@naylence/advanced-security 0.3.7-test.126 → 0.3.7-test.128

package/dist/node/index.cjs

@@ -1,7 +1,6 @@
 'use strict';
 
 var runtime = require('@naylence/runtime');
-var factory = require('@naylence/factory');
 var asn1Schema = require('@peculiar/asn1-schema');
 var asn1Csr = require('@peculiar/asn1-csr');
 var asn1X509 = require('@peculiar/asn1-x509');
@@ -13,16 +12,17 @@ var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
 var utils_js = require('@noble/hashes/utils.js');
 var jose = require('jose');
+var factory = require('@naylence/factory');
 var sha256_js = require('@noble/hashes/sha256.js');
 var x509 = require('@peculiar/x509');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.7-test.126
+// Generated from package.json version: 0.3.7-test.128
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.7-test.126';
+const VERSION = '0.3.7-test.128';
 
 const logger$h = runtime.getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
@@ -3859,45 +3859,6 @@ class EdDSAEnvelopeVerifier {
     }
 }
 
-const DEFAULT_UNCONFIGURED_MESSAGE = "Trust store is not configured. Set FAME_CA_CERTS to a PEM value, a file path, a data URI, or an HTTPS bundle URL.";
-const TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = "TrustStoreProviderFactory";
-class TrustStoreProviderFactory extends factory.AbstractResourceFactory {
-    createUnconfiguredProvider(reason) {
-        return new NullTrustStoreProvider(reason ?? DEFAULT_UNCONFIGURED_MESSAGE);
-    }
-    static async createTrustStoreProvider(config, options = {}) {
-        const { dependencies, factoryArgs, ...restOptions } = options;
-        const mergedFactoryArgs = [
-            ...(dependencies ? [dependencies] : []),
-            ...(factoryArgs ?? []),
-        ];
-        const creationOptions = {
-            ...restOptions,
-            factoryArgs: mergedFactoryArgs,
-        };
-        if (config) {
-            const instance = await factory.createResource(TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, config, creationOptions);
-            return instance ?? new NullTrustStoreProvider();
-        }
-        const instance = await factory.createDefaultResource(TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, null, creationOptions);
-        return instance ?? new NullTrustStoreProvider();
-    }
-}
-class NullTrustStoreProvider {
-    constructor(reason = DEFAULT_UNCONFIGURED_MESSAGE) {
-        this.reason = reason;
-    }
-    async getTrustStorePem() {
-        throw new Error(this.reason);
-    }
-    async getRoots() {
-        return [];
-    }
-    async initialize() {
-        // No-op for the placeholder provider.
-    }
-}
-
 const FACTORY_META$8 = {
     base: runtime.ENVELOPE_VERIFIER_FACTORY_BASE_TYPE,
     key: "EdDSAEnvelopeVerifier",
@@ -3911,13 +3872,15 @@ class AdvancedEdDSAEnvelopeVerifierFactory extends runtime.EnvelopeVerifierFacto
         this.isDefault = true;
         this.priority = 100;
     }
-    async create(_config, keyProvider, signingConfig, options = {}) {
+    async create(_config, keyProvider, signingConfig, ...factoryArgs) {
         if (!keyProvider) {
             throw new Error("EdDSAEnvelopeVerifierFactory requires a key provider");
         }
+        // Extract options from factoryArgs (third parameter after keyProvider and signingConfig)
+        const options = factoryArgs[0] ?? {};
         let trustStoreProvider = options.trustStoreProvider ?? null;
         if (!trustStoreProvider) {
-            trustStoreProvider = await TrustStoreProviderFactory.createTrustStoreProvider();
+            trustStoreProvider = await runtime.TrustStoreProviderFactory.createTrustStoreProvider();
         }
         const resolved = {
             signingConfig: options.signingConfig ?? signingConfig ?? new runtime.SigningConfigClass(),
@@ -8169,10 +8132,9 @@ class DefaultCertificateManager {
                 });
             }
         }
-        const envPem = await resolveTrustStorePemFromEnvironment();
         return {
-            pem: envPem,
-            reason: envPem ? undefined : "trust_store_provider_unconfigured",
+            pem: null,
+            reason: "trust_store_provider_unconfigured",
         };
     }
     async resolveTrustStorePemFromProvider(provider, nodeId) {
@@ -8452,20 +8414,6 @@ function normalizeAuthConfig(candidate) {
     }
     return normalized;
 }
-async function resolveTrustStorePemFromEnvironment() {
-    try {
-        const provider = await TrustStoreProviderFactory.createTrustStoreProvider();
-        const pem = await provider.getTrustStorePem();
-        return normalizePemOrNull(pem);
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        logger$1.debug("trust_store_provider_resolution_failed", {
-            error: message,
-        });
-        return null;
-    }
-}
 
 const FACTORY_META$2 = {
     base: runtime.CERTIFICATE_MANAGER_FACTORY_BASE_TYPE,
@@ -8510,7 +8458,7 @@ function normalizeSigning(config, explicit) {
     }
     return null;
 }
-function normalizeOptions(config, securitySettings, signing) {
+function normalizeOptions(config, securitySettings, signing, trustStorePem) {
     const caServiceUrl = config.caServiceUrl ?? config.ca_service_url ?? null;
     const cryptoProvider = config.cryptoProvider ?? config.crypto_provider ?? null;
     return {
@@ -8518,6 +8466,7 @@ function normalizeOptions(config, securitySettings, signing) {
         signing,
         caServiceUrl,
         cryptoProvider,
+        trustStorePem,
     };
 }
 class DefaultCertificateManagerFactory extends runtime.CertificateManagerFactory {
@@ -8527,11 +8476,13 @@ class DefaultCertificateManagerFactory extends runtime.CertificateManagerFactory
         this.isDefault = true;
         this.priority = 100;
     }
-    async create(config, securitySettings, signing, ..._factoryArgs) {
+    async create(config, securitySettings, signing, ...factoryArgs) {
         const normalizedConfig = normalizeConfig(config);
         const resolvedSecuritySettings = normalizeSecuritySettings(normalizedConfig, securitySettings ?? null);
         const resolvedSigning = normalizeSigning(normalizedConfig, signing ?? null);
-        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning);
+        // Extract trust store PEM resolver from factoryArgs if provided
+        const trustStorePemResolver = factoryArgs[0];
+        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning, trustStorePemResolver ?? null);
         return new DefaultCertificateManager(options);
     }
 }
@@ -9607,12 +9558,12 @@ function isNodeEnvironment$2() {
 }
 
 const FACTORY_META$1 = {
-    base: TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
+    base: runtime.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
     key: "BrowserTrustStoreProvider",
     isDefault: !isNodeEnvironment$1(),
     priority: !isNodeEnvironment$1() ? 100 : 10,
 };
-class BrowserTrustStoreProviderFactory extends TrustStoreProviderFactory {
+class BrowserTrustStoreProviderFactory extends runtime.TrustStoreProviderFactory {
     constructor() {
         super(...arguments);
         this.type = "BrowserTrustStoreProvider";
@@ -9689,12 +9640,12 @@ var browserTrustStoreProviderFactory = /*#__PURE__*/Object.freeze({
 });
 
 const FACTORY_META = {
-    base: TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
+    base: runtime.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
     key: "EnvTrustStoreProvider",
     isDefault: isNodeEnvironment(),
     priority: isNodeEnvironment() ? 100 : 0,
 };
-class EnvTrustStoreProviderFactory extends TrustStoreProviderFactory {
+class EnvTrustStoreProviderFactory extends runtime.TrustStoreProviderFactory {
     constructor() {
         super(...arguments);
         this.type = "EnvTrustStoreProvider";

package/dist/node/index.mjs

@@ -1,5 +1,4 @@
-import { getLogger, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, AnsiColor, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, formatTimestamp, jsonDumps, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, validateHostLogical, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory } from '@naylence/runtime';
-import { ExtensionManager, AbstractResourceFactory, createResource, createDefaultResource, Registry } from '@naylence/factory';
+import { getLogger, EncryptionResult, urlsafeBase64Decode, sealedDecrypt, sealedEncrypt, FIXED_PREFIX_LEN, urlsafeBase64Encode, EncryptionManagerFactory, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, requireCryptoSupport, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SecureChannelManagerFactory, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, EnvelopeSignerFactory, SigningConfigClass, validateSigningKey, JWKValidationError, decodeBase64Url, canonicalJson, secureDigest, frameDigest, immutableHeaders, encodeUtf8, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, EnvelopeVerifierFactory, TrustStoreProviderFactory, TaskSpawner, getKeyStore, DefaultKeyManager, validateJwkComplete, currentTraceId, DeliveryOriginType, KEY_MANAGER_FACTORY_BASE_TYPE, KeyManagerFactory, KeyStoreFactory, BaseNodeEventListener, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, ReplicaStickinessManagerFactory, color, AnsiColor, validateHostLogicals, HTTP_CONNECTION_GRANT_TYPE, formatTimestamp, jsonDumps, WELCOME_SERVICE_FACTORY_BASE_TYPE, WelcomeServiceFactory, NodePlacementStrategyFactory, TransportProvisionerFactory, TokenIssuerFactory, AuthorizerFactory, validateHostLogical, AuthInjectionStrategyFactory, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE } from '@naylence/runtime';
 import { AsnConvert, OctetString } from '@peculiar/asn1-schema';
 import { Attributes, CertificationRequestInfo, CertificationRequest } from '@peculiar/asn1-csr';
 import { Certificate, SubjectAlternativeName, NameConstraints, id_ce_subjectAltName, id_ce_nameConstraints, SubjectPublicKeyInfo, GeneralName, Extensions, Extension, Attribute, AlgorithmIdentifier, Name, RelativeDistinguishedName, AttributeTypeAndValue, AttributeValue, BasicConstraints, id_ce_basicConstraints, KeyUsageFlags, id_ce_keyUsage, KeyUsage, id_ce_subjectKeyIdentifier, SubjectKeyIdentifier, id_ce_authorityKeyIdentifier, AuthorityKeyIdentifier, KeyIdentifier, GeneralSubtrees, GeneralSubtree, TBSCertificate, Validity, Version, id_ce_extKeyUsage, ExtendedKeyUsage, id_kp_clientAuth, id_kp_serverAuth } from '@peculiar/asn1-x509';
@@ -11,16 +10,17 @@ import { x25519 } from '@noble/curves/ed25519.js';
 import { hkdf } from '@noble/hashes/hkdf.js';
 import { utf8ToBytes, randomBytes as randomBytes$1 } from '@noble/hashes/utils.js';
 import { SignJWT, importPKCS8, compactVerify, importJWK, importSPKI } from 'jose';
+import { ExtensionManager, Registry, AbstractResourceFactory } from '@naylence/factory';
 import { sha256 as sha256$1 } from '@noble/hashes/sha256.js';
 import { X509Certificate } from '@peculiar/x509';
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.7-test.126
+// Generated from package.json version: 0.3.7-test.128
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.7-test.126';
+const VERSION = '0.3.7-test.128';
 
 const logger$h = getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
@@ -3857,45 +3857,6 @@ class EdDSAEnvelopeVerifier {
     }
 }
 
-const DEFAULT_UNCONFIGURED_MESSAGE = "Trust store is not configured. Set FAME_CA_CERTS to a PEM value, a file path, a data URI, or an HTTPS bundle URL.";
-const TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = "TrustStoreProviderFactory";
-class TrustStoreProviderFactory extends AbstractResourceFactory {
-    createUnconfiguredProvider(reason) {
-        return new NullTrustStoreProvider(reason ?? DEFAULT_UNCONFIGURED_MESSAGE);
-    }
-    static async createTrustStoreProvider(config, options = {}) {
-        const { dependencies, factoryArgs, ...restOptions } = options;
-        const mergedFactoryArgs = [
-            ...(dependencies ? [dependencies] : []),
-            ...(factoryArgs ?? []),
-        ];
-        const creationOptions = {
-            ...restOptions,
-            factoryArgs: mergedFactoryArgs,
-        };
-        if (config) {
-            const instance = await createResource(TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, config, creationOptions);
-            return instance ?? new NullTrustStoreProvider();
-        }
-        const instance = await createDefaultResource(TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, null, creationOptions);
-        return instance ?? new NullTrustStoreProvider();
-    }
-}
-class NullTrustStoreProvider {
-    constructor(reason = DEFAULT_UNCONFIGURED_MESSAGE) {
-        this.reason = reason;
-    }
-    async getTrustStorePem() {
-        throw new Error(this.reason);
-    }
-    async getRoots() {
-        return [];
-    }
-    async initialize() {
-        // No-op for the placeholder provider.
-    }
-}
-
 const FACTORY_META$8 = {
     base: ENVELOPE_VERIFIER_FACTORY_BASE_TYPE,
     key: "EdDSAEnvelopeVerifier",
@@ -3909,10 +3870,12 @@ class AdvancedEdDSAEnvelopeVerifierFactory extends EnvelopeVerifierFactory {
         this.isDefault = true;
         this.priority = 100;
     }
-    async create(_config, keyProvider, signingConfig, options = {}) {
+    async create(_config, keyProvider, signingConfig, ...factoryArgs) {
         if (!keyProvider) {
             throw new Error("EdDSAEnvelopeVerifierFactory requires a key provider");
         }
+        // Extract options from factoryArgs (third parameter after keyProvider and signingConfig)
+        const options = factoryArgs[0] ?? {};
         let trustStoreProvider = options.trustStoreProvider ?? null;
         if (!trustStoreProvider) {
             trustStoreProvider = await TrustStoreProviderFactory.createTrustStoreProvider();
@@ -8167,10 +8130,9 @@ class DefaultCertificateManager {
                 });
             }
         }
-        const envPem = await resolveTrustStorePemFromEnvironment();
         return {
-            pem: envPem,
-            reason: envPem ? undefined : "trust_store_provider_unconfigured",
+            pem: null,
+            reason: "trust_store_provider_unconfigured",
         };
     }
     async resolveTrustStorePemFromProvider(provider, nodeId) {
@@ -8450,20 +8412,6 @@ function normalizeAuthConfig(candidate) {
     }
     return normalized;
 }
-async function resolveTrustStorePemFromEnvironment() {
-    try {
-        const provider = await TrustStoreProviderFactory.createTrustStoreProvider();
-        const pem = await provider.getTrustStorePem();
-        return normalizePemOrNull(pem);
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        logger$1.debug("trust_store_provider_resolution_failed", {
-            error: message,
-        });
-        return null;
-    }
-}
 
 const FACTORY_META$2 = {
     base: CERTIFICATE_MANAGER_FACTORY_BASE_TYPE,
@@ -8508,7 +8456,7 @@ function normalizeSigning(config, explicit) {
     }
     return null;
 }
-function normalizeOptions(config, securitySettings, signing) {
+function normalizeOptions(config, securitySettings, signing, trustStorePem) {
     const caServiceUrl = config.caServiceUrl ?? config.ca_service_url ?? null;
     const cryptoProvider = config.cryptoProvider ?? config.crypto_provider ?? null;
     return {
@@ -8516,6 +8464,7 @@ function normalizeOptions(config, securitySettings, signing) {
         signing,
         caServiceUrl,
         cryptoProvider,
+        trustStorePem,
     };
 }
 class DefaultCertificateManagerFactory extends CertificateManagerFactory {
@@ -8525,11 +8474,13 @@ class DefaultCertificateManagerFactory extends CertificateManagerFactory {
         this.isDefault = true;
         this.priority = 100;
     }
-    async create(config, securitySettings, signing, ..._factoryArgs) {
+    async create(config, securitySettings, signing, ...factoryArgs) {
         const normalizedConfig = normalizeConfig(config);
         const resolvedSecuritySettings = normalizeSecuritySettings(normalizedConfig, securitySettings ?? null);
         const resolvedSigning = normalizeSigning(normalizedConfig, signing ?? null);
-        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning);
+        // Extract trust store PEM resolver from factoryArgs if provided
+        const trustStorePemResolver = factoryArgs[0];
+        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning, trustStorePemResolver ?? null);
         return new DefaultCertificateManager(options);
     }
 }

package/dist/node/node.cjs

@@ -12,17 +12,17 @@ var chacha_js = require('@noble/ciphers/chacha.js');
 var ed25519_js = require('@noble/curves/ed25519.js');
 var hkdf_js = require('@noble/hashes/hkdf.js');
 var utils_js = require('@noble/hashes/utils.js');
-var factory = require('@naylence/factory');
 var jose = require('jose');
+var factory = require('@naylence/factory');
 var sha256_js = require('@noble/hashes/sha256.js');
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.3.7-test.126
+// Generated from package.json version: 0.3.7-test.128
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.3.7-test.126';
+const VERSION = '0.3.7-test.128';
 
 const logger$h = runtime.getLogger("naylence.fame.security.cert.util");
 const CACHE_LIMIT = 512;
@@ -3870,45 +3870,6 @@ class EdDSAEnvelopeVerifier {
     }
 }
 
-const DEFAULT_UNCONFIGURED_MESSAGE = "Trust store is not configured. Set FAME_CA_CERTS to a PEM value, a file path, a data URI, or an HTTPS bundle URL.";
-const TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = "TrustStoreProviderFactory";
-class TrustStoreProviderFactory extends factory.AbstractResourceFactory {
-    createUnconfiguredProvider(reason) {
-        return new NullTrustStoreProvider(reason ?? DEFAULT_UNCONFIGURED_MESSAGE);
-    }
-    static async createTrustStoreProvider(config, options = {}) {
-        const { dependencies, factoryArgs, ...restOptions } = options;
-        const mergedFactoryArgs = [
-            ...(dependencies ? [dependencies] : []),
-            ...(factoryArgs ?? []),
-        ];
-        const creationOptions = {
-            ...restOptions,
-            factoryArgs: mergedFactoryArgs,
-        };
-        if (config) {
-            const instance = await factory.createResource(TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, config, creationOptions);
-            return instance ?? new NullTrustStoreProvider();
-        }
-        const instance = await factory.createDefaultResource(TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, null, creationOptions);
-        return instance ?? new NullTrustStoreProvider();
-    }
-}
-class NullTrustStoreProvider {
-    constructor(reason = DEFAULT_UNCONFIGURED_MESSAGE) {
-        this.reason = reason;
-    }
-    async getTrustStorePem() {
-        throw new Error(this.reason);
-    }
-    async getRoots() {
-        return [];
-    }
-    async initialize() {
-        // No-op for the placeholder provider.
-    }
-}
-
 const FACTORY_META$9 = {
     base: runtime.ENVELOPE_VERIFIER_FACTORY_BASE_TYPE,
     key: "EdDSAEnvelopeVerifier",
@@ -3922,13 +3883,15 @@ class AdvancedEdDSAEnvelopeVerifierFactory extends runtime.EnvelopeVerifierFacto
         this.isDefault = true;
         this.priority = 100;
     }
-    async create(_config, keyProvider, signingConfig, options = {}) {
+    async create(_config, keyProvider, signingConfig, ...factoryArgs) {
         if (!keyProvider) {
             throw new Error("EdDSAEnvelopeVerifierFactory requires a key provider");
         }
+        // Extract options from factoryArgs (third parameter after keyProvider and signingConfig)
+        const options = factoryArgs[0] ?? {};
         let trustStoreProvider = options.trustStoreProvider ?? null;
         if (!trustStoreProvider) {
-            trustStoreProvider = await TrustStoreProviderFactory.createTrustStoreProvider();
+            trustStoreProvider = await runtime.TrustStoreProviderFactory.createTrustStoreProvider();
         }
         const resolved = {
             signingConfig: options.signingConfig ?? signingConfig ?? new runtime.SigningConfigClass(),
@@ -7168,10 +7131,9 @@ class DefaultCertificateManager {
                 });
             }
         }
-        const envPem = await resolveTrustStorePemFromEnvironment();
         return {
-            pem: envPem,
-            reason: envPem ? undefined : "trust_store_provider_unconfigured",
+            pem: null,
+            reason: "trust_store_provider_unconfigured",
         };
     }
     async resolveTrustStorePemFromProvider(provider, nodeId) {
@@ -7451,20 +7413,6 @@ function normalizeAuthConfig(candidate) {
     }
     return normalized;
 }
-async function resolveTrustStorePemFromEnvironment() {
-    try {
-        const provider = await TrustStoreProviderFactory.createTrustStoreProvider();
-        const pem = await provider.getTrustStorePem();
-        return normalizePemOrNull(pem);
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        logger$1.debug("trust_store_provider_resolution_failed", {
-            error: message,
-        });
-        return null;
-    }
-}
 
 const FACTORY_META$4 = {
     base: runtime.CERTIFICATE_MANAGER_FACTORY_BASE_TYPE,
@@ -7509,7 +7457,7 @@ function normalizeSigning(config, explicit) {
     }
     return null;
 }
-function normalizeOptions(config, securitySettings, signing) {
+function normalizeOptions(config, securitySettings, signing, trustStorePem) {
     const caServiceUrl = config.caServiceUrl ?? config.ca_service_url ?? null;
     const cryptoProvider = config.cryptoProvider ?? config.crypto_provider ?? null;
     return {
@@ -7517,6 +7465,7 @@ function normalizeOptions(config, securitySettings, signing) {
         signing,
         caServiceUrl,
         cryptoProvider,
+        trustStorePem,
     };
 }
 class DefaultCertificateManagerFactory extends runtime.CertificateManagerFactory {
@@ -7526,11 +7475,13 @@ class DefaultCertificateManagerFactory extends runtime.CertificateManagerFactory
         this.isDefault = true;
         this.priority = 100;
     }
-    async create(config, securitySettings, signing, ..._factoryArgs) {
+    async create(config, securitySettings, signing, ...factoryArgs) {
         const normalizedConfig = normalizeConfig$1(config);
         const resolvedSecuritySettings = normalizeSecuritySettings(normalizedConfig, securitySettings ?? null);
         const resolvedSigning = normalizeSigning(normalizedConfig, signing ?? null);
-        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning);
+        // Extract trust store PEM resolver from factoryArgs if provided
+        const trustStorePemResolver = factoryArgs[0];
+        const options = normalizeOptions(normalizedConfig, resolvedSecuritySettings, resolvedSigning, trustStorePemResolver ?? null);
         return new DefaultCertificateManager(options);
     }
 }
@@ -7542,6 +7493,45 @@ var defaultCertificateManagerFactory = /*#__PURE__*/Object.freeze({
     default: DefaultCertificateManagerFactory
 });
 
+const DEFAULT_UNCONFIGURED_MESSAGE = "Trust store is not configured. Set FAME_CA_CERTS to a PEM value, a file path, a data URI, or an HTTPS bundle URL.";
+const TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE = "TrustStoreProviderFactory";
+class TrustStoreProviderFactory extends factory.AbstractResourceFactory {
+    createUnconfiguredProvider(reason) {
+        return new NullTrustStoreProvider(reason ?? DEFAULT_UNCONFIGURED_MESSAGE);
+    }
+    static async createTrustStoreProvider(config, options = {}) {
+        const { dependencies, factoryArgs, ...restOptions } = options;
+        const mergedFactoryArgs = [
+            ...(dependencies ? [dependencies] : []),
+            ...(factoryArgs ?? []),
+        ];
+        const creationOptions = {
+            ...restOptions,
+            factoryArgs: mergedFactoryArgs,
+        };
+        if (config) {
+            const instance = await factory.createResource(TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, config, creationOptions);
+            return instance ?? new NullTrustStoreProvider();
+        }
+        const instance = await factory.createDefaultResource(TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, null, creationOptions);
+        return instance ?? new NullTrustStoreProvider();
+    }
+}
+class NullTrustStoreProvider {
+    constructor(reason = DEFAULT_UNCONFIGURED_MESSAGE) {
+        this.reason = reason;
+    }
+    async getTrustStorePem() {
+        throw new Error(this.reason);
+    }
+    async getRoots() {
+        return [];
+    }
+    async initialize() {
+        // No-op for the placeholder provider.
+    }
+}
+
 const PEM_HEADER = "-----BEGIN CERTIFICATE-----";
 function normalizeLineEndings(value) {
     return value.replace(/\r\n?/gu, "\n");
@@ -8618,12 +8608,12 @@ function isNodeEnvironment$2() {
 }
 
 const FACTORY_META$3 = {
-    base: TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
+    base: runtime.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
     key: "EnvTrustStoreProvider",
     isDefault: isNodeEnvironment$1(),
     priority: isNodeEnvironment$1() ? 100 : 0,
 };
-class EnvTrustStoreProviderFactory extends TrustStoreProviderFactory {
+class EnvTrustStoreProviderFactory extends runtime.TrustStoreProviderFactory {
     constructor() {
         super(...arguments);
         this.type = "EnvTrustStoreProvider";
@@ -8683,12 +8673,12 @@ var nodeTrustStoreProviderFactory = /*#__PURE__*/Object.freeze({
 });
 
 const FACTORY_META$2 = {
-    base: TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
+    base: runtime.TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE,
     key: "BrowserTrustStoreProvider",
     isDefault: !isNodeEnvironment(),
     priority: !isNodeEnvironment() ? 100 : 10,
 };
-class BrowserTrustStoreProviderFactory extends TrustStoreProviderFactory {
+class BrowserTrustStoreProviderFactory extends runtime.TrustStoreProviderFactory {
     constructor() {
         super(...arguments);
         this.type = "BrowserTrustStoreProvider";