@naylence/runtime 0.4.2 → 0.4.4

package/dist/cjs/naylence/fame/security/auth/policy/basic-authorization-policy.js

@@ -93,6 +93,7 @@ class BasicAuthorizationPolicy {
         // Action must be explicitly provided; default to wildcard if omitted
         // for backward compatibility during transition
         const resolvedAction = action ?? '*';
+        const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
         const rawFrameType = envelope.frame
@@ -102,8 +103,8 @@ class BasicAuthorizationPolicy {
             : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
-        const originTypeNormalized = typeof rawOriginType === 'string' && rawOriginType.trim().length > 0
-            ? rawOriginType.trim().toLowerCase()
+        const originTypeNormalized = typeof rawOriginType === 'string'
+            ? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
             : undefined;
         const evaluationTrace = [];
         // Evaluate rules in order (first match wins)
@@ -150,8 +151,8 @@ class BasicAuthorizationPolicy {
                 }
             }
             // Check action match
-            if (!rule.actions.has('*') && !rule.actions.has(resolvedAction)) {
-                step.expression = `action: ${resolvedAction} not in [${Array.from(rule.actions).join(', ')}]`;
+            if (!rule.actions.has('*') && !rule.actions.has(resolvedActionNormalized)) {
+                step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(', ')}]`;
                 step.result = false;
                 evaluationTrace.push(step);
                 continue;
@@ -218,6 +219,9 @@ class BasicAuthorizationPolicy {
         };
     }
     validateDefaultEffect(effect) {
+        if (effect === undefined || effect === null) {
+            return 'deny';
+        }
         if (effect !== 'allow' && effect !== 'deny') {
             throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
         }
@@ -290,10 +294,11 @@ class BasicAuthorizationPolicy {
         }
         // Handle single action
         if (typeof action === 'string') {
-            if (!authorization_policy_definition_js_1.VALID_ACTIONS.includes(action)) {
+            const normalized = this.normalizeActionToken(action);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${authorization_policy_definition_js_1.VALID_ACTIONS.join(', ')}`);
             }
-            return new Set([action]);
+            return new Set([normalized]);
         }
         // Handle array of actions
         if (!Array.isArray(action)) {
@@ -307,10 +312,11 @@ class BasicAuthorizationPolicy {
             if (typeof a !== 'string') {
                 throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
             }
-            if (!authorization_policy_definition_js_1.VALID_ACTIONS.includes(a)) {
+            const normalized = this.normalizeActionToken(a);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${authorization_policy_definition_js_1.VALID_ACTIONS.join(', ')}`);
             }
-            actions.add(a);
+            actions.add(normalized);
         }
         return actions;
     }
@@ -413,11 +419,12 @@ class BasicAuthorizationPolicy {
         }
         // Handle single origin type
         if (typeof originType === 'string') {
-            const normalized = originType.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = originType.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
             }
-            if (!authorization_policy_definition_js_1.VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${authorization_policy_definition_js_1.VALID_ORIGIN_TYPES.join(', ')}`);
             }
             return new Set([normalized]);
@@ -434,16 +441,49 @@ class BasicAuthorizationPolicy {
             if (typeof ot !== 'string') {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
             }
-            const normalized = ot.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = ot.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
             }
-            if (!authorization_policy_definition_js_1.VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${authorization_policy_definition_js_1.VALID_ORIGIN_TYPES.join(', ')}`);
             }
             originTypes.add(normalized);
         }
         return originTypes;
     }
+    normalizeActionToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        if (trimmed === '*') {
+            return '*';
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            connect: 'Connect',
+            forwardupstream: 'ForwardUpstream',
+            forwarddownstream: 'ForwardDownstream',
+            forwardpeer: 'ForwardPeer',
+            deliverlocal: 'DeliverLocal',
+        };
+        return map[normalized] ?? null;
+    }
+    normalizeOriginTypeToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            downstream: 'downstream',
+            upstream: 'upstream',
+            peer: 'peer',
+            local: 'local',
+        };
+        return map[normalized] ?? null;
+    }
 }
 exports.BasicAuthorizationPolicy = BasicAuthorizationPolicy;

package/dist/cjs/naylence/fame/security/auth/policy/local-file-authorization-policy-source.js

@@ -123,16 +123,22 @@ class LocalFileAuthorizationPolicySource {
         const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
         // Ensure we have a type field for the factory
         if (!('type' in factoryConfig) || typeof factoryConfig.type !== 'string') {
-            throw new Error(`Policy definition at ${this.path} must have a 'type' field, ` +
-                `or policyFactory config must be provided`);
+            logger.warning('policy_type_missing_defaulting_to_basic', {
+                path: this.path,
+            });
+            factoryConfig.type =
+                'BasicAuthorizationPolicy';
         }
         // Build the factory config with the policy definition
         // The file content IS the policy definition, so we extract the type
         // and wrap the remaining content as the policyDefinition
-        const { type, ...restOfFile } = policyDefinition;
+        const { type: fileType, ...restOfFile } = policyDefinition;
+        const resolvedType = typeof fileType === 'string' && fileType.trim().length > 0
+            ? fileType
+            : factoryConfig.type;
         const mergedConfig = this.policyFactoryConfig != null
             ? { ...this.policyFactoryConfig, policyDefinition }
-            : { type: factoryConfig.type, policyDefinition: restOfFile };
+            : { type: resolvedType, policyDefinition: restOfFile };
         // Create the policy using the factory system
         const policy = await authorization_policy_factory_js_1.AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
         if (!policy) {

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.2
+// Generated from package.json version: 0.4.4
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.4.2';
+exports.VERSION = '0.4.4';

package/dist/esm/naylence/fame/security/auth/authorization-profile-factory.js

@@ -6,6 +6,7 @@ export const PROFILE_NAME_DEFAULT = 'jwt';
 export const PROFILE_NAME_OAUTH2 = 'oauth2';
 export const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
 export const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+export const PROFILE_NAME_POLICY_LOCALFILE = 'policy-localfile';
 export const PROFILE_NAME_NOOP = 'noop';
 export const ENV_VAR_JWT_TRUSTED_ISSUER = 'FAME_JWT_TRUSTED_ISSUER';
 export const ENV_VAR_JWT_ALGORITHM = 'FAME_JWT_ALGORITHM';
@@ -13,18 +14,21 @@ export const ENV_VAR_JWT_AUDIENCE = 'FAME_JWT_AUDIENCE';
 export const ENV_VAR_JWKS_URL = 'FAME_JWKS_URL';
 export const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 export const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+export const ENV_VAR_AUTH_POLICY_PATH = 'FAME_AUTH_POLICY_PATH';
+export const ENV_VAR_AUTH_POLICY_FORMAT = 'FAME_AUTH_POLICY_FORMAT';
 export const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 export const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: {
-        type: 'JWKSJWTTokenVerifier',
-        jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-    },
+    verifier: DEFAULT_VERIFIER_CONFIG,
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -69,11 +73,22 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_POLICY_SOURCE = {
+    type: 'LocalFileAuthorizationPolicySource',
+    path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
+    format: Expressions.env(ENV_VAR_AUTH_POLICY_FORMAT, 'auto'),
+};
+const POLICY_LOCALFILE_PROFILE = {
+    type: 'PolicyAuthorizer',
+    verifier: DEFAULT_VERIFIER_CONFIG,
+    policySource: DEFAULT_POLICY_SOURCE,
+};
 const PROFILE_MAP = {
     [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
     [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
     [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
     [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_POLICY_LOCALFILE]: POLICY_LOCALFILE_PROFILE,
     [PROFILE_NAME_NOOP]: NOOP_PROFILE,
 };
 const PROFILE_ALIASES = {
@@ -87,6 +102,9 @@ const PROFILE_ALIASES = {
     'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
     oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
     'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    policy: PROFILE_NAME_POLICY_LOCALFILE,
+    'policy-localfile': PROFILE_NAME_POLICY_LOCALFILE,
+    policy_localfile: PROFILE_NAME_POLICY_LOCALFILE,
     noop: PROFILE_NAME_NOOP,
     'no-op': PROFILE_NAME_NOOP,
     no_op: PROFILE_NAME_NOOP,

package/dist/esm/naylence/fame/security/auth/policy/basic-authorization-policy.js

@@ -90,6 +90,7 @@ export class BasicAuthorizationPolicy {
         // Action must be explicitly provided; default to wildcard if omitted
         // for backward compatibility during transition
         const resolvedAction = action ?? '*';
+        const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
         const rawFrameType = envelope.frame
@@ -99,8 +100,8 @@ export class BasicAuthorizationPolicy {
             : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
-        const originTypeNormalized = typeof rawOriginType === 'string' && rawOriginType.trim().length > 0
-            ? rawOriginType.trim().toLowerCase()
+        const originTypeNormalized = typeof rawOriginType === 'string'
+            ? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
             : undefined;
         const evaluationTrace = [];
         // Evaluate rules in order (first match wins)
@@ -147,8 +148,8 @@ export class BasicAuthorizationPolicy {
                 }
             }
             // Check action match
-            if (!rule.actions.has('*') && !rule.actions.has(resolvedAction)) {
-                step.expression = `action: ${resolvedAction} not in [${Array.from(rule.actions).join(', ')}]`;
+            if (!rule.actions.has('*') && !rule.actions.has(resolvedActionNormalized)) {
+                step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(', ')}]`;
                 step.result = false;
                 evaluationTrace.push(step);
                 continue;
@@ -215,6 +216,9 @@ export class BasicAuthorizationPolicy {
         };
     }
     validateDefaultEffect(effect) {
+        if (effect === undefined || effect === null) {
+            return 'deny';
+        }
         if (effect !== 'allow' && effect !== 'deny') {
             throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
         }
@@ -287,10 +291,11 @@ export class BasicAuthorizationPolicy {
         }
         // Handle single action
         if (typeof action === 'string') {
-            if (!VALID_ACTIONS.includes(action)) {
+            const normalized = this.normalizeActionToken(action);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            return new Set([action]);
+            return new Set([normalized]);
         }
         // Handle array of actions
         if (!Array.isArray(action)) {
@@ -304,10 +309,11 @@ export class BasicAuthorizationPolicy {
             if (typeof a !== 'string') {
                 throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
             }
-            if (!VALID_ACTIONS.includes(a)) {
+            const normalized = this.normalizeActionToken(a);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            actions.add(a);
+            actions.add(normalized);
         }
         return actions;
     }
@@ -410,11 +416,12 @@ export class BasicAuthorizationPolicy {
         }
         // Handle single origin type
         if (typeof originType === 'string') {
-            const normalized = originType.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = originType.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             return new Set([normalized]);
@@ -431,15 +438,48 @@ export class BasicAuthorizationPolicy {
             if (typeof ot !== 'string') {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
             }
-            const normalized = ot.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = ot.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             originTypes.add(normalized);
         }
         return originTypes;
     }
+    normalizeActionToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        if (trimmed === '*') {
+            return '*';
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            connect: 'Connect',
+            forwardupstream: 'ForwardUpstream',
+            forwarddownstream: 'ForwardDownstream',
+            forwardpeer: 'ForwardPeer',
+            deliverlocal: 'DeliverLocal',
+        };
+        return map[normalized] ?? null;
+    }
+    normalizeOriginTypeToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            downstream: 'downstream',
+            upstream: 'upstream',
+            peer: 'peer',
+            local: 'local',
+        };
+        return map[normalized] ?? null;
+    }
 }

package/dist/esm/naylence/fame/security/auth/policy/local-file-authorization-policy-source.js

@@ -87,16 +87,22 @@ export class LocalFileAuthorizationPolicySource {
         const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
         // Ensure we have a type field for the factory
         if (!('type' in factoryConfig) || typeof factoryConfig.type !== 'string') {
-            throw new Error(`Policy definition at ${this.path} must have a 'type' field, ` +
-                `or policyFactory config must be provided`);
+            logger.warning('policy_type_missing_defaulting_to_basic', {
+                path: this.path,
+            });
+            factoryConfig.type =
+                'BasicAuthorizationPolicy';
         }
         // Build the factory config with the policy definition
         // The file content IS the policy definition, so we extract the type
         // and wrap the remaining content as the policyDefinition
-        const { type, ...restOfFile } = policyDefinition;
+        const { type: fileType, ...restOfFile } = policyDefinition;
+        const resolvedType = typeof fileType === 'string' && fileType.trim().length > 0
+            ? fileType
+            : factoryConfig.type;
         const mergedConfig = this.policyFactoryConfig != null
             ? { ...this.policyFactoryConfig, policyDefinition }
-            : { type: factoryConfig.type, policyDefinition: restOfFile };
+            : { type: resolvedType, policyDefinition: restOfFile };
         // Create the policy using the factory system
         const policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
         if (!policy) {

package/dist/esm/version.js

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.2
+// Generated from package.json version: 0.4.4
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.4.2';
+export const VERSION = '0.4.4';