@naylence/runtime 0.3.12 → 0.3.13

package/dist/cjs/naylence/fame/connector/broadcast-channel-connector.browser.js

@@ -242,7 +242,7 @@ class BroadcastChannelConnector extends base_async_connector_js_1.BaseAsyncConne
             // Track page lifecycle events to detect browser unload/discard
             if (typeof window !== 'undefined') {
                 const lifecycleLogger = (event) => {
-                    logger.info('broadcast_channel_page_lifecycle', {
+                    logger.debug('broadcast_channel_page_lifecycle', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         event_type: event.type,

package/dist/cjs/naylence/fame/factory-manifest.js

@@ -57,7 +57,10 @@ exports.MODULES = [
     "./node/admission/direct-admission-client-factory.js",
     "./node/admission/noop-admission-client-factory.js",
     "./node/admission/welcome-service-client-factory.js",
+    "./node/default-node-identity-policy-factory.js",
     "./node/node-factory.js",
+    "./node/node-identity-policy-profile-factory.js",
+    "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
@@ -132,7 +135,10 @@ exports.MODULE_LOADERS = {
     "./node/admission/direct-admission-client-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/admission/direct-admission-client-factory.js"))),
     "./node/admission/noop-admission-client-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/admission/noop-admission-client-factory.js"))),
     "./node/admission/welcome-service-client-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/admission/welcome-service-client-factory.js"))),
+    "./node/default-node-identity-policy-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/default-node-identity-policy-factory.js"))),
     "./node/node-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/node-factory.js"))),
+    "./node/node-identity-policy-profile-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/node-identity-policy-profile-factory.js"))),
+    "./node/token-subject-node-identity-policy-factory.js": () => Promise.resolve().then(() => __importStar(require("./node/token-subject-node-identity-policy-factory.js"))),
     "./placement/static-node-placement-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./placement/static-node-placement-strategy-factory.js"))),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/bearer-token-header-auth-injection-strategy-factory.js"))),
     "./security/auth/default-authorizer-factory.js": () => Promise.resolve().then(() => __importStar(require("./security/auth/default-authorizer-factory.js"))),

package/dist/cjs/naylence/fame/grants/grant-materializer.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GrantMaterializer = void 0;
+const token_provider_factory_js_1 = require("../security/auth/token-provider-factory.js");
+const materializable_token_provider_js_1 = require("../security/auth/materializable-token-provider.js");
+const logging_js_1 = require("../util/logging.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.grants.grant_materializer');
+class GrantMaterializer {
+    static async materialize(grant) {
+        const candidate = grant;
+        const auth = candidate.auth;
+        if (!auth) {
+            return grant;
+        }
+        const tokenProviderConfig = (auth.tokenProvider ??
+            auth.token_provider);
+        if (!tokenProviderConfig || typeof tokenProviderConfig.type !== 'string') {
+            return grant;
+        }
+        try {
+            const provider = await token_provider_factory_js_1.TokenProviderFactory.createTokenProvider(tokenProviderConfig);
+            if ((0, materializable_token_provider_js_1.isMaterializableTokenProvider)(provider)) {
+                const materializedConfig = await provider.materialize();
+                if (materializedConfig) {
+                    logger.debug('grant_materialized', {
+                        grantType: candidate.type,
+                        providerType: tokenProviderConfig.type,
+                    });
+                    const newAuth = { ...auth };
+                    if ('tokenProvider' in newAuth) {
+                        newAuth.tokenProvider = materializedConfig;
+                    }
+                    if ('token_provider' in newAuth) {
+                        newAuth.token_provider = materializedConfig;
+                    }
+                    return {
+                        ...grant,
+                        auth: newAuth,
+                    };
+                }
+            }
+        }
+        catch (error) {
+            if (error &&
+                error.name === 'OAuth2PkceRedirectInitiatedError') {
+                logger.info('grant_materialization_redirecting', {
+                    grantType: candidate.type,
+                });
+                throw error;
+            }
+            logger.warning('grant_materialization_failed', {
+                error: error instanceof Error ? error.message : String(error),
+                grantType: candidate.type,
+            });
+        }
+        return grant;
+    }
+}
+exports.GrantMaterializer = GrantMaterializer;

package/dist/cjs/naylence/fame/node/admission/admission-profile-factory.js

@@ -237,11 +237,13 @@ class AdmissionProfileFactory extends admission_client_factory_js_1.AdmissionCli
         super(...arguments);
         this.type = 'AdmissionProfile';
     }
-    async create(config) {
+    async create(config, ...factoryArgs) {
         const normalized = normalizeConfig(config);
         const profileConfig = resolveProfileConfig(normalized.profile);
         logger.debug('enabling_admission_profile', { profile: normalized.profile });
-        return admission_client_factory_js_1.AdmissionClientFactory.createAdmissionClient(profileConfig);
+        return admission_client_factory_js_1.AdmissionClientFactory.createAdmissionClient(profileConfig, {
+            factoryArgs,
+        });
     }
 }
 exports.AdmissionProfileFactory = AdmissionProfileFactory;

package/dist/cjs/naylence/fame/node/admission/direct-admission-client-factory.js

@@ -13,7 +13,7 @@ class DirectAdmissionClientFactory extends admission_client_factory_js_1.Admissi
         super(...arguments);
         this.type = 'DirectAdmissionClient';
     }
-    async create(config) {
+    async create(config, ...factoryArgs) {
         if (!config) {
             throw new Error('DirectAdmissionClient configuration is required');
         }
@@ -24,9 +24,11 @@ class DirectAdmissionClientFactory extends admission_client_factory_js_1.Admissi
             });
             return JSON.parse(JSON.stringify(evaluated));
         });
+        const identityPolicy = factoryArgs.find((arg) => Boolean(arg && typeof arg === 'object' && 'identityPolicy' in arg))?.identityPolicy;
         return new direct_admission_client_js_1.DirectAdmissionClient({
             connectionGrants: evaluatedGrants,
             ttlSec: normalized.ttlSec ?? null,
+            nodeIdentityPolicy: identityPolicy,
         });
     }
 }

package/dist/cjs/naylence/fame/node/admission/direct-admission-client.js

@@ -5,6 +5,7 @@ const core_1 = require("@naylence/core");
 const ttl_constants_js_1 = require("../../constants/ttl-constants.js");
 const logging_js_1 = require("../../util/logging.js");
 const ttl_validation_js_1 = require("../../util/ttl-validation.js");
+const grant_materializer_js_1 = require("../../grants/grant-materializer.js");
 const logger = (0, logging_js_1.getLogger)('naylence.fame.node.admission.direct_admission_client');
 class DirectAdmissionClient {
     constructor(options) {
@@ -28,6 +29,7 @@ class DirectAdmissionClient {
         else {
             this.ttlSec = ttlCandidate;
         }
+        this.nodeIdentityPolicy = options.nodeIdentityPolicy;
     }
     async hello(systemId, instanceId, requestedLogicals) {
         logger.debug('direct_admission_hello_start', {
@@ -35,26 +37,27 @@ class DirectAdmissionClient {
             instanceId,
             requestedLogicals,
         });
-        const effectiveSystemId = systemId && systemId.trim().length > 0
-            ? systemId
-            : await (0, core_1.generateIdAsync)({ mode: 'fingerprint' }).catch(async () => {
-                logger.debug('direct_admission_fingerprint_generation_failed', {
-                    reason: 'falling back to random id',
-                });
-                return (0, core_1.generateIdAsync)({ mode: 'random' });
-            });
+        const initialSystemId = systemId;
         const acceptedLogicals = requestedLogicals && requestedLogicals.length > 0
             ? [...requestedLogicals]
             : ['*'];
         const now = Date.now();
         const ttlSeconds = this.resolveTtlSeconds();
         const expiresAt = new Date(now + ttlSeconds * 1000);
+        const materializedGrants = await Promise.all(this.connectionGrants.map((grant) => grant_materializer_js_1.GrantMaterializer.materialize(grant)));
+        const effectiveSystemId = this.nodeIdentityPolicy
+            ? await this.nodeIdentityPolicy.resolveAdmissionNodeId({
+                currentNodeId: initialSystemId,
+                identities: [],
+                grants: materializedGrants,
+            })
+            : initialSystemId;
         const welcomeFrame = {
             type: 'NodeWelcome',
             systemId: effectiveSystemId,
             instanceId,
             acceptedLogicals,
-            connectionGrants: this.connectionGrants.map((grant) => cloneGrant(grant)),
+            connectionGrants: materializedGrants.map((grant) => cloneGrant(grant)),
             expiresAt: expiresAt.toISOString(),
         };
         const envelope = (0, core_1.createFameEnvelope)({

package/dist/cjs/naylence/fame/node/default-node-identity-policy-factory.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultNodeIdentityPolicyFactory = exports.FACTORY_META = void 0;
+const default_node_identity_policy_js_1 = require("./default-node-identity-policy.js");
+const node_identity_policy_factory_js_1 = require("./node-identity-policy-factory.js");
+exports.FACTORY_META = {
+    base: node_identity_policy_factory_js_1.NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
+    key: 'DefaultNodeIdentityPolicy',
+};
+class DefaultNodeIdentityPolicyFactory extends node_identity_policy_factory_js_1.NodeIdentityPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'DefaultNodeIdentityPolicy';
+        this.isDefault = true;
+    }
+    async create(_config) {
+        return new default_node_identity_policy_js_1.DefaultNodeIdentityPolicy();
+    }
+}
+exports.DefaultNodeIdentityPolicyFactory = DefaultNodeIdentityPolicyFactory;
+exports.default = DefaultNodeIdentityPolicyFactory;

package/dist/cjs/naylence/fame/node/default-node-identity-policy.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultNodeIdentityPolicy = void 0;
+const core_1 = require("@naylence/core");
+const token_provider_factory_js_1 = require("../security/auth/token-provider-factory.js");
+const token_provider_js_1 = require("../security/auth/token-provider.js");
+const logging_js_1 = require("../util/logging.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.node.default_node_identity_policy');
+class DefaultNodeIdentityPolicy {
+    async resolveInitialNodeId(context) {
+        if (context.configuredId) {
+            return context.configuredId;
+        }
+        if (context.persistedId) {
+            return context.persistedId;
+        }
+        return await (0, core_1.generateIdAsync)({ mode: 'fingerprint' });
+    }
+    async resolveAdmissionNodeId(context) {
+        // Try to extract identity from grants first
+        if (context.grants && context.grants.length > 0) {
+            for (const grant of context.grants) {
+                try {
+                    const auth = grant.auth;
+                    if (!auth) {
+                        continue;
+                    }
+                    const tokenProviderConfig = (auth.tokenProvider ??
+                        auth.token_provider);
+                    if (!tokenProviderConfig ||
+                        typeof tokenProviderConfig.type !== 'string') {
+                        continue;
+                    }
+                    const provider = await token_provider_factory_js_1.TokenProviderFactory.createTokenProvider(tokenProviderConfig);
+                    if ((0, token_provider_js_1.isIdentityExposingTokenProvider)(provider)) {
+                        const identity = await provider.getIdentity();
+                        if (identity && identity.subject) {
+                            logger.debug('identity_extracted_from_grant', {
+                                identity_id: identity.subject,
+                                grant_type: grant.type,
+                            });
+                            return identity.subject;
+                        }
+                    }
+                }
+                catch (error) {
+                    logger.warning('identity_extraction_failed', {
+                        error: error instanceof Error ? error.message : String(error),
+                        grant_type: grant.type,
+                    });
+                }
+            }
+        }
+        if (!context.currentNodeId) {
+            return await (0, core_1.generateIdAsync)({ mode: 'fingerprint' });
+        }
+        return context.currentNodeId;
+    }
+}
+exports.DefaultNodeIdentityPolicy = DefaultNodeIdentityPolicy;

package/dist/cjs/naylence/fame/node/factory-commons.js

@@ -34,9 +34,10 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.makeCommonOptions = makeCommonOptions;
-const core_1 = require("@naylence/core");
 const factory_1 = require("@naylence/factory");
 const admission_client_factory_js_1 = require("./admission/admission-client-factory.js");
+const default_node_identity_policy_js_1 = require("./default-node-identity-policy.js");
+const node_identity_policy_factory_js_1 = require("./node-identity-policy-factory.js");
 const default_node_attach_client_js_1 = require("./admission/default-node-attach-client.js");
 const transport_listener_factory_js_1 = require("../connector/transport-listener-factory.js");
 const storage_provider_factory_js_1 = require("../storage/storage-provider-factory.js");
@@ -158,6 +159,7 @@ async function makeCommonOptions(config, rawConfig) {
     const deliveryConfig = pickOption(config.delivery ?? null, aliasRecord, 'delivery_policy');
     const telemetryConfig = pickOption(config.telemetry ?? null, aliasRecord, 'trace_emitter', 'telemetry_config');
     const securityConfig = pickOption(config.security ?? null, aliasRecord, 'security_manager', 'security_profile');
+    const identityPolicyConfig = pickOption(config.identityPolicy ?? null, aliasRecord, 'identity_policy', 'node_identity_policy');
     const publicUrl = pickString(config.publicUrl ?? null, aliasRecord, 'public_url') ?? null;
     const directParentUrl = pickString(config.directParentUrl ?? null, aliasRecord, 'direct_parent_url') ?? null;
     const hasParentFlag = config.hasParent || Boolean(aliasRecord.has_parent ?? false);
@@ -166,7 +168,8 @@ async function makeCommonOptions(config, rawConfig) {
     const storageProvider = await resolveStorageProvider(storageConfig ?? null, expressionOptions);
     const nodeMetaStore = await storageProvider.getKeyValueStore(node_meta_js_1.NodeMetaRecord, node_meta_js_1.NODE_META_NAMESPACE);
     const nodeMeta = await nodeMetaStore.get('self');
-    const admissionClient = await resolveAdmissionClient(admissionConfig ?? null, expressionOptions);
+    const identityPolicy = await resolveNodeIdentityPolicy(identityPolicyConfig ?? null, expressionOptions);
+    const admissionClient = await resolveAdmissionClient(admissionConfig ?? null, expressionOptions, identityPolicy ?? undefined);
     const hasParent = determineHasParent(hasParentFlag, directParentUrl, admissionClient);
     const replicaStickinessManager = await resolveReplicaStickinessManager(hasParent, requestedLogicals, expressionOptions);
     const attachmentKeyValidator = await resolveAttachmentKeyValidator(attachmentKeyValidatorConfig ?? null, expressionOptions);
@@ -198,9 +201,11 @@ async function makeCommonOptions(config, rawConfig) {
         addEventListener(listener, eventListeners);
     }
     const bindingStore = await storageProvider.getKeyValueStore(binding_manager_js_1.BindingStoreEntryRecord, BINDING_STORE_NAMESPACE);
-    const systemId = systemIdOverride ??
-        nodeMeta?.id ??
-        (await (0, core_1.generateIdAsync)({ mode: 'fingerprint' }));
+    const effectiveIdentityPolicy = identityPolicy ?? new default_node_identity_policy_js_1.DefaultNodeIdentityPolicy();
+    const systemId = await effectiveIdentityPolicy.resolveInitialNodeId({
+        configuredId: systemIdOverride,
+        persistedId: nodeMeta?.id,
+    });
     const attachClientOptions = {
         ...(attachmentKeyValidator ? { attachmentKeyValidator } : {}),
         ...(replicaStickinessManager ? { replicaStickinessManager } : {}),
@@ -231,8 +236,20 @@ async function makeCommonOptions(config, rawConfig) {
         eventListeners,
         transportListeners,
         traceEmitter,
+        identityPolicy: identityPolicy ?? undefined,
     };
 }
+async function resolveNodeIdentityPolicy(config, options) {
+    try {
+        return await node_identity_policy_factory_js_1.NodeIdentityPolicyFactory.createNodeIdentityPolicy(config ?? undefined, cloneCreateOptions(options));
+    }
+    catch (error) {
+        logger.warning('node_identity_policy_creation_failed', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return null;
+    }
+}
 async function resolveStorageProvider(config, options) {
     if (config) {
         try {
@@ -246,12 +263,19 @@ async function resolveStorageProvider(config, options) {
     }
     return new in_memory_storage_js_1.InMemoryStorageProvider();
 }
-async function resolveAdmissionClient(config, options) {
+async function resolveAdmissionClient(config, options, identityPolicy) {
     if (config && typeof config.hello === 'function') {
         return config;
     }
     try {
-        return await admission_client_factory_js_1.AdmissionClientFactory.createAdmissionClient((config ?? null), cloneCreateOptions(options));
+        const createOptions = cloneCreateOptions(options);
+        if (identityPolicy) {
+            createOptions.factoryArgs = [
+                ...(createOptions.factoryArgs ?? []),
+                { identityPolicy },
+            ];
+        }
+        return await admission_client_factory_js_1.AdmissionClientFactory.createAdmissionClient((config ?? null), createOptions);
     }
     catch (error) {
         logger.warning('admission_client_creation_failed', {

package/dist/cjs/naylence/fame/node/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NodeFactory = exports.NODE_LIKE_FACTORY_BASE_TYPE = void 0;
+exports.NodeIdentityPolicyProfileFactory = exports.TokenSubjectNodeIdentityPolicyFactory = exports.DefaultNodeIdentityPolicyFactory = exports.NodeFactory = exports.NODE_LIKE_FACTORY_BASE_TYPE = void 0;
 const tslib_1 = require("tslib");
 require("./node-factory.js");
 /**
@@ -24,3 +24,13 @@ tslib_1.__exportStar(require("./fame-environment-context.js"), exports);
 tslib_1.__exportStar(require("./session-manager.js"), exports);
 tslib_1.__exportStar(require("./upstream-session-manager.js"), exports);
 tslib_1.__exportStar(require("./root-session-manager.js"), exports);
+tslib_1.__exportStar(require("./node-identity-policy.js"), exports);
+tslib_1.__exportStar(require("./node-identity-policy-factory.js"), exports);
+tslib_1.__exportStar(require("./default-node-identity-policy.js"), exports);
+var default_node_identity_policy_factory_js_1 = require("./default-node-identity-policy-factory.js");
+Object.defineProperty(exports, "DefaultNodeIdentityPolicyFactory", { enumerable: true, get: function () { return default_node_identity_policy_factory_js_1.DefaultNodeIdentityPolicyFactory; } });
+tslib_1.__exportStar(require("./token-subject-node-identity-policy.js"), exports);
+var token_subject_node_identity_policy_factory_js_1 = require("./token-subject-node-identity-policy-factory.js");
+Object.defineProperty(exports, "TokenSubjectNodeIdentityPolicyFactory", { enumerable: true, get: function () { return token_subject_node_identity_policy_factory_js_1.TokenSubjectNodeIdentityPolicyFactory; } });
+var node_identity_policy_profile_factory_js_1 = require("./node-identity-policy-profile-factory.js");
+Object.defineProperty(exports, "NodeIdentityPolicyProfileFactory", { enumerable: true, get: function () { return node_identity_policy_profile_factory_js_1.NodeIdentityPolicyProfileFactory; } });

package/dist/cjs/naylence/fame/node/node-config.js

@@ -25,6 +25,7 @@ const FameNodeConfigSchemaInternal = zod_1.z
     attachmentKeyValidator: zod_1.z.unknown().optional().nullable(),
     telemetry: zod_1.z.unknown().optional().nullable(),
     requestedCapabilities: zod_1.z.array(zod_1.z.string()).optional(),
+    identityPolicy: zod_1.z.unknown().optional().nullable(),
 })
     .passthrough();
 function normalizeFameNodeConfig(input) {
@@ -63,6 +64,9 @@ function normalizeFameNodeConfig(input) {
         telemetry: parsed.telemetry === undefined
             ? null
             : parsed.telemetry,
+        identityPolicy: parsed.identityPolicy === undefined
+            ? null
+            : parsed.identityPolicy,
     };
     if (parsed.requestedCapabilities) {
         normalized.requestedCapabilities = coerceStringArray(parsed.requestedCapabilities);

package/dist/cjs/naylence/fame/node/node-identity-policy-factory.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NodeIdentityPolicyFactory = exports.NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE = void 0;
+const factory_1 = require("@naylence/factory");
+exports.NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE = 'NodeIdentityPolicyFactory';
+class NodeIdentityPolicyFactory extends factory_1.AbstractResourceFactory {
+    static async createNodeIdentityPolicy(config, options = {}) {
+        if (config) {
+            const policy = await (0, factory_1.createResource)(exports.NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, config, options);
+            if (!policy) {
+                throw new Error('Failed to create node identity policy from configuration');
+            }
+            return policy;
+        }
+        const policy = await (0, factory_1.createDefaultResource)(exports.NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, null, options);
+        if (!policy) {
+            throw new Error('Failed to create default node identity policy');
+        }
+        return policy;
+    }
+}
+exports.NodeIdentityPolicyFactory = NodeIdentityPolicyFactory;

package/dist/cjs/naylence/fame/node/node-identity-policy-profile-factory.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NodeIdentityPolicyProfileFactory = exports.FACTORY_META = void 0;
+const node_identity_policy_factory_js_1 = require("./node-identity-policy-factory.js");
+const logging_js_1 = require("../util/logging.js");
+const logger = (0, logging_js_1.getLogger)('naylence.fame.node.node_identity_policy_profile_factory');
+const PROFILE_NAME_DEFAULT = 'default';
+const PROFILE_NAME_TOKEN_SUBJECT = 'token-subject';
+const PROFILE_NAME_TOKEN_SUBJECT_ALIAS = 'token_subject';
+const DEFAULT_PROFILE = {
+    type: 'DefaultNodeIdentityPolicy',
+};
+const TOKEN_SUBJECT_PROFILE = {
+    type: 'TokenSubjectNodeIdentityPolicy',
+};
+const PROFILE_MAP = {
+    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [PROFILE_NAME_TOKEN_SUBJECT]: TOKEN_SUBJECT_PROFILE,
+    [PROFILE_NAME_TOKEN_SUBJECT_ALIAS]: TOKEN_SUBJECT_PROFILE,
+};
+exports.FACTORY_META = {
+    base: node_identity_policy_factory_js_1.NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
+    key: 'NodeIdentityPolicyProfile',
+};
+class NodeIdentityPolicyProfileFactory extends node_identity_policy_factory_js_1.NodeIdentityPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'NodeIdentityPolicyProfile';
+    }
+    async create(config) {
+        const normalized = normalizeConfig(config);
+        const profileConfig = resolveProfileConfig(normalized.profile);
+        logger.debug('enabling_node_identity_policy_profile', {
+            profile: normalized.profile,
+        });
+        return node_identity_policy_factory_js_1.NodeIdentityPolicyFactory.createNodeIdentityPolicy(profileConfig);
+    }
+}
+exports.NodeIdentityPolicyProfileFactory = NodeIdentityPolicyProfileFactory;
+function normalizeConfig(config) {
+    if (!config) {
+        return { profile: PROFILE_NAME_DEFAULT };
+    }
+    const candidate = config;
+    const profileValue = typeof candidate.profile === 'string' && candidate.profile.trim().length > 0
+        ? candidate.profile
+        : typeof candidate.profile_name === 'string' &&
+            candidate.profile_name.trim().length > 0
+            ? candidate.profile_name
+            : typeof candidate.profileName === 'string' &&
+                candidate.profileName.trim().length > 0
+                ? candidate.profileName
+                : PROFILE_NAME_DEFAULT;
+    const normalizedProfile = profileValue.trim().toLowerCase();
+    return { profile: normalizedProfile };
+}
+function resolveProfileConfig(profileName) {
+    const profile = PROFILE_MAP[profileName];
+    if (!profile) {
+        throw new Error(`Unknown node identity policy profile: ${profileName}`);
+    }
+    return deepClone(profile);
+}
+function deepClone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+exports.default = NodeIdentityPolicyProfileFactory;

package/dist/cjs/naylence/fame/node/node-identity-policy.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/naylence/fame/node/node.js

@@ -126,14 +126,15 @@ function sortListeners(listeners) {
 class FameNode extends task_spawner_js_1.TaskSpawner {
     constructor(options = {}) {
         super();
+        this._confirmedId = null;
         this._sessionManager = null;
         this._upstreamConnector = null;
         this._isStarted = false;
         this._lastHeartbeatAt = null;
         const systemIdOption = resolveStringOption(options, 'systemId', 'system_id');
-        this._id = systemIdOption ?? (0, core_2.generateId)();
+        this._provisionalId = systemIdOption ?? (0, core_2.generateId)();
         const physicalPathOption = resolveStringOption(options, 'physicalPath', 'physical_path');
-        this._physicalPath = physicalPathOption ?? `/${this._id}`;
+        this._physicalPath = physicalPathOption ?? `/${this._provisionalId}`;
         const hasParentOption = resolveBooleanOption(options, 'hasParent', 'has_parent');
         this._hasParent = hasParentOption ?? false;
         const storageProviderOption = resolveOption(options, 'storageProvider', 'storage_provider');
@@ -187,7 +188,7 @@ class FameNode extends task_spawner_js_1.TaskSpawner {
         const bindingStoreOption = resolveOption(options, 'bindingStore', 'binding_store');
         const bindingManagerOptions = {
             hasUpstream: this._hasParent,
-            getId: () => this._id,
+            getId: () => this.id,
             getPhysicalPath: () => this._physicalPath,
             getAcceptedLogicals: () => this._acceptedLogicals,
             forwardUpstream: (envelope, context) => this.forwardUpstream(envelope, context),
@@ -242,7 +243,8 @@ class FameNode extends task_spawner_js_1.TaskSpawner {
         }
     }
     async initializeRootSessionManager() {
-        const admissionClient = this._admissionClient ?? new noop_admission_client_js_1.NoopAdmissionClient({ systemId: this._id });
+        const admissionClient = this._admissionClient ??
+            new noop_admission_client_js_1.NoopAdmissionClient({ systemId: this._provisionalId });
         const manager = new root_session_manager_js_1.RootSessionManager({
             node: this,
             admissionClient,
@@ -279,9 +281,37 @@ class FameNode extends task_spawner_js_1.TaskSpawner {
         await this.deliver(envelope, context);
         return null;
     }
+    confirmIdentity(systemId, source) {
+        if (this._confirmedId) {
+            if (this._confirmedId !== systemId) {
+                logger.error('node_identity_mismatch', {
+                    current_id: this._confirmedId,
+                    new_id: systemId,
+                    source,
+                });
+                throw new Error(`Node identity mismatch in ${source}: expected ${this._confirmedId}, got ${systemId}`);
+            }
+            return;
+        }
+        const isReassignment = this._provisionalId !== systemId;
+        this._confirmedId = systemId;
+        if (isReassignment) {
+            logger.debug('node_identity_reassigned', {
+                system_id: systemId,
+                previous_id: this._provisionalId,
+                source,
+            });
+        }
+        else {
+            logger.debug('node_identity_confirmed', {
+                system_id: systemId,
+                source,
+            });
+        }
+    }
     async handleWelcome(welcome) {
         if (welcome.systemId) {
-            this._id = welcome.systemId;
+            this.confirmIdentity(welcome.systemId, 'handleWelcome');
         }
         if (welcome.acceptedLogicals) {
             this._acceptedLogicals = new Set(welcome.acceptedLogicals);
@@ -302,7 +332,7 @@ class FameNode extends task_spawner_js_1.TaskSpawner {
         await this.dispatchEvent('onWelcome', welcome);
     }
     async handleAttach(info, connector) {
-        this._id = info.systemId;
+        this.confirmIdentity(info.systemId, 'handleAttach');
         this._physicalPath =
             info.assignedPath ?? info.targetPhysicalPath ?? this._physicalPath;
         this._upstreamConnector = connector;
@@ -388,7 +418,13 @@ class FameNode extends task_spawner_js_1.TaskSpawner {
         });
     }
     get id() {
-        return this._id;
+        if (!this._confirmedId) {
+            throw new Error('Node ID has not been confirmed yet. Use provisionalId for bootstrapping.');
+        }
+        return this._confirmedId;
+    }
+    get provisionalId() {
+        return this._provisionalId;
     }
     get sid() {
         return this._sid;
@@ -907,8 +943,8 @@ class FameNode extends task_spawner_js_1.TaskSpawner {
             const store = await this._nodeMetaStorePromise;
             const existing = await store.get('self');
             const record = existing
-                ? Object.assign(existing, { id: this._id })
-                : new node_meta_js_1.NodeMetaRecord(this._id);
+                ? Object.assign(existing, { id: this.id })
+                : new node_meta_js_1.NodeMetaRecord(this.id);
             await store.set('self', record);
         }
         catch (error) {

package/dist/cjs/naylence/fame/node/root-session-manager.js

@@ -173,8 +173,7 @@ class RootSessionManager extends task_spawner_js_1.TaskSpawner {
     }
     async performAdmission() {
         this.admissionEpoch += 1;
-        this.initializeRootIdentityIfNeeded();
-        const welcome = await this.admissionClient.hello(this.node.id, (0, core_1.generateId)(), this.requestedLogicals);
+        const welcome = await this.admissionClient.hello(this.node.provisionalId, (0, core_1.generateId)(), this.requestedLogicals);
         this.currentWelcome = welcome.frame;
         const cryptoProvider = this.node.cryptoProvider; //getCryptoProvider();
         if (welcome.frame.assignedPath && cryptoProvider?.prepareForAttach) {
@@ -383,15 +382,6 @@ class RootSessionManager extends task_spawner_js_1.TaskSpawner {
             seconds_before_expiry: RootSessionManager.JWT_REFRESH_SAFETY,
         });
     }
-    initializeRootIdentityIfNeeded() {
-        const nodeAny = this.node;
-        if (!this.node.id) {
-            nodeAny._id = (0, core_1.generateId)();
-            logger.debug('root_identity_generated_id_for_admission', {
-                system_id: this.node.id,
-            });
-        }
-    }
     async consumeTask(task) {
         try {
             await task.promise;