@naylence/runtime 0.3.21 → 0.4.0

package/dist/cjs/naylence/fame/factory-manifest.js

@@ -65,6 +65,7 @@ exports.MODULES = [
     "./placement/static-node-placement-strategy-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
+    "./security/auth/default-policy-authorizer-factory.js",
     "./security/auth/jwks-jwt-token-verifier-factory.js",
     "./security/auth/jwt-token-issuer-factory.js",
     "./security/auth/jwt-token-verifier-factory.js",
@@ -76,6 +77,8 @@ exports.MODULES = [
     "./security/auth/oauth2-authorizer-factory.js",
     "./security/auth/oauth2-client-credentials-token-provider-factory.js",
     "./security/auth/oauth2-pkce-token-provider-factory.js",
+    "./security/auth/policy/basic-authorization-policy-factory.js",
+    "./security/auth/policy/local-file-authorization-policy-source-factory.js",
     "./security/auth/query-param-auth-injection-strategy-factory.js",
     "./security/auth/shared-secret-authorizer-factory.js",
     "./security/auth/shared-secret-token-provider-factory.js",
@@ -144,6 +147,7 @@ exports.MODULE_LOADERS = {
     "./placement/static-node-placement-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./placement/static-node-placement-strategy-factory.js"))),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/bearer-token-header-auth-injection-strategy-factory.js"))),
     "./security/auth/default-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/default-authorizer-factory.js"))),
+    "./security/auth/default-policy-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/default-policy-authorizer-factory.js"))),
     "./security/auth/jwks-jwt-token-verifier-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/jwks-jwt-token-verifier-factory.js"))),
     "./security/auth/jwt-token-issuer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/jwt-token-issuer-factory.js"))),
     "./security/auth/jwt-token-verifier-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/jwt-token-verifier-factory.js"))),
@@ -155,6 +159,8 @@ exports.MODULE_LOADERS = {
     "./security/auth/oauth2-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/oauth2-authorizer-factory.js"))),
     "./security/auth/oauth2-client-credentials-token-provider-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/oauth2-client-credentials-token-provider-factory.js"))),
     "./security/auth/oauth2-pkce-token-provider-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/oauth2-pkce-token-provider-factory.js"))),
+    "./security/auth/policy/basic-authorization-policy-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/policy/basic-authorization-policy-factory.js"))),
+    "./security/auth/policy/local-file-authorization-policy-source-factory.js": () => Promise.resolve().then(() => __importStar(require(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/policy/local-file-authorization-policy-source-factory.js"))),
     "./security/auth/query-param-auth-injection-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/query-param-auth-injection-strategy-factory.js"))),
     "./security/auth/shared-secret-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/shared-secret-authorizer-factory.js"))),
     "./security/auth/shared-secret-token-provider-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/shared-secret-token-provider-factory.js"))),

package/dist/cjs/naylence/fame/node/node-event-listener.js

@@ -48,6 +48,10 @@ class BaseNodeEventListener {
         // Default implementation passes envelope through unchanged
         return envelope;
     }
+    async onRoutingActionSelected(_node, _envelope, selected, _state, _context) {
+        // Default implementation returns the selected action unchanged
+        return selected;
+    }
     async onForwardUpstream(_node, envelope, _context) {
         // Default implementation passes envelope through unchanged
         return envelope;

package/dist/cjs/naylence/fame/security/auth/default-policy-authorizer-factory.js

@@ -0,0 +1,147 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultPolicyAuthorizerFactory = exports.FACTORY_META = void 0;
+const lazy_import_js_1 = require("../../util/lazy-import.js");
+const authorizer_factory_js_1 = require("./authorizer-factory.js");
+const token_verifier_factory_js_1 = require("./token-verifier-factory.js");
+const authorization_policy_source_factory_js_1 = require("./policy/authorization-policy-source-factory.js");
+const authorization_policy_factory_js_1 = require("./policy/authorization-policy-factory.js");
+let defaultPolicyAuthorizerModulePromise = null;
+async function getDefaultPolicyAuthorizerModule() {
+    if (!defaultPolicyAuthorizerModulePromise) {
+        defaultPolicyAuthorizerModulePromise = (0, lazy_import_js_1.safeImport)(() => Promise.resolve().then(() => __importStar(require('./default-policy-authorizer.js'))), 'default-policy-authorizer');
+    }
+    return defaultPolicyAuthorizerModulePromise;
+}
+function normalizeConfig(config) {
+    if (!config) {
+        return {};
+    }
+    const candidate = config;
+    const verifierConfig = candidate.verifier ?? null;
+    if (verifierConfig && typeof verifierConfig !== 'object') {
+        throw new Error('PolicyAuthorizer verifier configuration must be an object');
+    }
+    const policyConfig = candidate.policy ?? null;
+    if (policyConfig && typeof policyConfig !== 'object') {
+        throw new Error('PolicyAuthorizer policy configuration must be an object');
+    }
+    const policySourceConfig = candidate.policySource ?? candidate.policy_source ?? null;
+    if (policySourceConfig && typeof policySourceConfig !== 'object') {
+        throw new Error('PolicyAuthorizer policySource configuration must be an object');
+    }
+    return {
+        verifier: verifierConfig,
+        policy: policyConfig,
+        policySource: policySourceConfig,
+    };
+}
+function isTokenVerifier(candidate) {
+    return Boolean(candidate && typeof candidate.verify === 'function');
+}
+function isAuthorizationPolicy(candidate) {
+    return Boolean(candidate &&
+        typeof candidate.evaluateRequest === 'function');
+}
+function isAuthorizationPolicySource(candidate) {
+    return Boolean(candidate &&
+        typeof candidate.loadPolicy === 'function');
+}
+/**
+ * Factory metadata for registration.
+ */
+exports.FACTORY_META = {
+    base: authorizer_factory_js_1.AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'PolicyAuthorizer',
+};
+/**
+ * Factory for creating DefaultPolicyAuthorizer instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code in browser environments.
+ */
+class DefaultPolicyAuthorizerFactory extends authorizer_factory_js_1.AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'PolicyAuthorizer';
+        this.isDefault = true;
+    }
+    /**
+     * Creates a DefaultPolicyAuthorizer from the given configuration.
+     *
+     * @param config - Configuration for the authorizer
+     * @param factoryArgs - Additional factory arguments:
+     *   - TokenVerifier instance
+     *   - AuthorizationPolicy instance
+     *   - AuthorizationPolicySource instance
+     * @returns The created authorizer
+     */
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig(config);
+        // Resolve token verifier
+        let tokenVerifier = factoryArgs.find(isTokenVerifier);
+        if (!tokenVerifier && normalized.verifier) {
+            tokenVerifier = await token_verifier_factory_js_1.TokenVerifierFactory.createTokenVerifier(normalized.verifier);
+        }
+        if (!tokenVerifier) {
+            throw new Error('PolicyAuthorizer requires a verifier configuration or instance');
+        }
+        // Resolve policy or policy source
+        let policy = factoryArgs.find(isAuthorizationPolicy);
+        let policySource = factoryArgs.find(isAuthorizationPolicySource);
+        // Create policy from config if not provided as argument
+        if (!policy && normalized.policy) {
+            policy = await authorization_policy_factory_js_1.AuthorizationPolicyFactory.createAuthorizationPolicy(normalized.policy);
+        }
+        // Create policy source from config if not provided as argument
+        if (!policySource && normalized.policySource) {
+            policySource =
+                await authorization_policy_source_factory_js_1.AuthorizationPolicySourceFactory.createAuthorizationPolicySource(normalized.policySource);
+        }
+        // Validate that we have either policy or policy source
+        if (!policy && !policySource) {
+            throw new Error('PolicyAuthorizer requires either a policy or policySource configuration');
+        }
+        const { DefaultPolicyAuthorizer } = await getDefaultPolicyAuthorizerModule();
+        return new DefaultPolicyAuthorizer({
+            tokenVerifier,
+            policy,
+            policySource,
+        });
+    }
+}
+exports.DefaultPolicyAuthorizerFactory = DefaultPolicyAuthorizerFactory;
+exports.default = DefaultPolicyAuthorizerFactory;

package/dist/cjs/naylence/fame/security/auth/default-policy-authorizer.js

@@ -0,0 +1,291 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultPolicyAuthorizer = void 0;
+const core_1 = require("@naylence/core");
+const logging_js_1 = require("../../util/logging.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.security.auth.default_policy_authorizer');
+function decodeCredentials(credentials) {
+    if (typeof TextDecoder !== 'undefined') {
+        return new TextDecoder().decode(credentials);
+    }
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(credentials).toString('utf-8');
+    }
+    throw new Error('Unable to decode credential bytes without TextDecoder support');
+}
+function normalizeToken(credentials) {
+    const raw = typeof credentials === 'string'
+        ? credentials
+        : decodeCredentials(credentials);
+    const trimmed = raw.trim();
+    if (trimmed.length === 0) {
+        return undefined;
+    }
+    if (trimmed.toLowerCase().startsWith('bearer ')) {
+        const candidate = trimmed.slice(7).trim();
+        return candidate.length > 0 ? candidate : undefined;
+    }
+    return trimmed;
+}
+function normalizeOptions(options) {
+    if (options === undefined || options === null) {
+        return {};
+    }
+    if (typeof options !== 'object') {
+        throw new TypeError('DefaultPolicyAuthorizer options must be an object');
+    }
+    const candidate = options;
+    return {
+        tokenVerifier: candidate.tokenVerifier ?? candidate.token_verifier,
+        policy: candidate.policy,
+        policySource: candidate.policySource ?? candidate.policy_source,
+    };
+}
+/**
+ * An authorizer that delegates authorization decisions to a pluggable policy.
+ *
+ * This authorizer combines token-based authentication with policy-based
+ * authorization. The token verifier handles authentication (validating
+ * credentials), while the authorization policy handles authorization
+ * decisions (allow/deny based on the request context).
+ */
+class DefaultPolicyAuthorizer {
+    constructor(options = {}) {
+        this.policyLoaded = false;
+        const normalized = normalizeOptions(options);
+        if (normalized.tokenVerifier) {
+            this.tokenVerifierImpl = normalized.tokenVerifier;
+        }
+        if (normalized.policy) {
+            this.policyImpl = normalized.policy;
+            this.policyLoaded = true;
+        }
+        if (normalized.policySource) {
+            this.policySource = normalized.policySource;
+        }
+        // Validate that we have either a policy or a policy source
+        if (!normalized.policy && !normalized.policySource) {
+            throw new Error('DefaultPolicyAuthorizer requires either a policy or a policySource');
+        }
+    }
+    /**
+     * The currently active authorization policy.
+     */
+    get policy() {
+        if (!this.policyImpl) {
+            throw new Error('Authorization policy not loaded. Call ensurePolicyLoaded() first.');
+        }
+        return this.policyImpl;
+    }
+    /**
+     * The token verifier used for authentication.
+     */
+    get tokenVerifier() {
+        if (!this.tokenVerifierImpl) {
+            throw new Error('DefaultPolicyAuthorizer is not initialized properly, missing tokenVerifier');
+        }
+        return this.tokenVerifierImpl;
+    }
+    set tokenVerifier(verifier) {
+        this.tokenVerifierImpl = verifier;
+    }
+    /**
+     * Ensures the authorization policy is loaded.
+     * If using a policy source, loads the policy from it.
+     */
+    async ensurePolicyLoaded() {
+        if (this.policyLoaded && this.policyImpl) {
+            return;
+        }
+        if (!this.policySource) {
+            throw new Error('No policy source configured and no policy provided');
+        }
+        logger.debug('loading_policy_from_source');
+        this.policyImpl = await this.policySource.loadPolicy();
+        this.policyLoaded = true;
+        logger.info('policy_loaded_from_source');
+    }
+    /**
+     * Reloads the authorization policy from the policy source.
+     * Only works if a policy source was configured.
+     */
+    async reloadPolicy() {
+        if (!this.policySource) {
+            throw new Error('Cannot reload policy: no policy source configured');
+        }
+        logger.debug('reloading_policy_from_source');
+        this.policyImpl = await this.policySource.loadPolicy();
+        this.policyLoaded = true;
+        logger.info('policy_reloaded_from_source');
+    }
+    /**
+     * Authenticates credentials and returns an authorization context.
+     *
+     * @param credentials - The credentials to authenticate (token string or bytes)
+     * @returns The authorization context if authentication succeeds, undefined otherwise
+     */
+    async authenticate(credentials) {
+        const token = normalizeToken(credentials);
+        if (!token) {
+            return undefined;
+        }
+        try {
+            const verifier = this.tokenVerifier;
+            const context = await verifier.verify(token);
+            return (0, core_1.createAuthorizationContext)({
+                ...context,
+                authenticated: true,
+                authorized: false, // Authorization happens in authorize()
+                authMethod: context.authMethod ?? 'jwt',
+            });
+        }
+        catch (error) {
+            logger.warning('token_verification_failed', {
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return undefined;
+        }
+    }
+    /**
+     * Authorizes a request using the configured authorization policy.
+     *
+     * For NodeAttach frames, evaluates policy with action='Connect'.
+     * For other frames, this method performs basic authentication validation
+     * but does NOT infer send/receive actions. Route-level authorization
+     * is handled separately via authorizeRoute().
+     *
+     * @param node - The node handling the request
+     * @param envelope - The FAME envelope being authorized
+     * @param context - Optional delivery context
+     * @returns The authorization context if authorized, undefined if denied
+     */
+    async authorize(node, envelope, context) {
+        const authorization = context?.security?.authorization;
+        // Must be authenticated first
+        if (!authorization || !authorization.authenticated) {
+            logger.debug('authorization_denied_not_authenticated');
+            return undefined;
+        }
+        // Ensure policy is loaded
+        await this.ensurePolicyLoaded();
+        // For NodeAttach frames, evaluate policy with 'Connect' action
+        const frameType = envelope.frame?.type;
+        if (frameType === 'NodeAttach') {
+            let decision;
+            try {
+                decision = await this.policy.evaluateRequest(node, envelope, context, 'Connect');
+            }
+            catch (error) {
+                logger.error('policy_evaluation_failed', {
+                    error: error instanceof Error ? error.message : String(error),
+                    action: 'Connect',
+                });
+                return undefined;
+            }
+            if (decision.effect === 'allow') {
+                logger.debug('authorization_allowed', {
+                    matchedRule: decision.matchedRule,
+                    reason: decision.reason,
+                    action: 'Connect',
+                });
+                return (0, core_1.createAuthorizationContext)({
+                    ...authorization,
+                    authorized: true,
+                    authMethod: authorization.authMethod ?? 'policy',
+                });
+            }
+            else {
+                logger.debug('authorization_denied', {
+                    matchedRule: decision.matchedRule,
+                    reason: decision.reason,
+                    action: 'Connect',
+                });
+                return undefined;
+            }
+        }
+        // For non-NodeAttach frames, authentication is sufficient at this stage.
+        // Route-level authorization is performed via authorizeRoute() after
+        // the routing decision is made.
+        logger.debug('authorization_passed_authentication_only', {
+            envp_id: envelope.id,
+            frame_type: frameType,
+        });
+        return (0, core_1.createAuthorizationContext)({
+            ...authorization,
+            authorized: true,
+            authMethod: authorization.authMethod ?? 'policy',
+        });
+    }
+    /**
+     * Authorizes a routing action after the routing decision has been made.
+     *
+     * This method evaluates the authorization policy with the explicitly
+     * provided action token (ForwardUpstream, ForwardDownstream, ForwardPeer,
+     * DeliverLocal).
+     *
+     * @param node - The node handling the request
+     * @param envelope - The FAME envelope being routed
+     * @param action - The authorization action token from the routing decision
+     * @param context - Optional delivery context
+     * @returns RouteAuthorizationResult with authorization decision
+     */
+    async authorizeRoute(node, envelope, action, context) {
+        const authorization = context?.security?.authorization;
+        // If not authenticated, deny route authorization
+        if (!authorization || !authorization.authenticated) {
+            logger.debug('route_authorization_denied_not_authenticated', {
+                action,
+            });
+            return {
+                authorized: false,
+                denialReason: 'not_authenticated',
+            };
+        }
+        // Ensure policy is loaded
+        await this.ensurePolicyLoaded();
+        // Evaluate the policy with the provided action
+        let decision;
+        try {
+            decision = await this.policy.evaluateRequest(node, envelope, context, action);
+        }
+        catch (error) {
+            logger.error('route_policy_evaluation_failed', {
+                error: error instanceof Error ? error.message : String(error),
+                action,
+            });
+            return {
+                authorized: false,
+                denialReason: 'policy_evaluation_error',
+            };
+        }
+        if (decision.effect === 'allow') {
+            logger.debug('route_authorization_allowed', {
+                matchedRule: decision.matchedRule,
+                reason: decision.reason,
+                action,
+            });
+            return {
+                authorized: true,
+                authContext: (0, core_1.createAuthorizationContext)({
+                    ...authorization,
+                    authorized: true,
+                    authMethod: authorization.authMethod ?? 'policy',
+                }),
+                matchedRule: decision.matchedRule,
+            };
+        }
+        else {
+            logger.debug('route_authorization_denied', {
+                matchedRule: decision.matchedRule,
+                reason: decision.reason,
+                action,
+            });
+            return {
+                authorized: false,
+                denialReason: decision.reason ?? 'policy_denied',
+                matchedRule: decision.matchedRule,
+            };
+        }
+    }
+}
+exports.DefaultPolicyAuthorizer = DefaultPolicyAuthorizer;

package/dist/cjs/naylence/fame/security/auth/oauth2-authorizer-factory.js

@@ -87,6 +87,7 @@ class OAuth2AuthorizerFactory extends authorizer_factory_js_1.AuthorizerFactory
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
             enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
+            trustedClientScope: normalized.trustedClientScope,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -157,6 +158,11 @@ function normalizeConfig(config) {
             : ttl_constants_js_1.DEFAULT_REVERSE_AUTH_TTL_SEC;
     const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
         source.enforce_token_subject_node_identity, false);
+    const trustedClientScope = typeof source.trustedClientScope === 'string'
+        ? source.trustedClientScope
+        : typeof source.trusted_client_scope === 'string'
+            ? source.trusted_client_scope
+            : undefined;
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -177,6 +183,7 @@ function normalizeConfig(config) {
         reverseAuthTtlSec: reverseAuthCandidate,
         enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
+        ...(trustedClientScope ? { trustedClientScope } : {}),
     };
     if (tokenIssuerConfig) {
         normalized.tokenIssuerConfig = tokenIssuerConfig;

package/dist/cjs/naylence/fame/security/auth/oauth2-authorizer.js

@@ -41,6 +41,10 @@ function normalizeOptions(raw) {
         (typeof snake.enforce_token_subject_node_identity === 'boolean'
             ? snake.enforce_token_subject_node_identity
             : undefined);
+    const trustedClientScope = camel.trustedClientScope ??
+        (typeof snake.trusted_client_scope === 'string'
+            ? snake.trusted_client_scope
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -51,6 +55,7 @@ function normalizeOptions(raw) {
         maxTtlSec,
         reverseAuthTtlSec,
         enforceTokenSubjectNodeIdentity,
+        trustedClientScope,
     };
 }
 class OAuth2Authorizer {
@@ -66,6 +71,7 @@ class OAuth2Authorizer {
             options.reverseAuthTtlSec ?? ttl_constants_js_1.DEFAULT_REVERSE_AUTH_TTL_SEC;
         this.enforceTokenSubjectNodeIdentity =
             options.enforceTokenSubjectNodeIdentity ?? false;
+        this.trustedClientScope = options.trustedClientScope ?? 'node.trusted';
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -195,11 +201,20 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
-        // Enforce token subject node identity if enabled
+        // Enforce token subject node identity if enabled and not a trusted client
         if (this.enforceTokenSubjectNodeIdentity) {
-            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
-            if (!validationResult) {
-                return undefined;
+            const isTrustedClient = scopes.has(this.trustedClientScope);
+            if (isTrustedClient) {
+                logger.debug('oauth2_attach_trusted_client_bypass', {
+                    system_id: frame.systemId,
+                    trusted_scope: this.trustedClientScope,
+                });
+            }
+            else {
+                const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+                if (!validationResult) {
+                    return undefined;
+                }
             }
         }
         claims.instance_id = claims.instance_id ?? frame.instanceId;

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-definition.js

@@ -0,0 +1,60 @@
+"use strict";
+/**
+ * Authorization policy definition types.
+ *
+ * This module defines the schema for authorization policies that can be
+ * loaded from YAML/JSON files and evaluated at runtime.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VALID_EFFECTS = exports.VALID_ORIGIN_TYPES = exports.VALID_ACTIONS = exports.KNOWN_RULE_FIELDS = exports.KNOWN_POLICY_FIELDS = exports.MAX_SCOPE_NESTING_DEPTH = void 0;
+/**
+ * Maximum nesting depth for scope requirements.
+ */
+exports.MAX_SCOPE_NESTING_DEPTH = 5;
+/**
+ * Known fields in AuthorizationPolicyDefinition.
+ */
+exports.KNOWN_POLICY_FIELDS = new Set([
+    'version',
+    'default_effect',
+    'rules',
+]);
+/**
+ * Known fields in AuthorizationRuleDefinition.
+ * Fields not in this set trigger a warning.
+ */
+exports.KNOWN_RULE_FIELDS = new Set([
+    'id',
+    'description',
+    'effect',
+    'action',
+    'address',
+    'frame_type',
+    'origin_type',
+    'scope',
+    'when', // Reserved for advanced-security
+]);
+/**
+ * Valid action values.
+ */
+exports.VALID_ACTIONS = [
+    'Connect',
+    'ForwardUpstream',
+    'ForwardDownstream',
+    'ForwardPeer',
+    'DeliverLocal',
+    '*',
+];
+/**
+ * Valid origin type values (lowercase, matching DeliveryOriginType string values).
+ */
+exports.VALID_ORIGIN_TYPES = [
+    'downstream',
+    'upstream',
+    'peer',
+    'local',
+];
+/**
+ * Valid effect values.
+ */
+exports.VALID_EFFECTS = ['allow', 'deny'];

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-factory.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationPolicyFactory = exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE = void 0;
+const factory_1 = require("@naylence/factory");
+/**
+ * Base type identifier for authorization policy factories.
+ */
+exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE = 'AuthorizationPolicyFactory';
+/**
+ * Abstract factory base class for creating authorization policies.
+ *
+ * Implementations of this factory create specific types of authorization
+ * policies (e.g., expression-based, rule-based, etc.).
+ */
+class AuthorizationPolicyFactory extends factory_1.AbstractResourceFactory {
+    /**
+     * Static helper to create an authorization policy using the factory registry.
+     *
+     * @param config - Configuration for the policy
+     * @param options - Resource creation options
+     * @returns The created policy, or undefined if no factory matched
+     */
+    static async createAuthorizationPolicy(config, options = {}) {
+        if (config) {
+            const policy = await (0, factory_1.createResource)(exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, config, options);
+            if (!policy) {
+                throw new Error('Failed to create authorization policy from configuration');
+            }
+            return policy;
+        }
+        const policy = await (0, factory_1.createDefaultResource)(exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, null, options);
+        return policy ?? undefined;
+    }
+}
+exports.AuthorizationPolicyFactory = AuthorizationPolicyFactory;