@naylence/advanced-security 0.4.5 → 0.4.7

package/dist/types/advanced-security-isomorphic.d.ts

@@ -5,7 +5,6 @@
  * installing the shared dynamic importer shim used by Naylence plugins.
  */
 export { VERSION } from "./version.js";
-export * from "./naylence/fame/expr/index.js";
 export * from "./naylence/fame/security/auth/index.js";
 export { validateJwkX5cCertificate, type ValidateJwkX5cCertificateOptions, type ValidateJwkX5cCertificateResult, publicKeyFromX5c, type PublicKeyFromX5cOptions, } from "./naylence/fame/security/cert/util.js";
 export { GRANT_PURPOSE_CA_SIGN } from "./naylence/fame/security/cert/grants.js";

package/dist/types/advanced-security-isomorphic.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"advanced-security-isomorphic.d.ts","sourceRoot":"","sources":["../../src/advanced-security-isomorphic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAGvC,cAAc,+BAA+B,CAAC;AAG9C,cAAc,wCAAwC,CAAC;AAEvD,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,EACrC,KAAK,+BAA+B,EACpC,gBAAgB,EAChB,KAAK,uBAAuB,GAC7B,MAAM,uCAAuC,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,yCAAyC,CAAC;AAChF,OAAO,EACL,gBAAgB,EAChB,KAAK,uBAAuB,GAC7B,MAAM,8CAA8C,CAAC;AACtD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,4CAA4C,CAAC;AACpF,OAAO,EACL,eAAe,EACf,KAAK,mBAAmB,EACxB,KAAK,0BAA0B,EAC/B,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,oDAAoD,CAAC;AAE5D,cAAc,8CAA8C,CAAC;AAE7D,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,2CAA2C,EAC3D,KAAK,yBAAyB,GAC/B,MAAM,mEAAmE,CAAC;AAC3E,OAAO,EACL,oCAAoC,EACpC,YAAY,IAAI,6CAA6C,EAC7D,KAAK,2BAA2B,GACjC,MAAM,qEAAqE,CAAC;AAC7E,OAAO,EACL,qBAAqB,EACrB,KAAK,4BAA4B,EACjC,KAAK,qBAAqB,GAC3B,MAAM,6DAA6D,CAAC;AAErE,cAAc,wCAAwC,CAAC;AAEvD,cAAc,qCAAqC,CAAC;AACpD,cAAc,kCAAkC,CAAC;AAEjD,OAAO,EACL,iCAAiC,EACjC,KAAK,wCAAwC,GAC9C,MAAM,kEAAkE,CAAC;AAE1E,KAAK,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,KAAK,kBAAkB,GAAG,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;AA2FvE,eAAO,MAAM,8BAA8B,oBACL,CAAC"}
+{"version":3,"file":"advanced-security-isomorphic.d.ts","sourceRoot":"","sources":["../../src/advanced-security-isomorphic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAMvC,cAAc,wCAAwC,CAAC;AAEvD,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,EACrC,KAAK,+BAA+B,EACpC,gBAAgB,EAChB,KAAK,uBAAuB,GAC7B,MAAM,uCAAuC,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,yCAAyC,CAAC;AAChF,OAAO,EACL,gBAAgB,EAChB,KAAK,uBAAuB,GAC7B,MAAM,8CAA8C,CAAC;AACtD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,4CAA4C,CAAC;AACpF,OAAO,EACL,eAAe,EACf,KAAK,mBAAmB,EACxB,KAAK,0BAA0B,EAC/B,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,oDAAoD,CAAC;AAE5D,cAAc,8CAA8C,CAAC;AAE7D,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,2CAA2C,EAC3D,KAAK,yBAAyB,GAC/B,MAAM,mEAAmE,CAAC;AAC3E,OAAO,EACL,oCAAoC,EACpC,YAAY,IAAI,6CAA6C,EAC7D,KAAK,2BAA2B,GACjC,MAAM,qEAAqE,CAAC;AAC7E,OAAO,EACL,qBAAqB,EACrB,KAAK,4BAA4B,EACjC,KAAK,qBAAqB,GAC3B,MAAM,6DAA6D,CAAC;AAErE,cAAc,wCAAwC,CAAC;AAEvD,cAAc,qCAAqC,CAAC;AACpD,cAAc,kCAAkC,CAAC;AAEjD,OAAO,EACL,iCAAiC,EACjC,KAAK,wCAAwC,GAC9C,MAAM,kEAAkE,CAAC;AAE1E,KAAK,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAC5C,KAAK,kBAAkB,GAAG,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;AA2FvE,eAAO,MAAM,8BAA8B,oBACL,CAAC"}

package/dist/types/naylence/fame/factory-manifest.d.ts

@@ -4,7 +4,7 @@
  *
  * Provides the list of advanced security factory modules for registration.
  */
-export declare const MODULES: readonly ["./security/auth/policy/advanced-authorization-policy-factory.js", "./security/cert/default-ca-service-factory.js", "./security/cert/default-certificate-manager-factory.js", "./security/cert/trust-store/browser-trust-store-provider-factory.js", "./security/cert/trust-store/node-trust-store-provider-factory.js", "./security/encryption/channel/channel-encryption-manager-factory.js", "./security/encryption/composite-encryption-manager-factory.js", "./security/encryption/default-secure-channel-manager-factory.js", "./security/encryption/sealed/x25519-encryption-manager-factory.js", "./security/keys/x5c-key-manager-factory.js", "./security/signing/eddsa-envelope-signer-factory.js", "./security/signing/eddsa-envelope-verifier-factory.js", "./stickiness/aft-load-balancer-stickiness-manager-factory.js", "./stickiness/aft-replica-stickiness-manager-factory.js", "./welcome/advanced-welcome-service-factory.js"];
+export declare const MODULES: readonly ["./security/auth/policy/advanced-authorization-policy-factory.js", "./security/auth/policy/http-authorization-policy-source-factory.js", "./security/cert/default-ca-service-factory.js", "./security/cert/default-certificate-manager-factory.js", "./security/cert/trust-store/browser-trust-store-provider-factory.js", "./security/cert/trust-store/node-trust-store-provider-factory.js", "./security/encryption/channel/channel-encryption-manager-factory.js", "./security/encryption/composite-encryption-manager-factory.js", "./security/encryption/default-secure-channel-manager-factory.js", "./security/encryption/sealed/x25519-encryption-manager-factory.js", "./security/keys/x5c-key-manager-factory.js", "./security/signing/eddsa-envelope-signer-factory.js", "./security/signing/eddsa-envelope-verifier-factory.js", "./stickiness/aft-load-balancer-stickiness-manager-factory.js", "./stickiness/aft-replica-stickiness-manager-factory.js", "./welcome/advanced-welcome-service-factory.js"];
 export type FactoryModuleSpec = (typeof MODULES)[number];
 export type FactoryModuleLoader = () => Promise<Record<string, unknown>>;
 export declare const MODULE_LOADERS: Record<FactoryModuleSpec, FactoryModuleLoader>;

package/dist/types/naylence/fame/factory-manifest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"factory-manifest.d.ts","sourceRoot":"","sources":["../../../../src/naylence/fame/factory-manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,OAAO,65BAgBV,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;AACzD,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAEzE,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,iBAAiB,EAAE,mBAAmB,CAgBzE,CAAC"}
+{"version":3,"file":"factory-manifest.d.ts","sourceRoot":"","sources":["../../../../src/naylence/fame/factory-manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,OAAO,m+BAiBV,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;AACzD,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAEzE,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,iBAAiB,EAAE,mBAAmB,CAiBzE,CAAC"}

package/dist/types/naylence/fame/security/auth/index.d.ts

@@ -4,4 +4,5 @@
  * @packageDocumentation
  */
 export * from "./policy/index.js";
+export { PROFILE_NAME_POLICY_HTTP, ENV_VAR_AUTH_POLICY_URL, ENV_VAR_AUTH_POLICY_TIMEOUT_MS, ENV_VAR_AUTH_POLICY_CACHE_TTL_MS, ENV_VAR_AUTH_POLICY_BEARER_TOKEN, } from "./policy-http-authorization-profile.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/types/naylence/fame/security/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,mBAAmB,CAAC;AAGlC,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EACvB,8BAA8B,EAC9B,gCAAgC,EAChC,gCAAgC,GACjC,MAAM,wCAAwC,CAAC"}

package/dist/types/naylence/fame/security/auth/policy/auth-policy-server-cli.d.ts

@@ -0,0 +1,20 @@
+#!/usr/bin/env node
+/**
+ * Auth Policy Server CLI Entry Point
+ *
+ * Development server for serving authorization policies over HTTP.
+ * Useful for testing HttpAuthorizationPolicySource.
+ *
+ * Environment variables:
+ *   FAME_APP_HOST - Host to bind to (default: 0.0.0.0)
+ *   FAME_APP_PORT - Port to listen on (default: 8099)
+ *   FAME_POLICY_FILE - Path to policy file (YAML or JSON)
+ *   FAME_POLICY_BEARER_TOKEN - Bearer token for authentication
+ *   FAME_LOG_LEVEL - Log level (debug, info, warning, error)
+ *
+ * Usage:
+ *   npx naylence-policy-server
+ *   FAME_POLICY_FILE=./policy.yaml FAME_POLICY_BEARER_TOKEN=secret npx naylence-policy-server
+ */
+export {};
+//# sourceMappingURL=auth-policy-server-cli.d.ts.map

package/dist/types/naylence/fame/security/auth/policy/auth-policy-server-cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-policy-server-cli.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/auth-policy-server-cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;GAgBG"}

package/dist/types/naylence/fame/security/auth/policy/auth-policy-server.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Auth Policy Server - Authorization Policy HTTP endpoint
+ *
+ * Provides authorization policies via HTTP using Fastify.
+ * Supports OAuth2 JWT authentication and ETag-based caching.
+ * Serves multiple policies by ID from a configurable directory.
+ * This is a development server for testing HTTP policy source functionality.
+ *
+ * Policy files should be named: policy-{policy_id}.yaml or policy-{policy_id}.json
+ * Example: policy-production.yaml, policy-dev.json
+ *
+ * Authentication:
+ * - Set FAME_OAUTH2_ISSUER to enable OAuth2 JWT validation
+ * - Optionally set FAME_OAUTH2_AUDIENCE, FAME_OAUTH2_JWKS_URL
+ * - Set FAME_OAUTH2_ALGORITHMS to customize JWT algorithms (default: RS256,ES256,EdDSA)
+ * - If no OAuth2 config provided, authentication is disabled (dev mode)
+ */
+import type { FastifyInstance } from "fastify";
+/**
+ * Default authorization policy for development.
+ * Allows all operations - suitable for testing only.
+ */
+declare const DEFAULT_POLICY: {
+    version: string;
+    type: string;
+    default_effect: string;
+    rules: {
+        id: string;
+        effect: string;
+        comment: string;
+    }[];
+};
+interface PolicyEntry {
+    id: string;
+    policy: Record<string, unknown>;
+    policyContent: string;
+    etag: string;
+    lastModified: Date;
+    filePath: string;
+    format: "yaml" | "json";
+}
+interface PolicyServerState {
+    policyDir?: string;
+    policies: Map<string, PolicyEntry>;
+}
+/**
+ * Compute ETag from content using SHA-256.
+ */
+declare function computeEtag(content: string): string;
+/**
+ * Extract policy ID from filename.
+ * Expected format: policy-{id}.yaml or policy-{id}.json
+ */
+declare function extractPolicyId(filename: string): {
+    id: string;
+    format: "yaml" | "json";
+} | null;
+/**
+ * Load a single policy from file.
+ */
+declare function loadPolicyFile(filePath: string): Omit<PolicyEntry, "id"> | null;
+/**
+ * Load all policies from a directory.
+ */
+declare function loadPoliciesFromDir(dirPath: string): Map<string, PolicyEntry>;
+/**
+ * Create Fastify application with policy server.
+ */
+declare function createApp(): Promise<{
+    app: FastifyInstance;
+    state: PolicyServerState;
+}>;
+declare function main(): Promise<void>;
+export { createApp, main, loadPoliciesFromDir, loadPolicyFile, extractPolicyId, computeEtag, DEFAULT_POLICY, type PolicyEntry, type PolicyServerState, };
+//# sourceMappingURL=auth-policy-server.d.ts.map

package/dist/types/naylence/fame/security/auth/policy/auth-policy-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-policy-server.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/auth-policy-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAaH,OAAO,KAAK,EAAE,eAAe,EAAkB,MAAM,SAAS,CAAC;AAuC/D;;;GAGG;AACH,QAAA,MAAM,cAAc;;;;;;;;;CAWnB,CAAC;AAEF,UAAU,WAAW;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,IAAI,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CACzB;AAED,UAAU,iBAAiB;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,iBAAS,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAI5C;AAED;;;GAGG;AACH,iBAAS,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,GAAG,IAAI,CASzF;AAED;;GAEG;AACH,iBAAS,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,GAAG,IAAI,CA8BxE;AAED;;GAEG;AACH,iBAAS,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CA4BtE;AA8UD;;GAEG;AACH,iBAAe,SAAS,IAAI,OAAO,CAAC;IAClC,GAAG,EAAE,eAAe,CAAC;IACrB,KAAK,EAAE,iBAAiB,CAAC;CAC1B,CAAC,CA2ED;AAED,iBAAe,IAAI,kBAuClB;AAED,OAAO,EACL,SAAS,EACT,IAAI,EACJ,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,WAAW,EACX,cAAc,EACd,KAAK,WAAW,EAChB,KAAK,iBAAiB,GACvB,CAAC"}

package/dist/types/naylence/fame/security/auth/policy/http-authorization-policy-source-factory.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Factory for creating HttpAuthorizationPolicySource instances.
+ *
+ * @packageDocumentation
+ */
+import type { AuthorizationPolicySource } from "@naylence/runtime";
+import { AuthorizationPolicySourceFactory, type AuthorizationPolicySourceConfig, type AuthorizationPolicyConfig, type TokenProviderConfig } from "@naylence/runtime";
+import type { HttpMethod } from "./http-authorization-policy-source.js";
+/**
+ * Configuration for HttpAuthorizationPolicySource.
+ *
+ * Supports both camelCase and snake_case property names for flexibility.
+ */
+export interface HttpAuthorizationPolicySourceConfig extends AuthorizationPolicySourceConfig {
+    type: "HttpAuthorizationPolicySource";
+    /**
+     * The URL to fetch the policy from (required).
+     */
+    url: string;
+    /**
+     * HTTP method to use.
+     * @default "GET"
+     */
+    method?: HttpMethod;
+    /**
+     * Request timeout in milliseconds.
+     * @default 30000
+     */
+    timeout_ms?: number;
+    /**
+     * Additional headers to include in the request.
+     */
+    headers?: Record<string, string>;
+    /**
+     * Token provider configuration for bearer authentication.
+     */
+    token_provider?: TokenProviderConfig | Record<string, unknown>;
+    /**
+     * Prefix for the Authorization header.
+     * @default "Bearer "
+     */
+    bearer_prefix?: string;
+    /**
+     * Configuration for the policy factory to use when parsing the loaded data.
+     */
+    policy_factory?: AuthorizationPolicyConfig | Record<string, unknown>;
+    /**
+     * Polling interval in milliseconds (reserved for future use).
+     */
+    poll_interval_ms?: number;
+    /**
+     * Fallback cache TTL in milliseconds when server provides no caching headers.
+     * @default 300000 (5 minutes)
+     */
+    cache_ttl_ms?: number;
+}
+/**
+ * Factory metadata for registration.
+ */
+export declare const FACTORY_META: {
+    readonly base: "AuthorizationPolicySourceFactory";
+    readonly key: "HttpAuthorizationPolicySource";
+};
+/**
+ * Factory for creating HttpAuthorizationPolicySource instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code (fetch operations) in browser environments where it may not work.
+ */
+export declare class HttpAuthorizationPolicySourceFactory extends AuthorizationPolicySourceFactory<HttpAuthorizationPolicySourceConfig> {
+    readonly type = "HttpAuthorizationPolicySource";
+    /**
+     * Creates an HttpAuthorizationPolicySource from the given configuration.
+     *
+     * @param config - Configuration specifying the policy URL and options
+     * @returns The created policy source
+     */
+    create(config?: HttpAuthorizationPolicySourceConfig | Record<string, unknown> | null): Promise<AuthorizationPolicySource>;
+}
+export default HttpAuthorizationPolicySourceFactory;
+//# sourceMappingURL=http-authorization-policy-source-factory.d.ts.map

package/dist/types/naylence/fame/security/auth/policy/http-authorization-policy-source-factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-authorization-policy-source-factory.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/http-authorization-policy-source-factory.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,yBAAyB,EAAiB,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAEL,gCAAgC,EAChC,KAAK,+BAA+B,EACpC,KAAK,yBAAyB,EAE9B,KAAK,mBAAmB,EACzB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,KAAK,EAEV,UAAU,EACX,MAAM,uCAAuC,CAAC;AAE/C;;;;GAIG;AACH,MAAM,WAAW,mCACf,SAAQ,+BAA+B;IACvC,IAAI,EAAE,+BAA+B,CAAC;IAEtC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,UAAU,CAAC;IAEpB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC;;OAEG;IACH,cAAc,CAAC,EAAE,mBAAmB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE/D;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,cAAc,CAAC,EAAE,yBAAyB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAErE;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAgGD;;GAEG;AACH,eAAO,MAAM,YAAY;;;CAGf,CAAC;AAEX;;;;;GAKG;AACH,qBAAa,oCAAqC,SAAQ,gCAAgC,CAAC,mCAAmC,CAAC;IAC7H,SAAgB,IAAI,mCAAmC;IAEvD;;;;;OAKG;IACU,MAAM,CACjB,MAAM,CAAC,EACH,mCAAmC,GACnC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACvB,IAAI,GACP,OAAO,CAAC,yBAAyB,CAAC;CA0BtC;AAED,eAAe,oCAAoC,CAAC"}

package/dist/types/naylence/fame/security/auth/policy/http-authorization-policy-source.d.ts

@@ -0,0 +1,150 @@
+/**
+ * HTTP-based authorization policy source.
+ *
+ * Loads authorization policies from an HTTP endpoint supporting JSON or YAML.
+ * Supports bearer authentication via TokenProvider and HTTP caching via ETag.
+ *
+ * This is a Node.js-only implementation.
+ *
+ * @packageDocumentation
+ */
+import type { AuthorizationPolicy, AuthorizationPolicySource, AuthorizationPolicyConfig, TokenProvider } from "@naylence/runtime";
+/**
+ * HTTP method for the policy request.
+ */
+export type HttpMethod = "GET" | "POST" | "PUT";
+/**
+ * Metadata about the last fetch operation.
+ *
+ * Useful for verification, debugging, and monitoring.
+ */
+export interface HttpPolicySourceMetadata {
+    /**
+     * The URL from which the policy was fetched.
+     */
+    url: string;
+    /**
+     * HTTP status code of the last successful fetch.
+     */
+    status: number;
+    /**
+     * ETag from the last successful response.
+     */
+    etag?: string;
+    /**
+     * Timestamp when the policy was last fetched.
+     */
+    fetchedAt: number;
+    /**
+     * Cache-Control max-age value in seconds, if present.
+     */
+    maxAgeSeconds?: number;
+    /**
+     * Computed expiration time based on max-age.
+     */
+    expiresAt?: number;
+}
+/**
+ * Configuration options for HttpAuthorizationPolicySource.
+ */
+export interface HttpAuthorizationPolicySourceOptions {
+    /**
+     * The URL to fetch the policy from.
+     */
+    url: string;
+    /**
+     * HTTP method to use.
+     * @default "GET"
+     */
+    method?: HttpMethod;
+    /**
+     * Request timeout in milliseconds.
+     * @default 30000
+     */
+    timeoutMs?: number;
+    /**
+     * Additional headers to include in the request.
+     */
+    headers?: Record<string, string>;
+    /**
+     * Token provider for bearer authentication.
+     */
+    tokenProvider?: TokenProvider;
+    /**
+     * Prefix for the Authorization header.
+     * @default "Bearer "
+     */
+    bearerPrefix?: string;
+    /**
+     * Configuration for the policy factory to use when parsing the loaded data.
+     * Determines which AuthorizationPolicy implementation is created.
+     *
+     * If not specified, the policy definition from the response is used directly
+     * as the factory configuration (must include a 'type' field).
+     */
+    policyFactory?: AuthorizationPolicyConfig | Record<string, unknown>;
+    /**
+     * Fallback cache TTL in milliseconds when server provides no caching headers.
+     * @default 300000 (5 minutes)
+     */
+    cacheTtlMs?: number;
+}
+/**
+ * An authorization policy source that loads policy definitions from an HTTP endpoint.
+ *
+ * Supports JSON and YAML formats, bearer authentication via TokenProvider,
+ * and HTTP caching via ETag and Cache-Control headers.
+ *
+ * This is a Node.js-only implementation that uses fetch.
+ */
+export declare class HttpAuthorizationPolicySource implements AuthorizationPolicySource {
+    private readonly url;
+    private readonly method;
+    private readonly timeoutMs;
+    private readonly headers;
+    private readonly tokenProvider;
+    private readonly bearerPrefix;
+    private readonly policyFactoryConfig;
+    private readonly cacheTtlMs;
+    private cachedState;
+    private inflightFetch;
+    constructor(options: HttpAuthorizationPolicySourceOptions);
+    /**
+     * Loads the authorization policy from the configured HTTP endpoint.
+     *
+     * Returns a cached policy if still fresh (based on TTL or cache headers).
+     * Multiple concurrent calls are de-duplicated (single-flight pattern).
+     *
+     * @returns The loaded authorization policy
+     */
+    loadPolicy(): Promise<AuthorizationPolicy>;
+    /**
+     * Forces a reload of the policy from the HTTP endpoint.
+     *
+     * Bypasses cache freshness checks and always fetches from the server.
+     * If the fetch fails, the existing cached policy is preserved and the error is thrown.
+     *
+     * @returns The reloaded authorization policy
+     */
+    reloadPolicy(): Promise<AuthorizationPolicy>;
+    /**
+     * Clears the cached policy, forcing a fresh fetch on the next loadPolicy() call.
+     */
+    clearCache(): void;
+    /**
+     * Returns metadata about the last successful fetch.
+     *
+     * Useful for verification, monitoring, or debugging.
+     */
+    getMetadata(): HttpPolicySourceMetadata | undefined;
+    /**
+     * Returns the raw policy definition from the last successful fetch.
+     *
+     * Useful for verification or reprocessing.
+     */
+    getRawDefinition(): Record<string, unknown> | undefined;
+    private isCacheFresh;
+    private fetchPolicy;
+    private buildPolicy;
+}
+//# sourceMappingURL=http-authorization-policy-source.d.ts.map

package/dist/types/naylence/fame/security/auth/policy/http-authorization-policy-source.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-authorization-policy-source.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/http-authorization-policy-source.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,KAAK,EACV,mBAAmB,EACnB,yBAAyB,EACzB,yBAAyB,EACzB,aAAa,EACd,MAAM,mBAAmB,CAAC;AAU3B;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,CAAC;AAEhD;;;;GAIG;AACH,MAAM,WAAW,wBAAwB;IACvC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,oCAAoC;IACnD;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,MAAM,CAAC,EAAE,UAAU,CAAC;IAEpB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC;;OAEG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;IAE9B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,yBAAyB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEpE;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAyFD;;;;;;;GAOG;AACH,qBAAa,6BAA8B,YAAW,yBAAyB;IAC7E,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAC7B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;IACpC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA4B;IAC1D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAGtB;IACd,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IAEpC,OAAO,CAAC,WAAW,CAAkC;IACrD,OAAO,CAAC,aAAa,CAA6C;gBAEtD,OAAO,EAAE,oCAAoC;IAiBzD;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,mBAAmB,CAAC;IAyBhD;;;;;;;OAOG;IACG,YAAY,IAAI,OAAO,CAAC,mBAAmB,CAAC;IAOlD;;OAEG;IACH,UAAU,IAAI,IAAI;IAKlB;;;;OAIG;IACH,WAAW,IAAI,wBAAwB,GAAG,SAAS;IAInD;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS;IAIvD,OAAO,CAAC,YAAY;YAiBN,WAAW;YAgMX,WAAW;CAwC1B"}

package/dist/types/naylence/fame/security/auth/policy/index.d.ts

@@ -6,7 +6,8 @@
  *
  * @packageDocumentation
  */
-export { createAuthFunctionRegistry, createSecurityBindings, normalizeEncryptionLevelFromAlg, type AuthFunctionRegistryOptions, type EncryptionLevel, type SecurityBindings, } from "./expr-builtins.js";
 export { AdvancedAuthorizationPolicy, type AdvancedAuthorizationPolicyOptions, } from "./advanced-authorization-policy.js";
 export { AdvancedAuthorizationPolicyFactory, FACTORY_META as ADVANCED_AUTHORIZATION_POLICY_FACTORY_META, type AdvancedAuthorizationPolicyConfig, } from "./advanced-authorization-policy-factory.js";
+export { HttpAuthorizationPolicySource, type HttpAuthorizationPolicySourceOptions, type HttpPolicySourceMetadata, type HttpMethod, } from "./http-authorization-policy-source.js";
+export { HttpAuthorizationPolicySourceFactory, FACTORY_META as HTTP_AUTHORIZATION_POLICY_SOURCE_FACTORY_META, type HttpAuthorizationPolicySourceConfig, } from "./http-authorization-policy-source-factory.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/types/naylence/fame/security/auth/policy/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EACL,0BAA0B,EAC1B,sBAAsB,EACtB,+BAA+B,EAC/B,KAAK,2BAA2B,EAChC,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,2BAA2B,EAC3B,KAAK,kCAAkC,GACxC,MAAM,oCAAoC,CAAC;AAG5C,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,0CAA0C,EAC1D,KAAK,iCAAiC,GACvC,MAAM,4CAA4C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EACL,2BAA2B,EAC3B,KAAK,kCAAkC,GACxC,MAAM,oCAAoC,CAAC;AAG5C,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,0CAA0C,EAC1D,KAAK,iCAAiC,GACvC,MAAM,4CAA4C,CAAC;AAGpD,OAAO,EACL,6BAA6B,EAC7B,KAAK,oCAAoC,EACzC,KAAK,wBAAwB,EAC7B,KAAK,UAAU,GAChB,MAAM,uCAAuC,CAAC;AAG/C,OAAO,EACL,oCAAoC,EACpC,YAAY,IAAI,6CAA6C,EAC7D,KAAK,mCAAmC,GACzC,MAAM,+CAA+C,CAAC"}

package/dist/types/naylence/fame/security/auth/policy-http-authorization-profile.d.ts

@@ -0,0 +1,17 @@
+/**
+ * HTTP Policy Authorization Profile
+ *
+ * Provides the 'policy-http' authorization profile for loading policies over HTTP(S).
+ * This profile is similar to 'policy-localfile' from the runtime package but uses
+ * the HttpAuthorizationPolicySource instead of LocalFileAuthorizationPolicySource.
+ */
+export declare const ENV_VAR_AUTH_POLICY_URL = "FAME_AUTH_POLICY_URL";
+export declare const ENV_VAR_AUTH_POLICY_TIMEOUT_MS = "FAME_AUTH_POLICY_TIMEOUT_MS";
+export declare const ENV_VAR_AUTH_POLICY_CACHE_TTL_MS = "FAME_AUTH_POLICY_CACHE_TTL_MS";
+export declare const ENV_VAR_AUTH_POLICY_TOKEN_URL = "FAME_AUTH_POLICY_TOKEN_URL";
+export declare const ENV_VAR_AUTH_POLICY_CLIENT_ID = "FAME_AUTH_POLICY_CLIENT_ID";
+export declare const ENV_VAR_AUTH_POLICY_CLIENT_SECRET = "FAME_AUTH_POLICY_CLIENT_SECRET";
+export declare const ENV_VAR_AUTH_POLICY_AUDIENCE = "FAME_AUTH_POLICY_AUDIENCE";
+export declare const ENV_VAR_AUTH_POLICY_BEARER_TOKEN = "FAME_AUTH_POLICY_BEARER_TOKEN";
+export declare const PROFILE_NAME_POLICY_HTTP = "policy-http";
+//# sourceMappingURL=policy-http-authorization-profile.d.ts.map

package/dist/types/naylence/fame/security/auth/policy-http-authorization-profile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-http-authorization-profile.d.ts","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/auth/policy-http-authorization-profile.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAYH,eAAO,MAAM,uBAAuB,yBAAyB,CAAC;AAC9D,eAAO,MAAM,8BAA8B,gCAAgC,CAAC;AAC5E,eAAO,MAAM,gCAAgC,kCAAkC,CAAC;AAChF,eAAO,MAAM,6BAA6B,+BAA+B,CAAC;AAC1E,eAAO,MAAM,6BAA6B,+BAA+B,CAAC;AAC1E,eAAO,MAAM,iCAAiC,mCAAmC,CAAC;AAClF,eAAO,MAAM,4BAA4B,8BAA8B,CAAC;AAGxE,eAAO,MAAM,gCAAgC,kCAAkC,CAAC;AAGhF,eAAO,MAAM,wBAAwB,gBAAgB,CAAC"}

package/dist/types/naylence/fame/security/register-advanced-security-factories.d.ts

@@ -1,5 +1,6 @@
 import { Registry } from "@naylence/factory";
 import "./strict-overlay-security-profile.js";
+import "./auth/policy-http-authorization-profile.js";
 type FactoryRegistrar = Pick<typeof Registry, "registerFactory">;
 export interface RegisterAdvancedSecurityFactoriesOptions {
     readonly includeExtras?: boolean;

package/dist/types/naylence/fame/security/register-advanced-security-factories.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register-advanced-security-factories.d.ts","sourceRoot":"","sources":["../../../../../src/naylence/fame/security/register-advanced-security-factories.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAU7C,OAAO,sCAAsC,CAAC;AAE9C,KAAK,gBAAgB,GAAG,IAAI,CAAC,OAAO,QAAQ,EAAE,iBAAiB,CAAC,CAAC;AA0YjE,MAAM,WAAW,wCAAwC;IACvD,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,wBAAsB,iCAAiC,CACrD,SAAS,GAAE,gBAA2B,EACtC,OAAO,CAAC,EAAE,wCAAwC,GACjD,OAAO,CAAC,IAAI,CAAC,CAaf"}
+{"version":3,"file":"register-advanced-security-factories.d.ts","sourceRoot":"","sources":["../../../../../src/naylence/fame/security/register-advanced-security-factories.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAU7C,OAAO,sCAAsC,CAAC;AAC9C,OAAO,6CAA6C,CAAC;AAErD,KAAK,gBAAgB,GAAG,IAAI,CAAC,OAAO,QAAQ,EAAE,iBAAiB,CAAC,CAAC;AA2YjE,MAAM,WAAW,wCAAwC;IACvD,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,wBAAsB,iCAAiC,CACrD,SAAS,GAAE,gBAA2B,EACtC,OAAO,CAAC,EAAE,wCAAwC,GACjD,OAAO,CAAC,IAAI,CAAC,CAaf"}

package/dist/types/version.d.ts

@@ -2,5 +2,5 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.4.5";
+export declare const VERSION = "0.4.7";
 //# sourceMappingURL=version.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/advanced-security",
-  "version": "0.4.5",
+  "version": "0.4.7",
   "type": "module",
   "description": "Advanced security utilities for the Naylence Fame runtime implemented in TypeScript.",
   "author": "Naylence Dev <naylencedev@gmail.com>",
@@ -112,7 +112,8 @@
     "dist/browser/index.cjs"
   ],
   "bin": {
-    "naylence-ca-server": "./dist/esm/naylence/fame/security/cert/ca-server-cli.js"
+    "naylence-ca-server": "./dist/esm/naylence/fame/security/cert/ca-server-cli.js",
+    "naylence-policy-server": "./dist/esm/naylence/fame/security/auth/policy/auth-policy-server-cli.js"
   },
   "files": [
     "dist",