@naylence/runtime 0.4.4 → 0.4.6

package/dist/browser/index.cjs

@@ -525,12 +525,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.4';
+const VERSION = '0.4.6';
 
 let initialized = false;
 const runtimePlugin = {
@@ -21941,14 +21941,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21993,6 +21992,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: factory.Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -22044,13 +22048,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$K.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = factory.configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -37407,7 +37453,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -37638,14 +37684,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -37661,6 +37707,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/browser/index.mjs

@@ -523,12 +523,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.4';
+const VERSION = '0.4.6';
 
 let initialized = false;
 const runtimePlugin = {
@@ -21939,14 +21939,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21991,6 +21990,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -22042,13 +22046,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$K.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -37405,7 +37451,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -37636,14 +37682,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -37659,6 +37705,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/cjs/naylence/fame/security/auth/authorization-profile-factory.js

@@ -24,14 +24,13 @@ exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 exports.ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
-    issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
+        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -76,6 +75,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
+    issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: factory_1.Expressions.env(exports.ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -127,7 +131,31 @@ class AuthorizationProfileFactory extends authorizer_factory_js_1.AuthorizerFact
         logger.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = factory_1.configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
@@ -135,6 +163,24 @@ class AuthorizationProfileFactory extends authorizer_factory_js_1.AuthorizerFact
     }
 }
 exports.AuthorizationProfileFactory = AuthorizationProfileFactory;
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig(config) {
     if (!config) {
         return { profile: exports.PROFILE_NAME_OAUTH2 };

package/dist/cjs/naylence/fame/security/default-security-manager-factory.js

@@ -159,7 +159,7 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -390,14 +390,14 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -413,6 +413,7 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
             }
             const tokenVerifier = new noop_token_verifier_js_1.NoopTokenVerifier();
             return ((await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.4.4';
+exports.VERSION = '0.4.6';

package/dist/esm/naylence/fame/security/auth/authorization-profile-factory.js

@@ -1,4 +1,4 @@
-import { Expressions } from '@naylence/factory';
+import { Expressions, configValidator } from '@naylence/factory';
 import { getLogger } from '../../util/logging.js';
 import { AUTHORIZER_FACTORY_BASE_TYPE, AuthorizerFactory, } from './authorizer-factory.js';
 const logger = getLogger('naylence.fame.security.auth.authorization_profile_factory');
@@ -21,14 +21,13 @@ export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE
 export const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
-    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -73,6 +72,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -124,13 +128,55 @@ export class AuthorizationProfileFactory extends AuthorizerFactory {
         logger.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };

package/dist/esm/naylence/fame/security/default-security-manager-factory.js

@@ -156,7 +156,7 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -387,14 +387,14 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -410,6 +410,7 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/esm/version.js

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.4.4';
+export const VERSION = '0.4.6';

package/dist/node/index.cjs

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.4';
+const VERSION = '0.4.6';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -21828,14 +21828,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21880,6 +21879,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: factory.Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -21931,13 +21935,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$K.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = factory.configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -35957,7 +36003,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -36188,14 +36234,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -36211,6 +36257,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/node/index.mjs

@@ -13,12 +13,12 @@ import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.4';
+const VERSION = '0.4.6';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -21827,14 +21827,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21879,6 +21878,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -21930,13 +21934,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$K.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -35956,7 +36002,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -36187,14 +36233,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -36210,6 +36256,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/node/node.cjs

@@ -4436,12 +4436,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.4';
+const VERSION = '0.4.6';
 
 let initialized = false;
 const runtimePlugin = {
@@ -23033,14 +23033,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -23085,6 +23084,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: factory.Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -23136,13 +23140,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$N.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = factory.configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -40714,7 +40760,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -40945,14 +40991,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -40968,6 +41014,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/node/node.mjs

@@ -4435,12 +4435,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.4
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.4';
+const VERSION = '0.4.6';
 
 let initialized = false;
 const runtimePlugin = {
@@ -23032,14 +23032,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -23084,6 +23083,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -23135,13 +23139,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$N.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -40713,7 +40759,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -40944,14 +40990,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -40967,6 +41013,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/types/version.d.ts

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.4.4";
+export declare const VERSION = "0.4.6";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.4.4",
+  "version": "0.4.6",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",