@naylence/runtime 0.3.21 → 0.4.0

package/dist/esm/naylence/fame/security/auth/policy/pattern-matcher.js

@@ -0,0 +1,185 @@
+/**
+ * Pattern matching utilities for authorization policies.
+ *
+ * Supports:
+ * - Glob patterns: `*` (single segment), `**` (any depth), `?` (single char)
+ * - Regex patterns: patterns starting with `^` (for advanced/BSL use only)
+ *
+ * The OSS/basic policy uses glob-only matching via `compileGlobPattern()`.
+ * The advanced/BSL policy may use `compilePattern()` which interprets `^` as regex.
+ */
+/**
+ * Checks if a pattern string is a regex pattern.
+ * Regex patterns start with `^`.
+ */
+export function isRegexPattern(pattern) {
+    return pattern.startsWith('^');
+}
+/**
+ * Asserts that a pattern is not a regex pattern.
+ * Throws an error if the pattern starts with `^`.
+ *
+ * Use this in OSS/basic policy to reject regex patterns.
+ *
+ * @param pattern - The pattern to check
+ * @param context - Optional context for the error message (e.g., "address", "scope")
+ * @throws Error if the pattern is a regex pattern
+ */
+export function assertNotRegexPattern(pattern, context) {
+    if (pattern.startsWith('^')) {
+        const contextStr = context ? ` in ${context}` : '';
+        throw new Error(`Regex patterns are not supported${contextStr} in OSS/basic policy. ` +
+            `Pattern "${pattern}" starts with '^'. Use glob patterns instead.`);
+    }
+}
+/**
+ * Escapes special regex characters in a string.
+ */
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Converts a glob pattern to a regex pattern.
+ *
+ * Glob syntax:
+ * - `*` matches a single segment (no dots)
+ * - `**` matches any number of segments (including zero)
+ * - Other characters are matched literally
+ *
+ * @param glob - The glob pattern to convert
+ * @returns A regex pattern string (without anchors)
+ */
+function globToRegex(glob) {
+    const parts = [];
+    let i = 0;
+    while (i < glob.length) {
+        if (glob[i] === '*') {
+            if (glob[i + 1] === '*') {
+                // `**` matches any characters (including dots)
+                parts.push('.*');
+                i += 2;
+            }
+            else {
+                // `*` matches any characters except dots (single segment)
+                parts.push('[^.]*');
+                i += 1;
+            }
+        }
+        else if (glob[i] === '?') {
+            // `?` matches a single character (not a dot)
+            parts.push('[^.]');
+            i += 1;
+        }
+        else {
+            // Escape and add literal character
+            parts.push(escapeRegex(glob[i]));
+            i += 1;
+        }
+    }
+    return parts.join('');
+}
+/**
+ * Compiles a pattern string into an efficient matcher.
+ *
+ * @param pattern - Glob pattern or regex (starting with `^`)
+ * @returns A compiled pattern object
+ * @throws Error if the regex pattern is invalid
+ */
+export function compilePattern(pattern) {
+    if (isRegexPattern(pattern)) {
+        // Regex pattern - compile directly
+        const regex = new RegExp(pattern);
+        return {
+            source: pattern,
+            isRegex: true,
+            match: (value) => regex.test(value),
+        };
+    }
+    // Glob pattern - convert to regex with anchors
+    const regexStr = `^${globToRegex(pattern)}$`;
+    const regex = new RegExp(regexStr);
+    return {
+        source: pattern,
+        isRegex: false,
+        match: (value) => regex.test(value),
+    };
+}
+/**
+ * Compiles a pattern string as a glob pattern only (no regex interpretation).
+ *
+ * This is the preferred method for OSS/basic policy evaluation.
+ * Patterns starting with `^` are rejected with an error.
+ *
+ * @param pattern - Glob pattern (regex patterns rejected)
+ * @param context - Optional context for error messages
+ * @returns A compiled pattern object
+ * @throws Error if pattern starts with `^` (regex attempt)
+ */
+export function compileGlobPattern(pattern, context) {
+    // Reject regex patterns in OSS/basic policy
+    assertNotRegexPattern(pattern, context);
+    // Convert glob to regex with anchors
+    const regexStr = `^${globToRegex(pattern)}$`;
+    const regex = new RegExp(regexStr);
+    return {
+        source: pattern,
+        isRegex: false,
+        match: (value) => regex.test(value),
+    };
+}
+/**
+ * Cache for compiled patterns to avoid recompilation.
+ */
+const patternCache = new Map();
+/**
+ * Cache for glob-only compiled patterns.
+ */
+const globPatternCache = new Map();
+/**
+ * Gets or compiles a pattern, with caching.
+ *
+ * @param pattern - Glob pattern or regex
+ * @returns A compiled pattern object
+ */
+export function getCompiledPattern(pattern) {
+    let compiled = patternCache.get(pattern);
+    if (!compiled) {
+        compiled = compilePattern(pattern);
+        patternCache.set(pattern, compiled);
+    }
+    return compiled;
+}
+/**
+ * Gets or compiles a glob-only pattern, with caching.
+ *
+ * This is the preferred method for OSS/basic policy evaluation.
+ * Patterns are always treated as globs, never regex.
+ *
+ * @param pattern - Glob pattern (never interpreted as regex)
+ * @returns A compiled pattern object
+ */
+export function getCompiledGlobPattern(pattern) {
+    let compiled = globPatternCache.get(pattern);
+    if (!compiled) {
+        compiled = compileGlobPattern(pattern);
+        globPatternCache.set(pattern, compiled);
+    }
+    return compiled;
+}
+/**
+ * Matches a value against a pattern string.
+ *
+ * @param pattern - Glob pattern or regex (starting with `^`)
+ * @param value - The value to match
+ * @returns True if the value matches the pattern
+ */
+export function matchPattern(pattern, value) {
+    return getCompiledPattern(pattern).match(value);
+}
+/**
+ * Clears the pattern cache.
+ * Useful for testing or when memory is a concern.
+ */
+export function clearPatternCache() {
+    patternCache.clear();
+}

package/dist/esm/naylence/fame/security/auth/policy/scope-matcher.js

@@ -0,0 +1,162 @@
+/**
+ * Scope matching utilities for authorization policies.
+ *
+ * Supports:
+ * - Simple string patterns (glob only in OSS/basic policy)
+ * - Logical operators: any_of, all_of, none_of
+ * - Recursive nesting with depth limits
+ */
+import { MAX_SCOPE_NESTING_DEPTH } from './authorization-policy-definition.js';
+import { matchPattern, compileGlobPattern, } from './pattern-matcher.js';
+/**
+ * Checks if any of the granted scopes match the given pattern.
+ */
+function anyScopeMatchesPattern(grantedScopes, pattern) {
+    return grantedScopes.some((scope) => matchPattern(pattern, scope));
+}
+/**
+ * Normalizes a scope requirement into a typed structure.
+ *
+ * @param requirement - The scope requirement to normalize
+ * @param depth - Current nesting depth (for recursion limit)
+ * @returns Normalized scope requirement
+ * @throws Error if nesting exceeds maximum depth
+ */
+export function normalizeScopeRequirement(requirement, depth = 0) {
+    if (depth > MAX_SCOPE_NESTING_DEPTH) {
+        throw new Error(`Scope requirement nesting exceeds maximum depth of ${MAX_SCOPE_NESTING_DEPTH}`);
+    }
+    // Simple string pattern
+    if (typeof requirement === 'string') {
+        return { type: 'pattern', pattern: requirement };
+    }
+    // Object with logical operator
+    if (typeof requirement !== 'object' || requirement === null) {
+        throw new Error(`Invalid scope requirement: ${String(requirement)}`);
+    }
+    const keys = Object.keys(requirement);
+    if (keys.length !== 1) {
+        throw new Error(`Scope requirement object must have exactly one key (any_of, all_of, or none_of), got: ${keys.join(', ')}`);
+    }
+    const key = keys[0];
+    const value = requirement[key];
+    if (!Array.isArray(value)) {
+        throw new Error(`Scope requirement "${key}" must have an array value, got: ${typeof value}`);
+    }
+    const nested = value.map((item) => normalizeScopeRequirement(item, depth + 1));
+    switch (key) {
+        case 'any_of':
+            return { type: 'any_of', requirements: nested };
+        case 'all_of':
+            return { type: 'all_of', requirements: nested };
+        case 'none_of':
+            return { type: 'none_of', requirements: nested };
+        default:
+            throw new Error(`Unknown scope requirement operator: "${key}". Expected any_of, all_of, or none_of`);
+    }
+}
+/**
+ * Evaluates a normalized scope requirement against granted scopes.
+ *
+ * @param requirement - The normalized scope requirement
+ * @param grantedScopes - The scopes granted to the principal
+ * @returns True if the requirement is satisfied
+ */
+export function evaluateNormalizedScopeRequirement(requirement, grantedScopes) {
+    switch (requirement.type) {
+        case 'pattern':
+            return anyScopeMatchesPattern(grantedScopes, requirement.pattern);
+        case 'any_of':
+            return requirement.requirements.some((req) => evaluateNormalizedScopeRequirement(req, grantedScopes));
+        case 'all_of':
+            return requirement.requirements.every((req) => evaluateNormalizedScopeRequirement(req, grantedScopes));
+        case 'none_of':
+            return !requirement.requirements.some((req) => evaluateNormalizedScopeRequirement(req, grantedScopes));
+        default:
+            // Exhaustive check
+            throw new Error(`Unknown scope requirement type: ${requirement.type}`);
+    }
+}
+/**
+ * Evaluates a scope requirement against granted scopes.
+ *
+ * This is the main entry point for scope matching.
+ *
+ * @param requirement - The scope requirement (string or object)
+ * @param grantedScopes - The scopes granted to the principal
+ * @returns True if the requirement is satisfied
+ */
+export function evaluateScopeRequirement(requirement, grantedScopes) {
+    const normalized = normalizeScopeRequirement(requirement);
+    return evaluateNormalizedScopeRequirement(normalized, grantedScopes);
+}
+/**
+ * Pre-compiles a scope requirement for efficient repeated evaluation.
+ *
+ * @param requirement - The scope requirement to compile
+ * @returns A function that evaluates the requirement against granted scopes
+ */
+export function compileScopeRequirement(requirement) {
+    const normalized = normalizeScopeRequirement(requirement);
+    return (grantedScopes) => evaluateNormalizedScopeRequirement(normalized, grantedScopes);
+}
+/**
+ * Pre-compiles a scope requirement for OSS/basic policy (glob-only, no regex).
+ *
+ * This version rejects patterns starting with `^` at compile time.
+ *
+ * @param requirement - The scope requirement to compile
+ * @param ruleId - Rule ID for error messages
+ * @returns A compiled scope requirement
+ * @throws Error if any pattern starts with `^` (regex attempt)
+ */
+export function compileGlobOnlyScopeRequirement(requirement, ruleId) {
+    const context = `scope in rule "${ruleId}"`;
+    // Compile the requirement, pre-compiling all patterns as globs
+    const compiled = compileGlobOnlyNormalized(normalizeScopeRequirement(requirement), context);
+    return {
+        evaluate: (grantedScopes) => evaluateCompiledScope(compiled, grantedScopes),
+    };
+}
+/**
+ * Compiles a normalized scope requirement into efficient matchers (glob-only).
+ */
+function compileGlobOnlyNormalized(requirement, context) {
+    switch (requirement.type) {
+        case 'pattern':
+            return {
+                type: 'pattern',
+                matcher: compileGlobPattern(requirement.pattern, context),
+            };
+        case 'any_of':
+            return {
+                type: 'any_of',
+                requirements: requirement.requirements.map((r) => compileGlobOnlyNormalized(r, context)),
+            };
+        case 'all_of':
+            return {
+                type: 'all_of',
+                requirements: requirement.requirements.map((r) => compileGlobOnlyNormalized(r, context)),
+            };
+        case 'none_of':
+            return {
+                type: 'none_of',
+                requirements: requirement.requirements.map((r) => compileGlobOnlyNormalized(r, context)),
+            };
+    }
+}
+/**
+ * Evaluates a compiled scope node against granted scopes.
+ */
+function evaluateCompiledScope(node, grantedScopes) {
+    switch (node.type) {
+        case 'pattern':
+            return grantedScopes.some((scope) => node.matcher.match(scope));
+        case 'any_of':
+            return node.requirements.some((r) => evaluateCompiledScope(r, grantedScopes));
+        case 'all_of':
+            return node.requirements.every((r) => evaluateCompiledScope(r, grantedScopes));
+        case 'none_of':
+            return !node.requirements.some((r) => evaluateCompiledScope(r, grantedScopes));
+    }
+}

package/dist/esm/naylence/fame/security/auth/policy-authorizer.js

@@ -0,0 +1 @@
+export {};

package/dist/esm/naylence/fame/security/default-security-manager.js

@@ -4,6 +4,7 @@ import { SecurityAction, } from './policy/security-policy.js';
 import { EnvelopeSecurityHandler } from '../node/envelope-security-handler.js';
 import { SecureChannelFrameHandler } from '../node/secure-channel-frame-handler.js';
 import { KeyFrameHandler } from '../sentinel/key-frame-handler.js';
+import { Deny, mapRoutingActionToAuthorizationAction, } from '../sentinel/router.js';
 import { getLogger } from '../util/logging.js';
 import { secureDigest } from '../util/util.js';
 import { canonicalJson } from '../security/signing/eddsa-signer-verifier.js';
@@ -789,6 +790,99 @@ export class DefaultSecurityManager {
         });
         return envelope;
     }
+    /**
+     * Route authorization hook - invoked after routing policy selects an action.
+     *
+     * This method provides centralized route authorization by:
+     * 1. Mapping the RoutingAction to an authorization action token
+     * 2. Calling authorizer.authorizeRoute() if available
+     * 3. Returning a Deny action on authorization failure (opaque on wire)
+     *
+     * @param node - The node performing the routing
+     * @param envelope - The envelope being routed
+     * @param selected - The RoutingAction selected by routing policy
+     * @param state - The current router state
+     * @param context - Optional delivery context
+     * @returns The action to execute (selected if authorized, Deny if denied)
+     */
+    async onRoutingActionSelected(node, envelope, selected, _state, context) {
+        // If no authorizer or authorizer doesn't implement authorizeRoute, allow
+        if (!this._authorizer) {
+            return selected;
+        }
+        if (typeof this._authorizer.authorizeRoute !== 'function') {
+            return selected;
+        }
+        // Map RoutingAction to authorization action token
+        const actionToken = mapRoutingActionToAuthorizationAction(selected);
+        // Terminal actions (Drop, Deny) don't need authorization
+        if (actionToken === null) {
+            return selected;
+        }
+        try {
+            const authResult = await this._authorizer.authorizeRoute(node, envelope, actionToken, context ?? undefined);
+            // undefined means allow (authorizer has no opinion)
+            if (authResult === undefined) {
+                return selected;
+            }
+            // Check authorization result
+            if (authResult.authorized) {
+                logger.debug('route_authorization_allowed', {
+                    envp_id: envelope.id,
+                    action: actionToken,
+                    frame_type: envelope.frame?.type ?? null,
+                    matched_rule: authResult.matchedRule ?? null,
+                });
+                return selected;
+            }
+            // Authorization denied - return Deny action with opaque NACK
+            logger.warning('route_authorization_denied_by_policy', {
+                envp_id: envelope.id,
+                action: actionToken,
+                frame_type: envelope.frame?.type ?? null,
+                origin_type: context?.originType ?? null,
+                to: envelope.to?.toString() ?? null,
+                denial_reason: authResult.denialReason ?? 'policy_denied',
+                matched_rule: authResult.matchedRule ?? null,
+            });
+            // Determine disclosure mode from configuration
+            const disclosure = this.getNackDisclosureMode();
+            return new Deny({
+                internalReason: authResult.denialReason ?? 'unauthorized_route',
+                deniedAction: actionToken,
+                matchedRule: authResult.matchedRule,
+                disclosure,
+                context: {
+                    frame_type: envelope.frame?.type ?? null,
+                    origin_type: context?.originType ?? null,
+                },
+            });
+        }
+        catch (error) {
+            logger.error('route_authorization_error', {
+                envp_id: envelope.id,
+                action: actionToken,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            // On error, deny by default (fail-safe)
+            return new Deny({
+                internalReason: 'authorization_error',
+                deniedAction: actionToken,
+                disclosure: 'opaque',
+                context: {
+                    error: error instanceof Error ? error.message : String(error),
+                },
+            });
+        }
+    }
+    /**
+     * Gets the NACK disclosure mode from configuration.
+     * Default is 'opaque' to avoid leaking route existence.
+     */
+    getNackDisclosureMode() {
+        // Future: Could be made configurable via _policy or constructor options
+        return 'opaque';
+    }
     async onForwardToRoute(node, nextSegment, envelope, context) {
         logger.debug('on_forward_to_route_start', {
             envp_id: envelope.id,

package/dist/esm/naylence/fame/security/index.js

@@ -1,7 +1,10 @@
 export * from './auth/authorizer.js';
 export * from './auth/auth-identity.js';
+export * from './auth/policy-authorizer.js';
 export { AUTHORIZER_FACTORY_BASE_TYPE, AuthorizerFactory, } from './auth/authorizer-factory.js';
 export * from './auth/auth-injection-strategy.js';
+// Authorization policy exports
+export * from './auth/policy/index.js';
 export { AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, AuthInjectionStrategyFactory, } from './auth/auth-injection-strategy-factory.js';
 export * from './auth/token-issuer.js';
 export { TOKEN_ISSUER_FACTORY_BASE_TYPE, TokenIssuerFactory, } from './auth/token-issuer-factory.js';

package/dist/esm/naylence/fame/security/node-security-profile-factory.js

@@ -11,6 +11,7 @@ export const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 export const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 export const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+export const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
 export const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 export const PROFILE_NAME_OVERLAY = 'overlay';
 export const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
@@ -247,6 +248,7 @@ const GATED_PROFILE = {
         algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
         audience: Expressions.env(ENV_VAR_JWT_AUDIENCE),
         enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
+        trusted_client_scope: Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
     },
 };
 const GATED_CALLBACK_PROFILE = {

package/dist/esm/naylence/fame/sentinel/router.js

@@ -90,6 +90,70 @@ export class ForwardPeer {
         }
     }
 }
+/**
+ * RoutingAction that denies an envelope due to authorization failure.
+ *
+ * Emits an opaque NO_ROUTE NACK on wire (by default) to avoid leaking
+ * route existence, while logging the true denial reason internally.
+ */
+export class Deny {
+    constructor(options) {
+        this.options = options;
+    }
+    async execute(envelope, router, state, context) {
+        const { internalReason, deniedAction, matchedRule, context: extraContext, disclosure = 'opaque', } = this.options;
+        // Log detailed denial internally
+        logger.warning('route_authorization_denied', {
+            envp_id: envelope.id,
+            frame_type: envelope.frame?.type ?? null,
+            to: envelope.to?.toString() ?? null,
+            internal_reason: internalReason,
+            denied_action: deniedAction ?? null,
+            matched_rule: matchedRule ?? null,
+            origin_type: context?.originType ?? null,
+            ...extraContext,
+        });
+        // Emit opaque NACK on wire (or verbose if configured)
+        const wireCode = disclosure === 'verbose' ? 'UNAUTHORIZED_ROUTE' : 'NO_ROUTE';
+        await emitDeliveryNack(envelope, router, state, wireCode, context ?? undefined);
+    }
+}
+/**
+ * Maps a RoutingAction instance to an authorization action token.
+ *
+ * This function uses instanceof checks to determine the action type,
+ * avoiding the need to expose action objects to the authorizer.
+ *
+ * For unknown/custom RoutingAction types, returns null. Callers should
+ * treat null as "deny by default" for security (unknown actions are not
+ * authorized).
+ *
+ * @param action - The RoutingAction instance to map
+ * @returns The authorization action token, or null for terminal/unknown actions
+ */
+export function mapRoutingActionToAuthorizationAction(action) {
+    if (action instanceof ForwardUp) {
+        return 'ForwardUpstream';
+    }
+    if (action instanceof ForwardChild) {
+        return 'ForwardDownstream';
+    }
+    if (action instanceof ForwardPeer) {
+        return 'ForwardPeer';
+    }
+    if (action instanceof DeliverLocal) {
+        return 'DeliverLocal';
+    }
+    // Drop and Deny are terminal actions that don't need authorization
+    if (action instanceof Drop || action instanceof Deny) {
+        return null;
+    }
+    // Unknown RoutingAction: return null, caller should deny by default
+    logger.warning('unknown_routing_action_for_authorization', {
+        action_type: action?.constructor?.name ?? 'unknown',
+    });
+    return null;
+}
 export class RouterState {
     constructor(options) {
         const normalized = normalizeRouterStateOptions(options);

package/dist/esm/naylence/fame/sentinel/sentinel.js

@@ -20,7 +20,7 @@ import { AsyncEvent } from '../util/async-event.js';
 import { AsyncLock } from '../util/lock.js';
 import { createResource } from '../connector/connector-factory.js';
 import { UpstreamSessionManager } from '../node/upstream-session-manager.js';
-import { emitDeliveryNack, RouterState } from './router.js';
+import { Drop, emitDeliveryNack, RouterState, } from './router.js';
 const logger = getLogger('naylence.fame.sentinel.sentinel');
 const ALLOWED_BEFORE_ATTACH = new Set(['NodeAttach']);
 const SYSTEM_INBOX = '__sys__';
@@ -280,8 +280,11 @@ export class Sentinel extends FameNode {
             }
         }
         const state = this.buildRouterState();
-        const action = await this.routingPolicy.decide(processedEnvelope, state, context);
-        await action.execute(processedEnvelope, this, state, context);
+        let action = await this.routingPolicy.decide(processedEnvelope, state, context);
+        // Dispatch onRoutingActionSelected hook to allow authorization/replacement
+        // The hook must return the action to execute; null/undefined/throw => Drop
+        const actionToExecute = await this.dispatchRoutingActionSelected(processedEnvelope, action, state, context);
+        await actionToExecute.execute(processedEnvelope, this, state, context);
     }
     async forwardToRoute(nextSegment, envelope, context) {
         if (this.originMatches(context, nextSegment, DeliveryOriginType.DOWNSTREAM)) {
@@ -827,6 +830,47 @@ export class Sentinel extends FameNode {
             });
         }
     }
+    /**
+     * Dispatches the onRoutingActionSelected event to all event listeners.
+     *
+     * This allows listeners (like DefaultSecurityManager) to authorize
+     * routing actions and optionally replace them with Deny actions.
+     *
+     * The hook must return the RoutingAction to execute. If a listener returns
+     * null, undefined, or throws, the router will execute a Drop action.
+     *
+     * @param envelope - The envelope being routed
+     * @param selected - The RoutingAction selected by the routing policy
+     * @param state - The current router state
+     * @param context - Optional delivery context
+     * @returns The RoutingAction to execute (never null/undefined)
+     */
+    async dispatchRoutingActionSelected(envelope, selected, state, context) {
+        let currentAction = selected;
+        for (const listener of this.eventListeners) {
+            if (typeof listener.onRoutingActionSelected !== 'function') {
+                continue;
+            }
+            try {
+                const result = await listener.onRoutingActionSelected(this, envelope, currentAction, state, context);
+                // null/undefined => treat as denial, execute Drop
+                if (result == null) {
+                    return new Drop();
+                }
+                // Update current action for next listener in chain
+                currentAction = result;
+            }
+            catch (error) {
+                // Hook threw => treat as denial, execute Drop
+                logger.warning('routing_action_hook_error', {
+                    envp_id: envelope.id,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                return new Drop();
+            }
+        }
+        return currentAction;
+    }
     static async aserve(options = {}) {
         const { logLevel, rootConfig, config, node = null, fabric: providedFabric = null, signals = ['SIGINT', 'SIGTERM'], signal, ...fabricOptions } = options;
         const resolvedLevel = normalizeServeLogLevel(logLevel) ?? LogLevel.INFO;

package/dist/esm/naylence/fame/util/register-runtime-factories.js

@@ -7,6 +7,8 @@ const NODE_ONLY_FACTORY_MODULES = new Set([
     './connector/websocket-listener-factory.js',
     './telemetry/open-telemetry-trace-emitter-factory.js',
     './security/credential/prompt-credential-provider-factory.js',
+    './security/auth/default-policy-authorizer-factory.js',
+    './security/auth/policy/local-file-authorization-policy-source-factory.js',
 ]);
 const BROWSER_ONLY_FACTORY_MODULES = new Set([
     './security/auth/oauth2-pkce-token-provider-factory.js',

package/dist/esm/version.js

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.21
+// Generated from package.json version: 0.4.0
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.3.21';
+export const VERSION = '0.4.0';