@naylence/advanced-security 0.4.5 → 0.4.7

package/dist/cjs/naylence/fame/factory-manifest.js

@@ -6,6 +6,7 @@
  */
 export const MODULES = [
     "./security/auth/policy/advanced-authorization-policy-factory.js",
+    "./security/auth/policy/http-authorization-policy-source-factory.js",
     "./security/cert/default-ca-service-factory.js",
     "./security/cert/default-certificate-manager-factory.js",
     "./security/cert/trust-store/browser-trust-store-provider-factory.js",
@@ -23,6 +24,7 @@ export const MODULES = [
 ];
 export const MODULE_LOADERS = {
     "./security/auth/policy/advanced-authorization-policy-factory.js": () => import("./security/auth/policy/advanced-authorization-policy-factory.js"),
+    "./security/auth/policy/http-authorization-policy-source-factory.js": () => import("./security/auth/policy/http-authorization-policy-source-factory.js"),
     "./security/cert/default-ca-service-factory.js": () => import("./security/cert/default-ca-service-factory.js"),
     "./security/cert/default-certificate-manager-factory.js": () => import("./security/cert/default-certificate-manager-factory.js"),
     "./security/cert/trust-store/browser-trust-store-provider-factory.js": () => import("./security/cert/trust-store/browser-trust-store-provider-factory.js"),

package/dist/cjs/naylence/fame/factory-manifest.js.map

@@ -1 +1 @@
-{"version":3,"file":"factory-manifest.js","sourceRoot":"","sources":["../../../../src/naylence/fame/factory-manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG;IACrB,iEAAiE;IACjE,+CAA+C;IAC/C,wDAAwD;IACxD,qEAAqE;IACrE,kEAAkE;IAClE,qEAAqE;IACrE,+DAA+D;IAC/D,iEAAiE;IACjE,mEAAmE;IACnE,4CAA4C;IAC5C,qDAAqD;IACrD,uDAAuD;IACvD,8DAA8D;IAC9D,wDAAwD;IACxD,+CAA+C;CACvC,CAAC;AAKX,MAAM,CAAC,MAAM,cAAc,GAAmD;IAC5E,iEAAiE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,iEAAiE,CAAC;IAClJ,+CAA+C,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+CAA+C,CAAC;IAC9G,wDAAwD,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,wDAAwD,CAAC;IAChI,qEAAqE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,qEAAqE,CAAC;IAC1J,kEAAkE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,kEAAkE,CAAC;IACpJ,qEAAqE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,qEAAqE,CAAC;IAC1J,+DAA+D,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+DAA+D,CAAC;IAC9I,iEAAiE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,iEAAiE,CAAC;IAClJ,mEAAmE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,mEAAmE,CAAC;IACtJ,4CAA4C,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,4CAA4C,CAAC;IACxG,qDAAqD,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,qDAAqD,CAAC;IAC1H,uDAAuD,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,uDAAuD,CAAC;IAC9H,8DAA8D,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,8DAA8D,CAAC;IAC5I,wDAAwD,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,wDAAwD,CAAC;IAChI,+CAA+C,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+CAA+C,CAAC;CAC/G,CAAC"}
+{"version":3,"file":"factory-manifest.js","sourceRoot":"","sources":["../../../../src/naylence/fame/factory-manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG;IACrB,iEAAiE;IACjE,oEAAoE;IACpE,+CAA+C;IAC/C,wDAAwD;IACxD,qEAAqE;IACrE,kEAAkE;IAClE,qEAAqE;IACrE,+DAA+D;IAC/D,iEAAiE;IACjE,mEAAmE;IACnE,4CAA4C;IAC5C,qDAAqD;IACrD,uDAAuD;IACvD,8DAA8D;IAC9D,wDAAwD;IACxD,+CAA+C;CACvC,CAAC;AAKX,MAAM,CAAC,MAAM,cAAc,GAAmD;IAC5E,iEAAiE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,iEAAiE,CAAC;IAClJ,oEAAoE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,oEAAoE,CAAC;IACxJ,+CAA+C,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+CAA+C,CAAC;IAC9G,wDAAwD,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,wDAAwD,CAAC;IAChI,qEAAqE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,qEAAqE,CAAC;IAC1J,kEAAkE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,kEAAkE,CAAC;IACpJ,qEAAqE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,qEAAqE,CAAC;IAC1J,+DAA+D,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+DAA+D,CAAC;IAC9I,iEAAiE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,iEAAiE,CAAC;IAClJ,mEAAmE,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,mEAAmE,CAAC;IACtJ,4CAA4C,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,4CAA4C,CAAC;IACxG,qDAAqD,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,qDAAqD,CAAC;IAC1H,uDAAuD,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,uDAAuD,CAAC;IAC9H,8DAA8D,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,8DAA8D,CAAC;IAC5I,wDAAwD,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,wDAAwD,CAAC;IAChI,+CAA+C,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+CAA+C,CAAC;CAC/G,CAAC"}

package/dist/cjs/naylence/fame/security/auth/index.js

@@ -4,4 +4,6 @@
  * @packageDocumentation
  */
 export * from "./policy/index.js";
+// Authorization profiles
+export { PROFILE_NAME_POLICY_HTTP, ENV_VAR_AUTH_POLICY_URL, ENV_VAR_AUTH_POLICY_TIMEOUT_MS, ENV_VAR_AUTH_POLICY_CACHE_TTL_MS, ENV_VAR_AUTH_POLICY_BEARER_TOKEN, } from "./policy-http-authorization-profile.js";
 //# sourceMappingURL=index.js.map

package/dist/cjs/naylence/fame/security/auth/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,mBAAmB,CAAC;AAElC,yBAAyB;AACzB,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EACvB,8BAA8B,EAC9B,gCAAgC,EAChC,gCAAgC,GACjC,MAAM,wCAAwC,CAAC"}

package/dist/cjs/naylence/fame/security/auth/policy/auth-policy-server-cli.js

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+/**
+ * Auth Policy Server CLI Entry Point
+ *
+ * Development server for serving authorization policies over HTTP.
+ * Useful for testing HttpAuthorizationPolicySource.
+ *
+ * Environment variables:
+ *   FAME_APP_HOST - Host to bind to (default: 0.0.0.0)
+ *   FAME_APP_PORT - Port to listen on (default: 8099)
+ *   FAME_POLICY_FILE - Path to policy file (YAML or JSON)
+ *   FAME_POLICY_BEARER_TOKEN - Bearer token for authentication
+ *   FAME_LOG_LEVEL - Log level (debug, info, warning, error)
+ *
+ * Usage:
+ *   npx naylence-policy-server
+ *   FAME_POLICY_FILE=./policy.yaml FAME_POLICY_BEARER_TOKEN=secret npx naylence-policy-server
+ */
+import { pathToFileURL } from "node:url";
+import { main } from "./auth-policy-server.js";
+function isDirectExecution() {
+    if (typeof process === "undefined") {
+        return false;
+    }
+    const entry = process.argv?.[1];
+    if (typeof entry !== "string" || entry.length === 0) {
+        return false;
+    }
+    const entryUrl = pathToFileURL(entry).href;
+    return import.meta.url === entryUrl;
+}
+function registerSignalHandlers() {
+    const handleShutdown = (signal) => {
+        console.log("[INFO] auth_policy_server_shutting_down", { signal });
+        process.exit(0);
+    };
+    process.on("SIGTERM", () => handleShutdown("SIGTERM"));
+    process.on("SIGINT", () => handleShutdown("SIGINT"));
+}
+if (isDirectExecution()) {
+    registerSignalHandlers();
+    main().catch((error) => {
+        console.error("Fatal error:", error);
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=auth-policy-server-cli.js.map

package/dist/cjs/naylence/fame/security/auth/policy/auth-policy-server-cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-policy-server-cli.js","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/auth-policy-server-cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAC;AAE/C,SAAS,iBAAiB;IACxB,IAAI,OAAO,OAAO,KAAK,WAAW,EAAE,CAAC;QACnC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC;IAC3C,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,QAAQ,CAAC;AACtC,CAAC;AAED,SAAS,sBAAsB;IAC7B,MAAM,cAAc,GAAG,CAAC,MAAsB,EAAE,EAAE;QAChD,OAAO,CAAC,GAAG,CAAC,yCAAyC,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC;IACvD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,IAAI,iBAAiB,EAAE,EAAE,CAAC;IACxB,sBAAsB,EAAE,CAAC;IAEzB,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;QACrB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/cjs/naylence/fame/security/auth/policy/auth-policy-server.js

@@ -0,0 +1,562 @@
+/**
+ * Auth Policy Server - Authorization Policy HTTP endpoint
+ *
+ * Provides authorization policies via HTTP using Fastify.
+ * Supports OAuth2 JWT authentication and ETag-based caching.
+ * Serves multiple policies by ID from a configurable directory.
+ * This is a development server for testing HTTP policy source functionality.
+ *
+ * Policy files should be named: policy-{policy_id}.yaml or policy-{policy_id}.json
+ * Example: policy-production.yaml, policy-dev.json
+ *
+ * Authentication:
+ * - Set FAME_OAUTH2_ISSUER to enable OAuth2 JWT validation
+ * - Optionally set FAME_OAUTH2_AUDIENCE, FAME_OAUTH2_JWKS_URL
+ * - Set FAME_OAUTH2_ALGORITHMS to customize JWT algorithms (default: RS256,ES256,EdDSA)
+ * - If no OAuth2 config provided, authentication is disabled (dev mode)
+ */
+import { createHash } from "node:crypto";
+import Fastify from "fastify";
+import { realpathSync, readFileSync, existsSync, statSync, readdirSync, watch, } from "node:fs";
+import { resolve, extname, join } from "node:path";
+import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
+// Simple console logger for policy server
+const logger = {
+    info: (event, meta) => {
+        console.log(`[INFO] ${event}`, meta || "");
+    },
+    warning: (event, meta) => {
+        console.warn(`[WARNING] ${event}`, meta || "");
+    },
+    error: (event, meta) => {
+        console.error(`[ERROR] ${event}`, meta || "");
+    },
+    debug: (event, meta) => {
+        const logLevel = (process.env.FAME_LOG_LEVEL || "info").toLowerCase();
+        if (logLevel === "debug" || logLevel === "trace") {
+            console.log(`[DEBUG] ${event}`, meta || "");
+        }
+    },
+};
+// Environment variables
+const ENV_VAR_FAME_APP_HOST = "FAME_APP_HOST";
+const ENV_VAR_FAME_APP_PORT = "FAME_APP_PORT";
+const ENV_VAR_FAME_POLICY_DIR = "FAME_POLICY_DIR";
+// OAuth2 configuration
+const ENV_VAR_OAUTH2_ISSUER = "FAME_OAUTH2_ISSUER";
+const ENV_VAR_OAUTH2_AUDIENCE = "FAME_OAUTH2_AUDIENCE";
+const ENV_VAR_OAUTH2_JWKS_URL = "FAME_OAUTH2_JWKS_URL";
+const ENV_VAR_OAUTH2_REQUIRED_SCOPES = "FAME_OAUTH2_REQUIRED_SCOPES";
+const ENV_VAR_OAUTH2_ALGORITHMS = "FAME_OAUTH2_ALGORITHMS";
+// Default algorithms for JWT verification (matches @naylence/runtime defaults)
+const DEFAULT_JWT_ALGORITHMS = ["RS256", "ES256", "EdDSA"];
+// Policy file naming pattern: policy-{id}.yaml or policy-{id}.json
+const POLICY_FILE_PATTERN = /^policy-(.+)\.(ya?ml|json)$/i;
+/**
+ * Default authorization policy for development.
+ * Allows all operations - suitable for testing only.
+ */
+const DEFAULT_POLICY = {
+    version: "1",
+    type: "AdvancedAuthorizationPolicy",
+    default_effect: "deny",
+    rules: [
+        {
+            id: "allow-all-dev",
+            effect: "allow",
+            comment: "Development policy - allows all operations",
+        },
+    ],
+};
+/**
+ * Compute ETag from content using SHA-256.
+ */
+function computeEtag(content) {
+    const hash = createHash("sha256");
+    hash.update(content, "utf-8");
+    return `"${hash.digest("hex").substring(0, 16)}"`;
+}
+/**
+ * Extract policy ID from filename.
+ * Expected format: policy-{id}.yaml or policy-{id}.json
+ */
+function extractPolicyId(filename) {
+    const match = POLICY_FILE_PATTERN.exec(filename);
+    if (!match) {
+        return null;
+    }
+    const id = match[1];
+    const ext = match[2]?.toLowerCase();
+    const format = ext === "json" ? "json" : "yaml";
+    return { id, format };
+}
+/**
+ * Load a single policy from file.
+ */
+function loadPolicyFile(filePath) {
+    try {
+        const content = readFileSync(filePath, "utf-8");
+        const ext = extname(filePath).toLowerCase();
+        let policy;
+        if (ext === ".json") {
+            policy = JSON.parse(content);
+        }
+        else {
+            policy = parseYaml(content);
+        }
+        const stats = statSync(filePath);
+        const format = ext === ".json" ? "json" : "yaml";
+        return {
+            policy,
+            policyContent: content,
+            etag: computeEtag(content),
+            lastModified: stats.mtime,
+            filePath,
+            format,
+        };
+    }
+    catch (error) {
+        logger.error("policy_file_load_error", {
+            path: filePath,
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return null;
+    }
+}
+/**
+ * Load all policies from a directory.
+ */
+function loadPoliciesFromDir(dirPath) {
+    const policies = new Map();
+    if (!existsSync(dirPath)) {
+        logger.warning("policy_directory_not_found", { path: dirPath });
+        return policies;
+    }
+    const files = readdirSync(dirPath);
+    for (const filename of files) {
+        const parsed = extractPolicyId(filename);
+        if (!parsed) {
+            continue;
+        }
+        const filePath = join(dirPath, filename);
+        const entry = loadPolicyFile(filePath);
+        if (entry) {
+            policies.set(parsed.id, {
+                id: parsed.id,
+                ...entry,
+            });
+            logger.info("policy_loaded", { id: parsed.id, path: filePath });
+        }
+    }
+    return policies;
+}
+/**
+ * Create default policy entry.
+ */
+function createDefaultPolicyEntry() {
+    const content = JSON.stringify(DEFAULT_POLICY, null, 2);
+    return {
+        id: "default",
+        policy: DEFAULT_POLICY,
+        policyContent: content,
+        etag: computeEtag(content),
+        lastModified: new Date(),
+        filePath: "(built-in)",
+        format: "json",
+    };
+}
+/**
+ * Create an OAuth2 token verifier from environment configuration.
+ */
+async function createTokenVerifier() {
+    const issuer = process.env[ENV_VAR_OAUTH2_ISSUER];
+    if (!issuer) {
+        return null;
+    }
+    try {
+        // Dynamically import the token verifier factory from @naylence/runtime
+        const { TokenVerifierFactory } = await import("@naylence/runtime");
+        const jwksUrl = process.env[ENV_VAR_OAUTH2_JWKS_URL] ||
+            `${issuer.replace(/\/+$/, "")}/.well-known/jwks.json`;
+        // Parse algorithms from environment or use defaults
+        const algorithmsEnv = process.env[ENV_VAR_OAUTH2_ALGORITHMS];
+        const algorithms = algorithmsEnv
+            ? algorithmsEnv.split(",").map((a) => a.trim()).filter(Boolean)
+            : DEFAULT_JWT_ALGORITHMS;
+        const config = {
+            type: "JWKSJWTTokenVerifier",
+            issuer,
+            jwks_url: jwksUrl,
+            algorithms,
+        };
+        const audience = process.env[ENV_VAR_OAUTH2_AUDIENCE];
+        if (audience) {
+            config.audience = audience;
+        }
+        const verifier = await TokenVerifierFactory.createTokenVerifier(config);
+        logger.info("oauth2_token_verifier_created", { issuer, jwksUrl });
+        return verifier;
+    }
+    catch (error) {
+        logger.error("failed_to_create_token_verifier", {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return null;
+    }
+}
+/**
+ * Authenticate request using OAuth2 JWT verification.
+ */
+async function authenticateRequest(request, tokenVerifier) {
+    if (!tokenVerifier) {
+        // No auth required (dev mode)
+        return { authenticated: true };
+    }
+    const authHeader = request.headers.authorization;
+    if (!authHeader) {
+        return { authenticated: false, error: "Missing Authorization header" };
+    }
+    const parts = authHeader.split(" ");
+    if (parts.length !== 2 || parts[0]?.toLowerCase() !== "bearer") {
+        return { authenticated: false, error: "Invalid Authorization header format" };
+    }
+    const token = parts[1];
+    if (!token) {
+        return { authenticated: false, error: "Missing bearer token" };
+    }
+    try {
+        const claims = await tokenVerifier.verify(token);
+        // Check required scopes if configured
+        const requiredScopesEnv = process.env[ENV_VAR_OAUTH2_REQUIRED_SCOPES];
+        if (requiredScopesEnv) {
+            const requiredScopes = requiredScopesEnv.split(",").map((s) => s.trim());
+            const tokenScopes = typeof claims.scope === "string"
+                ? claims.scope.split(" ")
+                : Array.isArray(claims.scp)
+                    ? claims.scp
+                    : [];
+            const hasAllScopes = requiredScopes.every((required) => tokenScopes.includes(required));
+            if (!hasAllScopes) {
+                return {
+                    authenticated: false,
+                    error: `Missing required scopes: ${requiredScopes.join(", ")}`,
+                };
+            }
+        }
+        logger.debug("jwt_token_verified", { sub: claims.sub });
+        return { authenticated: true, claims };
+    }
+    catch (error) {
+        logger.warning("jwt_verification_failed", {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return {
+            authenticated: false,
+            error: error instanceof Error ? error.message : "Token verification failed",
+        };
+    }
+}
+/**
+ * Create policy router with authorization policy endpoints.
+ * Supports fetching policies by ID from: /fame/v1/auth-policies/:policyId
+ */
+function createPolicyRouter(fastify, state, tokenVerifier, prefix = "/fame/v1") {
+    const policiesPath = `${prefix}/auth-policies`;
+    // List all available policies
+    fastify.get(policiesPath, async (request, reply) => {
+        const authResult = await authenticateRequest(request, tokenVerifier);
+        if (!authResult.authenticated) {
+            logger.warning("authentication_failed", { error: authResult.error });
+            return reply.status(401).send({
+                error: "unauthorized",
+                message: authResult.error,
+            });
+        }
+        const policyList = Array.from(state.policies.values()).map((entry) => ({
+            id: entry.id,
+            lastModified: entry.lastModified.toISOString(),
+            format: entry.format,
+        }));
+        return reply
+            .header("Content-Type", "application/json")
+            .send({ policies: policyList });
+    });
+    // Get policy by ID (auto-detect format based on Accept header or original format)
+    fastify.get(`${policiesPath}/:policyId`, async (request, reply) => {
+        const authResult = await authenticateRequest(request, tokenVerifier);
+        if (!authResult.authenticated) {
+            logger.warning("authentication_failed", { error: authResult.error });
+            return reply.status(401).send({
+                error: "unauthorized",
+                message: authResult.error,
+            });
+        }
+        const { policyId } = request.params;
+        const entry = state.policies.get(policyId);
+        if (!entry) {
+            logger.warning("policy_not_found", { policyId });
+            return reply.status(404).send({
+                error: "not_found",
+                message: `Policy '${policyId}' not found`,
+                availablePolicies: Array.from(state.policies.keys()),
+            });
+        }
+        // Check ETag for conditional request
+        const ifNoneMatch = request.headers["if-none-match"];
+        if (ifNoneMatch && ifNoneMatch === entry.etag) {
+            logger.debug("returning_304_not_modified", { policyId, etag: entry.etag });
+            return reply
+                .status(304)
+                .header("ETag", entry.etag)
+                .header("Cache-Control", "public, max-age=60, stale-while-revalidate=300")
+                .send();
+        }
+        logger.debug("serving_policy", {
+            policyId,
+            etag: entry.etag,
+            lastModified: entry.lastModified.toISOString(),
+        });
+        // Determine content type based on Accept header or original format
+        const acceptHeader = request.headers.accept || "";
+        const isYamlRequest = acceptHeader.includes("yaml") || acceptHeader.includes("text/plain");
+        let contentType;
+        let responseBody;
+        if (isYamlRequest || entry.format === "yaml") {
+            contentType = "application/yaml";
+            responseBody =
+                entry.format === "yaml"
+                    ? entry.policyContent
+                    : stringifyYaml(entry.policy);
+        }
+        else {
+            contentType = "application/json";
+            responseBody = JSON.stringify(entry.policy, null, 2);
+        }
+        return reply
+            .header("Content-Type", contentType)
+            .header("ETag", entry.etag)
+            .header("Last-Modified", entry.lastModified.toUTCString())
+            .header("Cache-Control", "public, max-age=60, stale-while-revalidate=300")
+            .send(responseBody);
+    });
+    // Get policy by ID as YAML
+    fastify.get(`${policiesPath}/:policyId.yaml`, async (request, reply) => {
+        const authResult = await authenticateRequest(request, tokenVerifier);
+        if (!authResult.authenticated) {
+            return reply.status(401).send({
+                error: "unauthorized",
+                message: authResult.error,
+            });
+        }
+        const { policyId } = request.params;
+        const entry = state.policies.get(policyId);
+        if (!entry) {
+            return reply.status(404).send({
+                error: "not_found",
+                message: `Policy '${policyId}' not found`,
+            });
+        }
+        const ifNoneMatch = request.headers["if-none-match"];
+        if (ifNoneMatch && ifNoneMatch === entry.etag) {
+            return reply
+                .status(304)
+                .header("ETag", entry.etag)
+                .header("Cache-Control", "public, max-age=60, stale-while-revalidate=300")
+                .send();
+        }
+        const yamlContent = entry.format === "yaml" ? entry.policyContent : stringifyYaml(entry.policy);
+        return reply
+            .header("Content-Type", "application/yaml")
+            .header("ETag", entry.etag)
+            .header("Last-Modified", entry.lastModified.toUTCString())
+            .header("Cache-Control", "public, max-age=60, stale-while-revalidate=300")
+            .send(yamlContent);
+    });
+    // Get policy by ID as JSON
+    fastify.get(`${policiesPath}/:policyId.json`, async (request, reply) => {
+        const authResult = await authenticateRequest(request, tokenVerifier);
+        if (!authResult.authenticated) {
+            return reply.status(401).send({
+                error: "unauthorized",
+                message: authResult.error,
+            });
+        }
+        const { policyId } = request.params;
+        const entry = state.policies.get(policyId);
+        if (!entry) {
+            return reply.status(404).send({
+                error: "not_found",
+                message: `Policy '${policyId}' not found`,
+            });
+        }
+        const ifNoneMatch = request.headers["if-none-match"];
+        if (ifNoneMatch && ifNoneMatch === entry.etag) {
+            return reply
+                .status(304)
+                .header("ETag", entry.etag)
+                .header("Cache-Control", "public, max-age=60, stale-while-revalidate=300")
+                .send();
+        }
+        return reply
+            .header("Content-Type", "application/json")
+            .header("ETag", entry.etag)
+            .header("Last-Modified", entry.lastModified.toUTCString())
+            .header("Cache-Control", "public, max-age=60, stale-while-revalidate=300")
+            .send(entry.policy);
+    });
+    // Health check
+    fastify.get("/health", async () => {
+        return {
+            status: "healthy",
+            service: "auth-policy-server",
+            policyDirectory: state.policyDir || "(using defaults)",
+            policyCount: state.policies.size,
+            policies: Array.from(state.policies.keys()),
+        };
+    });
+}
+/**
+ * Create Fastify application with policy server.
+ */
+async function createApp() {
+    const fastify = Fastify({
+        logger: false,
+    });
+    // Load policies from directory or use default
+    const policyDir = process.env[ENV_VAR_FAME_POLICY_DIR];
+    const state = {
+        policyDir,
+        policies: new Map(),
+    };
+    if (policyDir && existsSync(policyDir)) {
+        state.policies = loadPoliciesFromDir(policyDir);
+        // Watch directory for changes
+        watch(policyDir, (eventType, filename) => {
+            if (!filename)
+                return;
+            const parsed = extractPolicyId(filename);
+            if (!parsed)
+                return;
+            const filePath = join(policyDir, filename);
+            if (eventType === "rename") {
+                // File added or removed
+                if (existsSync(filePath)) {
+                    const entry = loadPolicyFile(filePath);
+                    if (entry) {
+                        state.policies.set(parsed.id, { id: parsed.id, ...entry });
+                        logger.info("policy_added", { id: parsed.id, path: filePath });
+                    }
+                }
+                else {
+                    state.policies.delete(parsed.id);
+                    logger.info("policy_removed", { id: parsed.id });
+                }
+            }
+            else if (eventType === "change") {
+                // File modified
+                const entry = loadPolicyFile(filePath);
+                if (entry) {
+                    state.policies.set(parsed.id, { id: parsed.id, ...entry });
+                    logger.info("policy_reloaded", { id: parsed.id, path: filePath });
+                }
+            }
+        });
+        logger.info("watching_policy_directory", { path: policyDir });
+    }
+    // Always add a default policy
+    if (state.policies.size === 0) {
+        state.policies.set("default", createDefaultPolicyEntry());
+        logger.info("using_default_policy", {
+            reason: policyDir ? "no_policies_found_in_directory" : "no_directory_specified",
+        });
+    }
+    // Create OAuth2 token verifier if configured
+    const tokenVerifier = await createTokenVerifier();
+    // Register policy router
+    createPolicyRouter(fastify, state, tokenVerifier);
+    if (tokenVerifier) {
+        logger.info("oauth2_jwt_auth_enabled", {
+            issuer: process.env[ENV_VAR_OAUTH2_ISSUER],
+        });
+    }
+    else {
+        logger.warning("auth_disabled", {
+            message: "Set FAME_OAUTH2_ISSUER to enable OAuth2 JWT authentication",
+        });
+    }
+    return { app: fastify, state };
+}
+async function main() {
+    try {
+        const { app, state } = await createApp();
+        const host = process.env[ENV_VAR_FAME_APP_HOST] || "0.0.0.0";
+        const port = parseInt(process.env[ENV_VAR_FAME_APP_PORT] || "8099", 10);
+        await app.listen({ host, port });
+        const issuer = process.env[ENV_VAR_OAUTH2_ISSUER];
+        logger.info("auth_policy_server_started", { host, port });
+        console.log(`\n📍 Auth Policy Server listening on http://${host}:${port}`);
+        console.log(`📋 List policies: http://${host}:${port}/fame/v1/auth-policies`);
+        console.log(`📋 Get policy: http://${host}:${port}/fame/v1/auth-policies/{policy_id}`);
+        console.log(`📋 Get as YAML: http://${host}:${port}/fame/v1/auth-policies/{policy_id}.yaml`);
+        console.log(`📋 Get as JSON: http://${host}:${port}/fame/v1/auth-policies/{policy_id}.json`);
+        console.log(`🔍 Health check: http://${host}:${port}/health`);
+        if (state.policyDir) {
+            console.log(`📁 Serving policies from: ${state.policyDir}`);
+            console.log(`📁 Policy files should be named: policy-{id}.yaml or policy-{id}.json`);
+        }
+        else {
+            console.log(`⚠️  No policy directory set (set FAME_POLICY_DIR to serve custom policies)`);
+        }
+        console.log(`📊 Loaded ${state.policies.size} policy(ies): ${Array.from(state.policies.keys()).join(", ")}`);
+        if (issuer) {
+            console.log(`🔐 OAuth2 JWT authentication enabled (issuer: ${issuer})`);
+        }
+        else {
+            console.log(`⚠️  No authentication (set FAME_OAUTH2_ISSUER to enable)`);
+        }
+        console.log("");
+    }
+    catch (error) {
+        logger.error("auth_policy_server_startup_failed", {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        process.exit(1);
+    }
+}
+export { createApp, main, loadPoliciesFromDir, loadPolicyFile, extractPolicyId, computeEtag, DEFAULT_POLICY, };
+const isTopLevelInvocation = (() => {
+    if (typeof process === "undefined") {
+        return false;
+    }
+    const entry = process.argv[1] ?? null;
+    if (!entry) {
+        return false;
+    }
+    try {
+        const entryPath = resolveToRealPath(entry);
+        if (!entryPath) {
+            return false;
+        }
+        return /(?:^|[\\/])auth-policy-server\.js$/u.test(entryPath);
+    }
+    catch {
+        return false;
+    }
+})();
+if (isTopLevelInvocation) {
+    void main();
+}
+function resolveToRealPath(pathLike) {
+    try {
+        return realpathSync(pathLike);
+    }
+    catch {
+        try {
+            return realpathSync.native?.(pathLike) ?? resolve(pathLike);
+        }
+        catch {
+            return resolve(pathLike);
+        }
+    }
+}
+//# sourceMappingURL=auth-policy-server.js.map