@naylence/runtime 0.4.2 → 0.4.4

package/dist/node/index.cjs

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.2
+// Generated from package.json version: 0.4.4
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.2';
+const VERSION = '0.4.4';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -21813,6 +21813,7 @@ const PROFILE_NAME_DEFAULT = 'jwt';
 const PROFILE_NAME_OAUTH2 = 'oauth2';
 const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
 const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+const PROFILE_NAME_POLICY_LOCALFILE = 'policy-localfile';
 const PROFILE_NAME_NOOP$2 = 'noop';
 const ENV_VAR_JWT_TRUSTED_ISSUER$1 = 'FAME_JWT_TRUSTED_ISSUER';
 const ENV_VAR_JWT_ALGORITHM$1 = 'FAME_JWT_ALGORITHM';
@@ -21820,18 +21821,21 @@ const ENV_VAR_JWT_AUDIENCE$2 = 'FAME_JWT_AUDIENCE';
 const ENV_VAR_JWKS_URL$1 = 'FAME_JWKS_URL';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE$1 = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_AUTH_POLICY_PATH = 'FAME_AUTH_POLICY_PATH';
+const ENV_VAR_AUTH_POLICY_FORMAT = 'FAME_AUTH_POLICY_FORMAT';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: {
-        type: 'JWKSJWTTokenVerifier',
-        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
-        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-    },
+    verifier: DEFAULT_VERIFIER_CONFIG,
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21876,11 +21880,22 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_POLICY_SOURCE = {
+    type: 'LocalFileAuthorizationPolicySource',
+    path: factory.Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
+    format: factory.Expressions.env(ENV_VAR_AUTH_POLICY_FORMAT, 'auto'),
+};
+const POLICY_LOCALFILE_PROFILE = {
+    type: 'PolicyAuthorizer',
+    verifier: DEFAULT_VERIFIER_CONFIG,
+    policySource: DEFAULT_POLICY_SOURCE,
+};
 const PROFILE_MAP$5 = {
     [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
     [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
     [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
     [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_POLICY_LOCALFILE]: POLICY_LOCALFILE_PROFILE,
     [PROFILE_NAME_NOOP$2]: NOOP_PROFILE$2,
 };
 const PROFILE_ALIASES$1 = {
@@ -21894,6 +21909,9 @@ const PROFILE_ALIASES$1 = {
     'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
     oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
     'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    policy: PROFILE_NAME_POLICY_LOCALFILE,
+    'policy-localfile': PROFILE_NAME_POLICY_LOCALFILE,
+    policy_localfile: PROFILE_NAME_POLICY_LOCALFILE,
     noop: PROFILE_NAME_NOOP$2,
     'no-op': PROFILE_NAME_NOOP$2,
     no_op: PROFILE_NAME_NOOP$2,
@@ -21969,6 +21987,8 @@ function deepClone$4(value) {
 var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     AuthorizationProfileFactory: AuthorizationProfileFactory,
+    ENV_VAR_AUTH_POLICY_FORMAT: ENV_VAR_AUTH_POLICY_FORMAT,
+    ENV_VAR_AUTH_POLICY_PATH: ENV_VAR_AUTH_POLICY_PATH,
     ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET$1,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL$1,
@@ -21984,6 +22004,7 @@ var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
     PROFILE_NAME_OAUTH2: PROFILE_NAME_OAUTH2,
     PROFILE_NAME_OAUTH2_CALLBACK: PROFILE_NAME_OAUTH2_CALLBACK,
     PROFILE_NAME_OAUTH2_GATED: PROFILE_NAME_OAUTH2_GATED,
+    PROFILE_NAME_POLICY_LOCALFILE: PROFILE_NAME_POLICY_LOCALFILE,
     default: AuthorizationProfileFactory
 });
 
@@ -22542,6 +22563,7 @@ class BasicAuthorizationPolicy {
         // Action must be explicitly provided; default to wildcard if omitted
         // for backward compatibility during transition
         const resolvedAction = action ?? '*';
+        const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
         const rawFrameType = envelope.frame
@@ -22551,8 +22573,8 @@ class BasicAuthorizationPolicy {
             : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
-        const originTypeNormalized = typeof rawOriginType === 'string' && rawOriginType.trim().length > 0
-            ? rawOriginType.trim().toLowerCase()
+        const originTypeNormalized = typeof rawOriginType === 'string'
+            ? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
             : undefined;
         const evaluationTrace = [];
         // Evaluate rules in order (first match wins)
@@ -22599,8 +22621,8 @@ class BasicAuthorizationPolicy {
                 }
             }
             // Check action match
-            if (!rule.actions.has('*') && !rule.actions.has(resolvedAction)) {
-                step.expression = `action: ${resolvedAction} not in [${Array.from(rule.actions).join(', ')}]`;
+            if (!rule.actions.has('*') && !rule.actions.has(resolvedActionNormalized)) {
+                step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(', ')}]`;
                 step.result = false;
                 evaluationTrace.push(step);
                 continue;
@@ -22667,6 +22689,9 @@ class BasicAuthorizationPolicy {
         };
     }
     validateDefaultEffect(effect) {
+        if (effect === undefined || effect === null) {
+            return 'deny';
+        }
         if (effect !== 'allow' && effect !== 'deny') {
             throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
         }
@@ -22739,10 +22764,11 @@ class BasicAuthorizationPolicy {
         }
         // Handle single action
         if (typeof action === 'string') {
-            if (!VALID_ACTIONS.includes(action)) {
+            const normalized = this.normalizeActionToken(action);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            return new Set([action]);
+            return new Set([normalized]);
         }
         // Handle array of actions
         if (!Array.isArray(action)) {
@@ -22756,10 +22782,11 @@ class BasicAuthorizationPolicy {
             if (typeof a !== 'string') {
                 throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
             }
-            if (!VALID_ACTIONS.includes(a)) {
+            const normalized = this.normalizeActionToken(a);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            actions.add(a);
+            actions.add(normalized);
         }
         return actions;
     }
@@ -22862,11 +22889,12 @@ class BasicAuthorizationPolicy {
         }
         // Handle single origin type
         if (typeof originType === 'string') {
-            const normalized = originType.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = originType.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             return new Set([normalized]);
@@ -22883,17 +22911,50 @@ class BasicAuthorizationPolicy {
             if (typeof ot !== 'string') {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
             }
-            const normalized = ot.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = ot.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             originTypes.add(normalized);
         }
         return originTypes;
     }
+    normalizeActionToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        if (trimmed === '*') {
+            return '*';
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            connect: 'Connect',
+            forwardupstream: 'ForwardUpstream',
+            forwarddownstream: 'ForwardDownstream',
+            forwardpeer: 'ForwardPeer',
+            deliverlocal: 'DeliverLocal',
+        };
+        return map[normalized] ?? null;
+    }
+    normalizeOriginTypeToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            downstream: 'downstream',
+            upstream: 'upstream',
+            peer: 'peer',
+            local: 'local',
+        };
+        return map[normalized] ?? null;
+    }
 }
 
 var basicAuthorizationPolicy = /*#__PURE__*/Object.freeze({
@@ -42557,16 +42618,22 @@ class LocalFileAuthorizationPolicySource {
         const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
         // Ensure we have a type field for the factory
         if (!('type' in factoryConfig) || typeof factoryConfig.type !== 'string') {
-            throw new Error(`Policy definition at ${this.path} must have a 'type' field, ` +
-                `or policyFactory config must be provided`);
+            logger$1.warning('policy_type_missing_defaulting_to_basic', {
+                path: this.path,
+            });
+            factoryConfig.type =
+                'BasicAuthorizationPolicy';
         }
         // Build the factory config with the policy definition
         // The file content IS the policy definition, so we extract the type
         // and wrap the remaining content as the policyDefinition
-        const { type, ...restOfFile } = policyDefinition;
+        const { type: fileType, ...restOfFile } = policyDefinition;
+        const resolvedType = typeof fileType === 'string' && fileType.trim().length > 0
+            ? fileType
+            : factoryConfig.type;
         const mergedConfig = this.policyFactoryConfig != null
             ? { ...this.policyFactoryConfig, policyDefinition }
-            : { type: factoryConfig.type, policyDefinition: restOfFile };
+            : { type: resolvedType, policyDefinition: restOfFile };
         // Create the policy using the factory system
         const policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
         if (!policy) {

package/dist/node/index.mjs

@@ -13,12 +13,12 @@ import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.2
+// Generated from package.json version: 0.4.4
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.2';
+const VERSION = '0.4.4';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -21812,6 +21812,7 @@ const PROFILE_NAME_DEFAULT = 'jwt';
 const PROFILE_NAME_OAUTH2 = 'oauth2';
 const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
 const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+const PROFILE_NAME_POLICY_LOCALFILE = 'policy-localfile';
 const PROFILE_NAME_NOOP$2 = 'noop';
 const ENV_VAR_JWT_TRUSTED_ISSUER$1 = 'FAME_JWT_TRUSTED_ISSUER';
 const ENV_VAR_JWT_ALGORITHM$1 = 'FAME_JWT_ALGORITHM';
@@ -21819,18 +21820,21 @@ const ENV_VAR_JWT_AUDIENCE$2 = 'FAME_JWT_AUDIENCE';
 const ENV_VAR_JWKS_URL$1 = 'FAME_JWKS_URL';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE$1 = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_AUTH_POLICY_PATH = 'FAME_AUTH_POLICY_PATH';
+const ENV_VAR_AUTH_POLICY_FORMAT = 'FAME_AUTH_POLICY_FORMAT';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: {
-        type: 'JWKSJWTTokenVerifier',
-        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-    },
+    verifier: DEFAULT_VERIFIER_CONFIG,
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21875,11 +21879,22 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_POLICY_SOURCE = {
+    type: 'LocalFileAuthorizationPolicySource',
+    path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
+    format: Expressions.env(ENV_VAR_AUTH_POLICY_FORMAT, 'auto'),
+};
+const POLICY_LOCALFILE_PROFILE = {
+    type: 'PolicyAuthorizer',
+    verifier: DEFAULT_VERIFIER_CONFIG,
+    policySource: DEFAULT_POLICY_SOURCE,
+};
 const PROFILE_MAP$5 = {
     [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
     [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
     [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
     [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_POLICY_LOCALFILE]: POLICY_LOCALFILE_PROFILE,
     [PROFILE_NAME_NOOP$2]: NOOP_PROFILE$2,
 };
 const PROFILE_ALIASES$1 = {
@@ -21893,6 +21908,9 @@ const PROFILE_ALIASES$1 = {
     'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
     oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
     'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    policy: PROFILE_NAME_POLICY_LOCALFILE,
+    'policy-localfile': PROFILE_NAME_POLICY_LOCALFILE,
+    policy_localfile: PROFILE_NAME_POLICY_LOCALFILE,
     noop: PROFILE_NAME_NOOP$2,
     'no-op': PROFILE_NAME_NOOP$2,
     no_op: PROFILE_NAME_NOOP$2,
@@ -21968,6 +21986,8 @@ function deepClone$4(value) {
 var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     AuthorizationProfileFactory: AuthorizationProfileFactory,
+    ENV_VAR_AUTH_POLICY_FORMAT: ENV_VAR_AUTH_POLICY_FORMAT,
+    ENV_VAR_AUTH_POLICY_PATH: ENV_VAR_AUTH_POLICY_PATH,
     ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET$1,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL$1,
@@ -21983,6 +22003,7 @@ var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
     PROFILE_NAME_OAUTH2: PROFILE_NAME_OAUTH2,
     PROFILE_NAME_OAUTH2_CALLBACK: PROFILE_NAME_OAUTH2_CALLBACK,
     PROFILE_NAME_OAUTH2_GATED: PROFILE_NAME_OAUTH2_GATED,
+    PROFILE_NAME_POLICY_LOCALFILE: PROFILE_NAME_POLICY_LOCALFILE,
     default: AuthorizationProfileFactory
 });
 
@@ -22541,6 +22562,7 @@ class BasicAuthorizationPolicy {
         // Action must be explicitly provided; default to wildcard if omitted
         // for backward compatibility during transition
         const resolvedAction = action ?? '*';
+        const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
         const rawFrameType = envelope.frame
@@ -22550,8 +22572,8 @@ class BasicAuthorizationPolicy {
             : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
-        const originTypeNormalized = typeof rawOriginType === 'string' && rawOriginType.trim().length > 0
-            ? rawOriginType.trim().toLowerCase()
+        const originTypeNormalized = typeof rawOriginType === 'string'
+            ? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
             : undefined;
         const evaluationTrace = [];
         // Evaluate rules in order (first match wins)
@@ -22598,8 +22620,8 @@ class BasicAuthorizationPolicy {
                 }
             }
             // Check action match
-            if (!rule.actions.has('*') && !rule.actions.has(resolvedAction)) {
-                step.expression = `action: ${resolvedAction} not in [${Array.from(rule.actions).join(', ')}]`;
+            if (!rule.actions.has('*') && !rule.actions.has(resolvedActionNormalized)) {
+                step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(', ')}]`;
                 step.result = false;
                 evaluationTrace.push(step);
                 continue;
@@ -22666,6 +22688,9 @@ class BasicAuthorizationPolicy {
         };
     }
     validateDefaultEffect(effect) {
+        if (effect === undefined || effect === null) {
+            return 'deny';
+        }
         if (effect !== 'allow' && effect !== 'deny') {
             throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
         }
@@ -22738,10 +22763,11 @@ class BasicAuthorizationPolicy {
         }
         // Handle single action
         if (typeof action === 'string') {
-            if (!VALID_ACTIONS.includes(action)) {
+            const normalized = this.normalizeActionToken(action);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            return new Set([action]);
+            return new Set([normalized]);
         }
         // Handle array of actions
         if (!Array.isArray(action)) {
@@ -22755,10 +22781,11 @@ class BasicAuthorizationPolicy {
             if (typeof a !== 'string') {
                 throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
             }
-            if (!VALID_ACTIONS.includes(a)) {
+            const normalized = this.normalizeActionToken(a);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            actions.add(a);
+            actions.add(normalized);
         }
         return actions;
     }
@@ -22861,11 +22888,12 @@ class BasicAuthorizationPolicy {
         }
         // Handle single origin type
         if (typeof originType === 'string') {
-            const normalized = originType.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = originType.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             return new Set([normalized]);
@@ -22882,17 +22910,50 @@ class BasicAuthorizationPolicy {
             if (typeof ot !== 'string') {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
             }
-            const normalized = ot.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = ot.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             originTypes.add(normalized);
         }
         return originTypes;
     }
+    normalizeActionToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        if (trimmed === '*') {
+            return '*';
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            connect: 'Connect',
+            forwardupstream: 'ForwardUpstream',
+            forwarddownstream: 'ForwardDownstream',
+            forwardpeer: 'ForwardPeer',
+            deliverlocal: 'DeliverLocal',
+        };
+        return map[normalized] ?? null;
+    }
+    normalizeOriginTypeToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            downstream: 'downstream',
+            upstream: 'upstream',
+            peer: 'peer',
+            local: 'local',
+        };
+        return map[normalized] ?? null;
+    }
 }
 
 var basicAuthorizationPolicy = /*#__PURE__*/Object.freeze({
@@ -42556,16 +42617,22 @@ class LocalFileAuthorizationPolicySource {
         const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
         // Ensure we have a type field for the factory
         if (!('type' in factoryConfig) || typeof factoryConfig.type !== 'string') {
-            throw new Error(`Policy definition at ${this.path} must have a 'type' field, ` +
-                `or policyFactory config must be provided`);
+            logger$1.warning('policy_type_missing_defaulting_to_basic', {
+                path: this.path,
+            });
+            factoryConfig.type =
+                'BasicAuthorizationPolicy';
         }
         // Build the factory config with the policy definition
         // The file content IS the policy definition, so we extract the type
         // and wrap the remaining content as the policyDefinition
-        const { type, ...restOfFile } = policyDefinition;
+        const { type: fileType, ...restOfFile } = policyDefinition;
+        const resolvedType = typeof fileType === 'string' && fileType.trim().length > 0
+            ? fileType
+            : factoryConfig.type;
         const mergedConfig = this.policyFactoryConfig != null
             ? { ...this.policyFactoryConfig, policyDefinition }
-            : { type: factoryConfig.type, policyDefinition: restOfFile };
+            : { type: resolvedType, policyDefinition: restOfFile };
         // Create the policy using the factory system
         const policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
         if (!policy) {