npm - @naylence/runtime - Versions diffs - 0.3.21 → 0.4.1 - Mend

@naylence/runtime 0.3.21 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/dist/cjs/naylence/fame/security/index.js CHANGED Viewed

@@ -1,13 +1,33 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = exports.CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE = exports.EdDSAEnvelopeSigner = exports.encodeUtf8 = exports.immutableHeaders = exports.frameDigest = exports.decodeBase64Url = exports.canonicalJson = exports.SigningConfigClass = exports.SECURITY_MANAGER_FACTORY_BASE_TYPE = exports.SECURITY_POLICY_FACTORY_BASE_TYPE = exports.KEY_STORE_FACTORY_BASE_TYPE = exports.ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE = exports.KEY_MANAGER_FACTORY_BASE_TYPE = exports.SecureChannelManagerFactory = exports.SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE = exports.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE = exports.NoopTrustStoreProvider = exports.TrustStoreProviderFactory = exports.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = exports.CertificateManagerFactory = exports.CERTIFICATE_MANAGER_FACTORY_BASE_TYPE = exports.TokenProviderFactory = exports.TOKEN_PROVIDER_FACTORY_BASE_TYPE = exports.TokenVerifierFactory = exports.TOKEN_VERIFIER_FACTORY_BASE_TYPE = exports.TokenIssuerFactory = exports.TOKEN_ISSUER_FACTORY_BASE_TYPE = exports.AuthInjectionStrategyFactory = exports.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE = exports.AuthorizerFactory = exports.AUTHORIZER_FACTORY_BASE_TYPE = void 0;
+exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = exports.CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE = exports.EdDSAEnvelopeSigner = exports.encodeUtf8 = exports.immutableHeaders = exports.frameDigest = exports.decodeBase64Url = exports.canonicalJson = exports.SigningConfigClass = exports.SECURITY_MANAGER_FACTORY_BASE_TYPE = exports.SECURITY_POLICY_FACTORY_BASE_TYPE = exports.KEY_STORE_FACTORY_BASE_TYPE = exports.ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE = exports.KEY_MANAGER_FACTORY_BASE_TYPE = exports.SecureChannelManagerFactory = exports.SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE = exports.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE = exports.NoopTrustStoreProvider = exports.TrustStoreProviderFactory = exports.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = exports.CertificateManagerFactory = exports.CERTIFICATE_MANAGER_FACTORY_BASE_TYPE = exports.TokenProviderFactory = exports.TOKEN_PROVIDER_FACTORY_BASE_TYPE = exports.TokenVerifierFactory = exports.TOKEN_VERIFIER_FACTORY_BASE_TYPE = exports.TokenIssuerFactory = exports.TOKEN_ISSUER_FACTORY_BASE_TYPE = exports.AuthInjectionStrategyFactory = exports.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE = exports.AUTH_PROFILE_ENV_VAR_HMAC_SECRET = exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.AUTH_PROFILE_ENV_VAR_JWKS_URL = exports.AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE = exports.AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM = exports.AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER = exports.AUTH_PROFILE_NAME_NOOP = exports.AUTH_PROFILE_NAME_OAUTH2_CALLBACK = exports.AUTH_PROFILE_NAME_OAUTH2_GATED = exports.AUTH_PROFILE_NAME_OAUTH2 = exports.AUTH_PROFILE_NAME_DEFAULT = exports.AuthorizationProfileFactory = exports.AuthorizerFactory = exports.AUTHORIZER_FACTORY_BASE_TYPE = void 0;
+exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_AUTHORIZATION_PROFILE = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = void 0;
 const tslib_1 = require("tslib");
 tslib_1.__exportStar(require("./auth/authorizer.js"), exports);
 tslib_1.__exportStar(require("./auth/auth-identity.js"), exports);
+tslib_1.__exportStar(require("./auth/policy-authorizer.js"), exports);
 var authorizer_factory_js_1 = require("./auth/authorizer-factory.js");
 Object.defineProperty(exports, "AUTHORIZER_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return authorizer_factory_js_1.AUTHORIZER_FACTORY_BASE_TYPE; } });
 Object.defineProperty(exports, "AuthorizerFactory", { enumerable: true, get: function () { return authorizer_factory_js_1.AuthorizerFactory; } });
+var authorization_profile_factory_js_1 = require("./auth/authorization-profile-factory.js");
+Object.defineProperty(exports, "AuthorizationProfileFactory", { enumerable: true, get: function () { return authorization_profile_factory_js_1.AuthorizationProfileFactory; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_DEFAULT", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_DEFAULT; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_OAUTH2", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_OAUTH2; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_OAUTH2_GATED", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_OAUTH2_GATED; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_OAUTH2_CALLBACK", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_OAUTH2_CALLBACK; } });
+Object.defineProperty(exports, "AUTH_PROFILE_NAME_NOOP", { enumerable: true, get: function () { return authorization_profile_factory_js_1.PROFILE_NAME_NOOP; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_TRUSTED_ISSUER; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_ALGORITHM; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_AUDIENCE; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWKS_URL", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWKS_URL; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_TRUSTED_CLIENT_SCOPE; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE; } });
+Object.defineProperty(exports, "AUTH_PROFILE_ENV_VAR_HMAC_SECRET", { enumerable: true, get: function () { return authorization_profile_factory_js_1.ENV_VAR_HMAC_SECRET; } });
 tslib_1.__exportStar(require("./auth/auth-injection-strategy.js"), exports);
+// Authorization policy exports
+tslib_1.__exportStar(require("./auth/policy/index.js"), exports);
 var auth_injection_strategy_factory_js_1 = require("./auth/auth-injection-strategy-factory.js");
 Object.defineProperty(exports, "AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE", { enumerable: true, get: function () { return auth_injection_strategy_factory_js_1.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE; } });
 Object.defineProperty(exports, "AuthInjectionStrategyFactory", { enumerable: true, get: function () { return auth_injection_strategy_factory_js_1.AuthInjectionStrategyFactory; } });
@@ -109,6 +129,7 @@ Object.defineProperty(exports, "ENV_VAR_DEFAULT_ENCRYPTION_LEVEL", { enumerable:
 Object.defineProperty(exports, "ENV_VAR_HMAC_SECRET", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_HMAC_SECRET; } });
 Object.defineProperty(exports, "ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER; } });
 Object.defineProperty(exports, "ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE; } });
+Object.defineProperty(exports, "ENV_VAR_AUTHORIZATION_PROFILE", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_AUTHORIZATION_PROFILE; } });
 Object.defineProperty(exports, "PROFILE_NAME_STRICT_OVERLAY", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_STRICT_OVERLAY; } });
 Object.defineProperty(exports, "PROFILE_NAME_OVERLAY", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_OVERLAY; } });
 Object.defineProperty(exports, "PROFILE_NAME_OVERLAY_CALLBACK", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_OVERLAY_CALLBACK; } });

package/dist/cjs/naylence/fame/security/node-security-profile-factory.js CHANGED Viewed

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
+exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_AUTHORIZATION_PROFILE = exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
 const factory_1 = require("@naylence/factory");
 const security_manager_factory_js_1 = require("./security-manager-factory.js");
 const logging_js_1 = require("../util/logging.js");
@@ -14,14 +14,14 @@ exports.ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+exports.ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
 exports.PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 exports.PROFILE_NAME_OVERLAY = 'overlay';
 exports.PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 exports.PROFILE_NAME_GATED = 'gated';
 exports.PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 exports.PROFILE_NAME_OPEN = 'open';
-const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
-const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
 const STRICT_OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -67,12 +67,8 @@ const STRICT_OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'DefaultAuthorizer',
-        verifier: {
-            type: 'JWKSJWTTokenVerifier',
-            jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
     },
 };
 const OVERLAY_PROFILE = {
@@ -119,14 +115,8 @@ const OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2'),
     },
 };
 const OVERLAY_CALLBACK_PROFILE = {
@@ -173,29 +163,8 @@ const OVERLAY_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const GATED_PROFILE = {
@@ -241,15 +210,8 @@ const GATED_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: factory_1.Expressions.env(exports.ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_AUDIENCE),
-        enforce_token_subject_node_identity: factory_1.Expressions.env(exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-gated'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -295,29 +257,8 @@ const GATED_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: factory_1.Expressions.env(exports.ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: factory_1.Expressions.env(exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const OPEN_PROFILE = {
@@ -326,7 +267,8 @@ const OPEN_PROFILE = {
         type: 'NoSecurityPolicy',
     },
     authorizer: {
-        type: 'NoopAuthorizer',
+        type: 'AuthorizationProfile',
+        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'noop'),
     },
 };
 const PROFILE_MAP = {

package/dist/cjs/naylence/fame/sentinel/router.js CHANGED Viewed

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RouterState = exports.ForwardPeer = exports.ForwardChild = exports.DeliverLocal = exports.ForwardUp = exports.Drop = void 0;
+exports.RouterState = exports.Deny = exports.ForwardPeer = exports.ForwardChild = exports.DeliverLocal = exports.ForwardUp = exports.Drop = void 0;
+exports.mapRoutingActionToAuthorizationAction = mapRoutingActionToAuthorizationAction;
 exports.emitDeliveryNack = emitDeliveryNack;
 const core_1 = require("@naylence/core");
 const errors_js_1 = require("../errors/errors.js");
@@ -99,6 +100,71 @@ class ForwardPeer {
     }
 }
 exports.ForwardPeer = ForwardPeer;
+/**
+ * RoutingAction that denies an envelope due to authorization failure.
+ *
+ * Emits an opaque NO_ROUTE NACK on wire (by default) to avoid leaking
+ * route existence, while logging the true denial reason internally.
+ */
+class Deny {
+    constructor(options) {
+        this.options = options;
+    }
+    async execute(envelope, router, state, context) {
+        const { internalReason, deniedAction, matchedRule, context: extraContext, disclosure = 'opaque', } = this.options;
+        // Log detailed denial internally
+        logger.warning('route_authorization_denied', {
+            envp_id: envelope.id,
+            frame_type: envelope.frame?.type ?? null,
+            to: envelope.to?.toString() ?? null,
+            internal_reason: internalReason,
+            denied_action: deniedAction ?? null,
+            matched_rule: matchedRule ?? null,
+            origin_type: context?.originType ?? null,
+            ...extraContext,
+        });
+        // Emit opaque NACK on wire (or verbose if configured)
+        const wireCode = disclosure === 'verbose' ? 'UNAUTHORIZED_ROUTE' : 'NO_ROUTE';
+        await emitDeliveryNack(envelope, router, state, wireCode, context ?? undefined);
+    }
+}
+exports.Deny = Deny;
+/**
+ * Maps a RoutingAction instance to an authorization action token.
+ *
+ * This function uses instanceof checks to determine the action type,
+ * avoiding the need to expose action objects to the authorizer.
+ *
+ * For unknown/custom RoutingAction types, returns null. Callers should
+ * treat null as "deny by default" for security (unknown actions are not
+ * authorized).
+ *
+ * @param action - The RoutingAction instance to map
+ * @returns The authorization action token, or null for terminal/unknown actions
+ */
+function mapRoutingActionToAuthorizationAction(action) {
+    if (action instanceof ForwardUp) {
+        return 'ForwardUpstream';
+    }
+    if (action instanceof ForwardChild) {
+        return 'ForwardDownstream';
+    }
+    if (action instanceof ForwardPeer) {
+        return 'ForwardPeer';
+    }
+    if (action instanceof DeliverLocal) {
+        return 'DeliverLocal';
+    }
+    // Drop and Deny are terminal actions that don't need authorization
+    if (action instanceof Drop || action instanceof Deny) {
+        return null;
+    }
+    // Unknown RoutingAction: return null, caller should deny by default
+    logger.warning('unknown_routing_action_for_authorization', {
+        action_type: action?.constructor?.name ?? 'unknown',
+    });
+    return null;
+}
 class RouterState {
     constructor(options) {
         const normalized = normalizeRouterStateOptions(options);

package/dist/cjs/naylence/fame/sentinel/sentinel.js CHANGED Viewed

@@ -281,8 +281,11 @@ class Sentinel extends node_js_1.FameNode {
             }
         }
         const state = this.buildRouterState();
-        const action = await this.routingPolicy.decide(processedEnvelope, state, context);
-        await action.execute(processedEnvelope, this, state, context);
+        let action = await this.routingPolicy.decide(processedEnvelope, state, context);
+        // Dispatch onRoutingActionSelected hook to allow authorization/replacement
+        // The hook must return the action to execute; null/undefined/throw => Drop
+        const actionToExecute = await this.dispatchRoutingActionSelected(processedEnvelope, action, state, context);
+        await actionToExecute.execute(processedEnvelope, this, state, context);
     }
     async forwardToRoute(nextSegment, envelope, context) {
         if (this.originMatches(context, nextSegment, core_1.DeliveryOriginType.DOWNSTREAM)) {
@@ -828,6 +831,47 @@ class Sentinel extends node_js_1.FameNode {
             });
         }
     }
+    /**
+     * Dispatches the onRoutingActionSelected event to all event listeners.
+     *
+     * This allows listeners (like DefaultSecurityManager) to authorize
+     * routing actions and optionally replace them with Deny actions.
+     *
+     * The hook must return the RoutingAction to execute. If a listener returns
+     * null, undefined, or throws, the router will execute a Drop action.
+     *
+     * @param envelope - The envelope being routed
+     * @param selected - The RoutingAction selected by the routing policy
+     * @param state - The current router state
+     * @param context - Optional delivery context
+     * @returns The RoutingAction to execute (never null/undefined)
+     */
+    async dispatchRoutingActionSelected(envelope, selected, state, context) {
+        let currentAction = selected;
+        for (const listener of this.eventListeners) {
+            if (typeof listener.onRoutingActionSelected !== 'function') {
+                continue;
+            }
+            try {
+                const result = await listener.onRoutingActionSelected(this, envelope, currentAction, state, context);
+                // null/undefined => treat as denial, execute Drop
+                if (result == null) {
+                    return new router_js_1.Drop();
+                }
+                // Update current action for next listener in chain
+                currentAction = result;
+            }
+            catch (error) {
+                // Hook threw => treat as denial, execute Drop
+                logger.warning('routing_action_hook_error', {
+                    envp_id: envelope.id,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                return new router_js_1.Drop();
+            }
+        }
+        return currentAction;
+    }
     static async aserve(options = {}) {
         const { logLevel, rootConfig, config, node = null, fabric: providedFabric = null, signals = ['SIGINT', 'SIGTERM'], signal, ...fabricOptions } = options;
         const resolvedLevel = normalizeServeLogLevel(logLevel) ?? logging_js_1.LogLevel.INFO;

package/dist/cjs/naylence/fame/util/register-runtime-factories.js CHANGED Viewed

@@ -45,6 +45,8 @@ const NODE_ONLY_FACTORY_MODULES = new Set([
     './connector/websocket-listener-factory.js',
     './telemetry/open-telemetry-trace-emitter-factory.js',
     './security/credential/prompt-credential-provider-factory.js',
+    './security/auth/default-policy-authorizer-factory.js',
+    './security/auth/policy/local-file-authorization-policy-source-factory.js',
 ]);
 const BROWSER_ONLY_FACTORY_MODULES = new Set([
     './security/auth/oauth2-pkce-token-provider-factory.js',

package/dist/cjs/version.js CHANGED Viewed

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.21
+// Generated from package.json version: 0.4.1
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.3.21';
+exports.VERSION = '0.4.1';

package/dist/esm/naylence/fame/factory-manifest.js CHANGED Viewed

@@ -27,8 +27,10 @@ export const MODULES = [
     "./node/node-identity-policy-profile-factory.js",
     "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
+    "./security/auth/authorization-profile-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
+    "./security/auth/default-policy-authorizer-factory.js",
     "./security/auth/jwks-jwt-token-verifier-factory.js",
     "./security/auth/jwt-token-issuer-factory.js",
     "./security/auth/jwt-token-verifier-factory.js",
@@ -40,6 +42,8 @@ export const MODULES = [
     "./security/auth/oauth2-authorizer-factory.js",
     "./security/auth/oauth2-client-credentials-token-provider-factory.js",
     "./security/auth/oauth2-pkce-token-provider-factory.js",
+    "./security/auth/policy/basic-authorization-policy-factory.js",
+    "./security/auth/policy/local-file-authorization-policy-source-factory.js",
     "./security/auth/query-param-auth-injection-strategy-factory.js",
     "./security/auth/shared-secret-authorizer-factory.js",
     "./security/auth/shared-secret-token-provider-factory.js",
@@ -106,8 +110,10 @@ export const MODULE_LOADERS = {
     "./node/node-identity-policy-profile-factory.js": () => import("./node/node-identity-policy-profile-factory.js"),
     "./node/token-subject-node-identity-policy-factory.js": () => import("./node/token-subject-node-identity-policy-factory.js"),
     "./placement/static-node-placement-strategy-factory.js": () => import("./placement/static-node-placement-strategy-factory.js"),
+    "./security/auth/authorization-profile-factory.js": () => import("./security/auth/authorization-profile-factory.js"),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => import("./security/auth/bearer-token-header-auth-injection-strategy-factory.js"),
     "./security/auth/default-authorizer-factory.js": () => import("./security/auth/default-authorizer-factory.js"),
+    "./security/auth/default-policy-authorizer-factory.js": () => import(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/default-policy-authorizer-factory.js"),
     "./security/auth/jwks-jwt-token-verifier-factory.js": () => import("./security/auth/jwks-jwt-token-verifier-factory.js"),
     "./security/auth/jwt-token-issuer-factory.js": () => import("./security/auth/jwt-token-issuer-factory.js"),
     "./security/auth/jwt-token-verifier-factory.js": () => import("./security/auth/jwt-token-verifier-factory.js"),
@@ -119,6 +125,8 @@ export const MODULE_LOADERS = {
     "./security/auth/oauth2-authorizer-factory.js": () => import("./security/auth/oauth2-authorizer-factory.js"),
     "./security/auth/oauth2-client-credentials-token-provider-factory.js": () => import("./security/auth/oauth2-client-credentials-token-provider-factory.js"),
     "./security/auth/oauth2-pkce-token-provider-factory.js": () => import("./security/auth/oauth2-pkce-token-provider-factory.js"),
+    "./security/auth/policy/basic-authorization-policy-factory.js": () => import("./security/auth/policy/basic-authorization-policy-factory.js"),
+    "./security/auth/policy/local-file-authorization-policy-source-factory.js": () => import(/* webpackIgnore: true */ /* @vite-ignore */ "./security/auth/policy/local-file-authorization-policy-source-factory.js"),
     "./security/auth/query-param-auth-injection-strategy-factory.js": () => import("./security/auth/query-param-auth-injection-strategy-factory.js"),
     "./security/auth/shared-secret-authorizer-factory.js": () => import("./security/auth/shared-secret-authorizer-factory.js"),
     "./security/auth/shared-secret-token-provider-factory.js": () => import("./security/auth/shared-secret-token-provider-factory.js"),

package/dist/esm/naylence/fame/node/node-event-listener.js CHANGED Viewed

@@ -45,6 +45,10 @@ export class BaseNodeEventListener {
         // Default implementation passes envelope through unchanged
         return envelope;
     }
+    async onRoutingActionSelected(_node, _envelope, selected, _state, _context) {
+        // Default implementation returns the selected action unchanged
+        return selected;
+    }
     async onForwardUpstream(_node, envelope, _context) {
         // Default implementation passes envelope through unchanged
         return envelope;

package/dist/esm/naylence/fame/security/auth/authorization-profile-factory.js ADDED Viewed

@@ -0,0 +1,161 @@
+import { Expressions } from '@naylence/factory';
+import { getLogger } from '../../util/logging.js';
+import { AUTHORIZER_FACTORY_BASE_TYPE, AuthorizerFactory, } from './authorizer-factory.js';
+const logger = getLogger('naylence.fame.security.auth.authorization_profile_factory');
+export const PROFILE_NAME_DEFAULT = 'jwt';
+export const PROFILE_NAME_OAUTH2 = 'oauth2';
+export const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
+export const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+export const PROFILE_NAME_NOOP = 'noop';
+export const ENV_VAR_JWT_TRUSTED_ISSUER = 'FAME_JWT_TRUSTED_ISSUER';
+export const ENV_VAR_JWT_ALGORITHM = 'FAME_JWT_ALGORITHM';
+export const ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
+export const ENV_VAR_JWKS_URL = 'FAME_JWKS_URL';
+export const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+export const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+export const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
+export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+export const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
+const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
+const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_PROFILE = {
+    type: 'DefaultAuthorizer',
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+    },
+};
+const OAUTH2_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+    required_scopes: ['node.connect'],
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
+    audience: Expressions.env(ENV_VAR_JWT_AUDIENCE),
+};
+const OAUTH2_GATED_PROFILE = {
+    ...OAUTH2_PROFILE,
+    enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
+    trusted_client_scope: Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+};
+const OAUTH2_CALLBACK_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+    audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    reverse_auth_ttl_sec: 86400,
+    token_verifier_config: {
+        type: 'JWTTokenVerifier',
+        algorithm: 'HS256',
+        hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
+        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+    },
+    token_issuer_config: {
+        type: 'JWTTokenIssuer',
+        algorithm: 'HS256',
+        hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
+        kid: 'hmac-reverse-auth-key',
+        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
+    },
+};
+const NOOP_PROFILE = {
+    type: 'NoopAuthorizer',
+};
+const PROFILE_MAP = {
+    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
+    [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
+    [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_NOOP]: NOOP_PROFILE,
+};
+const PROFILE_ALIASES = {
+    jwt: PROFILE_NAME_DEFAULT,
+    jwks: PROFILE_NAME_DEFAULT,
+    default: PROFILE_NAME_DEFAULT,
+    oauth2: PROFILE_NAME_OAUTH2,
+    oidc: PROFILE_NAME_OAUTH2,
+    'oauth2-gated': PROFILE_NAME_OAUTH2_GATED,
+    oauth2_gated: PROFILE_NAME_OAUTH2_GATED,
+    'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
+    oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
+    'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    noop: PROFILE_NAME_NOOP,
+    'no-op': PROFILE_NAME_NOOP,
+    no_op: PROFILE_NAME_NOOP,
+};
+export const FACTORY_META = {
+    base: AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'AuthorizationProfile',
+};
+export class AuthorizationProfileFactory extends AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'AuthorizationProfile';
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig(config);
+        const profileConfig = resolveProfileConfig(normalized.profile);
+        logger.debug('enabling_authorization_profile', {
+            profile: normalized.profile,
+        });
+        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        if (!authorizer) {
+            throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
+        }
+        return authorizer;
+    }
+}
+function normalizeConfig(config) {
+    if (!config) {
+        return { profile: PROFILE_NAME_OAUTH2 };
+    }
+    const candidate = config;
+    const profileValue = resolveProfileName(candidate);
+    const canonicalProfile = canonicalizeProfileName(profileValue);
+    candidate.profile = canonicalProfile;
+    return { profile: canonicalProfile };
+}
+function resolveProfileName(candidate) {
+    const direct = coerceProfileString(candidate.profile);
+    if (direct) {
+        return direct;
+    }
+    const legacyKeys = ['profile_name', 'profileName'];
+    for (const legacyKey of legacyKeys) {
+        const legacyValue = coerceProfileString(candidate[legacyKey]);
+        if (legacyValue) {
+            return legacyValue;
+        }
+    }
+    return PROFILE_NAME_OAUTH2;
+}
+function coerceProfileString(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function canonicalizeProfileName(value) {
+    const normalized = value.replace(/[\s_]+/g, '-').toLowerCase();
+    return PROFILE_ALIASES[normalized] ?? normalized;
+}
+function resolveProfileConfig(profileName) {
+    const profile = PROFILE_MAP[profileName];
+    if (!profile) {
+        throw new Error(`Unknown authorization profile: ${profileName}`);
+    }
+    return deepClone(profile);
+}
+function deepClone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+export default AuthorizationProfileFactory;