@naylence/runtime 0.3.21 → 0.4.0

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-source-factory.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationPolicySourceFactory = exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE = void 0;
+const factory_1 = require("@naylence/factory");
+/**
+ * Base type identifier for authorization policy source factories.
+ */
+exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE = 'AuthorizationPolicySourceFactory';
+/**
+ * Abstract factory base class for creating authorization policy sources.
+ *
+ * Implementations of this factory create specific types of policy sources
+ * (e.g., local file, remote store, in-memory, etc.).
+ */
+class AuthorizationPolicySourceFactory extends factory_1.AbstractResourceFactory {
+    /**
+     * Static helper to create an authorization policy source using the factory registry.
+     *
+     * @param config - Configuration for the policy source
+     * @param options - Resource creation options
+     * @returns The created policy source, or undefined if no factory matched
+     */
+    static async createAuthorizationPolicySource(config, options = {}) {
+        if (config) {
+            const source = await (0, factory_1.createResource)(exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, config, options);
+            if (!source) {
+                throw new Error('Failed to create authorization policy source from configuration');
+            }
+            return source;
+        }
+        const source = await (0, factory_1.createDefaultResource)(exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, null, options);
+        return source ?? undefined;
+    }
+}
+exports.AuthorizationPolicySourceFactory = AuthorizationPolicySourceFactory;

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-source.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/naylence/fame/security/auth/policy/basic-authorization-policy-factory.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Factory for creating BasicAuthorizationPolicy instances.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BasicAuthorizationPolicyFactory = exports.FACTORY_META = void 0;
+const authorization_policy_factory_js_1 = require("./authorization-policy-factory.js");
+/**
+ * Lazy import for tree-shaking.
+ */
+async function safeImportModule() {
+    return await Promise.resolve().then(() => __importStar(require('./basic-authorization-policy.js')));
+}
+function normalizeConfig(config) {
+    if (!config) {
+        throw new Error('BasicAuthorizationPolicyFactory requires a configuration with a policyDefinition');
+    }
+    const candidate = config;
+    // Support both camelCase and snake_case for policyDefinition
+    const policyDefinition = (candidate.policyDefinition ??
+        candidate.policy_definition);
+    if (!policyDefinition || typeof policyDefinition !== 'object') {
+        throw new Error('BasicAuthorizationPolicyConfig requires a policyDefinition object');
+    }
+    // Support both camelCase and snake_case for warnOnUnknownFields
+    const warnOnUnknownFields = candidate.warnOnUnknownFields ?? candidate.warn_on_unknown_fields;
+    if (warnOnUnknownFields !== undefined && typeof warnOnUnknownFields !== 'boolean') {
+        throw new Error('warnOnUnknownFields must be a boolean');
+    }
+    return {
+        policyDefinition,
+        warnOnUnknownFields: warnOnUnknownFields ?? true,
+    };
+}
+/**
+ * Factory metadata for registration.
+ */
+exports.FACTORY_META = {
+    base: authorization_policy_factory_js_1.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE,
+    key: 'BasicAuthorizationPolicy',
+};
+/**
+ * Factory for creating BasicAuthorizationPolicy instances.
+ */
+class BasicAuthorizationPolicyFactory extends authorization_policy_factory_js_1.AuthorizationPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'BasicAuthorizationPolicy';
+    }
+    /**
+     * Creates a BasicAuthorizationPolicy from the given configuration.
+     *
+     * @param config - Configuration with policyDefinition
+     * @returns The created authorization policy
+     */
+    async create(config) {
+        const normalized = normalizeConfig(config);
+        const { BasicAuthorizationPolicy } = await safeImportModule();
+        return new BasicAuthorizationPolicy({
+            policyDefinition: normalized.policyDefinition,
+            warnOnUnknownFields: normalized.warnOnUnknownFields,
+        });
+    }
+}
+exports.BasicAuthorizationPolicyFactory = BasicAuthorizationPolicyFactory;
+exports.default = BasicAuthorizationPolicyFactory;

package/dist/cjs/naylence/fame/security/auth/policy/basic-authorization-policy.js

@@ -0,0 +1,449 @@
+"use strict";
+/**
+ * Basic authorization policy implementation.
+ *
+ * Evaluates authorization rules defined in YAML/JSON policy files.
+ * Uses first-match-wins semantics with glob/regex pattern matching.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BasicAuthorizationPolicy = void 0;
+const logging_js_1 = require("../../../util/logging.js");
+const authorization_policy_definition_js_1 = require("./authorization-policy-definition.js");
+const pattern_matcher_js_1 = require("./pattern-matcher.js");
+const scope_matcher_js_1 = require("./scope-matcher.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.security.auth.policy.basic_authorization_policy');
+/**
+ * Extracts the target address string from the envelope.
+ */
+function extractAddress(envelope) {
+    const to = envelope.to;
+    if (!to) {
+        return undefined;
+    }
+    // FameAddress can be a string or object with toString()
+    if (typeof to === 'string') {
+        return to;
+    }
+    if (typeof to === 'object' && 'toString' in to) {
+        return to.toString();
+    }
+    return undefined;
+}
+/**
+ * Extracts granted scopes from the authorization context.
+ */
+function extractGrantedScopes(context) {
+    const authContext = context?.security?.authorization;
+    if (!authContext) {
+        return [];
+    }
+    // Check grantedScopes first
+    if (Array.isArray(authContext.grantedScopes)) {
+        return authContext.grantedScopes;
+    }
+    // Fall back to claims.scope if available
+    const claims = authContext.claims;
+    if (claims) {
+        const scopeClaim = claims.scope ?? claims.scopes ?? claims.scp;
+        if (typeof scopeClaim === 'string') {
+            // Space-separated scopes (OAuth2 convention)
+            return scopeClaim.split(/\s+/).filter((s) => s.length > 0);
+        }
+        if (Array.isArray(scopeClaim)) {
+            return scopeClaim.filter((s) => typeof s === 'string');
+        }
+    }
+    return [];
+}
+/**
+ * Basic authorization policy that evaluates rules from a policy definition.
+ *
+ * Features:
+ * - First-match-wins rule evaluation
+ * - Glob and regex pattern matching for addresses
+ * - Scope matching with any_of/all_of/none_of operators
+ * - Action-based filtering (connect, send, receive)
+ */
+class BasicAuthorizationPolicy {
+    constructor(options) {
+        const { policyDefinition, warnOnUnknownFields = true } = options;
+        // Validate and extract default effect
+        this.defaultEffect = this.validateDefaultEffect(policyDefinition.default_effect);
+        // Warn about unknown policy fields
+        if (warnOnUnknownFields) {
+            this.warnUnknownPolicyFields(policyDefinition);
+        }
+        // Compile rules for efficient evaluation
+        this.compiledRules = this.compileRules(policyDefinition.rules, warnOnUnknownFields);
+        logger.debug('policy_compiled', {
+            defaultEffect: this.defaultEffect,
+            ruleCount: this.compiledRules.length,
+        });
+    }
+    /**
+     * Evaluates the policy against a request with an explicitly provided action.
+     *
+     * @param _node - The node handling the request (unused in basic policy)
+     * @param envelope - The FAME envelope being authorized
+     * @param context - Optional delivery context with authorization info
+     * @param action - The authorization action token (required, no inference)
+     * @returns Authorization decision indicating allow/deny
+     */
+    async evaluateRequest(_node, envelope, context, action) {
+        // Action must be explicitly provided; default to wildcard if omitted
+        // for backward compatibility during transition
+        const resolvedAction = action ?? '*';
+        const address = extractAddress(envelope);
+        const grantedScopes = extractGrantedScopes(context);
+        const rawFrameType = envelope.frame
+            ?.type;
+        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
+            ? rawFrameType.trim().toLowerCase()
+            : '';
+        // Extract and normalize origin type for rule matching
+        const rawOriginType = context?.originType;
+        const originTypeNormalized = typeof rawOriginType === 'string' && rawOriginType.trim().length > 0
+            ? rawOriginType.trim().toLowerCase()
+            : undefined;
+        const evaluationTrace = [];
+        // Evaluate rules in order (first match wins)
+        for (const rule of this.compiledRules) {
+            const step = {
+                ruleId: rule.id,
+                result: false,
+            };
+            // Skip rules with 'when' clause (handled by advanced policy)
+            if (rule.hasWhenClause) {
+                step.expression = 'when clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                continue;
+            }
+            // Check frame type match
+            if (rule.frameTypes) {
+                if (!frameTypeNormalized) {
+                    step.expression = 'frame_type: missing';
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!rule.frameTypes.has(frameTypeNormalized)) {
+                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check origin type match (early gate for efficiency)
+            if (rule.originTypes) {
+                if (originTypeNormalized === undefined) {
+                    step.expression = 'origin_type: missing (rule requires origin)';
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!rule.originTypes.has(originTypeNormalized)) {
+                    step.expression = `origin_type: ${rawOriginType ?? 'unknown'} not in [${Array.from(rule.originTypes).join(', ')}]`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check action match
+            if (!rule.actions.has('*') && !rule.actions.has(resolvedAction)) {
+                step.expression = `action: ${resolvedAction} not in [${Array.from(rule.actions).join(', ')}]`;
+                step.result = false;
+                evaluationTrace.push(step);
+                continue;
+            }
+            // Check address match (any pattern in the list matches)
+            if (rule.addressPatterns) {
+                if (!address) {
+                    step.expression = `address: pattern requires address, but none provided`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                const matched = rule.addressPatterns.some((p) => p.match(address));
+                if (!matched) {
+                    const patterns = rule.addressPatterns.map((p) => p.source).join(', ');
+                    step.expression = `address: none of [${patterns}] matched ${address}`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check scope match
+            if (rule.scopeMatcher) {
+                if (!rule.scopeMatcher(grantedScopes)) {
+                    step.expression = `scope: requirement not satisfied`;
+                    step.boundValues = { grantedScopes: [...grantedScopes] };
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Rule matched
+            step.result = true;
+            step.expression = 'all conditions matched';
+            step.boundValues = {
+                action: resolvedAction,
+                address,
+                grantedScopes: [...grantedScopes],
+            };
+            evaluationTrace.push(step);
+            logger.debug('rule_matched', {
+                ruleId: rule.id,
+                effect: rule.effect,
+                action: resolvedAction,
+                address,
+            });
+            return {
+                effect: rule.effect,
+                reason: rule.description ?? `Matched rule: ${rule.id}`,
+                matchedRule: rule.id,
+                evaluationTrace,
+            };
+        }
+        // No rule matched, apply default effect
+        logger.debug('no_rule_matched', {
+            defaultEffect: this.defaultEffect,
+            action: resolvedAction,
+            address,
+        });
+        return {
+            effect: this.defaultEffect,
+            reason: `No rule matched, applying default effect: ${this.defaultEffect}`,
+            evaluationTrace,
+        };
+    }
+    validateDefaultEffect(effect) {
+        if (effect !== 'allow' && effect !== 'deny') {
+            throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
+        }
+        return effect;
+    }
+    warnUnknownPolicyFields(definition) {
+        for (const key of Object.keys(definition)) {
+            if (!authorization_policy_definition_js_1.KNOWN_POLICY_FIELDS.has(key)) {
+                logger.warning('unknown_policy_field', { field: key });
+            }
+        }
+    }
+    compileRules(rules, warnOnUnknown) {
+        return rules.map((rule, index) => this.compileRule(rule, index, warnOnUnknown));
+    }
+    compileRule(rule, index, warnOnUnknown) {
+        // Generate ID if not provided
+        const id = rule.id ?? `rule_${index}`;
+        // Validate effect
+        if (!authorization_policy_definition_js_1.VALID_EFFECTS.includes(rule.effect)) {
+            throw new Error(`Invalid effect in rule "${id}": "${String(rule.effect)}". Must be "allow" or "deny"`);
+        }
+        // Validate and compile action(s)
+        const actions = this.compileActions(rule.action, id);
+        // Compile address patterns (glob-only, no regex)
+        const addressPatterns = this.compileAddress(rule.address, id);
+        // Compile frame type gating
+        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Compile origin type gating
+        const originTypes = this.compileOriginTypes(rule.origin_type, id);
+        // Compile scope matcher (glob-only, no regex)
+        let scopeMatcher;
+        if (rule.scope !== undefined) {
+            try {
+                const compiled = (0, scope_matcher_js_1.compileGlobOnlyScopeRequirement)(rule.scope, id);
+                scopeMatcher = (scopes) => compiled.evaluate(scopes);
+            }
+            catch (error) {
+                throw new Error(`Invalid scope requirement in rule "${id}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // Warn about unknown fields
+        if (warnOnUnknown) {
+            for (const key of Object.keys(rule)) {
+                if (!authorization_policy_definition_js_1.KNOWN_RULE_FIELDS.has(key)) {
+                    logger.warning('unknown_rule_field', { ruleId: id, field: key });
+                }
+            }
+        }
+        return {
+            id,
+            description: rule.description,
+            effect: rule.effect,
+            actions,
+            frameTypes,
+            originTypes,
+            addressPatterns,
+            scopeMatcher,
+            hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+        };
+    }
+    /**
+     * Compiles action field into a Set of valid actions.
+     * Supports single RuleAction or array of RuleAction (implicit any-of).
+     */
+    compileActions(action, ruleId) {
+        // Default to wildcard if not specified
+        if (action === undefined) {
+            return new Set(['*']);
+        }
+        // Handle single action
+        if (typeof action === 'string') {
+            if (!authorization_policy_definition_js_1.VALID_ACTIONS.includes(action)) {
+                throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${authorization_policy_definition_js_1.VALID_ACTIONS.join(', ')}`);
+            }
+            return new Set([action]);
+        }
+        // Handle array of actions
+        if (!Array.isArray(action)) {
+            throw new Error(`Invalid action in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (action.length === 0) {
+            throw new Error(`Invalid action in rule "${ruleId}": array must not be empty`);
+        }
+        const actions = new Set();
+        for (const a of action) {
+            if (typeof a !== 'string') {
+                throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
+            }
+            if (!authorization_policy_definition_js_1.VALID_ACTIONS.includes(a)) {
+                throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${authorization_policy_definition_js_1.VALID_ACTIONS.join(', ')}`);
+            }
+            actions.add(a);
+        }
+        return actions;
+    }
+    /**
+     * Compiles address field into an array of glob matchers.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no address gating).
+     *
+     * All patterns are treated as globs - `^` prefix is rejected as an error.
+     */
+    compileAddress(address, ruleId) {
+        if (address === undefined) {
+            return undefined;
+        }
+        const context = `address in rule "${ruleId}"`;
+        // Handle single address pattern
+        if (typeof address === 'string') {
+            const trimmed = address.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid address in rule "${ruleId}": value must not be empty`);
+            }
+            try {
+                return [(0, pattern_matcher_js_1.compileGlobPattern)(trimmed, context)];
+            }
+            catch (error) {
+                throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // Handle array of address patterns
+        if (!Array.isArray(address)) {
+            throw new Error(`Invalid address in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (address.length === 0) {
+            throw new Error(`Invalid address in rule "${ruleId}": array must not be empty`);
+        }
+        const patterns = [];
+        for (const addr of address) {
+            if (typeof addr !== 'string') {
+                throw new Error(`Invalid address in rule "${ruleId}": all values must be strings`);
+            }
+            const trimmed = addr.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid address in rule "${ruleId}": values must not be empty`);
+            }
+            try {
+                patterns.push((0, pattern_matcher_js_1.compileGlobPattern)(trimmed, context));
+            }
+            catch (error) {
+                throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        return patterns;
+    }
+    /**
+     * Compiles frame_type field into a Set of normalized frame types.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no frame type gating).
+     */
+    compileFrameTypes(frameType, ruleId) {
+        if (frameType === undefined) {
+            return undefined;
+        }
+        // Handle single frame type
+        if (typeof frameType === 'string') {
+            const normalized = frameType.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
+            }
+            return new Set([normalized]);
+        }
+        // Handle array of frame types
+        if (!Array.isArray(frameType)) {
+            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (frameType.length === 0) {
+            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
+        }
+        const frameTypes = new Set();
+        for (const ft of frameType) {
+            if (typeof ft !== 'string') {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
+            }
+            const normalized = ft.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
+            }
+            frameTypes.add(normalized);
+        }
+        return frameTypes;
+    }
+    /**
+     * Compiles origin_type field into a Set of normalized origin types.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no origin type gating).
+     * Valid values: 'downstream', 'upstream', 'peer', 'local' (case-insensitive).
+     */
+    compileOriginTypes(originType, ruleId) {
+        if (originType === undefined) {
+            return undefined;
+        }
+        // Handle single origin type
+        if (typeof originType === 'string') {
+            const normalized = originType.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
+            }
+            if (!authorization_policy_definition_js_1.VALID_ORIGIN_TYPES.includes(normalized)) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${authorization_policy_definition_js_1.VALID_ORIGIN_TYPES.join(', ')}`);
+            }
+            return new Set([normalized]);
+        }
+        // Handle array of origin types
+        if (!Array.isArray(originType)) {
+            throw new Error(`Invalid origin_type in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (originType.length === 0) {
+            throw new Error(`Invalid origin_type in rule "${ruleId}": array must not be empty`);
+        }
+        const originTypes = new Set();
+        for (const ot of originType) {
+            if (typeof ot !== 'string') {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
+            }
+            const normalized = ot.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
+            }
+            if (!authorization_policy_definition_js_1.VALID_ORIGIN_TYPES.includes(normalized)) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${authorization_policy_definition_js_1.VALID_ORIGIN_TYPES.join(', ')}`);
+            }
+            originTypes.add(normalized);
+        }
+        return originTypes;
+    }
+}
+exports.BasicAuthorizationPolicy = BasicAuthorizationPolicy;

package/dist/cjs/naylence/fame/security/auth/policy/index.js

@@ -0,0 +1,40 @@
+"use strict";
+/**
+ * Authorization policy module exports.
+ *
+ * This module provides interfaces and factories for pluggable authorization policies.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BasicAuthorizationPolicyFactory = exports.BasicAuthorizationPolicy = exports.AuthorizationPolicySourceFactory = exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE = exports.AuthorizationPolicyFactory = exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE = exports.compileGlobOnlyScopeRequirement = exports.normalizeScopeRequirement = exports.compileScopeRequirement = exports.evaluateScopeRequirement = exports.assertNotRegexPattern = exports.isRegexPattern = exports.matchPattern = exports.getCompiledGlobPattern = exports.compileGlobPattern = exports.compilePattern = void 0;
+const tslib_1 = require("tslib");
+// Core interfaces and types
+tslib_1.__exportStar(require("./authorization-policy.js"), exports);
+tslib_1.__exportStar(require("./authorization-policy-source.js"), exports);
+tslib_1.__exportStar(require("./authorization-policy-definition.js"), exports);
+// Pattern and scope matchers
+var pattern_matcher_js_1 = require("./pattern-matcher.js");
+Object.defineProperty(exports, "compilePattern", { enumerable: true, get: function () { return pattern_matcher_js_1.compilePattern; } });
+Object.defineProperty(exports, "compileGlobPattern", { enumerable: true, get: function () { return pattern_matcher_js_1.compileGlobPattern; } });
+Object.defineProperty(exports, "getCompiledGlobPattern", { enumerable: true, get: function () { return pattern_matcher_js_1.getCompiledGlobPattern; } });
+Object.defineProperty(exports, "matchPattern", { enumerable: true, get: function () { return pattern_matcher_js_1.matchPattern; } });
+Object.defineProperty(exports, "isRegexPattern", { enumerable: true, get: function () { return pattern_matcher_js_1.isRegexPattern; } });
+Object.defineProperty(exports, "assertNotRegexPattern", { enumerable: true, get: function () { return pattern_matcher_js_1.assertNotRegexPattern; } });
+var scope_matcher_js_1 = require("./scope-matcher.js");
+Object.defineProperty(exports, "evaluateScopeRequirement", { enumerable: true, get: function () { return scope_matcher_js_1.evaluateScopeRequirement; } });
+Object.defineProperty(exports, "compileScopeRequirement", { enumerable: true, get: function () { return scope_matcher_js_1.compileScopeRequirement; } });
+Object.defineProperty(exports, "normalizeScopeRequirement", { enumerable: true, get: function () { return scope_matcher_js_1.normalizeScopeRequirement; } });
+Object.defineProperty(exports, "compileGlobOnlyScopeRequirement", { enumerable: true, get: function () { return scope_matcher_js_1.compileGlobOnlyScopeRequirement; } });
+// Factory base classes
+var authorization_policy_factory_js_1 = require("./authorization-policy-factory.js");
+Object.defineProperty(exports, "AUTHORIZATION_POLICY_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return authorization_policy_factory_js_1.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE; } });
+Object.defineProperty(exports, "AuthorizationPolicyFactory", { enumerable: true, get: function () { return authorization_policy_factory_js_1.AuthorizationPolicyFactory; } });
+var authorization_policy_source_factory_js_1 = require("./authorization-policy-source-factory.js");
+Object.defineProperty(exports, "AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return authorization_policy_source_factory_js_1.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE; } });
+Object.defineProperty(exports, "AuthorizationPolicySourceFactory", { enumerable: true, get: function () { return authorization_policy_source_factory_js_1.AuthorizationPolicySourceFactory; } });
+// Basic authorization policy (browser and node)
+var basic_authorization_policy_js_1 = require("./basic-authorization-policy.js");
+Object.defineProperty(exports, "BasicAuthorizationPolicy", { enumerable: true, get: function () { return basic_authorization_policy_js_1.BasicAuthorizationPolicy; } });
+var basic_authorization_policy_factory_js_1 = require("./basic-authorization-policy-factory.js");
+Object.defineProperty(exports, "BasicAuthorizationPolicyFactory", { enumerable: true, get: function () { return basic_authorization_policy_factory_js_1.BasicAuthorizationPolicyFactory; } });
+// Note: LocalFileAuthorizationPolicySource and its factory are node-only
+// and are registered via the factory manifest, not exported here directly.