@naylence/runtime 0.4.5 → 0.4.6

package/dist/node/index.cjs

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.5';
+const VERSION = '0.4.6';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -21828,14 +21828,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21880,6 +21879,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: factory.Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -21931,13 +21935,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$K.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = factory.configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -21949,21 +21995,13 @@ function normalizeConfig$w(config) {
     return { profile: canonicalProfile };
 }
 function resolveProfileName$2(candidate) {
-    let direct = coerceProfileString$2(candidate.profile);
-    if (direct && factory.ExpressionEvaluator.isExpression(direct)) {
-        const evaluated = factory.ExpressionEvaluator.evaluate(direct);
-        direct = coerceProfileString$2(evaluated);
-    }
+    const direct = coerceProfileString$2(candidate.profile);
     if (direct) {
         return direct;
     }
     const legacyKeys = ['profile_name', 'profileName'];
     for (const legacyKey of legacyKeys) {
-        let legacyValue = coerceProfileString$2(candidate[legacyKey]);
-        if (legacyValue && factory.ExpressionEvaluator.isExpression(legacyValue)) {
-            const evaluated = factory.ExpressionEvaluator.evaluate(legacyValue);
-            legacyValue = coerceProfileString$2(evaluated);
-        }
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
         if (legacyValue) {
             return legacyValue;
         }
@@ -35965,7 +36003,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -36196,14 +36234,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -36219,6 +36257,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/node/index.mjs

@@ -1,7 +1,7 @@
 import { parseAddressComponents, FlowFlags, FameAddress, DEFAULT_POLLING_TIMEOUT_MS, extractEnvelopeAndContext, createChannelMessage, generateId, createFameEnvelope, parseAddress, formatAddress, formatAddressFromComponents, FameResponseType, localDeliveryContext, Binding, DeliveryOriginType, makeResponse, isFameMessageResponse, parseRequest, makeRequest, DEFAULT_INVOKE_TIMEOUT_MILLIS, parseResponse, ConnectorState, ConnectorStateUtils, FameFabric, isFameMessageService, isFameRPCService, FameServiceProxy, generateIdAsync, snakeToCamelObject, getDefaultFameConfigResolver, setDefaultFameConfigResolver, SigningMaterial, AuthorizationContextSchema, FameDeliveryContextSchema, SecurityContextSchema, withFabric, FameEnvelopeSchema, SINK_CAPABILITY, FameFabricFactory, serializeEnvelope, createAuthorizationContext, deserializeEnvelope, FameChannelMessage } from '@naylence/core';
 export * from '@naylence/core';
 import { z, ZodError } from 'zod';
-import { AbstractResourceFactory, createResource as createResource$1, createDefaultResource, registerFactory, Expressions, ExtensionManager, ExpressionEvaluationPolicy, Registry, ExpressionEvaluator, configValidator } from '@naylence/factory';
+import { AbstractResourceFactory, createResource as createResource$1, createDefaultResource, registerFactory, Expressions, ExtensionManager, ExpressionEvaluationPolicy, Registry, configValidator } from '@naylence/factory';
 import { sign, hashes, verify } from '@noble/ed25519';
 import { sha256, sha512 } from '@noble/hashes/sha2.js';
 import { chacha20poly1305 } from '@noble/ciphers/chacha.js';
@@ -13,12 +13,12 @@ import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.5';
+const VERSION = '0.4.6';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -21827,14 +21827,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -21879,6 +21878,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -21930,13 +21934,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$K.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -21948,21 +21994,13 @@ function normalizeConfig$w(config) {
     return { profile: canonicalProfile };
 }
 function resolveProfileName$2(candidate) {
-    let direct = coerceProfileString$2(candidate.profile);
-    if (direct && ExpressionEvaluator.isExpression(direct)) {
-        const evaluated = ExpressionEvaluator.evaluate(direct);
-        direct = coerceProfileString$2(evaluated);
-    }
+    const direct = coerceProfileString$2(candidate.profile);
     if (direct) {
         return direct;
     }
     const legacyKeys = ['profile_name', 'profileName'];
     for (const legacyKey of legacyKeys) {
-        let legacyValue = coerceProfileString$2(candidate[legacyKey]);
-        if (legacyValue && ExpressionEvaluator.isExpression(legacyValue)) {
-            const evaluated = ExpressionEvaluator.evaluate(legacyValue);
-            legacyValue = coerceProfileString$2(evaluated);
-        }
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
         if (legacyValue) {
             return legacyValue;
         }
@@ -35964,7 +36002,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -36195,14 +36233,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -36218,6 +36256,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/node/node.cjs

@@ -4436,12 +4436,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.5';
+const VERSION = '0.4.6';
 
 let initialized = false;
 const runtimePlugin = {
@@ -23033,14 +23033,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -23085,6 +23084,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: factory.Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -23136,13 +23140,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$N.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = factory.configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -23154,21 +23200,13 @@ function normalizeConfig$w(config) {
     return { profile: canonicalProfile };
 }
 function resolveProfileName$2(candidate) {
-    let direct = coerceProfileString$2(candidate.profile);
-    if (direct && factory.ExpressionEvaluator.isExpression(direct)) {
-        const evaluated = factory.ExpressionEvaluator.evaluate(direct);
-        direct = coerceProfileString$2(evaluated);
-    }
+    const direct = coerceProfileString$2(candidate.profile);
     if (direct) {
         return direct;
     }
     const legacyKeys = ['profile_name', 'profileName'];
     for (const legacyKey of legacyKeys) {
-        let legacyValue = coerceProfileString$2(candidate[legacyKey]);
-        if (legacyValue && factory.ExpressionEvaluator.isExpression(legacyValue)) {
-            const evaluated = factory.ExpressionEvaluator.evaluate(legacyValue);
-            legacyValue = coerceProfileString$2(evaluated);
-        }
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
         if (legacyValue) {
             return legacyValue;
         }
@@ -40722,7 +40760,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -40953,14 +40991,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -40976,6 +41014,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/node/node.mjs

@@ -1,6 +1,6 @@
 import { FlowFlags, ConnectorState, generateId, ConnectorStateUtils, FameResponseType, createFameEnvelope, parseAddressComponents, FameAddress, DEFAULT_POLLING_TIMEOUT_MS, extractEnvelopeAndContext, createChannelMessage, parseAddress, formatAddress, formatAddressFromComponents, localDeliveryContext, Binding, DeliveryOriginType, makeResponse, isFameMessageResponse, parseRequest, makeRequest, DEFAULT_INVOKE_TIMEOUT_MILLIS, parseResponse, FameFabric, isFameMessageService, isFameRPCService, FameServiceProxy, generateIdAsync, snakeToCamelObject, getDefaultFameConfigResolver, setDefaultFameConfigResolver, SigningMaterial, AuthorizationContextSchema, FameDeliveryContextSchema, SecurityContextSchema, withFabric, FameEnvelopeSchema, serializeEnvelope, FameChannelMessage, deserializeEnvelope, SINK_CAPABILITY, FameFabricFactory, createAuthorizationContext } from '@naylence/core';
 export * from '@naylence/core';
-import { ExtensionManager, ExpressionEvaluationPolicy, AbstractResourceFactory, createResource as createResource$1, createDefaultResource, Registry, registerFactory, Expressions, ExpressionEvaluator, configValidator } from '@naylence/factory';
+import { ExtensionManager, ExpressionEvaluationPolicy, AbstractResourceFactory, createResource as createResource$1, createDefaultResource, Registry, registerFactory, Expressions, configValidator } from '@naylence/factory';
 import { z, ZodError } from 'zod';
 import fs from 'node:fs';
 import fsPromises from 'node:fs/promises';
@@ -4435,12 +4435,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.5
+// Generated from package.json version: 0.4.6
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.5';
+const VERSION = '0.4.6';
 
 let initialized = false;
 const runtimePlugin = {
@@ -23032,14 +23032,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
 const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
 const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
-const DEFAULT_VERIFIER_CONFIG = {
-    type: 'JWKSJWTTokenVerifier',
-    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
-    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
-};
 const DEFAULT_PROFILE = {
     type: 'DefaultAuthorizer',
-    verifier: DEFAULT_VERIFIER_CONFIG,
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
 };
 const OAUTH2_PROFILE = {
     type: 'OAuth2Authorizer',
@@ -23084,6 +23083,11 @@ const OAUTH2_CALLBACK_PROFILE = {
 const NOOP_PROFILE$2 = {
     type: 'NoopAuthorizer',
 };
+const DEFAULT_VERIFIER_CONFIG = {
+    type: 'JWKSJWTTokenVerifier',
+    jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+};
 const DEFAULT_POLICY_SOURCE = {
     type: 'LocalFileAuthorizationPolicySource',
     path: Expressions.env(ENV_VAR_AUTH_POLICY_PATH, './auth-policy.yaml'),
@@ -23135,13 +23139,55 @@ class AuthorizationProfileFactory extends AuthorizerFactory {
         logger$N.debug('enabling_authorization_profile', {
             profile: normalized.profile,
         });
-        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        // Extract CreateResourceOptions from factoryArgs - it's typically the last object with env/config/variables
+        const createOptions = extractCreateResourceOptions(factoryArgs);
+        // Only evaluate expressions if we have env/config/variables available
+        let evaluatedConfig = profileConfig;
+        const hasContext = createOptions.env || createOptions.config || createOptions.variables;
+        if (hasContext) {
+            // Build validation context from createOptions to evaluate expressions
+            const validationContext = {
+                env: createOptions.env,
+                config: createOptions.config,
+                variables: createOptions.variables,
+                allowUnknownProperties: true,
+            };
+            // Evaluate expressions in the profile config
+            const validationResult = configValidator.validate(profileConfig, validationContext);
+            if (!validationResult.valid) {
+                const errorMessages = validationResult.errors
+                    .map((error) => `${error.path || 'root'}: ${error.message}`)
+                    .join('; ');
+                throw new Error(`Failed to evaluate authorization profile configuration: ${errorMessages}`);
+            }
+            evaluatedConfig = validationResult.config ?? profileConfig;
+        }
+        const authorizer = await AuthorizerFactory.createAuthorizer(evaluatedConfig, hasContext ? { validate: false } : { factoryArgs } // Pass factoryArgs if no validation was done
+        );
         if (!authorizer) {
             throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
         }
         return authorizer;
     }
 }
+/**
+ * Extracts CreateResourceOptions from factoryArgs.
+ * The factory system passes CreateResourceOptions as an object in factoryArgs.
+ */
+function extractCreateResourceOptions(factoryArgs) {
+    // Find the last object argument that looks like CreateResourceOptions
+    for (let i = factoryArgs.length - 1; i >= 0; i--) {
+        const arg = factoryArgs[i];
+        if (arg && typeof arg === 'object' && !Array.isArray(arg)) {
+            const candidate = arg;
+            // Check if it has typical CreateResourceOptions properties
+            if ('env' in candidate || 'config' in candidate || 'variables' in candidate || 'factoryArgs' in candidate) {
+                return candidate;
+            }
+        }
+    }
+    return {};
+}
 function normalizeConfig$w(config) {
     if (!config) {
         return { profile: PROFILE_NAME_OAUTH2 };
@@ -23153,21 +23199,13 @@ function normalizeConfig$w(config) {
     return { profile: canonicalProfile };
 }
 function resolveProfileName$2(candidate) {
-    let direct = coerceProfileString$2(candidate.profile);
-    if (direct && ExpressionEvaluator.isExpression(direct)) {
-        const evaluated = ExpressionEvaluator.evaluate(direct);
-        direct = coerceProfileString$2(evaluated);
-    }
+    const direct = coerceProfileString$2(candidate.profile);
     if (direct) {
         return direct;
     }
     const legacyKeys = ['profile_name', 'profileName'];
     for (const legacyKey of legacyKeys) {
-        let legacyValue = coerceProfileString$2(candidate[legacyKey]);
-        if (legacyValue && ExpressionEvaluator.isExpression(legacyValue)) {
-            const evaluated = ExpressionEvaluator.evaluate(legacyValue);
-            legacyValue = coerceProfileString$2(evaluated);
-        }
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
         if (legacyValue) {
             return legacyValue;
         }
@@ -40721,7 +40759,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         if (!authorizer) {
             authorizer =
-                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy);
+                await DefaultSecurityManagerFactory.createAuthorizerFromConfig(config, policy, createOptions);
         }
         if (authorizer &&
             eventListeners &&
@@ -40952,14 +40990,14 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
         }
         return null;
     }
-    static async createAuthorizerFromConfig(config, policy) {
+    static async createAuthorizerFromConfig(config, policy, createOptions) {
         let authorizerConfig = config.authorizer ?? null;
         if (!authorizerConfig) {
             authorizerConfig = config.authorizer_config ?? null;
         }
         if (authorizerConfig &&
             DefaultSecurityManagerFactory.isConfigLike(authorizerConfig)) {
-            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig)) ?? null);
+            return ((await AuthorizerFactory.createAuthorizer(authorizerConfig, createOptions ?? undefined)) ?? null);
         }
         try {
             const requirements = policy.requirements?.();
@@ -40975,6 +41013,7 @@ class DefaultSecurityManagerFactory extends SecurityManagerFactory {
             }
             const tokenVerifier = new NoopTokenVerifier();
             return ((await AuthorizerFactory.createAuthorizer(null, {
+                ...createOptions,
                 factoryArgs: [tokenVerifier],
             })) ?? null);
         }

package/dist/types/version.d.ts

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.4.5";
+export declare const VERSION = "0.4.6";