@naylence/runtime 0.4.5 → 0.4.6

package/dist/browser/index.cjs

@@ -525,12 +525,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.5';
+const VERSION = '0.4.6';
 
 let initialized = false;
 const runtimePlugin = {
@@ -21941,14 +21941,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21993,6 +21992,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: factory.Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -22044,13 +22048,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$K.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = factory.configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -22062,21 +22108,13 @@ function normalizeConfig$w(config) {
     return { profile: canonicalProfile };
 }
 function resolveProfileName$2(candidate) {
-    let direct = coerceProfileString$2(candidate.profile);
-    if (direct && factory.ExpressionEvaluator.isExpression(direct)) {
-        const evaluated = factory.ExpressionEvaluator.evaluate(direct);
-        direct = coerceProfileString$2(evaluated);
-    }
+    const direct = coerceProfileString$2(candidate.profile);
     if (direct) {
         return direct;
     }
     const legacyKeys = ['profile_name', 'profileName'];
     for (const legacyKey of legacyKeys) {
-        let legacyValue = coerceProfileString$2(candidate[legacyKey]);
-        if (legacyValue && factory.ExpressionEvaluator.isExpression(legacyValue)) {
-            const evaluated = factory.ExpressionEvaluator.evaluate(legacyValue);
-            legacyValue = coerceProfileString$2(evaluated);
-        }
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
         if (legacyValue) {
             return legacyValue;
         }
@@ -37415,7 +37453,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -37646,14 +37684,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -37669,6 +37707,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/browser/index.mjs

@@ -1,7 +1,7 @@
 import { parseAddressComponents, FlowFlags, FameAddress, DEFAULT_POLLING_TIMEOUT_MS, extractEnvelopeAndContext, createChannelMessage, generateId, createFameEnvelope, parseAddress, formatAddress, formatAddressFromComponents, FameResponseType, localDeliveryContext, Binding, DeliveryOriginType, makeResponse, isFameMessageResponse, parseRequest, makeRequest, DEFAULT_INVOKE_TIMEOUT_MILLIS, parseResponse, ConnectorState, ConnectorStateUtils, FameFabric, isFameMessageService, isFameRPCService, FameServiceProxy, generateIdAsync, snakeToCamelObject, getDefaultFameConfigResolver, setDefaultFameConfigResolver, SigningMaterial, AuthorizationContextSchema, FameDeliveryContextSchema, SecurityContextSchema, withFabric, FameEnvelopeSchema, deserializeEnvelope, FameChannelMessage, SINK_CAPABILITY, FameFabricFactory, serializeEnvelope, createAuthorizationContext } from '@naylence/core';
 export * from '@naylence/core';
 import { z, ZodError } from 'zod';
-import { Registry, AbstractResourceFactory, createResource as createResource$1, createDefaultResource, registerFactory, Expressions, ExtensionManager, ExpressionEvaluationPolicy, ExpressionEvaluator, configValidator } from '@naylence/factory';
+import { Registry, AbstractResourceFactory, createResource as createResource$1, createDefaultResource, registerFactory, Expressions, ExtensionManager, ExpressionEvaluationPolicy, configValidator } from '@naylence/factory';
 import { sign, hashes, verify } from '@noble/ed25519';
 import { sha256, sha512 } from '@noble/hashes/sha2.js';
 import { chacha20poly1305 } from '@noble/ciphers/chacha.js';
@@ -523,12 +523,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.5';
+const VERSION = '0.4.6';
 
 let initialized = false;
 const runtimePlugin = {
@@ -21939,14 +21939,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21991,6 +21990,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -22042,13 +22046,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$K.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -22060,21 +22106,13 @@ function normalizeConfig$w(config) {
     return { profile: canonicalProfile };
 }
 function resolveProfileName$2(candidate) {
-    let direct = coerceProfileString$2(candidate.profile);
-    if (direct && ExpressionEvaluator.isExpression(direct)) {
-        const evaluated = ExpressionEvaluator.evaluate(direct);
-        direct = coerceProfileString$2(evaluated);
-    }
+    const direct = coerceProfileString$2(candidate.profile);
     if (direct) {
         return direct;
     }
     const legacyKeys = ['profile_name', 'profileName'];
     for (const legacyKey of legacyKeys) {
-        let legacyValue = coerceProfileString$2(candidate[legacyKey]);
-        if (legacyValue && ExpressionEvaluator.isExpression(legacyValue)) {
-            const evaluated = ExpressionEvaluator.evaluate(legacyValue);
-            legacyValue = coerceProfileString$2(evaluated);
-        }
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
         if (legacyValue) {
             return legacyValue;
         }
@@ -37413,7 +37451,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -37644,14 +37682,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -37667,6 +37705,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/cjs/naylence/fame/security/auth/authorization-profile-factory.js

@@ -24,14 +24,13 @@ exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 exports.ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
-    issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
+        issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -76,6 +75,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory_1.Expressions.env(exports.ENV_VAR_JWKS_URL),
+    issuer: factory_1.Expressions.env(exports.ENV_VAR_JWT_TRUSTED_ISSUER),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: factory_1.Expressions.env(exports.ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -127,7 +131,31 @@ class AuthorizationProfileFactory extends authorizer_factory_js_1.AuthorizerFact
         logger.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = factory_1.configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
@@ -135,6 +163,24 @@ class AuthorizationProfileFactory extends authorizer_factory_js_1.AuthorizerFact
     }
 }
 exports.AuthorizationProfileFactory = AuthorizationProfileFactory;
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig(config) {
     if (!config) {
         return { profile: exports.PROFILE_NAME_OAUTH2 };
@@ -146,21 +192,13 @@ function normalizeConfig(config) {
     return { profile: canonicalProfile };
 }
 function resolveProfileName(candidate) {
-    let direct = coerceProfileString(candidate.profile);
-    if (direct && factory_1.ExpressionEvaluator.isExpression(direct)) {
-        const evaluated = factory_1.ExpressionEvaluator.evaluate(direct);
-        direct = coerceProfileString(evaluated);
-    }
+    const direct = coerceProfileString(candidate.profile);
     if (direct) {
         return direct;
     }
     const legacyKeys = ['profile_name', 'profileName'];
     for (const legacyKey of legacyKeys) {
-        let legacyValue = coerceProfileString(candidate[legacyKey]);
-        if (legacyValue && factory_1.ExpressionEvaluator.isExpression(legacyValue)) {
-            const evaluated = factory_1.ExpressionEvaluator.evaluate(legacyValue);
-            legacyValue = coerceProfileString(evaluated);
-        }
+        const legacyValue = coerceProfileString(candidate[legacyKey]);
         if (legacyValue) {
             return legacyValue;
         }

package/dist/cjs/naylence/fame/security/default-security-manager-factory.js

@@ -159,7 +159,7 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -390,14 +390,14 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -413,6 +413,7 @@ class DefaultSecurityManagerFactory extends security_manager_factory_js_1.Securi
             }
             const tokenVerifier = new noop_token_verifier_js_1.NoopTokenVerifier();
             return ((await authorizer_factory_js_1.AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.6
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.4.5';
+exports.VERSION = '0.4.6';

package/dist/esm/naylence/fame/security/auth/authorization-profile-factory.js

@@ -1,4 +1,4 @@
-import { Expressions, ExpressionEvaluator } from '@naylence/factory';
+import { Expressions, configValidator } from '@naylence/factory';
 import { getLogger } from '../../util/logging.js';
 import { AUTHORIZER_FACTORY_BASE_TYPE, AuthorizerFactory, } from './authorizer-factory.js';
 const logger = getLogger('naylence.fame.security.auth.authorization_profile_factory');
@@ -21,14 +21,13 @@ export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE
 export const ENV_VAR_HMAC_SECRET = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
-    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -73,6 +72,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -124,13 +128,55 @@ export class AuthorizationProfileFactory extends AuthorizerFactory {
         logger.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -142,21 +188,13 @@ function normalizeConfig(config) {
     return { profile: canonicalProfile };
 }
 function resolveProfileName(candidate) {
-    let direct = coerceProfileString(candidate.profile);
-    if (direct && ExpressionEvaluator.isExpression(direct)) {
-        const evaluated = ExpressionEvaluator.evaluate(direct);
-        direct = coerceProfileString(evaluated);
-    }
+    const direct = coerceProfileString(candidate.profile);
     if (direct) {
         return direct;
     }
     const legacyKeys = ['profile_name', 'profileName'];
     for (const legacyKey of legacyKeys) {
-        let legacyValue = coerceProfileString(candidate[legacyKey]);
-        if (legacyValue && ExpressionEvaluator.isExpression(legacyValue)) {
-            const evaluated = ExpressionEvaluator.evaluate(legacyValue);
-            legacyValue = coerceProfileString(evaluated);
-        }
+        const legacyValue = coerceProfileString(candidate[legacyKey]);
         if (legacyValue) {
             return legacyValue;
         }

package/dist/esm/naylence/fame/security/default-security-manager-factory.js

@@ -156,7 +156,7 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -387,14 +387,14 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -410,6 +410,7 @@ export class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/esm/version.js

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.4.5';
+export const VERSION = '0.4.6';