@naylence/advanced-security 0.3.14 → 0.3.15

package/dist/browser/index.cjs

@@ -1,5 +1,6 @@
 'use strict';
 
+var factory = require('@naylence/factory');
 var runtime = require('@naylence/runtime');
 var asn1Schema = require('@peculiar/asn1-schema');
 var asn1Csr = require('@peculiar/asn1-csr');
@@ -12,603 +13,1127 @@ var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
 var utils_js = require('@noble/hashes/utils.js');
 var jose = require('jose');
-var factory = require('@naylence/factory');
 var sha256_js = require('@noble/hashes/sha256.js');
 var x509 = require('@peculiar/x509');
 
-// This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.14
 /**
- * The package version, injected at build time.
- * @internal
+ * AUTO-GENERATED FILE. DO NOT EDIT DIRECTLY.
+ * Generated by scripts/generate-factory-manifest.mjs
+ *
+ * Provides the list of advanced security factory modules for registration.
  */
-const VERSION = '0.3.14';
+const MODULES = [
+    "./security/cert/default-ca-service-factory.js",
+    "./security/cert/default-certificate-manager-factory.js",
+    "./security/cert/trust-store/browser-trust-store-provider-factory.js",
+    "./security/cert/trust-store/node-trust-store-provider-factory.js",
+    "./security/encryption/channel/channel-encryption-manager-factory.js",
+    "./security/encryption/composite-encryption-manager-factory.js",
+    "./security/encryption/default-secure-channel-manager-factory.js",
+    "./security/encryption/sealed/x25519-encryption-manager-factory.js",
+    "./security/keys/x5c-key-manager-factory.js",
+    "./security/signing/eddsa-envelope-signer-factory.js",
+    "./security/signing/eddsa-envelope-verifier-factory.js",
+    "./stickiness/aft-load-balancer-stickiness-manager-factory.js",
+    "./stickiness/aft-replica-stickiness-manager-factory.js",
+    "./welcome/advanced-welcome-service-factory.js"
+];
+const MODULE_LOADERS = {
+    "./security/cert/default-ca-service-factory.js": () => Promise.resolve().then(function () { return defaultCaServiceFactory; }),
+    "./security/cert/default-certificate-manager-factory.js": () => Promise.resolve().then(function () { return defaultCertificateManagerFactory; }),
+    "./security/cert/trust-store/browser-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return browserTrustStoreProviderFactory; }),
+    "./security/cert/trust-store/node-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return nodeTrustStoreProviderFactory; }),
+    "./security/encryption/channel/channel-encryption-manager-factory.js": () => Promise.resolve().then(function () { return channelEncryptionManagerFactory; }),
+    "./security/encryption/composite-encryption-manager-factory.js": () => Promise.resolve().then(function () { return compositeEncryptionManagerFactory; }),
+    "./security/encryption/default-secure-channel-manager-factory.js": () => Promise.resolve().then(function () { return defaultSecureChannelManagerFactory; }),
+    "./security/encryption/sealed/x25519-encryption-manager-factory.js": () => Promise.resolve().then(function () { return x25519EncryptionManagerFactory; }),
+    "./security/keys/x5c-key-manager-factory.js": () => Promise.resolve().then(function () { return x5cKeyManagerFactory; }),
+    "./security/signing/eddsa-envelope-signer-factory.js": () => Promise.resolve().then(function () { return eddsaEnvelopeSignerFactory; }),
+    "./security/signing/eddsa-envelope-verifier-factory.js": () => Promise.resolve().then(function () { return eddsaEnvelopeVerifierFactory; }),
+    "./stickiness/aft-load-balancer-stickiness-manager-factory.js": () => Promise.resolve().then(function () { return aftLoadBalancerStickinessManagerFactory; }),
+    "./stickiness/aft-replica-stickiness-manager-factory.js": () => Promise.resolve().then(function () { return aftReplicaStickinessManagerFactory; }),
+    "./welcome/advanced-welcome-service-factory.js": () => Promise.resolve().then(function () { return advancedWelcomeServiceFactory; }),
+};
 
-const logger$h = runtime.getLogger("naylence.fame.security.cert.util");
-const CACHE_LIMIT = 512;
-const OID_ED25519 = "1.3.101.112";
-const textEncoder = new TextEncoder();
-const trustCache = new Map();
-function publicKeyFromX5c(x5c, options = {}) {
-    if (!Array.isArray(x5c) || x5c.length === 0) {
-        throw new Error("Empty certificate chain");
+const logger$h = runtime.getLogger("naylence.fame.security.encryption.encryption_manager_registry");
+class EncryptionManagerFactoryRegistry {
+    constructor(autoDiscover = true) {
+        this.factories = [];
+        this.algorithmToFactory = new Map();
+        this.typeToFactories = new Map();
+        this.factorySet = new Set();
+        this.autoDiscoveredFactories = new Set();
+        this.autoDiscovered = false;
+        if (autoDiscover) {
+            this.autoDiscoverFactories();
+        }
     }
-    const callId = generateCallId();
-    const enforceNameConstraints = options.enforceNameConstraints ?? true;
-    const trustStorePem = normalizeTrustStoreOption(options.trustStorePem ?? null);
-    const returnCertificate = options.returnCertificate ?? false;
-    const { parsed, chainBytes } = parseCertificateChain(x5c);
-    logger$h.debug("public_key_from_x5c_called", {
-        call_id: callId,
-        x5c_count: parsed.length,
-        enforce_name_constraints: enforceNameConstraints,
-        has_trust_store: Boolean(trustStorePem),
-        return_cert: returnCertificate,
-    });
-    let cacheKey = null;
-    if (!returnCertificate) {
-        cacheKey = buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints);
-        const cached = getCachedPublicKey(cacheKey);
-        if (cached) {
-            logger$h.debug("certificate_cache_hit", {
-                call_id: callId,
-                cache_key: cacheKey,
+    autoDiscoverFactories() {
+        if (this.autoDiscovered) {
+            return;
+        }
+        try {
+            const extensionInfos = factory.ExtensionManager.getExtensionsByType(runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE);
+            let registeredCount = 0;
+            for (const [factoryName, info] of extensionInfos) {
+                if (factoryName === "CompositeEncryptionManager") {
+                    logger$h.debug("skipping_composite_factory_to_avoid_circular_dependency", {
+                        factory_name: factoryName,
+                    });
+                    continue;
+                }
+                try {
+                    const factoryInstance = (info.instance ??
+                        factory.ExtensionManager.getGlobalFactory(runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
+                    this.registerFactory(factoryInstance, { autoDiscovered: true });
+                    registeredCount += 1;
+                    logger$h.debug("auto_discovered_factory", {
+                        factory_name: factoryName,
+                        factory_class: factoryInstance.constructor.name,
+                        algorithms: factoryInstance.getSupportedAlgorithms(),
+                        encryption_type: factoryInstance.getEncryptionType(),
+                        priority: factoryInstance.getPriority(),
+                    });
+                }
+                catch (error) {
+                    logger$h.warning("failed_to_auto_register_factory", {
+                        factory_name: factoryName,
+                        error: error instanceof Error ? error.message : String(error),
+                    });
+                }
+            }
+            this.autoDiscovered = true;
+            logger$h.debug("completed_auto_discovery", {
+                registered_factories: registeredCount,
+                total_discovered: extensionInfos.size,
+                skipped_composite: true,
+            });
+        }
+        catch (error) {
+            logger$h.warning("failed_auto_discovery_of_factories", {
+                error: error instanceof Error ? error.message : String(error),
             });
-            return cached;
         }
-        logger$h.debug("certificate_cache_miss", {
-            call_id: callId,
-            cache_key: cacheKey,
-        });
     }
-    const validation = validateCertificateChain(parsed, enforceNameConstraints, trustStorePem);
-    if (cacheKey) {
-        setCachedPublicKey(cacheKey, validation.publicKey, validation.notAfter);
+    registerFactory(factory, options = {}) {
+        if (this.factorySet.has(factory)) {
+            return;
+        }
+        this.factorySet.add(factory);
+        this.factories.push(factory);
+        if (options.autoDiscovered) {
+            this.autoDiscoveredFactories.add(factory);
+        }
+        for (const algorithm of factory.getSupportedAlgorithms()) {
+            const existing = this.algorithmToFactory.get(algorithm);
+            if (!existing || factory.getPriority() > existing.getPriority()) {
+                this.algorithmToFactory.set(algorithm, factory);
+                logger$h.debug("registered_algorithm_mapping", {
+                    algorithm,
+                    factory: factory.constructor.name,
+                    priority: factory.getPriority(),
+                });
+            }
+        }
+        const encryptionType = factory.getEncryptionType();
+        const typeFactories = this.typeToFactories.get(encryptionType) ?? [];
+        typeFactories.push(factory);
+        typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
+        this.typeToFactories.set(encryptionType, typeFactories);
+        logger$h.debug("registered_encryption_manager_factory", {
+            factory: factory.constructor.name,
+            encryption_type: encryptionType,
+            algorithms: factory.getSupportedAlgorithms(),
+            priority: factory.getPriority(),
+            auto_discovered: options.autoDiscovered ?? false,
+        });
     }
-    if (returnCertificate) {
-        return {
-            publicKey: validation.publicKey.slice(),
-            certificate: validation.certificate,
-        };
+    getFactoryForAlgorithm(algorithm) {
+        this.ensureAutoDiscovery();
+        return this.algorithmToFactory.get(algorithm);
     }
-    return validation.publicKey.slice();
-}
-function validateJwkX5cCertificate(options) {
-    const { jwk, trustStorePem = null, enforceNameConstraints = true, strict = true, } = options;
-    if (!jwk || typeof jwk !== "object") {
-        const error = "Invalid JWK object";
-        if (strict) {
-            throw new Error(error);
+    getFactoryForOptions(opts) {
+        this.ensureAutoDiscovery();
+        for (const factory of this.factories) {
+            if (factory.supportsOptions(opts ?? undefined)) {
+                logger$h.debug("found_factory_for_options", {
+                    factory: factory.constructor.name,
+                    encryption_type: factory.getEncryptionType(),
+                });
+                return factory;
+            }
         }
-        return { isValid: false, error };
+        logger$h.debug("no_factory_found_for_options", { opts });
+        return undefined;
     }
-    const x5c = jwk.x5c;
-    if (x5c === undefined) {
-        return { isValid: true };
+    getFactoriesByType(encryptionType) {
+        this.ensureAutoDiscovery();
+        return this.typeToFactories.get(encryptionType) ?? [];
     }
-    if (!Array.isArray(x5c) ||
-        x5c.length === 0 ||
-        x5c.some((entry) => typeof entry !== "string")) {
-        const error = "Invalid x5c field in JWK";
-        if (strict) {
-            throw new Error(error);
-        }
-        return { isValid: false, error };
+    getAllSupportedAlgorithms() {
+        this.ensureAutoDiscovery();
+        return Array.from(this.algorithmToFactory.keys());
     }
-    try {
-        publicKeyFromX5c(x5c, {
-            trustStorePem,
-            enforceNameConstraints,
-        });
-        return { isValid: true };
+    getRegistryInfo() {
+        return {
+            totalFactories: this.factories.length,
+            autoDiscovered: this.autoDiscovered,
+            algorithmMappings: Object.fromEntries(Array.from(this.algorithmToFactory.entries()).map(([algorithm, factory]) => [algorithm, factory.constructor.name])),
+            typeMappings: Object.fromEntries(Array.from(this.typeToFactories.entries()).map(([encType, factories]) => [
+                encType,
+                factories.map((factory) => factory.constructor.name),
+            ])),
+        };
     }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error ?? "unknown");
-        const normalized = `Certificate validation failed: ${message}`;
-        if (strict) {
-            throw new Error(normalized);
+    forceRediscovery() {
+        const manualFactories = this.factories.filter((factory) => !this.autoDiscoveredFactories.has(factory));
+        this.autoDiscovered = false;
+        this.algorithmToFactory.clear();
+        this.typeToFactories.clear();
+        this.factories.length = 0;
+        this.factorySet.clear();
+        this.autoDiscoveredFactories.clear();
+        for (const factory of manualFactories) {
+            this.registerFactory(factory);
         }
-        return { isValid: false, error: normalized };
+        this.autoDiscoverFactories();
     }
-}
-function validateCertificateChain(parsed, enforceNameConstraints, trustStorePem) {
-    const leaf = parsed[0];
-    const nowMs = Date.now();
-    const notBefore = leaf.certificate.tbsCertificate.validity.notBefore.getTime();
-    const notAfter = leaf.certificate.tbsCertificate.validity.notAfter.getTime();
-    const notBeforeMs = notBefore.getTime();
-    const notAfterMs = notAfter.getTime();
-    if (nowMs < notBeforeMs || nowMs > notAfterMs) {
-        throw new Error(`Certificate is not currently valid (notBefore: ${notBefore.toISOString()}, notAfter: ${notAfter.toISOString()}, now: ${new Date(nowMs).toISOString()})`);
+    isAutoDiscovered() {
+        return this.autoDiscovered;
     }
-    const issuers = parsed.slice(1);
-    if (enforceNameConstraints && issuers.length > 0) {
-        const leafUris = extractUrisFromCert(leaf.certificate);
-        validateNameConstraints(issuers, leafUris);
+    ensureInitialized() {
+        this.ensureAutoDiscovery();
     }
-    if (trustStorePem) {
-        validateTrustAnchor(parsed, trustStorePem);
+    ensureAutoDiscovery() {
+        if (!this.autoDiscovered) {
+            this.autoDiscoverFactories();
+        }
     }
-    validateChainContinuity(parsed);
-    const publicKey = leaf.subjectPublicKey.slice();
-    return {
-        publicKey,
-        certificate: leaf.certificate,
-        notAfter,
-    };
 }
-function parseCertificateChain(x5c) {
-    const parsed = [];
-    const derChunks = [];
-    for (let index = 0; index < x5c.length; index += 1) {
-        const entry = x5c[index];
-        if (typeof entry !== "string" || entry.trim().length === 0) {
-            throw new Error(`Invalid certificate at index ${index}`);
-        }
-        let der;
-        try {
-            der = decodeBase64$2(entry);
-        }
-        catch (error) {
-            const reason = error instanceof Error ? error.message : String(error);
-            throw new Error(`Failed to decode certificate at index ${index}: ${reason}`);
-        }
-        let certificate;
+const globalRegistry = new EncryptionManagerFactoryRegistry(true);
+function getEncryptionManagerFactoryRegistry() {
+    globalRegistry.ensureInitialized();
+    return globalRegistry;
+}
+
+const SECURITY_PREFIX = "./security/";
+const SECURITY_MODULES = MODULES.filter((spec) => spec.startsWith(SECURITY_PREFIX));
+const EXTRA_MODULES = MODULES.filter((spec) => !spec.startsWith(SECURITY_PREFIX));
+const NODE_ONLY_MODULES = new Set([
+    "./security/cert/default-ca-service-factory.js",
+    "./security/cert/trust-store/node-trust-store-provider-factory.js",
+]);
+const FACTORY_MODULE_PREFIX$1 = "@naylence/advanced-security/naylence/fame/";
+const BROWSER_DIST_SEGMENT = "/dist/browser/";
+function detectModuleUrl() {
+    if (typeof __filename === "string") {
         try {
-            certificate = asn1Schema.AsnConvert.parse(der, asn1X509.Certificate);
+            return __filename.startsWith("file://")
+                ? __filename
+                : `file://${__filename}`;
         }
-        catch (error) {
-            const reason = error instanceof Error ? error.message : String(error);
-            throw new Error(`Failed to parse certificate at index ${index}: ${reason}`);
+        catch {
+            // fall through to stack parsing
         }
-        parsed.push(createParsedCertificate(certificate, der));
-        derChunks.push(der);
     }
-    return { parsed, chainBytes: concatBytes(derChunks) };
-}
-function createParsedCertificate(certificate, raw) {
-    return {
-        raw,
-        certificate,
-        serialNumber: toHex(new Uint8Array(certificate.tbsCertificate.serialNumber)).toUpperCase(),
-        subjectName: serializeName(certificate.tbsCertificate.subject),
-        issuerName: serializeName(certificate.tbsCertificate.issuer),
-        subjectPublicKey: new Uint8Array(certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey).slice(),
-    };
-}
-function extractUrisFromCert(cert) {
-    const extension = findExtension(cert, asn1X509.id_ce_subjectAltName);
-    if (!extension) {
-        return [];
+    try {
+        throw new Error();
     }
-    const subjectAlternativeName = asn1Schema.AsnConvert.parse(extension.extnValue.buffer, asn1X509.SubjectAlternativeName);
-    const uris = [];
-    for (const generalName of subjectAlternativeName) {
-        if (generalName.uniformResourceIdentifier) {
-            uris.push(generalName.uniformResourceIdentifier);
+    catch (error) {
+        const stack = typeof error === "object" && error && "stack" in error
+            ? String(error.stack ?? "")
+            : "";
+        const lines = stack.split("\n");
+        for (const line of lines) {
+            const match = line.match(/(https?:\/\/[^\s)]+|file:\/\/[^\s)]+\.(?:js|ts)|\/(?:[^\s)]+\.(?:js|ts)))/u);
+            const candidate = match?.[1];
+            if (!candidate) {
+                continue;
+            }
+            if (candidate.startsWith("http://") || candidate.startsWith("https://")) {
+                return candidate;
+            }
+            if (candidate.startsWith("file://")) {
+                return candidate;
+            }
+            return `file://${candidate}`;
         }
     }
-    return uris;
+    return null;
 }
-function validateNameConstraints(issuers, leafUris) {
-    for (const issuer of issuers) {
-        const extension = findExtension(issuer.certificate, asn1X509.id_ce_nameConstraints);
-        if (!extension) {
-            continue;
-        }
-        const constraints = asn1Schema.AsnConvert.parse(extension.extnValue.buffer, asn1X509.NameConstraints);
-        if (!constraints.permittedSubtrees) {
-            continue;
-        }
-        const permittedUris = collectPermittedUris(Array.from(constraints.permittedSubtrees));
-        if (permittedUris.length === 0) {
-            continue;
-        }
-        for (const uri of leafUris) {
-            const allowed = permittedUris.some((prefix) => uri.startsWith(prefix));
-            if (!allowed) {
-                throw new Error(`URI '${uri}' violates name constraints - not in permitted subtrees: ${permittedUris.join(", ")}`);
+function computeBrowserFactoryBase(rawUrl) {
+    if (!rawUrl) {
+        return null;
+    }
+    const sanitized = rawUrl.split("?")[0]?.split("#")[0] ?? rawUrl;
+    const esmMarker = "/dist/esm/naylence/fame/";
+    const distMarker = "/dist/";
+    if (sanitized.includes(esmMarker)) {
+        return sanitized.slice(0, sanitized.indexOf(esmMarker) + esmMarker.length);
+    }
+    if (rawUrl.includes(BROWSER_DIST_SEGMENT)) {
+        return new URL("../esm/naylence/fame/", rawUrl).href;
+    }
+    if (sanitized.includes(BROWSER_DIST_SEGMENT)) {
+        const base = sanitized.slice(0, sanitized.indexOf(BROWSER_DIST_SEGMENT) + BROWSER_DIST_SEGMENT.length);
+        return `${base.replace(/browser\/?$/u, "")}esm/naylence/fame/`;
+    }
+    if (sanitized.includes(distMarker)) {
+        const index = sanitized.indexOf(distMarker);
+        const base = sanitized.slice(0, index + distMarker.length);
+        return `${base}esm/naylence/fame/`;
+    }
+    const srcMarker = "/src/naylence/fame/";
+    if (sanitized.includes(srcMarker)) {
+        const index = sanitized.indexOf(srcMarker);
+        const projectRoot = sanitized.slice(0, index);
+        return `${projectRoot}/dist/esm/naylence/fame/`;
+    }
+    if (sanitized.startsWith("http://") || sanitized.startsWith("https://")) {
+        try {
+            const parsed = new URL(rawUrl);
+            const viteDepsSegment = "/node_modules/.vite/deps/";
+            if (parsed.pathname.includes(viteDepsSegment)) {
+                const baseOrigin = `${parsed.protocol}//${parsed.host}`;
+                return `${baseOrigin}/node_modules/@naylence/advanced-security/dist/esm/naylence/fame/`;
             }
         }
-    }
-}
-function collectPermittedUris(subtrees) {
-    const uris = [];
-    for (const subtree of subtrees) {
-        if (subtree.base.uniformResourceIdentifier &&
-            subtree.base.uniformResourceIdentifier.length > 0) {
-            uris.push(subtree.base.uniformResourceIdentifier);
+        catch {
+            // ignore
         }
     }
-    return uris;
+    return null;
 }
-function validateTrustAnchor(chain, trustStorePem) {
-    const trustedCerts = parseTrustStore(trustStorePem);
-    if (trustedCerts.length === 0) {
-        throw new Error("No valid certificates found in trust store");
+const moduleUrl = detectModuleUrl();
+const browserFactoryBase = computeBrowserFactoryBase(moduleUrl);
+const prefersSource = typeof moduleUrl === "string" && moduleUrl.includes("/src/");
+function resolveFactoryModuleSpecifier$1(specifier) {
+    if (specifier.startsWith("../")) {
+        return `${FACTORY_MODULE_PREFIX$1}${specifier.slice("../".length)}`;
     }
-    logger$h.debug("trust_anchor_validation_start", {
-        chain_length: chain.length,
-        trust_store_cert_count: trustedCerts.length,
-    });
-    const chainInfo = chain.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
-    const trustedInfo = trustedCerts.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
-    logger$h.debug("certificate_chain_validation", {
-        chain_certificates: chainInfo,
-        trust_store_certificates: trustedInfo,
-    });
-    // Strategy 1: direct trust (exact certificate match)
-    for (let i = 0; i < chain.length; i += 1) {
-        const cert = chain[i];
-        const match = trustedCerts.find((trusted) => trusted.serialNumber === cert.serialNumber &&
-            namesEqual(trusted.certificate.tbsCertificate.subject, cert.certificate.tbsCertificate.subject));
-        if (match) {
-            logger$h.debug("certificate_chain_trust_validation_passed", {
-                matching_serial: match.serialNumber,
-                validation_strategy: `direct_trust_cert_${i}`,
-            });
-            return;
-        }
+    if (specifier.startsWith("./")) {
+        return `${FACTORY_MODULE_PREFIX$1}${specifier.slice("./".length)}`;
     }
-    const leaf = chain[0];
-    // Strategy 2: leaf issuer in trust store
-    for (const trusted of trustedCerts) {
-        if (namesEqual(trusted.certificate.tbsCertificate.subject, leaf.certificate.tbsCertificate.issuer) &&
-            trusted.serialNumber !== leaf.serialNumber) {
-            verifyCertificateSignature(leaf.certificate, trusted.certificate);
-            logger$h.debug("certificate_chain_trust_validation_passed", {
-                matching_serial: trusted.serialNumber,
-                validation_strategy: "leaf_issuer_trust",
-            });
+    return null;
+}
+function resolveModuleCandidates(spec) {
+    const candidates = [];
+    const seen = new Set();
+    const addCandidate = (candidate) => {
+        if (!candidate) {
             return;
         }
-    }
-    // Strategy 3: any intermediate issuer in trust store
-    for (let index = 1; index < chain.length; index += 1) {
-        const intermediate = chain[index];
-        for (const trusted of trustedCerts) {
-            if (namesEqual(trusted.certificate.tbsCertificate.subject, intermediate.certificate.tbsCertificate.issuer) &&
-                trusted.serialNumber !== intermediate.serialNumber) {
-                verifyCertificateSignature(intermediate.certificate, trusted.certificate);
-                logger$h.debug("certificate_chain_trust_validation_passed", {
-                    matching_serial: trusted.serialNumber,
-                    validation_strategy: `intermediate_issuer_trust_cert_${index}`,
-                });
-                return;
-            }
+        if (!seen.has(candidate)) {
+            seen.add(candidate);
+            candidates.push(candidate);
+        }
+    };
+    if (prefersSource && spec.startsWith("./")) {
+        const sourceCandidate = `../${spec.slice(2)}`;
+        addCandidate(sourceCandidate);
+        if (sourceCandidate.endsWith(".js")) {
+            addCandidate(sourceCandidate.replace(/\.js$/u, ".ts"));
         }
     }
-    logger$h.warning("certificate_chain_trust_validation_failed", {
-        leaf_subject: leaf.subjectName,
-        leaf_issuer: leaf.issuerName,
-        leaf_serial: leaf.serialNumber,
-        trusted_certificates: trustedInfo,
-        chain_certificates: chainInfo,
-        reason: "no_matching_trust_anchor",
-    });
-    throw new Error("Certificate chain is not rooted in a trusted anchor");
-}
-function parseTrustStore(trustStorePem) {
-    const normalized = normalizePem$2(trustStorePem);
-    const blocks = extractPemBlocks$1(normalized);
-    const parsed = [];
-    for (const block of blocks) {
+    if (browserFactoryBase && spec.startsWith("./")) {
         try {
-            const der = decodeBase64$2(block);
-            const certificate = asn1Schema.AsnConvert.parse(der, asn1X509.Certificate);
-            parsed.push(createParsedCertificate(certificate, der));
+            const browserCandidate = new URL(spec.slice("./".length), browserFactoryBase).href;
+            addCandidate(browserCandidate);
+            if (browserCandidate.endsWith(".js")) {
+                addCandidate(browserCandidate.replace(/\.js$/u, ".ts"));
+            }
         }
-        catch (error) {
-            const reason = error instanceof Error ? error.message : String(error);
-            logger$h.debug("trust_store_certificate_parse_failed", { reason });
+        catch {
+            // ignore resolution failures for browser base
         }
     }
-    return parsed;
-}
-function extractPemBlocks$1(pem) {
-    const blocks = [];
-    const regex = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/gu;
-    let match;
-    // eslint-disable-next-line no-cond-assign
-    while ((match = regex.exec(pem)) !== null) {
-        const body = match[1] ?? "";
-        blocks.push(body.replace(/\s+/gu, ""));
+    const packageCandidate = resolveFactoryModuleSpecifier$1(spec);
+    addCandidate(packageCandidate);
+    if (packageCandidate?.endsWith(".js")) {
+        addCandidate(packageCandidate.replace(/\.js$/u, ".ts"));
     }
-    return blocks;
-}
-function validateChainContinuity(chain) {
-    if (chain.length <= 1) {
-        return;
+    const fallback = spec.startsWith("./") ? `../${spec.slice(2)}` : spec;
+    addCandidate(fallback);
+    if (fallback.endsWith(".js")) {
+        addCandidate(fallback.replace(/\.js$/u, ".ts"));
     }
-    logger$h.debug("validating_chain_continuity", { chain_length: chain.length });
-    for (let index = 0; index < chain.length - 1; index += 1) {
-        const cert = chain[index];
-        const issuer = chain[index + 1];
-        if (!namesEqual(cert.certificate.tbsCertificate.issuer, issuer.certificate.tbsCertificate.subject)) {
-            logger$h.warning("certificate_chain_continuity_failed", {
-                cert_index: index,
-                cert_subject: cert.subjectName,
-                cert_issuer: cert.issuerName,
-                expected_issuer_subject: issuer.subjectName,
-                reason: "issuer_name_mismatch",
-            });
-            throw new Error(`Certificate chain continuity broken: certificate at index ${index} issuer does not match next certificate subject`);
-        }
-        try {
-            verifyCertificateSignature(cert.certificate, issuer.certificate);
-            logger$h.debug("chain_continuity_verification_success", {
-                cert_index: index,
-                cert_serial: cert.serialNumber,
-                issuer_serial: issuer.serialNumber,
-            });
-        }
-        catch (error) {
-            const reason = error instanceof Error ? error.message : String(error);
-            logger$h.warning("certificate_chain_continuity_failed", {
-                cert_index: index,
-                cert_subject: cert.subjectName,
-                issuer_subject: issuer.subjectName,
-                cert_serial: cert.serialNumber,
-                issuer_serial: issuer.serialNumber,
-                error: reason,
-                reason: "signature_verification_failed",
-            });
-            throw new Error(`Certificate chain continuity broken: certificate at index ${index} was not signed by certificate at index ${index + 1}: ${reason}`);
-        }
+    addCandidate(spec);
+    if (spec.endsWith(".js")) {
+        addCandidate(spec.replace(/\.js$/u, ".ts"));
     }
-    logger$h.debug("chain_continuity_validation_passed", {
-        chain_length: chain.length,
-    });
+    return candidates;
 }
-function verifyCertificateSignature(certificate, issuer) {
-    ensureEd25519Support();
-    const signatureAlgorithm = certificate.signatureAlgorithm.algorithm;
-    const issuerAlgorithm = issuer.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm;
-    if (signatureAlgorithm !== OID_ED25519 || issuerAlgorithm !== OID_ED25519) {
-        throw new Error(`Unsupported signature algorithm (certificate: ${signatureAlgorithm}, issuer: ${issuerAlgorithm})`);
-    }
-    const signatureBytes = new Uint8Array(certificate.signatureValue);
-    const tbsBytes = new Uint8Array(asn1Schema.AsnConvert.serialize(certificate.tbsCertificate));
-    const issuerKey = new Uint8Array(issuer.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
-    if (issuerKey.length !== 32) {
-        throw new Error("Issuer Ed25519 public key must be 32 bytes");
-    }
-    const valid = ed25519.verify(signatureBytes, tbsBytes, issuerKey);
-    if (!valid) {
-        throw new Error("Certificate signature verification failed");
-    }
+const registeredModules = new Set();
+const inflightModules = new Map();
+const browserSkippedModules = new Set();
+function isNodeEnvironment$5() {
+    return (typeof process !== "undefined" &&
+        typeof process.release !== "undefined" &&
+        process.release?.name === "node");
 }
-function ensureEd25519Support() {
-    const etcPatch = ed25519.etc;
-    if (!etcPatch.sha512) {
-        etcPatch.sha512 = (message) => sha2_js.sha512(message);
+function shouldSkipModule(spec) {
+    if (isNodeEnvironment$5()) {
+        return false;
     }
-    if (!etcPatch.sha512Sync) {
-        etcPatch.sha512Sync = (...messages) => {
-            if (messages.length === 1) {
-                return sha2_js.sha512(messages[0]);
-            }
-            const combined = ed25519.etc.concatBytes(...messages);
-            return sha2_js.sha512(combined);
-        };
+    if (!NODE_ONLY_MODULES.has(spec)) {
+        return false;
+    }
+    if (!browserSkippedModules.has(spec)) {
+        // console.warn(
+        //   "[advanced-security:factory-manifest] skipped browser-incompatible module",
+        //   spec,
+        // );
+        browserSkippedModules.add(spec);
     }
+    return true;
 }
-function findExtension(certificate, oid) {
-    const extensions = certificate.tbsCertificate.extensions;
-    if (!extensions) {
+function getDynamicImporter() {
+    if (typeof globalThis === "undefined") {
         return null;
     }
-    for (const extension of extensions) {
-        if (extension.extnID === oid) {
-            return extension;
-        }
+    const candidate = globalThis.__naylenceFactoryDynamicImporter;
+    if (typeof candidate === "function") {
+        return candidate;
     }
     return null;
 }
-function namesEqual(a, b) {
-    const left = new Uint8Array(asn1Schema.AsnConvert.serialize(a));
-    const right = new Uint8Array(asn1Schema.AsnConvert.serialize(b));
-    if (left.length !== right.length) {
-        return false;
+async function registerModule(spec, registrar) {
+    const candidates = resolveModuleCandidates(spec);
+    const dynamicImporter = getDynamicImporter();
+    const loader = dynamicImporter
+        ? (specifier) => dynamicImporter(specifier)
+        : (specifier) => import(/* @vite-ignore */ specifier);
+    const attempts = [];
+    const staticLoader = MODULE_LOADERS?.[spec];
+    if (staticLoader) {
+        attempts.push({ load: () => staticLoader(), candidate: spec });
     }
-    for (let i = 0; i < left.length; i += 1) {
-        if (left[i] !== right[i]) {
+    for (const candidate of candidates) {
+        attempts.push({ load: () => loader(candidate), candidate });
+    }
+    const registerFromModule = (mod) => {
+        const meta = mod.FACTORY_META;
+        const Ctor = mod.default;
+        if (!meta?.base || !meta?.key || typeof Ctor !== "function") {
+            console.warn("[debug] invalid factory module", spec, {
+                meta,
+                hasCtor: typeof Ctor === "function",
+            });
+            console.warn("[advanced-security:factory-manifest] skipped", spec, "— missing FACTORY_META or default export ctor");
             return false;
         }
+        const { base, key, ...metadata } = meta;
+        const extraMetadata = Object.keys(metadata).length > 0 ? metadata : undefined;
+        // console.log("[debug] registering module", { spec, base, key, metadata: extraMetadata });
+        registrar.registerFactory(base, key, Ctor, extraMetadata);
+        return true;
+    };
+    for (const [index, { candidate, load }] of attempts.entries()) {
+        try {
+            const mod = await load();
+            return registerFromModule(mod);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            const moduleNotFound = message.includes("Cannot find module") ||
+                message.includes("ERR_MODULE_NOT_FOUND") ||
+                message.includes("Unknown file extension") ||
+                message.includes("Failed to fetch dynamically imported module") ||
+                message.includes("Failed to resolve module specifier") ||
+                message.includes("Importing a module script failed");
+            const isLastAttempt = index === attempts.length - 1;
+            if (!moduleNotFound || isLastAttempt) {
+                console.warn("[debug] failed to import candidate", {
+                    spec,
+                    candidate,
+                    message,
+                });
+                console.warn("[advanced-security:factory-manifest] skipped", spec, "-", message);
+                return false;
+            }
+        }
     }
-    return true;
-}
-function serializeName(name) {
-    const rdns = Array.from(name);
-    return rdns
-        .map((rdn) => Array.from(rdn)
-        .map((attr) => `${oidToLabel$1(attr.type)}=${attr.value.toString()}`)
-        .join("+"))
-        .join(",");
+    return false;
 }
-function oidToLabel$1(oid) {
-    switch (oid) {
-        case "2.5.4.3":
-            return "CN";
-        case "2.5.4.6":
-            return "C";
-        case "2.5.4.7":
-            return "L";
-        case "2.5.4.8":
-            return "ST";
-        case "2.5.4.10":
-            return "O";
-        case "2.5.4.11":
-            return "OU";
-        default:
-            return oid;
+async function registerModuleOnce(spec, registrar) {
+    if (registeredModules.has(spec)) {
+        return false;
     }
-}
-function concatBytes(chunks) {
-    const totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
-    const result = new Uint8Array(totalLength);
-    let offset = 0;
-    for (const chunk of chunks) {
-        result.set(chunk, offset);
-        offset += chunk.length;
+    const inflight = inflightModules.get(spec);
+    if (inflight) {
+        return inflight;
+    }
+    const registration = (async () => {
+        const registered = await registerModule(spec, registrar);
+        if (registered) {
+            registeredModules.add(spec);
+        }
+        return registered;
+    })();
+    inflightModules.set(spec, registration);
+    try {
+        return await registration;
+    }
+    finally {
+        inflightModules.delete(spec);
     }
-    return result;
 }
-function decodeBase64$2(input) {
-    if (typeof Buffer !== "undefined") {
-        const normalized = input.replace(/\s+/gu, "");
-        return new Uint8Array(Buffer.from(normalized, "base64"));
+async function registerModules(modules, registrar) {
+    if (modules.length === 0) {
+        return 0;
     }
-    if (typeof atob === "function") {
-        const normalized = input.replace(/\s+/gu, "");
-        const binary = atob(normalized);
-        const bytes = new Uint8Array(binary.length);
-        for (let i = 0; i < binary.length; i += 1) {
-            bytes[i] = binary.charCodeAt(i);
-        }
-        return bytes;
+    const eligibleModules = modules.filter((spec) => !shouldSkipModule(spec));
+    if (eligibleModules.length === 0) {
+        return 0;
     }
-    throw new Error("No base64 decoder available in this environment");
+    const results = await Promise.all(eligibleModules.map((spec) => registerModuleOnce(spec, registrar)));
+    return results.reduce((count, registered) => (registered ? count + 1 : count), 0);
 }
-function toHex(data) {
-    return Array.from(data)
-        .map((byte) => byte.toString(16).padStart(2, "0"))
-        .join("");
-}
-function buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints) {
-    const chainHash = toHex(sha2_js.sha256(chainBytes));
-    const trustHash = trustStorePem
-        ? toHex(sha2_js.sha256(textEncoder.encode(trustStorePem)))
-        : "no-trust";
-    const constraintFlag = enforceNameConstraints ? "nc1" : "nc0";
-    return `${chainHash}|${trustHash}|${constraintFlag}`;
-}
-function getCachedPublicKey(cacheKey) {
-    const entry = trustCache.get(cacheKey);
-    if (!entry) {
-        return null;
+async function registerAdvancedSecurityFactories(registrar = factory.Registry, options) {
+    const newlyRegisteredSecurity = await registerModules(SECURITY_MODULES, registrar);
+    if (newlyRegisteredSecurity > 0) {
+        getEncryptionManagerFactoryRegistry().forceRediscovery();
     }
-    if (Date.now() > entry.expiresAt) {
-        trustCache.delete(cacheKey);
-        logger$h.debug("certificate_cache_expired", { cache_key: cacheKey });
-        return null;
+    {
+        await registerModules(EXTRA_MODULES, registrar);
     }
-    return entry.value.slice();
 }
-function setCachedPublicKey(cacheKey, value, notAfter) {
-    while (trustCache.size >= CACHE_LIMIT) {
-        const firstKey = trustCache.keys().next().value;
-        if (firstKey === undefined) {
-            break;
+
+// This file is auto-generated during build - do not edit manually
+// Generated from package.json version: 0.3.15
+/**
+ * The package version, injected at build time.
+ * @internal
+ */
+const VERSION = '0.3.15';
+
+async function registerAdvancedSecurityPluginFactories(registrar = factory.Registry) {
+    await registerAdvancedSecurityFactories(registrar);
+}
+let initialized = false;
+let initializing = null;
+const advancedSecurityPlugin = {
+    name: "naylence:advanced-security",
+    version: VERSION,
+    async register() {
+        // console.log('[naylence:advanced-security] register() called, initialized=', initialized);
+        if (initialized) {
+            // console.log('[naylence:advanced-security] already initialized, skipping');
+            return;
         }
-        trustCache.delete(firstKey);
-        logger$h.debug("certificate_cache_evicted", { cache_key: firstKey });
+        if (initializing) {
+            console.log("[naylence:advanced-security] already initializing, awaiting...");
+            await initializing;
+            return;
+        }
+        initializing = (async () => {
+            try {
+                // console.log('[naylence:advanced-security] registering advanced security factories...');
+                await registerAdvancedSecurityPluginFactories();
+                // console.log('[naylence:advanced-security] advanced security factories registered');
+                initialized = true;
+            }
+            finally {
+                initializing = null;
+            }
+        })();
+        await initializing;
+    },
+};
+const ADVANCED_SECURITY_PLUGIN_SPECIFIER = advancedSecurityPlugin.name;
+
+var plugin = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    ADVANCED_SECURITY_PLUGIN_SPECIFIER: ADVANCED_SECURITY_PLUGIN_SPECIFIER,
+    default: advancedSecurityPlugin,
+    registerAdvancedSecurityPluginFactories: registerAdvancedSecurityPluginFactories
+});
+
+const logger$g = runtime.getLogger("naylence.fame.security.cert.util");
+const CACHE_LIMIT = 512;
+const OID_ED25519 = "1.3.101.112";
+const textEncoder = new TextEncoder();
+const trustCache = new Map();
+function publicKeyFromX5c(x5c, options = {}) {
+    if (!Array.isArray(x5c) || x5c.length === 0) {
+        throw new Error("Empty certificate chain");
     }
-    trustCache.set(cacheKey, {
-        value: value.slice(),
-        expiresAt: notAfter.getTime(),
-    });
-    logger$h.debug("certificate_cache_stored", {
-        cache_key: cacheKey,
-        expires_at: notAfter.toISOString(),
-        cache_size: trustCache.size,
+    const callId = generateCallId();
+    const enforceNameConstraints = options.enforceNameConstraints ?? true;
+    const trustStorePem = normalizeTrustStoreOption(options.trustStorePem ?? null);
+    const returnCertificate = options.returnCertificate ?? false;
+    const { parsed, chainBytes } = parseCertificateChain(x5c);
+    logger$g.debug("public_key_from_x5c_called", {
+        call_id: callId,
+        x5c_count: parsed.length,
+        enforce_name_constraints: enforceNameConstraints,
+        has_trust_store: Boolean(trustStorePem),
+        return_cert: returnCertificate,
     });
-}
-function normalizeTrustStoreOption(value) {
-    if (!value) {
-        return null;
+    let cacheKey = null;
+    if (!returnCertificate) {
+        cacheKey = buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints);
+        const cached = getCachedPublicKey(cacheKey);
+        if (cached) {
+            logger$g.debug("certificate_cache_hit", {
+                call_id: callId,
+                cache_key: cacheKey,
+            });
+            return cached;
+        }
+        logger$g.debug("certificate_cache_miss", {
+            call_id: callId,
+            cache_key: cacheKey,
+        });
     }
-    const trimmed = value.trim();
-    if (trimmed.length === 0) {
-        return null;
+    const validation = validateCertificateChain(parsed, enforceNameConstraints, trustStorePem);
+    if (cacheKey) {
+        setCachedPublicKey(cacheKey, validation.publicKey, validation.notAfter);
     }
-    if (!trimmed.includes("-----BEGIN CERTIFICATE-----")) {
-        throw new Error("trustStorePem must contain PEM-encoded certificates when provided");
+    if (returnCertificate) {
+        return {
+            publicKey: validation.publicKey.slice(),
+            certificate: validation.certificate,
+        };
     }
-    return normalizePem$2(trimmed);
-}
-function normalizePem$2(pem) {
-    return pem.replace(/\r/gu, "").trim();
-}
-function generateCallId() {
-    return Math.random().toString(36).slice(2, 10);
+    return validation.publicKey.slice();
 }
-
-const GRANT_PURPOSE_CA_SIGN = "ca_sign";
-
-const ED25519_OID$2 = "1.3.101.112";
-const OID_COMMON_NAME$2 = "2.5.4.3";
-const LOGICAL_URI_PREFIX$1 = "naylence://";
-function ensureSubtleCrypto() {
-    const instance = globalThis.crypto?.subtle;
-    if (!instance) {
-        throw new Error("WebCrypto subtle API is required to create a CSR");
+function validateJwkX5cCertificate(options) {
+    const { jwk, trustStorePem = null, enforceNameConstraints = true, strict = true, } = options;
+    if (!jwk || typeof jwk !== "object") {
+        const error = "Invalid JWK object";
+        if (strict) {
+            throw new Error(error);
+        }
+        return { isValid: false, error };
     }
-    return instance;
-}
-function buildSubject(commonName) {
-    if (!commonName || typeof commonName !== "string") {
-        throw new Error("commonName must be a non-empty string");
+    const x5c = jwk.x5c;
+    if (x5c === undefined) {
+        return { isValid: true };
     }
-    return new asn1X509.Name([
-        new asn1X509.RelativeDistinguishedName([
-            new asn1X509.AttributeTypeAndValue({
-                type: OID_COMMON_NAME$2,
-                value: new asn1X509.AttributeValue({ utf8String: commonName }),
-            }),
-        ]),
-    ]);
-}
-function arrayBufferToBase64(buffer) {
-    const bytes = new Uint8Array(buffer);
-    if (typeof globalThis.Buffer?.from === "function") {
-        return globalThis.Buffer.from(bytes).toString("base64");
+    if (!Array.isArray(x5c) ||
+        x5c.length === 0 ||
+        x5c.some((entry) => typeof entry !== "string")) {
+        const error = "Invalid x5c field in JWK";
+        if (strict) {
+            throw new Error(error);
+        }
+        return { isValid: false, error };
     }
-    let binary = "";
-    const chunkSize = 0x8000;
-    for (let offset = 0; offset < bytes.length; offset += chunkSize) {
-        const slice = bytes.subarray(offset, offset + chunkSize);
-        binary += String.fromCharCode(...slice);
+    try {
+        publicKeyFromX5c(x5c, {
+            trustStorePem,
+            enforceNameConstraints,
+        });
+        return { isValid: true };
     }
-    if (typeof globalThis.btoa !== "function") {
-        throw new Error("Base64 encoding not available in this environment");
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error ?? "unknown");
+        const normalized = `Certificate validation failed: ${message}`;
+        if (strict) {
+            throw new Error(normalized);
+        }
+        return { isValid: false, error: normalized };
     }
-    return globalThis.btoa(binary);
 }
-function derToPem$1(der, label) {
-    const base64 = arrayBufferToBase64(der);
-    const lines = [];
-    for (let index = 0; index < base64.length; index += 64) {
-        lines.push(base64.slice(index, index + 64));
+function validateCertificateChain(parsed, enforceNameConstraints, trustStorePem) {
+    const leaf = parsed[0];
+    const nowMs = Date.now();
+    const notBefore = leaf.certificate.tbsCertificate.validity.notBefore.getTime();
+    const notAfter = leaf.certificate.tbsCertificate.validity.notAfter.getTime();
+    const notBeforeMs = notBefore.getTime();
+    const notAfterMs = notAfter.getTime();
+    if (nowMs < notBeforeMs || nowMs > notAfterMs) {
+        throw new Error(`Certificate is not currently valid (notBefore: ${notBefore.toISOString()}, notAfter: ${notAfter.toISOString()}, now: ${new Date(nowMs).toISOString()})`);
     }
-    return `-----BEGIN ${label}-----\n${lines.join("\n")}\n-----END ${label}-----\n`;
-}
-async function createEd25519Csr(options) {
-    const subtle = ensureSubtleCrypto();
-    const { privateKey, publicKey, commonName } = options;
-    if (!(privateKey instanceof CryptoKey) || privateKey.type !== "private") {
-        throw new Error("privateKey must be a CryptoKey of type 'private'");
+    const issuers = parsed.slice(1);
+    if (enforceNameConstraints && issuers.length > 0) {
+        const leafUris = extractUrisFromCert(leaf.certificate);
+        validateNameConstraints(issuers, leafUris);
     }
-    if (!(publicKey instanceof CryptoKey) || publicKey.type !== "public") {
-        throw new Error("publicKey must be a CryptoKey of type 'public'");
+    if (trustStorePem) {
+        validateTrustAnchor(parsed, trustStorePem);
     }
-    const subject = buildSubject(commonName);
-    const spkiDer = await subtle.exportKey("spki", publicKey);
-    const subjectPublicKeyInfo = asn1Schema.AsnConvert.parse(spkiDer, asn1X509.SubjectPublicKeyInfo);
-    const attributes = new asn1Csr.Attributes();
-    const sanitizedLogicals = Array.isArray(options.logicals)
-        ? options.logicals
-            .map((logical) => logical.trim())
-            .filter((logical) => logical.length > 0)
-        : [];
-    if (sanitizedLogicals.length > 0) {
-        const san = new asn1X509.SubjectAlternativeName(sanitizedLogicals.map((logical) => new asn1X509.GeneralName({
-            uniformResourceIdentifier: `${LOGICAL_URI_PREFIX$1}${logical}`,
-        })));
-        const extensions = new asn1X509.Extensions([
-            new asn1X509.Extension({
-                extnID: asn1X509.id_ce_subjectAltName,
-                critical: false,
+    validateChainContinuity(parsed);
+    const publicKey = leaf.subjectPublicKey.slice();
+    return {
+        publicKey,
+        certificate: leaf.certificate,
+        notAfter,
+    };
+}
+function parseCertificateChain(x5c) {
+    const parsed = [];
+    const derChunks = [];
+    for (let index = 0; index < x5c.length; index += 1) {
+        const entry = x5c[index];
+        if (typeof entry !== "string" || entry.trim().length === 0) {
+            throw new Error(`Invalid certificate at index ${index}`);
+        }
+        let der;
+        try {
+            der = decodeBase64$2(entry);
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to decode certificate at index ${index}: ${reason}`);
+        }
+        let certificate;
+        try {
+            certificate = asn1Schema.AsnConvert.parse(der, asn1X509.Certificate);
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to parse certificate at index ${index}: ${reason}`);
+        }
+        parsed.push(createParsedCertificate(certificate, der));
+        derChunks.push(der);
+    }
+    return { parsed, chainBytes: concatBytes(derChunks) };
+}
+function createParsedCertificate(certificate, raw) {
+    return {
+        raw,
+        certificate,
+        serialNumber: toHex(new Uint8Array(certificate.tbsCertificate.serialNumber)).toUpperCase(),
+        subjectName: serializeName(certificate.tbsCertificate.subject),
+        issuerName: serializeName(certificate.tbsCertificate.issuer),
+        subjectPublicKey: new Uint8Array(certificate.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey).slice(),
+    };
+}
+function extractUrisFromCert(cert) {
+    const extension = findExtension(cert, asn1X509.id_ce_subjectAltName);
+    if (!extension) {
+        return [];
+    }
+    const subjectAlternativeName = asn1Schema.AsnConvert.parse(extension.extnValue.buffer, asn1X509.SubjectAlternativeName);
+    const uris = [];
+    for (const generalName of subjectAlternativeName) {
+        if (generalName.uniformResourceIdentifier) {
+            uris.push(generalName.uniformResourceIdentifier);
+        }
+    }
+    return uris;
+}
+function validateNameConstraints(issuers, leafUris) {
+    for (const issuer of issuers) {
+        const extension = findExtension(issuer.certificate, asn1X509.id_ce_nameConstraints);
+        if (!extension) {
+            continue;
+        }
+        const constraints = asn1Schema.AsnConvert.parse(extension.extnValue.buffer, asn1X509.NameConstraints);
+        if (!constraints.permittedSubtrees) {
+            continue;
+        }
+        const permittedUris = collectPermittedUris(Array.from(constraints.permittedSubtrees));
+        if (permittedUris.length === 0) {
+            continue;
+        }
+        for (const uri of leafUris) {
+            const allowed = permittedUris.some((prefix) => uri.startsWith(prefix));
+            if (!allowed) {
+                throw new Error(`URI '${uri}' violates name constraints - not in permitted subtrees: ${permittedUris.join(", ")}`);
+            }
+        }
+    }
+}
+function collectPermittedUris(subtrees) {
+    const uris = [];
+    for (const subtree of subtrees) {
+        if (subtree.base.uniformResourceIdentifier &&
+            subtree.base.uniformResourceIdentifier.length > 0) {
+            uris.push(subtree.base.uniformResourceIdentifier);
+        }
+    }
+    return uris;
+}
+function validateTrustAnchor(chain, trustStorePem) {
+    const trustedCerts = parseTrustStore(trustStorePem);
+    if (trustedCerts.length === 0) {
+        throw new Error("No valid certificates found in trust store");
+    }
+    logger$g.debug("trust_anchor_validation_start", {
+        chain_length: chain.length,
+        trust_store_cert_count: trustedCerts.length,
+    });
+    const chainInfo = chain.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
+    const trustedInfo = trustedCerts.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
+    logger$g.debug("certificate_chain_validation", {
+        chain_certificates: chainInfo,
+        trust_store_certificates: trustedInfo,
+    });
+    // Strategy 1: direct trust (exact certificate match)
+    for (let i = 0; i < chain.length; i += 1) {
+        const cert = chain[i];
+        const match = trustedCerts.find((trusted) => trusted.serialNumber === cert.serialNumber &&
+            namesEqual(trusted.certificate.tbsCertificate.subject, cert.certificate.tbsCertificate.subject));
+        if (match) {
+            logger$g.debug("certificate_chain_trust_validation_passed", {
+                matching_serial: match.serialNumber,
+                validation_strategy: `direct_trust_cert_${i}`,
+            });
+            return;
+        }
+    }
+    const leaf = chain[0];
+    // Strategy 2: leaf issuer in trust store
+    for (const trusted of trustedCerts) {
+        if (namesEqual(trusted.certificate.tbsCertificate.subject, leaf.certificate.tbsCertificate.issuer) &&
+            trusted.serialNumber !== leaf.serialNumber) {
+            verifyCertificateSignature(leaf.certificate, trusted.certificate);
+            logger$g.debug("certificate_chain_trust_validation_passed", {
+                matching_serial: trusted.serialNumber,
+                validation_strategy: "leaf_issuer_trust",
+            });
+            return;
+        }
+    }
+    // Strategy 3: any intermediate issuer in trust store
+    for (let index = 1; index < chain.length; index += 1) {
+        const intermediate = chain[index];
+        for (const trusted of trustedCerts) {
+            if (namesEqual(trusted.certificate.tbsCertificate.subject, intermediate.certificate.tbsCertificate.issuer) &&
+                trusted.serialNumber !== intermediate.serialNumber) {
+                verifyCertificateSignature(intermediate.certificate, trusted.certificate);
+                logger$g.debug("certificate_chain_trust_validation_passed", {
+                    matching_serial: trusted.serialNumber,
+                    validation_strategy: `intermediate_issuer_trust_cert_${index}`,
+                });
+                return;
+            }
+        }
+    }
+    logger$g.warning("certificate_chain_trust_validation_failed", {
+        leaf_subject: leaf.subjectName,
+        leaf_issuer: leaf.issuerName,
+        leaf_serial: leaf.serialNumber,
+        trusted_certificates: trustedInfo,
+        chain_certificates: chainInfo,
+        reason: "no_matching_trust_anchor",
+    });
+    throw new Error("Certificate chain is not rooted in a trusted anchor");
+}
+function parseTrustStore(trustStorePem) {
+    const normalized = normalizePem$2(trustStorePem);
+    const blocks = extractPemBlocks$1(normalized);
+    const parsed = [];
+    for (const block of blocks) {
+        try {
+            const der = decodeBase64$2(block);
+            const certificate = asn1Schema.AsnConvert.parse(der, asn1X509.Certificate);
+            parsed.push(createParsedCertificate(certificate, der));
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            logger$g.debug("trust_store_certificate_parse_failed", { reason });
+        }
+    }
+    return parsed;
+}
+function extractPemBlocks$1(pem) {
+    const blocks = [];
+    const regex = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/gu;
+    let match;
+    // eslint-disable-next-line no-cond-assign
+    while ((match = regex.exec(pem)) !== null) {
+        const body = match[1] ?? "";
+        blocks.push(body.replace(/\s+/gu, ""));
+    }
+    return blocks;
+}
+function validateChainContinuity(chain) {
+    if (chain.length <= 1) {
+        return;
+    }
+    logger$g.debug("validating_chain_continuity", { chain_length: chain.length });
+    for (let index = 0; index < chain.length - 1; index += 1) {
+        const cert = chain[index];
+        const issuer = chain[index + 1];
+        if (!namesEqual(cert.certificate.tbsCertificate.issuer, issuer.certificate.tbsCertificate.subject)) {
+            logger$g.warning("certificate_chain_continuity_failed", {
+                cert_index: index,
+                cert_subject: cert.subjectName,
+                cert_issuer: cert.issuerName,
+                expected_issuer_subject: issuer.subjectName,
+                reason: "issuer_name_mismatch",
+            });
+            throw new Error(`Certificate chain continuity broken: certificate at index ${index} issuer does not match next certificate subject`);
+        }
+        try {
+            verifyCertificateSignature(cert.certificate, issuer.certificate);
+            logger$g.debug("chain_continuity_verification_success", {
+                cert_index: index,
+                cert_serial: cert.serialNumber,
+                issuer_serial: issuer.serialNumber,
+            });
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            logger$g.warning("certificate_chain_continuity_failed", {
+                cert_index: index,
+                cert_subject: cert.subjectName,
+                issuer_subject: issuer.subjectName,
+                cert_serial: cert.serialNumber,
+                issuer_serial: issuer.serialNumber,
+                error: reason,
+                reason: "signature_verification_failed",
+            });
+            throw new Error(`Certificate chain continuity broken: certificate at index ${index} was not signed by certificate at index ${index + 1}: ${reason}`);
+        }
+    }
+    logger$g.debug("chain_continuity_validation_passed", {
+        chain_length: chain.length,
+    });
+}
+function verifyCertificateSignature(certificate, issuer) {
+    ensureEd25519Support();
+    const signatureAlgorithm = certificate.signatureAlgorithm.algorithm;
+    const issuerAlgorithm = issuer.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm;
+    if (signatureAlgorithm !== OID_ED25519 || issuerAlgorithm !== OID_ED25519) {
+        throw new Error(`Unsupported signature algorithm (certificate: ${signatureAlgorithm}, issuer: ${issuerAlgorithm})`);
+    }
+    const signatureBytes = new Uint8Array(certificate.signatureValue);
+    const tbsBytes = new Uint8Array(asn1Schema.AsnConvert.serialize(certificate.tbsCertificate));
+    const issuerKey = new Uint8Array(issuer.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey);
+    if (issuerKey.length !== 32) {
+        throw new Error("Issuer Ed25519 public key must be 32 bytes");
+    }
+    const valid = ed25519.verify(signatureBytes, tbsBytes, issuerKey);
+    if (!valid) {
+        throw new Error("Certificate signature verification failed");
+    }
+}
+function ensureEd25519Support() {
+    const etcPatch = ed25519.etc;
+    if (!etcPatch.sha512) {
+        etcPatch.sha512 = (message) => sha2_js.sha512(message);
+    }
+    if (!etcPatch.sha512Sync) {
+        etcPatch.sha512Sync = (...messages) => {
+            if (messages.length === 1) {
+                return sha2_js.sha512(messages[0]);
+            }
+            const combined = ed25519.etc.concatBytes(...messages);
+            return sha2_js.sha512(combined);
+        };
+    }
+}
+function findExtension(certificate, oid) {
+    const extensions = certificate.tbsCertificate.extensions;
+    if (!extensions) {
+        return null;
+    }
+    for (const extension of extensions) {
+        if (extension.extnID === oid) {
+            return extension;
+        }
+    }
+    return null;
+}
+function namesEqual(a, b) {
+    const left = new Uint8Array(asn1Schema.AsnConvert.serialize(a));
+    const right = new Uint8Array(asn1Schema.AsnConvert.serialize(b));
+    if (left.length !== right.length) {
+        return false;
+    }
+    for (let i = 0; i < left.length; i += 1) {
+        if (left[i] !== right[i]) {
+            return false;
+        }
+    }
+    return true;
+}
+function serializeName(name) {
+    const rdns = Array.from(name);
+    return rdns
+        .map((rdn) => Array.from(rdn)
+        .map((attr) => `${oidToLabel$1(attr.type)}=${attr.value.toString()}`)
+        .join("+"))
+        .join(",");
+}
+function oidToLabel$1(oid) {
+    switch (oid) {
+        case "2.5.4.3":
+            return "CN";
+        case "2.5.4.6":
+            return "C";
+        case "2.5.4.7":
+            return "L";
+        case "2.5.4.8":
+            return "ST";
+        case "2.5.4.10":
+            return "O";
+        case "2.5.4.11":
+            return "OU";
+        default:
+            return oid;
+    }
+}
+function concatBytes(chunks) {
+    const totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
+    const result = new Uint8Array(totalLength);
+    let offset = 0;
+    for (const chunk of chunks) {
+        result.set(chunk, offset);
+        offset += chunk.length;
+    }
+    return result;
+}
+function decodeBase64$2(input) {
+    if (typeof Buffer !== "undefined") {
+        const normalized = input.replace(/\s+/gu, "");
+        return new Uint8Array(Buffer.from(normalized, "base64"));
+    }
+    if (typeof atob === "function") {
+        const normalized = input.replace(/\s+/gu, "");
+        const binary = atob(normalized);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i += 1) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+    throw new Error("No base64 decoder available in this environment");
+}
+function toHex(data) {
+    return Array.from(data)
+        .map((byte) => byte.toString(16).padStart(2, "0"))
+        .join("");
+}
+function buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints) {
+    const chainHash = toHex(sha2_js.sha256(chainBytes));
+    const trustHash = trustStorePem
+        ? toHex(sha2_js.sha256(textEncoder.encode(trustStorePem)))
+        : "no-trust";
+    const constraintFlag = enforceNameConstraints ? "nc1" : "nc0";
+    return `${chainHash}|${trustHash}|${constraintFlag}`;
+}
+function getCachedPublicKey(cacheKey) {
+    const entry = trustCache.get(cacheKey);
+    if (!entry) {
+        return null;
+    }
+    if (Date.now() > entry.expiresAt) {
+        trustCache.delete(cacheKey);
+        logger$g.debug("certificate_cache_expired", { cache_key: cacheKey });
+        return null;
+    }
+    return entry.value.slice();
+}
+function setCachedPublicKey(cacheKey, value, notAfter) {
+    while (trustCache.size >= CACHE_LIMIT) {
+        const firstKey = trustCache.keys().next().value;
+        if (firstKey === undefined) {
+            break;
+        }
+        trustCache.delete(firstKey);
+        logger$g.debug("certificate_cache_evicted", { cache_key: firstKey });
+    }
+    trustCache.set(cacheKey, {
+        value: value.slice(),
+        expiresAt: notAfter.getTime(),
+    });
+    logger$g.debug("certificate_cache_stored", {
+        cache_key: cacheKey,
+        expires_at: notAfter.toISOString(),
+        cache_size: trustCache.size,
+    });
+}
+function normalizeTrustStoreOption(value) {
+    if (!value) {
+        return null;
+    }
+    const trimmed = value.trim();
+    if (trimmed.length === 0) {
+        return null;
+    }
+    if (!trimmed.includes("-----BEGIN CERTIFICATE-----")) {
+        throw new Error("trustStorePem must contain PEM-encoded certificates when provided");
+    }
+    return normalizePem$2(trimmed);
+}
+function normalizePem$2(pem) {
+    return pem.replace(/\r/gu, "").trim();
+}
+function generateCallId() {
+    return Math.random().toString(36).slice(2, 10);
+}
+
+const GRANT_PURPOSE_CA_SIGN = "ca_sign";
+
+const ED25519_OID$2 = "1.3.101.112";
+const OID_COMMON_NAME$2 = "2.5.4.3";
+const LOGICAL_URI_PREFIX$1 = "naylence://";
+function ensureSubtleCrypto() {
+    const instance = globalThis.crypto?.subtle;
+    if (!instance) {
+        throw new Error("WebCrypto subtle API is required to create a CSR");
+    }
+    return instance;
+}
+function buildSubject(commonName) {
+    if (!commonName || typeof commonName !== "string") {
+        throw new Error("commonName must be a non-empty string");
+    }
+    return new asn1X509.Name([
+        new asn1X509.RelativeDistinguishedName([
+            new asn1X509.AttributeTypeAndValue({
+                type: OID_COMMON_NAME$2,
+                value: new asn1X509.AttributeValue({ utf8String: commonName }),
+            }),
+        ]),
+    ]);
+}
+function arrayBufferToBase64(buffer) {
+    const bytes = new Uint8Array(buffer);
+    if (typeof globalThis.Buffer?.from === "function") {
+        return globalThis.Buffer.from(bytes).toString("base64");
+    }
+    let binary = "";
+    const chunkSize = 0x8000;
+    for (let offset = 0; offset < bytes.length; offset += chunkSize) {
+        const slice = bytes.subarray(offset, offset + chunkSize);
+        binary += String.fromCharCode(...slice);
+    }
+    if (typeof globalThis.btoa !== "function") {
+        throw new Error("Base64 encoding not available in this environment");
+    }
+    return globalThis.btoa(binary);
+}
+function derToPem$1(der, label) {
+    const base64 = arrayBufferToBase64(der);
+    const lines = [];
+    for (let index = 0; index < base64.length; index += 64) {
+        lines.push(base64.slice(index, index + 64));
+    }
+    return `-----BEGIN ${label}-----\n${lines.join("\n")}\n-----END ${label}-----\n`;
+}
+async function createEd25519Csr(options) {
+    const subtle = ensureSubtleCrypto();
+    const { privateKey, publicKey, commonName } = options;
+    if (!(privateKey instanceof CryptoKey) || privateKey.type !== "private") {
+        throw new Error("privateKey must be a CryptoKey of type 'private'");
+    }
+    if (!(publicKey instanceof CryptoKey) || publicKey.type !== "public") {
+        throw new Error("publicKey must be a CryptoKey of type 'public'");
+    }
+    const subject = buildSubject(commonName);
+    const spkiDer = await subtle.exportKey("spki", publicKey);
+    const subjectPublicKeyInfo = asn1Schema.AsnConvert.parse(spkiDer, asn1X509.SubjectPublicKeyInfo);
+    const attributes = new asn1Csr.Attributes();
+    const sanitizedLogicals = Array.isArray(options.logicals)
+        ? options.logicals
+            .map((logical) => logical.trim())
+            .filter((logical) => logical.length > 0)
+        : [];
+    if (sanitizedLogicals.length > 0) {
+        const san = new asn1X509.SubjectAlternativeName(sanitizedLogicals.map((logical) => new asn1X509.GeneralName({
+            uniformResourceIdentifier: `${LOGICAL_URI_PREFIX$1}${logical}`,
+        })));
+        const extensions = new asn1X509.Extensions([
+            new asn1X509.Extension({
+                extnID: asn1X509.id_ce_subjectAltName,
+                critical: false,
                 extnValue: new asn1Schema.OctetString(asn1Schema.AsnConvert.serialize(san)),
             }),
         ]);
@@ -688,7 +1213,7 @@ const NODE_ID_OID = "1.3.6.1.4.1.58530.4";
  * Provides async HTTP client to request certificates from the CA signing service.
  */
 // Simple logger for now - TODO: integrate with runtime logging
-const logger$g = {
+const logger$f = {
     debug: (_event, _meta) => {
         // console.log(`[DEBUG] ${event}`, meta);
     },
@@ -1160,13 +1685,13 @@ class CAServiceClient {
                     const result = await response.json();
                     const certificatePem = result.certificate_pem;
                     const certificateChainPem = result.certificate_chain_pem || certificatePem;
-                    logger$g.debug("certificate_request_successful", {
+                    logger$f.debug("certificate_request_successful", {
                         requester_id: requesterId,
                         expires_at: result.expires_at,
                     });
                     // Extract and log certificate information with structured logging
                     const certInfo = extractCertificateInfo(certificatePem);
-                    logger$g.debug("certificate_details", {
+                    logger$f.debug("certificate_details", {
                         requester_id: requesterId,
                         certificate_type: "issued_certificate",
                         ...certInfo,
@@ -1185,7 +1710,7 @@ class CAServiceClient {
                                     // First cert in chain is usually the issued certificate
                                     if (certPemBlock.trim() !== certificatePem.trim()) {
                                         const chainCertInfo = extractCertificateInfo(certPemBlock);
-                                        logger$g.debug("certificate_chain_details", {
+                                        logger$f.debug("certificate_chain_details", {
                                             requester_id: requesterId,
                                             certificate_type: "certificate_chain",
                                             chain_index: i,
@@ -1196,7 +1721,7 @@ class CAServiceClient {
                                 else {
                                     // Subsequent certs are intermediate/root CAs
                                     const caCertInfo = extractCertificateInfo(certPemBlock);
-                                    logger$g.debug("certificate_chain_details", {
+                                    logger$f.debug("certificate_chain_details", {
                                         requester_id: requesterId,
                                         certificate_type: "ca_certificate",
                                         chain_index: i,
@@ -1224,7 +1749,7 @@ class CAServiceClient {
                         // Body read failed entirely
                         errorDetail = `HTTP ${response.status}`;
                     }
-                    logger$g.error("certificate_request_failed", {
+                    logger$f.error("certificate_request_failed", {
                         requester_id: requesterId,
                         status_code: response.status,
                         error: errorDetail,
@@ -1241,13 +1766,13 @@ class CAServiceClient {
                 throw error;
             }
             if (error instanceof Error && error.name === "AbortError") {
-                logger$g.error("certificate_request_timeout", {
+                logger$f.error("certificate_request_timeout", {
                     requester_id: requesterId,
                     timeout_seconds: this.timeoutSeconds,
                 });
                 throw new CertificateRequestError(`Certificate request timed out after ${this.timeoutSeconds} seconds`);
             }
-            logger$g.error("certificate_request_network_error", {
+            logger$f.error("certificate_request_network_error", {
                 requester_id: requesterId,
                 error: String(error),
             });
@@ -1256,7 +1781,7 @@ class CAServiceClient {
     }
 }
 
-const logger$f = runtime.getLogger("naylence.fame.security.encryption.sealed.x25519_encryption_manager");
+const logger$e = runtime.getLogger("naylence.fame.security.encryption.sealed.x25519_encryption_manager");
 class X25519EncryptionManager {
     constructor({ keyProvider, nodeLike = null, cryptoProvider = null, }) {
         this.pendingEnvelopes = new Map();
@@ -1273,7 +1798,7 @@ class X25519EncryptionManager {
         // KeyManagementHandler will queue the envelope and send KeyRequest.
         // X25519 should NOT queue here to avoid dual queueing.
         if (opts?.requestAddress) {
-            logger$f.debug("key_not_found_delegating_to_key_management", {
+            logger$e.debug("key_not_found_delegating_to_key_management", {
                 envelope_id: envelope.id,
                 request_address: String(opts.requestAddress),
             });
@@ -1289,7 +1814,7 @@ class X25519EncryptionManager {
             return await this.encryptWithKey(envelope, recipPub, recipKid);
         }
         catch (error) {
-            logger$f.error("x25519_encryption_failed", {
+            logger$e.error("x25519_encryption_failed", {
                 error: error instanceof Error ? error.message : String(error),
             });
             return runtime.EncryptionResult.skipped(envelope);
@@ -1327,20 +1852,20 @@ class X25519EncryptionManager {
             return envelope;
         }
         catch (error) {
-            logger$f.error("x25519_decryption_failed", {
+            logger$e.error("x25519_decryption_failed", {
                 error: error instanceof Error ? error.message : String(error),
             });
             return envelope;
         }
     }
     async notifyKeyAvailable(keyId) {
-        logger$f.debug("x25519_notify_key_available_called", {
+        logger$e.debug("x25519_notify_key_available_called", {
             key_id: keyId,
             pending_keys: Array.from(this.pendingEnvelopes.keys()),
         });
         const queued = this.pendingEnvelopes.get(keyId);
         if (!queued || queued.length === 0) {
-            logger$f.debug("no_queued_envelopes_for_key", {
+            logger$e.debug("no_queued_envelopes_for_key", {
                 key_id: keyId,
                 has_queue: this.pendingEnvelopes.has(keyId),
                 queue_length: queued?.length ?? 0,
@@ -1352,13 +1877,13 @@ class X25519EncryptionManager {
         this.keyRequestsInProgress.delete(keyId);
         const node = this.nodeLike;
         if (!node) {
-            logger$f.debug("discarding_queued_envelopes_no_node", {
+            logger$e.debug("discarding_queued_envelopes_no_node", {
                 key_id: keyId,
                 count: queued.length,
             });
             return;
         }
-        logger$f.debug("replaying_envelopes_for_key", {
+        logger$e.debug("replaying_envelopes_for_key", {
             key_id: keyId,
             count: queued.length,
         });
@@ -1367,7 +1892,7 @@ class X25519EncryptionManager {
                 await node.deliver(envelope);
             }
             catch (error) {
-                logger$f.error("failed_to_replay_envelope", {
+                logger$e.error("failed_to_replay_envelope", {
                     key_id: keyId,
                     envelope_id: envelope.id,
                     error: error instanceof Error ? error.message : String(error),
@@ -1468,7 +1993,7 @@ class X25519EncryptionManager {
                 ? this.extractPrivateKeyFromRecord(providerRecord)
                 : null;
             if (providerRecordKey) {
-                logger$f.debug("using_provider_key_record_private_key", {
+                logger$e.debug("using_provider_key_record_private_key", {
                     kid,
                     provider_key_id: providerKeyId,
                     mismatched_kid: kid && providerKeyId !== kid ? kid : null,
@@ -1478,7 +2003,7 @@ class X25519EncryptionManager {
         }
         if (!providerPem) {
             if (kid && providerKeyId && providerKeyId !== kid) {
-                logger$f.debug("crypto_provider_key_id_mismatch_no_private_key", {
+                logger$e.debug("crypto_provider_key_id_mismatch_no_private_key", {
                     kid,
                     provider_key_id: providerKeyId,
                 });
@@ -1490,13 +2015,13 @@ class X25519EncryptionManager {
             return null;
         }
         if (!kid || providerKeyId === kid) {
-            logger$f.debug("using_crypto_provider_private_key_fallback", {
+            logger$e.debug("using_crypto_provider_private_key_fallback", {
                 kid: kid ?? null,
                 provider_key_id: providerKeyId,
             });
         }
         else {
-            logger$f.warning("crypto_provider_key_id_mismatch_using_private_key", {
+            logger$e.warning("crypto_provider_key_id_mismatch_using_private_key", {
                 kid,
                 provider_key_id: providerKeyId,
                 key_record_present: Boolean(record),
@@ -1505,7 +2030,7 @@ class X25519EncryptionManager {
         return fallbackKey;
     }
     async queueEnvelopeForKey(envelope, opts, recipientKeyId) {
-        logger$f.debug("queueing_envelope_for_sealed_encryption", {
+        logger$e.debug("queueing_envelope_for_sealed_encryption", {
             envelope_id: envelope.id,
             recipient_key_id: recipientKeyId,
             request_address: opts?.requestAddress
@@ -1553,7 +2078,7 @@ class X25519EncryptionManager {
             await node.deliver(keyRequestEnvelope, context);
         }
         catch (error) {
-            logger$f.error("failed_to_request_recipient_key", {
+            logger$e.error("failed_to_request_recipient_key", {
                 recipient_key_id: recipientKeyId,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -1566,7 +2091,7 @@ class X25519EncryptionManager {
             return this.extractPublicKeyFromRecord(record);
         }
         catch (error) {
-            logger$f.debug("recipient_key_lookup_failed", {
+            logger$e.debug("recipient_key_lookup_failed", {
                 kid,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -1581,7 +2106,7 @@ class X25519EncryptionManager {
             return await this.keyProvider.getKey(kid);
         }
         catch (error) {
-            logger$f.debug("private_key_lookup_failed", {
+            logger$e.debug("private_key_lookup_failed", {
                 kid,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -1652,7 +2177,7 @@ class X25519EncryptionManager {
         const base64 = base64Lines.join("");
         const der = this.decodeBase64Flexible(base64);
         if (!der) {
-            logger$f.debug("pem_decode_failed", {
+            logger$e.debug("pem_decode_failed", {
                 key_type: keyType,
             });
             return null;
@@ -1885,7 +2410,7 @@ var index$1 = /*#__PURE__*/Object.freeze({
     X25519EncryptionManagerFactory: X25519EncryptionManagerFactory
 });
 
-const logger$e = runtime.getLogger("naylence.fame.security.encryption.channel.channel_encryption_manager");
+const logger$d = runtime.getLogger("naylence.fame.security.encryption.channel.channel_encryption_manager");
 const SUPPORTED_CHANNEL_ALGORITHMS = ["chacha20-poly1305-channel"];
 const CHANNEL_ENCRYPTION_ALGORITHM = "chacha20-poly1305-channel";
 const HANDSHAKE_ALGORITHM = "CHACHA20P1305";
@@ -2036,13 +2561,13 @@ class ChannelEncryptionManager {
         const destination = opts?.destination ?? envelope.to ?? null;
         const destinationStr = toDestinationString(destination);
         if (!destinationStr) {
-            logger$e.warning("no_destination_for_channel_encryption", {
+            logger$d.warning("no_destination_for_channel_encryption", {
                 envelope_id: envelope.id,
             });
             return runtime.EncryptionResult.skipped(envelope);
         }
         if (!this.secureChannelManager) {
-            logger$e.warning("no_secure_channel_manager_available", {
+            logger$d.warning("no_secure_channel_manager_available", {
                 envelope_id: envelope.id,
             });
             return runtime.EncryptionResult.skipped(envelope);
@@ -2053,7 +2578,7 @@ class ChannelEncryptionManager {
                 return this.encryptWithChannel(envelope, existingChannelId);
             }
             catch (error) {
-                logger$e.error("channel_encryption_failed", {
+                logger$d.error("channel_encryption_failed", {
                     error: error instanceof Error ? error.message : String(error),
                     channel_id: existingChannelId,
                 });
@@ -2080,35 +2605,35 @@ class ChannelEncryptionManager {
         }
         const channelId = encHeader.kid;
         if (!channelId) {
-            logger$e.error("missing_channel_id_in_encryption_header", {
+            logger$d.error("missing_channel_id_in_encryption_header", {
                 envelope_id: envelope.id,
             });
             return envelope;
         }
         const nonce = this.decodeNonceValue(encHeader.val ?? "");
         if (!nonce) {
-            logger$e.error("invalid_nonce_in_encryption_header", {
+            logger$d.error("invalid_nonce_in_encryption_header", {
                 envelope_id: envelope.id,
                 value_present: Boolean(encHeader.val),
             });
             return envelope;
         }
         if (!this.secureChannelManager) {
-            logger$e.warning("no_secure_channel_manager_for_decryption", {
+            logger$d.warning("no_secure_channel_manager_for_decryption", {
                 envelope_id: envelope.id,
             });
             return envelope;
         }
         const channelState = this.getChannelState(channelId);
         if (!channelState) {
-            logger$e.error("channel_not_available_for_decryption", {
+            logger$d.error("channel_not_available_for_decryption", {
                 channel_id: channelId,
             });
             return envelope;
         }
         const ciphertext = this.extractCiphertext(frame.payload);
         if (!ciphertext) {
-            logger$e.error("invalid_ciphertext_payload", { envelope_id: envelope.id });
+            logger$d.error("invalid_ciphertext_payload", { envelope_id: envelope.id });
             return envelope;
         }
         try {
@@ -2133,7 +2658,7 @@ class ChannelEncryptionManager {
             return envelope;
         }
         catch (error) {
-            logger$e.error("channel_decryption_failed", {
+            logger$d.error("channel_decryption_failed", {
                 channel_id: channelId,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -2141,24 +2666,24 @@ class ChannelEncryptionManager {
         }
     }
     async notifyChannelEstablished(channelId) {
-        logger$e.debug("channel_encryption_manager_notified", {
+        logger$d.debug("channel_encryption_manager_notified", {
             channel_id: channelId,
             manager_type: "channel",
         });
         if (!channelId.startsWith("auto-")) {
-            logger$e.warning("unexpected_channel_id_format", { channel_id: channelId });
+            logger$d.warning("unexpected_channel_id_format", { channel_id: channelId });
             return;
         }
         const destinationStr = this.extractDestinationFromChannelId(channelId);
         if (!destinationStr) {
-            logger$e.warning("cannot_parse_destination_from_channel_id", {
+            logger$d.warning("cannot_parse_destination_from_channel_id", {
                 channel_id: channelId,
             });
             return;
         }
         this.handshakeInProgress.delete(destinationStr);
         if (!this.pendingEnvelopes.has(destinationStr)) {
-            logger$e.debug("no_pending_queue_for_destination", {
+            logger$d.debug("no_pending_queue_for_destination", {
                 destination: destinationStr,
             });
             return;
@@ -2166,7 +2691,7 @@ class ChannelEncryptionManager {
         const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr) ?? [];
         this.pendingEnvelopes.delete(destinationStr);
         if (!this.secureChannelManager) {
-            logger$e.error("no_secure_channel_manager_for_queue_drain", {
+            logger$d.error("no_secure_channel_manager_for_queue_drain", {
                 channel_id: channelId,
             });
             return;
@@ -2175,7 +2700,7 @@ class ChannelEncryptionManager {
             try {
                 const result = this.encryptWithChannel(envelope, channelId);
                 if (!result.envelope) {
-                    logger$e.warning("failed_to_encrypt_queued_envelope", {
+                    logger$d.warning("failed_to_encrypt_queued_envelope", {
                         envelope_id: envelope.id,
                         channel_id: channelId,
                     });
@@ -2185,7 +2710,7 @@ class ChannelEncryptionManager {
                 this.runAsyncTask(() => this.deliverEnvelope(encryptedEnvelope), `deliver-queued-${envelope.id}`);
             }
             catch (error) {
-                logger$e.error("failed_to_encrypt_queued_envelope", {
+                logger$d.error("failed_to_encrypt_queued_envelope", {
                     envelope_id: envelope.id,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -2193,19 +2718,19 @@ class ChannelEncryptionManager {
         }
     }
     async notifyChannelFailed(channelId, reason = "handshake_failed") {
-        logger$e.debug("channel_encryption_manager_notified_failure", {
+        logger$d.debug("channel_encryption_manager_notified_failure", {
             channel_id: channelId,
             reason,
         });
         if (!channelId.startsWith("auto-")) {
-            logger$e.warning("unexpected_channel_id_format_on_failure", {
+            logger$d.warning("unexpected_channel_id_format_on_failure", {
                 channel_id: channelId,
             });
             return;
         }
         const destinationStr = this.extractDestinationFromChannelId(channelId);
         if (!destinationStr) {
-            logger$e.warning("cannot_parse_destination_from_channel_id_on_failure", {
+            logger$d.warning("cannot_parse_destination_from_channel_id_on_failure", {
                 channel_id: channelId,
             });
             return;
@@ -2215,14 +2740,14 @@ class ChannelEncryptionManager {
         const cachedChannelId = this.addrChannelMap.get(destinationStr);
         if (cachedChannelId === channelId) {
             this.addrChannelMap.delete(destinationStr);
-            logger$e.debug("cleared_channel_cache_for_failed_channel", {
+            logger$d.debug("cleared_channel_cache_for_failed_channel", {
                 destination: destinationStr,
                 channel_id: channelId,
             });
         }
         const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr);
         if (!queuedEnvelopes || queuedEnvelopes.length === 0) {
-            logger$e.debug("no_pending_queue_for_failed_destination", {
+            logger$d.debug("no_pending_queue_for_failed_destination", {
                 destination: destinationStr,
             });
             return;
@@ -2241,7 +2766,7 @@ class ChannelEncryptionManager {
         const cached = this.addrChannelMap.get(destination);
         if (cached) {
             this.addrChannelMap.delete(destination);
-            logger$e.debug("cleared_channel_cache_for_destination", {
+            logger$d.debug("cleared_channel_cache_for_destination", {
                 destination,
                 cached_channel_id: cached,
             });
@@ -2259,14 +2784,14 @@ class ChannelEncryptionManager {
         }
         const cached = this.addrChannelMap.get(destination);
         if (cached && this.getChannelState(cached)) {
-            logger$e.debug("using_cached_channel", { destination, channel_id: cached });
+            logger$d.debug("using_cached_channel", { destination, channel_id: cached });
             return cached;
         }
         const channels = this.secureChannelManager.channels;
         for (const channelId of Object.keys(channels)) {
             if (channelId.startsWith(`auto-${destination}-`)) {
                 this.addrChannelMap.set(destination, channelId);
-                logger$e.debug("using_existing_channel", {
+                logger$d.debug("using_existing_channel", {
                     destination,
                     channel_id: channelId,
                 });
@@ -2279,12 +2804,12 @@ class ChannelEncryptionManager {
         const queue = this.pendingEnvelopes.get(destinationStr) ?? [];
         queue.push(envelope);
         this.pendingEnvelopes.set(destinationStr, queue);
-        logger$e.debug("queued_envelope_for_channel_handshake", {
+        logger$d.debug("queued_envelope_for_channel_handshake", {
             envelope_id: envelope.id,
             destination: destinationStr,
         });
         if (this.handshakeInProgress.has(destinationStr)) {
-            logger$e.debug("handshake_already_in_progress", {
+            logger$d.debug("handshake_already_in_progress", {
                 destination: destinationStr,
             });
             return;
@@ -2302,7 +2827,7 @@ class ChannelEncryptionManager {
     }
     async initiateChannelHandshakeAsync(destination, destinationStr, opts) {
         if (!this.secureChannelManager) {
-            logger$e.error("no_secure_channel_manager_for_async_handshake_initiation");
+            logger$d.error("no_secure_channel_manager_for_async_handshake_initiation");
             return;
         }
         const channelId = this.generateChannelId(destinationStr);
@@ -2310,19 +2835,19 @@ class ChannelEncryptionManager {
             const openFrame = this.secureChannelManager.generateOpenFrame(channelId, HANDSHAKE_ALGORITHM);
             const success = await this.sendSecureOpenFrameAsync(openFrame, destination);
             if (success) {
-                logger$e.debug("sent_secure_open_frame_async", {
+                logger$d.debug("sent_secure_open_frame_async", {
                     channel_id: channelId,
                     destination: destinationStr,
                 });
             }
             else {
-                logger$e.warning("failed_to_send_secure_open_frame_async", {
+                logger$d.warning("failed_to_send_secure_open_frame_async", {
                     channel_id: channelId,
                 });
             }
         }
         catch (error) {
-            logger$e.error("async_channel_handshake_initiation_failed", {
+            logger$d.error("async_channel_handshake_initiation_failed", {
                 destination: destinationStr,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -2331,22 +2856,22 @@ class ChannelEncryptionManager {
     async sendSecureOpenFrameAsync(openFrame, destination) {
         const node = this.nodeLike;
         if (!node) {
-            logger$e.error("no_node_available_for_sending_secure_open_async");
+            logger$d.error("no_node_available_for_sending_secure_open_async");
             return false;
         }
         const envelopeFactory = node.envelopeFactory;
         if (!envelopeFactory) {
-            logger$e.error("no_envelope_factory_available_for_secure_open_async");
+            logger$d.error("no_envelope_factory_available_for_secure_open_async");
             return false;
         }
         const replyTo = this.buildSystemReplyTo();
         if (!replyTo) {
-            logger$e.error("no_physical_path_available_for_reply_to_async");
+            logger$d.error("no_physical_path_available_for_reply_to_async");
             return false;
         }
         const toAddress = toFameAddress(destination);
         if (!toAddress) {
-            logger$e.error("invalid_destination_for_secure_open", {
+            logger$d.error("invalid_destination_for_secure_open", {
                 destination: String(destination),
             });
             return false;
@@ -2358,7 +2883,7 @@ class ChannelEncryptionManager {
             corrId: core.generateId(),
         });
         await this.deliverEnvelope(envelope);
-        logger$e.debug("delivered_secure_open_frame_async", {
+        logger$d.debug("delivered_secure_open_frame_async", {
             channel_id: openFrame.cid,
         });
         return true;
@@ -2366,7 +2891,7 @@ class ChannelEncryptionManager {
     async deliverEnvelope(envelope) {
         const node = this.nodeLike;
         if (!node) {
-            logger$e.error("no_node_available_for_delivery", {
+            logger$d.error("no_node_available_for_delivery", {
                 envelope_id: envelope.id,
             });
             return;
@@ -2376,19 +2901,19 @@ class ChannelEncryptionManager {
     }
     encryptWithChannel(envelope, channelId) {
         if (!this.secureChannelManager) {
-            logger$e.error("no_secure_channel_manager_for_encryption");
+            logger$d.error("no_secure_channel_manager_for_encryption");
             return runtime.EncryptionResult.skipped(envelope);
         }
         const frame = envelope.frame;
         if (!this.isDataFrame(frame)) {
-            logger$e.error("attempted_to_encrypt_non_dataframe", {
+            logger$d.error("attempted_to_encrypt_non_dataframe", {
                 frame_type: frame.type ?? typeof frame,
             });
             return runtime.EncryptionResult.skipped(envelope);
         }
         const channelState = this.getChannelState(channelId);
         if (!channelState) {
-            logger$e.error("channel_not_in_channels", { channel_id: channelId });
+            logger$d.error("channel_not_in_channels", { channel_id: channelId });
             return runtime.EncryptionResult.skipped(envelope);
         }
         const payloadBytes = this.serializePayload(frame.payload);
@@ -2447,7 +2972,7 @@ class ChannelEncryptionManager {
                 return decodeBase64$1(payload);
             }
             catch (error) {
-                logger$e.error("failed_to_decode_base64_ciphertext", {
+                logger$d.error("failed_to_decode_base64_ciphertext", {
                     error: error instanceof Error ? error.message : String(error),
                 });
                 return null;
@@ -2477,7 +3002,7 @@ class ChannelEncryptionManager {
         return parts.slice(1, -1).join("-");
     }
     async handleFailedEnvelope(envelope, destinationStr, channelId, reason) {
-        logger$e.warning("envelope_failed_due_to_channel_handshake_failure", {
+        logger$d.warning("envelope_failed_due_to_channel_handshake_failure", {
             envelope_id: envelope.id,
             destination: destinationStr,
             channel_id: channelId,
@@ -2485,14 +3010,14 @@ class ChannelEncryptionManager {
         });
         const frame = envelope.frame;
         if (!this.isDataFrame(frame)) {
-            logger$e.debug("skipping_nack_for_non_dataframe", {
+            logger$d.debug("skipping_nack_for_non_dataframe", {
                 envelope_id: envelope.id,
                 frame_type: frame.type ?? typeof frame,
             });
             return;
         }
         if (!envelope.replyTo) {
-            logger$e.debug("skipping_nack_no_reply_to", { envelope_id: envelope.id });
+            logger$d.debug("skipping_nack_no_reply_to", { envelope_id: envelope.id });
             return;
         }
         await this.sendDeliveryNack(envelope, `channel_handshake_failed: ${reason}`);
@@ -2500,17 +3025,17 @@ class ChannelEncryptionManager {
     async sendDeliveryNack(envelope, failureReason) {
         const node = this.nodeLike;
         if (!node) {
-            logger$e.error("no_node_available_for_sending_delivery_nack");
+            logger$d.error("no_node_available_for_sending_delivery_nack");
             return;
         }
         const envelopeFactory = node.envelopeFactory;
         if (!envelopeFactory) {
-            logger$e.error("no_envelope_factory_available_for_delivery_nack");
+            logger$d.error("no_envelope_factory_available_for_delivery_nack");
             return;
         }
         const replyTo = toFameAddress(envelope.replyTo ?? null);
         if (!replyTo) {
-            logger$e.error("invalid_reply_to_for_delivery_nack", {
+            logger$d.error("invalid_reply_to_for_delivery_nack", {
                 reply_to: envelope.replyTo,
             });
             return;
@@ -2527,7 +3052,7 @@ class ChannelEncryptionManager {
             corrId: envelope.corrId ?? core.generateId(),
         });
         await this.deliverEnvelope(nackEnvelope);
-        logger$e.debug("delivered_delivery_nack", {
+        logger$d.debug("delivered_delivery_nack", {
             original_envelope_id: envelope.id,
             nack_envelope_id: nackEnvelope.id,
         });
@@ -2565,7 +3090,7 @@ class ChannelEncryptionManager {
                 await task();
             }
             catch (error) {
-                logger$e.error("async_task_failed", {
+                logger$d.error("async_task_failed", {
                     task_name: name,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -2619,7 +3144,7 @@ class ChannelEncryptionManager {
     }
 }
 
-const logger$d = runtime.getLogger("naylence.fame.security.encryption.channel.channel_encryption_manager_factory");
+const logger$c = runtime.getLogger("naylence.fame.security.encryption.channel.channel_encryption_manager_factory");
 const DEFAULT_SUPPORTED_ALGORITHMS = ["chacha20-poly1305-channel"];
 const FACTORY_META$c = {
     base: runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE,
@@ -2651,7 +3176,7 @@ class ChannelEncryptionManagerFactory extends runtime.EncryptionManagerFactory {
     async create(_config, ...factoryArgs) {
         const [dependencies] = factoryArgs;
         const resolvedDependencies = this.resolveDependencies(dependencies);
-        logger$d.debug("creating_channel_encryption_manager", {
+        logger$c.debug("creating_channel_encryption_manager", {
             has_secure_channel_manager: Boolean(resolvedDependencies.secureChannelManager),
             has_node_like: Boolean(resolvedDependencies.nodeLike),
             has_task_spawner: Boolean(resolvedDependencies.taskSpawner),
@@ -2713,7 +3238,7 @@ var index = /*#__PURE__*/Object.freeze({
     ChannelEncryptionManagerFactory: ChannelEncryptionManagerFactory
 });
 
-const logger$c = runtime.getLogger("naylence.fame.security.encryption.default_secure_channel_manager");
+const logger$b = runtime.getLogger("naylence.fame.security.encryption.default_secure_channel_manager");
 const DEFAULT_ALGORITHM = "CHACHA20P1305";
 const CHANNEL_KEY_LENGTH = 32;
 const NONCE_PREFIX_LENGTH = 4;
@@ -2760,7 +3285,7 @@ class DefaultSecureChannelManager {
         const privateKey = ed25519_js.x25519.utils.randomSecretKey();
         const publicKey = ed25519_js.x25519.scalarMultBase(privateKey);
         this.ephemeralKeys.set(channelId, privateKey);
-        logger$c.debug("generated_channel_open", { cid: channelId, algorithm });
+        logger$b.debug("generated_channel_open", { cid: channelId, algorithm });
         return {
             type: "SecureOpen",
             cid: channelId,
@@ -2773,7 +3298,7 @@ class DefaultSecureChannelManager {
         runtime.requireCryptoSupport();
         const algorithm = frame.alg || DEFAULT_ALGORITHM;
         if (!this.isSupportedAlgorithm(algorithm)) {
-            logger$c.warning("unsupported_channel_algorithm", {
+            logger$b.warning("unsupported_channel_algorithm", {
                 cid: frame.cid,
                 alg: algorithm,
             });
@@ -2791,7 +3316,7 @@ class DefaultSecureChannelManager {
             peerPublicKey = decodeBase64(frame.ephPub);
         }
         catch (error) {
-            logger$c.warning("invalid_peer_public_key", {
+            logger$b.warning("invalid_peer_public_key", {
                 cid: frame.cid,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -2813,7 +3338,7 @@ class DefaultSecureChannelManager {
             algorithm,
         });
         this.channelsMap.set(frame.cid, channelState);
-        logger$c.debug("channel_established", { cid: frame.cid, algorithm });
+        logger$b.debug("channel_established", { cid: frame.cid, algorithm });
         myPrivateKey.fill(0);
         sharedSecret.fill(0);
         return {
@@ -2827,7 +3352,7 @@ class DefaultSecureChannelManager {
     async handleAcceptFrame(frame) {
         runtime.requireCryptoSupport();
         if (frame.ok === false) {
-            logger$c.warning("channel_rejected", {
+            logger$b.warning("channel_rejected", {
                 cid: frame.cid,
                 error: frame.reason,
             });
@@ -2836,7 +3361,7 @@ class DefaultSecureChannelManager {
         }
         const privateKey = this.ephemeralKeys.get(frame.cid);
         if (!privateKey) {
-            logger$c.error("no_ephemeral_key", { cid: frame.cid });
+            logger$b.error("no_ephemeral_key", { cid: frame.cid });
             return false;
         }
         let peerPublicKey;
@@ -2844,7 +3369,7 @@ class DefaultSecureChannelManager {
             peerPublicKey = decodeBase64(frame.ephPub);
         }
         catch (error) {
-            logger$c.warning("invalid_accept_public_key", {
+            logger$b.warning("invalid_accept_public_key", {
                 cid: frame.cid,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -2859,17 +3384,17 @@ class DefaultSecureChannelManager {
             algorithm,
         });
         this.channelsMap.set(frame.cid, channelState);
-        logger$c.debug("channel_completed", { cid: frame.cid, algorithm });
+        logger$b.debug("channel_completed", { cid: frame.cid, algorithm });
         sharedSecret.fill(0);
         this.cleanupEphemeralKey(frame.cid);
         return true;
     }
     handleCloseFrame(frame) {
         if (this.channelsMap.delete(frame.cid)) {
-            logger$c.debug("channel_closed", { cid: frame.cid, reason: frame.reason });
+            logger$b.debug("channel_closed", { cid: frame.cid, reason: frame.reason });
         }
         else {
-            logger$c.warning("close_unknown_channel", { cid: frame.cid });
+            logger$b.warning("close_unknown_channel", { cid: frame.cid });
         }
         this.cleanupEphemeralKey(frame.cid);
     }
@@ -2896,7 +3421,7 @@ class DefaultSecureChannelManager {
     }
     closeChannel(channelId, reason = "User requested") {
         if (this.channelsMap.delete(channelId)) {
-            logger$c.debug("channel_closed_by_user", { cid: channelId, reason });
+            logger$b.debug("channel_closed_by_user", { cid: channelId, reason });
         }
         this.cleanupEphemeralKey(channelId);
         return {
@@ -2913,7 +3438,7 @@ class DefaultSecureChannelManager {
                 this.channelsMap.delete(channelId);
                 this.cleanupEphemeralKey(channelId);
                 removed += 1;
-                logger$c.debug("channel_expired_cleanup", { cid: channelId });
+                logger$b.debug("channel_expired_cleanup", { cid: channelId });
             }
         }
         return removed;
@@ -2942,7 +3467,7 @@ class DefaultSecureChannelManager {
             if (channelId.startsWith(prefix)) {
                 if (this.removeChannel(channelId)) {
                     removed += 1;
-                    logger$c.debug("removed_channel_for_destination", {
+                    logger$b.debug("removed_channel_for_destination", {
                         channel_id: channelId,
                         destination,
                     });
@@ -2950,7 +3475,7 @@ class DefaultSecureChannelManager {
             }
         }
         if (removed > 0) {
-            logger$c.info("cleanup_channels_for_destination", {
+            logger$b.info("cleanup_channels_for_destination", {
                 destination,
                 channels_removed: removed,
             });
@@ -3022,187 +3547,26 @@ class DefaultSecureChannelManagerFactory extends runtime.SecureChannelManagerFac
         }
         return undefined;
     }
-    toPositiveNumber(value) {
-        if (typeof value === "number" && Number.isFinite(value) && value > 0) {
-            return value;
-        }
-        if (typeof value === "string" && value.trim() !== "") {
-            const parsed = Number(value);
-            if (Number.isFinite(parsed) && parsed > 0) {
-                return parsed;
-            }
-        }
-        return undefined;
-    }
-}
-
-var defaultSecureChannelManagerFactory = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    DefaultSecureChannelManagerFactory: DefaultSecureChannelManagerFactory,
-    FACTORY_META: FACTORY_META$b,
-    default: DefaultSecureChannelManagerFactory
-});
-
-const logger$b = runtime.getLogger("naylence.fame.security.encryption.encryption_manager_registry");
-class EncryptionManagerFactoryRegistry {
-    constructor(autoDiscover = true) {
-        this.factories = [];
-        this.algorithmToFactory = new Map();
-        this.typeToFactories = new Map();
-        this.factorySet = new Set();
-        this.autoDiscoveredFactories = new Set();
-        this.autoDiscovered = false;
-        if (autoDiscover) {
-            this.autoDiscoverFactories();
-        }
-    }
-    autoDiscoverFactories() {
-        if (this.autoDiscovered) {
-            return;
-        }
-        try {
-            const extensionInfos = factory.ExtensionManager.getExtensionsByType(runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE);
-            let registeredCount = 0;
-            for (const [factoryName, info] of extensionInfos) {
-                if (factoryName === "CompositeEncryptionManager") {
-                    logger$b.debug("skipping_composite_factory_to_avoid_circular_dependency", {
-                        factory_name: factoryName,
-                    });
-                    continue;
-                }
-                try {
-                    const factoryInstance = (info.instance ??
-                        factory.ExtensionManager.getGlobalFactory(runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
-                    this.registerFactory(factoryInstance, { autoDiscovered: true });
-                    registeredCount += 1;
-                    logger$b.debug("auto_discovered_factory", {
-                        factory_name: factoryName,
-                        factory_class: factoryInstance.constructor.name,
-                        algorithms: factoryInstance.getSupportedAlgorithms(),
-                        encryption_type: factoryInstance.getEncryptionType(),
-                        priority: factoryInstance.getPriority(),
-                    });
-                }
-                catch (error) {
-                    logger$b.warning("failed_to_auto_register_factory", {
-                        factory_name: factoryName,
-                        error: error instanceof Error ? error.message : String(error),
-                    });
-                }
-            }
-            this.autoDiscovered = true;
-            logger$b.debug("completed_auto_discovery", {
-                registered_factories: registeredCount,
-                total_discovered: extensionInfos.size,
-                skipped_composite: true,
-            });
-        }
-        catch (error) {
-            logger$b.warning("failed_auto_discovery_of_factories", {
-                error: error instanceof Error ? error.message : String(error),
-            });
-        }
-    }
-    registerFactory(factory, options = {}) {
-        if (this.factorySet.has(factory)) {
-            return;
-        }
-        this.factorySet.add(factory);
-        this.factories.push(factory);
-        if (options.autoDiscovered) {
-            this.autoDiscoveredFactories.add(factory);
-        }
-        for (const algorithm of factory.getSupportedAlgorithms()) {
-            const existing = this.algorithmToFactory.get(algorithm);
-            if (!existing || factory.getPriority() > existing.getPriority()) {
-                this.algorithmToFactory.set(algorithm, factory);
-                logger$b.debug("registered_algorithm_mapping", {
-                    algorithm,
-                    factory: factory.constructor.name,
-                    priority: factory.getPriority(),
-                });
-            }
-        }
-        const encryptionType = factory.getEncryptionType();
-        const typeFactories = this.typeToFactories.get(encryptionType) ?? [];
-        typeFactories.push(factory);
-        typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
-        this.typeToFactories.set(encryptionType, typeFactories);
-        logger$b.debug("registered_encryption_manager_factory", {
-            factory: factory.constructor.name,
-            encryption_type: encryptionType,
-            algorithms: factory.getSupportedAlgorithms(),
-            priority: factory.getPriority(),
-            auto_discovered: options.autoDiscovered ?? false,
-        });
-    }
-    getFactoryForAlgorithm(algorithm) {
-        this.ensureAutoDiscovery();
-        return this.algorithmToFactory.get(algorithm);
-    }
-    getFactoryForOptions(opts) {
-        this.ensureAutoDiscovery();
-        for (const factory of this.factories) {
-            if (factory.supportsOptions(opts ?? undefined)) {
-                logger$b.debug("found_factory_for_options", {
-                    factory: factory.constructor.name,
-                    encryption_type: factory.getEncryptionType(),
-                });
-                return factory;
-            }
-        }
-        logger$b.debug("no_factory_found_for_options", { opts });
-        return undefined;
-    }
-    getFactoriesByType(encryptionType) {
-        this.ensureAutoDiscovery();
-        return this.typeToFactories.get(encryptionType) ?? [];
-    }
-    getAllSupportedAlgorithms() {
-        this.ensureAutoDiscovery();
-        return Array.from(this.algorithmToFactory.keys());
-    }
-    getRegistryInfo() {
-        return {
-            totalFactories: this.factories.length,
-            autoDiscovered: this.autoDiscovered,
-            algorithmMappings: Object.fromEntries(Array.from(this.algorithmToFactory.entries()).map(([algorithm, factory]) => [algorithm, factory.constructor.name])),
-            typeMappings: Object.fromEntries(Array.from(this.typeToFactories.entries()).map(([encType, factories]) => [
-                encType,
-                factories.map((factory) => factory.constructor.name),
-            ])),
-        };
-    }
-    forceRediscovery() {
-        const manualFactories = this.factories.filter((factory) => !this.autoDiscoveredFactories.has(factory));
-        this.autoDiscovered = false;
-        this.algorithmToFactory.clear();
-        this.typeToFactories.clear();
-        this.factories.length = 0;
-        this.factorySet.clear();
-        this.autoDiscoveredFactories.clear();
-        for (const factory of manualFactories) {
-            this.registerFactory(factory);
+    toPositiveNumber(value) {
+        if (typeof value === "number" && Number.isFinite(value) && value > 0) {
+            return value;
         }
-        this.autoDiscoverFactories();
-    }
-    isAutoDiscovered() {
-        return this.autoDiscovered;
-    }
-    ensureInitialized() {
-        this.ensureAutoDiscovery();
-    }
-    ensureAutoDiscovery() {
-        if (!this.autoDiscovered) {
-            this.autoDiscoverFactories();
+        if (typeof value === "string" && value.trim() !== "") {
+            const parsed = Number(value);
+            if (Number.isFinite(parsed) && parsed > 0) {
+                return parsed;
+            }
         }
+        return undefined;
     }
 }
-const globalRegistry = new EncryptionManagerFactoryRegistry(true);
-function getEncryptionManagerFactoryRegistry() {
-    globalRegistry.ensureInitialized();
-    return globalRegistry;
-}
+
+var defaultSecureChannelManagerFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    DefaultSecureChannelManagerFactory: DefaultSecureChannelManagerFactory,
+    FACTORY_META: FACTORY_META$b,
+    default: DefaultSecureChannelManagerFactory
+});
 
 const logger$a = runtime.getLogger("naylence.fame.security.encryption.composite_encryption_manager");
 const DEFAULT_SEALED_ALGORITHMS = [
@@ -5117,1275 +5481,953 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
         }
         const verification = await this.verifier.verify(aftToken, envelope.sid ?? undefined);
         if (!verification.valid) {
-            this.metrics.verifyFailures += 1;
-            logger$4.warning("aft_verification_failed", {
-                envelope_id: envelope.id,
-                replica_id: replicaId,
-                error: verification.error,
-            });
-            return null;
-        }
-        this.storeAssociation(aftToken, {
-            replicaId,
-            token: aftToken,
-            sid: verification.sid ?? "",
-            exp: verification.exp ?? Math.floor(Date.now() / 1000) + this.defaultTtlSec,
-            trustLevel: verification.trustLevel,
-            scope: verification.scope ?? null,
-            clientSid: verification.clientSid ?? null,
-        });
-        if (verification.clientSid) {
-            this.sidCache.set(verification.clientSid, replicaId);
-            logger$4.debug("sid_cache_updated", {
-                envelope_id: envelope.id,
-                client_sid: verification.clientSid,
-                replica_id: replicaId,
-            });
-        }
-        this.metrics.associationsCreated += 1;
-        logger$4.debug("aft_association_created", {
-            envelope_id: envelope.id,
-            replica_id: replicaId,
-            sid: verification.sid,
-            exp: verification.exp,
-            trust_level: verification.trustLevel,
-            scope: verification.scope,
-        });
-        return this.config.clientEcho ? aftToken : null;
-    }
-    getStickyReplicaSegment(envelope, segments) {
-        if (!this.config.enabled) {
-            logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
-            return null;
-        }
-        if (envelope.aft) {
-            const replicaId = this.routeByAft(envelope.aft, envelope);
-            if (replicaId) {
-                this.metrics.cacheHits += 1;
-                logger$4.debug("aft_routed_envelope", {
-                    envelope_id: envelope.id,
-                    replica_id: replicaId,
-                    routing_type: "aft_direct",
-                });
-                return replicaId;
-            }
-        }
-        if (envelope.sid) {
-            const cachedReplica = this.sidCache.get(envelope.sid);
-            if (cachedReplica) {
-                if (this.config.securityLevel === exports.StickinessMode.SID_ONLY) {
-                    this.metrics.cacheHits += 1;
-                    logger$4.debug("sid_cache_routed_envelope", {
-                        envelope_id: envelope.id,
-                        replica_id: cachedReplica,
-                        sid: envelope.sid,
-                        routing_type: "sid_only",
-                    });
-                    return cachedReplica;
-                }
-                for (const [token, association] of this.aftAssociations.entries()) {
-                    if (association.replicaId === cachedReplica &&
-                        !association.isExpired()) {
-                        envelope.aft = token;
-                        this.metrics.cacheHits += 1;
-                        logger$4.debug("sid_cache_routed_envelope", {
-                            envelope_id: envelope.id,
-                            replica_id: cachedReplica,
-                            sid: envelope.sid,
-                            routing_type: "sid_cache_with_aft",
-                        });
-                        return cachedReplica;
-                    }
-                }
-                this.metrics.cacheHits += 1;
-                logger$4.debug("sid_cache_routed_envelope", {
-                    envelope_id: envelope.id,
-                    replica_id: cachedReplica,
-                    sid: envelope.sid,
-                    routing_type: "sid_cache_direct",
-                });
-                return cachedReplica;
-            }
-            logger$4.debug("no_cached_replica_for_sid", {
-                envelope_id: envelope.id,
-                sid: envelope.sid,
-            });
-        }
-        if (envelope.sid && Array.isArray(segments) && segments.length > 0) {
-            const index = computeDeterministicIndex(envelope.sid, segments.length);
-            const chosen = segments[index];
-            this.metrics.cacheHits += 1;
-            logger$4.debug("sid_based_deterministic_choice", {
-                envelope_id: envelope.id,
-                sid: envelope.sid,
-                chosen,
-                routing_type: "sid_deterministic",
-            });
-            return chosen;
-        }
-        this.metrics.cacheMisses += 1;
-        logger$4.debug("no_stickiness_routing", {
-            envelope_id: envelope.id,
-            has_aft: Boolean(envelope.aft),
-            has_sid: Boolean(envelope.sid),
-        });
-        return null;
-    }
-    cleanupExpiredAssociations() {
-        const now = Math.floor(Date.now() / 1000);
-        const expiredTokens = [];
-        for (const [token, association] of this.aftAssociations.entries()) {
-            if (association.isExpired(now)) {
-                expiredTokens.push(token);
-            }
-        }
-        for (const token of expiredTokens) {
-            this.removeAssociation(token);
-        }
-        if (expiredTokens.length > 0) {
-            this.metrics.associationsExpired += expiredTokens.length;
-            logger$4.debug("cleaned_expired_associations", {
-                count: expiredTokens.length,
-            });
-        }
-    }
-    replicaLeft(replicaId) {
-        const tokensToRemove = [];
-        for (const [token, association] of this.aftAssociations.entries()) {
-            if (association.replicaId === replicaId) {
-                tokensToRemove.push(token);
-            }
-        }
-        for (const token of tokensToRemove) {
-            this.removeAssociation(token);
-        }
-        if (tokensToRemove.length > 0) {
-            logger$4.debug("removed_associations_for_departed_replica", {
-                replica_id: replicaId,
-                count: tokensToRemove.length,
-            });
-        }
-    }
-    handleReplicaLeft(replicaId) {
-        this.replicaLeft(replicaId);
-        logger$4.debug("stickiness_replica_cleanup", { replica_id: replicaId });
-    }
-    getMetrics() {
-        return {
-            ...this.metrics,
-            cacheSize: this.aftAssociations.size,
-            sidCacheSize: this.sidCache.size,
-        };
-    }
-    getAssociations() {
-        const result = {};
-        for (const [token, association] of this.aftAssociations.entries()) {
-            result[token] = {
-                replica_id: association.replicaId,
-                sid: association.sid,
-                client_sid: association.clientSid,
-                exp: association.exp,
-                trust_level: association.trustLevel,
-                scope: association.scope,
-                created_at: association.createdAt,
-                expired: association.isExpired(),
-            };
-        }
-        return result;
-    }
-    getStickinessMetrics() {
-        return this.getMetrics();
-    }
-    logMetrics() {
-        const hits = this.metrics.cacheHits;
-        const misses = this.metrics.cacheMisses;
-        const total = hits + misses;
-        const hitRate = total > 0 ? Math.round((hits / total) * 10000) / 100 : 0;
-        logger$4.info("stickiness_metrics_report", {
-            enabled: this.config.enabled,
-            security_level: this.config.securityLevel,
-            cache_hits: hits,
-            cache_misses: misses,
-            verify_failures: this.metrics.verifyFailures,
-            associations_created: this.metrics.associationsCreated,
-            associations_expired: this.metrics.associationsExpired,
-            active_associations: this.aftAssociations.size,
-            sid_cache_entries: this.sidCache.size,
-            hit_rate: hitRate,
+            this.metrics.verifyFailures += 1;
+            logger$4.warning("aft_verification_failed", {
+                envelope_id: envelope.id,
+                replica_id: replicaId,
+                error: verification.error,
+            });
+            return null;
+        }
+        this.storeAssociation(aftToken, {
+            replicaId,
+            token: aftToken,
+            sid: verification.sid ?? "",
+            exp: verification.exp ?? Math.floor(Date.now() / 1000) + this.defaultTtlSec,
+            trustLevel: verification.trustLevel,
+            scope: verification.scope ?? null,
+            clientSid: verification.clientSid ?? null,
         });
-    }
-    async onDeliver(_node, envelope, context) {
-        logger$4.debug("stickiness_manager_on_deliver", {
+        if (verification.clientSid) {
+            this.sidCache.set(verification.clientSid, replicaId);
+            logger$4.debug("sid_cache_updated", {
+                envelope_id: envelope.id,
+                client_sid: verification.clientSid,
+                replica_id: replicaId,
+            });
+        }
+        this.metrics.associationsCreated += 1;
+        logger$4.debug("aft_association_created", {
             envelope_id: envelope.id,
-            origin_type: context?.originType ?? "unknown",
-            from_system_id: context?.fromSystemId ?? null,
+            replica_id: replicaId,
+            sid: verification.sid,
+            exp: verification.exp,
+            trust_level: verification.trustLevel,
+            scope: verification.scope,
         });
-        if (context?.originType === core.DeliveryOriginType.DOWNSTREAM) {
-            const sourceRoute = context.fromSystemId;
-            if (sourceRoute) {
-                logger$4.debug("processing_downstream_envelope", {
+        return this.config.clientEcho ? aftToken : null;
+    }
+    getStickyReplicaSegment(envelope, segments) {
+        if (!this.config.enabled) {
+            logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
+            return null;
+        }
+        if (envelope.aft) {
+            const replicaId = this.routeByAft(envelope.aft, envelope);
+            if (replicaId) {
+                this.metrics.cacheHits += 1;
+                logger$4.debug("aft_routed_envelope", {
                     envelope_id: envelope.id,
-                    source_route: sourceRoute,
+                    replica_id: replicaId,
+                    routing_type: "aft_direct",
                 });
-                if (this.config.securityLevel === exports.StickinessMode.SID_ONLY &&
-                    envelope.sid &&
-                    !this.sidCache.has(envelope.sid)) {
-                    this.sidCache.set(envelope.sid, sourceRoute);
-                    logger$4.debug("sid_only_association_recorded", {
+                return replicaId;
+            }
+        }
+        if (envelope.sid) {
+            const cachedReplica = this.sidCache.get(envelope.sid);
+            if (cachedReplica) {
+                if (this.config.securityLevel === exports.StickinessMode.SID_ONLY) {
+                    this.metrics.cacheHits += 1;
+                    logger$4.debug("sid_cache_routed_envelope", {
                         envelope_id: envelope.id,
+                        replica_id: cachedReplica,
                         sid: envelope.sid,
-                        replica_id: sourceRoute,
-                    });
-                }
-                const hadInstruction = Boolean(extractAftInstruction(envelope));
-                const token = await this.handleOutboundEnvelope(envelope, sourceRoute);
-                if (hadInstruction) {
-                    logger$4.debug("processed_aft_setter_instruction", {
-                        envelope_id: envelope.id,
-                        source_route: sourceRoute,
-                        client_echo: Boolean(token),
+                        routing_type: "sid_only",
                     });
+                    return cachedReplica;
                 }
-                else {
-                    logger$4.debug("no_aft_setter_instruction", {
-                        envelope_id: envelope.id,
-                        source_route: sourceRoute,
-                    });
+                for (const [token, association] of this.aftAssociations.entries()) {
+                    if (association.replicaId === cachedReplica &&
+                        !association.isExpired()) {
+                        envelope.aft = token;
+                        this.metrics.cacheHits += 1;
+                        logger$4.debug("sid_cache_routed_envelope", {
+                            envelope_id: envelope.id,
+                            replica_id: cachedReplica,
+                            sid: envelope.sid,
+                            routing_type: "sid_cache_with_aft",
+                        });
+                        return cachedReplica;
+                    }
                 }
-            }
-            else {
-                logger$4.debug("downstream_envelope_without_source_route", {
+                this.metrics.cacheHits += 1;
+                logger$4.debug("sid_cache_routed_envelope", {
                     envelope_id: envelope.id,
+                    replica_id: cachedReplica,
+                    sid: envelope.sid,
+                    routing_type: "sid_cache_direct",
                 });
+                return cachedReplica;
             }
-        }
-        else {
-            logger$4.debug("envelope_not_from_downstream", {
+            logger$4.debug("no_cached_replica_for_sid", {
                 envelope_id: envelope.id,
+                sid: envelope.sid,
             });
         }
-        return envelope;
-    }
-    storeAssociation(token, data) {
-        if (this.aftAssociations.has(token)) {
-            this.aftAssociations.delete(token);
-        }
-        const association = new AFTAssociation(data);
-        this.aftAssociations.set(token, association);
-        while (this.aftAssociations.size > this.cacheMax) {
-            const oldest = this.aftAssociations.keys().next();
-            if (oldest.done) {
-                break;
-            }
-            const oldestToken = oldest.value;
-            this.removeAssociation(oldestToken);
-        }
-    }
-    removeAssociation(token) {
-        this.aftAssociations.delete(token);
-        for (const [sid, cachedToken] of this.sidCache.entries()) {
-            if (cachedToken === token) {
-                this.sidCache.delete(sid);
-            }
-        }
-    }
-    routeByAft(token, envelope) {
-        const association = this.aftAssociations.get(token);
-        if (!association) {
-            return null;
-        }
-        if (association.isExpired()) {
-            this.metrics.associationsExpired += 1;
-            this.removeAssociation(token);
-            return null;
-        }
-        if (this.verifier.securityLevel === exports.StickinessMode.STRICT &&
-            association.isLowTrust()) {
-            logger$4.warning("rejecting_low_trust_association", {
+        if (envelope.sid && Array.isArray(segments) && segments.length > 0) {
+            const index = computeDeterministicIndex(envelope.sid, segments.length);
+            const chosen = segments[index];
+            this.metrics.cacheHits += 1;
+            logger$4.debug("sid_based_deterministic_choice", {
                 envelope_id: envelope.id,
-                replica_id: association.replicaId,
-                reason: "strict mode rejects low-trust associations",
+                sid: envelope.sid,
+                chosen,
+                routing_type: "sid_deterministic",
             });
-            return null;
+            return chosen;
         }
-        this.aftAssociations.delete(token);
-        this.aftAssociations.set(token, association);
-        return association.replicaId;
-    }
-}
-function extractAftInstruction(envelope) {
-    if (!envelope.meta) {
+        this.metrics.cacheMisses += 1;
+        logger$4.debug("no_stickiness_routing", {
+            envelope_id: envelope.id,
+            has_aft: Boolean(envelope.aft),
+            has_sid: Boolean(envelope.sid),
+        });
         return null;
     }
-    const meta = envelope.meta;
-    const nested = meta.set;
-    if (nested && typeof nested === "object" && !Array.isArray(nested)) {
-        const aftValue = nested.aft;
-        if (aftValue !== undefined) {
-            return aftValue;
-        }
-    }
-    if (meta["set.aft"] !== undefined) {
-        return meta["set.aft"];
-    }
-    return null;
-}
-function computeDeterministicIndex(key, modulo) {
-    if (modulo <= 0) {
-        return 0;
-    }
-    let hash = 0;
-    for (let i = 0; i < key.length; i += 1) {
-        hash = (hash * 31 + key.charCodeAt(i)) >>> 0;
-    }
-    return hash % modulo;
-}
-
-const FACTORY_META$6 = {
-    base: runtime.LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE,
-    key: "AFTLoadBalancerStickinessManager",
-};
-const DEFAULT_VALUES$1 = {
-    enabled: true,
-    clientEcho: false,
-    defaultTtlSec: 30,
-    cacheMax: 100000,
-    securityLevel: exports.StickinessMode.SIGNED_OPTIONAL,
-    maxTtlSec: 7200,
-};
-function toBoolean(value, fallback) {
-    return typeof value === "boolean" ? value : fallback;
-}
-function toNumber(value, fallback) {
-    if (typeof value === "number" && Number.isFinite(value)) {
-        return value;
-    }
-    return fallback;
-}
-function normalizeConfig$4(config) {
-    const record = (config ?? {});
-    const normalizedSecurity = record.securityLevel
-        ? normalizeStickinessMode(record.securityLevel)
-        : DEFAULT_VALUES$1.securityLevel;
-    return {
-        ...record,
-        type: "AFTLoadBalancerStickinessManager",
-        enabled: toBoolean(record.enabled, DEFAULT_VALUES$1.enabled),
-        clientEcho: toBoolean(record.clientEcho, DEFAULT_VALUES$1.clientEcho),
-        defaultTtlSec: toNumber(record.defaultTtlSec, DEFAULT_VALUES$1.defaultTtlSec),
-        cacheMax: toNumber(record.cacheMax, DEFAULT_VALUES$1.cacheMax),
-        securityLevel: normalizedSecurity,
-        maxTtlSec: toNumber(record.maxTtlSec, DEFAULT_VALUES$1.maxTtlSec),
-    };
-}
-class AFTLoadBalancerStickinessManagerFactory extends runtime.LoadBalancerStickinessManagerFactory {
-    constructor() {
-        super(...arguments);
-        this.type = "AFTLoadBalancerStickinessManager";
-        this.isDefault = false;
-    }
-    async create(config, keyProvider, verifier) {
-        const resolvedConfig = normalizeConfig$4(config);
-        let effectiveVerifier = verifier ?? null;
-        if (!effectiveVerifier && keyProvider) {
-            effectiveVerifier = createAftVerifier({
-                securityLevel: resolvedConfig.securityLevel ?? DEFAULT_VALUES$1.securityLevel,
-                keyProvider,
-                defaultTtlSec: resolvedConfig.defaultTtlSec ?? DEFAULT_VALUES$1.defaultTtlSec,
+    cleanupExpiredAssociations() {
+        const now = Math.floor(Date.now() / 1000);
+        const expiredTokens = [];
+        for (const [token, association] of this.aftAssociations.entries()) {
+            if (association.isExpired(now)) {
+                expiredTokens.push(token);
+            }
+        }
+        for (const token of expiredTokens) {
+            this.removeAssociation(token);
+        }
+        if (expiredTokens.length > 0) {
+            this.metrics.associationsExpired += expiredTokens.length;
+            logger$4.debug("cleaned_expired_associations", {
+                count: expiredTokens.length,
             });
         }
-        if (!effectiveVerifier) {
-            throw new Error("AFTLoadBalancerStickinessManagerFactory requires an AFT verifier or key provider");
+    }
+    replicaLeft(replicaId) {
+        const tokensToRemove = [];
+        for (const [token, association] of this.aftAssociations.entries()) {
+            if (association.replicaId === replicaId) {
+                tokensToRemove.push(token);
+            }
+        }
+        for (const token of tokensToRemove) {
+            this.removeAssociation(token);
+        }
+        if (tokensToRemove.length > 0) {
+            logger$4.debug("removed_associations_for_departed_replica", {
+                replica_id: replicaId,
+                count: tokensToRemove.length,
+            });
         }
-        return new AFTLoadBalancerStickinessManager(resolvedConfig, effectiveVerifier);
     }
-}
-
-var aftLoadBalancerStickinessManagerFactory = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    AFTLoadBalancerStickinessManagerFactory: AFTLoadBalancerStickinessManagerFactory,
-    FACTORY_META: FACTORY_META$6,
-    default: AFTLoadBalancerStickinessManagerFactory
-});
-
-const logger$3 = runtime.getLogger("naylence.fame.stickiness.aft_replica_stickiness_manager");
-function isStickinessRequired(context) {
-    if (typeof context.stickinessRequired === "boolean") {
-        return context.stickinessRequired;
+    handleReplicaLeft(replicaId) {
+        this.replicaLeft(replicaId);
+        logger$4.debug("stickiness_replica_cleanup", { replica_id: replicaId });
     }
-    if (typeof context.stickiness_required === "boolean") {
-        return context.stickiness_required;
+    getMetrics() {
+        return {
+            ...this.metrics,
+            cacheSize: this.aftAssociations.size,
+            sidCacheSize: this.sidCache.size,
+        };
     }
-    return false;
-}
-class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
-    constructor(options = {}) {
-        super();
-        this.securityLevel =
-            normalizeStickinessMode(options.securityLevel ?? DEFAULT_STICKINESS_SECURITY_LEVEL) ?? DEFAULT_STICKINESS_SECURITY_LEVEL;
-        this.aftHelper = options.aftHelper ?? null;
-        this.maxTtlSec = options.maxTtlSec ?? 7200;
-        this.isInitialized = this.aftHelper !== null;
-        this.negotiatedStickiness = null;
-        if (this.aftHelper) {
-            logger$3.debug("aft_replica_stickiness_manager_initialized", {
-                helper_type: this.aftHelper.signer.constructor.name,
-                security_level: this.aftHelper.signer.securityLevel,
-                max_ttl_sec: this.aftHelper.maxTtlSec,
-            });
-        }
-        else {
-            logger$3.debug("aft_replica_stickiness_manager_created", {
-                security_level: this.securityLevel,
-                max_ttl_sec: this.maxTtlSec,
-            });
+    getAssociations() {
+        const result = {};
+        for (const [token, association] of this.aftAssociations.entries()) {
+            result[token] = {
+                replica_id: association.replicaId,
+                sid: association.sid,
+                client_sid: association.clientSid,
+                exp: association.exp,
+                trust_level: association.trustLevel,
+                scope: association.scope,
+                created_at: association.createdAt,
+                expired: association.isExpired(),
+            };
         }
+        return result;
     }
-    offer() {
-        return { mode: "aft", supportedModes: ["aft", "attr"], version: 1 };
+    getStickinessMetrics() {
+        return this.getMetrics();
     }
-    accept(stickiness) {
-        this.negotiatedStickiness = stickiness ?? null;
-        logger$3.debug("replica_stickiness_policy_set", {
-            enabled: stickiness?.enabled ?? null,
-            mode: stickiness?.mode ?? null,
-            ttl: stickiness?.ttlSec ?? null,
+    logMetrics() {
+        const hits = this.metrics.cacheHits;
+        const misses = this.metrics.cacheMisses;
+        const total = hits + misses;
+        const hitRate = total > 0 ? Math.round((hits / total) * 10000) / 100 : 0;
+        logger$4.info("stickiness_metrics_report", {
+            enabled: this.config.enabled,
+            security_level: this.config.securityLevel,
+            cache_hits: hits,
+            cache_misses: misses,
+            verify_failures: this.metrics.verifyFailures,
+            associations_created: this.metrics.associationsCreated,
+            associations_expired: this.metrics.associationsExpired,
+            active_associations: this.aftAssociations.size,
+            sid_cache_entries: this.sidCache.size,
+            hit_rate: hitRate,
         });
     }
-    async onForwardUpstream(_node, envelope, context) {
-        if (!context) {
-            return envelope;
-        }
-        const helper = this.aftHelper;
-        if (!helper) {
-            logger$3.debug("aft_helper_not_ready_skip_injection", {
-                envelope_id: envelope.id,
-                delivery_origin: context.originType ?? null,
-                reason: "not_initialized",
-            });
-            return envelope;
-        }
-        const stickinessContext = context;
-        if (isStickinessRequired(stickinessContext) &&
-            context.originType === core.DeliveryOriginType.LOCAL) {
-            if (this.negotiatedStickiness) {
-                const negotiated = this.negotiatedStickiness;
-                if (negotiated.enabled === false ||
-                    (negotiated.mode !== null &&
-                        negotiated.mode !== undefined &&
-                        negotiated.mode !== "aft")) {
-                    logger$3.debug("aft_injection_skipped_due_to_policy", {
+    async onDeliver(_node, envelope, context) {
+        logger$4.debug("stickiness_manager_on_deliver", {
+            envelope_id: envelope.id,
+            origin_type: context?.originType ?? "unknown",
+            from_system_id: context?.fromSystemId ?? null,
+        });
+        if (context?.originType === core.DeliveryOriginType.DOWNSTREAM) {
+            const sourceRoute = context.fromSystemId;
+            if (sourceRoute) {
+                logger$4.debug("processing_downstream_envelope", {
+                    envelope_id: envelope.id,
+                    source_route: sourceRoute,
+                });
+                if (this.config.securityLevel === exports.StickinessMode.SID_ONLY &&
+                    envelope.sid &&
+                    !this.sidCache.has(envelope.sid)) {
+                    this.sidCache.set(envelope.sid, sourceRoute);
+                    logger$4.debug("sid_only_association_recorded", {
                         envelope_id: envelope.id,
-                        policy_mode: negotiated.mode ?? null,
-                        policy_enabled: negotiated.enabled ?? null,
+                        sid: envelope.sid,
+                        replica_id: sourceRoute,
+                    });
+                }
+                const hadInstruction = Boolean(extractAftInstruction(envelope));
+                const token = await this.handleOutboundEnvelope(envelope, sourceRoute);
+                if (hadInstruction) {
+                    logger$4.debug("processed_aft_setter_instruction", {
+                        envelope_id: envelope.id,
+                        source_route: sourceRoute,
+                        client_echo: Boolean(token),
+                    });
+                }
+                else {
+                    logger$4.debug("no_aft_setter_instruction", {
+                        envelope_id: envelope.id,
+                        source_route: sourceRoute,
                     });
-                    return envelope;
                 }
-            }
-            logger$3.debug("applying_aft_for_upstream_stickiness_required", {
-                envelope_id: envelope.id,
-                from_system_id: context.fromSystemId ?? null,
-                delivery_origin: context.originType ?? null,
-            });
-            const success = await helper.requestStickiness(envelope, {
-                ttlSec: null,
-                scope: "node",
-                context: stickinessContext,
-            });
-            if (success) {
-                logger$3.debug("aft_token_applied_via_context_flag_upstream", {
-                    envelope_id: envelope.id,
-                    from_system_id: context.fromSystemId ?? null,
-                    delivery_origin: context.originType ?? null,
-                });
             }
             else {
-                logger$3.debug("aft_token_not_applied_upstream", {
+                logger$4.debug("downstream_envelope_without_source_route", {
                     envelope_id: envelope.id,
-                    delivery_origin: context.originType ?? null,
-                    reason: "helper_returned_false",
                 });
             }
         }
-        return envelope;
-    }
-    async onNodeStarted(node) {
-        if (!this.isInitialized) {
-            await this.initializeAftHelper(node);
-            return;
-        }
-        if (this.aftHelper && node.sid) {
-            this.updateNodeSid(node.sid);
-            logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
-                node_id: node.id ?? "unknown",
-                node_sid: node.sid,
-                security_level: this.aftHelper.signer.securityLevel,
-            });
-        }
-        else if (!node.sid) {
-            logger$3.warning("aft_replica_stickiness_manager_no_sid_available", {
-                node_id: node.id ?? "unknown",
-            });
-        }
         else {
-            logger$3.error("aft_replica_stickiness_manager_node_missing_sid", {
-                node_type: node.constructor?.name ?? typeof node,
+            logger$4.debug("envelope_not_from_downstream", {
+                envelope_id: envelope.id,
             });
         }
+        return envelope;
     }
-    updateNodeSid(nodeSid) {
-        if (this.aftHelper) {
-            this.aftHelper.nodeSid = nodeSid;
-            logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
-                new_sid: nodeSid,
-            });
+    storeAssociation(token, data) {
+        if (this.aftAssociations.has(token)) {
+            this.aftAssociations.delete(token);
         }
-    }
-    async initializeAftHelper(node) {
-        const nodeSid = node.sid;
-        if (!nodeSid) {
-            logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_sid", {
-                node_id: node.id ?? "unknown",
-            });
-            return;
+        const association = new AFTAssociation(data);
+        this.aftAssociations.set(token, association);
+        while (this.aftAssociations.size > this.cacheMax) {
+            const oldest = this.aftAssociations.keys().next();
+            if (oldest.done) {
+                break;
+            }
+            const oldestToken = oldest.value;
+            this.removeAssociation(oldestToken);
         }
-        const cryptoProvider = node.cryptoProvider ?? null;
-        if (!cryptoProvider) {
-            logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_crypto_provider", {
-                node_id: node.id ?? "unknown",
-            });
-            return;
+    }
+    removeAssociation(token) {
+        this.aftAssociations.delete(token);
+        for (const [sid, cachedToken] of this.sidCache.entries()) {
+            if (cachedToken === token) {
+                this.sidCache.delete(sid);
+            }
         }
-        const keyId = typeof cryptoProvider.signatureKeyId === "string" &&
-            cryptoProvider.signatureKeyId.length > 0
-            ? cryptoProvider.signatureKeyId
-            : "default-key-id";
-        const privateKeyPem = typeof cryptoProvider.signingPrivatePem === "string"
-            ? cryptoProvider.signingPrivatePem
-            : null;
-        if (this.securityLevel === exports.StickinessMode.STRICT && !privateKeyPem) {
-            logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
-                node_id: node.id ?? "unknown",
-                error: "Missing signing private key for strict security level",
-            });
-            return;
+    }
+    routeByAft(token, envelope) {
+        const association = this.aftAssociations.get(token);
+        if (!association) {
+            return null;
         }
-        try {
-            const helper = createAftHelper({
-                securityLevel: this.securityLevel,
-                nodeSid,
-                kid: keyId,
-                privateKeyPem,
-                maxTtlSec: this.maxTtlSec,
-            });
-            this.aftHelper = helper;
-            this.isInitialized = true;
-            logger$3.debug("aft_replica_stickiness_manager_initialized", {
-                node_id: node.id ?? "unknown",
-                node_sid: nodeSid,
-                key_id: keyId,
-                security_level: helper.signer.securityLevel,
-            });
+        if (association.isExpired()) {
+            this.metrics.associationsExpired += 1;
+            this.removeAssociation(token);
+            return null;
         }
-        catch (error) {
-            logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
-                node_id: node.id ?? "unknown",
-                error: error instanceof Error ? error.message : String(error),
+        if (this.verifier.securityLevel === exports.StickinessMode.STRICT &&
+            association.isLowTrust()) {
+            logger$4.warning("rejecting_low_trust_association", {
+                envelope_id: envelope.id,
+                replica_id: association.replicaId,
+                reason: "strict mode rejects low-trust associations",
             });
+            return null;
         }
+        this.aftAssociations.delete(token);
+        this.aftAssociations.set(token, association);
+        return association.replicaId;
     }
-    get signer() {
-        return this.aftHelper?.signer ?? null;
+}
+function extractAftInstruction(envelope) {
+    if (!envelope.meta) {
+        return null;
     }
-    getHelper() {
-        return this.aftHelper;
+    const meta = envelope.meta;
+    const nested = meta.set;
+    if (nested && typeof nested === "object" && !Array.isArray(nested)) {
+        const aftValue = nested.aft;
+        if (aftValue !== undefined) {
+            return aftValue;
+        }
+    }
+    if (meta["set.aft"] !== undefined) {
+        return meta["set.aft"];
     }
+    return null;
 }
-function createAftReplicaStickinessManager(aftHelper) {
-    return new AFTReplicaStickinessManager({ aftHelper });
+function computeDeterministicIndex(key, modulo) {
+    if (modulo <= 0) {
+        return 0;
+    }
+    let hash = 0;
+    for (let i = 0; i < key.length; i += 1) {
+        hash = (hash * 31 + key.charCodeAt(i)) >>> 0;
+    }
+    return hash % modulo;
 }
 
-const FACTORY_META$5 = {
-    base: runtime.REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE,
-    key: "AFTReplicaStickinessManager",
+const FACTORY_META$6 = {
+    base: runtime.LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE,
+    key: "AFTLoadBalancerStickinessManager",
 };
-const DEFAULT_VALUES = {
+const DEFAULT_VALUES$1 = {
+    enabled: true,
+    clientEcho: false,
+    defaultTtlSec: 30,
+    cacheMax: 100000,
     securityLevel: exports.StickinessMode.SIGNED_OPTIONAL,
     maxTtlSec: 7200,
 };
-function normalizeConfig$3(config) {
+function toBoolean(value, fallback) {
+    return typeof value === "boolean" ? value : fallback;
+}
+function toNumber(value, fallback) {
+    if (typeof value === "number" && Number.isFinite(value)) {
+        return value;
+    }
+    return fallback;
+}
+function normalizeConfig$4(config) {
     const record = (config ?? {});
     const normalizedSecurity = record.securityLevel
         ? normalizeStickinessMode(record.securityLevel)
-        : DEFAULT_VALUES.securityLevel;
-    const securityLevel = normalizedSecurity ?? DEFAULT_VALUES.securityLevel;
-    const maxTtlSecValue = typeof record.maxTtlSec === "number" && Number.isFinite(record.maxTtlSec)
-        ? Math.max(0, Math.floor(record.maxTtlSec))
-        : DEFAULT_VALUES.maxTtlSec;
+        : DEFAULT_VALUES$1.securityLevel;
     return {
         ...record,
-        type: "AFTReplicaStickinessManager",
-        securityLevel,
-        maxTtlSec: maxTtlSecValue,
+        type: "AFTLoadBalancerStickinessManager",
+        enabled: toBoolean(record.enabled, DEFAULT_VALUES$1.enabled),
+        clientEcho: toBoolean(record.clientEcho, DEFAULT_VALUES$1.clientEcho),
+        defaultTtlSec: toNumber(record.defaultTtlSec, DEFAULT_VALUES$1.defaultTtlSec),
+        cacheMax: toNumber(record.cacheMax, DEFAULT_VALUES$1.cacheMax),
+        securityLevel: normalizedSecurity,
+        maxTtlSec: toNumber(record.maxTtlSec, DEFAULT_VALUES$1.maxTtlSec),
     };
 }
-class AFTReplicaStickinessManagerFactory extends runtime.ReplicaStickinessManagerFactory {
+class AFTLoadBalancerStickinessManagerFactory extends runtime.LoadBalancerStickinessManagerFactory {
     constructor() {
         super(...arguments);
-        this.type = FACTORY_META$5.key;
-        this.isDefault = true;
+        this.type = "AFTLoadBalancerStickinessManager";
+        this.isDefault = false;
     }
-    async create(config, dependencies) {
-        const resolvedConfig = normalizeConfig$3(config);
-        const helper = dependencies?.aftHelper ?? null;
-        const securityLevel = normalizeStickinessMode(resolvedConfig.securityLevel ?? DEFAULT_VALUES.securityLevel) ?? DEFAULT_VALUES.securityLevel;
-        const maxTtlSec = typeof resolvedConfig.maxTtlSec === "number" &&
-            Number.isFinite(resolvedConfig.maxTtlSec)
-            ? Math.max(0, Math.floor(resolvedConfig.maxTtlSec))
-            : DEFAULT_VALUES.maxTtlSec;
-        return new AFTReplicaStickinessManager({
-            securityLevel,
-            maxTtlSec,
-            aftHelper: helper,
-        });
+    async create(config, keyProvider, verifier) {
+        const resolvedConfig = normalizeConfig$4(config);
+        let effectiveVerifier = verifier ?? null;
+        if (!effectiveVerifier && keyProvider) {
+            effectiveVerifier = createAftVerifier({
+                securityLevel: resolvedConfig.securityLevel ?? DEFAULT_VALUES$1.securityLevel,
+                keyProvider,
+                defaultTtlSec: resolvedConfig.defaultTtlSec ?? DEFAULT_VALUES$1.defaultTtlSec,
+            });
+        }
+        if (!effectiveVerifier) {
+            throw new Error("AFTLoadBalancerStickinessManagerFactory requires an AFT verifier or key provider");
+        }
+        return new AFTLoadBalancerStickinessManager(resolvedConfig, effectiveVerifier);
     }
 }
 
-var aftReplicaStickinessManagerFactory = /*#__PURE__*/Object.freeze({
+var aftLoadBalancerStickinessManagerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    AFTReplicaStickinessManagerFactory: AFTReplicaStickinessManagerFactory,
-    FACTORY_META: FACTORY_META$5,
-    default: AFTReplicaStickinessManagerFactory
+    AFTLoadBalancerStickinessManagerFactory: AFTLoadBalancerStickinessManagerFactory,
+    FACTORY_META: FACTORY_META$6,
+    default: AFTLoadBalancerStickinessManagerFactory
 });
 
-const logger$2 = runtime.getLogger("naylence.fame.welcome.advanced_welcome_service");
-const ENV_VAR_SHOW_ENVELOPES = "FAME_SHOW_ENVELOPES";
-const DEFAULT_TTL_SEC = 3600;
-const showEnvelopes = typeof process !== "undefined" &&
-    process.env?.[ENV_VAR_SHOW_ENVELOPES] === "true";
-function nowUtc() {
-    return new Date();
-}
-function formatTimestampForConsole() {
-    return runtime.color(runtime.formatTimestamp(), runtime.AnsiColor.GRAY);
-}
-function prettyModel(value) {
-    try {
-        return runtime.jsonDumps(value);
-    }
-    catch (error) {
-        return String(error);
-    }
-}
-function coercePlacementMetadataValue(metadata, camelCaseKey, snakeCaseKey) {
-    if (!metadata) {
-        return undefined;
-    }
-    const record = metadata;
-    if (record[camelCaseKey] !== undefined) {
-        return record[camelCaseKey];
+const logger$3 = runtime.getLogger("naylence.fame.stickiness.aft_replica_stickiness_manager");
+function isStickinessRequired(context) {
+    if (typeof context.stickinessRequired === "boolean") {
+        return context.stickinessRequired;
     }
-    if (record[snakeCaseKey] !== undefined) {
-        return record[snakeCaseKey];
+    if (typeof context.stickiness_required === "boolean") {
+        return context.stickiness_required;
     }
-    return undefined;
+    return false;
 }
-class AdvancedWelcomeService {
-    constructor(options) {
-        this.placementStrategy = options.placementStrategy;
-        this.transportProvisioner = options.transportProvisioner;
-        this.tokenIssuer = options.tokenIssuer;
-        this.authorizer = options.authorizer ?? null;
-        this.caServiceUrl = options.caServiceUrl;
-        this.ttlSec =
-            typeof options.ttlSec === "number" && Number.isFinite(options.ttlSec)
-                ? Math.max(0, options.ttlSec)
-                : DEFAULT_TTL_SEC;
-        logger$2.debug("initialized_advanced_welcome_service", {
-            ca_service_url: this.caServiceUrl,
-            ttl_sec: this.ttlSec,
-        });
-    }
-    async handleHello(hello, metadata) {
-        const fullMetadata = metadata
-            ? { ...metadata }
-            : {};
-        const trimmedSystemId = typeof hello.systemId === "string" ? hello.systemId.trim() : "";
-        const systemId = trimmedSystemId.length > 0 ? trimmedSystemId : core.generateId();
-        const wasAssigned = trimmedSystemId.length === 0;
-        const normalizedHello = {
-            ...hello,
-            systemId,
-        };
-        if (showEnvelopes) {
-            // eslint-disable-next-line no-console
-            console.log(`\n${formatTimestampForConsole()} - ${runtime.color("Received envelope 📨", runtime.AnsiColor.BLUE)}\n${prettyModel(normalizedHello)}`);
+class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
+    constructor(options = {}) {
+        super();
+        this.securityLevel =
+            normalizeStickinessMode(options.securityLevel ?? DEFAULT_STICKINESS_SECURITY_LEVEL) ?? DEFAULT_STICKINESS_SECURITY_LEVEL;
+        this.aftHelper = options.aftHelper ?? null;
+        this.maxTtlSec = options.maxTtlSec ?? 7200;
+        this.isInitialized = this.aftHelper !== null;
+        this.negotiatedStickiness = null;
+        if (this.aftHelper) {
+            logger$3.debug("aft_replica_stickiness_manager_initialized", {
+                helper_type: this.aftHelper.signer.constructor.name,
+                security_level: this.aftHelper.signer.securityLevel,
+                max_ttl_sec: this.aftHelper.maxTtlSec,
+            });
+        }
+        else {
+            logger$3.debug("aft_replica_stickiness_manager_created", {
+                security_level: this.securityLevel,
+                max_ttl_sec: this.maxTtlSec,
+            });
         }
-        logger$2.debug("starting_hello_frame_processing", {
-            instanceId: normalizedHello.instanceId,
-            systemId,
-            logicals: normalizedHello.logicals,
-            capabilities: normalizedHello.capabilities,
-            ttlSec: this.ttlSec,
+    }
+    offer() {
+        return { mode: "aft", supportedModes: ["aft", "attr"], version: 1 };
+    }
+    accept(stickiness) {
+        this.negotiatedStickiness = stickiness ?? null;
+        logger$3.debug("replica_stickiness_policy_set", {
+            enabled: stickiness?.enabled ?? null,
+            mode: stickiness?.mode ?? null,
+            ttl: stickiness?.ttlSec ?? null,
         });
-        const now = nowUtc();
-        const expiry = new Date(now.getTime() + this.ttlSec * 1000);
-        if (normalizedHello.instanceId) {
-            if (fullMetadata.instanceId === undefined) {
-                fullMetadata.instanceId = normalizedHello.instanceId;
-            }
-            if (fullMetadata.instance_id === undefined) {
-                fullMetadata.instance_id = normalizedHello.instanceId;
-            }
+    }
+    async onForwardUpstream(_node, envelope, context) {
+        if (!context) {
+            return envelope;
         }
-        logger$2.debug("system_id_assignment_completed", {
-            systemId,
-            wasAssigned,
-        });
-        if (normalizedHello.logicals?.length) {
-            logger$2.debug("validating_logicals_for_dns_compatibility", {
-                logicals: normalizedHello.logicals,
+        const helper = this.aftHelper;
+        if (!helper) {
+            logger$3.debug("aft_helper_not_ready_skip_injection", {
+                envelope_id: envelope.id,
+                delivery_origin: context.originType ?? null,
+                reason: "not_initialized",
             });
-            const [pathsValid, pathError] = runtime.validateHostLogicals(normalizedHello.logicals);
-            if (!pathsValid) {
-                logger$2.error("logical_validation_failed", {
-                    error: pathError,
-                    logicals: normalizedHello.logicals,
+            return envelope;
+        }
+        const stickinessContext = context;
+        if (isStickinessRequired(stickinessContext) &&
+            context.originType === core.DeliveryOriginType.LOCAL) {
+            if (this.negotiatedStickiness) {
+                const negotiated = this.negotiatedStickiness;
+                if (negotiated.enabled === false ||
+                    (negotiated.mode !== null &&
+                        negotiated.mode !== undefined &&
+                        negotiated.mode !== "aft")) {
+                    logger$3.debug("aft_injection_skipped_due_to_policy", {
+                        envelope_id: envelope.id,
+                        policy_mode: negotiated.mode ?? null,
+                        policy_enabled: negotiated.enabled ?? null,
+                    });
+                    return envelope;
+                }
+            }
+            logger$3.debug("applying_aft_for_upstream_stickiness_required", {
+                envelope_id: envelope.id,
+                from_system_id: context.fromSystemId ?? null,
+                delivery_origin: context.originType ?? null,
+            });
+            const success = await helper.requestStickiness(envelope, {
+                ttlSec: null,
+                scope: "node",
+                context: stickinessContext,
+            });
+            if (success) {
+                logger$3.debug("aft_token_applied_via_context_flag_upstream", {
+                    envelope_id: envelope.id,
+                    from_system_id: context.fromSystemId ?? null,
+                    delivery_origin: context.originType ?? null,
+                });
+            }
+            else {
+                logger$3.debug("aft_token_not_applied_upstream", {
+                    envelope_id: envelope.id,
+                    delivery_origin: context.originType ?? null,
+                    reason: "helper_returned_false",
                 });
-                throw new Error(`Invalid logical format: ${pathError}`);
             }
-            logger$2.debug("logicals_validation_successful");
         }
-        logger$2.debug("requesting_node_placement", { systemId });
-        const placementResult = await this.placementStrategy.place(normalizedHello);
-        if (!placementResult.accept) {
-            logger$2.error("node_placement_rejected", {
-                systemId,
-                reason: placementResult.reason,
+        return envelope;
+    }
+    async onNodeStarted(node) {
+        if (!this.isInitialized) {
+            await this.initializeAftHelper(node);
+            return;
+        }
+        if (this.aftHelper && node.sid) {
+            this.updateNodeSid(node.sid);
+            logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
+                node_id: node.id ?? "unknown",
+                node_sid: node.sid,
+                security_level: this.aftHelper.signer.securityLevel,
             });
-            throw new Error(placementResult.reason || "Node not accepted");
         }
-        const assignedPath = placementResult.assignedPath;
-        logger$2.debug("node_placement_accepted", {
-            systemId,
-            assignedPath,
-            targetPhysicalPath: placementResult.targetPhysicalPath ?? null,
-            targetSystemId: placementResult.targetSystemId ?? null,
-        });
-        const acceptedCapabilities = coercePlacementMetadataValue(placementResult.metadata, "acceptedCapabilities", "accepted_capabilities") ??
-            normalizedHello.capabilities ??
-            null;
-        const acceptedLogicals = coercePlacementMetadataValue(placementResult.metadata, "acceptedLogicals", "accepted_logicals") ??
-            normalizedHello.logicals ??
-            null;
-        logger$2.debug("processing_placement_result_metadata", {
-            acceptedCapabilities,
-            acceptedLogicals,
-            hasPlacementMetadata: placementResult.metadata !== undefined &&
-                placementResult.metadata !== null,
-        });
-        const connectionGrants = [];
-        const metadataInstanceId = (typeof fullMetadata.instanceId === "string" &&
-            fullMetadata.instanceId) ||
-            (typeof fullMetadata.instance_id === "string" &&
-                fullMetadata.instance_id) ||
-            normalizedHello.instanceId ||
-            core.generateId();
-        if (placementResult.targetSystemId) {
-            logger$2.debug("issuing_node_attach_token", {
-                systemId,
-                assignedPath,
+        else if (!node.sid) {
+            logger$3.warning("aft_replica_stickiness_manager_no_sid_available", {
+                node_id: node.id ?? "unknown",
             });
-            const nodeAttachToken = await this.tokenIssuer.issue({
-                aud: placementResult.targetPhysicalPath,
-                system_id: systemId,
-                parent_path: placementResult.targetPhysicalPath,
-                assigned_path: placementResult.assignedPath,
-                accepted_logicals: acceptedLogicals,
-                instance_id: metadataInstanceId,
+        }
+        else {
+            logger$3.error("aft_replica_stickiness_manager_node_missing_sid", {
+                node_type: node.constructor?.name ?? typeof node,
             });
-            logger$2.debug("token_issued_successfully");
-            logger$2.debug("provisioning_transport", { systemId });
-            const transportInfo = await this.transportProvisioner.provision(placementResult, normalizedHello, fullMetadata, nodeAttachToken);
-            logger$2.debug("transport_provisioned_successfully", {
-                systemId,
-                directiveType: transportInfo.connectionGrant &&
-                    typeof transportInfo.connectionGrant === "object"
-                    ? (transportInfo.connectionGrant.type ??
-                        "Unknown")
-                    : "Unknown",
+        }
+    }
+    updateNodeSid(nodeSid) {
+        if (this.aftHelper) {
+            this.aftHelper.nodeSid = nodeSid;
+            logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
+                new_sid: nodeSid,
             });
-            connectionGrants.push(transportInfo.connectionGrant);
         }
-        const caSignToken = await this.tokenIssuer.issue({
-            aud: "ca",
-            system_id: systemId,
-            assigned_path: assignedPath,
-            accepted_logicals: acceptedLogicals,
-            instance_id: metadataInstanceId,
-        });
-        const caGrant = {
-            type: runtime.HTTP_CONNECTION_GRANT_TYPE,
-            purpose: GRANT_PURPOSE_CA_SIGN,
-            url: this.caServiceUrl,
-            auth: {
-                type: "BearerTokenHeaderAuth",
-                tokenProvider: {
-                    type: "StaticTokenProvider",
-                    token: caSignToken,
-                },
-            },
-        };
-        connectionGrants.push(caGrant);
-        const welcomeFrame = {
-            type: "NodeWelcome",
-            systemId,
-            targetSystemId: placementResult.targetSystemId ?? undefined,
-            targetPhysicalPath: placementResult.targetPhysicalPath ?? undefined,
-            instanceId: normalizedHello.instanceId,
-            assignedPath,
-            acceptedCapabilities: acceptedCapabilities ?? undefined,
-            acceptedLogicals: acceptedLogicals ?? undefined,
-            rejectedLogicals: undefined,
-            connectionGrants,
-            metadata: Object.keys(fullMetadata).length > 0 ? fullMetadata : undefined,
-            expiresAt: expiry.toISOString(),
-        };
-        logger$2.debug("hello_frame_processing_completed_successfully", {
-            systemId,
-            assignedPath,
-            acceptedLogicals,
-            acceptedCapabilities,
-            expiresAt: welcomeFrame.expiresAt,
-            instanceId: normalizedHello.instanceId,
-        });
-        if (showEnvelopes) {
-            // eslint-disable-next-line no-console
-            console.log(`\n${formatTimestampForConsole()} - ${runtime.color("Sent envelope", runtime.AnsiColor.BLUE)} 🚀\n${prettyModel(welcomeFrame)}`);
+    }
+    async initializeAftHelper(node) {
+        const nodeSid = node.sid;
+        if (!nodeSid) {
+            logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_sid", {
+                node_id: node.id ?? "unknown",
+            });
+            return;
+        }
+        const cryptoProvider = node.cryptoProvider ?? null;
+        if (!cryptoProvider) {
+            logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_crypto_provider", {
+                node_id: node.id ?? "unknown",
+            });
+            return;
+        }
+        const keyId = typeof cryptoProvider.signatureKeyId === "string" &&
+            cryptoProvider.signatureKeyId.length > 0
+            ? cryptoProvider.signatureKeyId
+            : "default-key-id";
+        const privateKeyPem = typeof cryptoProvider.signingPrivatePem === "string"
+            ? cryptoProvider.signingPrivatePem
+            : null;
+        if (this.securityLevel === exports.StickinessMode.STRICT && !privateKeyPem) {
+            logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
+                node_id: node.id ?? "unknown",
+                error: "Missing signing private key for strict security level",
+            });
+            return;
+        }
+        try {
+            const helper = createAftHelper({
+                securityLevel: this.securityLevel,
+                nodeSid,
+                kid: keyId,
+                privateKeyPem,
+                maxTtlSec: this.maxTtlSec,
+            });
+            this.aftHelper = helper;
+            this.isInitialized = true;
+            logger$3.debug("aft_replica_stickiness_manager_initialized", {
+                node_id: node.id ?? "unknown",
+                node_sid: nodeSid,
+                key_id: keyId,
+                security_level: helper.signer.securityLevel,
+            });
         }
-        return welcomeFrame;
+        catch (error) {
+            logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
+                node_id: node.id ?? "unknown",
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    get signer() {
+        return this.aftHelper?.signer ?? null;
+    }
+    getHelper() {
+        return this.aftHelper;
     }
 }
+function createAftReplicaStickinessManager(aftHelper) {
+    return new AFTReplicaStickinessManager({ aftHelper });
+}
 
-const FACTORY_META$4 = {
-    base: runtime.WELCOME_SERVICE_FACTORY_BASE_TYPE,
-    key: "AdvancedWelcomeService",
-    priority: 100,
-    isDefault: true,
+const FACTORY_META$5 = {
+    base: runtime.REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE,
+    key: "AFTReplicaStickinessManager",
 };
-class AdvancedWelcomeServiceFactory extends runtime.WelcomeServiceFactory {
+const DEFAULT_VALUES = {
+    securityLevel: exports.StickinessMode.SIGNED_OPTIONAL,
+    maxTtlSec: 7200,
+};
+function normalizeConfig$3(config) {
+    const record = (config ?? {});
+    const normalizedSecurity = record.securityLevel
+        ? normalizeStickinessMode(record.securityLevel)
+        : DEFAULT_VALUES.securityLevel;
+    const securityLevel = normalizedSecurity ?? DEFAULT_VALUES.securityLevel;
+    const maxTtlSecValue = typeof record.maxTtlSec === "number" && Number.isFinite(record.maxTtlSec)
+        ? Math.max(0, Math.floor(record.maxTtlSec))
+        : DEFAULT_VALUES.maxTtlSec;
+    return {
+        ...record,
+        type: "AFTReplicaStickinessManager",
+        securityLevel,
+        maxTtlSec: maxTtlSecValue,
+    };
+}
+class AFTReplicaStickinessManagerFactory extends runtime.ReplicaStickinessManagerFactory {
     constructor() {
         super(...arguments);
-        this.type = FACTORY_META$4.key;
-        this.isDefault = FACTORY_META$4.isDefault;
-        this.priority = FACTORY_META$4.priority;
-    }
-    async create(config, ...factoryArgs) {
-        const normalized = normalizeConfig$2(config);
-        // Crypto provider should be passed from upstream (node-welcome-server)
-        // Do not create it here - downstream components should use what's passed in factoryArgs
-        const placementStrategy = await runtime.NodePlacementStrategyFactory.createNodePlacementStrategy(normalized.placementConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
-        const transportProvisioner = await runtime.TransportProvisionerFactory.createTransportProvisioner(normalized.transportConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
-        const tokenIssuer = await runtime.TokenIssuerFactory.createTokenIssuer(normalized.tokenIssuerConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
-        let authorizer = null;
-        if (normalized.authorizerConfig) {
-            authorizer =
-                (await runtime.AuthorizerFactory.createAuthorizer(normalized.authorizerConfig, {
-                    factoryArgs,
-                })) ?? null;
-        }
-        const options = {
-            placementStrategy,
-            transportProvisioner,
-            tokenIssuer,
-            authorizer,
-            caServiceUrl: normalized.caServiceUrl,
-        };
-        if (normalized.ttlSec !== undefined) {
-            options.ttlSec = normalized.ttlSec;
-        }
-        return new AdvancedWelcomeService(options);
-    }
-}
-function normalizeConfig$2(config) {
-    if (!config) {
-        throw new Error("AdvancedWelcomeService requires configuration");
-    }
-    const source = config;
-    const ttlCandidate = typeof source.ttlSec === "number"
-        ? source.ttlSec
-        : typeof source.ttl_sec === "number"
-            ? source.ttl_sec
-            : undefined;
-    const caServiceUrlCandidate = typeof source.caServiceUrl === "string" &&
-        source.caServiceUrl.trim().length > 0
-        ? source.caServiceUrl.trim()
-        : typeof source.ca_service_url === "string" &&
-            source.ca_service_url.trim().length > 0
-            ? source.ca_service_url.trim()
-            : undefined;
-    if (!caServiceUrlCandidate) {
-        throw new Error("AdvancedWelcomeService configuration requires caServiceUrl");
-    }
-    const normalized = {
-        caServiceUrl: caServiceUrlCandidate,
-    };
-    if (source.placement !== undefined) {
-        normalized.placementConfig =
-            source.placement ?? null;
-    }
-    if (source.transport !== undefined) {
-        normalized.transportConfig =
-            source.transport ?? null;
-    }
-    const tokenIssuerConfig = source.tokenIssuer !== undefined
-        ? source.tokenIssuer
-        : source.token_issuer !== undefined
-            ? source.token_issuer
-            : undefined;
-    if (tokenIssuerConfig !== undefined) {
-        normalized.tokenIssuerConfig =
-            tokenIssuerConfig ?? null;
-    }
-    if (source.authorizer !== undefined) {
-        normalized.authorizerConfig =
-            source.authorizer ?? null;
+        this.type = FACTORY_META$5.key;
+        this.isDefault = true;
     }
-    if (ttlCandidate !== undefined && Number.isFinite(ttlCandidate)) {
-        normalized.ttlSec = ttlCandidate;
+    async create(config, dependencies) {
+        const resolvedConfig = normalizeConfig$3(config);
+        const helper = dependencies?.aftHelper ?? null;
+        const securityLevel = normalizeStickinessMode(resolvedConfig.securityLevel ?? DEFAULT_VALUES.securityLevel) ?? DEFAULT_VALUES.securityLevel;
+        const maxTtlSec = typeof resolvedConfig.maxTtlSec === "number" &&
+            Number.isFinite(resolvedConfig.maxTtlSec)
+            ? Math.max(0, Math.floor(resolvedConfig.maxTtlSec))
+            : DEFAULT_VALUES.maxTtlSec;
+        return new AFTReplicaStickinessManager({
+            securityLevel,
+            maxTtlSec,
+            aftHelper: helper,
+        });
     }
-    return normalized;
 }
 
-var advancedWelcomeServiceFactory = /*#__PURE__*/Object.freeze({
+var aftReplicaStickinessManagerFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    AdvancedWelcomeServiceFactory: AdvancedWelcomeServiceFactory,
-    FACTORY_META: FACTORY_META$4,
-    default: AdvancedWelcomeServiceFactory
+    AFTReplicaStickinessManagerFactory: AFTReplicaStickinessManagerFactory,
+    FACTORY_META: FACTORY_META$5,
+    default: AFTReplicaStickinessManagerFactory
 });
 
-/**
- * AUTO-GENERATED FILE. DO NOT EDIT DIRECTLY.
- * Generated by scripts/generate-factory-manifest.mjs
- *
- * Provides the list of advanced security factory modules for registration.
- */
-const MODULES = [
-    "./security/cert/default-ca-service-factory.js",
-    "./security/cert/default-certificate-manager-factory.js",
-    "./security/cert/trust-store/browser-trust-store-provider-factory.js",
-    "./security/cert/trust-store/node-trust-store-provider-factory.js",
-    "./security/encryption/channel/channel-encryption-manager-factory.js",
-    "./security/encryption/composite-encryption-manager-factory.js",
-    "./security/encryption/default-secure-channel-manager-factory.js",
-    "./security/encryption/sealed/x25519-encryption-manager-factory.js",
-    "./security/keys/x5c-key-manager-factory.js",
-    "./security/signing/eddsa-envelope-signer-factory.js",
-    "./security/signing/eddsa-envelope-verifier-factory.js",
-    "./stickiness/aft-load-balancer-stickiness-manager-factory.js",
-    "./stickiness/aft-replica-stickiness-manager-factory.js",
-    "./welcome/advanced-welcome-service-factory.js"
-];
-const MODULE_LOADERS = {
-    "./security/cert/default-ca-service-factory.js": () => Promise.resolve().then(function () { return defaultCaServiceFactory; }),
-    "./security/cert/default-certificate-manager-factory.js": () => Promise.resolve().then(function () { return defaultCertificateManagerFactory; }),
-    "./security/cert/trust-store/browser-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return browserTrustStoreProviderFactory; }),
-    "./security/cert/trust-store/node-trust-store-provider-factory.js": () => Promise.resolve().then(function () { return nodeTrustStoreProviderFactory; }),
-    "./security/encryption/channel/channel-encryption-manager-factory.js": () => Promise.resolve().then(function () { return channelEncryptionManagerFactory; }),
-    "./security/encryption/composite-encryption-manager-factory.js": () => Promise.resolve().then(function () { return compositeEncryptionManagerFactory; }),
-    "./security/encryption/default-secure-channel-manager-factory.js": () => Promise.resolve().then(function () { return defaultSecureChannelManagerFactory; }),
-    "./security/encryption/sealed/x25519-encryption-manager-factory.js": () => Promise.resolve().then(function () { return x25519EncryptionManagerFactory; }),
-    "./security/keys/x5c-key-manager-factory.js": () => Promise.resolve().then(function () { return x5cKeyManagerFactory; }),
-    "./security/signing/eddsa-envelope-signer-factory.js": () => Promise.resolve().then(function () { return eddsaEnvelopeSignerFactory; }),
-    "./security/signing/eddsa-envelope-verifier-factory.js": () => Promise.resolve().then(function () { return eddsaEnvelopeVerifierFactory; }),
-    "./stickiness/aft-load-balancer-stickiness-manager-factory.js": () => Promise.resolve().then(function () { return aftLoadBalancerStickinessManagerFactory; }),
-    "./stickiness/aft-replica-stickiness-manager-factory.js": () => Promise.resolve().then(function () { return aftReplicaStickinessManagerFactory; }),
-    "./welcome/advanced-welcome-service-factory.js": () => Promise.resolve().then(function () { return advancedWelcomeServiceFactory; }),
-};
-
-const SECURITY_PREFIX = "./security/";
-const SECURITY_MODULES = MODULES.filter((spec) => spec.startsWith(SECURITY_PREFIX));
-const EXTRA_MODULES = MODULES.filter((spec) => !spec.startsWith(SECURITY_PREFIX));
-const NODE_ONLY_MODULES = new Set([
-    "./security/cert/default-ca-service-factory.js",
-    "./security/cert/trust-store/node-trust-store-provider-factory.js",
-]);
-const FACTORY_MODULE_PREFIX$1 = "@naylence/advanced-security/naylence/fame/";
-const BROWSER_DIST_SEGMENT = "/dist/browser/";
-function detectModuleUrl() {
-    if (typeof __filename === "string") {
-        try {
-            return __filename.startsWith("file://")
-                ? __filename
-                : `file://${__filename}`;
-        }
-        catch {
-            // fall through to stack parsing
-        }
-    }
-    try {
-        throw new Error();
-    }
-    catch (error) {
-        const stack = typeof error === "object" && error && "stack" in error
-            ? String(error.stack ?? "")
-            : "";
-        const lines = stack.split("\n");
-        for (const line of lines) {
-            const match = line.match(/(https?:\/\/[^\s)]+|file:\/\/[^\s)]+\.(?:js|ts)|\/(?:[^\s)]+\.(?:js|ts)))/u);
-            const candidate = match?.[1];
-            if (!candidate) {
-                continue;
-            }
-            if (candidate.startsWith("http://") || candidate.startsWith("https://")) {
-                return candidate;
-            }
-            if (candidate.startsWith("file://")) {
-                return candidate;
-            }
-            return `file://${candidate}`;
-        }
-    }
-    return null;
+const logger$2 = runtime.getLogger("naylence.fame.welcome.advanced_welcome_service");
+const ENV_VAR_SHOW_ENVELOPES = "FAME_SHOW_ENVELOPES";
+const DEFAULT_TTL_SEC = 3600;
+const showEnvelopes = typeof process !== "undefined" &&
+    process.env?.[ENV_VAR_SHOW_ENVELOPES] === "true";
+function nowUtc() {
+    return new Date();
 }
-function computeBrowserFactoryBase(rawUrl) {
-    if (!rawUrl) {
-        return null;
-    }
-    const sanitized = rawUrl.split("?")[0]?.split("#")[0] ?? rawUrl;
-    const esmMarker = "/dist/esm/naylence/fame/";
-    const distMarker = "/dist/";
-    if (sanitized.includes(esmMarker)) {
-        return sanitized.slice(0, sanitized.indexOf(esmMarker) + esmMarker.length);
-    }
-    if (rawUrl.includes(BROWSER_DIST_SEGMENT)) {
-        return new URL("../esm/naylence/fame/", rawUrl).href;
+function formatTimestampForConsole() {
+    return runtime.color(runtime.formatTimestamp(), runtime.AnsiColor.GRAY);
+}
+function prettyModel(value) {
+    try {
+        return runtime.jsonDumps(value);
     }
-    if (sanitized.includes(BROWSER_DIST_SEGMENT)) {
-        const base = sanitized.slice(0, sanitized.indexOf(BROWSER_DIST_SEGMENT) + BROWSER_DIST_SEGMENT.length);
-        return `${base.replace(/browser\/?$/u, "")}esm/naylence/fame/`;
+    catch (error) {
+        return String(error);
     }
-    if (sanitized.includes(distMarker)) {
-        const index = sanitized.indexOf(distMarker);
-        const base = sanitized.slice(0, index + distMarker.length);
-        return `${base}esm/naylence/fame/`;
+}
+function coercePlacementMetadataValue(metadata, camelCaseKey, snakeCaseKey) {
+    if (!metadata) {
+        return undefined;
     }
-    const srcMarker = "/src/naylence/fame/";
-    if (sanitized.includes(srcMarker)) {
-        const index = sanitized.indexOf(srcMarker);
-        const projectRoot = sanitized.slice(0, index);
-        return `${projectRoot}/dist/esm/naylence/fame/`;
+    const record = metadata;
+    if (record[camelCaseKey] !== undefined) {
+        return record[camelCaseKey];
     }
-    if (sanitized.startsWith("http://") || sanitized.startsWith("https://")) {
-        try {
-            const parsed = new URL(rawUrl);
-            const viteDepsSegment = "/node_modules/.vite/deps/";
-            if (parsed.pathname.includes(viteDepsSegment)) {
-                const baseOrigin = `${parsed.protocol}//${parsed.host}`;
-                return `${baseOrigin}/node_modules/@naylence/advanced-security/dist/esm/naylence/fame/`;
-            }
-        }
-        catch {
-            // ignore
-        }
+    if (record[snakeCaseKey] !== undefined) {
+        return record[snakeCaseKey];
     }
-    return null;
+    return undefined;
 }
-const moduleUrl = detectModuleUrl();
-const browserFactoryBase = computeBrowserFactoryBase(moduleUrl);
-const prefersSource = typeof moduleUrl === "string" && moduleUrl.includes("/src/");
-function resolveFactoryModuleSpecifier$1(specifier) {
-    if (specifier.startsWith("../")) {
-        return `${FACTORY_MODULE_PREFIX$1}${specifier.slice("../".length)}`;
-    }
-    if (specifier.startsWith("./")) {
-        return `${FACTORY_MODULE_PREFIX$1}${specifier.slice("./".length)}`;
+class AdvancedWelcomeService {
+    constructor(options) {
+        this.placementStrategy = options.placementStrategy;
+        this.transportProvisioner = options.transportProvisioner;
+        this.tokenIssuer = options.tokenIssuer;
+        this.authorizer = options.authorizer ?? null;
+        this.caServiceUrl = options.caServiceUrl;
+        this.ttlSec =
+            typeof options.ttlSec === "number" && Number.isFinite(options.ttlSec)
+                ? Math.max(0, options.ttlSec)
+                : DEFAULT_TTL_SEC;
+        logger$2.debug("initialized_advanced_welcome_service", {
+            ca_service_url: this.caServiceUrl,
+            ttl_sec: this.ttlSec,
+        });
     }
-    return null;
-}
-function resolveModuleCandidates(spec) {
-    const candidates = [];
-    const seen = new Set();
-    const addCandidate = (candidate) => {
-        if (!candidate) {
-            return;
-        }
-        if (!seen.has(candidate)) {
-            seen.add(candidate);
-            candidates.push(candidate);
+    async handleHello(hello, metadata) {
+        const fullMetadata = metadata
+            ? { ...metadata }
+            : {};
+        const trimmedSystemId = typeof hello.systemId === "string" ? hello.systemId.trim() : "";
+        const systemId = trimmedSystemId.length > 0 ? trimmedSystemId : core.generateId();
+        const wasAssigned = trimmedSystemId.length === 0;
+        const normalizedHello = {
+            ...hello,
+            systemId,
+        };
+        if (showEnvelopes) {
+            // eslint-disable-next-line no-console
+            console.log(`\n${formatTimestampForConsole()} - ${runtime.color("Received envelope 📨", runtime.AnsiColor.BLUE)}\n${prettyModel(normalizedHello)}`);
         }
-    };
-    if (prefersSource && spec.startsWith("./")) {
-        const sourceCandidate = `../${spec.slice(2)}`;
-        addCandidate(sourceCandidate);
-        if (sourceCandidate.endsWith(".js")) {
-            addCandidate(sourceCandidate.replace(/\.js$/u, ".ts"));
+        logger$2.debug("starting_hello_frame_processing", {
+            instanceId: normalizedHello.instanceId,
+            systemId,
+            logicals: normalizedHello.logicals,
+            capabilities: normalizedHello.capabilities,
+            ttlSec: this.ttlSec,
+        });
+        const now = nowUtc();
+        const expiry = new Date(now.getTime() + this.ttlSec * 1000);
+        if (normalizedHello.instanceId) {
+            if (fullMetadata.instanceId === undefined) {
+                fullMetadata.instanceId = normalizedHello.instanceId;
+            }
+            if (fullMetadata.instance_id === undefined) {
+                fullMetadata.instance_id = normalizedHello.instanceId;
+            }
         }
-    }
-    if (browserFactoryBase && spec.startsWith("./")) {
-        try {
-            const browserCandidate = new URL(spec.slice("./".length), browserFactoryBase).href;
-            addCandidate(browserCandidate);
-            if (browserCandidate.endsWith(".js")) {
-                addCandidate(browserCandidate.replace(/\.js$/u, ".ts"));
+        logger$2.debug("system_id_assignment_completed", {
+            systemId,
+            wasAssigned,
+        });
+        if (normalizedHello.logicals?.length) {
+            logger$2.debug("validating_logicals_for_dns_compatibility", {
+                logicals: normalizedHello.logicals,
+            });
+            const [pathsValid, pathError] = runtime.validateHostLogicals(normalizedHello.logicals);
+            if (!pathsValid) {
+                logger$2.error("logical_validation_failed", {
+                    error: pathError,
+                    logicals: normalizedHello.logicals,
+                });
+                throw new Error(`Invalid logical format: ${pathError}`);
             }
+            logger$2.debug("logicals_validation_successful");
         }
-        catch {
-            // ignore resolution failures for browser base
+        logger$2.debug("requesting_node_placement", { systemId });
+        const placementResult = await this.placementStrategy.place(normalizedHello);
+        if (!placementResult.accept) {
+            logger$2.error("node_placement_rejected", {
+                systemId,
+                reason: placementResult.reason,
+            });
+            throw new Error(placementResult.reason || "Node not accepted");
         }
+        const assignedPath = placementResult.assignedPath;
+        logger$2.debug("node_placement_accepted", {
+            systemId,
+            assignedPath,
+            targetPhysicalPath: placementResult.targetPhysicalPath ?? null,
+            targetSystemId: placementResult.targetSystemId ?? null,
+        });
+        const acceptedCapabilities = coercePlacementMetadataValue(placementResult.metadata, "acceptedCapabilities", "accepted_capabilities") ??
+            normalizedHello.capabilities ??
+            null;
+        const acceptedLogicals = coercePlacementMetadataValue(placementResult.metadata, "acceptedLogicals", "accepted_logicals") ??
+            normalizedHello.logicals ??
+            null;
+        logger$2.debug("processing_placement_result_metadata", {
+            acceptedCapabilities,
+            acceptedLogicals,
+            hasPlacementMetadata: placementResult.metadata !== undefined &&
+                placementResult.metadata !== null,
+        });
+        const connectionGrants = [];
+        const metadataInstanceId = (typeof fullMetadata.instanceId === "string" &&
+            fullMetadata.instanceId) ||
+            (typeof fullMetadata.instance_id === "string" &&
+                fullMetadata.instance_id) ||
+            normalizedHello.instanceId ||
+            core.generateId();
+        if (placementResult.targetSystemId) {
+            logger$2.debug("issuing_node_attach_token", {
+                systemId,
+                assignedPath,
+            });
+            const nodeAttachToken = await this.tokenIssuer.issue({
+                aud: placementResult.targetPhysicalPath,
+                system_id: systemId,
+                parent_path: placementResult.targetPhysicalPath,
+                assigned_path: placementResult.assignedPath,
+                accepted_logicals: acceptedLogicals,
+                instance_id: metadataInstanceId,
+            });
+            logger$2.debug("token_issued_successfully");
+            logger$2.debug("provisioning_transport", { systemId });
+            const transportInfo = await this.transportProvisioner.provision(placementResult, normalizedHello, fullMetadata, nodeAttachToken);
+            logger$2.debug("transport_provisioned_successfully", {
+                systemId,
+                directiveType: transportInfo.connectionGrant &&
+                    typeof transportInfo.connectionGrant === "object"
+                    ? (transportInfo.connectionGrant.type ??
+                        "Unknown")
+                    : "Unknown",
+            });
+            connectionGrants.push(transportInfo.connectionGrant);
+        }
+        const caSignToken = await this.tokenIssuer.issue({
+            aud: "ca",
+            system_id: systemId,
+            assigned_path: assignedPath,
+            accepted_logicals: acceptedLogicals,
+            instance_id: metadataInstanceId,
+        });
+        const caGrant = {
+            type: runtime.HTTP_CONNECTION_GRANT_TYPE,
+            purpose: GRANT_PURPOSE_CA_SIGN,
+            url: this.caServiceUrl,
+            auth: {
+                type: "BearerTokenHeaderAuth",
+                tokenProvider: {
+                    type: "StaticTokenProvider",
+                    token: caSignToken,
+                },
+            },
+        };
+        connectionGrants.push(caGrant);
+        const welcomeFrame = {
+            type: "NodeWelcome",
+            systemId,
+            targetSystemId: placementResult.targetSystemId ?? undefined,
+            targetPhysicalPath: placementResult.targetPhysicalPath ?? undefined,
+            instanceId: normalizedHello.instanceId,
+            assignedPath,
+            acceptedCapabilities: acceptedCapabilities ?? undefined,
+            acceptedLogicals: acceptedLogicals ?? undefined,
+            rejectedLogicals: undefined,
+            connectionGrants,
+            metadata: Object.keys(fullMetadata).length > 0 ? fullMetadata : undefined,
+            expiresAt: expiry.toISOString(),
+        };
+        logger$2.debug("hello_frame_processing_completed_successfully", {
+            systemId,
+            assignedPath,
+            acceptedLogicals,
+            acceptedCapabilities,
+            expiresAt: welcomeFrame.expiresAt,
+            instanceId: normalizedHello.instanceId,
+        });
+        if (showEnvelopes) {
+            // eslint-disable-next-line no-console
+            console.log(`\n${formatTimestampForConsole()} - ${runtime.color("Sent envelope", runtime.AnsiColor.BLUE)} 🚀\n${prettyModel(welcomeFrame)}`);
+        }
+        return welcomeFrame;
     }
-    const packageCandidate = resolveFactoryModuleSpecifier$1(spec);
-    addCandidate(packageCandidate);
-    if (packageCandidate?.endsWith(".js")) {
-        addCandidate(packageCandidate.replace(/\.js$/u, ".ts"));
-    }
-    const fallback = spec.startsWith("./") ? `../${spec.slice(2)}` : spec;
-    addCandidate(fallback);
-    if (fallback.endsWith(".js")) {
-        addCandidate(fallback.replace(/\.js$/u, ".ts"));
-    }
-    addCandidate(spec);
-    if (spec.endsWith(".js")) {
-        addCandidate(spec.replace(/\.js$/u, ".ts"));
-    }
-    return candidates;
-}
-const registeredModules = new Set();
-const inflightModules = new Map();
-const browserSkippedModules = new Set();
-function isNodeEnvironment$5() {
-    return (typeof process !== "undefined" &&
-        typeof process.release !== "undefined" &&
-        process.release?.name === "node");
-}
-function shouldSkipModule(spec) {
-    if (isNodeEnvironment$5()) {
-        return false;
-    }
-    if (!NODE_ONLY_MODULES.has(spec)) {
-        return false;
-    }
-    if (!browserSkippedModules.has(spec)) {
-        // console.warn(
-        //   "[advanced-security:factory-manifest] skipped browser-incompatible module",
-        //   spec,
-        // );
-        browserSkippedModules.add(spec);
-    }
-    return true;
-}
-function getDynamicImporter() {
-    if (typeof globalThis === "undefined") {
-        return null;
-    }
-    const candidate = globalThis.__naylenceFactoryDynamicImporter;
-    if (typeof candidate === "function") {
-        return candidate;
-    }
-    return null;
 }
-async function registerModule(spec, registrar) {
-    const candidates = resolveModuleCandidates(spec);
-    const dynamicImporter = getDynamicImporter();
-    const loader = dynamicImporter
-        ? (specifier) => dynamicImporter(specifier)
-        : (specifier) => import(/* @vite-ignore */ specifier);
-    const attempts = [];
-    const staticLoader = MODULE_LOADERS?.[spec];
-    if (staticLoader) {
-        attempts.push({ load: () => staticLoader(), candidate: spec });
-    }
-    for (const candidate of candidates) {
-        attempts.push({ load: () => loader(candidate), candidate });
+
+const FACTORY_META$4 = {
+    base: runtime.WELCOME_SERVICE_FACTORY_BASE_TYPE,
+    key: "AdvancedWelcomeService",
+    priority: 100,
+    isDefault: true,
+};
+class AdvancedWelcomeServiceFactory extends runtime.WelcomeServiceFactory {
+    constructor() {
+        super(...arguments);
+        this.type = FACTORY_META$4.key;
+        this.isDefault = FACTORY_META$4.isDefault;
+        this.priority = FACTORY_META$4.priority;
     }
-    const registerFromModule = (mod) => {
-        const meta = mod.FACTORY_META;
-        const Ctor = mod.default;
-        if (!meta?.base || !meta?.key || typeof Ctor !== "function") {
-            console.warn("[debug] invalid factory module", spec, {
-                meta,
-                hasCtor: typeof Ctor === "function",
-            });
-            console.warn("[advanced-security:factory-manifest] skipped", spec, "— missing FACTORY_META or default export ctor");
-            return false;
-        }
-        const { base, key, ...metadata } = meta;
-        const extraMetadata = Object.keys(metadata).length > 0 ? metadata : undefined;
-        // console.log("[debug] registering module", { spec, base, key, metadata: extraMetadata });
-        registrar.registerFactory(base, key, Ctor, extraMetadata);
-        return true;
-    };
-    for (const [index, { candidate, load }] of attempts.entries()) {
-        try {
-            const mod = await load();
-            return registerFromModule(mod);
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig$2(config);
+        // Crypto provider should be passed from upstream (node-welcome-server)
+        // Do not create it here - downstream components should use what's passed in factoryArgs
+        const placementStrategy = await runtime.NodePlacementStrategyFactory.createNodePlacementStrategy(normalized.placementConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
+        const transportProvisioner = await runtime.TransportProvisionerFactory.createTransportProvisioner(normalized.transportConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
+        const tokenIssuer = await runtime.TokenIssuerFactory.createTokenIssuer(normalized.tokenIssuerConfig ?? null, factoryArgs.length > 0 ? { factoryArgs } : undefined);
+        let authorizer = null;
+        if (normalized.authorizerConfig) {
+            authorizer =
+                (await runtime.AuthorizerFactory.createAuthorizer(normalized.authorizerConfig, {
+                    factoryArgs,
+                })) ?? null;
         }
-        catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            const moduleNotFound = message.includes("Cannot find module") ||
-                message.includes("ERR_MODULE_NOT_FOUND") ||
-                message.includes("Unknown file extension") ||
-                message.includes("Failed to fetch dynamically imported module") ||
-                message.includes("Failed to resolve module specifier") ||
-                message.includes("Importing a module script failed");
-            const isLastAttempt = index === attempts.length - 1;
-            if (!moduleNotFound || isLastAttempt) {
-                console.warn("[debug] failed to import candidate", {
-                    spec,
-                    candidate,
-                    message,
-                });
-                console.warn("[advanced-security:factory-manifest] skipped", spec, "-", message);
-                return false;
-            }
+        const options = {
+            placementStrategy,
+            transportProvisioner,
+            tokenIssuer,
+            authorizer,
+            caServiceUrl: normalized.caServiceUrl,
+        };
+        if (normalized.ttlSec !== undefined) {
+            options.ttlSec = normalized.ttlSec;
         }
+        return new AdvancedWelcomeService(options);
     }
-    return false;
 }
-async function registerModuleOnce(spec, registrar) {
-    if (registeredModules.has(spec)) {
-        return false;
-    }
-    const inflight = inflightModules.get(spec);
-    if (inflight) {
-        return inflight;
+function normalizeConfig$2(config) {
+    if (!config) {
+        throw new Error("AdvancedWelcomeService requires configuration");
     }
-    const registration = (async () => {
-        const registered = await registerModule(spec, registrar);
-        if (registered) {
-            registeredModules.add(spec);
-        }
-        return registered;
-    })();
-    inflightModules.set(spec, registration);
-    try {
-        return await registration;
+    const source = config;
+    const ttlCandidate = typeof source.ttlSec === "number"
+        ? source.ttlSec
+        : typeof source.ttl_sec === "number"
+            ? source.ttl_sec
+            : undefined;
+    const caServiceUrlCandidate = typeof source.caServiceUrl === "string" &&
+        source.caServiceUrl.trim().length > 0
+        ? source.caServiceUrl.trim()
+        : typeof source.ca_service_url === "string" &&
+            source.ca_service_url.trim().length > 0
+            ? source.ca_service_url.trim()
+            : undefined;
+    if (!caServiceUrlCandidate) {
+        throw new Error("AdvancedWelcomeService configuration requires caServiceUrl");
     }
-    finally {
-        inflightModules.delete(spec);
+    const normalized = {
+        caServiceUrl: caServiceUrlCandidate,
+    };
+    if (source.placement !== undefined) {
+        normalized.placementConfig =
+            source.placement ?? null;
     }
-}
-async function registerModules(modules, registrar) {
-    if (modules.length === 0) {
-        return 0;
+    if (source.transport !== undefined) {
+        normalized.transportConfig =
+            source.transport ?? null;
     }
-    const eligibleModules = modules.filter((spec) => !shouldSkipModule(spec));
-    if (eligibleModules.length === 0) {
-        return 0;
+    const tokenIssuerConfig = source.tokenIssuer !== undefined
+        ? source.tokenIssuer
+        : source.token_issuer !== undefined
+            ? source.token_issuer
+            : undefined;
+    if (tokenIssuerConfig !== undefined) {
+        normalized.tokenIssuerConfig =
+            tokenIssuerConfig ?? null;
     }
-    const results = await Promise.all(eligibleModules.map((spec) => registerModuleOnce(spec, registrar)));
-    return results.reduce((count, registered) => (registered ? count + 1 : count), 0);
-}
-async function registerAdvancedSecurityFactories(registrar = factory.Registry, options) {
-    const newlyRegisteredSecurity = await registerModules(SECURITY_MODULES, registrar);
-    if (newlyRegisteredSecurity > 0) {
-        getEncryptionManagerFactoryRegistry().forceRediscovery();
+    if (source.authorizer !== undefined) {
+        normalized.authorizerConfig =
+            source.authorizer ?? null;
     }
-    {
-        await registerModules(EXTRA_MODULES, registrar);
+    if (ttlCandidate !== undefined && Number.isFinite(ttlCandidate)) {
+        normalized.ttlSec = ttlCandidate;
     }
+    return normalized;
 }
 
+var advancedWelcomeServiceFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AdvancedWelcomeServiceFactory: AdvancedWelcomeServiceFactory,
+    FACTORY_META: FACTORY_META$4,
+    default: AdvancedWelcomeServiceFactory
+});
+
 /**
  * Isomorphic entry point for Naylence Advanced Security.
  *
@@ -6460,7 +6502,16 @@ const __advancedSecurityPluginLoader = ensureAdvancedSecurityPluginLoader();
  * runtimes lacking Node.js built-ins. Node-specific certificate authority
  * helpers and Fastify bindings are intentionally excluded.
  */
-// Import and use the loader to ensure bundlers don't tree-shake it away
+// Always register the plugin directly. This ensures it is initialized even if
+// the dynamic import mechanism fails.
+(async () => {
+    try {
+        await advancedSecurityPlugin.register();
+    }
+    catch (err) {
+        console.error('[naylence:advanced-security] Failed to auto-register plugin:', err);
+    }
+})();
 // Mark as used so bundlers keep the import
 if (typeof __advancedSecurityPluginLoader === "undefined") {
     throw new Error("Advanced security plugin loader not initialized");
@@ -9827,48 +9878,6 @@ var nodeTrustStoreProviderFactory = /*#__PURE__*/Object.freeze({
     default: EnvTrustStoreProviderFactory
 });
 
-async function registerAdvancedSecurityPluginFactories(registrar = factory.Registry) {
-    await registerAdvancedSecurityFactories(registrar);
-}
-let initialized = false;
-let initializing = null;
-const advancedSecurityPlugin = {
-    name: "naylence:advanced-security",
-    version: VERSION,
-    async register() {
-        // console.log('[naylence:advanced-security] register() called, initialized=', initialized);
-        if (initialized) {
-            // console.log('[naylence:advanced-security] already initialized, skipping');
-            return;
-        }
-        if (initializing) {
-            console.log("[naylence:advanced-security] already initializing, awaiting...");
-            await initializing;
-            return;
-        }
-        initializing = (async () => {
-            try {
-                // console.log('[naylence:advanced-security] registering advanced security factories...');
-                await registerAdvancedSecurityPluginFactories();
-                // console.log('[naylence:advanced-security] advanced security factories registered');
-                initialized = true;
-            }
-            finally {
-                initializing = null;
-            }
-        })();
-        await initializing;
-    },
-};
-const ADVANCED_SECURITY_PLUGIN_SPECIFIER = advancedSecurityPlugin.name;
-
-var plugin = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    ADVANCED_SECURITY_PLUGIN_SPECIFIER: ADVANCED_SECURITY_PLUGIN_SPECIFIER,
-    default: advancedSecurityPlugin,
-    registerAdvancedSecurityPluginFactories: registerAdvancedSecurityPluginFactories
-});
-
 exports.ADVANCED_EDDSA_ENVELOPE_SIGNER_FACTORY_META = FACTORY_META$9;
 exports.ADVANCED_EDDSA_ENVELOPE_VERIFIER_FACTORY_META = FACTORY_META$8;
 exports.ADVANCED_WELCOME_FACTORY_META = FACTORY_META$4;