@naylence/runtime 0.3.21 → 0.4.0

package/dist/esm/naylence/fame/security/auth/policy/basic-authorization-policy.js

@@ -0,0 +1,445 @@
+/**
+ * Basic authorization policy implementation.
+ *
+ * Evaluates authorization rules defined in YAML/JSON policy files.
+ * Uses first-match-wins semantics with glob/regex pattern matching.
+ */
+import { getLogger } from '../../../util/logging.js';
+import { KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, VALID_ACTIONS, VALID_EFFECTS, VALID_ORIGIN_TYPES, } from './authorization-policy-definition.js';
+import { compileGlobPattern } from './pattern-matcher.js';
+import { compileGlobOnlyScopeRequirement } from './scope-matcher.js';
+const logger = getLogger('naylence.fame.security.auth.policy.basic_authorization_policy');
+/**
+ * Extracts the target address string from the envelope.
+ */
+function extractAddress(envelope) {
+    const to = envelope.to;
+    if (!to) {
+        return undefined;
+    }
+    // FameAddress can be a string or object with toString()
+    if (typeof to === 'string') {
+        return to;
+    }
+    if (typeof to === 'object' && 'toString' in to) {
+        return to.toString();
+    }
+    return undefined;
+}
+/**
+ * Extracts granted scopes from the authorization context.
+ */
+function extractGrantedScopes(context) {
+    const authContext = context?.security?.authorization;
+    if (!authContext) {
+        return [];
+    }
+    // Check grantedScopes first
+    if (Array.isArray(authContext.grantedScopes)) {
+        return authContext.grantedScopes;
+    }
+    // Fall back to claims.scope if available
+    const claims = authContext.claims;
+    if (claims) {
+        const scopeClaim = claims.scope ?? claims.scopes ?? claims.scp;
+        if (typeof scopeClaim === 'string') {
+            // Space-separated scopes (OAuth2 convention)
+            return scopeClaim.split(/\s+/).filter((s) => s.length > 0);
+        }
+        if (Array.isArray(scopeClaim)) {
+            return scopeClaim.filter((s) => typeof s === 'string');
+        }
+    }
+    return [];
+}
+/**
+ * Basic authorization policy that evaluates rules from a policy definition.
+ *
+ * Features:
+ * - First-match-wins rule evaluation
+ * - Glob and regex pattern matching for addresses
+ * - Scope matching with any_of/all_of/none_of operators
+ * - Action-based filtering (connect, send, receive)
+ */
+export class BasicAuthorizationPolicy {
+    constructor(options) {
+        const { policyDefinition, warnOnUnknownFields = true } = options;
+        // Validate and extract default effect
+        this.defaultEffect = this.validateDefaultEffect(policyDefinition.default_effect);
+        // Warn about unknown policy fields
+        if (warnOnUnknownFields) {
+            this.warnUnknownPolicyFields(policyDefinition);
+        }
+        // Compile rules for efficient evaluation
+        this.compiledRules = this.compileRules(policyDefinition.rules, warnOnUnknownFields);
+        logger.debug('policy_compiled', {
+            defaultEffect: this.defaultEffect,
+            ruleCount: this.compiledRules.length,
+        });
+    }
+    /**
+     * Evaluates the policy against a request with an explicitly provided action.
+     *
+     * @param _node - The node handling the request (unused in basic policy)
+     * @param envelope - The FAME envelope being authorized
+     * @param context - Optional delivery context with authorization info
+     * @param action - The authorization action token (required, no inference)
+     * @returns Authorization decision indicating allow/deny
+     */
+    async evaluateRequest(_node, envelope, context, action) {
+        // Action must be explicitly provided; default to wildcard if omitted
+        // for backward compatibility during transition
+        const resolvedAction = action ?? '*';
+        const address = extractAddress(envelope);
+        const grantedScopes = extractGrantedScopes(context);
+        const rawFrameType = envelope.frame
+            ?.type;
+        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
+            ? rawFrameType.trim().toLowerCase()
+            : '';
+        // Extract and normalize origin type for rule matching
+        const rawOriginType = context?.originType;
+        const originTypeNormalized = typeof rawOriginType === 'string' && rawOriginType.trim().length > 0
+            ? rawOriginType.trim().toLowerCase()
+            : undefined;
+        const evaluationTrace = [];
+        // Evaluate rules in order (first match wins)
+        for (const rule of this.compiledRules) {
+            const step = {
+                ruleId: rule.id,
+                result: false,
+            };
+            // Skip rules with 'when' clause (handled by advanced policy)
+            if (rule.hasWhenClause) {
+                step.expression = 'when clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                continue;
+            }
+            // Check frame type match
+            if (rule.frameTypes) {
+                if (!frameTypeNormalized) {
+                    step.expression = 'frame_type: missing';
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!rule.frameTypes.has(frameTypeNormalized)) {
+                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check origin type match (early gate for efficiency)
+            if (rule.originTypes) {
+                if (originTypeNormalized === undefined) {
+                    step.expression = 'origin_type: missing (rule requires origin)';
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                if (!rule.originTypes.has(originTypeNormalized)) {
+                    step.expression = `origin_type: ${rawOriginType ?? 'unknown'} not in [${Array.from(rule.originTypes).join(', ')}]`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check action match
+            if (!rule.actions.has('*') && !rule.actions.has(resolvedAction)) {
+                step.expression = `action: ${resolvedAction} not in [${Array.from(rule.actions).join(', ')}]`;
+                step.result = false;
+                evaluationTrace.push(step);
+                continue;
+            }
+            // Check address match (any pattern in the list matches)
+            if (rule.addressPatterns) {
+                if (!address) {
+                    step.expression = `address: pattern requires address, but none provided`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+                const matched = rule.addressPatterns.some((p) => p.match(address));
+                if (!matched) {
+                    const patterns = rule.addressPatterns.map((p) => p.source).join(', ');
+                    step.expression = `address: none of [${patterns}] matched ${address}`;
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Check scope match
+            if (rule.scopeMatcher) {
+                if (!rule.scopeMatcher(grantedScopes)) {
+                    step.expression = `scope: requirement not satisfied`;
+                    step.boundValues = { grantedScopes: [...grantedScopes] };
+                    step.result = false;
+                    evaluationTrace.push(step);
+                    continue;
+                }
+            }
+            // Rule matched
+            step.result = true;
+            step.expression = 'all conditions matched';
+            step.boundValues = {
+                action: resolvedAction,
+                address,
+                grantedScopes: [...grantedScopes],
+            };
+            evaluationTrace.push(step);
+            logger.debug('rule_matched', {
+                ruleId: rule.id,
+                effect: rule.effect,
+                action: resolvedAction,
+                address,
+            });
+            return {
+                effect: rule.effect,
+                reason: rule.description ?? `Matched rule: ${rule.id}`,
+                matchedRule: rule.id,
+                evaluationTrace,
+            };
+        }
+        // No rule matched, apply default effect
+        logger.debug('no_rule_matched', {
+            defaultEffect: this.defaultEffect,
+            action: resolvedAction,
+            address,
+        });
+        return {
+            effect: this.defaultEffect,
+            reason: `No rule matched, applying default effect: ${this.defaultEffect}`,
+            evaluationTrace,
+        };
+    }
+    validateDefaultEffect(effect) {
+        if (effect !== 'allow' && effect !== 'deny') {
+            throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
+        }
+        return effect;
+    }
+    warnUnknownPolicyFields(definition) {
+        for (const key of Object.keys(definition)) {
+            if (!KNOWN_POLICY_FIELDS.has(key)) {
+                logger.warning('unknown_policy_field', { field: key });
+            }
+        }
+    }
+    compileRules(rules, warnOnUnknown) {
+        return rules.map((rule, index) => this.compileRule(rule, index, warnOnUnknown));
+    }
+    compileRule(rule, index, warnOnUnknown) {
+        // Generate ID if not provided
+        const id = rule.id ?? `rule_${index}`;
+        // Validate effect
+        if (!VALID_EFFECTS.includes(rule.effect)) {
+            throw new Error(`Invalid effect in rule "${id}": "${String(rule.effect)}". Must be "allow" or "deny"`);
+        }
+        // Validate and compile action(s)
+        const actions = this.compileActions(rule.action, id);
+        // Compile address patterns (glob-only, no regex)
+        const addressPatterns = this.compileAddress(rule.address, id);
+        // Compile frame type gating
+        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Compile origin type gating
+        const originTypes = this.compileOriginTypes(rule.origin_type, id);
+        // Compile scope matcher (glob-only, no regex)
+        let scopeMatcher;
+        if (rule.scope !== undefined) {
+            try {
+                const compiled = compileGlobOnlyScopeRequirement(rule.scope, id);
+                scopeMatcher = (scopes) => compiled.evaluate(scopes);
+            }
+            catch (error) {
+                throw new Error(`Invalid scope requirement in rule "${id}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // Warn about unknown fields
+        if (warnOnUnknown) {
+            for (const key of Object.keys(rule)) {
+                if (!KNOWN_RULE_FIELDS.has(key)) {
+                    logger.warning('unknown_rule_field', { ruleId: id, field: key });
+                }
+            }
+        }
+        return {
+            id,
+            description: rule.description,
+            effect: rule.effect,
+            actions,
+            frameTypes,
+            originTypes,
+            addressPatterns,
+            scopeMatcher,
+            hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+        };
+    }
+    /**
+     * Compiles action field into a Set of valid actions.
+     * Supports single RuleAction or array of RuleAction (implicit any-of).
+     */
+    compileActions(action, ruleId) {
+        // Default to wildcard if not specified
+        if (action === undefined) {
+            return new Set(['*']);
+        }
+        // Handle single action
+        if (typeof action === 'string') {
+            if (!VALID_ACTIONS.includes(action)) {
+                throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
+            }
+            return new Set([action]);
+        }
+        // Handle array of actions
+        if (!Array.isArray(action)) {
+            throw new Error(`Invalid action in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (action.length === 0) {
+            throw new Error(`Invalid action in rule "${ruleId}": array must not be empty`);
+        }
+        const actions = new Set();
+        for (const a of action) {
+            if (typeof a !== 'string') {
+                throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
+            }
+            if (!VALID_ACTIONS.includes(a)) {
+                throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
+            }
+            actions.add(a);
+        }
+        return actions;
+    }
+    /**
+     * Compiles address field into an array of glob matchers.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no address gating).
+     *
+     * All patterns are treated as globs - `^` prefix is rejected as an error.
+     */
+    compileAddress(address, ruleId) {
+        if (address === undefined) {
+            return undefined;
+        }
+        const context = `address in rule "${ruleId}"`;
+        // Handle single address pattern
+        if (typeof address === 'string') {
+            const trimmed = address.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid address in rule "${ruleId}": value must not be empty`);
+            }
+            try {
+                return [compileGlobPattern(trimmed, context)];
+            }
+            catch (error) {
+                throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        // Handle array of address patterns
+        if (!Array.isArray(address)) {
+            throw new Error(`Invalid address in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (address.length === 0) {
+            throw new Error(`Invalid address in rule "${ruleId}": array must not be empty`);
+        }
+        const patterns = [];
+        for (const addr of address) {
+            if (typeof addr !== 'string') {
+                throw new Error(`Invalid address in rule "${ruleId}": all values must be strings`);
+            }
+            const trimmed = addr.trim();
+            if (!trimmed) {
+                throw new Error(`Invalid address in rule "${ruleId}": values must not be empty`);
+            }
+            try {
+                patterns.push(compileGlobPattern(trimmed, context));
+            }
+            catch (error) {
+                throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+        return patterns;
+    }
+    /**
+     * Compiles frame_type field into a Set of normalized frame types.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no frame type gating).
+     */
+    compileFrameTypes(frameType, ruleId) {
+        if (frameType === undefined) {
+            return undefined;
+        }
+        // Handle single frame type
+        if (typeof frameType === 'string') {
+            const normalized = frameType.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
+            }
+            return new Set([normalized]);
+        }
+        // Handle array of frame types
+        if (!Array.isArray(frameType)) {
+            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (frameType.length === 0) {
+            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
+        }
+        const frameTypes = new Set();
+        for (const ft of frameType) {
+            if (typeof ft !== 'string') {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
+            }
+            const normalized = ft.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
+            }
+            frameTypes.add(normalized);
+        }
+        return frameTypes;
+    }
+    /**
+     * Compiles origin_type field into a Set of normalized origin types.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no origin type gating).
+     * Valid values: 'downstream', 'upstream', 'peer', 'local' (case-insensitive).
+     */
+    compileOriginTypes(originType, ruleId) {
+        if (originType === undefined) {
+            return undefined;
+        }
+        // Handle single origin type
+        if (typeof originType === 'string') {
+            const normalized = originType.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
+            }
+            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
+            }
+            return new Set([normalized]);
+        }
+        // Handle array of origin types
+        if (!Array.isArray(originType)) {
+            throw new Error(`Invalid origin_type in rule "${ruleId}": must be a string or array of strings`);
+        }
+        if (originType.length === 0) {
+            throw new Error(`Invalid origin_type in rule "${ruleId}": array must not be empty`);
+        }
+        const originTypes = new Set();
+        for (const ot of originType) {
+            if (typeof ot !== 'string') {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
+            }
+            const normalized = ot.trim().toLowerCase();
+            if (!normalized) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
+            }
+            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+                throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
+            }
+            originTypes.add(normalized);
+        }
+        return originTypes;
+    }
+}

package/dist/esm/naylence/fame/security/auth/policy/index.js

@@ -0,0 +1,20 @@
+/**
+ * Authorization policy module exports.
+ *
+ * This module provides interfaces and factories for pluggable authorization policies.
+ */
+// Core interfaces and types
+export * from './authorization-policy.js';
+export * from './authorization-policy-source.js';
+export * from './authorization-policy-definition.js';
+// Pattern and scope matchers
+export { compilePattern, compileGlobPattern, getCompiledGlobPattern, matchPattern, isRegexPattern, assertNotRegexPattern, } from './pattern-matcher.js';
+export { evaluateScopeRequirement, compileScopeRequirement, normalizeScopeRequirement, compileGlobOnlyScopeRequirement, } from './scope-matcher.js';
+// Factory base classes
+export { AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AuthorizationPolicyFactory, } from './authorization-policy-factory.js';
+export { AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AuthorizationPolicySourceFactory, } from './authorization-policy-source-factory.js';
+// Basic authorization policy (browser and node)
+export { BasicAuthorizationPolicy } from './basic-authorization-policy.js';
+export { BasicAuthorizationPolicyFactory } from './basic-authorization-policy-factory.js';
+// Note: LocalFileAuthorizationPolicySource and its factory are node-only
+// and are registered via the factory manifest, not exported here directly.

package/dist/esm/naylence/fame/security/auth/policy/local-file-authorization-policy-source-factory.js

@@ -0,0 +1,64 @@
+import { safeImport } from '../../../util/lazy-import.js';
+import { AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AuthorizationPolicySourceFactory, } from './authorization-policy-source-factory.js';
+let localFileModulePromise = null;
+async function getLocalFileModule() {
+    if (!localFileModulePromise) {
+        localFileModulePromise = safeImport(() => import('./local-file-authorization-policy-source.js'), 'local-file-authorization-policy-source');
+    }
+    return localFileModulePromise;
+}
+function normalizeConfig(config) {
+    if (!config) {
+        throw new Error('LocalFileAuthorizationPolicySourceFactory requires a configuration with a path');
+    }
+    const candidate = config;
+    const path = candidate.path;
+    if (typeof path !== 'string' || path.trim().length === 0) {
+        throw new Error('LocalFileAuthorizationPolicySourceConfig requires a non-empty path');
+    }
+    const format = candidate.format;
+    if (format !== undefined && !['yaml', 'json', 'auto'].includes(format)) {
+        throw new Error(`Invalid format "${String(format)}". Must be "yaml", "json", or "auto"`);
+    }
+    const policyFactory = candidate.policyFactory;
+    return {
+        path: path.trim(),
+        format: format ?? 'auto',
+        policyFactory,
+    };
+}
+/**
+ * Factory metadata for registration.
+ */
+export const FACTORY_META = {
+    base: AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE,
+    key: 'LocalFileAuthorizationPolicySource',
+};
+/**
+ * Factory for creating LocalFileAuthorizationPolicySource instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code (filesystem operations) in browser environments.
+ */
+export class LocalFileAuthorizationPolicySourceFactory extends AuthorizationPolicySourceFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'LocalFileAuthorizationPolicySource';
+    }
+    /**
+     * Creates a LocalFileAuthorizationPolicySource from the given configuration.
+     *
+     * @param config - Configuration specifying the policy file path and options
+     * @returns The created policy source
+     */
+    async create(config) {
+        const normalized = normalizeConfig(config);
+        const { LocalFileAuthorizationPolicySource } = await getLocalFileModule();
+        return new LocalFileAuthorizationPolicySource({
+            path: normalized.path,
+            format: normalized.format,
+            policyFactory: normalized.policyFactory,
+        });
+    }
+}
+export default LocalFileAuthorizationPolicySourceFactory;

package/dist/esm/naylence/fame/security/auth/policy/local-file-authorization-policy-source.js

@@ -0,0 +1,127 @@
+import { parse as parseYaml } from 'yaml';
+import { getLogger } from '../../../util/logging.js';
+import { AuthorizationPolicyFactory, } from './authorization-policy-factory.js';
+const logger = getLogger('naylence.fame.security.auth.policy.local_file_authorization_policy_source');
+function isPlainObject(value) {
+    return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
+}
+function parseJson(content) {
+    const parsed = JSON.parse(content);
+    if (!isPlainObject(parsed)) {
+        throw new Error('Parsed JSON policy must be an object');
+    }
+    return parsed;
+}
+function parseYamlContent(content) {
+    const parsed = parseYaml(content ?? '');
+    if (parsed == null) {
+        return {};
+    }
+    if (!isPlainObject(parsed)) {
+        throw new Error('Parsed YAML policy must be an object');
+    }
+    return parsed;
+}
+function detectFormat(filePath) {
+    const lower = filePath.toLowerCase();
+    if (lower.endsWith('.yaml') || lower.endsWith('.yml')) {
+        return 'yaml';
+    }
+    if (lower.endsWith('.json')) {
+        return 'json';
+    }
+    // Default to YAML for unknown extensions
+    return 'yaml';
+}
+/**
+ * An authorization policy source that loads policy definitions from a local file.
+ *
+ * Supports YAML and JSON formats. The file must contain a valid policy
+ * configuration object that can be used to create an AuthorizationPolicy
+ * via the factory system.
+ *
+ * This is a Node.js-only implementation that uses the filesystem.
+ */
+export class LocalFileAuthorizationPolicySource {
+    constructor(options) {
+        this.cachedPolicy = null;
+        this.path = options.path;
+        this.format = options.format ?? 'auto';
+        this.policyFactoryConfig = options.policyFactory;
+    }
+    /**
+     * Loads the authorization policy from the configured file.
+     *
+     * The file is read and parsed according to the configured format.
+     * The parsed content is then used to create an AuthorizationPolicy
+     * via the factory system.
+     *
+     * @returns The loaded authorization policy
+     */
+    async loadPolicy() {
+        // Return cached policy if available
+        if (this.cachedPolicy) {
+            return this.cachedPolicy;
+        }
+        logger.debug('loading_policy_from_file', { path: this.path });
+        // Dynamic import of fs for Node.js
+        const fs = await import('node:fs/promises');
+        // Read the file
+        const content = await fs.readFile(this.path, 'utf-8');
+        // Determine format
+        const effectiveFormat = this.format === 'auto' ? detectFormat(this.path) : this.format;
+        // Parse the content
+        let policyDefinition;
+        if (effectiveFormat === 'json') {
+            policyDefinition = parseJson(content);
+        }
+        else {
+            policyDefinition = parseYamlContent(content);
+        }
+        logger.debug('parsed_policy_definition', {
+            path: this.path,
+            format: effectiveFormat,
+            hasType: 'type' in policyDefinition,
+        });
+        // Determine the factory configuration to use
+        const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
+        // Ensure we have a type field for the factory
+        if (!('type' in factoryConfig) || typeof factoryConfig.type !== 'string') {
+            throw new Error(`Policy definition at ${this.path} must have a 'type' field, ` +
+                `or policyFactory config must be provided`);
+        }
+        // Build the factory config with the policy definition
+        // The file content IS the policy definition, so we extract the type
+        // and wrap the remaining content as the policyDefinition
+        const { type, ...restOfFile } = policyDefinition;
+        const mergedConfig = this.policyFactoryConfig != null
+            ? { ...this.policyFactoryConfig, policyDefinition }
+            : { type: factoryConfig.type, policyDefinition: restOfFile };
+        // Create the policy using the factory system
+        const policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
+        if (!policy) {
+            throw new Error(`Failed to create authorization policy from ${this.path}`);
+        }
+        this.cachedPolicy = policy;
+        logger.info('loaded_policy_from_file', {
+            path: this.path,
+            policyType: factoryConfig.type,
+        });
+        return policy;
+    }
+    /**
+     * Clears the cached policy, forcing a reload on the next loadPolicy() call.
+     */
+    clearCache() {
+        this.cachedPolicy = null;
+    }
+    /**
+     * Reloads the policy from the file, clearing any cached version.
+     *
+     * @returns The reloaded authorization policy
+     */
+    async reloadPolicy() {
+        this.clearCache();
+        return this.loadPolicy();
+    }
+}