@naylence/runtime 0.3.21 → 0.4.0

package/dist/cjs/naylence/fame/security/default-security-manager.js

@@ -7,6 +7,7 @@ const security_policy_js_1 = require("./policy/security-policy.js");
 const envelope_security_handler_js_1 = require("../node/envelope-security-handler.js");
 const secure_channel_frame_handler_js_1 = require("../node/secure-channel-frame-handler.js");
 const key_frame_handler_js_1 = require("../sentinel/key-frame-handler.js");
+const router_js_1 = require("../sentinel/router.js");
 const logging_js_1 = require("../util/logging.js");
 const util_js_1 = require("../util/util.js");
 const eddsa_signer_verifier_js_1 = require("../security/signing/eddsa-signer-verifier.js");
@@ -792,6 +793,99 @@ class DefaultSecurityManager {
         });
         return envelope;
     }
+    /**
+     * Route authorization hook - invoked after routing policy selects an action.
+     *
+     * This method provides centralized route authorization by:
+     * 1. Mapping the RoutingAction to an authorization action token
+     * 2. Calling authorizer.authorizeRoute() if available
+     * 3. Returning a Deny action on authorization failure (opaque on wire)
+     *
+     * @param node - The node performing the routing
+     * @param envelope - The envelope being routed
+     * @param selected - The RoutingAction selected by routing policy
+     * @param state - The current router state
+     * @param context - Optional delivery context
+     * @returns The action to execute (selected if authorized, Deny if denied)
+     */
+    async onRoutingActionSelected(node, envelope, selected, _state, context) {
+        // If no authorizer or authorizer doesn't implement authorizeRoute, allow
+        if (!this._authorizer) {
+            return selected;
+        }
+        if (typeof this._authorizer.authorizeRoute !== 'function') {
+            return selected;
+        }
+        // Map RoutingAction to authorization action token
+        const actionToken = (0, router_js_1.mapRoutingActionToAuthorizationAction)(selected);
+        // Terminal actions (Drop, Deny) don't need authorization
+        if (actionToken === null) {
+            return selected;
+        }
+        try {
+            const authResult = await this._authorizer.authorizeRoute(node, envelope, actionToken, context ?? undefined);
+            // undefined means allow (authorizer has no opinion)
+            if (authResult === undefined) {
+                return selected;
+            }
+            // Check authorization result
+            if (authResult.authorized) {
+                logger.debug('route_authorization_allowed', {
+                    envp_id: envelope.id,
+                    action: actionToken,
+                    frame_type: envelope.frame?.type ?? null,
+                    matched_rule: authResult.matchedRule ?? null,
+                });
+                return selected;
+            }
+            // Authorization denied - return Deny action with opaque NACK
+            logger.warning('route_authorization_denied_by_policy', {
+                envp_id: envelope.id,
+                action: actionToken,
+                frame_type: envelope.frame?.type ?? null,
+                origin_type: context?.originType ?? null,
+                to: envelope.to?.toString() ?? null,
+                denial_reason: authResult.denialReason ?? 'policy_denied',
+                matched_rule: authResult.matchedRule ?? null,
+            });
+            // Determine disclosure mode from configuration
+            const disclosure = this.getNackDisclosureMode();
+            return new router_js_1.Deny({
+                internalReason: authResult.denialReason ?? 'unauthorized_route',
+                deniedAction: actionToken,
+                matchedRule: authResult.matchedRule,
+                disclosure,
+                context: {
+                    frame_type: envelope.frame?.type ?? null,
+                    origin_type: context?.originType ?? null,
+                },
+            });
+        }
+        catch (error) {
+            logger.error('route_authorization_error', {
+                envp_id: envelope.id,
+                action: actionToken,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            // On error, deny by default (fail-safe)
+            return new router_js_1.Deny({
+                internalReason: 'authorization_error',
+                deniedAction: actionToken,
+                disclosure: 'opaque',
+                context: {
+                    error: error instanceof Error ? error.message : String(error),
+                },
+            });
+        }
+    }
+    /**
+     * Gets the NACK disclosure mode from configuration.
+     * Default is 'opaque' to avoid leaking route existence.
+     */
+    getNackDisclosureMode() {
+        // Future: Could be made configurable via _policy or constructor options
+        return 'opaque';
+    }
     async onForwardToRoute(node, nextSegment, envelope, context) {
         logger.debug('on_forward_to_route_start', {
             envp_id: envelope.id,

package/dist/cjs/naylence/fame/security/index.js

@@ -4,10 +4,13 @@ exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFIL
 const tslib_1 = require("tslib");
 tslib_1.__exportStar(require("./auth/authorizer.js"), exports);
 tslib_1.__exportStar(require("./auth/auth-identity.js"), exports);
+tslib_1.__exportStar(require("./auth/policy-authorizer.js"), exports);
 var authorizer_factory_js_1 = require("./auth/authorizer-factory.js");
 Object.defineProperty(exports, "AUTHORIZER_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return authorizer_factory_js_1.AUTHORIZER_FACTORY_BASE_TYPE; } });
 Object.defineProperty(exports, "AuthorizerFactory", { enumerable: true, get: function () { return authorizer_factory_js_1.AuthorizerFactory; } });
 tslib_1.__exportStar(require("./auth/auth-injection-strategy.js"), exports);
+// Authorization policy exports
+tslib_1.__exportStar(require("./auth/policy/index.js"), exports);
 var auth_injection_strategy_factory_js_1 = require("./auth/auth-injection-strategy-factory.js");
 Object.defineProperty(exports, "AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return auth_injection_strategy_factory_js_1.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE; } });
 Object.defineProperty(exports, "AuthInjectionStrategyFactory", { enumerable: true, get: function () { return auth_injection_strategy_factory_js_1.AuthInjectionStrategyFactory; } });

package/dist/cjs/naylence/fame/security/node-security-profile-factory.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
+exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
 const factory_1 = require("@naylence/factory");
 const security_manager_factory_js_1 = require("./security-manager-factory.js");
 const logging_js_1 = require("../util/logging.js");
@@ -14,6 +14,7 @@ exports.ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
 exports.PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 exports.PROFILE_NAME_OVERLAY = 'overlay';
 exports.PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -250,6 +251,7 @@ const GATED_PROFILE = {
         algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
         enforce_token_subject_node_identity: factory_1.Expressions.env(exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
+        trusted_client_scope: factory_1.Expressions.env(exports.ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
     },
 };
 const GATED_CALLBACK_PROFILE = {

package/dist/cjs/naylence/fame/sentinel/router.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RouterState = exports.ForwardPeer = exports.ForwardChild = exports.DeliverLocal = exports.ForwardUp = exports.Drop = void 0;
+exports.RouterState = exports.Deny = exports.ForwardPeer = exports.ForwardChild = exports.DeliverLocal = exports.ForwardUp = exports.Drop = void 0;
+exports.mapRoutingActionToAuthorizationAction = mapRoutingActionToAuthorizationAction;
 exports.emitDeliveryNack = emitDeliveryNack;
 const core_1 = require("@naylence/core");
 const errors_js_1 = require("../errors/errors.js");
@@ -99,6 +100,71 @@ class ForwardPeer {
     }
 }
 exports.ForwardPeer = ForwardPeer;
+/**
+ * RoutingAction that denies an envelope due to authorization failure.
+ *
+ * Emits an opaque NO_ROUTE NACK on wire (by default) to avoid leaking
+ * route existence, while logging the true denial reason internally.
+ */
+class Deny {
+    constructor(options) {
+        this.options = options;
+    }
+    async execute(envelope, router, state, context) {
+        const { internalReason, deniedAction, matchedRule, context: extraContext, disclosure = 'opaque', } = this.options;
+        // Log detailed denial internally
+        logger.warning('route_authorization_denied', {
+            envp_id: envelope.id,
+            frame_type: envelope.frame?.type ?? null,
+            to: envelope.to?.toString() ?? null,
+            internal_reason: internalReason,
+            denied_action: deniedAction ?? null,
+            matched_rule: matchedRule ?? null,
+            origin_type: context?.originType ?? null,
+            ...extraContext,
+        });
+        // Emit opaque NACK on wire (or verbose if configured)
+        const wireCode = disclosure === 'verbose' ? 'UNAUTHORIZED_ROUTE' : 'NO_ROUTE';
+        await emitDeliveryNack(envelope, router, state, wireCode, context ?? undefined);
+    }
+}
+exports.Deny = Deny;
+/**
+ * Maps a RoutingAction instance to an authorization action token.
+ *
+ * This function uses instanceof checks to determine the action type,
+ * avoiding the need to expose action objects to the authorizer.
+ *
+ * For unknown/custom RoutingAction types, returns null. Callers should
+ * treat null as "deny by default" for security (unknown actions are not
+ * authorized).
+ *
+ * @param action - The RoutingAction instance to map
+ * @returns The authorization action token, or null for terminal/unknown actions
+ */
+function mapRoutingActionToAuthorizationAction(action) {
+    if (action instanceof ForwardUp) {
+        return 'ForwardUpstream';
+    }
+    if (action instanceof ForwardChild) {
+        return 'ForwardDownstream';
+    }
+    if (action instanceof ForwardPeer) {
+        return 'ForwardPeer';
+    }
+    if (action instanceof DeliverLocal) {
+        return 'DeliverLocal';
+    }
+    // Drop and Deny are terminal actions that don't need authorization
+    if (action instanceof Drop || action instanceof Deny) {
+        return null;
+    }
+    // Unknown RoutingAction: return null, caller should deny by default
+    logger.warning('unknown_routing_action_for_authorization', {
+        action_type: action?.constructor?.name ?? 'unknown',
+    });
+    return null;
+}
 class RouterState {
     constructor(options) {
         const normalized = normalizeRouterStateOptions(options);

package/dist/cjs/naylence/fame/sentinel/sentinel.js

@@ -281,8 +281,11 @@ class Sentinel extends node_js_1.FameNode {
             }
         }
         const state = this.buildRouterState();
-        const action = await this.routingPolicy.decide(processedEnvelope, state, context);
-        await action.execute(processedEnvelope, this, state, context);
+        let action = await this.routingPolicy.decide(processedEnvelope, state, context);
+        // Dispatch onRoutingActionSelected hook to allow authorization/replacement
+        // The hook must return the action to execute; null/undefined/throw => Drop
+        const actionToExecute = await this.dispatchRoutingActionSelected(processedEnvelope, action, state, context);
+        await actionToExecute.execute(processedEnvelope, this, state, context);
     }
     async forwardToRoute(nextSegment, envelope, context) {
         if (this.originMatches(context, nextSegment, core_1.DeliveryOriginType.DOWNSTREAM)) {
@@ -828,6 +831,47 @@ class Sentinel extends node_js_1.FameNode {
             });
         }
     }
+    /**
+     * Dispatches the onRoutingActionSelected event to all event listeners.
+     *
+     * This allows listeners (like DefaultSecurityManager) to authorize
+     * routing actions and optionally replace them with Deny actions.
+     *
+     * The hook must return the RoutingAction to execute. If a listener returns
+     * null, undefined, or throws, the router will execute a Drop action.
+     *
+     * @param envelope - The envelope being routed
+     * @param selected - The RoutingAction selected by the routing policy
+     * @param state - The current router state
+     * @param context - Optional delivery context
+     * @returns The RoutingAction to execute (never null/undefined)
+     */
+    async dispatchRoutingActionSelected(envelope, selected, state, context) {
+        let currentAction = selected;
+        for (const listener of this.eventListeners) {
+            if (typeof listener.onRoutingActionSelected !== 'function') {
+                continue;
+            }
+            try {
+                const result = await listener.onRoutingActionSelected(this, envelope, currentAction, state, context);
+                // null/undefined => treat as denial, execute Drop
+                if (result == null) {
+                    return new router_js_1.Drop();
+                }
+                // Update current action for next listener in chain
+                currentAction = result;
+            }
+            catch (error) {
+                // Hook threw => treat as denial, execute Drop
+                logger.warning('routing_action_hook_error', {
+                    envp_id: envelope.id,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                return new router_js_1.Drop();
+            }
+        }
+        return currentAction;
+    }
     static async aserve(options = {}) {
         const { logLevel, rootConfig, config, node = null, fabric: providedFabric = null, signals = ['SIGINT', 'SIGTERM'], signal, ...fabricOptions } = options;
         const resolvedLevel = normalizeServeLogLevel(logLevel) ?? logging_js_1.LogLevel.INFO;

package/dist/cjs/naylence/fame/util/register-runtime-factories.js

@@ -45,6 +45,8 @@ const NODE_ONLY_FACTORY_MODULES = new Set([
     './connector/websocket-listener-factory.js',
     './telemetry/open-telemetry-trace-emitter-factory.js',
     './security/credential/prompt-credential-provider-factory.js',
+    './security/auth/default-policy-authorizer-factory.js',
+    './security/auth/policy/local-file-authorization-policy-source-factory.js',
 ]);
 const BROWSER_ONLY_FACTORY_MODULES = new Set([
     './security/auth/oauth2-pkce-token-provider-factory.js',

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.21
+// Generated from package.json version: 0.4.0
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.21';
+exports.VERSION = '0.4.0';

package/dist/esm/naylence/fame/factory-manifest.js

@@ -29,6 +29,7 @@ export const MODULES = [
     "./placement/static-node-placement-strategy-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
+    "./security/auth/default-policy-authorizer-factory.js",
     "./security/auth/jwks-jwt-token-verifier-factory.js",
     "./security/auth/jwt-token-issuer-factory.js",
     "./security/auth/jwt-token-verifier-factory.js",
@@ -40,6 +41,8 @@ export const MODULES = [
     "./security/auth/oauth2-authorizer-factory.js",
     "./security/auth/oauth2-client-credentials-token-provider-factory.js",
     "./security/auth/oauth2-pkce-token-provider-factory.js",
+    "./security/auth/policy/basic-authorization-policy-factory.js",
+    "./security/auth/policy/local-file-authorization-policy-source-factory.js",
     "./security/auth/query-param-auth-injection-strategy-factory.js",
     "./security/auth/shared-secret-authorizer-factory.js",
     "./security/auth/shared-secret-token-provider-factory.js",
@@ -108,6 +111,7 @@ export const MODULE_LOADERS = {
     "./placement/static-node-placement-strategy-factory.js": () => import("./placement/static-node-placement-strategy-factory.js"),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => import("./security/auth/bearer-token-header-auth-injection-strategy-factory.js"),
     "./security/auth/default-authorizer-factory.js": () => import("./security/auth/default-authorizer-factory.js"),
+    "./security/auth/default-policy-authorizer-factory.js": () => import(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/default-policy-authorizer-factory.js"),
     "./security/auth/jwks-jwt-token-verifier-factory.js": () => import("./security/auth/jwks-jwt-token-verifier-factory.js"),
     "./security/auth/jwt-token-issuer-factory.js": () => import("./security/auth/jwt-token-issuer-factory.js"),
     "./security/auth/jwt-token-verifier-factory.js": () => import("./security/auth/jwt-token-verifier-factory.js"),
@@ -119,6 +123,8 @@ export const MODULE_LOADERS = {
     "./security/auth/oauth2-authorizer-factory.js": () => import("./security/auth/oauth2-authorizer-factory.js"),
     "./security/auth/oauth2-client-credentials-token-provider-factory.js": () => import("./security/auth/oauth2-client-credentials-token-provider-factory.js"),
     "./security/auth/oauth2-pkce-token-provider-factory.js": () => import("./security/auth/oauth2-pkce-token-provider-factory.js"),
+    "./security/auth/policy/basic-authorization-policy-factory.js": () => import("./security/auth/policy/basic-authorization-policy-factory.js"),
+    "./security/auth/policy/local-file-authorization-policy-source-factory.js": () => import(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/policy/local-file-authorization-policy-source-factory.js"),
     "./security/auth/query-param-auth-injection-strategy-factory.js": () => import("./security/auth/query-param-auth-injection-strategy-factory.js"),
     "./security/auth/shared-secret-authorizer-factory.js": () => import("./security/auth/shared-secret-authorizer-factory.js"),
     "./security/auth/shared-secret-token-provider-factory.js": () => import("./security/auth/shared-secret-token-provider-factory.js"),

package/dist/esm/naylence/fame/node/node-event-listener.js

@@ -45,6 +45,10 @@ export class BaseNodeEventListener {
         // Default implementation passes envelope through unchanged
         return envelope;
     }
+    async onRoutingActionSelected(_node, _envelope, selected, _state, _context) {
+        // Default implementation returns the selected action unchanged
+        return selected;
+    }
     async onForwardUpstream(_node, envelope, _context) {
         // Default implementation passes envelope through unchanged
         return envelope;

package/dist/esm/naylence/fame/security/auth/default-policy-authorizer-factory.js

@@ -0,0 +1,110 @@
+import { safeImport } from '../../util/lazy-import.js';
+import { AUTHORIZER_FACTORY_BASE_TYPE, AuthorizerFactory, } from './authorizer-factory.js';
+import { TokenVerifierFactory, } from './token-verifier-factory.js';
+import { AuthorizationPolicySourceFactory, } from './policy/authorization-policy-source-factory.js';
+import { AuthorizationPolicyFactory, } from './policy/authorization-policy-factory.js';
+let defaultPolicyAuthorizerModulePromise = null;
+async function getDefaultPolicyAuthorizerModule() {
+    if (!defaultPolicyAuthorizerModulePromise) {
+        defaultPolicyAuthorizerModulePromise = safeImport(() => import('./default-policy-authorizer.js'), 'default-policy-authorizer');
+    }
+    return defaultPolicyAuthorizerModulePromise;
+}
+function normalizeConfig(config) {
+    if (!config) {
+        return {};
+    }
+    const candidate = config;
+    const verifierConfig = candidate.verifier ?? null;
+    if (verifierConfig && typeof verifierConfig !== 'object') {
+        throw new Error('PolicyAuthorizer verifier configuration must be an object');
+    }
+    const policyConfig = candidate.policy ?? null;
+    if (policyConfig && typeof policyConfig !== 'object') {
+        throw new Error('PolicyAuthorizer policy configuration must be an object');
+    }
+    const policySourceConfig = candidate.policySource ?? candidate.policy_source ?? null;
+    if (policySourceConfig && typeof policySourceConfig !== 'object') {
+        throw new Error('PolicyAuthorizer policySource configuration must be an object');
+    }
+    return {
+        verifier: verifierConfig,
+        policy: policyConfig,
+        policySource: policySourceConfig,
+    };
+}
+function isTokenVerifier(candidate) {
+    return Boolean(candidate && typeof candidate.verify === 'function');
+}
+function isAuthorizationPolicy(candidate) {
+    return Boolean(candidate &&
+        typeof candidate.evaluateRequest === 'function');
+}
+function isAuthorizationPolicySource(candidate) {
+    return Boolean(candidate &&
+        typeof candidate.loadPolicy === 'function');
+}
+/**
+ * Factory metadata for registration.
+ */
+export const FACTORY_META = {
+    base: AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'PolicyAuthorizer',
+};
+/**
+ * Factory for creating DefaultPolicyAuthorizer instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code in browser environments.
+ */
+export class DefaultPolicyAuthorizerFactory extends AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'PolicyAuthorizer';
+        this.isDefault = true;
+    }
+    /**
+     * Creates a DefaultPolicyAuthorizer from the given configuration.
+     *
+     * @param config - Configuration for the authorizer
+     * @param factoryArgs - Additional factory arguments:
+     *   - TokenVerifier instance
+     *   - AuthorizationPolicy instance
+     *   - AuthorizationPolicySource instance
+     * @returns The created authorizer
+     */
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig(config);
+        // Resolve token verifier
+        let tokenVerifier = factoryArgs.find(isTokenVerifier);
+        if (!tokenVerifier && normalized.verifier) {
+            tokenVerifier = await TokenVerifierFactory.createTokenVerifier(normalized.verifier);
+        }
+        if (!tokenVerifier) {
+            throw new Error('PolicyAuthorizer requires a verifier configuration or instance');
+        }
+        // Resolve policy or policy source
+        let policy = factoryArgs.find(isAuthorizationPolicy);
+        let policySource = factoryArgs.find(isAuthorizationPolicySource);
+        // Create policy from config if not provided as argument
+        if (!policy && normalized.policy) {
+            policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(normalized.policy);
+        }
+        // Create policy source from config if not provided as argument
+        if (!policySource && normalized.policySource) {
+            policySource =
+                await AuthorizationPolicySourceFactory.createAuthorizationPolicySource(normalized.policySource);
+        }
+        // Validate that we have either policy or policy source
+        if (!policy && !policySource) {
+            throw new Error('PolicyAuthorizer requires either a policy or policySource configuration');
+        }
+        const { DefaultPolicyAuthorizer } = await getDefaultPolicyAuthorizerModule();
+        return new DefaultPolicyAuthorizer({
+            tokenVerifier,
+            policy,
+            policySource,
+        });
+    }
+}
+export default DefaultPolicyAuthorizerFactory;