@twin.org/rights-management-plugins 0.0.3-next.29 → 0.0.3-next.31

package/dist/es/index.js

@@ -1,7 +1,9 @@
 // Copyright 2025 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
-export * from "./models/IDefaultPolicyArbiterConstructorOptions.js";
+export * from "./models/IAutomationPolicyExecutionActionConfig.js";
+export * from "./models/IAutomationPolicyExecutionActionConstructorOptions.js";
 export * from "./models/IDefaultPolicyArbiterConfig.js";
+export * from "./models/IDefaultPolicyArbiterConstructorOptions.js";
 export * from "./models/IDefaultPolicyEnforcementProcessorConstructorOptions.js";
 export * from "./models/IIdentityPolicyInformationSourceConstructorOptions.js";
 export * from "./models/ILoggingPolicyExecutionActionConfig.js";
@@ -18,10 +20,11 @@ export * from "./policyArbiters/defaultPolicyArbiter.js";
 export * from "./policyArbiters/passThroughPolicyArbiter.js";
 export * from "./policyEnforcementProcessor/defaultPolicyEnforcementProcessor.js";
 export * from "./policyEnforcementProcessor/passThroughPolicyEnforcementProcessor.js";
+export * from "./policyExecutionActions/automationPolicyExecutionAction.js";
 export * from "./policyExecutionActions/loggingPolicyExecutionAction.js";
-export * from "./policyObligationEnforcers/passThroughPolicyObligationEnforcer.js";
 export * from "./policyInformationSources/identityPolicyInformationSource.js";
 export * from "./policyInformationSources/staticPolicyInformationSource.js";
 export * from "./policyNegotiators/passThroughPolicyNegotiator.js";
+export * from "./policyObligationEnforcers/passThroughPolicyObligationEnforcer.js";
 export * from "./policyRequesters/passThroughPolicyRequester.js";
 //# sourceMappingURL=index.js.map

package/dist/es/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,qDAAqD,CAAC;AACpE,cAAc,yCAAyC,CAAC;AACxD,cAAc,kEAAkE,CAAC;AACjF,cAAc,gEAAgE,CAAC;AAC/E,cAAc,iDAAiD,CAAC;AAChE,cAAc,6DAA6D,CAAC;AAC5E,cAAc,yDAAyD,CAAC;AACxE,cAAc,sEAAsE,CAAC;AACrF,cAAc,4DAA4D,CAAC;AAC3E,cAAc,oEAAoE,CAAC;AACnF,cAAc,2DAA2D,CAAC;AAC1E,cAAc,4CAA4C,CAAC;AAC3D,cAAc,kDAAkD,CAAC;AACjE,cAAc,8DAA8D,CAAC;AAC7E,cAAc,0CAA0C,CAAC;AACzD,cAAc,8CAA8C,CAAC;AAC7D,cAAc,mEAAmE,CAAC;AAClF,cAAc,uEAAuE,CAAC;AACtF,cAAc,0DAA0D,CAAC;AACzE,cAAc,oEAAoE,CAAC;AACnF,cAAc,+DAA+D,CAAC;AAC9E,cAAc,6DAA6D,CAAC;AAC5E,cAAc,oDAAoD,CAAC;AACnE,cAAc,kDAAkD,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./models/IDefaultPolicyArbiterConstructorOptions.js\";\nexport * from \"./models/IDefaultPolicyArbiterConfig.js\";\nexport * from \"./models/IDefaultPolicyEnforcementProcessorConstructorOptions.js\";\nexport * from \"./models/IIdentityPolicyInformationSourceConstructorOptions.js\";\nexport * from \"./models/ILoggingPolicyExecutionActionConfig.js\";\nexport * from \"./models/ILoggingPolicyExecutionActionConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyArbiterConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyEnforcementProcessorConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyNegotiatorConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyObligationEnforcerConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyRequesterConstructorOptions.js\";\nexport * from \"./models/IStaticPolicyInformationSource.js\";\nexport * from \"./models/IStaticPolicyInformationSourceConfig.js\";\nexport * from \"./models/IStaticPolicyInformationSourceConstructorOptions.js\";\nexport * from \"./policyArbiters/defaultPolicyArbiter.js\";\nexport * from \"./policyArbiters/passThroughPolicyArbiter.js\";\nexport * from \"./policyEnforcementProcessor/defaultPolicyEnforcementProcessor.js\";\nexport * from \"./policyEnforcementProcessor/passThroughPolicyEnforcementProcessor.js\";\nexport * from \"./policyExecutionActions/loggingPolicyExecutionAction.js\";\nexport * from \"./policyObligationEnforcers/passThroughPolicyObligationEnforcer.js\";\nexport * from \"./policyInformationSources/identityPolicyInformationSource.js\";\nexport * from \"./policyInformationSources/staticPolicyInformationSource.js\";\nexport * from \"./policyNegotiators/passThroughPolicyNegotiator.js\";\nexport * from \"./policyRequesters/passThroughPolicyRequester.js\";\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,oDAAoD,CAAC;AACnE,cAAc,gEAAgE,CAAC;AAC/E,cAAc,yCAAyC,CAAC;AACxD,cAAc,qDAAqD,CAAC;AACpE,cAAc,kEAAkE,CAAC;AACjF,cAAc,gEAAgE,CAAC;AAC/E,cAAc,iDAAiD,CAAC;AAChE,cAAc,6DAA6D,CAAC;AAC5E,cAAc,yDAAyD,CAAC;AACxE,cAAc,sEAAsE,CAAC;AACrF,cAAc,4DAA4D,CAAC;AAC3E,cAAc,oEAAoE,CAAC;AACnF,cAAc,2DAA2D,CAAC;AAC1E,cAAc,4CAA4C,CAAC;AAC3D,cAAc,kDAAkD,CAAC;AACjE,cAAc,8DAA8D,CAAC;AAC7E,cAAc,0CAA0C,CAAC;AACzD,cAAc,8CAA8C,CAAC;AAC7D,cAAc,mEAAmE,CAAC;AAClF,cAAc,uEAAuE,CAAC;AACtF,cAAc,6DAA6D,CAAC;AAC5E,cAAc,0DAA0D,CAAC;AACzE,cAAc,+DAA+D,CAAC;AAC9E,cAAc,6DAA6D,CAAC;AAC5E,cAAc,oDAAoD,CAAC;AACnE,cAAc,oEAAoE,CAAC;AACnF,cAAc,kDAAkD,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./models/IAutomationPolicyExecutionActionConfig.js\";\nexport * from \"./models/IAutomationPolicyExecutionActionConstructorOptions.js\";\nexport * from \"./models/IDefaultPolicyArbiterConfig.js\";\nexport * from \"./models/IDefaultPolicyArbiterConstructorOptions.js\";\nexport * from \"./models/IDefaultPolicyEnforcementProcessorConstructorOptions.js\";\nexport * from \"./models/IIdentityPolicyInformationSourceConstructorOptions.js\";\nexport * from \"./models/ILoggingPolicyExecutionActionConfig.js\";\nexport * from \"./models/ILoggingPolicyExecutionActionConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyArbiterConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyEnforcementProcessorConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyNegotiatorConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyObligationEnforcerConstructorOptions.js\";\nexport * from \"./models/IPassThroughPolicyRequesterConstructorOptions.js\";\nexport * from \"./models/IStaticPolicyInformationSource.js\";\nexport * from \"./models/IStaticPolicyInformationSourceConfig.js\";\nexport * from \"./models/IStaticPolicyInformationSourceConstructorOptions.js\";\nexport * from \"./policyArbiters/defaultPolicyArbiter.js\";\nexport * from \"./policyArbiters/passThroughPolicyArbiter.js\";\nexport * from \"./policyEnforcementProcessor/defaultPolicyEnforcementProcessor.js\";\nexport * from \"./policyEnforcementProcessor/passThroughPolicyEnforcementProcessor.js\";\nexport * from \"./policyExecutionActions/automationPolicyExecutionAction.js\";\nexport * from \"./policyExecutionActions/loggingPolicyExecutionAction.js\";\nexport * from \"./policyInformationSources/identityPolicyInformationSource.js\";\nexport * from \"./policyInformationSources/staticPolicyInformationSource.js\";\nexport * from \"./policyNegotiators/passThroughPolicyNegotiator.js\";\nexport * from \"./policyObligationEnforcers/passThroughPolicyObligationEnforcer.js\";\nexport * from \"./policyRequesters/passThroughPolicyRequester.js\";\n"]}

package/dist/es/models/IAutomationPolicyExecutionActionConfig.js

@@ -0,0 +1,4 @@
+// Copyright 2026 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+export {};
+//# sourceMappingURL=IAutomationPolicyExecutionActionConfig.js.map

package/dist/es/models/IAutomationPolicyExecutionActionConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IAutomationPolicyExecutionActionConfig.js","sourceRoot":"","sources":["../../../src/models/IAutomationPolicyExecutionActionConfig.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Options for the Automation Policy Execution Action Component.\n */\nexport interface IAutomationPolicyExecutionActionConfig {\n\t/**\n\t * The policy decision stages to trigger the automation actions, if undefined defaults to \"inform\".\n\t */\n\ttriggerActions?: string[];\n}\n"]}

package/dist/es/models/IAutomationPolicyExecutionActionConstructorOptions.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=IAutomationPolicyExecutionActionConstructorOptions.js.map

package/dist/es/models/IAutomationPolicyExecutionActionConstructorOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IAutomationPolicyExecutionActionConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IAutomationPolicyExecutionActionConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IAutomationPolicyExecutionActionConfig } from \"./IAutomationPolicyExecutionActionConfig.js\";\n\n/**\n * Options for the Automation Policy Execution Action.\n */\nexport interface IAutomationPolicyExecutionActionConstructorOptions {\n\t/**\n\t * The automation component for executing automation policies.\n\t * @default automation\n\t */\n\tautomationComponentType?: string;\n\n\t/**\n\t * The configuration for the automation policy execution.\n\t */\n\tconfig?: IAutomationPolicyExecutionActionConfig;\n}\n"]}

package/dist/es/policyArbiters/defaultPolicyArbiter.js

@@ -24,20 +24,31 @@ export class DefaultPolicyArbiter {
      */
     static _DEFAULT_MAX_INHERITANCE_DEPTH = 10;
     /**
-     * TWIN prefix operations.
+     * Datasource key for the primary JSON path data source.
      * @internal
      */
-    static _TWIN_PREFIX_OPERATIONS = "twin:";
+    static _DATA_SOURCE_KEY = "data";
     /**
-     * TWIN prefix JSONPath.
+     * Datasource key for the information source used in JSON path expressions.
      * @internal
      */
-    static _TWIN_PREFIX_JSONPATH = "jsonpath";
+    static _INFORMATION_SOURCE_KEY = "information";
     /**
-     * TWIN prefix information.
+     * TWIN prefix JSONPath canonical alias.
      * @internal
      */
-    static _TWIN_PREFIX_INFORMATION = "information";
+    static _TWIN_JSONPATH = "twin:jsonPath";
+    /**
+     * Canonical jsonPath expression property.
+     * @internal
+     */
+    static _TWIN_JSONPATH_EXPRESSION = "twin:jsonPathExpression";
+    /**
+     * Optional data source key property for canonical twin:jsonPath targets.
+     * When absent, defaults to the primary data source.
+     * @internal
+     */
+    static _TWIN_JSONPATH_DATA_SOURCE = "twin:jsonPathDataSource";
     /**
      * The logging component.
      * @internal
@@ -141,8 +152,8 @@ export class DefaultPolicyArbiter {
         const mergedPolicy = await this.mergeInheritedPolicies(agreement);
         const expandedPolicy = this.expandCompactPolicyRules(mergedPolicy);
         const dataSources = {
-            [`${DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS}${DefaultPolicyArbiter._TWIN_PREFIX_JSONPATH}`]: data,
-            [`${DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS}${DefaultPolicyArbiter._TWIN_PREFIX_INFORMATION}`]: information
+            [DefaultPolicyArbiter._DATA_SOURCE_KEY]: data,
+            [DefaultPolicyArbiter._INFORMATION_SOURCE_KEY]: information
         };
         // Extract agreement parties once for use in rule evaluation
         const agreementAssigner = OdrlPolicyHelper.getPartyIds(agreement.assigner);
@@ -797,7 +808,7 @@ export class DefaultPolicyArbiter {
      */
     async enforceDuty(policy, duty, dataSources, ruleDataContext) {
         const enforcerNames = PolicyObligationEnforcerFactory.names();
-        const information = dataSources[`${DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS}${DefaultPolicyArbiter._TWIN_PREFIX_INFORMATION}`];
+        const information = dataSources[DefaultPolicyArbiter._INFORMATION_SOURCE_KEY];
         if (enforcerNames.length === 0) {
             throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "noObligationEnforcersRegistered");
         }
@@ -827,51 +838,70 @@ export class DefaultPolicyArbiter {
      * @internal
      */
     tryResolveTargetDataSource(targetId, dataSources, resolveValue = false) {
-        // If there is no target id, default to the entire "twin:jsonpath" datasource
+        // If there is no target id, default to the data datasource
         if (Is.empty(targetId)) {
             return {
-                prefix: `${DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS}${DefaultPolicyArbiter._TWIN_PREFIX_JSONPATH}`,
-                source: dataSources[`${DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS}${DefaultPolicyArbiter._TWIN_PREFIX_JSONPATH}`],
+                source: dataSources[DefaultPolicyArbiter._DATA_SOURCE_KEY],
                 target: "$",
-                value: dataSources[`${DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS}${DefaultPolicyArbiter._TWIN_PREFIX_JSONPATH}`]
+                value: dataSources[DefaultPolicyArbiter._DATA_SOURCE_KEY]
             };
         }
-        // Otherwise lookup the target id prefix in the datasources and return the remaining suffix as the target path/key
-        const prefixes = Object.keys(dataSources).sort((a, b) => b.length - a.length);
-        for (const prefix of prefixes) {
-            if (targetId.startsWith(`${prefix}:`)) {
-                const source = dataSources[prefix];
-                const target = targetId.slice(prefix.length + 1);
-                if (!target.startsWith("$")) {
-                    throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "ruleTargetNotSupported", {
-                        target: targetId
-                    });
-                }
-                if (!resolveValue) {
-                    return {
-                        prefix,
-                        source,
-                        target
-                    };
-                }
-                const matches = JsonPathHelper.query(target, source);
-                if (matches.length === 0) {
-                    throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "ruleTargetNotSupported", {
-                        target: targetId
-                    });
-                }
-                return {
-                    prefix,
-                    source,
-                    target,
-                    value: matches.length === 1 ? matches[0].value : matches.map(m => m.value)
-                };
-            }
+        // Handle twin:jsonPath:<datasource>:<expression> format.
+        // The datasource segment is optional; when absent the expression starts with "$"
+        // and falls back to the primary data source.
+        if (targetId.startsWith(`${DefaultPolicyArbiter._TWIN_JSONPATH}:`)) {
+            const rest = targetId.slice(DefaultPolicyArbiter._TWIN_JSONPATH.length + 1);
+            const matchingKey = Object.keys(dataSources).find(k => rest.startsWith(`${k}:`));
+            const sourceKey = matchingKey ?? DefaultPolicyArbiter._DATA_SOURCE_KEY;
+            const expression = matchingKey ? rest.slice(matchingKey.length + 1) : rest;
+            return this.resolveDataSourceByKey(sourceKey, expression, dataSources, resolveValue);
+        }
+        // Handle <datasource>:<expression> format
+        const matchingKey = Object.keys(dataSources).find(k => targetId.startsWith(`${k}:`));
+        if (matchingKey) {
+            const expression = targetId.slice(matchingKey.length + 1);
+            return this.resolveDataSourceByKey(matchingKey, expression, dataSources, resolveValue);
         }
         throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "ruleTargetNotSupported", {
             target: targetId
         });
     }
+    /**
+     * Resolve a datasource by key and evaluate a JSONPath expression against it.
+     * @param sourceKey The datasource key.
+     * @param expression The JSONPath expression.
+     * @param dataSources The available datasources.
+     * @param resolveValue Whether to evaluate the expression and return the matched value.
+     * @returns The resolved source, target expression, and optionally the matched value.
+     * @internal
+     */
+    resolveDataSourceByKey(sourceKey, expression, dataSources, resolveValue = false) {
+        if (!Is.stringValue(expression)) {
+            throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "jsonPathExpressionMissing", {
+                operand: "target"
+            });
+        }
+        if (!expression.startsWith("$")) {
+            throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "ruleTargetNotSupported", {
+                target: `${sourceKey}:${expression}`
+            });
+        }
+        const source = dataSources[sourceKey];
+        if (!resolveValue) {
+            return { source, target: expression };
+        }
+        const matches = JsonPathHelper.query(expression, source);
+        if (matches.length === 0) {
+            throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "ruleTargetNotSupported", {
+                target: `${sourceKey}:${expression}`
+            });
+        }
+        return {
+            source,
+            target: expression,
+            value: matches.length === 1 ? matches[0].value : matches.map(m => m.value)
+        };
+    }
     /**
      * Extract the target id from the permission.
      * @param target The permission target.
@@ -889,7 +919,23 @@ export class DefaultPolicyArbiter {
         if (arr.length === 0) {
             return undefined;
         }
-        return Is.string(arr[0]) ? arr[0] : OdrlPolicyHelper.getUid(arr[0]);
+        const first = arr[0];
+        if (Is.string(first)) {
+            return first;
+        }
+        if (this.isTwinJsonPathTarget(first)) {
+            const t = first;
+            const expression = t[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION];
+            if (!Is.stringValue(expression)) {
+                return undefined;
+            }
+            const dataSource = t[DefaultPolicyArbiter._TWIN_JSONPATH_DATA_SOURCE];
+            const sourceKey = Is.stringValue(dataSource)
+                ? dataSource
+                : DefaultPolicyArbiter._DATA_SOURCE_KEY;
+            return `${sourceKey}:${expression}`;
+        }
+        return OdrlPolicyHelper.getUid(first);
     }
     /**
      * Resolve the target identifier used for rule data context lookup.
@@ -905,8 +951,16 @@ export class DefaultPolicyArbiter {
             const firstTarget = arr[0];
             if (Is.object(firstTarget) &&
                 OdrlPolicyHelper.getType(firstTarget) === OdrlTypes.AssetCollection &&
-                Is.stringValue(firstTarget.source)) {
-                return firstTarget.source;
+                firstTarget.source === DefaultPolicyArbiter._TWIN_JSONPATH) {
+                const ctx = firstTarget;
+                const expression = ctx[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION];
+                if (Is.stringValue(expression)) {
+                    const dataSource = ctx[DefaultPolicyArbiter._TWIN_JSONPATH_DATA_SOURCE];
+                    const sourceKey = Is.stringValue(dataSource)
+                        ? dataSource
+                        : DefaultPolicyArbiter._DATA_SOURCE_KEY;
+                    return `${DefaultPolicyArbiter._TWIN_JSONPATH}:${sourceKey}:${expression}`;
+                }
             }
         }
         return this.getTargetId(target);
@@ -952,6 +1006,14 @@ export class DefaultPolicyArbiter {
             throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "multipleTargetsNotSupported");
         }
         const firstTarget = arr[0];
+        if (this.isTwinJsonPathTarget(firstTarget)) {
+            const t = firstTarget;
+            const resolved = this.resolveDataSourceByKey(t[DefaultPolicyArbiter._TWIN_JSONPATH_DATA_SOURCE] ?? DefaultPolicyArbiter._DATA_SOURCE_KEY, t[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION], dataSources);
+            return {
+                target: resolved.target,
+                refinements: []
+            };
+        }
         if (Is.object(firstTarget)) {
             // Guard against unsupported ODRL asset properties
             if (Is.notEmpty(firstTarget.hasPolicy)) {
@@ -962,18 +1024,23 @@ export class DefaultPolicyArbiter {
             }
             if (Is.object(firstTarget) &&
                 OdrlPolicyHelper.getType(firstTarget) === OdrlTypes.AssetCollection) {
-                if (!Is.stringValue(firstTarget.source)) {
+                if (firstTarget.source !== DefaultPolicyArbiter._TWIN_JSONPATH) {
                     throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "assetCollectionSourceNotSupported", {
                         source: firstTarget.source ?? ""
                     });
                 }
+                const ctx = firstTarget;
+                const dataSource = ctx[DefaultPolicyArbiter._TWIN_JSONPATH_DATA_SOURCE];
+                const sourceKey = Is.stringValue(dataSource)
+                    ? dataSource
+                    : DefaultPolicyArbiter._DATA_SOURCE_KEY;
                 let sourceLookup;
                 try {
-                    sourceLookup = this.tryResolveTargetDataSource(firstTarget.source, dataSources);
+                    sourceLookup = this.resolveDataSourceByKey(sourceKey, ctx[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION], dataSources);
                 }
                 catch {
                     throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "assetCollectionSourceNotSupported", {
-                        source: firstTarget.source
+                        source: ctx[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION] ?? ""
                     });
                 }
                 return {
@@ -1054,11 +1121,18 @@ export class DefaultPolicyArbiter {
             };
         }
         const regularConstraint = refinement;
-        return {
+        const constraintWithExtensions = regularConstraint;
+        const canonicalExpression = constraintWithExtensions[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION];
+        const rewrittenConstraint = {
             ...regularConstraint,
             leftOperand: this.rewriteOperandForDecisionTarget(regularConstraint.leftOperand, sourceTarget, itemTarget),
             rightOperand: this.rewriteOperandForDecisionTarget(regularConstraint.rightOperand, sourceTarget, itemTarget)
         };
+        if (Is.stringValue(canonicalExpression)) {
+            rewrittenConstraint[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION] =
+                this.rewriteWildcardPath(canonicalExpression, sourceTarget, itemTarget);
+        }
+        return rewrittenConstraint;
     }
     /**
      * Rewrite JSONPath-based operands from wildcard source to concrete item target.
@@ -1069,23 +1143,33 @@ export class DefaultPolicyArbiter {
      * @internal
      */
     rewriteOperandForDecisionTarget(operand, sourceTarget, itemTarget) {
-        if (Is.stringValue(operand)) {
-            const prefix = `${DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS}${DefaultPolicyArbiter._TWIN_PREFIX_JSONPATH}:`;
-            if (operand.startsWith(prefix)) {
-                const valuePath = operand.slice(prefix.length);
-                return `${prefix}${this.rewriteWildcardPath(valuePath, sourceTarget, itemTarget)}`;
-            }
-            return operand;
-        }
         if (Is.object(operand)) {
-            const typedOperand = { ...operand };
-            if (typedOperand["@type"] ===
-                `${DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS}${DefaultPolicyArbiter._TWIN_PREFIX_JSONPATH}` &&
-                Is.stringValue(typedOperand["@value"])) {
-                typedOperand["@value"] = this.rewriteWildcardPath(typedOperand["@value"], sourceTarget, itemTarget);
+            const typedOperand = {
+                ...operand
+            };
+            if (this.isTwinJsonPathOperandType(typedOperand["@type"])) {
+                if (Is.stringValue(typedOperand["@value"])) {
+                    typedOperand["@value"] = this.rewriteWildcardPath(typedOperand["@value"], sourceTarget, itemTarget);
+                }
+                const canonicalExpression = typedOperand[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION];
+                if (Is.stringValue(canonicalExpression)) {
+                    typedOperand[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION] = this.rewriteWildcardPath(canonicalExpression, sourceTarget, itemTarget);
+                }
             }
             return typedOperand;
         }
+        // Legacy string form: "twin:information:$.foo". Extract the prefix, rewrite the
+        // JSONPath expression to scope to the per-item target, then re-assemble. Without
+        // this, the leftOperand stays at the wildcard
+        // `$.itemList.itemListElement[*].unloadingLocation.id` for every item, returning
+        // the full array of all ids per check — so all items pass the equality test.
+        if (Is.stringValue(operand) &&
+            operand.startsWith(`twin:${DefaultPolicyArbiter._INFORMATION_SOURCE_KEY}:`)) {
+            const prefix = `twin:${DefaultPolicyArbiter._INFORMATION_SOURCE_KEY}:`;
+            const expression = operand.slice(prefix.length);
+            const rewritten = this.rewriteWildcardPath(expression, sourceTarget, itemTarget);
+            return `${prefix}${rewritten}`;
+        }
         return operand;
     }
     /**
@@ -1150,8 +1234,8 @@ export class DefaultPolicyArbiter {
             throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "constraintStatusNotSupported");
         }
         // Evaluate the main constraint condition
-        const leftValue = this.calculateOperandValue(regularConstraint.leftOperand, dataSources);
-        const rightValue = this.calculateOperandValue(regularConstraint.rightOperand, dataSources);
+        const leftValue = this.calculateOperandValue(regularConstraint.leftOperand, dataSources, regularConstraint);
+        const rightValue = this.calculateOperandValue(regularConstraint.rightOperand, dataSources, regularConstraint);
         const mainSatisfied = this.evaluateOperator(regularConstraint.operator, leftValue, rightValue);
         // If main constraint is not satisfied, the overall constraint fails
         return mainSatisfied;
@@ -1276,27 +1360,24 @@ export class DefaultPolicyArbiter {
      * @internal
      */
     tryResolveOperandLookup(operandTypeOrValue, operandValue, dataSources) {
-        let lookupTargetId;
-        if (dataSources[operandTypeOrValue]) {
-            if (!Is.stringValue(operandValue)) {
-                return undefined;
+        let sourceKey = this.normalizeTwinJsonPathOperandAlias(operandTypeOrValue);
+        let value = operandValue;
+        // Combined form: operandTypeOrValue is a full "<prefix>:<expression>" string
+        // like "twin:jsonPath:$.foo" rather than the canonical separation of @type +
+        // @value/expression. Detect by walking the registered datasource keys for a prefix
+        // match; on hit, split into key + expression so resolveDataSourceByKey can evaluate.
+        if (!dataSources[sourceKey]) {
+            const matchingKey = Object.keys(dataSources).find(k => sourceKey.startsWith(`${k}:`));
+            if (matchingKey) {
+                value = sourceKey.slice(matchingKey.length + 1);
+                sourceKey = matchingKey;
             }
-            lookupTargetId = `${operandTypeOrValue}:${operandValue}`;
-        }
-        else if (operandTypeOrValue.includes(":")) {
-            lookupTargetId = operandTypeOrValue;
         }
-        else {
+        if (!dataSources[sourceKey] || !Is.stringValue(value)) {
             return undefined;
         }
-        // Delegate prefixed path matching to shared datasource resolver
-        if (operandTypeOrValue.startsWith(DefaultPolicyArbiter._TWIN_PREFIX_OPERATIONS)) {
-            const resolved = this.tryResolveTargetDataSource(lookupTargetId, dataSources);
-            return {
-                source: resolved.source,
-                jsonPath: resolved.target
-            };
-        }
+        const resolved = this.resolveDataSourceByKey(sourceKey, value, dataSources);
+        return { source: resolved.source, jsonPath: resolved.target };
     }
     /**
      * Calculate an operand value.
@@ -1305,24 +1386,40 @@ export class DefaultPolicyArbiter {
      * @returns The resolved operand value.
      * @internal
      */
-    calculateOperandValue(operand, dataSources) {
-        // Treat prefixed operands as selectors against a namespaced source dictionary.
-        // Examples: twin:jsonpath:$.field, twin:information:$.credentials.level
+    calculateOperandValue(operand, dataSources, constraint) {
         let jsonPath;
         let operandRoot;
         if (Is.stringValue(operand)) {
-            const lookup = this.tryResolveOperandLookup(operand, operand, dataSources);
+            const expression = this.extractJsonPathExpressionFromConstraint(constraint, operand);
+            let resolvedOperand = operand;
+            if (operand === DefaultPolicyArbiter._TWIN_JSONPATH &&
+                Is.object(constraint)) {
+                const dataSourceOverride = constraint[DefaultPolicyArbiter._TWIN_JSONPATH_DATA_SOURCE];
+                if (Is.stringValue(dataSourceOverride)) {
+                    resolvedOperand = dataSourceOverride;
+                }
+            }
+            const lookup = this.tryResolveOperandLookup(resolvedOperand, expression ?? operand, dataSources);
             if (lookup) {
                 jsonPath = lookup.jsonPath;
                 operandRoot = lookup.source;
             }
         }
         else if (Is.object(operand)) {
+            const typedOperand = operand;
             // Is this an object { "@value": "18", "@type": "xsd:integer" } ?
-            const value = operand["@value"];
-            const type = operand["@type"];
+            const value = this.extractJsonPathExpressionFromTypedOperand(typedOperand) ??
+                typedOperand["@value"];
+            const type = typedOperand["@type"];
             if (Is.stringValue(type)) {
-                const lookup = this.tryResolveOperandLookup(type, value, dataSources);
+                let resolvedType = type;
+                if (this.isTwinJsonPathOperandType(type)) {
+                    const dataSourceOverride = typedOperand[DefaultPolicyArbiter._TWIN_JSONPATH_DATA_SOURCE];
+                    if (Is.stringValue(dataSourceOverride)) {
+                        resolvedType = dataSourceOverride;
+                    }
+                }
+                const lookup = this.tryResolveOperandLookup(resolvedType, value, dataSources);
                 if (lookup) {
                     jsonPath = lookup.jsonPath;
                     operandRoot = lookup.source;
@@ -1352,6 +1449,89 @@ export class DefaultPolicyArbiter {
         // Not JSON Path or object value so return as is
         return operand;
     }
+    /**
+     * Determine if a target object uses the canonical twin:jsonPath object format.
+     * @param target The target value.
+     * @returns True if the target is a canonical twin:jsonPath object.
+     * @internal
+     */
+    isTwinJsonPathTarget(target) {
+        return Is.object(target) && this.isTwinJsonPathOperandType(OdrlPolicyHelper.getType(target));
+    }
+    /**
+     * Determine if the operand type is a jsonPath namespace.
+     * @param type The operand type.
+     * @returns True if the type is twin:jsonPath.
+     * @internal
+     */
+    isTwinJsonPathOperandType(type) {
+        return type === DefaultPolicyArbiter._TWIN_JSONPATH;
+    }
+    /**
+     * Normalize canonical jsonPath alias to the legacy jsonpath namespace key.
+     * @param operandTypeOrValue The raw operand type or value.
+     * @returns The normalized operand type/value.
+     * @internal
+     */
+    normalizeTwinJsonPathOperandAlias(operandTypeOrValue) {
+        if (operandTypeOrValue === DefaultPolicyArbiter._TWIN_JSONPATH ||
+            operandTypeOrValue.startsWith(`${DefaultPolicyArbiter._TWIN_JSONPATH}:`)) {
+            const suffix = operandTypeOrValue.slice(DefaultPolicyArbiter._TWIN_JSONPATH.length);
+            return `${DefaultPolicyArbiter._DATA_SOURCE_KEY}${suffix}`;
+        }
+        return operandTypeOrValue;
+    }
+    /**
+     * Extract canonical jsonPath expression from typed operand object.
+     * @param operand The typed operand.
+     * @returns The jsonPath expression if present.
+     * @internal
+     */
+    extractJsonPathExpressionFromTypedOperand(operand) {
+        if (!this.isTwinJsonPathOperandType(operand["@type"])) {
+            return undefined;
+        }
+        const expression = operand[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION];
+        if (Is.stringValue(expression)) {
+            return expression;
+        }
+        const type = operand["@type"];
+        if (type === DefaultPolicyArbiter._TWIN_JSONPATH) {
+            throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "jsonPathExpressionMissing", {
+                operand: "rightOperand"
+            });
+        }
+    }
+    /**
+     * Extract canonical jsonPath expression from constraint for leftOperand aliases.
+     * @param constraint The constraint containing the left operand.
+     * @param leftOperand The left operand.
+     * @returns The expression if canonical form is used.
+     * @internal
+     */
+    extractJsonPathExpressionFromConstraint(constraint, leftOperand) {
+        if (!Is.object(constraint)) {
+            return undefined;
+        }
+        if (constraint.leftOperand !== leftOperand) {
+            return undefined;
+        }
+        if (leftOperand.startsWith(`${DefaultPolicyArbiter._TWIN_JSONPATH}:`)) {
+            throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "jsonPathExpressionMissing", {
+                operand: "leftOperand"
+            });
+        }
+        if (leftOperand !== DefaultPolicyArbiter._TWIN_JSONPATH) {
+            return undefined;
+        }
+        const expression = constraint[DefaultPolicyArbiter._TWIN_JSONPATH_EXPRESSION];
+        if (Is.stringValue(expression)) {
+            return expression;
+        }
+        throw new GeneralError(DefaultPolicyArbiter.CLASS_NAME, "jsonPathExpressionMissing", {
+            operand: "leftOperand"
+        });
+    }
     /**
      * Evaluate an ODRL operator against resolved operands.
      * @param operator The operator.