npm - @naylence/runtime - Versions diffs - 0.3.21 → 0.4.1 - Mend

@naylence/runtime 0.3.21 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/dist/types/naylence/fame/security/auth/policy/basic-authorization-policy-factory.d.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * Factory for creating BasicAuthorizationPolicy instances.
+ */
+import type { AuthorizationPolicyDefinition } from './authorization-policy-definition.js';
+import type { AuthorizationPolicy } from './authorization-policy.js';
+import { AuthorizationPolicyFactory, type AuthorizationPolicyConfig } from './authorization-policy-factory.js';
+/**
+ * Configuration for creating a BasicAuthorizationPolicy via factory.
+ */
+export interface BasicAuthorizationPolicyConfig extends AuthorizationPolicyConfig {
+    type: 'BasicAuthorizationPolicy';
+    /**
+     * The policy definition to evaluate.
+     */
+    policyDefinition: AuthorizationPolicyDefinition;
+    /**
+     * Whether to log warnings for unknown fields.
+     * @default true
+     */
+    warnOnUnknownFields?: boolean;
+}
+/**
+ * Factory metadata for registration.
+ */
+export declare const FACTORY_META: {
+    readonly base: "AuthorizationPolicyFactory";
+    readonly key: "BasicAuthorizationPolicy";
+};
+/**
+ * Factory for creating BasicAuthorizationPolicy instances.
+ */
+export declare class BasicAuthorizationPolicyFactory extends AuthorizationPolicyFactory<BasicAuthorizationPolicyConfig> {
+    readonly type = "BasicAuthorizationPolicy";
+    /**
+     * Creates a BasicAuthorizationPolicy from the given configuration.
+     *
+     * @param config - Configuration with policyDefinition
+     * @returns The created authorization policy
+     */
+    create(config?: BasicAuthorizationPolicyConfig | Record<string, unknown> | null): Promise<AuthorizationPolicy>;
+}
+export default BasicAuthorizationPolicyFactory;

package/dist/types/naylence/fame/security/auth/policy/basic-authorization-policy.d.ts ADDED Viewed

@@ -0,0 +1,78 @@
+/**
+ * Basic authorization policy implementation.
+ *
+ * Evaluates authorization rules defined in YAML/JSON policy files.
+ * Uses first-match-wins semantics with glob/regex pattern matching.
+ */
+import type { FameDeliveryContext, FameEnvelope } from '@naylence/core';
+import type { NodeLike } from '../../../node/node-like.js';
+import type { AuthorizationPolicy, AuthorizationDecision } from './authorization-policy.js';
+import type { AuthorizationPolicyDefinition, RuleAction } from './authorization-policy-definition.js';
+/**
+ * Options for creating a BasicAuthorizationPolicy.
+ */
+export interface BasicAuthorizationPolicyOptions {
+    /**
+     * The policy definition to evaluate.
+     */
+    policyDefinition: AuthorizationPolicyDefinition;
+    /**
+     * Whether to log warnings for unknown fields.
+     * @default true
+     */
+    warnOnUnknownFields?: boolean;
+}
+/**
+ * Basic authorization policy that evaluates rules from a policy definition.
+ *
+ * Features:
+ * - First-match-wins rule evaluation
+ * - Glob and regex pattern matching for addresses
+ * - Scope matching with any_of/all_of/none_of operators
+ * - Action-based filtering (connect, send, receive)
+ */
+export declare class BasicAuthorizationPolicy implements AuthorizationPolicy {
+    private readonly defaultEffect;
+    private readonly compiledRules;
+    constructor(options: BasicAuthorizationPolicyOptions);
+    /**
+     * Evaluates the policy against a request with an explicitly provided action.
+     *
+     * @param _node - The node handling the request (unused in basic policy)
+     * @param envelope - The FAME envelope being authorized
+     * @param context - Optional delivery context with authorization info
+     * @param action - The authorization action token (required, no inference)
+     * @returns Authorization decision indicating allow/deny
+     */
+    evaluateRequest(_node: NodeLike, envelope: FameEnvelope, context?: FameDeliveryContext, action?: RuleAction): Promise<AuthorizationDecision>;
+    private validateDefaultEffect;
+    private warnUnknownPolicyFields;
+    private compileRules;
+    private compileRule;
+    /**
+     * Compiles action field into a Set of valid actions.
+     * Supports single RuleAction or array of RuleAction (implicit any-of).
+     */
+    private compileActions;
+    /**
+     * Compiles address field into an array of glob matchers.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no address gating).
+     *
+     * All patterns are treated as globs - `^` prefix is rejected as an error.
+     */
+    private compileAddress;
+    /**
+     * Compiles frame_type field into a Set of normalized frame types.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no frame type gating).
+     */
+    private compileFrameTypes;
+    /**
+     * Compiles origin_type field into a Set of normalized origin types.
+     * Supports single string or array of strings (implicit any-of).
+     * Returns undefined if not specified (no origin type gating).
+     * Valid values: 'downstream', 'upstream', 'peer', 'local' (case-insensitive).
+     */
+    private compileOriginTypes;
+}

package/dist/types/naylence/fame/security/auth/policy/index.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Authorization policy module exports.
+ *
+ * This module provides interfaces and factories for pluggable authorization policies.
+ */
+export * from './authorization-policy.js';
+export * from './authorization-policy-source.js';
+export * from './authorization-policy-definition.js';
+export { compilePattern, compileGlobPattern, getCompiledGlobPattern, matchPattern, isRegexPattern, assertNotRegexPattern, } from './pattern-matcher.js';
+export type { CompiledPattern } from './pattern-matcher.js';
+export { evaluateScopeRequirement, compileScopeRequirement, normalizeScopeRequirement, compileGlobOnlyScopeRequirement, } from './scope-matcher.js';
+export { AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AuthorizationPolicyFactory, } from './authorization-policy-factory.js';
+export type * from './authorization-policy-factory.js';
+export { AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AuthorizationPolicySourceFactory, } from './authorization-policy-source-factory.js';
+export type * from './authorization-policy-source-factory.js';
+export { BasicAuthorizationPolicy } from './basic-authorization-policy.js';
+export type { BasicAuthorizationPolicyOptions } from './basic-authorization-policy.js';
+export { BasicAuthorizationPolicyFactory } from './basic-authorization-policy-factory.js';
+export type { BasicAuthorizationPolicyConfig } from './basic-authorization-policy-factory.js';

package/dist/types/naylence/fame/security/auth/policy/local-file-authorization-policy-source-factory.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import type { AuthorizationPolicySource } from './authorization-policy-source.js';
+import { AuthorizationPolicySourceFactory, type AuthorizationPolicySourceConfig } from './authorization-policy-source-factory.js';
+import type { AuthorizationPolicyConfig } from './authorization-policy-factory.js';
+/**
+ * Configuration for LocalFileAuthorizationPolicySource.
+ */
+export interface LocalFileAuthorizationPolicySourceConfig extends AuthorizationPolicySourceConfig {
+    type: 'LocalFileAuthorizationPolicySource';
+    /**
+     * Path to the policy file (YAML or JSON).
+     */
+    path: string;
+    /**
+     * Format of the policy file.
+     * If not specified, auto-detects from file extension.
+     * @default 'auto'
+     */
+    format?: 'yaml' | 'json' | 'auto';
+    /**
+     * Configuration for the policy factory to use when parsing the loaded file.
+     * Determines which AuthorizationPolicy implementation is created.
+     *
+     * If not specified, the policy definition from the file is used directly
+     * as the factory configuration (must include a 'type' field).
+     */
+    policyFactory?: AuthorizationPolicyConfig | Record<string, unknown>;
+}
+/**
+ * Factory metadata for registration.
+ */
+export declare const FACTORY_META: {
+    readonly base: "AuthorizationPolicySourceFactory";
+    readonly key: "LocalFileAuthorizationPolicySource";
+};
+/**
+ * Factory for creating LocalFileAuthorizationPolicySource instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code (filesystem operations) in browser environments.
+ */
+export declare class LocalFileAuthorizationPolicySourceFactory extends AuthorizationPolicySourceFactory<LocalFileAuthorizationPolicySourceConfig> {
+    readonly type = "LocalFileAuthorizationPolicySource";
+    /**
+     * Creates a LocalFileAuthorizationPolicySource from the given configuration.
+     *
+     * @param config - Configuration specifying the policy file path and options
+     * @returns The created policy source
+     */
+    create(config?: LocalFileAuthorizationPolicySourceConfig | Record<string, unknown> | null): Promise<AuthorizationPolicySource>;
+}
+export default LocalFileAuthorizationPolicySourceFactory;

package/dist/types/naylence/fame/security/auth/policy/local-file-authorization-policy-source.d.ts ADDED Viewed

@@ -0,0 +1,67 @@
+import type { AuthorizationPolicy } from './authorization-policy.js';
+import { type AuthorizationPolicyConfig } from './authorization-policy-factory.js';
+import type { AuthorizationPolicySource } from './authorization-policy-source.js';
+/**
+ * Format of the policy file.
+ */
+export type PolicyFileFormat = 'yaml' | 'json' | 'auto';
+/**
+ * Configuration options for LocalFileAuthorizationPolicySource.
+ */
+export interface LocalFileAuthorizationPolicySourceOptions {
+    /**
+     * Path to the policy file.
+     */
+    path: string;
+    /**
+     * Format of the policy file.
+     * If 'auto', the format is detected from the file extension.
+     * @default 'auto'
+     */
+    format?: PolicyFileFormat;
+    /**
+     * Configuration for the policy factory to use when parsing the loaded file.
+     * Determines which AuthorizationPolicy implementation is created from the
+     * loaded policy definition.
+     *
+     * If not specified, the policy definition from the file is used directly
+     * as the factory configuration (must include a 'type' field).
+     */
+    policyFactory?: AuthorizationPolicyConfig | Record<string, unknown>;
+}
+/**
+ * An authorization policy source that loads policy definitions from a local file.
+ *
+ * Supports YAML and JSON formats. The file must contain a valid policy
+ * configuration object that can be used to create an AuthorizationPolicy
+ * via the factory system.
+ *
+ * This is a Node.js-only implementation that uses the filesystem.
+ */
+export declare class LocalFileAuthorizationPolicySource implements AuthorizationPolicySource {
+    private readonly path;
+    private readonly format;
+    private readonly policyFactoryConfig;
+    private cachedPolicy;
+    constructor(options: LocalFileAuthorizationPolicySourceOptions);
+    /**
+     * Loads the authorization policy from the configured file.
+     *
+     * The file is read and parsed according to the configured format.
+     * The parsed content is then used to create an AuthorizationPolicy
+     * via the factory system.
+     *
+     * @returns The loaded authorization policy
+     */
+    loadPolicy(): Promise<AuthorizationPolicy>;
+    /**
+     * Clears the cached policy, forcing a reload on the next loadPolicy() call.
+     */
+    clearCache(): void;
+    /**
+     * Reloads the policy from the file, clearing any cached version.
+     *
+     * @returns The reloaded authorization policy
+     */
+    reloadPolicy(): Promise<AuthorizationPolicy>;
+}

package/dist/types/naylence/fame/security/auth/policy/pattern-matcher.d.ts ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * Pattern matching utilities for authorization policies.
+ *
+ * Supports:
+ * - Glob patterns: `*` (single segment), `**` (any depth), `?` (single char)
+ * - Regex patterns: patterns starting with `^` (for advanced/BSL use only)
+ *
+ * The OSS/basic policy uses glob-only matching via `compileGlobPattern()`.
+ * The advanced/BSL policy may use `compilePattern()` which interprets `^` as regex.
+ */
+/**
+ * Compiled pattern for efficient repeated matching.
+ */
+export interface CompiledPattern {
+    readonly source: string;
+    readonly isRegex: boolean;
+    match(value: string): boolean;
+}
+/**
+ * Checks if a pattern string is a regex pattern.
+ * Regex patterns start with `^`.
+ */
+export declare function isRegexPattern(pattern: string): boolean;
+/**
+ * Asserts that a pattern is not a regex pattern.
+ * Throws an error if the pattern starts with `^`.
+ *
+ * Use this in OSS/basic policy to reject regex patterns.
+ *
+ * @param pattern - The pattern to check
+ * @param context - Optional context for the error message (e.g., "address", "scope")
+ * @throws Error if the pattern is a regex pattern
+ */
+export declare function assertNotRegexPattern(pattern: string, context?: string): void;
+/**
+ * Compiles a pattern string into an efficient matcher.
+ *
+ * @param pattern - Glob pattern or regex (starting with `^`)
+ * @returns A compiled pattern object
+ * @throws Error if the regex pattern is invalid
+ */
+export declare function compilePattern(pattern: string): CompiledPattern;
+/**
+ * Compiles a pattern string as a glob pattern only (no regex interpretation).
+ *
+ * This is the preferred method for OSS/basic policy evaluation.
+ * Patterns starting with `^` are rejected with an error.
+ *
+ * @param pattern - Glob pattern (regex patterns rejected)
+ * @param context - Optional context for error messages
+ * @returns A compiled pattern object
+ * @throws Error if pattern starts with `^` (regex attempt)
+ */
+export declare function compileGlobPattern(pattern: string, context?: string): CompiledPattern;
+/**
+ * Gets or compiles a pattern, with caching.
+ *
+ * @param pattern - Glob pattern or regex
+ * @returns A compiled pattern object
+ */
+export declare function getCompiledPattern(pattern: string): CompiledPattern;
+/**
+ * Gets or compiles a glob-only pattern, with caching.
+ *
+ * This is the preferred method for OSS/basic policy evaluation.
+ * Patterns are always treated as globs, never regex.
+ *
+ * @param pattern - Glob pattern (never interpreted as regex)
+ * @returns A compiled pattern object
+ */
+export declare function getCompiledGlobPattern(pattern: string): CompiledPattern;
+/**
+ * Matches a value against a pattern string.
+ *
+ * @param pattern - Glob pattern or regex (starting with `^`)
+ * @param value - The value to match
+ * @returns True if the value matches the pattern
+ */
+export declare function matchPattern(pattern: string, value: string): boolean;
+/**
+ * Clears the pattern cache.
+ * Useful for testing or when memory is a concern.
+ */
+export declare function clearPatternCache(): void;

package/dist/types/naylence/fame/security/auth/policy/scope-matcher.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Scope matching utilities for authorization policies.
+ *
+ * Supports:
+ * - Simple string patterns (glob only in OSS/basic policy)
+ * - Logical operators: any_of, all_of, none_of
+ * - Recursive nesting with depth limits
+ */
+import type { ScopeRequirement, NormalizedScopeRequirement } from './authorization-policy-definition.js';
+/**
+ * Normalizes a scope requirement into a typed structure.
+ *
+ * @param requirement - The scope requirement to normalize
+ * @param depth - Current nesting depth (for recursion limit)
+ * @returns Normalized scope requirement
+ * @throws Error if nesting exceeds maximum depth
+ */
+export declare function normalizeScopeRequirement(requirement: ScopeRequirement, depth?: number): NormalizedScopeRequirement;
+/**
+ * Evaluates a normalized scope requirement against granted scopes.
+ *
+ * @param requirement - The normalized scope requirement
+ * @param grantedScopes - The scopes granted to the principal
+ * @returns True if the requirement is satisfied
+ */
+export declare function evaluateNormalizedScopeRequirement(requirement: NormalizedScopeRequirement, grantedScopes: readonly string[]): boolean;
+/**
+ * Evaluates a scope requirement against granted scopes.
+ *
+ * This is the main entry point for scope matching.
+ *
+ * @param requirement - The scope requirement (string or object)
+ * @param grantedScopes - The scopes granted to the principal
+ * @returns True if the requirement is satisfied
+ */
+export declare function evaluateScopeRequirement(requirement: ScopeRequirement, grantedScopes: readonly string[]): boolean;
+/**
+ * Pre-compiles a scope requirement for efficient repeated evaluation.
+ *
+ * @param requirement - The scope requirement to compile
+ * @returns A function that evaluates the requirement against granted scopes
+ */
+export declare function compileScopeRequirement(requirement: ScopeRequirement): (grantedScopes: readonly string[]) => boolean;
+/**
+ * Compiled scope requirement for efficient repeated evaluation with glob-only patterns.
+ */
+interface CompiledScopeRequirement {
+    evaluate: (grantedScopes: readonly string[]) => boolean;
+}
+/**
+ * Pre-compiles a scope requirement for OSS/basic policy (glob-only, no regex).
+ *
+ * This version rejects patterns starting with `^` at compile time.
+ *
+ * @param requirement - The scope requirement to compile
+ * @param ruleId - Rule ID for error messages
+ * @returns A compiled scope requirement
+ * @throws Error if any pattern starts with `^` (regex attempt)
+ */
+export declare function compileGlobOnlyScopeRequirement(requirement: ScopeRequirement, ruleId: string): CompiledScopeRequirement;
+export {};

package/dist/types/naylence/fame/security/auth/policy-authorizer.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Authorizer } from './authorizer.js';
+import type { AuthorizationPolicy } from './policy/authorization-policy.js';
+/**
+ * An authorizer that delegates authorization decisions to a pluggable policy.
+ *
+ * This interface extends the base `Authorizer` interface and adds access
+ * to the underlying `AuthorizationPolicy` for inspection or debugging.
+ */
+export interface PolicyAuthorizer extends Authorizer {
+    /** The currently active authorization policy */
+    readonly policy: AuthorizationPolicy;
+}

package/dist/types/naylence/fame/security/default-security-manager.d.ts CHANGED Viewed

@@ -14,6 +14,7 @@ import type { AttachInfo } from '../node/admission/node-attach-client.js';
 import type { NodeLike } from '../node/node-like.js';
 import { EnvelopeSecurityHandler } from '../node/envelope-security-handler.js';
 import { SecureChannelFrameHandler } from '../node/secure-channel-frame-handler.js';
+import { type RouterState, type RoutingAction } from '../sentinel/router.js';
 export declare class DefaultSecurityManager implements SecurityManager {
     readonly priority = 2000;
     private _policy;
@@ -58,6 +59,27 @@ export declare class DefaultSecurityManager implements SecurityManager {
     onDeliverLocal(node: NodeLike, address: FameAddress, envelope: FameEnvelope, context?: FameDeliveryContext): Promise<FameEnvelope | null>;
     onDeliver(_node: NodeLike, envelope: FameEnvelope, context?: FameDeliveryContext): Promise<FameEnvelope | null>;
     onForwardUpstream(_node: NodeLike, envelope: FameEnvelope, context?: FameDeliveryContext): Promise<FameEnvelope | null>;
+    /**
+     * Route authorization hook - invoked after routing policy selects an action.
+     *
+     * This method provides centralized route authorization by:
+     * 1. Mapping the RoutingAction to an authorization action token
+     * 2. Calling authorizer.authorizeRoute() if available
+     * 3. Returning a Deny action on authorization failure (opaque on wire)
+     *
+     * @param node - The node performing the routing
+     * @param envelope - The envelope being routed
+     * @param selected - The RoutingAction selected by routing policy
+     * @param state - The current router state
+     * @param context - Optional delivery context
+     * @returns The action to execute (selected if authorized, Deny if denied)
+     */
+    onRoutingActionSelected(node: NodeLike, envelope: FameEnvelope, selected: RoutingAction, _state: RouterState, context?: FameDeliveryContext | null): Promise<RoutingAction | null | undefined>;
+    /**
+     * Gets the NACK disclosure mode from configuration.
+     * Default is 'opaque' to avoid leaking route existence.
+     */
+    private getNackDisclosureMode;
     onForwardToRoute(node: NodeLike, nextSegment: string, envelope: FameEnvelope, context?: FameDeliveryContext): Promise<FameEnvelope | null>;
     onForwardToPeer(node: NodeLike, peerSegment: string, envelope: FameEnvelope, context?: FameDeliveryContext): Promise<FameEnvelope | null>;
     onForwardToPeers(node: NodeLike, envelope: FameEnvelope, peers?: unknown, excludePeers?: unknown, context?: FameDeliveryContext): Promise<FameEnvelope | null>;

package/dist/types/naylence/fame/security/index.d.ts CHANGED Viewed

@@ -1,8 +1,12 @@
 export * from './auth/authorizer.js';
 export * from './auth/auth-identity.js';
+export * from './auth/policy-authorizer.js';
 export { AUTHORIZER_FACTORY_BASE_TYPE, AuthorizerFactory, } from './auth/authorizer-factory.js';
 export type * from './auth/authorizer-factory.js';
+export { AuthorizationProfileFactory, PROFILE_NAME_DEFAULT as AUTH_PROFILE_NAME_DEFAULT, PROFILE_NAME_OAUTH2 as AUTH_PROFILE_NAME_OAUTH2, PROFILE_NAME_OAUTH2_GATED as AUTH_PROFILE_NAME_OAUTH2_GATED, PROFILE_NAME_OAUTH2_CALLBACK as AUTH_PROFILE_NAME_OAUTH2_CALLBACK, PROFILE_NAME_NOOP as AUTH_PROFILE_NAME_NOOP, ENV_VAR_JWT_TRUSTED_ISSUER as AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_JWT_ALGORITHM as AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE as AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWKS_URL as AUTH_PROFILE_ENV_VAR_JWKS_URL, ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY as AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, ENV_VAR_TRUSTED_CLIENT_SCOPE as AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_HMAC_SECRET as AUTH_PROFILE_ENV_VAR_HMAC_SECRET, } from './auth/authorization-profile-factory.js';
+export type { AuthorizationProfileConfig } from './auth/authorization-profile-factory.js';
 export * from './auth/auth-injection-strategy.js';
+export * from './auth/policy/index.js';
 export { AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, AuthInjectionStrategyFactory, } from './auth/auth-injection-strategy-factory.js';
 export type * from './auth/auth-injection-strategy-factory.js';
 export * from './auth/token-issuer.js';
@@ -76,4 +80,4 @@ export * from './credential/browser-auto-key-credential-provider.js';
 export * from './credential/browser-wrapped-key-credential-provider.js';
 export * from './credential/session-key-credential-provider.js';
 export * from './credential/dev-fixed-key-credential-provider.js';
-export { ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWKS_URL, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, PROFILE_NAME_STRICT_OVERLAY, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN, } from './node-security-profile-factory.js';
+export { ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWKS_URL, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_AUTHORIZATION_PROFILE, PROFILE_NAME_STRICT_OVERLAY, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN, } from './node-security-profile-factory.js';

package/dist/types/naylence/fame/security/node-security-profile-factory.d.ts CHANGED Viewed

@@ -11,6 +11,8 @@ export declare const ENV_VAR_HMAC_SECRET = "FAME_HMAC_SECRET";
 export declare const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = "FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER";
 export declare const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = "FAME_JWT_REVERSE_AUTH_AUDIENCE";
 export declare const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = "FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY";
+export declare const ENV_VAR_TRUSTED_CLIENT_SCOPE = "FAME_TRUSTED_CLIENT_SCOPE";
+export declare const ENV_VAR_AUTHORIZATION_PROFILE = "FAME_AUTHORIZATION_PROFILE";
 export declare const PROFILE_NAME_STRICT_OVERLAY = "strict-overlay";
 export declare const PROFILE_NAME_OVERLAY = "overlay";
 export declare const PROFILE_NAME_OVERLAY_CALLBACK = "overlay-callback";

package/dist/types/naylence/fame/sentinel/router.d.ts CHANGED Viewed

@@ -55,6 +55,74 @@ export declare class ForwardPeer implements RoutingAction {
     constructor(segment: string);
     execute(envelope: FameEnvelope, router: RoutingNodeLike, state: RouterState, context?: FameDeliveryContext | null): Promise<void>;
 }
+/**
+ * Nack disclosure mode for authorization denials.
+ * - 'opaque': Emit generic NO_ROUTE (default, does not leak route existence)
+ * - 'verbose': Emit UNAUTHORIZED_ROUTE (only if safe to disclose)
+ */
+export type NackDisclosureMode = 'opaque' | 'verbose';
+/**
+ * Options for creating a Deny action.
+ */
+export interface DenyOptions {
+    /**
+     * Internal reason for denial (logged but not sent on wire).
+     */
+    internalReason: string;
+    /**
+     * The action token that was denied.
+     */
+    deniedAction?: string;
+    /**
+     * Matched rule ID (for logging/audit).
+     */
+    matchedRule?: string;
+    /**
+     * Additional context for internal logging.
+     */
+    context?: Record<string, unknown>;
+    /**
+     * Nack disclosure mode.
+     * @default 'opaque'
+     */
+    disclosure?: NackDisclosureMode;
+}
+/**
+ * RoutingAction that denies an envelope due to authorization failure.
+ *
+ * Emits an opaque NO_ROUTE NACK on wire (by default) to avoid leaking
+ * route existence, while logging the true denial reason internally.
+ */
+export declare class Deny implements RoutingAction {
+    private readonly options;
+    constructor(options: DenyOptions);
+    execute(envelope: FameEnvelope, router: RoutingNodeLike, state: RouterState, context?: FameDeliveryContext | null): Promise<void>;
+}
+/**
+ * Route-oriented authorization action tokens.
+ *
+ * These tokens map RoutingAction instances to policy-friendly action names:
+ * - ForwardUp -> 'ForwardUpstream'
+ * - ForwardChild -> 'ForwardDownstream'
+ * - ForwardPeer -> 'ForwardPeer'
+ * - DeliverLocal -> 'DeliverLocal'
+ * - Drop/Deny -> null (no authorization needed, already terminal)
+ */
+export type AuthorizationAction = 'Connect' | 'ForwardUpstream' | 'ForwardDownstream' | 'ForwardPeer' | 'DeliverLocal';
+/**
+ * Maps a RoutingAction instance to an authorization action token.
+ *
+ * This function uses instanceof checks to determine the action type,
+ * avoiding the need to expose action objects to the authorizer.
+ *
+ * For unknown/custom RoutingAction types, returns null. Callers should
+ * treat null as "deny by default" for security (unknown actions are not
+ * authorized).
+ *
+ * @param action - The RoutingAction instance to map
+ * @returns The authorization action token, or null for terminal/unknown actions
+ */
+export declare function mapRoutingActionToAuthorizationAction(action: RoutingAction): AuthorizationAction | null;
 export interface RouterCapabilitiesMap {
     [capability: string]: Record<string, string>;
 }

package/dist/types/naylence/fame/sentinel/sentinel.d.ts CHANGED Viewed

@@ -99,6 +99,22 @@ export declare class Sentinel extends FameNode implements RoutingNodeLike {
     private onEpochChange;
     private propagateAddressBindingsUpstream;
     private bindAddressUpstream;
+    /**
+     * Dispatches the onRoutingActionSelected event to all event listeners.
+     *
+     * This allows listeners (like DefaultSecurityManager) to authorize
+     * routing actions and optionally replace them with Deny actions.
+     *
+     * The hook must return the RoutingAction to execute. If a listener returns
+     * null, undefined, or throws, the router will execute a Drop action.
+     *
+     * @param envelope - The envelope being routed
+     * @param selected - The RoutingAction selected by the routing policy
+     * @param state - The current router state
+     * @param context - Optional delivery context
+     * @returns The RoutingAction to execute (never null/undefined)
+     */
+    private dispatchRoutingActionSelected;
     static aserve(options?: SentinelServeOptions): Promise<void>;
 }
 export {};

package/dist/types/version.d.ts CHANGED Viewed

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.3.21";
+export declare const VERSION = "0.4.1";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.3.21",
+  "version": "0.4.1",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",