@naylence/runtime 0.4.7 → 0.4.9

package/dist/browser/index.cjs

@@ -525,12 +525,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.7
+// Generated from package.json version: 0.4.9
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.7';
+const VERSION = '0.4.9';
 
 let initialized = false;
 const runtimePlugin = {
@@ -22237,7 +22237,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -22760,11 +22760,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -22782,22 +22777,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -22912,8 +22901,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$J.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -22940,11 +22935,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -23034,43 +23030,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/browser/index.mjs

@@ -523,12 +523,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.7
+// Generated from package.json version: 0.4.9
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.7';
+const VERSION = '0.4.9';
 
 let initialized = false;
 const runtimePlugin = {
@@ -22235,7 +22235,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -22758,11 +22758,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -22780,22 +22775,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -22910,8 +22899,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$J.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -22938,11 +22933,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -23032,43 +23028,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-definition.js

@@ -29,7 +29,7 @@ exports.KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security

package/dist/cjs/naylence/fame/security/auth/policy/basic-authorization-policy.js

@@ -96,11 +96,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -118,22 +113,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -248,8 +237,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -276,11 +271,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -370,43 +366,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.7
+// Generated from package.json version: 0.4.9
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.4.7';
+exports.VERSION = '0.4.9';

package/dist/esm/naylence/fame/security/auth/policy/authorization-policy-definition.js

@@ -26,7 +26,7 @@ export const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security

package/dist/esm/naylence/fame/security/auth/policy/basic-authorization-policy.js

@@ -93,11 +93,6 @@ export class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -115,22 +110,16 @@ export class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -245,8 +234,14 @@ export class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -273,11 +268,12 @@ export class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -367,43 +363,6 @@ export class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/esm/version.js

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.7
+// Generated from package.json version: 0.4.9
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.4.7';
+export const VERSION = '0.4.9';

package/dist/node/index.cjs

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.7
+// Generated from package.json version: 0.4.9
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.7';
+const VERSION = '0.4.9';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -22124,7 +22124,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -22647,11 +22647,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -22669,22 +22664,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -22799,8 +22788,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$J.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -22827,11 +22822,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -22921,43 +22917,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/node/index.mjs

@@ -13,12 +13,12 @@ import fastify from 'fastify';
 import websocketPlugin from '@fastify/websocket';
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.7
+// Generated from package.json version: 0.4.9
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.7';
+const VERSION = '0.4.9';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -22123,7 +22123,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -22646,11 +22646,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -22668,22 +22663,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -22798,8 +22787,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$J.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -22826,11 +22821,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -22920,43 +22916,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/node/node.cjs

@@ -4436,12 +4436,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.7
+// Generated from package.json version: 0.4.9
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.7';
+const VERSION = '0.4.9';
 
 let initialized = false;
 const runtimePlugin = {
@@ -23331,7 +23331,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -23861,11 +23861,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -23883,22 +23878,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$M.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$M.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -24013,8 +24002,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$M.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -24041,11 +24036,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -24135,43 +24131,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/node/node.mjs

@@ -4435,12 +4435,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.7
+// Generated from package.json version: 0.4.9
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.7';
+const VERSION = '0.4.9';
 
 let initialized = false;
 const runtimePlugin = {
@@ -23330,7 +23330,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -23860,11 +23860,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -23882,22 +23877,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$M.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$M.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -24012,8 +24001,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$M.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -24040,11 +24035,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -24134,43 +24130,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/types/naylence/fame/security/auth/policy/authorization-policy-definition.d.ts

@@ -93,9 +93,13 @@ export interface AuthorizationRuleDefinition {
      */
     address?: string | string[];
     /**
-     * Optional frame type gating.
+     * Optional frame type gating (reserved for advanced-security package).
      * Can be a single frame type string or an array (implicit any-of).
      * Matching is case-insensitive.
+     *
+     * WARNING: Basic policy parser will skip rules containing this field
+     * and log a warning during policy construction. This field is only
+     * supported in the advanced-security package.
      */
     frame_type?: string | string[];
     /**

package/dist/types/naylence/fame/security/auth/policy/basic-authorization-policy.d.ts

@@ -62,12 +62,6 @@ export declare class BasicAuthorizationPolicy implements AuthorizationPolicy {
      * All patterns are treated as globs - `^` prefix is rejected as an error.
      */
     private compileAddress;
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    private compileFrameTypes;
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/types/version.d.ts

@@ -2,4 +2,4 @@
  * The package version, injected at build time.
  * @internal
  */
-export declare const VERSION = "0.4.7";
+export declare const VERSION = "0.4.9";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naylence/runtime",
-  "version": "0.4.7",
+  "version": "0.4.9",
   "type": "module",
   "description": "Naylence Runtime - Complete TypeScript runtime",
   "author": "Naylence Dev <naylencedev@gmail.com>",
@@ -176,7 +176,7 @@
   "dependencies": {
     "@fastify/formbody": "^8.0.2",
     "@fastify/websocket": "^11.2.0",
-    "@naylence/core": "^0.3.6",
+    "@naylence/core": "^0.3.7",
     "@noble/ciphers": "^2.0.1",
     "@noble/curves": "^2.0.1",
     "@noble/ed25519": "^3.0.0",