@naylence/advanced-security 0.4.5 → 0.4.7

package/dist/browser/index.mjs

@@ -1,7 +1,8 @@
 import { ExtensionManager, Expressions, Registry, AbstractResourceFactory } from '@naylence/factory';
-import { ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, getLogger, registerProfile, SECURITY_MANAGER_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, VALID_EFFECTS, compileGlobOnlyScopeRequirement, KNOWN_RULE_FIELDS, VALID_ACTIONS, compileGlobPattern, VALID_ORIGIN_TYPES, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AuthorizationPolicyFactory, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TrustStoreProviderFactory, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, AnsiColor, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, formatTimestamp, jsonDumps, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, validateHostLogical, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE } from '@naylence/runtime';
+import { ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, getLogger, registerProfile, SECURITY_MANAGER_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, VALID_EFFECTS, compileGlobOnlyScopeRequirement, KNOWN_RULE_FIELDS, VALID_ACTIONS, compileGlobPattern, VALID_ORIGIN_TYPES, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AuthorizationPolicyFactory, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AuthorizationPolicySourceFactory, TokenProviderFactory, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TrustStoreProviderFactory, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, AnsiColor, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, formatTimestamp, jsonDumps, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, validateHostLogical, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE } from '@naylence/runtime';
 import { sha256 } from '@noble/hashes/sha2';
 import { generateFingerprintSync, localDeliveryContext, createFameEnvelope, generateId, formatAddress, FameAddress, SigningMaterial, DeliveryOriginType as DeliveryOriginType$1 } from '@naylence/core';
+import { parse as parse$1 } from 'yaml';
 import { AsnConvert, OctetString } from '@peculiar/asn1-schema';
 import { Attributes, CertificationRequestInfo, CertificationRequest } from '@peculiar/asn1-csr';
 import { Certificate, SubjectAlternativeName, NameConstraints, id_ce_subjectAltName, id_ce_nameConstraints, SubjectPublicKeyInfo, GeneralName, Extensions, Extension, Attribute, AlgorithmIdentifier, Name, RelativeDistinguishedName, AttributeTypeAndValue, AttributeValue, BasicConstraints, id_ce_basicConstraints, KeyUsageFlags, id_ce_keyUsage, KeyUsage, id_ce_subjectKeyIdentifier, SubjectKeyIdentifier, id_ce_authorityKeyIdentifier, AuthorityKeyIdentifier, KeyIdentifier, GeneralSubtrees, GeneralSubtree, TBSCertificate, Validity, Version, id_ce_extKeyUsage, ExtendedKeyUsage, id_kp_clientAuth, id_kp_serverAuth } from '@peculiar/asn1-x509';
@@ -23,6 +24,7 @@ import { X509Certificate } from '@peculiar/x509';
  */
 const MODULES = [
     "./security/auth/policy/advanced-authorization-policy-factory.js",
+    "./security/auth/policy/http-authorization-policy-source-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/default-certificate-manager-factory.js",
     "./security/cert/trust-store/browser-trust-store-provider-factory.js",
@@ -40,6 +42,7 @@ const MODULES = [
 ];
 const MODULE_LOADERS = {
     "./security/auth/policy/advanced-authorization-policy-factory.js": () => Promise.resolve().then(function () { return advancedAuthorizationPolicyFactory; }),
+    "./security/auth/policy/http-authorization-policy-source-factory.js": () => Promise.resolve().then(function () { return httpAuthorizationPolicySourceFactory; }),
     "./security/cert/default-ca-service-factory.js": () => Promise.resolve().then(function () { return defaultCaServiceFactory; }),
     "./security/cert/default-certificate-manager-factory.js": () => Promise.resolve().then(function () { return defaultCertificateManagerFactory; }),
     "./security/cert/trust-store/browser-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return browserTrustStoreProviderFactory; }),
@@ -56,7 +59,7 @@ const MODULE_LOADERS = {
     "./welcome/advanced-welcome-service-factory.js": () => Promise.resolve().then(function () { return advancedWelcomeServiceFactory; }),
 };
 
-const logger$h = getLogger("naylence.fame.security.encryption.encryption_manager_registry");
+const logger$i = getLogger("naylence.fame.security.encryption.encryption_manager_registry");
 class EncryptionManagerFactoryRegistry {
     constructor(autoDiscover = true) {
         this.factories = [];
@@ -78,7 +81,7 @@ class EncryptionManagerFactoryRegistry {
             let registeredCount = 0;
             for (const [factoryName, info] of extensionInfos) {
                 if (factoryName === "CompositeEncryptionManager") {
-                    logger$h.debug("skipping_composite_factory_to_avoid_circular_dependency", {
+                    logger$i.debug("skipping_composite_factory_to_avoid_circular_dependency", {
                         factory_name: factoryName,
                     });
                     continue;
@@ -88,7 +91,7 @@ class EncryptionManagerFactoryRegistry {
                         ExtensionManager.getGlobalFactory(ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
                     this.registerFactory(factoryInstance, { autoDiscovered: true });
                     registeredCount += 1;
-                    logger$h.debug("auto_discovered_factory", {
+                    logger$i.debug("auto_discovered_factory", {
                         factory_name: factoryName,
                         factory_class: factoryInstance.constructor.name,
                         algorithms: factoryInstance.getSupportedAlgorithms(),
@@ -97,21 +100,21 @@ class EncryptionManagerFactoryRegistry {
                     });
                 }
                 catch (error) {
-                    logger$h.warning("failed_to_auto_register_factory", {
+                    logger$i.warning("failed_to_auto_register_factory", {
                         factory_name: factoryName,
                         error: error instanceof Error ? error.message : String(error),
                     });
                 }
             }
             this.autoDiscovered = true;
-            logger$h.debug("completed_auto_discovery", {
+            logger$i.debug("completed_auto_discovery", {
                 registered_factories: registeredCount,
                 total_discovered: extensionInfos.size,
                 skipped_composite: true,
             });
         }
         catch (error) {
-            logger$h.warning("failed_auto_discovery_of_factories", {
+            logger$i.warning("failed_auto_discovery_of_factories", {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -129,7 +132,7 @@ class EncryptionManagerFactoryRegistry {
             const existing = this.algorithmToFactory.get(algorithm);
             if (!existing || factory.getPriority() > existing.getPriority()) {
                 this.algorithmToFactory.set(algorithm, factory);
-                logger$h.debug("registered_algorithm_mapping", {
+                logger$i.debug("registered_algorithm_mapping", {
                     algorithm,
                     factory: factory.constructor.name,
                     priority: factory.getPriority(),
@@ -141,7 +144,7 @@ class EncryptionManagerFactoryRegistry {
         typeFactories.push(factory);
         typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
         this.typeToFactories.set(encryptionType, typeFactories);
-        logger$h.debug("registered_encryption_manager_factory", {
+        logger$i.debug("registered_encryption_manager_factory", {
             factory: factory.constructor.name,
             encryption_type: encryptionType,
             algorithms: factory.getSupportedAlgorithms(),
@@ -157,14 +160,14 @@ class EncryptionManagerFactoryRegistry {
         this.ensureAutoDiscovery();
         for (const factory of this.factories) {
             if (factory.supportsOptions(opts ?? undefined)) {
-                logger$h.debug("found_factory_for_options", {
+                logger$i.debug("found_factory_for_options", {
                     factory: factory.constructor.name,
                     encryption_type: factory.getEncryptionType(),
                 });
                 return factory;
             }
         }
-        logger$h.debug("no_factory_found_for_options", { opts });
+        logger$i.debug("no_factory_found_for_options", { opts });
         return undefined;
     }
     getFactoriesByType(encryptionType) {
@@ -290,6 +293,7 @@ const SECURITY_PREFIX = "./security/";
 const SECURITY_MODULES = MODULES.filter((spec) => spec.startsWith(SECURITY_PREFIX));
 const EXTRA_MODULES = MODULES.filter((spec) => !spec.startsWith(SECURITY_PREFIX));
 const NODE_ONLY_MODULES = new Set([
+    "./security/auth/policy/http-authorization-policy-source-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/trust-store/node-trust-store-provider-factory.js",
 ]);
@@ -570,12 +574,12 @@ async function registerAdvancedSecurityFactories(registrar = Registry, options)
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.7
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.5';
+const VERSION = '0.4.7';
 
 async function registerAdvancedSecurityPluginFactories(registrar = Registry) {
     await registerAdvancedSecurityFactories(registrar);
@@ -3386,7 +3390,7 @@ function getModule() {
     }
     return modulePromise;
 }
-function normalizeConfig$5(config) {
+function normalizeConfig$6(config) {
     if (!config) {
         throw new Error("AdvancedAuthorizationPolicyFactory requires a configuration with a policyDefinition");
     }
@@ -3415,7 +3419,7 @@ function normalizeConfig$5(config) {
 /**
  * Factory metadata for registration.
  */
-const FACTORY_META$e = {
+const FACTORY_META$f = {
     base: AUTHORIZATION_POLICY_FACTORY_BASE_TYPE,
     key: "AdvancedAuthorizationPolicy",
 };
@@ -3434,7 +3438,7 @@ class AdvancedAuthorizationPolicyFactory extends AuthorizationPolicyFactory {
      * @returns The created authorization policy
      */
     async create(config) {
-        const normalized = normalizeConfig$5(config);
+        const normalized = normalizeConfig$6(config);
         const { AdvancedAuthorizationPolicy } = await getModule();
         return new AdvancedAuthorizationPolicy({
             policyDefinition: normalized.policyDefinition,
@@ -3447,10 +3451,493 @@ class AdvancedAuthorizationPolicyFactory extends AuthorizationPolicyFactory {
 var advancedAuthorizationPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     AdvancedAuthorizationPolicyFactory: AdvancedAuthorizationPolicyFactory,
-    FACTORY_META: FACTORY_META$e,
+    FACTORY_META: FACTORY_META$f,
     default: AdvancedAuthorizationPolicyFactory
 });
 
+/**
+ * HTTP-based authorization policy source.
+ *
+ * Loads authorization policies from an HTTP endpoint supporting JSON or YAML.
+ * Supports bearer authentication via TokenProvider and HTTP caching via ETag.
+ *
+ * This is a Node.js-only implementation.
+ *
+ * @packageDocumentation
+ */
+const logger$h = getLogger("naylence.fame.security.auth.policy.http_authorization_policy_source");
+function isPlainObject(value) {
+    return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function parseJson(content) {
+    const parsed = JSON.parse(content);
+    if (!isPlainObject(parsed)) {
+        throw new Error("Parsed JSON policy must be an object");
+    }
+    return parsed;
+}
+function parseYamlContent(content) {
+    const parsed = parse$1(content ?? "");
+    if (parsed == null) {
+        return {};
+    }
+    if (!isPlainObject(parsed)) {
+        throw new Error("Parsed YAML policy must be an object");
+    }
+    return parsed;
+}
+/**
+ * Detect whether content is JSON or YAML based on Content-Type header.
+ * Falls back to sniffing the content if Content-Type is not definitive.
+ */
+function detectFormat(contentType, content) {
+    if (contentType) {
+        const lower = contentType.toLowerCase();
+        if (lower.includes("application/json") ||
+            lower.includes("text/json")) {
+            return "json";
+        }
+        if (lower.includes("application/yaml") ||
+            lower.includes("application/x-yaml") ||
+            lower.includes("text/yaml") ||
+            lower.includes("text/x-yaml")) {
+            return "yaml";
+        }
+    }
+    // Sniff by first non-whitespace character
+    const trimmed = content.trimStart();
+    if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+        return "json";
+    }
+    // Default to YAML
+    return "yaml";
+}
+/**
+ * Parse Cache-Control header to extract max-age value.
+ */
+function parseMaxAge(cacheControl) {
+    if (!cacheControl) {
+        return undefined;
+    }
+    const match = cacheControl.match(/max-age\s*=\s*(\d+)/i);
+    if (match && match[1]) {
+        const seconds = parseInt(match[1], 10);
+        if (Number.isFinite(seconds) && seconds >= 0) {
+            return seconds;
+        }
+    }
+    return undefined;
+}
+/**
+ * An authorization policy source that loads policy definitions from an HTTP endpoint.
+ *
+ * Supports JSON and YAML formats, bearer authentication via TokenProvider,
+ * and HTTP caching via ETag and Cache-Control headers.
+ *
+ * This is a Node.js-only implementation that uses fetch.
+ */
+class HttpAuthorizationPolicySource {
+    constructor(options) {
+        this.cachedState = null;
+        this.inflightFetch = null;
+        if (!options.url || typeof options.url !== "string") {
+            throw new Error("HttpAuthorizationPolicySource requires a valid URL");
+        }
+        this.url = options.url;
+        this.method = options.method ?? "GET";
+        this.timeoutMs = options.timeoutMs ?? 30000;
+        this.headers = { ...options.headers };
+        this.tokenProvider = options.tokenProvider;
+        this.bearerPrefix = options.bearerPrefix ?? "Bearer ";
+        this.policyFactoryConfig = options.policyFactory;
+        this.cacheTtlMs = options.cacheTtlMs ?? 300000; // 5 minutes default
+    }
+    /**
+     * Loads the authorization policy from the configured HTTP endpoint.
+     *
+     * Returns a cached policy if still fresh (based on TTL or cache headers).
+     * Multiple concurrent calls are de-duplicated (single-flight pattern).
+     *
+     * @returns The loaded authorization policy
+     */
+    async loadPolicy() {
+        // Return cached policy if still fresh
+        if (this.cachedState && this.isCacheFresh()) {
+            logger$h.debug("returning_cached_policy", {
+                url: this.url,
+                fetchedAt: this.cachedState.metadata.fetchedAt,
+                expiresAt: this.cachedState.metadata.expiresAt,
+            });
+            return this.cachedState.policy;
+        }
+        // De-duplicate concurrent requests
+        if (this.inflightFetch) {
+            return this.inflightFetch;
+        }
+        this.inflightFetch = this.fetchPolicy(false);
+        try {
+            return await this.inflightFetch;
+        }
+        finally {
+            this.inflightFetch = null;
+        }
+    }
+    /**
+     * Forces a reload of the policy from the HTTP endpoint.
+     *
+     * Bypasses cache freshness checks and always fetches from the server.
+     * If the fetch fails, the existing cached policy is preserved and the error is thrown.
+     *
+     * @returns The reloaded authorization policy
+     */
+    async reloadPolicy() {
+        // Clear inflight to force a new request
+        this.inflightFetch = null;
+        return this.fetchPolicy(true);
+    }
+    /**
+     * Clears the cached policy, forcing a fresh fetch on the next loadPolicy() call.
+     */
+    clearCache() {
+        this.cachedState = null;
+        this.inflightFetch = null;
+    }
+    /**
+     * Returns metadata about the last successful fetch.
+     *
+     * Useful for verification, monitoring, or debugging.
+     */
+    getMetadata() {
+        return this.cachedState?.metadata;
+    }
+    /**
+     * Returns the raw policy definition from the last successful fetch.
+     *
+     * Useful for verification or reprocessing.
+     */
+    getRawDefinition() {
+        return this.cachedState?.rawDefinition;
+    }
+    isCacheFresh() {
+        if (!this.cachedState) {
+            return false;
+        }
+        const now = Date.now();
+        const { expiresAt } = this.cachedState.metadata;
+        if (expiresAt !== undefined) {
+            return now < expiresAt;
+        }
+        // No expiration info, check against default TTL
+        const fetchedAt = this.cachedState.metadata.fetchedAt;
+        return now < fetchedAt + this.cacheTtlMs;
+    }
+    async fetchPolicy(forceRefresh) {
+        logger$h.debug("fetching_policy", {
+            url: this.url,
+            method: this.method,
+            forceRefresh,
+        });
+        const requestHeaders = {
+            Accept: "application/json, application/yaml, text/yaml, */*",
+            ...this.headers,
+        };
+        // Add bearer token if token provider is configured
+        if (this.tokenProvider) {
+            try {
+                const token = await this.tokenProvider.getToken();
+                if (token && token.value) {
+                    requestHeaders["Authorization"] = `${this.bearerPrefix}${token.value}`;
+                    logger$h.debug("added_bearer_token", { url: this.url });
+                }
+            }
+            catch (error) {
+                logger$h.warning("token_provider_failed", {
+                    url: this.url,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                // Continue without token - let the server decide if auth is required
+            }
+        }
+        // Add If-None-Match header for conditional request if we have a cached ETag
+        // and this is not a forced refresh
+        if (!forceRefresh && this.cachedState?.metadata.etag) {
+            requestHeaders["If-None-Match"] = this.cachedState.metadata.etag;
+        }
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+        try {
+            const response = await fetch(this.url, {
+                method: this.method,
+                headers: requestHeaders,
+                signal: controller.signal,
+            });
+            clearTimeout(timeoutId);
+            // Handle 304 Not Modified - return cached policy
+            if (response.status === 304 && this.cachedState) {
+                logger$h.debug("policy_not_modified", {
+                    url: this.url,
+                    etag: this.cachedState.metadata.etag,
+                });
+                // Update freshness timestamps
+                const now = Date.now();
+                const cacheControl = response.headers.get("Cache-Control");
+                const maxAgeSeconds = parseMaxAge(cacheControl);
+                const expiresAt = maxAgeSeconds !== undefined
+                    ? now + maxAgeSeconds * 1000
+                    : now + this.cacheTtlMs;
+                this.cachedState = {
+                    ...this.cachedState,
+                    metadata: {
+                        ...this.cachedState.metadata,
+                        fetchedAt: now,
+                        maxAgeSeconds,
+                        expiresAt,
+                    },
+                };
+                return this.cachedState.policy;
+            }
+            if (!response.ok) {
+                const errorMessage = `HTTP ${response.status}: ${response.statusText}`;
+                logger$h.error("policy_fetch_failed", {
+                    url: this.url,
+                    status: response.status,
+                    statusText: response.statusText,
+                });
+                // If we have a cached policy, preserve it and throw
+                if (this.cachedState) {
+                    throw new Error(`Failed to fetch policy from ${this.url}: ${errorMessage}. ` +
+                        "Using last known good policy.");
+                }
+                throw new Error(`Failed to fetch policy from ${this.url}: ${errorMessage}`);
+            }
+            // Parse the response
+            const contentType = response.headers.get("Content-Type");
+            const content = await response.text();
+            const format = detectFormat(contentType, content);
+            let policyDefinition;
+            try {
+                if (format === "json") {
+                    policyDefinition = parseJson(content);
+                }
+                else {
+                    policyDefinition = parseYamlContent(content);
+                }
+            }
+            catch (parseError) {
+                const message = parseError instanceof Error
+                    ? parseError.message
+                    : String(parseError);
+                logger$h.error("policy_parse_failed", {
+                    url: this.url,
+                    format,
+                    error: message,
+                });
+                // Preserve cached policy on parse failure
+                if (this.cachedState) {
+                    throw new Error(`Failed to parse policy from ${this.url}: ${message}. ` +
+                        "Using last known good policy.");
+                }
+                throw new Error(`Failed to parse policy from ${this.url}: ${message}`);
+            }
+            logger$h.debug("parsed_policy_definition", {
+                url: this.url,
+                format,
+                hasType: "type" in policyDefinition,
+            });
+            // Build the policy using the factory
+            const policy = await this.buildPolicy(policyDefinition);
+            // Update cache
+            const now = Date.now();
+            const etag = response.headers.get("ETag") ?? undefined;
+            const cacheControl = response.headers.get("Cache-Control");
+            const maxAgeSeconds = parseMaxAge(cacheControl);
+            const expiresAt = maxAgeSeconds !== undefined
+                ? now + maxAgeSeconds * 1000
+                : now + this.cacheTtlMs;
+            this.cachedState = {
+                policy,
+                rawDefinition: policyDefinition,
+                metadata: {
+                    url: this.url,
+                    status: response.status,
+                    etag,
+                    fetchedAt: now,
+                    maxAgeSeconds,
+                    expiresAt,
+                },
+            };
+            logger$h.info("loaded_policy_from_http", {
+                url: this.url,
+                status: response.status,
+                format,
+                etag,
+                maxAgeSeconds,
+            });
+            return policy;
+        }
+        catch (error) {
+            clearTimeout(timeoutId);
+            if (error instanceof Error && error.name === "AbortError") {
+                const timeoutError = new Error(`Request to ${this.url} timed out after ${this.timeoutMs}ms`);
+                logger$h.error("policy_fetch_timeout", {
+                    url: this.url,
+                    timeoutMs: this.timeoutMs,
+                });
+                // Preserve cached policy on timeout
+                if (this.cachedState) {
+                    throw timeoutError;
+                }
+                throw timeoutError;
+            }
+            throw error;
+        }
+    }
+    async buildPolicy(policyDefinition) {
+        // Determine the factory configuration to use
+        const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
+        // Ensure we have a type field for the factory
+        if (!("type" in factoryConfig) || typeof factoryConfig.type !== "string") {
+            logger$h.warning("policy_type_missing_defaulting_to_basic", {
+                url: this.url,
+            });
+            factoryConfig.type = "BasicAuthorizationPolicy";
+        }
+        // Build the factory config with the policy definition
+        // The response content IS the policy definition, so we extract the type
+        // and wrap the remaining content as the policyDefinition
+        const { type: definitionType, ...restOfDefinition } = policyDefinition;
+        const resolvedType = typeof definitionType === "string" && definitionType.trim().length > 0
+            ? definitionType
+            : factoryConfig.type;
+        const mergedConfig = this.policyFactoryConfig != null
+            ? { ...this.policyFactoryConfig, policyDefinition }
+            : { type: resolvedType, policyDefinition: restOfDefinition };
+        const policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
+        if (!policy) {
+            throw new Error(`Failed to create authorization policy from ${this.url}`);
+        }
+        return policy;
+    }
+}
+
+var httpAuthorizationPolicySource = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    HttpAuthorizationPolicySource: HttpAuthorizationPolicySource
+});
+
+/**
+ * Factory for creating HttpAuthorizationPolicySource instances.
+ *
+ * @packageDocumentation
+ */
+let httpModulePromise = null;
+async function getHttpModule() {
+    if (!httpModulePromise) {
+        httpModulePromise = Promise.resolve().then(function () { return httpAuthorizationPolicySource; });
+    }
+    return httpModulePromise;
+}
+function normalizeConfig$5(config) {
+    if (!config) {
+        throw new Error("HttpAuthorizationPolicySourceFactory requires a configuration with a url");
+    }
+    const candidate = config;
+    const url = candidate.url;
+    if (typeof url !== "string" || url.trim().length === 0) {
+        throw new Error("HttpAuthorizationPolicySourceConfig requires a non-empty url");
+    }
+    // Support both camelCase and snake_case
+    const method = candidate.method ?? "GET";
+    if (!["GET", "POST", "PUT"].includes(method)) {
+        throw new Error(`Invalid method "${String(method)}". Must be "GET", "POST", or "PUT"`);
+    }
+    const timeoutMs = candidate.timeout_ms ??
+        candidate.timeoutMs ??
+        30000;
+    if (typeof timeoutMs !== "number" || !Number.isFinite(timeoutMs) || timeoutMs <= 0) {
+        throw new Error("timeout_ms must be a positive number");
+    }
+    const headers = candidate.headers;
+    if (headers !== undefined && typeof headers !== "object") {
+        throw new Error("headers must be an object");
+    }
+    const tokenProviderConfig = candidate.token_provider ??
+        candidate.tokenProvider;
+    const bearerPrefix = candidate.bearer_prefix ??
+        candidate.bearerPrefix ??
+        "Bearer ";
+    const policyFactory = candidate.policy_factory ??
+        candidate.policyFactory;
+    const cacheTtlMs = candidate.cache_ttl_ms ??
+        candidate.cacheTtlMs ??
+        300000;
+    if (typeof cacheTtlMs !== "number" || !Number.isFinite(cacheTtlMs) || cacheTtlMs < 0) {
+        throw new Error("cache_ttl_ms must be a non-negative number");
+    }
+    return {
+        url: url.trim(),
+        method,
+        timeoutMs,
+        headers,
+        tokenProviderConfig,
+        bearerPrefix,
+        policyFactory,
+        cacheTtlMs,
+    };
+}
+/**
+ * Factory metadata for registration.
+ */
+const FACTORY_META$e = {
+    base: AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE,
+    key: "HttpAuthorizationPolicySource",
+};
+/**
+ * Factory for creating HttpAuthorizationPolicySource instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code (fetch operations) in browser environments where it may not work.
+ */
+class HttpAuthorizationPolicySourceFactory extends AuthorizationPolicySourceFactory {
+    constructor() {
+        super(...arguments);
+        this.type = "HttpAuthorizationPolicySource";
+    }
+    /**
+     * Creates an HttpAuthorizationPolicySource from the given configuration.
+     *
+     * @param config - Configuration specifying the policy URL and options
+     * @returns The created policy source
+     */
+    async create(config) {
+        const normalized = normalizeConfig$5(config);
+        // Create token provider if configured
+        let tokenProvider;
+        if (normalized.tokenProviderConfig) {
+            tokenProvider = await TokenProviderFactory.createTokenProvider(normalized.tokenProviderConfig);
+        }
+        const { HttpAuthorizationPolicySource } = await getHttpModule();
+        const options = {
+            url: normalized.url,
+            method: normalized.method,
+            timeoutMs: normalized.timeoutMs,
+            headers: normalized.headers,
+            tokenProvider,
+            bearerPrefix: normalized.bearerPrefix,
+            policyFactory: normalized.policyFactory,
+            cacheTtlMs: normalized.cacheTtlMs,
+        };
+        return new HttpAuthorizationPolicySource(options);
+    }
+}
+
+var httpAuthorizationPolicySourceFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    FACTORY_META: FACTORY_META$e,
+    HttpAuthorizationPolicySourceFactory: HttpAuthorizationPolicySourceFactory,
+    default: HttpAuthorizationPolicySourceFactory
+});
+
 const logger$g = getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
 const OID_ED25519 = "1.3.101.112";

package/dist/cjs/advanced-security-isomorphic.js

@@ -6,7 +6,7 @@
  */
 export { VERSION } from "./version.js";
 // Expression engine (browser-safe, uses @noble/hashes)
-export * from "./naylence/fame/expr/index.js";
+// export * from "./naylence/fame/expr/index.js";
 // Authorization policy with expression support (browser-safe)
 export * from "./naylence/fame/security/auth/index.js";
 export { validateJwkX5cCertificate, publicKeyFromX5c, } from "./naylence/fame/security/cert/util.js";

package/dist/cjs/advanced-security-isomorphic.js.map

@@ -1 +1 @@
-{"version":3,"file":"advanced-security-isomorphic.js","sourceRoot":"","sources":["../../src/advanced-security-isomorphic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,uDAAuD;AACvD,cAAc,+BAA+B,CAAC;AAE9C,8DAA8D;AAC9D,cAAc,wCAAwC,CAAC;AAEvD,OAAO,EACL,yBAAyB,EAGzB,gBAAgB,GAEjB,MAAM,uCAAuC,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,yCAAyC,CAAC;AAChF,OAAO,EACL,gBAAgB,GAEjB,MAAM,8CAA8C,CAAC;AAEtD,OAAO,EACL,eAAe,EAGf,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,oDAAoD,CAAC;AAE5D,cAAc,8CAA8C,CAAC;AAE7D,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,2CAA2C,GAE5D,MAAM,mEAAmE,CAAC;AAC3E,OAAO,EACL,oCAAoC,EACpC,YAAY,IAAI,6CAA6C,GAE9D,MAAM,qEAAqE,CAAC;AAC7E,OAAO,EACL,qBAAqB,GAGtB,MAAM,6DAA6D,CAAC;AAErE,cAAc,wCAAwC,CAAC;AAEvD,cAAc,qCAAqC,CAAC;AACpD,cAAc,kCAAkC,CAAC;AAEjD,OAAO,EACL,iCAAiC,GAElC,MAAM,kEAAkE,CAAC;AAK1E,MAAM,mBAAmB,GAAG,MAAM,CAAC,aAAa,CAA0B,CAAC;AAE3E,MAAM,WAAW,GAAG,UAAqC,CAAC;AAC1D,MAAM,qBAAqB,GAAG,4CAA4C,CAAC;AAC3E,MAAM,kBAAkB,GAAG,kCAAkC,CAAC;AAC9D,MAAM,6BAA6B,GAAG,MAAM,CAAC,GAAG,CAC9C,oCAAoC,CACrC,CAAC;AAEF,MAAM,iCAAiC,GAAG,CAAC,SAAiB,EAAW,EAAE,CACvE,SAAS,KAAK,6BAA6B;IAC3C,SAAS,KAAK,8BAA8B;IAC5C,SAAS,KAAK,oCAAoC;IAClD,SAAS,KAAK,uCAAuC;IACrD,SAAS,KAAK,gDAAgD,CAAC;AAEjE,MAAM,6BAA6B,GAAG,CAAC,SAAiB,EAAiB,EAAE;IACzE,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACnD,OAAO,GAAG,qBAAqB,GAAG,YAAY,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,OAAO,GAAG,qBAAqB,GAAG,YAAY,EAAE,CAAC;IACnD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAEF,MAAM,qBAAqB,GAAG,CAAC,KAAc,EAAW,EAAE;IACxD,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,OAAO,CACL,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC;QACtC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QACxC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAC1C,OAAO,CAAC,QAAQ,CAAC,6CAA6C,CAAC;QAC/D,OAAO,CAAC,QAAQ,CAAC,oCAAoC,CAAC;QACtD,OAAO,CAAC,QAAQ,CAAC,kCAAkC,CAAC,CACrD,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,kCAAkC,GAAG,GAAuB,EAAE;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAC1B,WAAW,EACX,kBAAkB,CACe,CAAC;IAEpC,IACE,OAAO,QAAQ,KAAK,UAAU;QAC9B,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,6BAA6B,CAAC,EACpD,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,cAAc,GAClB,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAExD,MAAM,MAAM,GAAuB,KAAK,EACtC,SAAiB,EACM,EAAE;QACzB,IAAI,iCAAiC,CAAC,SAAS,CAAC,EAAE,CAAC;YACjD,OAAO,mBAAmB,CAAC;QAC7B,CAAC;QAED,MAAM,QAAQ,GAAG,6BAA6B,CAAC,SAAS,CAAC,CAAC;QAC1D,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,OAAO,MAAM,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACnD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,cAAc,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,EAAE,CAAC;oBACrD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,cAAc,EAAE,CAAC;YACnB,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;QAED,OAAO,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,6BAA6B,EAAE,IAAI,CAAC,CAAC;IACzD,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,kBAAkB,EAAE,MAAM,CAAC,CAAC;IAErD,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,8BAA8B,GACzC,kCAAkC,EAAE,CAAC"}
+{"version":3,"file":"advanced-security-isomorphic.js","sourceRoot":"","sources":["../../src/advanced-security-isomorphic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,uDAAuD;AACvD,iDAAiD;AAEjD,8DAA8D;AAC9D,cAAc,wCAAwC,CAAC;AAEvD,OAAO,EACL,yBAAyB,EAGzB,gBAAgB,GAEjB,MAAM,uCAAuC,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,yCAAyC,CAAC;AAChF,OAAO,EACL,gBAAgB,GAEjB,MAAM,8CAA8C,CAAC;AAEtD,OAAO,EACL,eAAe,EAGf,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,oDAAoD,CAAC;AAE5D,cAAc,8CAA8C,CAAC;AAE7D,OAAO,EACL,kCAAkC,EAClC,YAAY,IAAI,2CAA2C,GAE5D,MAAM,mEAAmE,CAAC;AAC3E,OAAO,EACL,oCAAoC,EACpC,YAAY,IAAI,6CAA6C,GAE9D,MAAM,qEAAqE,CAAC;AAC7E,OAAO,EACL,qBAAqB,GAGtB,MAAM,6DAA6D,CAAC;AAErE,cAAc,wCAAwC,CAAC;AAEvD,cAAc,qCAAqC,CAAC;AACpD,cAAc,kCAAkC,CAAC;AAEjD,OAAO,EACL,iCAAiC,GAElC,MAAM,kEAAkE,CAAC;AAK1E,MAAM,mBAAmB,GAAG,MAAM,CAAC,aAAa,CAA0B,CAAC;AAE3E,MAAM,WAAW,GAAG,UAAqC,CAAC;AAC1D,MAAM,qBAAqB,GAAG,4CAA4C,CAAC;AAC3E,MAAM,kBAAkB,GAAG,kCAAkC,CAAC;AAC9D,MAAM,6BAA6B,GAAG,MAAM,CAAC,GAAG,CAC9C,oCAAoC,CACrC,CAAC;AAEF,MAAM,iCAAiC,GAAG,CAAC,SAAiB,EAAW,EAAE,CACvE,SAAS,KAAK,6BAA6B;IAC3C,SAAS,KAAK,8BAA8B;IAC5C,SAAS,KAAK,oCAAoC;IAClD,SAAS,KAAK,uCAAuC;IACrD,SAAS,KAAK,gDAAgD,CAAC;AAEjE,MAAM,6BAA6B,GAAG,CAAC,SAAiB,EAAiB,EAAE;IACzE,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACnD,OAAO,GAAG,qBAAqB,GAAG,YAAY,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,OAAO,GAAG,qBAAqB,GAAG,YAAY,EAAE,CAAC;IACnD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAEF,MAAM,qBAAqB,GAAG,CAAC,KAAc,EAAW,EAAE;IACxD,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,OAAO,CACL,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC;QACtC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QACxC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAC1C,OAAO,CAAC,QAAQ,CAAC,6CAA6C,CAAC;QAC/D,OAAO,CAAC,QAAQ,CAAC,oCAAoC,CAAC;QACtD,OAAO,CAAC,QAAQ,CAAC,kCAAkC,CAAC,CACrD,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,kCAAkC,GAAG,GAAuB,EAAE;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAC1B,WAAW,EACX,kBAAkB,CACe,CAAC;IAEpC,IACE,OAAO,QAAQ,KAAK,UAAU;QAC9B,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,6BAA6B,CAAC,EACpD,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,cAAc,GAClB,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAExD,MAAM,MAAM,GAAuB,KAAK,EACtC,SAAiB,EACM,EAAE;QACzB,IAAI,iCAAiC,CAAC,SAAS,CAAC,EAAE,CAAC;YACjD,OAAO,mBAAmB,CAAC;QAC7B,CAAC;QAED,MAAM,QAAQ,GAAG,6BAA6B,CAAC,SAAS,CAAC,CAAC;QAC1D,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,OAAO,MAAM,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACnD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,cAAc,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,EAAE,CAAC;oBACrD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,cAAc,EAAE,CAAC;YACnB,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;QAED,OAAO,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,6BAA6B,EAAE,IAAI,CAAC,CAAC;IACzD,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,kBAAkB,EAAE,MAAM,CAAC,CAAC;IAErD,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,8BAA8B,GACzC,kCAAkC,EAAE,CAAC"}