse_failed", {
+                    url: this.url,
+                    format,
+                    error: message,
+                });
+                // Preserve cached policy on parse failure
+                if (this.cachedState) {
+                    throw new Error(`Failed to parse policy from ${this.url}: ${message}. ` +
+                        "Using last known good policy.");
+                }
+                throw new Error(`Failed to parse policy from ${this.url}: ${message}`);
+            }
+            logger$h.debug("parsed_policy_definition", {
+                url: this.url,
+                format,
+                hasType: "type" in policyDefinition,
+            });
+            // Build the policy using the factory
+            const policy = await this.buildPolicy(policyDefinition);
+            // Update cache
+            const now = Date.now();
+            const etag = response.headers.get("ETag") ?? undefined;
+            const cacheControl = response.headers.get("Cache-Control");
+            const maxAgeSeconds = parseMaxAge(cacheControl);
+            const expiresAt = maxAgeSeconds !== undefined
+                ? now + maxAgeSeconds * 1000
+                : now + this.cacheTtlMs;
+            this.cachedState = {
+                policy,
+                rawDefinition: policyDefinition,
+                metadata: {
+                    url: this.url,
+                    status: response.status,
+                    etag,
+                    fetchedAt: now,
+                    maxAgeSeconds,
+                    expiresAt,
+                },
+            };
+            logger$h.info("loaded_policy_from_http", {
+                url: this.url,
+                status: response.status,
+                format,
+                etag,
+                maxAgeSeconds,
+            });
+            return policy;
+        }
+        catch (error) {
+            clearTimeout(timeoutId);
+            if (error instanceof Error && error.name === "AbortError") {
+                const timeoutError = new Error(`Request to ${this.url} timed out after ${this.timeoutMs}ms`);
+                logger$h.error("policy_fetch_timeout", {
+                    url: this.url,
+                    timeoutMs: this.timeoutMs,
+                });
+                // Preserve cached policy on timeout
+                if (this.cachedState) {
+                    throw timeoutError;
+                }
+                throw timeoutError;
+            }
+            throw error;
+        }
+    }
+    async buildPolicy(policyDefinition) {
+        // Determine the factory configuration to use
+        const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
+        // Ensure we have a type field for the factory
+        if (!("type" in factoryConfig) || typeof factoryConfig.type !== "string") {
+            logger$h.warning("policy_type_missing_defaulting_to_basic", {
+                url: this.url,
+            });
+            factoryConfig.type = "BasicAuthorizationPolicy";
+        }
+        // Build the factory config with the policy definition
+        // The response content IS the policy definition, so we extract the type
+        // and wrap the remaining content as the policyDefinition
+        const { type: definitionType, ...restOfDefinition } = policyDefinition;
+        const resolvedType = typeof definitionType === "string" && definitionType.trim().length > 0
+            ? definitionType
+            : factoryConfig.type;
+        const mergedConfig = this.policyFactoryConfig != null
+            ? { ...this.policyFactoryConfig, policyDefinition }
+            : { type: resolvedType, policyDefinition: restOfDefinition };
+        const policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
+        if (!policy) {
+            throw new Error(`Failed to create authorization policy from ${this.url}`);
+        }
+        return policy;
+    }
+}
+
+var httpAuthorizationPolicySource = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    HttpAuthorizationPolicySource: HttpAuthorizationPolicySource
+});
+
+/**
+ * Factory for creating HttpAuthorizationPolicySource instances.
+ *
+ * @packageDocumentation
+ */
+let httpModulePromise = null;
+async function getHttpModule() {
+    if (!httpModulePromise) {
+        httpModulePromise = Promise.resolve().then(function () { return httpAuthorizationPolicySource; });
+    }
+    return httpModulePromise;
+}
+function normalizeConfig$5(config) {
+    if (!config) {
+        throw new Error("HttpAuthorizationPolicySourceFactory requires a configuration with a url");
+    }
+    const candidate = config;
+    const url = candidate.url;
+    if (typeof url !== "string" || url.trim().length === 0) {
+        throw new Error("HttpAuthorizationPolicySourceConfig requires a non-empty url");
+    }
+    // Support both camelCase and snake_case
+    const method = candidate.method ?? "GET";
+    if (!["GET", "POST", "PUT"].includes(method)) {
+        throw new Error(`Invalid method "${String(method)}". Must be "GET", "POST", or "PUT"`);
+    }
+    const timeoutMs = candidate.timeout_ms ??
+        candidate.timeoutMs ??
+        30000;
+    if (typeof timeoutMs !== "number" || !Number.isFinite(timeoutMs) || timeoutMs <= 0) {
+        throw new Error("timeout_ms must be a positive number");
+    }
+    const headers = candidate.headers;
+    if (headers !== undefined && typeof headers !== "object") {
+        throw new Error("headers must be an object");
+    }
+    const tokenProviderConfig = candidate.token_provider ??
+        candidate.tokenProvider;
+    const bearerPrefix = candidate.bearer_prefix ??
+        candidate.bearerPrefix ??
+        "Bearer ";
+    const policyFactory = candidate.policy_factory ??
+        candidate.policyFactory;
+    const cacheTtlMs = candidate.cache_ttl_ms ??
+        candidate.cacheTtlMs ??
+        300000;
+    if (typeof cacheTtlMs !== "number" || !Number.isFinite(cacheTtlMs) || cacheTtlMs < 0) {
+        throw new Error("cache_ttl_ms must be a non-negative number");
+    }
+    return {
+        url: url.trim(),
+        method,
+        timeoutMs,
+        headers,
+        tokenProviderConfig,
+        bearerPrefix,
+        policyFactory,
+        cacheTtlMs,
+    };
+}
+/**
+ * Factory metadata for registration.
+ */
+const FACTORY_META$f = {
+    base: AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE,
+    key: "HttpAuthorizationPolicySource",
+};
+/**
+ * Factory for creating HttpAuthorizationPolicySource instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code (fetch operations) in browser environments where it may not work.
+ */
+class HttpAuthorizationPolicySourceFactory extends AuthorizationPolicySourceFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "HttpAuthorizationPolicySource";
+    }
+    /**
+     * Creates an HttpAuthorizationPolicySource from the given configuration.
+     *
+     * @param config - Configuration specifying the policy URL and options
+     * @returns The created policy source
+     */
+    async create(config) {
+        const normalized = normalizeConfig$5(config);
+        // Create token provider if configured
+        let tokenProvider;
+        if (normalized.tokenProviderConfig) {
+            tokenProvider = await TokenProviderFactory.createTokenProvider(normalized.tokenProviderConfig);
+        }
+        const { HttpAuthorizationPolicySource } = await getHttpModule();
+        const options = {
+            url: normalized.url,
+            method: normalized.method,
+            timeoutMs: normalized.timeoutMs,
+            headers: normalized.headers,
+            tokenProvider,
+            bearerPrefix: normalized.bearerPrefix,
+            policyFactory: normalized.policyFactory,
+            cacheTtlMs: normalized.cacheTtlMs,
+        };
+        return new HttpAuthorizationPolicySource(options);
+    }
+}
+
+var httpAuthorizationPolicySourceFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    FACTORY_META: FACTORY_META$f,
+    HttpAuthorizationPolicySourceFactory: HttpAuthorizationPolicySourceFactory,
+    default: HttpAuthorizationPolicySourceFactory
+});
+
 /**
  * Advanced authorization policy module exports.
  *
@@ -3557,7 +4120,7 @@ var advancedAuthorizationPolicyFactory = /*#__PURE__*/Object.freeze({
  *
  * @packageDocumentation
  */
-// Auth expression helpers
+// Expression authorization policy
 
 /**
  * Advanced security authentication/authorization module exports.
@@ -13182,4 +13745,4 @@ if (isNode && proc && proc.env) {
     }
 }
 
-export { FACTORY_META$f as ADVANCED_AUTHORIZATION_POLICY_FACTORY_META, FACTORY_META$a as ADVANCED_EDDSA_ENVELOPE_SIGNER_FACTORY_META, FACTORY_META$9 as ADVANCED_EDDSA_ENVELOPE_VERIFIER_FACTORY_META, FACTORY_META$5 as ADVANCED_WELCOME_FACTORY_META, AFTHelper, AFTLoadBalancerStickinessManager, AFTLoadBalancerStickinessManagerFactory, AFTReplicaStickinessManager, AFTReplicaStickinessManagerFactory, FACTORY_META$7 as AFT_LOAD_BALANCER_FACTORY_META, FACTORY_META$6 as AFT_REPLICA_FACTORY_META, AdvancedAuthorizationPolicy, AdvancedAuthorizationPolicyFactory, AdvancedEdDSAEnvelopeSignerFactory, AdvancedEdDSAEnvelopeVerifierFactory, AdvancedWelcomeService, AdvancedWelcomeServiceFactory, FACTORY_META$2 as BROWSER_TRUST_STORE_PROVIDER_FACTORY_META, BUILTIN_FUNCTIONS, BrowserTrustStoreProviderFactory, BuiltinError, CAService, CAServiceClient, CAServiceFactory, CASigningService, CA_SERVICE_FACTORY_BASE_TYPE, CertificateRequestError, CompositeEncryptionManager, CompositeEncryptionManagerFactory, FACTORY_META$4 as DEFAULT_CERTIFICATE_MANAGER_FACTORY_META, DEFAULT_EXPRESSION_LIMITS, FACTORY_META$c as DEFAULT_SECURE_CHANNEL_MANAGER_FACTORY_META, DEFAULT_STICKINESS_SECURITY_LEVEL, DefaultCAService, DefaultCAServiceFactory, DefaultCertificateManager, DefaultCertificateManagerFactory, DefaultSecureChannelManager, DefaultSecureChannelManagerFactory, ENV_FAME_CA_CERT_FILE, ENV_FAME_CA_CERT_PEM, ENV_FAME_CA_KEY_FILE, ENV_FAME_CA_KEY_PEM, ENV_FAME_INTERMEDIATE_CHAIN_FILE, ENV_FAME_INTERMEDIATE_CHAIN_PEM, ENV_FAME_SIGNING_CERT_FILE, ENV_FAME_SIGNING_CERT_PEM, ENV_FAME_SIGNING_KEY_FILE, ENV_FAME_SIGNING_KEY_PEM, FACTORY_META$3 as ENV_TRUST_STORE_PROVIDER_FACTORY_META, ENV_VAR_FAME_CA_SERVICE_URL, EdDSAEnvelopeVerifier, EnvTrustStoreProviderFactory, EvaluationError, Evaluator, ExpressionError, GRANT_PURPOSE_CA_SIGN, LOGICALS_OID, LimitExceededError, NODE_ID_OID, NoAFTSigner, NullTrustStoreProvider, PROFILE_NAME_STRICT_OVERLAY, ParseError, Parser, SID_OID, SidOnlyAFTVerifier, SignedAFTSigner, SignedOptionalAFTVerifier, StickinessMode, StrictAFTVerifier, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, Tokenizer, TokenizerError, TrustStoreProviderFactory, TypeError, UnsignedAFTSigner, VERSION, X5CKeyManager, X5CKeyManagerFactory, FACTORY_META$8 as X5C_KEY_MANAGER_FACTORY_META, __advancedSecurityPluginLoader, astToString, base64UrlDecode, base64UrlEncode, calculateAstDepth, callBuiltin, index as channelEncryption, checkArrayLength, checkAstDepth, checkAstNodeCount, checkExpressionLength, checkFunctionArgCount, checkGlobPatternLength, checkRegexPatternLength, countAstNodes, createAftHelper, createAftPayload, createAftReplicaStickinessManager, createAftSigner, createAftVerifier, createAuthFunctionRegistry, createEd25519Csr, createEd25519CsrFromPem, createSecurityBindings, createTestCA, evaluate, evaluateAsBoolean, extractCertificateInfo, extractLogicalHostsFromCert, extractNodeIdFromCert, extractSidFromCert, extractSidFromSpiffeId, extractSpiffeIdFromCert, formatCertificateInfo, getTypeName, isBuiltinFunction, normalizeEncryptionLevelFromAlg, normalizeJsValue, normalizeStickinessMode, parse, publicKeyFromX5c, registerAdvancedSecurityFactories, index$1 as sealedEncryption, serializeAftClaims, serializeAftHeader, tokenize, utf8Decode, validateJwkX5cCertificate, verifyCertSidIntegrity };
+export { FACTORY_META$g as ADVANCED_AUTHORIZATION_POLICY_FACTORY_META, FACTORY_META$a as ADVANCED_EDDSA_ENVELOPE_SIGNER_FACTORY_META, FACTORY_META$9 as ADVANCED_EDDSA_ENVELOPE_VERIFIER_FACTORY_META, FACTORY_META$5 as ADVANCED_WELCOME_FACTORY_META, AFTHelper, AFTLoadBalancerStickinessManager, AFTLoadBalancerStickinessManagerFactory, AFTReplicaStickinessManager, AFTReplicaStickinessManagerFactory, FACTORY_META$7 as AFT_LOAD_BALANCER_FACTORY_META, FACTORY_META$6 as AFT_REPLICA_FACTORY_META, AdvancedAuthorizationPolicy, AdvancedAuthorizationPolicyFactory, AdvancedEdDSAEnvelopeSignerFactory, AdvancedEdDSAEnvelopeVerifierFactory, AdvancedWelcomeService, AdvancedWelcomeServiceFactory, FACTORY_META$2 as BROWSER_TRUST_STORE_PROVIDER_FACTORY_META, BrowserTrustStoreProviderFactory, CAService, CAServiceClient, CAServiceFactory, CASigningService, CA_SERVICE_FACTORY_BASE_TYPE, CertificateRequestError, CompositeEncryptionManager, CompositeEncryptionManagerFactory, FACTORY_META$4 as DEFAULT_CERTIFICATE_MANAGER_FACTORY_META, FACTORY_META$c as DEFAULT_SECURE_CHANNEL_MANAGER_FACTORY_META, DEFAULT_STICKINESS_SECURITY_LEVEL, DefaultCAService, DefaultCAServiceFactory, DefaultCertificateManager, DefaultCertificateManagerFactory, DefaultSecureChannelManager, DefaultSecureChannelManagerFactory, ENV_FAME_CA_CERT_FILE, ENV_FAME_CA_CERT_PEM, ENV_FAME_CA_KEY_FILE, ENV_FAME_CA_KEY_PEM, ENV_FAME_INTERMEDIATE_CHAIN_FILE, ENV_FAME_INTERMEDIATE_CHAIN_PEM, ENV_FAME_SIGNING_CERT_FILE, ENV_FAME_SIGNING_CERT_PEM, ENV_FAME_SIGNING_KEY_FILE, ENV_FAME_SIGNING_KEY_PEM, FACTORY_META$3 as ENV_TRUST_STORE_PROVIDER_FACTORY_META, ENV_VAR_AUTH_POLICY_BEARER_TOKEN, ENV_VAR_AUTH_POLICY_CACHE_TTL_MS, ENV_VAR_AUTH_POLICY_TIMEOUT_MS, ENV_VAR_AUTH_POLICY_URL, ENV_VAR_FAME_CA_SERVICE_URL, EdDSAEnvelopeVerifier, EnvTrustStoreProviderFactory, GRANT_PURPOSE_CA_SIGN, FACTORY_META$f as HTTP_AUTHORIZATION_POLICY_SOURCE_FACTORY_META, HttpAuthorizationPolicySource, HttpAuthorizationPolicySourceFactory, LOGICALS_OID, NODE_ID_OID, NoAFTSigner, NullTrustStoreProvider, PROFILE_NAME_POLICY_HTTP, PROFILE_NAME_STRICT_OVERLAY, SID_OID, SidOnlyAFTVerifier, SignedAFTSigner, SignedOptionalAFTVerifier, StickinessMode, StrictAFTVerifier, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TrustStoreProviderFactory, UnsignedAFTSigner, VERSION, X5CKeyManager, X5CKeyManagerFactory, FACTORY_META$8 as X5C_KEY_MANAGER_FACTORY_META, __advancedSecurityPluginLoader, base64UrlDecode, base64UrlEncode, index as channelEncryption, createAftHelper, createAftPayload, createAftReplicaStickinessManager, createAftSigner, createAftVerifier, createEd25519Csr, createEd25519CsrFromPem, createTestCA, extractCertificateInfo, extractLogicalHostsFromCert, extractNodeIdFromCert, extractSidFromCert, extractSidFromSpiffeId, extractSpiffeIdFromCert, formatCertificateInfo, normalizeStickinessMode, publicKeyFromX5c, registerAdvancedSecurityFactories, index$1 as sealedEncryption, serializeAftClaims, serializeAftHeader, utf8Decode, validateJwkX5cCertificate, verifyCertSidIntegrity };