@naylence/runtime 0.4.2 → 0.4.4

package/dist/node/node.cjs

@@ -4436,12 +4436,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.2
+// Generated from package.json version: 0.4.4
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.2';
+const VERSION = '0.4.4';
 
 let initialized = false;
 const runtimePlugin = {
@@ -23018,6 +23018,7 @@ const PROFILE_NAME_DEFAULT = 'jwt';
 const PROFILE_NAME_OAUTH2 = 'oauth2';
 const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
 const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+const PROFILE_NAME_POLICY_LOCALFILE = 'policy-localfile';
 const PROFILE_NAME_NOOP$2 = 'noop';
 const ENV_VAR_JWT_TRUSTED_ISSUER$1 = 'FAME_JWT_TRUSTED_ISSUER';
 const ENV_VAR_JWT_ALGORITHM$3 = 'FAME_JWT_ALGORITHM';
@@ -23025,18 +23026,21 @@ const ENV_VAR_JWT_AUDIENCE$3 = 'FAME_JWT_AUDIENCE';
 const ENV_VAR_JWKS_URL$1 = 'FAME_JWKS_URL';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE$1 = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_AUTH_POLICY_PATH = 'FAME_AUTH_POLICY_PATH';
+const ENV_VAR_AUTH_POLICY_FORMAT = 'FAME_AUTH_POLICY_FORMAT';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: {
-        type: 'JWKSJWTTokenVerifier',
-        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
-        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-    },
+    verifier: DEFAULT_VERIFIER_CONFIG,
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -23081,11 +23085,22 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_POLICY_SOURCE = {
+    type: 'LocalFileAuthorizationPolicySource',
+    path: factory.Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
+    format: factory.Expressions.env(ENV_VAR_AUTH_POLICY_FORMAT, 'auto'),
+};
+const POLICY_LOCALFILE_PROFILE = {
+    type: 'PolicyAuthorizer',
+    verifier: DEFAULT_VERIFIER_CONFIG,
+    policySource: DEFAULT_POLICY_SOURCE,
+};
 const PROFILE_MAP$5 = {
     [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
     [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
     [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
     [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_POLICY_LOCALFILE]: POLICY_LOCALFILE_PROFILE,
     [PROFILE_NAME_NOOP$2]: NOOP_PROFILE$2,
 };
 const PROFILE_ALIASES$1 = {
@@ -23099,6 +23114,9 @@ const PROFILE_ALIASES$1 = {
     'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
     oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
     'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    policy: PROFILE_NAME_POLICY_LOCALFILE,
+    'policy-localfile': PROFILE_NAME_POLICY_LOCALFILE,
+    policy_localfile: PROFILE_NAME_POLICY_LOCALFILE,
     noop: PROFILE_NAME_NOOP$2,
     'no-op': PROFILE_NAME_NOOP$2,
     no_op: PROFILE_NAME_NOOP$2,
@@ -23174,6 +23192,8 @@ function deepClone$4(value) {
 var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     AuthorizationProfileFactory: AuthorizationProfileFactory,
+    ENV_VAR_AUTH_POLICY_FORMAT: ENV_VAR_AUTH_POLICY_FORMAT,
+    ENV_VAR_AUTH_POLICY_PATH: ENV_VAR_AUTH_POLICY_PATH,
     ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET$1,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL$1,
@@ -23189,6 +23209,7 @@ var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
     PROFILE_NAME_OAUTH2: PROFILE_NAME_OAUTH2,
     PROFILE_NAME_OAUTH2_CALLBACK: PROFILE_NAME_OAUTH2_CALLBACK,
     PROFILE_NAME_OAUTH2_GATED: PROFILE_NAME_OAUTH2_GATED,
+    PROFILE_NAME_POLICY_LOCALFILE: PROFILE_NAME_POLICY_LOCALFILE,
     default: AuthorizationProfileFactory
 });
 
@@ -23754,6 +23775,7 @@ class BasicAuthorizationPolicy {
         // Action must be explicitly provided; default to wildcard if omitted
         // for backward compatibility during transition
         const resolvedAction = action ?? '*';
+        const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
         const rawFrameType = envelope.frame
@@ -23763,8 +23785,8 @@ class BasicAuthorizationPolicy {
             : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
-        const originTypeNormalized = typeof rawOriginType === 'string' && rawOriginType.trim().length > 0
-            ? rawOriginType.trim().toLowerCase()
+        const originTypeNormalized = typeof rawOriginType === 'string'
+            ? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
             : undefined;
         const evaluationTrace = [];
         // Evaluate rules in order (first match wins)
@@ -23811,8 +23833,8 @@ class BasicAuthorizationPolicy {
                 }
             }
             // Check action match
-            if (!rule.actions.has('*') && !rule.actions.has(resolvedAction)) {
-                step.expression = `action: ${resolvedAction} not in [${Array.from(rule.actions).join(', ')}]`;
+            if (!rule.actions.has('*') && !rule.actions.has(resolvedActionNormalized)) {
+                step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(', ')}]`;
                 step.result = false;
                 evaluationTrace.push(step);
                 continue;
@@ -23879,6 +23901,9 @@ class BasicAuthorizationPolicy {
         };
     }
     validateDefaultEffect(effect) {
+        if (effect === undefined || effect === null) {
+            return 'deny';
+        }
         if (effect !== 'allow' && effect !== 'deny') {
             throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
         }
@@ -23951,10 +23976,11 @@ class BasicAuthorizationPolicy {
         }
         // Handle single action
         if (typeof action === 'string') {
-            if (!VALID_ACTIONS.includes(action)) {
+            const normalized = this.normalizeActionToken(action);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            return new Set([action]);
+            return new Set([normalized]);
         }
         // Handle array of actions
         if (!Array.isArray(action)) {
@@ -23968,10 +23994,11 @@ class BasicAuthorizationPolicy {
             if (typeof a !== 'string') {
                 throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
             }
-            if (!VALID_ACTIONS.includes(a)) {
+            const normalized = this.normalizeActionToken(a);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            actions.add(a);
+            actions.add(normalized);
         }
         return actions;
     }
@@ -24074,11 +24101,12 @@ class BasicAuthorizationPolicy {
         }
         // Handle single origin type
         if (typeof originType === 'string') {
-            const normalized = originType.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = originType.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             return new Set([normalized]);
@@ -24095,17 +24123,50 @@ class BasicAuthorizationPolicy {
             if (typeof ot !== 'string') {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
             }
-            const normalized = ot.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = ot.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             originTypes.add(normalized);
         }
         return originTypes;
     }
+    normalizeActionToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        if (trimmed === '*') {
+            return '*';
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            connect: 'Connect',
+            forwardupstream: 'ForwardUpstream',
+            forwarddownstream: 'ForwardDownstream',
+            forwardpeer: 'ForwardPeer',
+            deliverlocal: 'DeliverLocal',
+        };
+        return map[normalized] ?? null;
+    }
+    normalizeOriginTypeToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            downstream: 'downstream',
+            upstream: 'upstream',
+            peer: 'peer',
+            local: 'local',
+        };
+        return map[normalized] ?? null;
+    }
 }
 
 var basicAuthorizationPolicy = /*#__PURE__*/Object.freeze({
@@ -44907,16 +44968,22 @@ class LocalFileAuthorizationPolicySource {
         const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
         // Ensure we have a type field for the factory
         if (!('type' in factoryConfig) || typeof factoryConfig.type !== 'string') {
-            throw new Error(`Policy definition at ${this.path} must have a 'type' field, ` +
-                `or policyFactory config must be provided`);
+            logger$1.warning('policy_type_missing_defaulting_to_basic', {
+                path: this.path,
+            });
+            factoryConfig.type =
+                'BasicAuthorizationPolicy';
         }
         // Build the factory config with the policy definition
         // The file content IS the policy definition, so we extract the type
         // and wrap the remaining content as the policyDefinition
-        const { type, ...restOfFile } = policyDefinition;
+        const { type: fileType, ...restOfFile } = policyDefinition;
+        const resolvedType = typeof fileType === 'string' && fileType.trim().length > 0
+            ? fileType
+            : factoryConfig.type;
         const mergedConfig = this.policyFactoryConfig != null
             ? { ...this.policyFactoryConfig, policyDefinition }
-            : { type: factoryConfig.type, policyDefinition: restOfFile };
+            : { type: resolvedType, policyDefinition: restOfFile };
         // Create the policy using the factory system
         const policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
         if (!policy) {

package/dist/node/node.mjs

@@ -4435,12 +4435,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.2
+// Generated from package.json version: 0.4.4
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.2';
+const VERSION = '0.4.4';
 
 let initialized = false;
 const runtimePlugin = {
@@ -23017,6 +23017,7 @@ const PROFILE_NAME_DEFAULT = 'jwt';
 const PROFILE_NAME_OAUTH2 = 'oauth2';
 const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
 const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+const PROFILE_NAME_POLICY_LOCALFILE = 'policy-localfile';
 const PROFILE_NAME_NOOP$2 = 'noop';
 const ENV_VAR_JWT_TRUSTED_ISSUER$1 = 'FAME_JWT_TRUSTED_ISSUER';
 const ENV_VAR_JWT_ALGORITHM$3 = 'FAME_JWT_ALGORITHM';
@@ -23024,18 +23025,21 @@ const ENV_VAR_JWT_AUDIENCE$3 = 'FAME_JWT_AUDIENCE';
 const ENV_VAR_JWKS_URL$1 = 'FAME_JWKS_URL';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE$1 = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_AUTH_POLICY_PATH = 'FAME_AUTH_POLICY_PATH';
+const ENV_VAR_AUTH_POLICY_FORMAT = 'FAME_AUTH_POLICY_FORMAT';
 const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: {
-        type: 'JWKSJWTTokenVerifier',
-        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-    },
+    verifier: DEFAULT_VERIFIER_CONFIG,
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -23080,11 +23084,22 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_POLICY_SOURCE = {
+    type: 'LocalFileAuthorizationPolicySource',
+    path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
+    format: Expressions.env(ENV_VAR_AUTH_POLICY_FORMAT, 'auto'),
+};
+const POLICY_LOCALFILE_PROFILE = {
+    type: 'PolicyAuthorizer',
+    verifier: DEFAULT_VERIFIER_CONFIG,
+    policySource: DEFAULT_POLICY_SOURCE,
+};
 const PROFILE_MAP$5 = {
     [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
     [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
     [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
     [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_POLICY_LOCALFILE]: POLICY_LOCALFILE_PROFILE,
     [PROFILE_NAME_NOOP$2]: NOOP_PROFILE$2,
 };
 const PROFILE_ALIASES$1 = {
@@ -23098,6 +23113,9 @@ const PROFILE_ALIASES$1 = {
     'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
     oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
     'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    policy: PROFILE_NAME_POLICY_LOCALFILE,
+    'policy-localfile': PROFILE_NAME_POLICY_LOCALFILE,
+    policy_localfile: PROFILE_NAME_POLICY_LOCALFILE,
     noop: PROFILE_NAME_NOOP$2,
     'no-op': PROFILE_NAME_NOOP$2,
     no_op: PROFILE_NAME_NOOP$2,
@@ -23173,6 +23191,8 @@ function deepClone$4(value) {
 var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     AuthorizationProfileFactory: AuthorizationProfileFactory,
+    ENV_VAR_AUTH_POLICY_FORMAT: ENV_VAR_AUTH_POLICY_FORMAT,
+    ENV_VAR_AUTH_POLICY_PATH: ENV_VAR_AUTH_POLICY_PATH,
     ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET$1,
     ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL$1,
@@ -23188,6 +23208,7 @@ var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
     PROFILE_NAME_OAUTH2: PROFILE_NAME_OAUTH2,
     PROFILE_NAME_OAUTH2_CALLBACK: PROFILE_NAME_OAUTH2_CALLBACK,
     PROFILE_NAME_OAUTH2_GATED: PROFILE_NAME_OAUTH2_GATED,
+    PROFILE_NAME_POLICY_LOCALFILE: PROFILE_NAME_POLICY_LOCALFILE,
     default: AuthorizationProfileFactory
 });
 
@@ -23753,6 +23774,7 @@ class BasicAuthorizationPolicy {
         // Action must be explicitly provided; default to wildcard if omitted
         // for backward compatibility during transition
         const resolvedAction = action ?? '*';
+        const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
         const rawFrameType = envelope.frame
@@ -23762,8 +23784,8 @@ class BasicAuthorizationPolicy {
             : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
-        const originTypeNormalized = typeof rawOriginType === 'string' && rawOriginType.trim().length > 0
-            ? rawOriginType.trim().toLowerCase()
+        const originTypeNormalized = typeof rawOriginType === 'string'
+            ? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
             : undefined;
         const evaluationTrace = [];
         // Evaluate rules in order (first match wins)
@@ -23810,8 +23832,8 @@ class BasicAuthorizationPolicy {
                 }
             }
             // Check action match
-            if (!rule.actions.has('*') && !rule.actions.has(resolvedAction)) {
-                step.expression = `action: ${resolvedAction} not in [${Array.from(rule.actions).join(', ')}]`;
+            if (!rule.actions.has('*') && !rule.actions.has(resolvedActionNormalized)) {
+                step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(', ')}]`;
                 step.result = false;
                 evaluationTrace.push(step);
                 continue;
@@ -23878,6 +23900,9 @@ class BasicAuthorizationPolicy {
         };
     }
     validateDefaultEffect(effect) {
+        if (effect === undefined || effect === null) {
+            return 'deny';
+        }
         if (effect !== 'allow' && effect !== 'deny') {
             throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
         }
@@ -23950,10 +23975,11 @@ class BasicAuthorizationPolicy {
         }
         // Handle single action
         if (typeof action === 'string') {
-            if (!VALID_ACTIONS.includes(action)) {
+            const normalized = this.normalizeActionToken(action);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            return new Set([action]);
+            return new Set([normalized]);
         }
         // Handle array of actions
         if (!Array.isArray(action)) {
@@ -23967,10 +23993,11 @@ class BasicAuthorizationPolicy {
             if (typeof a !== 'string') {
                 throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
             }
-            if (!VALID_ACTIONS.includes(a)) {
+            const normalized = this.normalizeActionToken(a);
+            if (!normalized) {
                 throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${VALID_ACTIONS.join(', ')}`);
             }
-            actions.add(a);
+            actions.add(normalized);
         }
         return actions;
     }
@@ -24073,11 +24100,12 @@ class BasicAuthorizationPolicy {
         }
         // Handle single origin type
         if (typeof originType === 'string') {
-            const normalized = originType.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = originType.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             return new Set([normalized]);
@@ -24094,17 +24122,50 @@ class BasicAuthorizationPolicy {
             if (typeof ot !== 'string') {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
             }
-            const normalized = ot.trim().toLowerCase();
-            if (!normalized) {
+            const trimmed = ot.trim();
+            if (!trimmed) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
             }
-            if (!VALID_ORIGIN_TYPES.includes(normalized)) {
+            const normalized = this.normalizeOriginTypeToken(trimmed);
+            if (!normalized) {
                 throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${VALID_ORIGIN_TYPES.join(', ')}`);
             }
             originTypes.add(normalized);
         }
         return originTypes;
     }
+    normalizeActionToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        if (trimmed === '*') {
+            return '*';
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            connect: 'Connect',
+            forwardupstream: 'ForwardUpstream',
+            forwarddownstream: 'ForwardDownstream',
+            forwardpeer: 'ForwardPeer',
+            deliverlocal: 'DeliverLocal',
+        };
+        return map[normalized] ?? null;
+    }
+    normalizeOriginTypeToken(value) {
+        const trimmed = value.trim();
+        if (!trimmed) {
+            return null;
+        }
+        const normalized = trimmed.replace(/[\s_-]+/g, '').toLowerCase();
+        const map = {
+            downstream: 'downstream',
+            upstream: 'upstream',
+            peer: 'peer',
+            local: 'local',
+        };
+        return map[normalized] ?? null;
+    }
 }
 
 var basicAuthorizationPolicy = /*#__PURE__*/Object.freeze({
@@ -44906,16 +44967,22 @@ class LocalFileAuthorizationPolicySource {
         const factoryConfig = this.policyFactoryConfig ?? policyDefinition;
         // Ensure we have a type field for the factory
         if (!('type' in factoryConfig) || typeof factoryConfig.type !== 'string') {
-            throw new Error(`Policy definition at ${this.path} must have a 'type' field, ` +
-                `or policyFactory config must be provided`);
+            logger$1.warning('policy_type_missing_defaulting_to_basic', {
+                path: this.path,
+            });
+            factoryConfig.type =
+                'BasicAuthorizationPolicy';
         }
         // Build the factory config with the policy definition
         // The file content IS the policy definition, so we extract the type
         // and wrap the remaining content as the policyDefinition
-        const { type, ...restOfFile } = policyDefinition;
+        const { type: fileType, ...restOfFile } = policyDefinition;
+        const resolvedType = typeof fileType === 'string' && fileType.trim().length > 0
+            ? fileType
+            : factoryConfig.type;
         const mergedConfig = this.policyFactoryConfig != null
             ? { ...this.policyFactoryConfig, policyDefinition }
-            : { type: factoryConfig.type, policyDefinition: restOfFile };
+            : { type: resolvedType, policyDefinition: restOfFile };
         // Create the policy using the factory system
         const policy = await AuthorizationPolicyFactory.createAuthorizationPolicy(mergedConfig);
         if (!policy) {

package/dist/types/naylence/fame/security/auth/authorization-profile-factory.d.ts

@@ -8,6 +8,7 @@ export declare const PROFILE_NAME_DEFAULT = "jwt";
 export declare const PROFILE_NAME_OAUTH2 = "oauth2";
 export declare const PROFILE_NAME_OAUTH2_GATED = "oauth2-gated";
 export declare const PROFILE_NAME_OAUTH2_CALLBACK = "oauth2-callback";
+export declare const PROFILE_NAME_POLICY_LOCALFILE = "policy-localfile";
 export declare const PROFILE_NAME_NOOP = "noop";
 export declare const ENV_VAR_JWT_TRUSTED_ISSUER = "FAME_JWT_TRUSTED_ISSUER";
 export declare const ENV_VAR_JWT_ALGORITHM = "FAME_JWT_ALGORITHM";
@@ -15,6 +16,8 @@ export declare const ENV_VAR_JWT_AUDIENCE = "FAME_JWT_AUDIENCE";
 export declare const ENV_VAR_JWKS_URL = "FAME_JWKS_URL";
 export declare const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = "FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY";
 export declare const ENV_VAR_TRUSTED_CLIENT_SCOPE = "FAME_TRUSTED_CLIENT_SCOPE";
+export declare const ENV_VAR_AUTH_POLICY_PATH = "FAME_AUTH_POLICY_PATH";
+export declare const ENV_VAR_AUTH_POLICY_FORMAT = "FAME_AUTH_POLICY_FORMAT";
 export declare const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = "FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER";
 export declare const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = "FAME_JWT_REVERSE_AUTH_AUDIENCE";
 export declare const ENV_VAR_HMAC_SECRET = "FAME_HMAC_SECRET";

package/dist/types/naylence/fame/security/auth/policy/authorization-policy-definition.d.ts

@@ -20,6 +20,11 @@ export type RuleEffect = 'allow' | 'deny';
  * - '*': Matches all actions (wildcard)
  */
 export type RuleAction = 'Connect' | 'ForwardUpstream' | 'ForwardDownstream' | 'ForwardPeer' | 'DeliverLocal' | '*';
+/**
+ * Action input tokens accepted in policy definitions.
+ * Values are normalized case-insensitively and support snake_case.
+ */
+export type RuleActionInput = RuleAction | string;
 /**
  * Scope requirement using logical operators.
  *
@@ -68,9 +73,10 @@ export interface AuthorizationRuleDefinition {
     /**
      * The action type this rule applies to.
      * Can be a single action or an array of actions (implicit any-of).
+     * Values are matched case-insensitively and support snake_case equivalents.
      * @default '*' (all actions)
      */
-    action?: RuleAction | RuleAction[];
+    action?: RuleActionInput | RuleActionInput[];
     /**
      * Address pattern(s) to match using glob syntax.
      * Can be a single pattern or an array (implicit any-of).
@@ -128,7 +134,7 @@ export interface AuthorizationPolicyDefinition {
     /**
      * Default effect when no rule matches.
      */
-    default_effect: RuleEffect;
+    default_effect?: RuleEffect;
     /**
      * List of authorization rules, evaluated in order.
      * First matching rule determines the outcome.

package/dist/types/naylence/fame/security/auth/policy/basic-authorization-policy.d.ts

@@ -75,4 +75,6 @@ export declare class BasicAuthorizationPolicy implements AuthorizationPolicy {
      * Valid values: 'downstream', 'upstream', 'peer', 'local' (case-insensitive).
      */
     private compileOriginTypes;
+    private normalizeActionToken;
+    private normalizeOriginTypeToken;
 }

package/dist/types/version.d.ts

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.4.2";
+export declare const VERSION = "0.4.4";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.4.2",
+  "version": "0.4.4",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",