@naylence/runtime 0.4.8 → 0.4.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/browser/index.cjs +21 -62
- package/dist/browser/index.mjs +21 -62
- package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-definition.js +1 -1
- package/dist/cjs/naylence/fame/security/auth/policy/basic-authorization-policy.js +18 -59
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/security/auth/policy/authorization-policy-definition.js +1 -1
- package/dist/esm/naylence/fame/security/auth/policy/basic-authorization-policy.js +18 -59
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +21 -62
- package/dist/node/index.mjs +21 -62
- package/dist/node/node.cjs +21 -62
- package/dist/node/node.mjs +21 -62
- package/dist/types/naylence/fame/security/auth/policy/authorization-policy-definition.d.ts +5 -1
- package/dist/types/naylence/fame/security/auth/policy/basic-authorization-policy.d.ts +0 -6
- package/dist/types/version.d.ts +1 -1
- package/package.json +1 -1
package/dist/browser/index.cjs
CHANGED
|
@@ -525,12 +525,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
|
|
|
525
525
|
}
|
|
526
526
|
|
|
527
527
|
// This file is auto-generated during build - do not edit manually
|
|
528
|
-
// Generated from package.json version: 0.4.
|
|
528
|
+
// Generated from package.json version: 0.4.9
|
|
529
529
|
/**
|
|
530
530
|
* The package version, injected at build time.
|
|
531
531
|
* @internal
|
|
532
532
|
*/
|
|
533
|
-
const VERSION = '0.4.
|
|
533
|
+
const VERSION = '0.4.9';
|
|
534
534
|
|
|
535
535
|
let initialized = false;
|
|
536
536
|
const runtimePlugin = {
|
|
@@ -22237,7 +22237,7 @@ const KNOWN_RULE_FIELDS = new Set([
|
|
|
22237
22237
|
'effect',
|
|
22238
22238
|
'action',
|
|
22239
22239
|
'address',
|
|
22240
|
-
'frame_type',
|
|
22240
|
+
'frame_type', // Reserved for advanced-security
|
|
22241
22241
|
'origin_type',
|
|
22242
22242
|
'scope',
|
|
22243
22243
|
'when', // Reserved for advanced-security
|
|
@@ -22760,11 +22760,6 @@ class BasicAuthorizationPolicy {
|
|
|
22760
22760
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
22761
22761
|
const address = extractAddress(envelope);
|
|
22762
22762
|
const grantedScopes = extractGrantedScopes(context);
|
|
22763
|
-
const rawFrameType = envelope.frame
|
|
22764
|
-
?.type;
|
|
22765
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
22766
|
-
? rawFrameType.trim().toLowerCase()
|
|
22767
|
-
: '';
|
|
22768
22763
|
// Extract and normalize origin type for rule matching
|
|
22769
22764
|
const rawOriginType = context?.originType;
|
|
22770
22765
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -22782,22 +22777,16 @@ class BasicAuthorizationPolicy {
|
|
|
22782
22777
|
step.expression = 'when clause (skipped by basic policy)';
|
|
22783
22778
|
step.result = false;
|
|
22784
22779
|
evaluationTrace.push(step);
|
|
22780
|
+
logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
22785
22781
|
continue;
|
|
22786
22782
|
}
|
|
22787
|
-
//
|
|
22788
|
-
if (rule.
|
|
22789
|
-
|
|
22790
|
-
|
|
22791
|
-
|
|
22792
|
-
|
|
22793
|
-
|
|
22794
|
-
}
|
|
22795
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
22796
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
22797
|
-
step.result = false;
|
|
22798
|
-
evaluationTrace.push(step);
|
|
22799
|
-
continue;
|
|
22800
|
-
}
|
|
22783
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
22784
|
+
if (rule.hasFrameTypeClause) {
|
|
22785
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
22786
|
+
step.result = false;
|
|
22787
|
+
evaluationTrace.push(step);
|
|
22788
|
+
logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
22789
|
+
continue;
|
|
22801
22790
|
}
|
|
22802
22791
|
// Check origin type match (early gate for efficiency)
|
|
22803
22792
|
if (rule.originTypes) {
|
|
@@ -22912,8 +22901,14 @@ class BasicAuthorizationPolicy {
|
|
|
22912
22901
|
const actions = this.compileActions(rule.action, id);
|
|
22913
22902
|
// Compile address patterns (glob-only, no regex)
|
|
22914
22903
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
22915
|
-
//
|
|
22916
|
-
const
|
|
22904
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
22905
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
22906
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
22907
|
+
logger$J.warning('reserved_field_frame_type_will_be_skipped', {
|
|
22908
|
+
ruleId: id,
|
|
22909
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
22910
|
+
});
|
|
22911
|
+
}
|
|
22917
22912
|
// Compile origin type gating
|
|
22918
22913
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
22919
22914
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -22940,11 +22935,12 @@ class BasicAuthorizationPolicy {
|
|
|
22940
22935
|
description: rule.description,
|
|
22941
22936
|
effect: rule.effect,
|
|
22942
22937
|
actions,
|
|
22943
|
-
frameTypes,
|
|
22938
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
22944
22939
|
originTypes,
|
|
22945
22940
|
addressPatterns,
|
|
22946
22941
|
scopeMatcher,
|
|
22947
22942
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
22943
|
+
hasFrameTypeClause,
|
|
22948
22944
|
};
|
|
22949
22945
|
}
|
|
22950
22946
|
/**
|
|
@@ -23034,43 +23030,6 @@ class BasicAuthorizationPolicy {
|
|
|
23034
23030
|
}
|
|
23035
23031
|
return patterns;
|
|
23036
23032
|
}
|
|
23037
|
-
/**
|
|
23038
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
23039
|
-
* Supports single string or array of strings (implicit any-of).
|
|
23040
|
-
* Returns undefined if not specified (no frame type gating).
|
|
23041
|
-
*/
|
|
23042
|
-
compileFrameTypes(frameType, ruleId) {
|
|
23043
|
-
if (frameType === undefined) {
|
|
23044
|
-
return undefined;
|
|
23045
|
-
}
|
|
23046
|
-
// Handle single frame type
|
|
23047
|
-
if (typeof frameType === 'string') {
|
|
23048
|
-
const normalized = frameType.trim().toLowerCase();
|
|
23049
|
-
if (!normalized) {
|
|
23050
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
23051
|
-
}
|
|
23052
|
-
return new Set([normalized]);
|
|
23053
|
-
}
|
|
23054
|
-
// Handle array of frame types
|
|
23055
|
-
if (!Array.isArray(frameType)) {
|
|
23056
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
23057
|
-
}
|
|
23058
|
-
if (frameType.length === 0) {
|
|
23059
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
23060
|
-
}
|
|
23061
|
-
const frameTypes = new Set();
|
|
23062
|
-
for (const ft of frameType) {
|
|
23063
|
-
if (typeof ft !== 'string') {
|
|
23064
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
23065
|
-
}
|
|
23066
|
-
const normalized = ft.trim().toLowerCase();
|
|
23067
|
-
if (!normalized) {
|
|
23068
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
23069
|
-
}
|
|
23070
|
-
frameTypes.add(normalized);
|
|
23071
|
-
}
|
|
23072
|
-
return frameTypes;
|
|
23073
|
-
}
|
|
23074
23033
|
/**
|
|
23075
23034
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
23076
23035
|
* Supports single string or array of strings (implicit any-of).
|
package/dist/browser/index.mjs
CHANGED
|
@@ -523,12 +523,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
|
|
|
523
523
|
}
|
|
524
524
|
|
|
525
525
|
// This file is auto-generated during build - do not edit manually
|
|
526
|
-
// Generated from package.json version: 0.4.
|
|
526
|
+
// Generated from package.json version: 0.4.9
|
|
527
527
|
/**
|
|
528
528
|
* The package version, injected at build time.
|
|
529
529
|
* @internal
|
|
530
530
|
*/
|
|
531
|
-
const VERSION = '0.4.
|
|
531
|
+
const VERSION = '0.4.9';
|
|
532
532
|
|
|
533
533
|
let initialized = false;
|
|
534
534
|
const runtimePlugin = {
|
|
@@ -22235,7 +22235,7 @@ const KNOWN_RULE_FIELDS = new Set([
|
|
|
22235
22235
|
'effect',
|
|
22236
22236
|
'action',
|
|
22237
22237
|
'address',
|
|
22238
|
-
'frame_type',
|
|
22238
|
+
'frame_type', // Reserved for advanced-security
|
|
22239
22239
|
'origin_type',
|
|
22240
22240
|
'scope',
|
|
22241
22241
|
'when', // Reserved for advanced-security
|
|
@@ -22758,11 +22758,6 @@ class BasicAuthorizationPolicy {
|
|
|
22758
22758
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
22759
22759
|
const address = extractAddress(envelope);
|
|
22760
22760
|
const grantedScopes = extractGrantedScopes(context);
|
|
22761
|
-
const rawFrameType = envelope.frame
|
|
22762
|
-
?.type;
|
|
22763
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
22764
|
-
? rawFrameType.trim().toLowerCase()
|
|
22765
|
-
: '';
|
|
22766
22761
|
// Extract and normalize origin type for rule matching
|
|
22767
22762
|
const rawOriginType = context?.originType;
|
|
22768
22763
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -22780,22 +22775,16 @@ class BasicAuthorizationPolicy {
|
|
|
22780
22775
|
step.expression = 'when clause (skipped by basic policy)';
|
|
22781
22776
|
step.result = false;
|
|
22782
22777
|
evaluationTrace.push(step);
|
|
22778
|
+
logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
22783
22779
|
continue;
|
|
22784
22780
|
}
|
|
22785
|
-
//
|
|
22786
|
-
if (rule.
|
|
22787
|
-
|
|
22788
|
-
|
|
22789
|
-
|
|
22790
|
-
|
|
22791
|
-
|
|
22792
|
-
}
|
|
22793
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
22794
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
22795
|
-
step.result = false;
|
|
22796
|
-
evaluationTrace.push(step);
|
|
22797
|
-
continue;
|
|
22798
|
-
}
|
|
22781
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
22782
|
+
if (rule.hasFrameTypeClause) {
|
|
22783
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
22784
|
+
step.result = false;
|
|
22785
|
+
evaluationTrace.push(step);
|
|
22786
|
+
logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
22787
|
+
continue;
|
|
22799
22788
|
}
|
|
22800
22789
|
// Check origin type match (early gate for efficiency)
|
|
22801
22790
|
if (rule.originTypes) {
|
|
@@ -22910,8 +22899,14 @@ class BasicAuthorizationPolicy {
|
|
|
22910
22899
|
const actions = this.compileActions(rule.action, id);
|
|
22911
22900
|
// Compile address patterns (glob-only, no regex)
|
|
22912
22901
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
22913
|
-
//
|
|
22914
|
-
const
|
|
22902
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
22903
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
22904
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
22905
|
+
logger$J.warning('reserved_field_frame_type_will_be_skipped', {
|
|
22906
|
+
ruleId: id,
|
|
22907
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
22908
|
+
});
|
|
22909
|
+
}
|
|
22915
22910
|
// Compile origin type gating
|
|
22916
22911
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
22917
22912
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -22938,11 +22933,12 @@ class BasicAuthorizationPolicy {
|
|
|
22938
22933
|
description: rule.description,
|
|
22939
22934
|
effect: rule.effect,
|
|
22940
22935
|
actions,
|
|
22941
|
-
frameTypes,
|
|
22936
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
22942
22937
|
originTypes,
|
|
22943
22938
|
addressPatterns,
|
|
22944
22939
|
scopeMatcher,
|
|
22945
22940
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
22941
|
+
hasFrameTypeClause,
|
|
22946
22942
|
};
|
|
22947
22943
|
}
|
|
22948
22944
|
/**
|
|
@@ -23032,43 +23028,6 @@ class BasicAuthorizationPolicy {
|
|
|
23032
23028
|
}
|
|
23033
23029
|
return patterns;
|
|
23034
23030
|
}
|
|
23035
|
-
/**
|
|
23036
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
23037
|
-
* Supports single string or array of strings (implicit any-of).
|
|
23038
|
-
* Returns undefined if not specified (no frame type gating).
|
|
23039
|
-
*/
|
|
23040
|
-
compileFrameTypes(frameType, ruleId) {
|
|
23041
|
-
if (frameType === undefined) {
|
|
23042
|
-
return undefined;
|
|
23043
|
-
}
|
|
23044
|
-
// Handle single frame type
|
|
23045
|
-
if (typeof frameType === 'string') {
|
|
23046
|
-
const normalized = frameType.trim().toLowerCase();
|
|
23047
|
-
if (!normalized) {
|
|
23048
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
23049
|
-
}
|
|
23050
|
-
return new Set([normalized]);
|
|
23051
|
-
}
|
|
23052
|
-
// Handle array of frame types
|
|
23053
|
-
if (!Array.isArray(frameType)) {
|
|
23054
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
23055
|
-
}
|
|
23056
|
-
if (frameType.length === 0) {
|
|
23057
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
23058
|
-
}
|
|
23059
|
-
const frameTypes = new Set();
|
|
23060
|
-
for (const ft of frameType) {
|
|
23061
|
-
if (typeof ft !== 'string') {
|
|
23062
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
23063
|
-
}
|
|
23064
|
-
const normalized = ft.trim().toLowerCase();
|
|
23065
|
-
if (!normalized) {
|
|
23066
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
23067
|
-
}
|
|
23068
|
-
frameTypes.add(normalized);
|
|
23069
|
-
}
|
|
23070
|
-
return frameTypes;
|
|
23071
|
-
}
|
|
23072
23031
|
/**
|
|
23073
23032
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
23074
23033
|
* Supports single string or array of strings (implicit any-of).
|
|
@@ -96,11 +96,6 @@ class BasicAuthorizationPolicy {
|
|
|
96
96
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
97
97
|
const address = extractAddress(envelope);
|
|
98
98
|
const grantedScopes = extractGrantedScopes(context);
|
|
99
|
-
const rawFrameType = envelope.frame
|
|
100
|
-
?.type;
|
|
101
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
102
|
-
? rawFrameType.trim().toLowerCase()
|
|
103
|
-
: '';
|
|
104
99
|
// Extract and normalize origin type for rule matching
|
|
105
100
|
const rawOriginType = context?.originType;
|
|
106
101
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -118,22 +113,16 @@ class BasicAuthorizationPolicy {
|
|
|
118
113
|
step.expression = 'when clause (skipped by basic policy)';
|
|
119
114
|
step.result = false;
|
|
120
115
|
evaluationTrace.push(step);
|
|
116
|
+
logger.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
121
117
|
continue;
|
|
122
118
|
}
|
|
123
|
-
//
|
|
124
|
-
if (rule.
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
}
|
|
131
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
132
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
133
|
-
step.result = false;
|
|
134
|
-
evaluationTrace.push(step);
|
|
135
|
-
continue;
|
|
136
|
-
}
|
|
119
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
120
|
+
if (rule.hasFrameTypeClause) {
|
|
121
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
122
|
+
step.result = false;
|
|
123
|
+
evaluationTrace.push(step);
|
|
124
|
+
logger.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
125
|
+
continue;
|
|
137
126
|
}
|
|
138
127
|
// Check origin type match (early gate for efficiency)
|
|
139
128
|
if (rule.originTypes) {
|
|
@@ -248,8 +237,14 @@ class BasicAuthorizationPolicy {
|
|
|
248
237
|
const actions = this.compileActions(rule.action, id);
|
|
249
238
|
// Compile address patterns (glob-only, no regex)
|
|
250
239
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
251
|
-
//
|
|
252
|
-
const
|
|
240
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
241
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
242
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
243
|
+
logger.warning('reserved_field_frame_type_will_be_skipped', {
|
|
244
|
+
ruleId: id,
|
|
245
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
246
|
+
});
|
|
247
|
+
}
|
|
253
248
|
// Compile origin type gating
|
|
254
249
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
255
250
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -276,11 +271,12 @@ class BasicAuthorizationPolicy {
|
|
|
276
271
|
description: rule.description,
|
|
277
272
|
effect: rule.effect,
|
|
278
273
|
actions,
|
|
279
|
-
frameTypes,
|
|
274
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
280
275
|
originTypes,
|
|
281
276
|
addressPatterns,
|
|
282
277
|
scopeMatcher,
|
|
283
278
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
279
|
+
hasFrameTypeClause,
|
|
284
280
|
};
|
|
285
281
|
}
|
|
286
282
|
/**
|
|
@@ -370,43 +366,6 @@ class BasicAuthorizationPolicy {
|
|
|
370
366
|
}
|
|
371
367
|
return patterns;
|
|
372
368
|
}
|
|
373
|
-
/**
|
|
374
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
375
|
-
* Supports single string or array of strings (implicit any-of).
|
|
376
|
-
* Returns undefined if not specified (no frame type gating).
|
|
377
|
-
*/
|
|
378
|
-
compileFrameTypes(frameType, ruleId) {
|
|
379
|
-
if (frameType === undefined) {
|
|
380
|
-
return undefined;
|
|
381
|
-
}
|
|
382
|
-
// Handle single frame type
|
|
383
|
-
if (typeof frameType === 'string') {
|
|
384
|
-
const normalized = frameType.trim().toLowerCase();
|
|
385
|
-
if (!normalized) {
|
|
386
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
387
|
-
}
|
|
388
|
-
return new Set([normalized]);
|
|
389
|
-
}
|
|
390
|
-
// Handle array of frame types
|
|
391
|
-
if (!Array.isArray(frameType)) {
|
|
392
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
393
|
-
}
|
|
394
|
-
if (frameType.length === 0) {
|
|
395
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
396
|
-
}
|
|
397
|
-
const frameTypes = new Set();
|
|
398
|
-
for (const ft of frameType) {
|
|
399
|
-
if (typeof ft !== 'string') {
|
|
400
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
401
|
-
}
|
|
402
|
-
const normalized = ft.trim().toLowerCase();
|
|
403
|
-
if (!normalized) {
|
|
404
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
405
|
-
}
|
|
406
|
-
frameTypes.add(normalized);
|
|
407
|
-
}
|
|
408
|
-
return frameTypes;
|
|
409
|
-
}
|
|
410
369
|
/**
|
|
411
370
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
412
371
|
* Supports single string or array of strings (implicit any-of).
|
package/dist/cjs/version.js
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
// This file is auto-generated during build - do not edit manually
|
|
3
|
-
// Generated from package.json version: 0.4.
|
|
3
|
+
// Generated from package.json version: 0.4.9
|
|
4
4
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
5
5
|
exports.VERSION = void 0;
|
|
6
6
|
/**
|
|
7
7
|
* The package version, injected at build time.
|
|
8
8
|
* @internal
|
|
9
9
|
*/
|
|
10
|
-
exports.VERSION = '0.4.
|
|
10
|
+
exports.VERSION = '0.4.9';
|
|
@@ -93,11 +93,6 @@ export class BasicAuthorizationPolicy {
|
|
|
93
93
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
94
94
|
const address = extractAddress(envelope);
|
|
95
95
|
const grantedScopes = extractGrantedScopes(context);
|
|
96
|
-
const rawFrameType = envelope.frame
|
|
97
|
-
?.type;
|
|
98
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
99
|
-
? rawFrameType.trim().toLowerCase()
|
|
100
|
-
: '';
|
|
101
96
|
// Extract and normalize origin type for rule matching
|
|
102
97
|
const rawOriginType = context?.originType;
|
|
103
98
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -115,22 +110,16 @@ export class BasicAuthorizationPolicy {
|
|
|
115
110
|
step.expression = 'when clause (skipped by basic policy)';
|
|
116
111
|
step.result = false;
|
|
117
112
|
evaluationTrace.push(step);
|
|
113
|
+
logger.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
118
114
|
continue;
|
|
119
115
|
}
|
|
120
|
-
//
|
|
121
|
-
if (rule.
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
}
|
|
128
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
129
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
130
|
-
step.result = false;
|
|
131
|
-
evaluationTrace.push(step);
|
|
132
|
-
continue;
|
|
133
|
-
}
|
|
116
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
117
|
+
if (rule.hasFrameTypeClause) {
|
|
118
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
119
|
+
step.result = false;
|
|
120
|
+
evaluationTrace.push(step);
|
|
121
|
+
logger.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
122
|
+
continue;
|
|
134
123
|
}
|
|
135
124
|
// Check origin type match (early gate for efficiency)
|
|
136
125
|
if (rule.originTypes) {
|
|
@@ -245,8 +234,14 @@ export class BasicAuthorizationPolicy {
|
|
|
245
234
|
const actions = this.compileActions(rule.action, id);
|
|
246
235
|
// Compile address patterns (glob-only, no regex)
|
|
247
236
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
248
|
-
//
|
|
249
|
-
const
|
|
237
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
238
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
239
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
240
|
+
logger.warning('reserved_field_frame_type_will_be_skipped', {
|
|
241
|
+
ruleId: id,
|
|
242
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
243
|
+
});
|
|
244
|
+
}
|
|
250
245
|
// Compile origin type gating
|
|
251
246
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
252
247
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -273,11 +268,12 @@ export class BasicAuthorizationPolicy {
|
|
|
273
268
|
description: rule.description,
|
|
274
269
|
effect: rule.effect,
|
|
275
270
|
actions,
|
|
276
|
-
frameTypes,
|
|
271
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
277
272
|
originTypes,
|
|
278
273
|
addressPatterns,
|
|
279
274
|
scopeMatcher,
|
|
280
275
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
276
|
+
hasFrameTypeClause,
|
|
281
277
|
};
|
|
282
278
|
}
|
|
283
279
|
/**
|
|
@@ -367,43 +363,6 @@ export class BasicAuthorizationPolicy {
|
|
|
367
363
|
}
|
|
368
364
|
return patterns;
|
|
369
365
|
}
|
|
370
|
-
/**
|
|
371
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
372
|
-
* Supports single string or array of strings (implicit any-of).
|
|
373
|
-
* Returns undefined if not specified (no frame type gating).
|
|
374
|
-
*/
|
|
375
|
-
compileFrameTypes(frameType, ruleId) {
|
|
376
|
-
if (frameType === undefined) {
|
|
377
|
-
return undefined;
|
|
378
|
-
}
|
|
379
|
-
// Handle single frame type
|
|
380
|
-
if (typeof frameType === 'string') {
|
|
381
|
-
const normalized = frameType.trim().toLowerCase();
|
|
382
|
-
if (!normalized) {
|
|
383
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
384
|
-
}
|
|
385
|
-
return new Set([normalized]);
|
|
386
|
-
}
|
|
387
|
-
// Handle array of frame types
|
|
388
|
-
if (!Array.isArray(frameType)) {
|
|
389
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
390
|
-
}
|
|
391
|
-
if (frameType.length === 0) {
|
|
392
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
393
|
-
}
|
|
394
|
-
const frameTypes = new Set();
|
|
395
|
-
for (const ft of frameType) {
|
|
396
|
-
if (typeof ft !== 'string') {
|
|
397
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
398
|
-
}
|
|
399
|
-
const normalized = ft.trim().toLowerCase();
|
|
400
|
-
if (!normalized) {
|
|
401
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
402
|
-
}
|
|
403
|
-
frameTypes.add(normalized);
|
|
404
|
-
}
|
|
405
|
-
return frameTypes;
|
|
406
|
-
}
|
|
407
366
|
/**
|
|
408
367
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
409
368
|
* Supports single string or array of strings (implicit any-of).
|
package/dist/esm/version.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
// This file is auto-generated during build - do not edit manually
|
|
2
|
-
// Generated from package.json version: 0.4.
|
|
2
|
+
// Generated from package.json version: 0.4.9
|
|
3
3
|
/**
|
|
4
4
|
* The package version, injected at build time.
|
|
5
5
|
* @internal
|
|
6
6
|
*/
|
|
7
|
-
export const VERSION = '0.4.
|
|
7
|
+
export const VERSION = '0.4.9';
|
package/dist/node/index.cjs
CHANGED
|
@@ -14,12 +14,12 @@ var fastify = require('fastify');
|
|
|
14
14
|
var websocketPlugin = require('@fastify/websocket');
|
|
15
15
|
|
|
16
16
|
// This file is auto-generated during build - do not edit manually
|
|
17
|
-
// Generated from package.json version: 0.4.
|
|
17
|
+
// Generated from package.json version: 0.4.9
|
|
18
18
|
/**
|
|
19
19
|
* The package version, injected at build time.
|
|
20
20
|
* @internal
|
|
21
21
|
*/
|
|
22
|
-
const VERSION = '0.4.
|
|
22
|
+
const VERSION = '0.4.9';
|
|
23
23
|
|
|
24
24
|
/**
|
|
25
25
|
* Fame protocol specific error classes with WebSocket close codes and proper inheritance.
|
|
@@ -22124,7 +22124,7 @@ const KNOWN_RULE_FIELDS = new Set([
|
|
|
22124
22124
|
'effect',
|
|
22125
22125
|
'action',
|
|
22126
22126
|
'address',
|
|
22127
|
-
'frame_type',
|
|
22127
|
+
'frame_type', // Reserved for advanced-security
|
|
22128
22128
|
'origin_type',
|
|
22129
22129
|
'scope',
|
|
22130
22130
|
'when', // Reserved for advanced-security
|
|
@@ -22647,11 +22647,6 @@ class BasicAuthorizationPolicy {
|
|
|
22647
22647
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
22648
22648
|
const address = extractAddress(envelope);
|
|
22649
22649
|
const grantedScopes = extractGrantedScopes(context);
|
|
22650
|
-
const rawFrameType = envelope.frame
|
|
22651
|
-
?.type;
|
|
22652
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
22653
|
-
? rawFrameType.trim().toLowerCase()
|
|
22654
|
-
: '';
|
|
22655
22650
|
// Extract and normalize origin type for rule matching
|
|
22656
22651
|
const rawOriginType = context?.originType;
|
|
22657
22652
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -22669,22 +22664,16 @@ class BasicAuthorizationPolicy {
|
|
|
22669
22664
|
step.expression = 'when clause (skipped by basic policy)';
|
|
22670
22665
|
step.result = false;
|
|
22671
22666
|
evaluationTrace.push(step);
|
|
22667
|
+
logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
22672
22668
|
continue;
|
|
22673
22669
|
}
|
|
22674
|
-
//
|
|
22675
|
-
if (rule.
|
|
22676
|
-
|
|
22677
|
-
|
|
22678
|
-
|
|
22679
|
-
|
|
22680
|
-
|
|
22681
|
-
}
|
|
22682
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
22683
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
22684
|
-
step.result = false;
|
|
22685
|
-
evaluationTrace.push(step);
|
|
22686
|
-
continue;
|
|
22687
|
-
}
|
|
22670
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
22671
|
+
if (rule.hasFrameTypeClause) {
|
|
22672
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
22673
|
+
step.result = false;
|
|
22674
|
+
evaluationTrace.push(step);
|
|
22675
|
+
logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
22676
|
+
continue;
|
|
22688
22677
|
}
|
|
22689
22678
|
// Check origin type match (early gate for efficiency)
|
|
22690
22679
|
if (rule.originTypes) {
|
|
@@ -22799,8 +22788,14 @@ class BasicAuthorizationPolicy {
|
|
|
22799
22788
|
const actions = this.compileActions(rule.action, id);
|
|
22800
22789
|
// Compile address patterns (glob-only, no regex)
|
|
22801
22790
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
22802
|
-
//
|
|
22803
|
-
const
|
|
22791
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
22792
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
22793
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
22794
|
+
logger$J.warning('reserved_field_frame_type_will_be_skipped', {
|
|
22795
|
+
ruleId: id,
|
|
22796
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
22797
|
+
});
|
|
22798
|
+
}
|
|
22804
22799
|
// Compile origin type gating
|
|
22805
22800
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
22806
22801
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -22827,11 +22822,12 @@ class BasicAuthorizationPolicy {
|
|
|
22827
22822
|
description: rule.description,
|
|
22828
22823
|
effect: rule.effect,
|
|
22829
22824
|
actions,
|
|
22830
|
-
frameTypes,
|
|
22825
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
22831
22826
|
originTypes,
|
|
22832
22827
|
addressPatterns,
|
|
22833
22828
|
scopeMatcher,
|
|
22834
22829
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
22830
|
+
hasFrameTypeClause,
|
|
22835
22831
|
};
|
|
22836
22832
|
}
|
|
22837
22833
|
/**
|
|
@@ -22921,43 +22917,6 @@ class BasicAuthorizationPolicy {
|
|
|
22921
22917
|
}
|
|
22922
22918
|
return patterns;
|
|
22923
22919
|
}
|
|
22924
|
-
/**
|
|
22925
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
22926
|
-
* Supports single string or array of strings (implicit any-of).
|
|
22927
|
-
* Returns undefined if not specified (no frame type gating).
|
|
22928
|
-
*/
|
|
22929
|
-
compileFrameTypes(frameType, ruleId) {
|
|
22930
|
-
if (frameType === undefined) {
|
|
22931
|
-
return undefined;
|
|
22932
|
-
}
|
|
22933
|
-
// Handle single frame type
|
|
22934
|
-
if (typeof frameType === 'string') {
|
|
22935
|
-
const normalized = frameType.trim().toLowerCase();
|
|
22936
|
-
if (!normalized) {
|
|
22937
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
22938
|
-
}
|
|
22939
|
-
return new Set([normalized]);
|
|
22940
|
-
}
|
|
22941
|
-
// Handle array of frame types
|
|
22942
|
-
if (!Array.isArray(frameType)) {
|
|
22943
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
22944
|
-
}
|
|
22945
|
-
if (frameType.length === 0) {
|
|
22946
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
22947
|
-
}
|
|
22948
|
-
const frameTypes = new Set();
|
|
22949
|
-
for (const ft of frameType) {
|
|
22950
|
-
if (typeof ft !== 'string') {
|
|
22951
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
22952
|
-
}
|
|
22953
|
-
const normalized = ft.trim().toLowerCase();
|
|
22954
|
-
if (!normalized) {
|
|
22955
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
22956
|
-
}
|
|
22957
|
-
frameTypes.add(normalized);
|
|
22958
|
-
}
|
|
22959
|
-
return frameTypes;
|
|
22960
|
-
}
|
|
22961
22920
|
/**
|
|
22962
22921
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
22963
22922
|
* Supports single string or array of strings (implicit any-of).
|
package/dist/node/index.mjs
CHANGED
|
@@ -13,12 +13,12 @@ import fastify from 'fastify';
|
|
|
13
13
|
import websocketPlugin from '@fastify/websocket';
|
|
14
14
|
|
|
15
15
|
// This file is auto-generated during build - do not edit manually
|
|
16
|
-
// Generated from package.json version: 0.4.
|
|
16
|
+
// Generated from package.json version: 0.4.9
|
|
17
17
|
/**
|
|
18
18
|
* The package version, injected at build time.
|
|
19
19
|
* @internal
|
|
20
20
|
*/
|
|
21
|
-
const VERSION = '0.4.
|
|
21
|
+
const VERSION = '0.4.9';
|
|
22
22
|
|
|
23
23
|
/**
|
|
24
24
|
* Fame protocol specific error classes with WebSocket close codes and proper inheritance.
|
|
@@ -22123,7 +22123,7 @@ const KNOWN_RULE_FIELDS = new Set([
|
|
|
22123
22123
|
'effect',
|
|
22124
22124
|
'action',
|
|
22125
22125
|
'address',
|
|
22126
|
-
'frame_type',
|
|
22126
|
+
'frame_type', // Reserved for advanced-security
|
|
22127
22127
|
'origin_type',
|
|
22128
22128
|
'scope',
|
|
22129
22129
|
'when', // Reserved for advanced-security
|
|
@@ -22646,11 +22646,6 @@ class BasicAuthorizationPolicy {
|
|
|
22646
22646
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
22647
22647
|
const address = extractAddress(envelope);
|
|
22648
22648
|
const grantedScopes = extractGrantedScopes(context);
|
|
22649
|
-
const rawFrameType = envelope.frame
|
|
22650
|
-
?.type;
|
|
22651
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
22652
|
-
? rawFrameType.trim().toLowerCase()
|
|
22653
|
-
: '';
|
|
22654
22649
|
// Extract and normalize origin type for rule matching
|
|
22655
22650
|
const rawOriginType = context?.originType;
|
|
22656
22651
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -22668,22 +22663,16 @@ class BasicAuthorizationPolicy {
|
|
|
22668
22663
|
step.expression = 'when clause (skipped by basic policy)';
|
|
22669
22664
|
step.result = false;
|
|
22670
22665
|
evaluationTrace.push(step);
|
|
22666
|
+
logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
22671
22667
|
continue;
|
|
22672
22668
|
}
|
|
22673
|
-
//
|
|
22674
|
-
if (rule.
|
|
22675
|
-
|
|
22676
|
-
|
|
22677
|
-
|
|
22678
|
-
|
|
22679
|
-
|
|
22680
|
-
}
|
|
22681
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
22682
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
22683
|
-
step.result = false;
|
|
22684
|
-
evaluationTrace.push(step);
|
|
22685
|
-
continue;
|
|
22686
|
-
}
|
|
22669
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
22670
|
+
if (rule.hasFrameTypeClause) {
|
|
22671
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
22672
|
+
step.result = false;
|
|
22673
|
+
evaluationTrace.push(step);
|
|
22674
|
+
logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
22675
|
+
continue;
|
|
22687
22676
|
}
|
|
22688
22677
|
// Check origin type match (early gate for efficiency)
|
|
22689
22678
|
if (rule.originTypes) {
|
|
@@ -22798,8 +22787,14 @@ class BasicAuthorizationPolicy {
|
|
|
22798
22787
|
const actions = this.compileActions(rule.action, id);
|
|
22799
22788
|
// Compile address patterns (glob-only, no regex)
|
|
22800
22789
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
22801
|
-
//
|
|
22802
|
-
const
|
|
22790
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
22791
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
22792
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
22793
|
+
logger$J.warning('reserved_field_frame_type_will_be_skipped', {
|
|
22794
|
+
ruleId: id,
|
|
22795
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
22796
|
+
});
|
|
22797
|
+
}
|
|
22803
22798
|
// Compile origin type gating
|
|
22804
22799
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
22805
22800
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -22826,11 +22821,12 @@ class BasicAuthorizationPolicy {
|
|
|
22826
22821
|
description: rule.description,
|
|
22827
22822
|
effect: rule.effect,
|
|
22828
22823
|
actions,
|
|
22829
|
-
frameTypes,
|
|
22824
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
22830
22825
|
originTypes,
|
|
22831
22826
|
addressPatterns,
|
|
22832
22827
|
scopeMatcher,
|
|
22833
22828
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
22829
|
+
hasFrameTypeClause,
|
|
22834
22830
|
};
|
|
22835
22831
|
}
|
|
22836
22832
|
/**
|
|
@@ -22920,43 +22916,6 @@ class BasicAuthorizationPolicy {
|
|
|
22920
22916
|
}
|
|
22921
22917
|
return patterns;
|
|
22922
22918
|
}
|
|
22923
|
-
/**
|
|
22924
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
22925
|
-
* Supports single string or array of strings (implicit any-of).
|
|
22926
|
-
* Returns undefined if not specified (no frame type gating).
|
|
22927
|
-
*/
|
|
22928
|
-
compileFrameTypes(frameType, ruleId) {
|
|
22929
|
-
if (frameType === undefined) {
|
|
22930
|
-
return undefined;
|
|
22931
|
-
}
|
|
22932
|
-
// Handle single frame type
|
|
22933
|
-
if (typeof frameType === 'string') {
|
|
22934
|
-
const normalized = frameType.trim().toLowerCase();
|
|
22935
|
-
if (!normalized) {
|
|
22936
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
22937
|
-
}
|
|
22938
|
-
return new Set([normalized]);
|
|
22939
|
-
}
|
|
22940
|
-
// Handle array of frame types
|
|
22941
|
-
if (!Array.isArray(frameType)) {
|
|
22942
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
22943
|
-
}
|
|
22944
|
-
if (frameType.length === 0) {
|
|
22945
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
22946
|
-
}
|
|
22947
|
-
const frameTypes = new Set();
|
|
22948
|
-
for (const ft of frameType) {
|
|
22949
|
-
if (typeof ft !== 'string') {
|
|
22950
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
22951
|
-
}
|
|
22952
|
-
const normalized = ft.trim().toLowerCase();
|
|
22953
|
-
if (!normalized) {
|
|
22954
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
22955
|
-
}
|
|
22956
|
-
frameTypes.add(normalized);
|
|
22957
|
-
}
|
|
22958
|
-
return frameTypes;
|
|
22959
|
-
}
|
|
22960
22919
|
/**
|
|
22961
22920
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
22962
22921
|
* Supports single string or array of strings (implicit any-of).
|
package/dist/node/node.cjs
CHANGED
|
@@ -4436,12 +4436,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
|
|
|
4436
4436
|
}
|
|
4437
4437
|
|
|
4438
4438
|
// This file is auto-generated during build - do not edit manually
|
|
4439
|
-
// Generated from package.json version: 0.4.
|
|
4439
|
+
// Generated from package.json version: 0.4.9
|
|
4440
4440
|
/**
|
|
4441
4441
|
* The package version, injected at build time.
|
|
4442
4442
|
* @internal
|
|
4443
4443
|
*/
|
|
4444
|
-
const VERSION = '0.4.
|
|
4444
|
+
const VERSION = '0.4.9';
|
|
4445
4445
|
|
|
4446
4446
|
let initialized = false;
|
|
4447
4447
|
const runtimePlugin = {
|
|
@@ -23331,7 +23331,7 @@ const KNOWN_RULE_FIELDS = new Set([
|
|
|
23331
23331
|
'effect',
|
|
23332
23332
|
'action',
|
|
23333
23333
|
'address',
|
|
23334
|
-
'frame_type',
|
|
23334
|
+
'frame_type', // Reserved for advanced-security
|
|
23335
23335
|
'origin_type',
|
|
23336
23336
|
'scope',
|
|
23337
23337
|
'when', // Reserved for advanced-security
|
|
@@ -23861,11 +23861,6 @@ class BasicAuthorizationPolicy {
|
|
|
23861
23861
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
23862
23862
|
const address = extractAddress(envelope);
|
|
23863
23863
|
const grantedScopes = extractGrantedScopes(context);
|
|
23864
|
-
const rawFrameType = envelope.frame
|
|
23865
|
-
?.type;
|
|
23866
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
23867
|
-
? rawFrameType.trim().toLowerCase()
|
|
23868
|
-
: '';
|
|
23869
23864
|
// Extract and normalize origin type for rule matching
|
|
23870
23865
|
const rawOriginType = context?.originType;
|
|
23871
23866
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -23883,22 +23878,16 @@ class BasicAuthorizationPolicy {
|
|
|
23883
23878
|
step.expression = 'when clause (skipped by basic policy)';
|
|
23884
23879
|
step.result = false;
|
|
23885
23880
|
evaluationTrace.push(step);
|
|
23881
|
+
logger$M.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
23886
23882
|
continue;
|
|
23887
23883
|
}
|
|
23888
|
-
//
|
|
23889
|
-
if (rule.
|
|
23890
|
-
|
|
23891
|
-
|
|
23892
|
-
|
|
23893
|
-
|
|
23894
|
-
|
|
23895
|
-
}
|
|
23896
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
23897
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
23898
|
-
step.result = false;
|
|
23899
|
-
evaluationTrace.push(step);
|
|
23900
|
-
continue;
|
|
23901
|
-
}
|
|
23884
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
23885
|
+
if (rule.hasFrameTypeClause) {
|
|
23886
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
23887
|
+
step.result = false;
|
|
23888
|
+
evaluationTrace.push(step);
|
|
23889
|
+
logger$M.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
23890
|
+
continue;
|
|
23902
23891
|
}
|
|
23903
23892
|
// Check origin type match (early gate for efficiency)
|
|
23904
23893
|
if (rule.originTypes) {
|
|
@@ -24013,8 +24002,14 @@ class BasicAuthorizationPolicy {
|
|
|
24013
24002
|
const actions = this.compileActions(rule.action, id);
|
|
24014
24003
|
// Compile address patterns (glob-only, no regex)
|
|
24015
24004
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
24016
|
-
//
|
|
24017
|
-
const
|
|
24005
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
24006
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
24007
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
24008
|
+
logger$M.warning('reserved_field_frame_type_will_be_skipped', {
|
|
24009
|
+
ruleId: id,
|
|
24010
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
24011
|
+
});
|
|
24012
|
+
}
|
|
24018
24013
|
// Compile origin type gating
|
|
24019
24014
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
24020
24015
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -24041,11 +24036,12 @@ class BasicAuthorizationPolicy {
|
|
|
24041
24036
|
description: rule.description,
|
|
24042
24037
|
effect: rule.effect,
|
|
24043
24038
|
actions,
|
|
24044
|
-
frameTypes,
|
|
24039
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
24045
24040
|
originTypes,
|
|
24046
24041
|
addressPatterns,
|
|
24047
24042
|
scopeMatcher,
|
|
24048
24043
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
24044
|
+
hasFrameTypeClause,
|
|
24049
24045
|
};
|
|
24050
24046
|
}
|
|
24051
24047
|
/**
|
|
@@ -24135,43 +24131,6 @@ class BasicAuthorizationPolicy {
|
|
|
24135
24131
|
}
|
|
24136
24132
|
return patterns;
|
|
24137
24133
|
}
|
|
24138
|
-
/**
|
|
24139
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
24140
|
-
* Supports single string or array of strings (implicit any-of).
|
|
24141
|
-
* Returns undefined if not specified (no frame type gating).
|
|
24142
|
-
*/
|
|
24143
|
-
compileFrameTypes(frameType, ruleId) {
|
|
24144
|
-
if (frameType === undefined) {
|
|
24145
|
-
return undefined;
|
|
24146
|
-
}
|
|
24147
|
-
// Handle single frame type
|
|
24148
|
-
if (typeof frameType === 'string') {
|
|
24149
|
-
const normalized = frameType.trim().toLowerCase();
|
|
24150
|
-
if (!normalized) {
|
|
24151
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
24152
|
-
}
|
|
24153
|
-
return new Set([normalized]);
|
|
24154
|
-
}
|
|
24155
|
-
// Handle array of frame types
|
|
24156
|
-
if (!Array.isArray(frameType)) {
|
|
24157
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
24158
|
-
}
|
|
24159
|
-
if (frameType.length === 0) {
|
|
24160
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
24161
|
-
}
|
|
24162
|
-
const frameTypes = new Set();
|
|
24163
|
-
for (const ft of frameType) {
|
|
24164
|
-
if (typeof ft !== 'string') {
|
|
24165
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
24166
|
-
}
|
|
24167
|
-
const normalized = ft.trim().toLowerCase();
|
|
24168
|
-
if (!normalized) {
|
|
24169
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
24170
|
-
}
|
|
24171
|
-
frameTypes.add(normalized);
|
|
24172
|
-
}
|
|
24173
|
-
return frameTypes;
|
|
24174
|
-
}
|
|
24175
24134
|
/**
|
|
24176
24135
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
24177
24136
|
* Supports single string or array of strings (implicit any-of).
|
package/dist/node/node.mjs
CHANGED
|
@@ -4435,12 +4435,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
|
|
|
4435
4435
|
}
|
|
4436
4436
|
|
|
4437
4437
|
// This file is auto-generated during build - do not edit manually
|
|
4438
|
-
// Generated from package.json version: 0.4.
|
|
4438
|
+
// Generated from package.json version: 0.4.9
|
|
4439
4439
|
/**
|
|
4440
4440
|
* The package version, injected at build time.
|
|
4441
4441
|
* @internal
|
|
4442
4442
|
*/
|
|
4443
|
-
const VERSION = '0.4.
|
|
4443
|
+
const VERSION = '0.4.9';
|
|
4444
4444
|
|
|
4445
4445
|
let initialized = false;
|
|
4446
4446
|
const runtimePlugin = {
|
|
@@ -23330,7 +23330,7 @@ const KNOWN_RULE_FIELDS = new Set([
|
|
|
23330
23330
|
'effect',
|
|
23331
23331
|
'action',
|
|
23332
23332
|
'address',
|
|
23333
|
-
'frame_type',
|
|
23333
|
+
'frame_type', // Reserved for advanced-security
|
|
23334
23334
|
'origin_type',
|
|
23335
23335
|
'scope',
|
|
23336
23336
|
'when', // Reserved for advanced-security
|
|
@@ -23860,11 +23860,6 @@ class BasicAuthorizationPolicy {
|
|
|
23860
23860
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
23861
23861
|
const address = extractAddress(envelope);
|
|
23862
23862
|
const grantedScopes = extractGrantedScopes(context);
|
|
23863
|
-
const rawFrameType = envelope.frame
|
|
23864
|
-
?.type;
|
|
23865
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
23866
|
-
? rawFrameType.trim().toLowerCase()
|
|
23867
|
-
: '';
|
|
23868
23863
|
// Extract and normalize origin type for rule matching
|
|
23869
23864
|
const rawOriginType = context?.originType;
|
|
23870
23865
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -23882,22 +23877,16 @@ class BasicAuthorizationPolicy {
|
|
|
23882
23877
|
step.expression = 'when clause (skipped by basic policy)';
|
|
23883
23878
|
step.result = false;
|
|
23884
23879
|
evaluationTrace.push(step);
|
|
23880
|
+
logger$M.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
23885
23881
|
continue;
|
|
23886
23882
|
}
|
|
23887
|
-
//
|
|
23888
|
-
if (rule.
|
|
23889
|
-
|
|
23890
|
-
|
|
23891
|
-
|
|
23892
|
-
|
|
23893
|
-
|
|
23894
|
-
}
|
|
23895
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
23896
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
23897
|
-
step.result = false;
|
|
23898
|
-
evaluationTrace.push(step);
|
|
23899
|
-
continue;
|
|
23900
|
-
}
|
|
23883
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
23884
|
+
if (rule.hasFrameTypeClause) {
|
|
23885
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
23886
|
+
step.result = false;
|
|
23887
|
+
evaluationTrace.push(step);
|
|
23888
|
+
logger$M.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
23889
|
+
continue;
|
|
23901
23890
|
}
|
|
23902
23891
|
// Check origin type match (early gate for efficiency)
|
|
23903
23892
|
if (rule.originTypes) {
|
|
@@ -24012,8 +24001,14 @@ class BasicAuthorizationPolicy {
|
|
|
24012
24001
|
const actions = this.compileActions(rule.action, id);
|
|
24013
24002
|
// Compile address patterns (glob-only, no regex)
|
|
24014
24003
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
24015
|
-
//
|
|
24016
|
-
const
|
|
24004
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
24005
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
24006
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
24007
|
+
logger$M.warning('reserved_field_frame_type_will_be_skipped', {
|
|
24008
|
+
ruleId: id,
|
|
24009
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
24010
|
+
});
|
|
24011
|
+
}
|
|
24017
24012
|
// Compile origin type gating
|
|
24018
24013
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
24019
24014
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -24040,11 +24035,12 @@ class BasicAuthorizationPolicy {
|
|
|
24040
24035
|
description: rule.description,
|
|
24041
24036
|
effect: rule.effect,
|
|
24042
24037
|
actions,
|
|
24043
|
-
frameTypes,
|
|
24038
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
24044
24039
|
originTypes,
|
|
24045
24040
|
addressPatterns,
|
|
24046
24041
|
scopeMatcher,
|
|
24047
24042
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
24043
|
+
hasFrameTypeClause,
|
|
24048
24044
|
};
|
|
24049
24045
|
}
|
|
24050
24046
|
/**
|
|
@@ -24134,43 +24130,6 @@ class BasicAuthorizationPolicy {
|
|
|
24134
24130
|
}
|
|
24135
24131
|
return patterns;
|
|
24136
24132
|
}
|
|
24137
|
-
/**
|
|
24138
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
24139
|
-
* Supports single string or array of strings (implicit any-of).
|
|
24140
|
-
* Returns undefined if not specified (no frame type gating).
|
|
24141
|
-
*/
|
|
24142
|
-
compileFrameTypes(frameType, ruleId) {
|
|
24143
|
-
if (frameType === undefined) {
|
|
24144
|
-
return undefined;
|
|
24145
|
-
}
|
|
24146
|
-
// Handle single frame type
|
|
24147
|
-
if (typeof frameType === 'string') {
|
|
24148
|
-
const normalized = frameType.trim().toLowerCase();
|
|
24149
|
-
if (!normalized) {
|
|
24150
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
24151
|
-
}
|
|
24152
|
-
return new Set([normalized]);
|
|
24153
|
-
}
|
|
24154
|
-
// Handle array of frame types
|
|
24155
|
-
if (!Array.isArray(frameType)) {
|
|
24156
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
24157
|
-
}
|
|
24158
|
-
if (frameType.length === 0) {
|
|
24159
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
24160
|
-
}
|
|
24161
|
-
const frameTypes = new Set();
|
|
24162
|
-
for (const ft of frameType) {
|
|
24163
|
-
if (typeof ft !== 'string') {
|
|
24164
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
24165
|
-
}
|
|
24166
|
-
const normalized = ft.trim().toLowerCase();
|
|
24167
|
-
if (!normalized) {
|
|
24168
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
24169
|
-
}
|
|
24170
|
-
frameTypes.add(normalized);
|
|
24171
|
-
}
|
|
24172
|
-
return frameTypes;
|
|
24173
|
-
}
|
|
24174
24133
|
/**
|
|
24175
24134
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
24176
24135
|
* Supports single string or array of strings (implicit any-of).
|
|
@@ -93,9 +93,13 @@ export interface AuthorizationRuleDefinition {
|
|
|
93
93
|
*/
|
|
94
94
|
address?: string | string[];
|
|
95
95
|
/**
|
|
96
|
-
* Optional frame type gating.
|
|
96
|
+
* Optional frame type gating (reserved for advanced-security package).
|
|
97
97
|
* Can be a single frame type string or an array (implicit any-of).
|
|
98
98
|
* Matching is case-insensitive.
|
|
99
|
+
*
|
|
100
|
+
* WARNING: Basic policy parser will skip rules containing this field
|
|
101
|
+
* and log a warning during policy construction. This field is only
|
|
102
|
+
* supported in the advanced-security package.
|
|
99
103
|
*/
|
|
100
104
|
frame_type?: string | string[];
|
|
101
105
|
/**
|
|
@@ -62,12 +62,6 @@ export declare class BasicAuthorizationPolicy implements AuthorizationPolicy {
|
|
|
62
62
|
* All patterns are treated as globs - `^` prefix is rejected as an error.
|
|
63
63
|
*/
|
|
64
64
|
private compileAddress;
|
|
65
|
-
/**
|
|
66
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
67
|
-
* Supports single string or array of strings (implicit any-of).
|
|
68
|
-
* Returns undefined if not specified (no frame type gating).
|
|
69
|
-
*/
|
|
70
|
-
private compileFrameTypes;
|
|
71
65
|
/**
|
|
72
66
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
73
67
|
* Supports single string or array of strings (implicit any-of).
|
package/dist/types/version.d.ts
CHANGED