@naylence/runtime 0.4.8 → 0.4.10

package/dist/cjs/naylence/fame/security/index.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = exports.CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE = exports.EdDSAEnvelopeSigner = exports.encodeUtf8 = exports.immutableHeaders = exports.frameDigest = exports.decodeBase64Url = exports.canonicalJson = exports.SigningConfigClass = exports.SECURITY_MANAGER_FACTORY_BASE_TYPE = exports.SECURITY_POLICY_FACTORY_BASE_TYPE = exports.KEY_STORE_FACTORY_BASE_TYPE = exports.ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE = exports.KEY_MANAGER_FACTORY_BASE_TYPE = exports.SecureChannelManagerFactory = exports.SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE = exports.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE = exports.NoopTrustStoreProvider = exports.TrustStoreProviderFactory = exports.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = exports.CertificateManagerFactory = exports.CERTIFICATE_MANAGER_FACTORY_BASE_TYPE = exports.TokenProviderFactory = exports.TOKEN_PROVIDER_FACTORY_BASE_TYPE = exports.TokenVerifierFactory = exports.TOKEN_VERIFIER_FACTORY_BASE_TYPE = exports.TokenIssuerFactory = exports.TOKEN_ISSUER_FACTORY_BASE_TYPE = exports.AuthInjectionStrategyFactory = exports.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE = exports.AUTH_PROFILE_ENV_VAR_HMAC_SECRET = exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.AUTH_PROFILE_ENV_VAR_JWKS_URL = exports.AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE = exports.AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM = exports.AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER = exports.AUTH_PROFILE_NAME_NOOP = exports.AUTH_PROFILE_NAME_OAUTH2_CALLBACK = exports.AUTH_PROFILE_NAME_OAUTH2_GATED = exports.AUTH_PROFILE_NAME_OAUTH2 = exports.AUTH_PROFILE_NAME_DEFAULT = exports.AuthorizationProfileFactory = exports.AuthorizerFactory = exports.AUTHORIZER_FACTORY_BASE_TYPE = void 0;
-exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_AUTHORIZATION_PROFILE = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = void 0;
+exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.ENV_VAR_AUTHORIZATION_PROFILE = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = void 0;
 const tslib_1 = require("tslib");
 tslib_1.__exportStar(require("./auth/authorizer.js"), exports);
 tslib_1.__exportStar(require("./auth/auth-identity.js"), exports);
@@ -130,7 +130,6 @@ Object.defineProperty(exports, "ENV_VAR_HMAC_SECRET", { enumerable: true, get: f
 Object.defineProperty(exports, "ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER; } });
 Object.defineProperty(exports, "ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE; } });
 Object.defineProperty(exports, "ENV_VAR_AUTHORIZATION_PROFILE", { enumerable: true, get: function () { return node_security_profile_factory_js_1.ENV_VAR_AUTHORIZATION_PROFILE; } });
-Object.defineProperty(exports, "PROFILE_NAME_STRICT_OVERLAY", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_STRICT_OVERLAY; } });
 Object.defineProperty(exports, "PROFILE_NAME_OVERLAY", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_OVERLAY; } });
 Object.defineProperty(exports, "PROFILE_NAME_OVERLAY_CALLBACK", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_OVERLAY_CALLBACK; } });
 Object.defineProperty(exports, "PROFILE_NAME_GATED", { enumerable: true, get: function () { return node_security_profile_factory_js_1.PROFILE_NAME_GATED; } });

package/dist/cjs/naylence/fame/security/node-security-profile-factory.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.PROFILE_NAME_STRICT_OVERLAY = exports.ENV_VAR_AUTHORIZATION_PROFILE = exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
+exports.NodeSecurityProfileFactory = exports.FACTORY_META = exports.PROFILE_NAME_OPEN = exports.PROFILE_NAME_GATED_CALLBACK = exports.PROFILE_NAME_GATED = exports.PROFILE_NAME_OVERLAY_CALLBACK = exports.PROFILE_NAME_OVERLAY = exports.ENV_VAR_AUTHORIZATION_PROFILE = exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = exports.ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = exports.ENV_VAR_HMAC_SECRET = exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = exports.ENV_VAR_JWKS_URL = exports.ENV_VAR_JWT_AUDIENCE = exports.ENV_VAR_JWT_ALGORITHM = exports.ENV_VAR_JWT_TRUSTED_ISSUER = void 0;
 const factory_1 = require("@naylence/factory");
 const security_manager_factory_js_1 = require("./security-manager-factory.js");
 const logging_js_1 = require("../util/logging.js");
@@ -17,61 +17,11 @@ exports.ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 exports.ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 exports.ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
 exports.ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
-exports.PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 exports.PROFILE_NAME_OVERLAY = 'overlay';
 exports.PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 exports.PROFILE_NAME_GATED = 'gated';
 exports.PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 exports.PROFILE_NAME_OPEN = 'open';
-const STRICT_OVERLAY_PROFILE = {
-    type: 'DefaultSecurityManager',
-    security_policy: {
-        type: 'DefaultSecurityPolicy',
-        signing: {
-            signing_material: 'x509-chain',
-            require_cert_sid_match: true,
-            inbound: {
-                signature_policy: 'required',
-                unsigned_violation_action: 'nack',
-                invalid_signature_action: 'nack',
-            },
-            response: {
-                mirror_request_signing: true,
-                always_sign_responses: false,
-                sign_error_responses: true,
-            },
-            outbound: {
-                default_signing: true,
-                sign_sensitive_operations: true,
-                sign_if_recipient_expects: true,
-            },
-        },
-        encryption: {
-            inbound: {
-                allow_plaintext: true,
-                allow_channel: true,
-                allow_sealed: true,
-                plaintext_violation_action: 'nack',
-                channel_violation_action: 'nack',
-                sealed_violation_action: 'nack',
-            },
-            response: {
-                mirror_request_level: true,
-                minimum_response_level: 'plaintext',
-                escalate_sealed_responses: false,
-            },
-            outbound: {
-                default_level: factory_1.Expressions.env(exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, 'channel'),
-                escalate_if_peer_supports: false,
-                prefer_sealed_for_sensitive: false,
-            },
-        },
-    },
-    authorizer: {
-        type: 'AuthorizationProfile',
-        profile: factory_1.Expressions.env(exports.ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
-    },
-};
 const OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -274,7 +224,6 @@ const OPEN_PROFILE = {
 };
 (0, profile_registry_js_1.registerProfile)(security_manager_factory_js_1.SECURITY_MANAGER_FACTORY_BASE_TYPE, exports.PROFILE_NAME_OVERLAY, OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 (0, profile_registry_js_1.registerProfile)(security_manager_factory_js_1.SECURITY_MANAGER_FACTORY_BASE_TYPE, exports.PROFILE_NAME_OVERLAY_CALLBACK, OVERLAY_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
-(0, profile_registry_js_1.registerProfile)(security_manager_factory_js_1.SECURITY_MANAGER_FACTORY_BASE_TYPE, exports.PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 (0, profile_registry_js_1.registerProfile)(security_manager_factory_js_1.SECURITY_MANAGER_FACTORY_BASE_TYPE, exports.PROFILE_NAME_GATED, GATED_PROFILE, { source: 'node-security-profile-factory' });
 (0, profile_registry_js_1.registerProfile)(security_manager_factory_js_1.SECURITY_MANAGER_FACTORY_BASE_TYPE, exports.PROFILE_NAME_GATED_CALLBACK, GATED_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
 (0, profile_registry_js_1.registerProfile)(security_manager_factory_js_1.SECURITY_MANAGER_FACTORY_BASE_TYPE, exports.PROFILE_NAME_OPEN, OPEN_PROFILE, { source: 'node-security-profile-factory' });

package/dist/cjs/version.js

@@ -1,10 +1,10 @@
 "use strict";
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.8
+// Generated from package.json version: 0.4.10
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 /**
  * The package version, injected at build time.
  * @internal
  */
-exports.VERSION = '0.4.8';
+exports.VERSION = '0.4.10';

package/dist/esm/naylence/fame/node/factory-commons.js

@@ -460,9 +460,8 @@ function requiresCryptoProvider(config) {
         const profile = record.profile;
         if (typeof profile === 'string') {
             const profileLower = profile.toLowerCase();
-            // Overlay variants require crypto provider for envelope signing
-            if (profileLower.includes('overlay') ||
-                profileLower === 'strict-overlay') {
+            // Overlay variants (including strict-overlay) require crypto provider for envelope signing
+            if (profileLower.includes('overlay')) {
                 return true;
             }
         }

package/dist/esm/naylence/fame/security/auth/policy/authorization-policy-definition.js

@@ -26,7 +26,7 @@ export const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security

package/dist/esm/naylence/fame/security/auth/policy/basic-authorization-policy.js

@@ -93,11 +93,6 @@ export class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -115,22 +110,16 @@ export class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -245,8 +234,14 @@ export class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -273,11 +268,12 @@ export class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -367,43 +363,6 @@ export class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).

package/dist/esm/naylence/fame/security/index.js

@@ -69,4 +69,4 @@ export * from './credential/browser-auto-key-credential-provider.js';
 export * from './credential/browser-wrapped-key-credential-provider.js';
 export * from './credential/session-key-credential-provider.js';
 export * from './credential/dev-fixed-key-credential-provider.js';
-export { ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWKS_URL, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_AUTHORIZATION_PROFILE, PROFILE_NAME_STRICT_OVERLAY, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN, } from './node-security-profile-factory.js';
+export { ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWKS_URL, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_AUTHORIZATION_PROFILE, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN, } from './node-security-profile-factory.js';

package/dist/esm/naylence/fame/security/node-security-profile-factory.js

@@ -14,61 +14,11 @@ export const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE
 export const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 export const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
 export const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
-export const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 export const PROFILE_NAME_OVERLAY = 'overlay';
 export const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 export const PROFILE_NAME_GATED = 'gated';
 export const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 export const PROFILE_NAME_OPEN = 'open';
-const STRICT_OVERLAY_PROFILE = {
-    type: 'DefaultSecurityManager',
-    security_policy: {
-        type: 'DefaultSecurityPolicy',
-        signing: {
-            signing_material: 'x509-chain',
-            require_cert_sid_match: true,
-            inbound: {
-                signature_policy: 'required',
-                unsigned_violation_action: 'nack',
-                invalid_signature_action: 'nack',
-            },
-            response: {
-                mirror_request_signing: true,
-                always_sign_responses: false,
-                sign_error_responses: true,
-            },
-            outbound: {
-                default_signing: true,
-                sign_sensitive_operations: true,
-                sign_if_recipient_expects: true,
-            },
-        },
-        encryption: {
-            inbound: {
-                allow_plaintext: true,
-                allow_channel: true,
-                allow_sealed: true,
-                plaintext_violation_action: 'nack',
-                channel_violation_action: 'nack',
-                sealed_violation_action: 'nack',
-            },
-            response: {
-                mirror_request_level: true,
-                minimum_response_level: 'plaintext',
-                escalate_sealed_responses: false,
-            },
-            outbound: {
-                default_level: Expressions.env(ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, 'channel'),
-                escalate_if_peer_supports: false,
-                prefer_sealed_for_sensitive: false,
-            },
-        },
-    },
-    authorizer: {
-        type: 'AuthorizationProfile',
-        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
-    },
-};
 const OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -271,7 +221,6 @@ const OPEN_PROFILE = {
 };
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY, OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY_CALLBACK, OVERLAY_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
-registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED, GATED_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED_CALLBACK, GATED_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OPEN, OPEN_PROFILE, { source: 'node-security-profile-factory' });

package/dist/esm/version.js

@@ -1,7 +1,7 @@
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.8
+// Generated from package.json version: 0.4.10
 /**
  * The package version, injected at build time.
  * @internal
  */
-export const VERSION = '0.4.8';
+export const VERSION = '0.4.10';

package/dist/node/index.cjs

@@ -14,12 +14,12 @@ var fastify = require('fastify');
 var websocketPlugin = require('@fastify/websocket');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.8
+// Generated from package.json version: 0.4.10
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.8';
+const VERSION = '0.4.10';
 
 /**
  * Fame protocol specific error classes with WebSocket close codes and proper inheritance.
@@ -13681,9 +13681,8 @@ function requiresCryptoProvider(config) {
         const profile = record.profile;
         if (typeof profile === 'string') {
             const profileLower = profile.toLowerCase();
-            // Overlay variants require crypto provider for envelope signing
-            if (profileLower.includes('overlay') ||
-                profileLower === 'strict-overlay') {
+            // Overlay variants (including strict-overlay) require crypto provider for envelope signing
+            if (profileLower.includes('overlay')) {
                 return true;
             }
         }
@@ -22124,7 +22123,7 @@ const KNOWN_RULE_FIELDS = new Set([
     'effect',
     'action',
     'address',
-    'frame_type',
+    'frame_type', // Reserved for advanced-security
     'origin_type',
     'scope',
     'when', // Reserved for advanced-security
@@ -22647,11 +22646,6 @@ class BasicAuthorizationPolicy {
         const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
         const address = extractAddress(envelope);
         const grantedScopes = extractGrantedScopes(context);
-        const rawFrameType = envelope.frame
-            ?.type;
-        const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
-            ? rawFrameType.trim().toLowerCase()
-            : '';
         // Extract and normalize origin type for rule matching
         const rawOriginType = context?.originType;
         const originTypeNormalized = typeof rawOriginType === 'string'
@@ -22669,22 +22663,16 @@ class BasicAuthorizationPolicy {
                 step.expression = 'when clause (skipped by basic policy)';
                 step.result = false;
                 evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
                 continue;
             }
-            // Check frame type match
-            if (rule.frameTypes) {
-                if (!frameTypeNormalized) {
-                    step.expression = 'frame_type: missing';
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
-                if (!rule.frameTypes.has(frameTypeNormalized)) {
-                    step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
-                    step.result = false;
-                    evaluationTrace.push(step);
-                    continue;
-                }
+            // Skip rules with 'frame_type' clause (reserved for advanced-security package)
+            if (rule.hasFrameTypeClause) {
+                step.expression = 'frame_type clause (skipped by basic policy)';
+                step.result = false;
+                evaluationTrace.push(step);
+                logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
+                continue;
             }
             // Check origin type match (early gate for efficiency)
             if (rule.originTypes) {
@@ -22799,8 +22787,14 @@ class BasicAuthorizationPolicy {
         const actions = this.compileActions(rule.action, id);
         // Compile address patterns (glob-only, no regex)
         const addressPatterns = this.compileAddress(rule.address, id);
-        // Compile frame type gating
-        const frameTypes = this.compileFrameTypes(rule.frame_type, id);
+        // Check for frame_type clause (reserved for advanced-security)
+        const hasFrameTypeClause = rule.frame_type !== undefined;
+        if (hasFrameTypeClause && warnOnUnknown) {
+            logger$J.warning('reserved_field_frame_type_will_be_skipped', {
+                ruleId: id,
+                message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
+            });
+        }
         // Compile origin type gating
         const originTypes = this.compileOriginTypes(rule.origin_type, id);
         // Compile scope matcher (glob-only, no regex)
@@ -22827,11 +22821,12 @@ class BasicAuthorizationPolicy {
             description: rule.description,
             effect: rule.effect,
             actions,
-            frameTypes,
+            frameTypes: undefined, // No longer used; reserved for advanced-security
             originTypes,
             addressPatterns,
             scopeMatcher,
             hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
+            hasFrameTypeClause,
         };
     }
     /**
@@ -22921,43 +22916,6 @@ class BasicAuthorizationPolicy {
         }
         return patterns;
     }
-    /**
-     * Compiles frame_type field into a Set of normalized frame types.
-     * Supports single string or array of strings (implicit any-of).
-     * Returns undefined if not specified (no frame type gating).
-     */
-    compileFrameTypes(frameType, ruleId) {
-        if (frameType === undefined) {
-            return undefined;
-        }
-        // Handle single frame type
-        if (typeof frameType === 'string') {
-            const normalized = frameType.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
-            }
-            return new Set([normalized]);
-        }
-        // Handle array of frame types
-        if (!Array.isArray(frameType)) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
-        }
-        if (frameType.length === 0) {
-            throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
-        }
-        const frameTypes = new Set();
-        for (const ft of frameType) {
-            if (typeof ft !== 'string') {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
-            }
-            const normalized = ft.trim().toLowerCase();
-            if (!normalized) {
-                throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
-            }
-            frameTypes.add(normalized);
-        }
-        return frameTypes;
-    }
     /**
      * Compiles origin_type field into a Set of normalized origin types.
      * Supports single string or array of strings (implicit any-of).
@@ -29611,61 +29569,11 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
 const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
-const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 const PROFILE_NAME_GATED = 'gated';
 const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 const PROFILE_NAME_OPEN$1 = 'open';
-const STRICT_OVERLAY_PROFILE = {
-    type: 'DefaultSecurityManager',
-    security_policy: {
-        type: 'DefaultSecurityPolicy',
-        signing: {
-            signing_material: 'x509-chain',
-            require_cert_sid_match: true,
-            inbound: {
-                signature_policy: 'required',
-                unsigned_violation_action: 'nack',
-                invalid_signature_action: 'nack',
-            },
-            response: {
-                mirror_request_signing: true,
-                always_sign_responses: false,
-                sign_error_responses: true,
-            },
-            outbound: {
-                default_signing: true,
-                sign_sensitive_operations: true,
-                sign_if_recipient_expects: true,
-            },
-        },
-        encryption: {
-            inbound: {
-                allow_plaintext: true,
-                allow_channel: true,
-                allow_sealed: true,
-                plaintext_violation_action: 'nack',
-                channel_violation_action: 'nack',
-                sealed_violation_action: 'nack',
-            },
-            response: {
-                mirror_request_level: true,
-                minimum_response_level: 'plaintext',
-                escalate_sealed_responses: false,
-            },
-            outbound: {
-                default_level: factory.Expressions.env(ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, 'channel'),
-                escalate_if_peer_supports: false,
-                prefer_sealed_for_sensitive: false,
-            },
-        },
-    },
-    authorizer: {
-        type: 'AuthorizationProfile',
-        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
-    },
-};
 const OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -29868,7 +29776,6 @@ const OPEN_PROFILE$1 = {
 };
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY, OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY_CALLBACK, OVERLAY_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
-registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED, GATED_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED_CALLBACK, GATED_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
 registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OPEN$1, OPEN_PROFILE$1, { source: 'node-security-profile-factory' });
@@ -30005,7 +29912,6 @@ var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     PROFILE_NAME_OPEN: PROFILE_NAME_OPEN$1,
     PROFILE_NAME_OVERLAY: PROFILE_NAME_OVERLAY,
     PROFILE_NAME_OVERLAY_CALLBACK: PROFILE_NAME_OVERLAY_CALLBACK,
-    PROFILE_NAME_STRICT_OVERLAY: PROFILE_NAME_STRICT_OVERLAY,
     default: NodeSecurityProfileFactory
 });
 
@@ -43886,7 +43792,6 @@ exports.PROFILE_NAME_GATED_CALLBACK = PROFILE_NAME_GATED_CALLBACK;
 exports.PROFILE_NAME_OPEN = PROFILE_NAME_OPEN$1;
 exports.PROFILE_NAME_OVERLAY = PROFILE_NAME_OVERLAY;
 exports.PROFILE_NAME_OVERLAY_CALLBACK = PROFILE_NAME_OVERLAY_CALLBACK;
-exports.PROFILE_NAME_STRICT_OVERLAY = PROFILE_NAME_STRICT_OVERLAY;
 exports.PromptCredentialProvider = PromptCredentialProvider;
 exports.REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE = REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE;
 exports.REQUIRED_FIELDS_BY_KTY = REQUIRED_FIELDS_BY_KTY;