@naylence/runtime 0.3.21 → 0.4.1

package/dist/cjs/naylence/fame/factory-manifest.js

@@ -63,8 +63,10 @@ exports.MODULES = [
     "./node/node-identity-policy-profile-factory.js",
     "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
+    "./security/auth/authorization-profile-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
+    "./security/auth/default-policy-authorizer-factory.js",
     "./security/auth/jwks-jwt-token-verifier-factory.js",
     "./security/auth/jwt-token-issuer-factory.js",
     "./security/auth/jwt-token-verifier-factory.js",
@@ -76,6 +78,8 @@ exports.MODULES = [
     "./security/auth/oauth2-authorizer-factory.js",
     "./security/auth/oauth2-client-credentials-token-provider-factory.js",
     "./security/auth/oauth2-pkce-token-provider-factory.js",
+    "./security/auth/policy/basic-authorization-policy-factory.js",
+    "./security/auth/policy/local-file-authorization-policy-source-factory.js",
     "./security/auth/query-param-auth-injection-strategy-factory.js",
     "./security/auth/shared-secret-authorizer-factory.js",
     "./security/auth/shared-secret-token-provider-factory.js",
@@ -142,8 +146,10 @@ exports.MODULE_LOADERS = {
     "./node/node-identity-policy-profile-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/node-identity-policy-profile-factory.js"))),
     "./node/token-subject-node-identity-policy-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/token-subject-node-identity-policy-factory.js"))),
     "./placement/static-node-placement-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./placement/static-node-placement-strategy-factory.js"))),
+    "./security/auth/authorization-profile-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/authorization-profile-factory.js"))),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/bearer-token-header-auth-injection-strategy-factory.js"))),
     "./security/auth/default-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/default-authorizer-factory.js"))),
+    "./security/auth/default-policy-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/default-policy-authorizer-factory.js"))),
     "./security/auth/jwks-jwt-token-verifier-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/jwks-jwt-token-verifier-factory.js"))),
     "./security/auth/jwt-token-issuer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/jwt-token-issuer-factory.js"))),
     "./security/auth/jwt-token-verifier-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/jwt-token-verifier-factory.js"))),
@@ -155,6 +161,8 @@ exports.MODULE_LOADERS = {
     "./security/auth/oauth2-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/oauth2-authorizer-factory.js"))),
     "./security/auth/oauth2-client-credentials-token-provider-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/oauth2-client-credentials-token-provider-factory.js"))),
     "./security/auth/oauth2-pkce-token-provider-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/oauth2-pkce-token-provider-factory.js"))),
+    "./security/auth/policy/basic-authorization-policy-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/policy/basic-authorization-policy-factory.js"))),
+    "./security/auth/policy/local-file-authorization-policy-source-factory.js": () => Promise.resolve().then(() => __importStar(require(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/policy/local-file-authorization-policy-source-factory.js"))),
     "./security/auth/query-param-auth-injection-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/query-param-auth-injection-strategy-factory.js"))),
     "./security/auth/shared-secret-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/shared-secret-authorizer-factory.js"))),
     "./security/auth/shared-secret-token-provider-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/shared-secret-token-provider-factory.js"))),

package/dist/cjs/naylence/fame/node/node-event-listener.js

@@ -48,6 +48,10 @@ class BaseNodeEventListener {
         // Default implementation passes envelope through unchanged
         return envelope;
     }
+    async onRoutingActionSelected(_node, _envelope, selected, _state, _context) {
+        // Default implementation returns the selected action unchanged
+        return selected;
+    }
     async onForwardUpstream(_node, envelope, _context) {
         // Default implementation passes envelope through unchanged
         return envelope;

package/dist/cjs/naylence/fame/security/auth/authorization-profile-factory.js

@@ -0,0 +1,165 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationProfileFactory = exports.FACTORY_META = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = exports.PROFILE_NAME_NOOP = exports.PROFILE_NAME_OAUTH2_CALLBACK = exports.PROFILE_NAME_OAUTH2_GATED = exports.PROFILE_NAME_OAUTH2 = exports.PROFILE_NAME_DEFAULT = void 0;
+const factory_1 = require("@naylence/factory");
+const logging_js_1 = require("../../util/logging.js");
+const authorizer_factory_js_1 = require("./authorizer-factory.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.security.auth.authorization_profile_factory');
+exports.PROFILE_NAME_DEFAULT = 'jwt';
+exports.PROFILE_NAME_OAUTH2 = 'oauth2';
+exports.PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
+exports.PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+exports.PROFILE_NAME_NOOP = 'noop';
+exports.ENV_VAR_JWT_TRUSTED_ISSUER = 'FAME_JWT_TRUSTED_ISSUER';
+exports.ENV_VAR_JWT_ALGORITHM = 'FAME_JWT_ALGORITHM';
+exports.ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
+exports.ENV_VAR_JWKS_URL = 'FAME_JWKS_URL';
+exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
+exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+exports.ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
+const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
+const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_PROFILE = {
+    type: 'DefaultAuthorizer',
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
+        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
+    },
+};
+const OAUTH2_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
+    required_scopes: ['node.connect'],
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
+    audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
+};
+const OAUTH2_GATED_PROFILE = {
+    ...OAUTH2_PROFILE,
+    enforce_token_subject_node_identity: factory_1.Expressions.env(exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
+    trusted_client_scope: factory_1.Expressions.env(exports.ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+};
+const OAUTH2_CALLBACK_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+    audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    reverse_auth_ttl_sec: 86400,
+    token_verifier_config: {
+        type: 'JWTTokenVerifier',
+        algorithm: 'HS256',
+        hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
+        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+    },
+    token_issuer_config: {
+        type: 'JWTTokenIssuer',
+        algorithm: 'HS256',
+        hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
+        kid: 'hmac-reverse-auth-key',
+        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
+    },
+};
+const NOOP_PROFILE = {
+    type: 'NoopAuthorizer',
+};
+const PROFILE_MAP = {
+    [exports.PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [exports.PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
+    [exports.PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
+    [exports.PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [exports.PROFILE_NAME_NOOP]: NOOP_PROFILE,
+};
+const PROFILE_ALIASES = {
+    jwt: exports.PROFILE_NAME_DEFAULT,
+    jwks: exports.PROFILE_NAME_DEFAULT,
+    default: exports.PROFILE_NAME_DEFAULT,
+    oauth2: exports.PROFILE_NAME_OAUTH2,
+    oidc: exports.PROFILE_NAME_OAUTH2,
+    'oauth2-gated': exports.PROFILE_NAME_OAUTH2_GATED,
+    oauth2_gated: exports.PROFILE_NAME_OAUTH2_GATED,
+    'oauth2-callback': exports.PROFILE_NAME_OAUTH2_CALLBACK,
+    oauth2_callback: exports.PROFILE_NAME_OAUTH2_CALLBACK,
+    'reverse-auth': exports.PROFILE_NAME_OAUTH2_CALLBACK,
+    noop: exports.PROFILE_NAME_NOOP,
+    'no-op': exports.PROFILE_NAME_NOOP,
+    no_op: exports.PROFILE_NAME_NOOP,
+};
+exports.FACTORY_META = {
+    base: authorizer_factory_js_1.AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'AuthorizationProfile',
+};
+class AuthorizationProfileFactory extends authorizer_factory_js_1.AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'AuthorizationProfile';
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig(config);
+        const profileConfig = resolveProfileConfig(normalized.profile);
+        logger.debug('enabling_authorization_profile', {
+            profile: normalized.profile,
+        });
+        const authorizer = await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        if (!authorizer) {
+            throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
+        }
+        return authorizer;
+    }
+}
+exports.AuthorizationProfileFactory = AuthorizationProfileFactory;
+function normalizeConfig(config) {
+    if (!config) {
+        return { profile: exports.PROFILE_NAME_OAUTH2 };
+    }
+    const candidate = config;
+    const profileValue = resolveProfileName(candidate);
+    const canonicalProfile = canonicalizeProfileName(profileValue);
+    candidate.profile = canonicalProfile;
+    return { profile: canonicalProfile };
+}
+function resolveProfileName(candidate) {
+    const direct = coerceProfileString(candidate.profile);
+    if (direct) {
+        return direct;
+    }
+    const legacyKeys = ['profile_name', 'profileName'];
+    for (const legacyKey of legacyKeys) {
+        const legacyValue = coerceProfileString(candidate[legacyKey]);
+        if (legacyValue) {
+            return legacyValue;
+        }
+    }
+    return exports.PROFILE_NAME_OAUTH2;
+}
+function coerceProfileString(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function canonicalizeProfileName(value) {
+    const normalized = value.replace(/[\s_]+/g, '-').toLowerCase();
+    return PROFILE_ALIASES[normalized] ?? normalized;
+}
+function resolveProfileConfig(profileName) {
+    const profile = PROFILE_MAP[profileName];
+    if (!profile) {
+        throw new Error(`Unknown authorization profile: ${profileName}`);
+    }
+    return deepClone(profile);
+}
+function deepClone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+exports.default = AuthorizationProfileFactory;

package/dist/cjs/naylence/fame/security/auth/default-policy-authorizer-factory.js

@@ -0,0 +1,147 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultPolicyAuthorizerFactory = exports.FACTORY_META = void 0;
+const lazy_import_js_1 = require("../../util/lazy-import.js");
+const authorizer_factory_js_1 = require("./authorizer-factory.js");
+const token_verifier_factory_js_1 = require("./token-verifier-factory.js");
+const authorization_policy_source_factory_js_1 = require("./policy/authorization-policy-source-factory.js");
+const authorization_policy_factory_js_1 = require("./policy/authorization-policy-factory.js");
+let defaultPolicyAuthorizerModulePromise = null;
+async function getDefaultPolicyAuthorizerModule() {
+    if (!defaultPolicyAuthorizerModulePromise) {
+        defaultPolicyAuthorizerModulePromise = (0, lazy_import_js_1.safeImport)(() => Promise.resolve().then(() => __importStar(require('./default-policy-authorizer.js'))), 'default-policy-authorizer');
+    }
+    return defaultPolicyAuthorizerModulePromise;
+}
+function normalizeConfig(config) {
+    if (!config) {
+        return {};
+    }
+    const candidate = config;
+    const verifierConfig = candidate.verifier ?? null;
+    if (verifierConfig && typeof verifierConfig !== 'object') {
+        throw new Error('PolicyAuthorizer verifier configuration must be an object');
+    }
+    const policyConfig = candidate.policy ?? null;
+    if (policyConfig && typeof policyConfig !== 'object') {
+        throw new Error('PolicyAuthorizer policy configuration must be an object');
+    }
+    const policySourceConfig = candidate.policySource ?? candidate.policy_source ?? null;
+    if (policySourceConfig && typeof policySourceConfig !== 'object') {
+        throw new Error('PolicyAuthorizer policySource configuration must be an object');
+    }
+    return {
+        verifier: verifierConfig,
+        policy: policyConfig,
+        policySource: policySourceConfig,
+    };
+}
+function isTokenVerifier(candidate) {
+    return Boolean(candidate && typeof candidate.verify === 'function');
+}
+function isAuthorizationPolicy(candidate) {
+    return Boolean(candidate &&
+        typeof candidate.evaluateRequest === 'function');
+}
+function isAuthorizationPolicySource(candidate) {
+    return Boolean(candidate &&
+        typeof candidate.loadPolicy === 'function');
+}
+/**
+ * Factory metadata for registration.
+ */
+exports.FACTORY_META = {
+    base: authorizer_factory_js_1.AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'PolicyAuthorizer',
+};
+/**
+ * Factory for creating DefaultPolicyAuthorizer instances.
+ *
+ * This factory uses lazy loading to avoid pulling in Node.js-specific
+ * code in browser environments.
+ */
+class DefaultPolicyAuthorizerFactory extends authorizer_factory_js_1.AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'PolicyAuthorizer';
+        this.isDefault = true;
+    }
+    /**
+     * Creates a DefaultPolicyAuthorizer from the given configuration.
+     *
+     * @param config - Configuration for the authorizer
+     * @param factoryArgs - Additional factory arguments:
+     *   - TokenVerifier instance
+     *   - AuthorizationPolicy instance
+     *   - AuthorizationPolicySource instance
+     * @returns The created authorizer
+     */
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig(config);
+        // Resolve token verifier
+        let tokenVerifier = factoryArgs.find(isTokenVerifier);
+        if (!tokenVerifier && normalized.verifier) {
+            tokenVerifier = await token_verifier_factory_js_1.TokenVerifierFactory.createTokenVerifier(normalized.verifier);
+        }
+        if (!tokenVerifier) {
+            throw new Error('PolicyAuthorizer requires a verifier configuration or instance');
+        }
+        // Resolve policy or policy source
+        let policy = factoryArgs.find(isAuthorizationPolicy);
+        let policySource = factoryArgs.find(isAuthorizationPolicySource);
+        // Create policy from config if not provided as argument
+        if (!policy && normalized.policy) {
+            policy = await authorization_policy_factory_js_1.AuthorizationPolicyFactory.createAuthorizationPolicy(normalized.policy);
+        }
+        // Create policy source from config if not provided as argument
+        if (!policySource && normalized.policySource) {
+            policySource =
+                await authorization_policy_source_factory_js_1.AuthorizationPolicySourceFactory.createAuthorizationPolicySource(normalized.policySource);
+        }
+        // Validate that we have either policy or policy source
+        if (!policy && !policySource) {
+            throw new Error('PolicyAuthorizer requires either a policy or policySource configuration');
+        }
+        const { DefaultPolicyAuthorizer } = await getDefaultPolicyAuthorizerModule();
+        return new DefaultPolicyAuthorizer({
+            tokenVerifier,
+            policy,
+            policySource,
+        });
+    }
+}
+exports.DefaultPolicyAuthorizerFactory = DefaultPolicyAuthorizerFactory;
+exports.default = DefaultPolicyAuthorizerFactory;

package/dist/cjs/naylence/fame/security/auth/default-policy-authorizer.js

@@ -0,0 +1,291 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultPolicyAuthorizer = void 0;
+const core_1 = require("@naylence/core");
+const logging_js_1 = require("../../util/logging.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.security.auth.default_policy_authorizer');
+function decodeCredentials(credentials) {
+    if (typeof TextDecoder !== 'undefined') {
+        return new TextDecoder().decode(credentials);
+    }
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(credentials).toString('utf-8');
+    }
+    throw new Error('Unable to decode credential bytes without TextDecoder support');
+}
+function normalizeToken(credentials) {
+    const raw = typeof credentials === 'string'
+        ? credentials
+        : decodeCredentials(credentials);
+    const trimmed = raw.trim();
+    if (trimmed.length === 0) {
+        return undefined;
+    }
+    if (trimmed.toLowerCase().startsWith('bearer ')) {
+        const candidate = trimmed.slice(7).trim();
+        return candidate.length > 0 ? candidate : undefined;
+    }
+    return trimmed;
+}
+function normalizeOptions(options) {
+    if (options === undefined || options === null) {
+        return {};
+    }
+    if (typeof options !== 'object') {
+        throw new TypeError('DefaultPolicyAuthorizer options must be an object');
+    }
+    const candidate = options;
+    return {
+        tokenVerifier: candidate.tokenVerifier ?? candidate.token_verifier,
+        policy: candidate.policy,
+        policySource: candidate.policySource ?? candidate.policy_source,
+    };
+}
+/**
+ * An authorizer that delegates authorization decisions to a pluggable policy.
+ *
+ * This authorizer combines token-based authentication with policy-based
+ * authorization. The token verifier handles authentication (validating
+ * credentials), while the authorization policy handles authorization
+ * decisions (allow/deny based on the request context).
+ */
+class DefaultPolicyAuthorizer {
+    constructor(options = {}) {
+        this.policyLoaded = false;
+        const normalized = normalizeOptions(options);
+        if (normalized.tokenVerifier) {
+            this.tokenVerifierImpl = normalized.tokenVerifier;
+        }
+        if (normalized.policy) {
+            this.policyImpl = normalized.policy;
+            this.policyLoaded = true;
+        }
+        if (normalized.policySource) {
+            this.policySource = normalized.policySource;
+        }
+        // Validate that we have either a policy or a policy source
+        if (!normalized.policy && !normalized.policySource) {
+            throw new Error('DefaultPolicyAuthorizer requires either a policy or a policySource');
+        }
+    }
+    /**
+     * The currently active authorization policy.
+     */
+    get policy() {
+        if (!this.policyImpl) {
+            throw new Error('Authorization policy not loaded. Call ensurePolicyLoaded() first.');
+        }
+        return this.policyImpl;
+    }
+    /**
+     * The token verifier used for authentication.
+     */
+    get tokenVerifier() {
+        if (!this.tokenVerifierImpl) {
+            throw new Error('DefaultPolicyAuthorizer is not initialized properly, missing tokenVerifier');
+        }
+        return this.tokenVerifierImpl;
+    }
+    set tokenVerifier(verifier) {
+        this.tokenVerifierImpl = verifier;
+    }
+    /**
+     * Ensures the authorization policy is loaded.
+     * If using a policy source, loads the policy from it.
+     */
+    async ensurePolicyLoaded() {
+        if (this.policyLoaded && this.policyImpl) {
+            return;
+        }
+        if (!this.policySource) {
+            throw new Error('No policy source configured and no policy provided');
+        }
+        logger.debug('loading_policy_from_source');
+        this.policyImpl = await this.policySource.loadPolicy();
+        this.policyLoaded = true;
+        logger.info('policy_loaded_from_source');
+    }
+    /**
+     * Reloads the authorization policy from the policy source.
+     * Only works if a policy source was configured.
+     */
+    async reloadPolicy() {
+        if (!this.policySource) {
+            throw new Error('Cannot reload policy: no policy source configured');
+        }
+        logger.debug('reloading_policy_from_source');
+        this.policyImpl = await this.policySource.loadPolicy();
+        this.policyLoaded = true;
+        logger.info('policy_reloaded_from_source');
+    }
+    /**
+     * Authenticates credentials and returns an authorization context.
+     *
+     * @param credentials - The credentials to authenticate (token string or bytes)
+     * @returns The authorization context if authentication succeeds, undefined otherwise
+     */
+    async authenticate(credentials) {
+        const token = normalizeToken(credentials);
+        if (!token) {
+            return undefined;
+        }
+        try {
+            const verifier = this.tokenVerifier;
+            const context = await verifier.verify(token);
+            return (0, core_1.createAuthorizationContext)({
+                ...context,
+                authenticated: true,
+                authorized: false, // Authorization happens in authorize()
+                authMethod: context.authMethod ?? 'jwt',
+            });
+        }
+        catch (error) {
+            logger.warning('token_verification_failed', {
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return undefined;
+        }
+    }
+    /**
+     * Authorizes a request using the configured authorization policy.
+     *
+     * For NodeAttach frames, evaluates policy with action='Connect'.
+     * For other frames, this method performs basic authentication validation
+     * but does NOT infer send/receive actions. Route-level authorization
+     * is handled separately via authorizeRoute().
+     *
+     * @param node - The node handling the request
+     * @param envelope - The FAME envelope being authorized
+     * @param context - Optional delivery context
+     * @returns The authorization context if authorized, undefined if denied
+     */
+    async authorize(node, envelope, context) {
+        const authorization = context?.security?.authorization;
+        // Must be authenticated first
+        if (!authorization || !authorization.authenticated) {
+            logger.debug('authorization_denied_not_authenticated');
+            return undefined;
+        }
+        // Ensure policy is loaded
+        await this.ensurePolicyLoaded();
+        // For NodeAttach frames, evaluate policy with 'Connect' action
+        const frameType = envelope.frame?.type;
+        if (frameType === 'NodeAttach') {
+            let decision;
+            try {
+                decision = await this.policy.evaluateRequest(node, envelope, context, 'Connect');
+            }
+            catch (error) {
+                logger.error('policy_evaluation_failed', {
+                    error: error instanceof Error ? error.message : String(error),
+                    action: 'Connect',
+                });
+                return undefined;
+            }
+            if (decision.effect === 'allow') {
+                logger.debug('authorization_allowed', {
+                    matchedRule: decision.matchedRule,
+                    reason: decision.reason,
+                    action: 'Connect',
+                });
+                return (0, core_1.createAuthorizationContext)({
+                    ...authorization,
+                    authorized: true,
+                    authMethod: authorization.authMethod ?? 'policy',
+                });
+            }
+            else {
+                logger.debug('authorization_denied', {
+                    matchedRule: decision.matchedRule,
+                    reason: decision.reason,
+                    action: 'Connect',
+                });
+                return undefined;
+            }
+        }
+        // For non-NodeAttach frames, authentication is sufficient at this stage.
+        // Route-level authorization is performed via authorizeRoute() after
+        // the routing decision is made.
+        logger.debug('authorization_passed_authentication_only', {
+            envp_id: envelope.id,
+            frame_type: frameType,
+        });
+        return (0, core_1.createAuthorizationContext)({
+            ...authorization,
+            authorized: true,
+            authMethod: authorization.authMethod ?? 'policy',
+        });
+    }
+    /**
+     * Authorizes a routing action after the routing decision has been made.
+     *
+     * This method evaluates the authorization policy with the explicitly
+     * provided action token (ForwardUpstream, ForwardDownstream, ForwardPeer,
+     * DeliverLocal).
+     *
+     * @param node - The node handling the request
+     * @param envelope - The FAME envelope being routed
+     * @param action - The authorization action token from the routing decision
+     * @param context - Optional delivery context
+     * @returns RouteAuthorizationResult with authorization decision
+     */
+    async authorizeRoute(node, envelope, action, context) {
+        const authorization = context?.security?.authorization;
+        // If not authenticated, deny route authorization
+        if (!authorization || !authorization.authenticated) {
+            logger.debug('route_authorization_denied_not_authenticated', {
+                action,
+            });
+            return {
+                authorized: false,
+                denialReason: 'not_authenticated',
+            };
+        }
+        // Ensure policy is loaded
+        await this.ensurePolicyLoaded();
+        // Evaluate the policy with the provided action
+        let decision;
+        try {
+            decision = await this.policy.evaluateRequest(node, envelope, context, action);
+        }
+        catch (error) {
+            logger.error('route_policy_evaluation_failed', {
+                error: error instanceof Error ? error.message : String(error),
+                action,
+            });
+            return {
+                authorized: false,
+                denialReason: 'policy_evaluation_error',
+            };
+        }
+        if (decision.effect === 'allow') {
+            logger.debug('route_authorization_allowed', {
+                matchedRule: decision.matchedRule,
+                reason: decision.reason,
+                action,
+            });
+            return {
+                authorized: true,
+                authContext: (0, core_1.createAuthorizationContext)({
+                    ...authorization,
+                    authorized: true,
+                    authMethod: authorization.authMethod ?? 'policy',
+                }),
+                matchedRule: decision.matchedRule,
+            };
+        }
+        else {
+            logger.debug('route_authorization_denied', {
+                matchedRule: decision.matchedRule,
+                reason: decision.reason,
+                action,
+            });
+            return {
+                authorized: false,
+                denialReason: decision.reason ?? 'policy_denied',
+                matchedRule: decision.matchedRule,
+            };
+        }
+    }
+}
+exports.DefaultPolicyAuthorizer = DefaultPolicyAuthorizer;