@naylence/runtime 0.4.8 → 0.4.10

package/dist/browser/index.cjs

@@ -525,12 +525,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.8
+// Generated from package.json version: 0.4.10
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.8';
+const VERSION = '0.4.10';
 
 let initialized = false;
 const runtimePlugin = {
@@ -14219,9 +14219,8 @@ function requiresCryptoProvider(config) {
         const profile = record.profile;
         if (typeof profile === 'string') {
             const profileLower = profile.toLowerCase();
-            // Overlay variants require crypto provider for envelope signing
-            if (profileLower.includes('overlay') ||
-                profileLower === 'strict-overlay') {
+            // Overlay variants (including strict-overlay) require crypto provider for envelope signing
+            if (profileLower.includes('overlay')) {
                 return true;
             }
         }
@@ -22237,7 +22236,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -22760,11 +22759,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -22782,22 +22776,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -22912,8 +22900,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$J.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -22940,11 +22934,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -23034,43 +23029,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).
@@ -29724,61 +29682,11 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
 const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
-const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 const PROFILE_NAME_GATED = 'gated';
 const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 const PROFILE_NAME_OPEN$1 = 'open';
-const STRICT_OVERLAY_PROFILE = {
-    type: 'DefaultSecurityManager',
-    security_policy: {
-        type: 'DefaultSecurityPolicy',
-        signing: {
-            signing_material: 'x509-chain',
-            require_cert_sid_match: true,
-            inbound: {
-                signature_policy: 'required',
-                unsigned_violation_action: 'nack',
-                invalid_signature_action: 'nack',
-            },
-            response: {
-                mirror_request_signing: true,
-                always_sign_responses: false,
-                sign_error_responses: true,
-            },
-            outbound: {
-                default_signing: true,
-                sign_sensitive_operations: true,
-                sign_if_recipient_expects: true,
-            },
-        },
-        encryption: {
-            inbound: {
-                allow_plaintext: true,
-                allow_channel: true,
-                allow_sealed: true,
-                plaintext_violation_action: 'nack',
-                channel_violation_action: 'nack',
-                sealed_violation_action: 'nack',
-            },
-            response: {
-                mirror_request_level: true,
-                minimum_response_level: 'plaintext',
-                escalate_sealed_responses: false,
-            },
-            outbound: {
-                default_level: factory.Expressions.env(ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, 'channel'),
-                escalate_if_peer_supports: false,
-                prefer_sealed_for_sensitive: false,
-            },
-        },
-    },
-    authorizer: {
-        type: 'AuthorizationProfile',
-        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
-    },
-};
 const OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -29981,7 +29889,6 @@ const OPEN_PROFILE$1 = {
 };
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY, OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY_CALLBACK, OVERLAY_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
-registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED, GATED_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED_CALLBACK, GATED_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OPEN$1, OPEN_PROFILE$1, { source: 'node-security-profile-factory' });
@@ -30118,7 +30025,6 @@ var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     PROFILE_NAME_OPEN: PROFILE_NAME_OPEN$1,
     PROFILE_NAME_OVERLAY: PROFILE_NAME_OVERLAY,
     PROFILE_NAME_OVERLAY_CALLBACK: PROFILE_NAME_OVERLAY_CALLBACK,
-    PROFILE_NAME_STRICT_OVERLAY: PROFILE_NAME_STRICT_OVERLAY,
     default: NodeSecurityProfileFactory
 });
 
@@ -43996,7 +43902,6 @@ exports.PROFILE_NAME_GATED_CALLBACK = PROFILE_NAME_GATED_CALLBACK;
 exports.PROFILE_NAME_OPEN = PROFILE_NAME_OPEN$1;
 exports.PROFILE_NAME_OVERLAY = PROFILE_NAME_OVERLAY;
 exports.PROFILE_NAME_OVERLAY_CALLBACK = PROFILE_NAME_OVERLAY_CALLBACK;
-exports.PROFILE_NAME_STRICT_OVERLAY = PROFILE_NAME_STRICT_OVERLAY;
 exports.PromptCredentialProvider = PromptCredentialProvider;
 exports.REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE = REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE;
 exports.REQUIRED_FIELDS_BY_KTY = REQUIRED_FIELDS_BY_KTY;

package/dist/browser/index.mjs

@@ -523,12 +523,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.8
+// Generated from package.json version: 0.4.10
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.8';
+const VERSION = '0.4.10';
 
 let initialized = false;
 const runtimePlugin = {
@@ -14217,9 +14217,8 @@ function requiresCryptoProvider(config) {
         const profile = record.profile;
         if (typeof profile === 'string') {
             const profileLower = profile.toLowerCase();
-            // Overlay variants require crypto provider for envelope signing
-            if (profileLower.includes('overlay') ||
-                profileLower === 'strict-overlay') {
+            // Overlay variants (including strict-overlay) require crypto provider for envelope signing
+            if (profileLower.includes('overlay')) {
                 return true;
             }
         }
@@ -22235,7 +22234,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -22758,11 +22757,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -22780,22 +22774,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -22910,8 +22898,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$J.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -22938,11 +22932,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -23032,43 +23027,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).
@@ -29722,61 +29680,11 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
 const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
-const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 const PROFILE_NAME_GATED = 'gated';
 const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 const PROFILE_NAME_OPEN$1 = 'open';
-const STRICT_OVERLAY_PROFILE = {
-    type: 'DefaultSecurityManager',
-    security_policy: {
-        type: 'DefaultSecurityPolicy',
-        signing: {
-            signing_material: 'x509-chain',
-            require_cert_sid_match: true,
-            inbound: {
-                signature_policy: 'required',
-                unsigned_violation_action: 'nack',
-                invalid_signature_action: 'nack',
-            },
-            response: {
-                mirror_request_signing: true,
-                always_sign_responses: false,
-                sign_error_responses: true,
-            },
-            outbound: {
-                default_signing: true,
-                sign_sensitive_operations: true,
-                sign_if_recipient_expects: true,
-            },
-        },
-        encryption: {
-            inbound: {
-                allow_plaintext: true,
-                allow_channel: true,
-                allow_sealed: true,
-                plaintext_violation_action: 'nack',
-                channel_violation_action: 'nack',
-                sealed_violation_action: 'nack',
-            },
-            response: {
-                mirror_request_level: true,
-                minimum_response_level: 'plaintext',
-                escalate_sealed_responses: false,
-            },
-            outbound: {
-                default_level: Expressions.env(ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, 'channel'),
-                escalate_if_peer_supports: false,
-                prefer_sealed_for_sensitive: false,
-            },
-        },
-    },
-    authorizer: {
-        type: 'AuthorizationProfile',
-        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
-    },
-};
 const OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -29979,7 +29887,6 @@ const OPEN_PROFILE$1 = {
 };
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY, OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY_CALLBACK, OVERLAY_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
-registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED, GATED_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED_CALLBACK, GATED_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OPEN$1, OPEN_PROFILE$1, { source: 'node-security-profile-factory' });
@@ -30116,7 +30023,6 @@ var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     PROFILE_NAME_OPEN: PROFILE_NAME_OPEN$1,
     PROFILE_NAME_OVERLAY: PROFILE_NAME_OVERLAY,
     PROFILE_NAME_OVERLAY_CALLBACK: PROFILE_NAME_OVERLAY_CALLBACK,
-    PROFILE_NAME_STRICT_OVERLAY: PROFILE_NAME_STRICT_OVERLAY,
     default: NodeSecurityProfileFactory
 });
 
@@ -43836,4 +43742,4 @@ var otelSetup = /*#__PURE__*/Object.freeze({
     setupOtel: setupOtel
 });
 
-export { ADMISSION_CLIENT_FACTORY_BASE_TYPE, ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 as AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, ENV_VAR_HMAC_SECRET$1 as AUTH_PROFILE_ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL$1 as AUTH_PROFILE_ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM$1 as AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$2 as AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_TRUSTED_CLIENT_SCOPE$1 as AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE, PROFILE_NAME_DEFAULT as AUTH_PROFILE_NAME_DEFAULT, PROFILE_NAME_NOOP$2 as AUTH_PROFILE_NAME_NOOP, PROFILE_NAME_OAUTH2 as AUTH_PROFILE_NAME_OAUTH2, PROFILE_NAME_OAUTH2_CALLBACK as AUTH_PROFILE_NAME_OAUTH2_CALLBACK, PROFILE_NAME_OAUTH2_GATED as AUTH_PROFILE_NAME_OAUTH2_GATED, AnsiColor, AsyncLock, AttachmentKeyValidator, AuthInjectionStrategyFactory, AuthorizationPolicyFactory, AuthorizationPolicySourceFactory, AuthorizationProfileFactory, AuthorizerFactory, BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE, FACTORY_META$$ as BROADCAST_CHANNEL_CONNECTOR_FACTORY_META, BROADCAST_CHANNEL_CONNECTOR_TYPE, FACTORY_META$Z as BROADCAST_CHANNEL_LISTENER_FACTORY_META, BackPressureFull, BaseAsyncConnector, BaseNodeEventListener, BasicAuthorizationPolicy, BasicAuthorizationPolicyFactory, BindingManager, BindingStoreEntryRecord, BroadcastChannelConnector, BroadcastChannelConnectorFactory, BroadcastChannelListener, BroadcastChannelListenerFactory, BrowserAutoKeyCredentialProvider, BrowserWrappedKeyCredentialProvider, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE, CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE, CRYPTO_LEVEL_SECURITY_ORDER, CertificateManagerFactory, ConnectionRetryPolicyFactory, ConnectorConfigDefaults, ConnectorFactory, ConsoleMetricsEmitter, CryptoLevel, FACTORY_META$11 as DEFAULT_WELCOME_FACTORY_META, DefaultConnectionRetryPolicy, DefaultConnectionRetryPolicyFactory, DefaultCryptoProvider, DefaultKeyManager, DefaultNodeIdentityPolicy, DefaultNodeIdentityPolicyFactory, DefaultSecurityManager, DefaultSecurityPolicy, DefaultWelcomeService, DefaultWelcomeServiceFactory, DevFixedKeyCredentialProvider, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, ENV_VAR_AUTHORIZATION_PROFILE, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$1 as ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_SESSION_MAX_INITIAL_ATTEMPTS, ENV_VAR_SHOW_ENVELOPES$1 as ENV_VAR_SHOW_ENVELOPES, EdDSAEnvelopeSigner, EncryptedKeyValueStore, EncryptedStorageProviderBase, EncryptedValue, EncryptionConfiguration, EncryptionManagerFactory, EncryptionResult, EncryptionStatus, EnvCredentialProvider, EnvelopeContext, EnvelopeListenerManager, EnvelopeSecurityHandler, EnvelopeSignerFactory, EnvelopeVerifierFactory, FACTORY_META$12 as FACTORY_META, FIXED_PREFIX_LEN, FameAuthorizedDeliveryContextSchema, FameConnectError, FameEnvironmentContext, FameError, FameMessageTooLarge, FameNode, FameNodeAuthorizationContextSchema, FameProtocolError, FameTransportClose, FlowController, GRANT_PURPOSE_NODE_ATTACH, HTTP_CONNECTION_GRANT_TYPE, HTTP_STATELESS_CONNECTOR_TYPE, INPAGE_CONNECTION_GRANT_TYPE, FACTORY_META$10 as INPAGE_CONNECTOR_FACTORY_META, INPAGE_CONNECTOR_TYPE, FACTORY_META$_ as INPAGE_LISTENER_FACTORY_META, InMemoryBinding, InMemoryFanoutBroker, InMemoryKeyValueStore, InMemoryReadWriteChannel, InMemoryStorageProvider, InPageConnector, InPageConnectorFactory, InPageListener, InPageListenerFactory, IndexedDBKeyValueStore, IndexedDBStorageProvider, InvalidPassphraseError, JWKValidationError, KEY_MANAGER_FACTORY_BASE_TYPE, KEY_STORE_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, KeyInfo, KeyManagementHandler, KeyManagerFactory, KeyStore, KeyStoreFactory, KeyValidationError, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, LogLevel, LogLevelNames, MAX_SCOPE_NESTING_DEPTH, MemoryMetricsEmitter, NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NODE_LIKE_FACTORY_BASE_TYPE, NODE_PLACEMENT_STRATEGY_FACTORY_BASE_TYPE, NoOpMetricsEmitter, NoSecurityPolicy, NodeFactory, NodeIdentityPolicyFactory, NodeIdentityPolicyProfileFactory, NodePlacementStrategyFactory, NoneCredentialProvider, NoopEncryptionManager, NoopKeyValidator, NoopTrustStoreProvider, NotAuthorized, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN$1 as PROFILE_NAME_OPEN, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_STRICT_OVERLAY, PromptCredentialProvider, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, REQUIRED_FIELDS_BY_KTY, ReplicaStickinessManagerFactory, RootSessionManager, RouteManager, RpcMixin, RpcProxy, SEALED_ENVELOPE_NONCE_LENGTH, SEALED_ENVELOPE_OVERHEAD, SEALED_ENVELOPE_PRIVATE_KEY_LENGTH, SEALED_ENVELOPE_PUBLIC_KEY_LENGTH, SEALED_ENVELOPE_TAG_LENGTH, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SECURITY_MANAGER_FACTORY_BASE_TYPE, SECURITY_POLICY_FACTORY_BASE_TYPE, STORAGE_PROVIDER_FACTORY_BASE_TYPE, SecretSource, SecretStoreCredentialProvider, SecureChannelFrameHandler, SecureChannelManagerFactory, SecurityAction, SecurityRequirements, Sentinel, SentinelFactory, SessionKeyCredentialProvider, SignaturePolicy, SigningConfig as SigningConfigClass, SigningConfiguration, SimpleLoadBalancerStickinessManager, SimpleLoadBalancerStickinessManagerFactory, StaticCredentialProvider, StorageAESEncryptionManager, TOKEN_ISSUER_FACTORY_BASE_TYPE, TOKEN_PROVIDER_FACTORY_BASE_TYPE, TOKEN_VERIFIER_FACTORY_BASE_TYPE, TRANSPORT_PROVISIONER_FACTORY_BASE_TYPE, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TaskSpawner, TokenIssuerFactory, TokenProviderFactory, TokenSubjectNodeIdentityPolicy, TokenSubjectNodeIdentityPolicyFactory, TokenVerifierFactory, TransportProvisionerFactory, TrustStoreProviderFactory, TtlValidationError, UpstreamSessionManager, VALID_ACTIONS, VALID_CURVES_BY_KTY, VALID_EFFECTS, VALID_KEY_USES, VALID_ORIGIN_TYPES, VERSION, WEBSOCKET_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WebSocketCloseCode, WebSocketConnector, WebSocketState, WelcomeServiceFactory, _NoopFlowController, __runtimePluginLoader, addEnvelopeFields, addLogLevel, addTimestamp, assertConnectionGrant, assertGrant, assertNotRegexPattern, basicConfig, broadcastChannelGrantToConnectorConfig, camelToSnakeCase, canonicalJson, capitalizeFirstLetter, clearProfiles, color, compareCryptoLevels, compileGlobOnlyScopeRequirement, compileGlobPattern, compilePattern, compileScopeRequirement, compiledPathPattern, consoleTransport, convertWildcardLogicalToDnsConstraint, createConnectorConfig, createEd25519Keypair, createHostLogicalUri, createLogicalUri, createNodeDeliveryContext, createResource, createRpcProxy, createRsaKeypair, createTransportCloseError, createX25519Keypair, credentialToString, currentTraceId$1 as currentTraceId, debounce, decodeBase64Url, decodeFameDataPayload, deepMerge, defaultJsonEncoder, delay, dropEmpty, enableLogging, encodeUtf8, ensureRuntimeFactoriesRegistered, evaluateScopeRequirement, extractId, extractPoolAddressBase, extractPoolBase, filterKeysByUse, formatTimestamp, formatTimestampForConsole$1 as formatTimestampForConsole, frameDigest, getCompiledGlobPattern, getCurrentEnvelope, getFabricForNode, getFameRoot, getKeyProvider, getKeyStore, getLogger, getProfile, hasCryptoSupport, hostnameToLogical, hostnamesToLogicals, httpGrantToConnectorConfig, immutableHeaders, inPageGrantToConnectorConfig, isAuthInjectionStrategy, isBroadcastChannelConnectionGrant, isConnectionGrant, isConnectorConfig, isEnvelopeLoggingEnabled, isFameError, isFameErrorType, isGrant, isHttpConnectionGrant, isIdentityExposingTokenProvider, isInPageConnectionGrant, isNodeLike, isPlainObject$4 as isPlainObject, isPoolAddress, isPoolLogical, isRegexPattern, isRegisterable, isTokenExpired, isTokenProvider, isTokenValid, isWebSocketConnectionGrant, jsonDumps, listProfiles, logicalPatternsToDnsConstraints, logicalToHostname, logicalsToHostnames, matchPattern, matchesPoolAddress, matchesPoolLogical, maybeAwait, nodeWelcomeRouter, nodeWelcomeRouterPlugin, normalizeBroadcastChannelConnectionGrant, normalizeEncryptionConfig, normalizeEnvelopeSnapshot, normalizeHttpConnectionGrant, normalizeInPageConnectionGrant, normalizeInboundCryptoRules, normalizeInboundSigningRules, normalizeOutboundCryptoRules, normalizeOutboundSigningRules, normalizePath, normalizeResponseCryptoRules, normalizeResponseSigningRules, normalizeScopeRequirement, normalizeSecretSource, normalizeSecurityRequirements, normalizeSigningConfig, normalizeWebSocketConnectionGrant, objectToBytes, operation, parseSealedEnvelope, pinoTransport, prettyModel$1 as prettyModel, registerDefaultFactories, registerDefaultKeyStoreFactory, registerNodePlacementStrategyFactory, registerProfile, registerRuntimeFactories, requireCryptoSupport, retryWithBackoff, safeColor, safeImport, sealedDecrypt, sealedEncrypt, secureDigest, setKeyStore, showEnvelopes$1 as showEnvelopes, sleep, snakeToCamelCase, stringifyNonPrimitives, supportsColor, throttle, urlsafeBase64Decode, urlsafeBase64Encode, validateCacheTtlSec, validateEncryptionKey, validateHostLogical, validateHostLogicals, validateJwkComplete, validateJwkStructure, validateJwkUseField, validateJwtTokenTtlSec, validateKeyCorrelationTtlSec, validateLogical, validateLogicalSegment, validateOAuth2TtlSec, validateSigningKey, validateTtlSec, waitForAll, waitForAllSettled, waitForAny, websocketGrantToConnectorConfig, withEnvelopeContext, withEnvelopeContextAsync, withLegacySnakeCaseKeys, withLock, withTimeout };
+export { ADMISSION_CLIENT_FACTORY_BASE_TYPE, ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 as AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, ENV_VAR_HMAC_SECRET$1 as AUTH_PROFILE_ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL$1 as AUTH_PROFILE_ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM$1 as AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$2 as AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_TRUSTED_CLIENT_SCOPE$1 as AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE, PROFILE_NAME_DEFAULT as AUTH_PROFILE_NAME_DEFAULT, PROFILE_NAME_NOOP$2 as AUTH_PROFILE_NAME_NOOP, PROFILE_NAME_OAUTH2 as AUTH_PROFILE_NAME_OAUTH2, PROFILE_NAME_OAUTH2_CALLBACK as AUTH_PROFILE_NAME_OAUTH2_CALLBACK, PROFILE_NAME_OAUTH2_GATED as AUTH_PROFILE_NAME_OAUTH2_GATED, AnsiColor, AsyncLock, AttachmentKeyValidator, AuthInjectionStrategyFactory, AuthorizationPolicyFactory, AuthorizationPolicySourceFactory, AuthorizationProfileFactory, AuthorizerFactory, BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE, FACTORY_META$$ as BROADCAST_CHANNEL_CONNECTOR_FACTORY_META, BROADCAST_CHANNEL_CONNECTOR_TYPE, FACTORY_META$Z as BROADCAST_CHANNEL_LISTENER_FACTORY_META, BackPressureFull, BaseAsyncConnector, BaseNodeEventListener, BasicAuthorizationPolicy, BasicAuthorizationPolicyFactory, BindingManager, BindingStoreEntryRecord, BroadcastChannelConnector, BroadcastChannelConnectorFactory, BroadcastChannelListener, BroadcastChannelListenerFactory, BrowserAutoKeyCredentialProvider, BrowserWrappedKeyCredentialProvider, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE, CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE, CRYPTO_LEVEL_SECURITY_ORDER, CertificateManagerFactory, ConnectionRetryPolicyFactory, ConnectorConfigDefaults, ConnectorFactory, ConsoleMetricsEmitter, CryptoLevel, FACTORY_META$11 as DEFAULT_WELCOME_FACTORY_META, DefaultConnectionRetryPolicy, DefaultConnectionRetryPolicyFactory, DefaultCryptoProvider, DefaultKeyManager, DefaultNodeIdentityPolicy, DefaultNodeIdentityPolicyFactory, DefaultSecurityManager, DefaultSecurityPolicy, DefaultWelcomeService, DefaultWelcomeServiceFactory, DevFixedKeyCredentialProvider, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, ENV_VAR_AUTHORIZATION_PROFILE, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$1 as ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_SESSION_MAX_INITIAL_ATTEMPTS, ENV_VAR_SHOW_ENVELOPES$1 as ENV_VAR_SHOW_ENVELOPES, EdDSAEnvelopeSigner, EncryptedKeyValueStore, EncryptedStorageProviderBase, EncryptedValue, EncryptionConfiguration, EncryptionManagerFactory, EncryptionResult, EncryptionStatus, EnvCredentialProvider, EnvelopeContext, EnvelopeListenerManager, EnvelopeSecurityHandler, EnvelopeSignerFactory, EnvelopeVerifierFactory, FACTORY_META$12 as FACTORY_META, FIXED_PREFIX_LEN, FameAuthorizedDeliveryContextSchema, FameConnectError, FameEnvironmentContext, FameError, FameMessageTooLarge, FameNode, FameNodeAuthorizationContextSchema, FameProtocolError, FameTransportClose, FlowController, GRANT_PURPOSE_NODE_ATTACH, HTTP_CONNECTION_GRANT_TYPE, HTTP_STATELESS_CONNECTOR_TYPE, INPAGE_CONNECTION_GRANT_TYPE, FACTORY_META$10 as INPAGE_CONNECTOR_FACTORY_META, INPAGE_CONNECTOR_TYPE, FACTORY_META$_ as INPAGE_LISTENER_FACTORY_META, InMemoryBinding, InMemoryFanoutBroker, InMemoryKeyValueStore, InMemoryReadWriteChannel, InMemoryStorageProvider, InPageConnector, InPageConnectorFactory, InPageListener, InPageListenerFactory, IndexedDBKeyValueStore, IndexedDBStorageProvider, InvalidPassphraseError, JWKValidationError, KEY_MANAGER_FACTORY_BASE_TYPE, KEY_STORE_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, KeyInfo, KeyManagementHandler, KeyManagerFactory, KeyStore, KeyStoreFactory, KeyValidationError, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, LogLevel, LogLevelNames, MAX_SCOPE_NESTING_DEPTH, MemoryMetricsEmitter, NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NODE_LIKE_FACTORY_BASE_TYPE, NODE_PLACEMENT_STRATEGY_FACTORY_BASE_TYPE, NoOpMetricsEmitter, NoSecurityPolicy, NodeFactory, NodeIdentityPolicyFactory, NodeIdentityPolicyProfileFactory, NodePlacementStrategyFactory, NoneCredentialProvider, NoopEncryptionManager, NoopKeyValidator, NoopTrustStoreProvider, NotAuthorized, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN$1 as PROFILE_NAME_OPEN, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PromptCredentialProvider, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, REQUIRED_FIELDS_BY_KTY, ReplicaStickinessManagerFactory, RootSessionManager, RouteManager, RpcMixin, RpcProxy, SEALED_ENVELOPE_NONCE_LENGTH, SEALED_ENVELOPE_OVERHEAD, SEALED_ENVELOPE_PRIVATE_KEY_LENGTH, SEALED_ENVELOPE_PUBLIC_KEY_LENGTH, SEALED_ENVELOPE_TAG_LENGTH, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SECURITY_MANAGER_FACTORY_BASE_TYPE, SECURITY_POLICY_FACTORY_BASE_TYPE, STORAGE_PROVIDER_FACTORY_BASE_TYPE, SecretSource, SecretStoreCredentialProvider, SecureChannelFrameHandler, SecureChannelManagerFactory, SecurityAction, SecurityRequirements, Sentinel, SentinelFactory, SessionKeyCredentialProvider, SignaturePolicy, SigningConfig as SigningConfigClass, SigningConfiguration, SimpleLoadBalancerStickinessManager, SimpleLoadBalancerStickinessManagerFactory, StaticCredentialProvider, StorageAESEncryptionManager, TOKEN_ISSUER_FACTORY_BASE_TYPE, TOKEN_PROVIDER_FACTORY_BASE_TYPE, TOKEN_VERIFIER_FACTORY_BASE_TYPE, TRANSPORT_PROVISIONER_FACTORY_BASE_TYPE, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TaskSpawner, TokenIssuerFactory, TokenProviderFactory, TokenSubjectNodeIdentityPolicy, TokenSubjectNodeIdentityPolicyFactory, TokenVerifierFactory, TransportProvisionerFactory, TrustStoreProviderFactory, TtlValidationError, UpstreamSessionManager, VALID_ACTIONS, VALID_CURVES_BY_KTY, VALID_EFFECTS, VALID_KEY_USES, VALID_ORIGIN_TYPES, VERSION, WEBSOCKET_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WebSocketCloseCode, WebSocketConnector, WebSocketState, WelcomeServiceFactory, _NoopFlowController, __runtimePluginLoader, addEnvelopeFields, addLogLevel, addTimestamp, assertConnectionGrant, assertGrant, assertNotRegexPattern, basicConfig, broadcastChannelGrantToConnectorConfig, camelToSnakeCase, canonicalJson, capitalizeFirstLetter, clearProfiles, color, compareCryptoLevels, compileGlobOnlyScopeRequirement, compileGlobPattern, compilePattern, compileScopeRequirement, compiledPathPattern, consoleTransport, convertWildcardLogicalToDnsConstraint, createConnectorConfig, createEd25519Keypair, createHostLogicalUri, createLogicalUri, createNodeDeliveryContext, createResource, createRpcProxy, createRsaKeypair, createTransportCloseError, createX25519Keypair, credentialToString, currentTraceId$1 as currentTraceId, debounce, decodeBase64Url, decodeFameDataPayload, deepMerge, defaultJsonEncoder, delay, dropEmpty, enableLogging, encodeUtf8, ensureRuntimeFactoriesRegistered, evaluateScopeRequirement, extractId, extractPoolAddressBase, extractPoolBase, filterKeysByUse, formatTimestamp, formatTimestampForConsole$1 as formatTimestampForConsole, frameDigest, getCompiledGlobPattern, getCurrentEnvelope, getFabricForNode, getFameRoot, getKeyProvider, getKeyStore, getLogger, getProfile, hasCryptoSupport, hostnameToLogical, hostnamesToLogicals, httpGrantToConnectorConfig, immutableHeaders, inPageGrantToConnectorConfig, isAuthInjectionStrategy, isBroadcastChannelConnectionGrant, isConnectionGrant, isConnectorConfig, isEnvelopeLoggingEnabled, isFameError, isFameErrorType, isGrant, isHttpConnectionGrant, isIdentityExposingTokenProvider, isInPageConnectionGrant, isNodeLike, isPlainObject$4 as isPlainObject, isPoolAddress, isPoolLogical, isRegexPattern, isRegisterable, isTokenExpired, isTokenProvider, isTokenValid, isWebSocketConnectionGrant, jsonDumps, listProfiles, logicalPatternsToDnsConstraints, logicalToHostname, logicalsToHostnames, matchPattern, matchesPoolAddress, matchesPoolLogical, maybeAwait, nodeWelcomeRouter, nodeWelcomeRouterPlugin, normalizeBroadcastChannelConnectionGrant, normalizeEncryptionConfig, normalizeEnvelopeSnapshot, normalizeHttpConnectionGrant, normalizeInPageConnectionGrant, normalizeInboundCryptoRules, normalizeInboundSigningRules, normalizeOutboundCryptoRules, normalizeOutboundSigningRules, normalizePath, normalizeResponseCryptoRules, normalizeResponseSigningRules, normalizeScopeRequirement, normalizeSecretSource, normalizeSecurityRequirements, normalizeSigningConfig, normalizeWebSocketConnectionGrant, objectToBytes, operation, parseSealedEnvelope, pinoTransport, prettyModel$1 as prettyModel, registerDefaultFactories, registerDefaultKeyStoreFactory, registerNodePlacementStrategyFactory, registerProfile, registerRuntimeFactories, requireCryptoSupport, retryWithBackoff, safeColor, safeImport, sealedDecrypt, sealedEncrypt, secureDigest, setKeyStore, showEnvelopes$1 as showEnvelopes, sleep, snakeToCamelCase, stringifyNonPrimitives, supportsColor, throttle, urlsafeBase64Decode, urlsafeBase64Encode, validateCacheTtlSec, validateEncryptionKey, validateHostLogical, validateHostLogicals, validateJwkComplete, validateJwkStructure, validateJwkUseField, validateJwtTokenTtlSec, validateKeyCorrelationTtlSec, validateLogical, validateLogicalSegment, validateOAuth2TtlSec, validateSigningKey, validateTtlSec, waitForAll, waitForAllSettled, waitForAny, websocketGrantToConnectorConfig, withEnvelopeContext, withEnvelopeContextAsync, withLegacySnakeCaseKeys, withLock, withTimeout };

package/dist/cjs/naylence/fame/node/factory-commons.js

@@ -496,9 +496,8 @@ function requiresCryptoProvider(config) {
         const profile = record.profile;
         if (typeof profile === 'string') {
             const profileLower = profile.toLowerCase();
-            // Overlay variants require crypto provider for envelope signing
-            if (profileLower.includes('overlay') ||
-                profileLower === 'strict-overlay') {
+            // Overlay variants (including strict-overlay) require crypto provider for envelope signing
+            if (profileLower.includes('overlay')) {
                 return true;
             }
         }

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-definition.js

@@ -29,7 +29,7 @@ exports.KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security

package/dist/cjs/naylence/fame/security/auth/policy/basic-authorization-policy.js

@@ -96,11 +96,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -118,22 +113,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -248,8 +237,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -276,11 +271,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -370,43 +366,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).