@naylence/runtime 0.4.0 → 0.4.2

package/dist/browser/index.cjs

@@ -128,6 +128,7 @@ const MODULES = [
     "./node/node-identity-policy-profile-factory.js",
     "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
+    "./security/auth/authorization-profile-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
     "./security/auth/default-policy-authorizer-factory.js",
@@ -210,6 +211,7 @@ const MODULE_LOADERS = {
     "./node/node-identity-policy-profile-factory.js": () => Promise.resolve().then(function () { return nodeIdentityPolicyProfileFactory; }),
     "./node/token-subject-node-identity-policy-factory.js": () => Promise.resolve().then(function () { return tokenSubjectNodeIdentityPolicyFactory; }),
     "./placement/static-node-placement-strategy-factory.js": () => Promise.resolve().then(function () { return staticNodePlacementStrategyFactory; }),
+    "./security/auth/authorization-profile-factory.js": () => Promise.resolve().then(function () { return authorizationProfileFactory; }),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => Promise.resolve().then(function () { return bearerTokenHeaderAuthInjectionStrategyFactory; }),
     "./security/auth/default-authorizer-factory.js": () => Promise.resolve().then(function () { return defaultAuthorizerFactory; }),
     "./security/auth/default-policy-authorizer-factory.js": () => Promise.resolve().then(function () { return defaultPolicyAuthorizerFactory; }),
@@ -523,12 +525,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.0
+// Generated from package.json version: 0.4.2
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.0';
+const VERSION = '0.4.2';
 
 let initialized = false;
 const runtimePlugin = {
@@ -3732,7 +3734,7 @@ class EnvCredentialProviderFactory extends CredentialProviderFactory {
         return new EnvCredentialProvider(resolved.varName);
     }
 }
-const FACTORY_META$1f = {
+const FACTORY_META$1g = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'EnvCredentialProvider',
 };
@@ -3740,7 +3742,7 @@ const FACTORY_META$1f = {
 var envCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     EnvCredentialProviderFactory: EnvCredentialProviderFactory,
-    FACTORY_META: FACTORY_META$1f,
+    FACTORY_META: FACTORY_META$1g,
     default: EnvCredentialProviderFactory,
     normalizeEnvConfig: normalizeEnvConfig
 });
@@ -3838,14 +3840,14 @@ class PromptCredentialProviderFactory extends CredentialProviderFactory {
         return new PromptCredentialProvider(resolved.credentialName);
     }
 }
-const FACTORY_META$1e = {
+const FACTORY_META$1f = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'PromptCredentialProvider',
 };
 
 var promptCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1e,
+    FACTORY_META: FACTORY_META$1f,
     PromptCredentialProviderFactory: PromptCredentialProviderFactory,
     default: PromptCredentialProviderFactory,
     normalizePromptConfig: normalizePromptConfig
@@ -3899,14 +3901,14 @@ class SecretStoreCredentialProviderFactory extends CredentialProviderFactory {
         return new SecretStoreCredentialProvider(resolved.secretName);
     }
 }
-const FACTORY_META$1d = {
+const FACTORY_META$1e = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'SecretStoreCredentialProvider',
 };
 
 var secretStoreCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1d,
+    FACTORY_META: FACTORY_META$1e,
     SecretStoreCredentialProviderFactory: SecretStoreCredentialProviderFactory,
     default: SecretStoreCredentialProviderFactory,
     normalizeSecretStoreConfig: normalizeSecretStoreConfig
@@ -3955,14 +3957,14 @@ class StaticCredentialProviderFactory extends CredentialProviderFactory {
         return new StaticCredentialProvider(resolved.credentialValue);
     }
 }
-const FACTORY_META$1c = {
+const FACTORY_META$1d = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'StaticCredentialProvider',
 };
 
 var staticCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1c,
+    FACTORY_META: FACTORY_META$1d,
     StaticCredentialProviderFactory: StaticCredentialProviderFactory,
     default: StaticCredentialProviderFactory,
     normalizeStaticConfig: normalizeStaticConfig
@@ -4206,7 +4208,7 @@ const BASE_PROFILE_MAP = {
     [PROFILE_NAME_INDEXEDDB]: INDEXEDDB_PROFILE_CONFIG,
 };
 // Extended profile map - can be augmented by Node.js environment
-const PROFILE_MAP$6 = {
+const PROFILE_MAP$7 = {
     ...BASE_PROFILE_MAP,
 };
 class StorageProfileFactory extends StorageProviderFactory {
@@ -4221,9 +4223,9 @@ class StorageProfileFactory extends StorageProviderFactory {
             type: 'StorageProfile',
         });
         const profileName = (parsed.profile ?? PROFILE_NAME_MEMORY).toLowerCase();
-        const profileConfig = PROFILE_MAP$6[profileName];
+        const profileConfig = PROFILE_MAP$7[profileName];
         if (!profileConfig) {
-            throw new Error(`Unknown storage profile '${profileName}'. Supported profiles: ${Object.keys(PROFILE_MAP$6).join(', ')}`);
+            throw new Error(`Unknown storage profile '${profileName}'. Supported profiles: ${Object.keys(PROFILE_MAP$7).join(', ')}`);
         }
         const createOptions = {
             ...options,
@@ -13251,44 +13253,12 @@ class ConnectionRetryPolicyFactory extends factory.AbstractResourceFactory {
     }
 }
 
-const TOKEN_PROVIDER_FACTORY_BASE_TYPE = 'TokenProviderFactory';
-class TokenProviderFactory extends factory.AbstractResourceFactory {
-    static async createTokenProvider(config, options = {}) {
-        if (config) {
-            const provider = await factory.createResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, config, options);
-            if (!provider) {
-                throw new Error('Failed to create token provider from configuration');
-            }
-            return provider;
-        }
-        let provider = null;
-        try {
-            provider = await factory.createDefaultResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, null, options);
-        }
-        catch (error) {
-            const message = 'Failed to create default token provider' +
-                (error instanceof Error && error.message ? `: ${error.message}` : '');
-            throw new Error(message);
-        }
-        if (!provider) {
-            throw new Error('Failed to create default token provider');
-        }
-        return provider;
-    }
-}
-
-function isTokenProvider(candidate) {
-    return (typeof candidate === 'object' &&
-        candidate !== null &&
-        typeof candidate.getToken === 'function');
-}
-function isIdentityExposingTokenProvider(candidate) {
-    return (isTokenProvider(candidate) &&
-        typeof candidate.getIdentity ===
-            'function');
-}
-
-const logger$12 = getLogger('naylence.fame.node.default_node_identity_policy');
+/**
+ * Default node identity policy that preserves the current node ID.
+ *
+ * This policy does NOT derive identity from tokens or grants.
+ * For token-subject-based identity, use TokenSubjectNodeIdentityPolicy.
+ */
 class DefaultNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -13300,44 +13270,10 @@ class DefaultNodeIdentityPolicy {
         return await core.generateIdAsync({ mode: 'fingerprint' });
     }
     async resolveAdmissionNodeId(context) {
-        // Try to extract identity from grants first
-        if (context.grants && context.grants.length > 0) {
-            for (const grant of context.grants) {
-                try {
-                    const auth = grant.auth;
-                    if (!auth) {
-                        continue;
-                    }
-                    const tokenProviderConfig = (auth.tokenProvider ??
-                        auth.token_provider);
-                    if (!tokenProviderConfig ||
-                        typeof tokenProviderConfig.type !== 'string') {
-                        continue;
-                    }
-                    const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
-                    if (isIdentityExposingTokenProvider(provider)) {
-                        const identity = await provider.getIdentity();
-                        if (identity && identity.subject) {
-                            logger$12.debug('identity_extracted_from_grant', {
-                                identity_id: identity.subject,
-                                grant_type: grant.type,
-                            });
-                            return identity.subject;
-                        }
-                    }
-                }
-                catch (error) {
-                    logger$12.warning('identity_extraction_failed', {
-                        error: error instanceof Error ? error.message : String(error),
-                        grant_type: grant.type,
-                    });
-                }
-            }
+        if (context.currentNodeId) {
+            return context.currentNodeId;
         }
-        if (!context.currentNodeId) {
-            return await core.generateIdAsync({ mode: 'fingerprint' });
-        }
-        return context.currentNodeId;
+        return await core.generateIdAsync({ mode: 'fingerprint' });
     }
 }
 
@@ -13411,7 +13347,7 @@ class AttachmentKeyValidator {
     }
 }
 
-const logger$11 = getLogger('naylence.fame.node.admission.default_node_attach_client');
+const logger$12 = getLogger('naylence.fame.node.admission.default_node_attach_client');
 const HANDSHAKE_POLL_INTERVAL_MS = 20;
 class DefaultNodeAttachClient {
     constructor(options = {}) {
@@ -13435,7 +13371,7 @@ class DefaultNodeAttachClient {
                 }
                 else {
                     // Silently ignore frames from other agents during concurrent handshakes
-                    logger$11.debug('handshake_ignoring_frame_from_different_system', {
+                    logger$12.debug('handshake_ignoring_frame_from_different_system', {
                         frame_type: envelope.frame.type,
                         frame_system_id: frameSystemId,
                         expected_system_id: this.expectedSystemId,
@@ -13478,7 +13414,7 @@ class DefaultNodeAttachClient {
             }
         }
         catch (error) {
-            logger$11.debug('stickiness_offer_skipped', {
+            logger$12.debug('stickiness_offer_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -13499,7 +13435,7 @@ class DefaultNodeAttachClient {
             if (!processedEnvelope) {
                 throw new Error('Envelope was blocked by onForwardUpstream event');
             }
-            logger$11.debug('sending_node_attach_envelope', {
+            logger$12.debug('sending_node_attach_envelope', {
                 envp_id: processedEnvelope.id ?? envelope.id ?? null,
                 frame_type: processedEnvelope.frame?.type ?? 'unknown',
                 trace_id: processedEnvelope.traceId ?? envelope.traceId ?? null,
@@ -13535,7 +13471,7 @@ class DefaultNodeAttachClient {
             try {
                 const keyInfos = await this.attachmentKeyValidator.validateKeys(parentKeys);
                 if (Array.isArray(keyInfos) && keyInfos.length > 0) {
-                    logger$11.debug('parent_certificate_validation_passed', {
+                    logger$12.debug('parent_certificate_validation_passed', {
                         parent_id: parentId,
                         correlation_id: corrId,
                         validated_keys: keyInfos.length,
@@ -13544,7 +13480,7 @@ class DefaultNodeAttachClient {
             }
             catch (error) {
                 if (error instanceof KeyValidationError) {
-                    logger$11.error('parent_certificate_validation_failed', {
+                    logger$12.error('parent_certificate_validation_failed', {
                         parent_id: parentId,
                         correlation_id: corrId,
                         error_code: error.code,
@@ -13558,12 +13494,12 @@ class DefaultNodeAttachClient {
             }
         }
         else {
-            logger$11.debug('parent_certificate_validation_skipped', {
+            logger$12.debug('parent_certificate_validation_skipped', {
                 parent_id: parentId,
                 reason: 'no_validator',
             });
         }
-        logger$11.debug('processing_node_attach_ack', {
+        logger$12.debug('processing_node_attach_ack', {
             parent_id: ackFrame.targetSystemId,
         });
         this.inHandshake = false;
@@ -13594,7 +13530,7 @@ class DefaultNodeAttachClient {
             }
         }
         catch (error) {
-            logger$11.debug('stickiness_accept_skipped', {
+            logger$12.debug('stickiness_accept_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -13648,7 +13584,7 @@ class DefaultNodeAttachClient {
                 // NodeAttach frames during handshake are expected in multi-agent scenarios
                 // where multiple agents attach concurrently to the same channel
                 if (envelope.frame.type === 'NodeAttach') {
-                    logger$11.debug('handshake_ignoring_concurrent_attach', {
+                    logger$12.debug('handshake_ignoring_concurrent_attach', {
                         frame_type: envelope.frame.type,
                         frame_system_id: envelope.frame?.systemId ??
                             'unknown',
@@ -13656,7 +13592,7 @@ class DefaultNodeAttachClient {
                 }
                 else {
                     // Other unexpected frames are still logged as errors
-                    logger$11.error('unexpected_frame_during_handshake', {
+                    logger$12.error('unexpected_frame_during_handshake', {
                         frame_type: envelope.frame.type,
                     });
                 }
@@ -13796,7 +13732,7 @@ class TraceEmitterFactory extends factory.AbstractResourceFactory {
 // void import('./trace-emitter-profile-factory.js');
 
 const BINDING_STORE_NAMESPACE = '__binding_store';
-const logger$10 = getLogger('naylence.fame.node.factory_commons');
+const logger$11 = getLogger('naylence.fame.node.factory_commons');
 function isPlainRecord$2(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
@@ -13990,7 +13926,7 @@ async function resolveNodeIdentityPolicy(config, options) {
         return await NodeIdentityPolicyFactory.createNodeIdentityPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('node_identity_policy_creation_failed', {
+        logger$11.warning('node_identity_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14001,7 +13937,7 @@ async function resolveConnectionRetryPolicy(config, options) {
         return await ConnectionRetryPolicyFactory.createConnectionRetryPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('connection_retry_policy_creation_failed', {
+        logger$11.warning('connection_retry_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14013,7 +13949,7 @@ async function resolveStorageProvider(config, options) {
             return await StorageProviderFactory.createStorageProvider(config, cloneCreateOptions(options));
         }
         catch (error) {
-            logger$10.warning('storage_provider_creation_failed', {
+            logger$11.warning('storage_provider_creation_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -14035,7 +13971,7 @@ async function resolveAdmissionClient(config, options, identityPolicy) {
         return await AdmissionClientFactory.createAdmissionClient((config ?? null), createOptions);
     }
     catch (error) {
-        logger$10.warning('admission_client_creation_failed', {
+        logger$11.warning('admission_client_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14062,7 +13998,7 @@ async function resolveReplicaStickinessManager(hasParent, requestedLogicals, opt
         return await ReplicaStickinessManagerFactory.createReplicaStickinessManager(undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.debug('replica_stickiness_manager_unavailable', { error });
+        logger$11.debug('replica_stickiness_manager_unavailable', { error });
         return null;
     }
 }
@@ -14071,7 +14007,7 @@ async function resolveAttachmentKeyValidator(config, options) {
         return await AttachmentKeyValidatorFactory.createAttachmentKeyValidator(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('attachment_key_validator_creation_failed', {
+        logger$11.warning('attachment_key_validator_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14089,7 +14025,7 @@ async function resolveDeliveryPolicy(config, options) {
         return await DeliveryPolicyFactory.createDeliveryPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('delivery_policy_creation_failed', {
+        logger$11.warning('delivery_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14103,7 +14039,7 @@ async function resolveTransportListeners(configs, eventListeners, options) {
         return await TransportListenerFactory.createTransportListeners(configs, eventListeners, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('transport_listener_creation_failed', {
+        logger$11.warning('transport_listener_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return [];
@@ -14114,7 +14050,7 @@ async function resolveTraceEmitter(config, options) {
         return await TraceEmitterFactory.createTraceEmitter(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('trace_emitter_creation_failed', {
+        logger$11.warning('trace_emitter_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14170,7 +14106,7 @@ async function createSecurityManagerFromConfig(config, overrides, options) {
         return manager ?? null;
     }
     catch (error) {
-        logger$10.warning('security_manager_creation_failed', {
+        logger$11.warning('security_manager_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14199,7 +14135,7 @@ async function resolveCryptoProvider(config, options) {
     // This happens with overlay security profiles that need envelope signing
     if (requiresCryptoProvider(config)) {
         try {
-            logger$10.debug('auto_creating_crypto_provider', {
+            logger$11.debug('auto_creating_crypto_provider', {
                 reason: 'overlay_security_requires_signing',
             });
             // Dynamically import to avoid circular dependencies
@@ -14219,7 +14155,7 @@ async function resolveCryptoProvider(config, options) {
             });
         }
         catch (error) {
-            logger$10.error('failed_to_auto_create_crypto_provider', {
+            logger$11.error('failed_to_auto_create_crypto_provider', {
                 error: error instanceof Error ? error.message : String(error),
             });
             throw error;
@@ -14765,7 +14701,7 @@ class NodeLikeFactory extends factory.AbstractResourceFactory {
 //   registerFactory(NODE_LIKE_FACTORY_BASE_TYPE, type, factory);
 // }
 
-const FACTORY_META$1b = {
+const FACTORY_META$1c = {
     base: NODE_LIKE_FACTORY_BASE_TYPE,
     key: 'Node',
 };
@@ -14807,7 +14743,7 @@ class NodeFactory extends NodeLikeFactory {
 
 var nodeFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1b,
+    FACTORY_META: FACTORY_META$1c,
     NodeFactory: NodeFactory,
     default: NodeFactory
 });
@@ -15384,7 +15320,7 @@ function normalizeSecurityRequirements(value) {
     };
 }
 
-const logger$$ = getLogger('naylence.fame.node.envelope_security_handler');
+const logger$10 = getLogger('naylence.fame.node.envelope_security_handler');
 const ENCRYPTION_OPTION_ALIAS_PAIRS = [
     ['recipKid', 'recip_kid'],
     ['recipientKeyId', 'recipient_key_id'],
@@ -15433,7 +15369,7 @@ class EnvelopeSecurityHandler {
         const shouldSign = this.securityPolicy
             ? await this.securityPolicy.shouldSignEnvelope(envelope, context, this.node)
             : false;
-        logger$$.debug('checking_signing', {
+        logger$10.debug('checking_signing', {
             has_signer: Boolean(this.envelopeSigner),
             should_sign: shouldSign,
             envp_id: envelope.id,
@@ -15455,7 +15391,7 @@ class EnvelopeSecurityHandler {
         const shouldEncrypt = this.securityPolicy
             ? await this.securityPolicy.shouldEncryptEnvelope(envelope, context, this.node)
             : false;
-        logger$$.debug('checking_encryption', {
+        logger$10.debug('checking_encryption', {
             has_encryption_manager: Boolean(this.encryptionManager),
             should_encrypt: shouldEncrypt,
             envp_id: envelope.id,
@@ -15463,7 +15399,7 @@ class EnvelopeSecurityHandler {
         });
         if (this.encryptionManager && this.securityPolicy) {
             if (envelope.sec?.enc) {
-                logger$$.debug('skipping_encryption_already_encrypted', {
+                logger$10.debug('skipping_encryption_already_encrypted', {
                     envp_id: envelope.id,
                     destination: envelope.to ? String(envelope.to) : undefined,
                 });
@@ -15476,7 +15412,7 @@ class EnvelopeSecurityHandler {
                     exports.CryptoLevel.PLAINTEXT;
                 desiredCryptoLevel =
                     await this.securityPolicy.decideResponseCryptoLevel(requestCryptoLevel, envelope, context);
-                logger$$.debug('response_crypto_level_decided', {
+                logger$10.debug('response_crypto_level_decided', {
                     envp_id: envelope.id,
                     crypto_level: desiredCryptoLevel,
                     destination: envelope.to ? String(envelope.to) : undefined,
@@ -15487,7 +15423,7 @@ class EnvelopeSecurityHandler {
             else {
                 desiredCryptoLevel =
                     await this.securityPolicy.decideOutboundCryptoLevel(envelope, context, this.node);
-                logger$$.debug('outbound_crypto_level_decided', {
+                logger$10.debug('outbound_crypto_level_decided', {
                     envp_id: envelope.id,
                     frame_type: envelope.frame.type,
                     crypto_level: desiredCryptoLevel,
@@ -15495,11 +15431,11 @@ class EnvelopeSecurityHandler {
                 });
             }
             if (desiredCryptoLevel === exports.CryptoLevel.SEALED) {
-                logger$$.debug('applying_sealed_encryption', { envp_id: envelope.id });
+                logger$10.debug('applying_sealed_encryption', { envp_id: envelope.id });
                 return await this.handleSealedEncryption(envelope, context);
             }
             if (desiredCryptoLevel === exports.CryptoLevel.CHANNEL) {
-                logger$$.debug('applying_channel_encryption', { envp_id: envelope.id });
+                logger$10.debug('applying_channel_encryption', { envp_id: envelope.id });
                 return await this.handleChannelEncryption(envelope, context);
             }
         }
@@ -15550,7 +15486,7 @@ class EnvelopeSecurityHandler {
                 frameType === 'KeyAnnounce' ||
                 frameType === 'SecureOpen' ||
                 frameType === 'SecureAccept') {
-                logger$$.error('critical_frame_unsigned_rejected', {
+                logger$10.error('critical_frame_unsigned_rejected', {
                     envp_id: envelope.id,
                     frame_type: frameType,
                     reason: 'critical_frames_must_be_signed',
@@ -15558,7 +15494,7 @@ class EnvelopeSecurityHandler {
                 return [envelope, false];
             }
             const action = this.securityPolicy.getUnsignedViolationAction(envelope, context);
-            logger$$.warning('unsigned_envelope_violation', {
+            logger$10.warning('unsigned_envelope_violation', {
                 envp_id: envelope.id,
                 frame_type: frameType,
                 action,
@@ -15570,26 +15506,26 @@ class EnvelopeSecurityHandler {
         return [envelope, true];
     }
     async handleChannelHandshakeComplete(channelId, destination) {
-        logger$$.debug('channel_handshake_completed', {
+        logger$10.debug('channel_handshake_completed', {
             channel_id: channelId,
             destination,
         });
         if (this.encryptionManager?.notifyChannelEstablished) {
             await this.encryptionManager.notifyChannelEstablished(channelId);
-            logger$$.debug('notified_encryption_manager_channel_ready', {
+            logger$10.debug('notified_encryption_manager_channel_ready', {
                 channel_id: channelId,
             });
         }
     }
     async handleChannelHandshakeFailed(channelId, destination, reason = 'handshake_failed') {
-        logger$$.debug('channel_handshake_failed', {
+        logger$10.debug('channel_handshake_failed', {
             channel_id: channelId,
             destination,
             reason,
         });
         if (this.encryptionManager?.notifyChannelFailed) {
             await this.encryptionManager.notifyChannelFailed(channelId, reason);
-            logger$$.debug('notified_encryption_manager_channel_failed', {
+            logger$10.debug('notified_encryption_manager_channel_failed', {
                 channel_id: channelId,
                 reason,
             });
@@ -15636,7 +15572,7 @@ class EnvelopeSecurityHandler {
                 checkPayload: false,
             });
             if (verified) {
-                logger$$.debug('envelope_verified', {
+                logger$10.debug('envelope_verified', {
                     envp_id: envelope.id,
                     sid: envelope.sid,
                     kid,
@@ -15647,7 +15583,7 @@ class EnvelopeSecurityHandler {
         }
         this.keyManagementHandler.queuePendingSignedEnvelope(kid, envelope, context);
         await this.keyManagementHandler.maybeRequestSigningKey(kid, context.originType, fromSystemId);
-        logger$$.debug('queued_envelope_missing_signing_key', {
+        logger$10.debug('queued_envelope_missing_signing_key', {
             kid,
             envp_id: envelope.id,
         });
@@ -15655,7 +15591,7 @@ class EnvelopeSecurityHandler {
     }
     async handleSealedEncryption(envelope, context) {
         if (!envelope.to) {
-            logger$$.warning('sealed_encryption_requested_but_no_destination', {
+            logger$10.warning('sealed_encryption_requested_but_no_destination', {
                 envp_id: envelope.id,
             });
             return true;
@@ -15667,20 +15603,20 @@ class EnvelopeSecurityHandler {
                 : undefined;
             if (options) {
                 if (options.encryptionType === 'channel') {
-                    logger$$.warning('policy_returned_channel_for_sealed_request', {
+                    logger$10.warning('policy_returned_channel_for_sealed_request', {
                         envp_id: envelope.id,
                     });
                     return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, normalizeEncryptionOptions({
                         requestAddress: envelope.to,
                     }));
                 }
-                logger$$.debug('using_sealed_encryption_options', {
+                logger$10.debug('using_sealed_encryption_options', {
                     envp_id: envelope.id,
                     options,
                 });
                 return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, options);
             }
-            logger$$.debug('no_encryption_options_requesting_key', {
+            logger$10.debug('no_encryption_options_requesting_key', {
                 envp_id: envelope.id,
             });
             return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, normalizeEncryptionOptions({
@@ -15688,7 +15624,7 @@ class EnvelopeSecurityHandler {
             }));
         }
         catch (error) {
-            logger$$.debug('sealed_key_lookup_failed_requesting', {
+            logger$10.debug('sealed_key_lookup_failed_requesting', {
                 envp_id: envelope.id,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -15699,7 +15635,7 @@ class EnvelopeSecurityHandler {
     }
     async handleChannelEncryption(envelope, context) {
         if (!envelope.to) {
-            logger$$.warning('channel_encryption_requested_but_no_destination', {
+            logger$10.warning('channel_encryption_requested_but_no_destination', {
                 envp_id: envelope.id,
             });
             return true;
@@ -15714,13 +15650,13 @@ class EnvelopeSecurityHandler {
             return true;
         }
         if (context.originType !== core.DeliveryOriginType.LOCAL) {
-            logger$$.warning('envelope_encryption_rejected_non_local', {
+            logger$10.warning('envelope_encryption_rejected_non_local', {
                 origin: context.originType,
             });
             return true;
         }
         if (!isDataFrame$4(envelope.frame)) {
-            logger$$.trace('skipping_encryption_non_dataframe', {
+            logger$10.trace('skipping_encryption_non_dataframe', {
                 envp_id: envelope.id,
                 frame_type: envelope.frame.type,
             });
@@ -15731,7 +15667,7 @@ class EnvelopeSecurityHandler {
             ? normalizeEncryptionOptions(rawOptions)
             : undefined;
         if (!options) {
-            logger$$.warning('no_encryption_options_provided', {
+            logger$10.warning('no_encryption_options_provided', {
                 envp_id: envelope.id,
             });
             return true;
@@ -15743,13 +15679,13 @@ class EnvelopeSecurityHandler {
             return true;
         }
         if (context.originType !== core.DeliveryOriginType.LOCAL) {
-            logger$$.warning('envelope_encryption_rejected_non_local', {
+            logger$10.warning('envelope_encryption_rejected_non_local', {
                 origin: context.originType,
             });
             return true;
         }
         if (!isDataFrame$4(envelope.frame)) {
-            logger$$.trace('skipping_encryption_non_dataframe', {
+            logger$10.trace('skipping_encryption_non_dataframe', {
                 envp_id: envelope.id,
                 frame_type: envelope.frame.type,
             });
@@ -15766,7 +15702,7 @@ class EnvelopeSecurityHandler {
         // Skip encryption if envelope is already encrypted
         // This prevents re-queuing when replayed envelopes go through security again
         if (envelope.sec?.enc) {
-            logger$$.debug('skipping_encryption_already_encrypted', {
+            logger$10.debug('skipping_encryption_already_encrypted', {
                 envp_id: envelope.id,
                 destination: envelope.to ? String(envelope.to) : undefined,
             });
@@ -15775,14 +15711,14 @@ class EnvelopeSecurityHandler {
         try {
             const result = await this.encryptionManager.encryptEnvelope(envelope, normalizedOptions);
             if (result.status === exports.EncryptionStatus.QUEUED) {
-                logger$$.debug('envelope_queued_for_encryption', {
+                logger$10.debug('envelope_queued_for_encryption', {
                     envp_id: envelope.id,
                 });
                 await this.handleEncryptionQueueing(envelope, context, normalizedOptions);
                 return false;
             }
             if (result.status === exports.EncryptionStatus.OK) {
-                logger$$.debug('envelope_encrypted', { envp_id: envelope.id });
+                logger$10.debug('envelope_encrypted', { envp_id: envelope.id });
                 if (result.envelope) {
                     envelope.frame = result.envelope.frame;
                     envelope.sec = result.envelope.sec;
@@ -15790,17 +15726,17 @@ class EnvelopeSecurityHandler {
                 return true;
             }
             if (result.status === exports.EncryptionStatus.SKIPPED) {
-                logger$$.debug('envelope_encryption_skipped', { envp_id: envelope.id });
+                logger$10.debug('envelope_encryption_skipped', { envp_id: envelope.id });
                 return true;
             }
-            logger$$.warning('unknown_encryption_status', {
+            logger$10.warning('unknown_encryption_status', {
                 envp_id: envelope.id,
                 status: result.status,
             });
             return true;
         }
         catch (error) {
-            logger$$.error('encryption_failed', {
+            logger$10.error('encryption_failed', {
                 envp_id: envelope.id,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -15839,7 +15775,7 @@ class EnvelopeSecurityHandler {
             return;
         }
         if (normalizedOptions.encryptionType === 'channel') {
-            logger$$.debug('channel_encryption_queueing_handled_internally', {
+            logger$10.debug('channel_encryption_queueing_handled_internally', {
                 envp_id: envelope.id,
                 destination: normalizedOptions.destination
                     ? String(normalizedOptions.destination)
@@ -15847,13 +15783,13 @@ class EnvelopeSecurityHandler {
             });
             return;
         }
-        logger$$.warning('unknown_encryption_queueing_options', {
+        logger$10.warning('unknown_encryption_queueing_options', {
             envp_id: envelope.id,
             options: normalizedOptions,
         });
     }
     async handleFailedChannelEnvelopeCleanup(destination, reason) {
-        logger$$.debug('channel_handshake_failure_cleanup_attempted', {
+        logger$10.debug('channel_handshake_failure_cleanup_attempted', {
             destination,
             reason,
             note: 'envelope_cleanup_handled_by_encryption_manager',
@@ -15864,7 +15800,7 @@ class EnvelopeSecurityHandler {
     }
 }
 
-const logger$_ = getLogger('naylence.fame.node.secure_channel_frame_handler');
+const logger$$ = getLogger('naylence.fame.node.secure_channel_frame_handler');
 function isPlainRecord$1(value) {
     if (typeof value !== 'object' || value === null) {
         return false;
@@ -15954,7 +15890,7 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureOpen');
-        logger$_.debug('received_secure_open', {
+        logger$$.debug('received_secure_open', {
             cid: frame.cid,
             algorithm: frame.alg,
         });
@@ -15977,13 +15913,13 @@ class SecureChannelFrameHandler {
                 stickySid: envelope.sid ?? undefined,
                 expectedResponseType: core.FameResponseType.NONE,
             };
-            logger$_.debug('stickiness_requested_for_channel_encryption', {
+            logger$$.debug('stickiness_requested_for_channel_encryption', {
                 cid: frame.cid,
                 reason: 'secure_channel_established',
             });
         }
         await this.sendCallback(responseEnvelope, responseContext);
-        logger$_.debug('sent_secure_accept', { cid: frame.cid, ok: acceptFrame.ok });
+        logger$$.debug('sent_secure_accept', { cid: frame.cid, ok: acceptFrame.ok });
         if (acceptFrame.ok && this.envelopeSecurityHandler) {
             const destination = extractDestinationFromChannelId(frame.cid);
             if (destination) {
@@ -15995,13 +15931,13 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureAccept');
-        logger$_.debug('received_secure_accept', { cid: frame.cid, ok: frame.ok });
+        logger$$.debug('received_secure_accept', { cid: frame.cid, ok: frame.ok });
         const success = await this.secureChannelManager.handleAcceptFrame(frame);
         if (!success) {
-            logger$_.warning('failed_to_complete_channel', { cid: frame.cid });
+            logger$$.warning('failed_to_complete_channel', { cid: frame.cid });
         }
         else {
-            logger$_.debug('channel_established', { cid: frame.cid });
+            logger$$.debug('channel_established', { cid: frame.cid });
             if (this.envelopeSecurityHandler) {
                 const destination = extractDestinationFromChannelId(frame.cid);
                 if (destination) {
@@ -16013,7 +15949,7 @@ class SecureChannelFrameHandler {
             const destination = extractDestinationFromChannelId(frame.cid);
             if (destination) {
                 await this.envelopeSecurityHandler.handleChannelHandshakeFailed(frame.cid, destination, 'negative_secure_accept');
-                logger$_.debug('notified_handshake_failure', {
+                logger$$.debug('notified_handshake_failure', {
                     cid: frame.cid,
                     destination,
                 });
@@ -16024,7 +15960,7 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureClose');
-        logger$_.debug('received_secure_close', {
+        logger$$.debug('received_secure_close', {
             cid: frame.cid,
             reason: frame.reason,
         });
@@ -16082,7 +16018,7 @@ function createNodeDeliveryContext(options = {}) {
 class FameEnvironmentContext {
 }
 
-const FACTORY_META$1a = {
+const FACTORY_META$1b = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'DefaultNodeIdentityPolicy',
 };
@@ -16100,11 +16036,48 @@ class DefaultNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
 var defaultNodeIdentityPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     DefaultNodeIdentityPolicyFactory: DefaultNodeIdentityPolicyFactory,
-    FACTORY_META: FACTORY_META$1a,
+    FACTORY_META: FACTORY_META$1b,
     default: DefaultNodeIdentityPolicyFactory
 });
 
-const logger$Z = getLogger('naylence.fame.node.token_subject_node_identity_policy');
+const TOKEN_PROVIDER_FACTORY_BASE_TYPE = 'TokenProviderFactory';
+class TokenProviderFactory extends factory.AbstractResourceFactory {
+    static async createTokenProvider(config, options = {}) {
+        if (config) {
+            const provider = await factory.createResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, config, options);
+            if (!provider) {
+                throw new Error('Failed to create token provider from configuration');
+            }
+            return provider;
+        }
+        let provider = null;
+        try {
+            provider = await factory.createDefaultResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, null, options);
+        }
+        catch (error) {
+            const message = 'Failed to create default token provider' +
+                (error instanceof Error && error.message ? `: ${error.message}` : '');
+            throw new Error(message);
+        }
+        if (!provider) {
+            throw new Error('Failed to create default token provider');
+        }
+        return provider;
+    }
+}
+
+function isTokenProvider(candidate) {
+    return (typeof candidate === 'object' &&
+        candidate !== null &&
+        typeof candidate.getToken === 'function');
+}
+function isIdentityExposingTokenProvider(candidate) {
+    return (isTokenProvider(candidate) &&
+        typeof candidate.getIdentity ===
+            'function');
+}
+
+const logger$_ = getLogger('naylence.fame.node.token_subject_node_identity_policy');
 class TokenSubjectNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -16116,7 +16089,7 @@ class TokenSubjectNodeIdentityPolicy {
         return core.generateIdAsync();
     }
     async resolveAdmissionNodeId(context) {
-        logger$Z.debug('resolve_admission_node_id_start', {
+        logger$_.debug('resolve_admission_node_id_start', {
             grantsCount: context.grants?.length ?? 0,
             currentNodeId: context.currentNodeId,
         });
@@ -16125,31 +16098,31 @@ class TokenSubjectNodeIdentityPolicy {
                 try {
                     const auth = grant.auth;
                     if (!auth) {
-                        logger$Z.debug('skipping_grant_no_auth', { grantType: grant.type });
+                        logger$_.debug('skipping_grant_no_auth', { grantType: grant.type });
                         continue;
                     }
                     const tokenProviderConfig = (auth.tokenProvider ??
                         auth.token_provider);
                     if (!tokenProviderConfig ||
                         typeof tokenProviderConfig.type !== 'string') {
-                        logger$Z.debug('skipping_grant_invalid_token_provider_config', {
+                        logger$_.debug('skipping_grant_invalid_token_provider_config', {
                             grantType: grant.type,
                             config: tokenProviderConfig,
                         });
                         continue;
                     }
-                    logger$Z.debug('creating_token_provider', {
+                    logger$_.debug('creating_token_provider', {
                         type: tokenProviderConfig.type,
                     });
                     const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
                     const isExposing = isIdentityExposingTokenProvider(provider);
-                    logger$Z.debug('token_provider_created', {
+                    logger$_.debug('token_provider_created', {
                         type: tokenProviderConfig.type,
                         isIdentityExposing: isExposing,
                     });
                     if (isExposing) {
                         const identity = await provider.getIdentity();
-                        logger$Z.debug('retrieved_identity', { identity });
+                        logger$_.debug('retrieved_identity', { identity });
                         if (identity && identity.subject) {
                             const hashedSubject = await core.generateIdAsync({
                                 mode: 'fingerprint',
@@ -16157,7 +16130,7 @@ class TokenSubjectNodeIdentityPolicy {
                                 length: 8,
                             });
                             const newNodeId = `${hashedSubject}-${context.currentNodeId}`;
-                            logger$Z.info('resolved_identity_from_token', {
+                            logger$_.info('resolved_identity_from_token', {
                                 subject: identity.subject,
                                 hashedSubject,
                                 newNodeId,
@@ -16165,17 +16138,17 @@ class TokenSubjectNodeIdentityPolicy {
                             return newNodeId;
                         }
                         else {
-                            logger$Z.debug('identity_missing_subject', { identity });
+                            logger$_.debug('identity_missing_subject', { identity });
                         }
                     }
                 }
                 catch (err) {
-                    logger$Z.warning('failed_to_extract_identity_from_grant', { error: err });
+                    logger$_.warning('failed_to_extract_identity_from_grant', { error: err });
                 }
             }
         }
         else {
-            logger$Z.debug('no_grants_available');
+            logger$_.debug('no_grants_available');
         }
         return context.currentNodeId;
     }
@@ -16186,7 +16159,7 @@ var tokenSubjectNodeIdentityPolicy = /*#__PURE__*/Object.freeze({
     TokenSubjectNodeIdentityPolicy: TokenSubjectNodeIdentityPolicy
 });
 
-const FACTORY_META$19 = {
+const FACTORY_META$1a = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'TokenSubjectNodeIdentityPolicy',
 };
@@ -16205,27 +16178,27 @@ class TokenSubjectNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
 
 var tokenSubjectNodeIdentityPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$19,
+    FACTORY_META: FACTORY_META$1a,
     TokenSubjectNodeIdentityPolicyFactory: TokenSubjectNodeIdentityPolicyFactory,
     default: TokenSubjectNodeIdentityPolicyFactory
 });
 
-const logger$Y = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
-const PROFILE_NAME_DEFAULT = 'default';
+const logger$Z = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
+const PROFILE_NAME_DEFAULT$1 = 'default';
 const PROFILE_NAME_TOKEN_SUBJECT = 'token-subject';
 const PROFILE_NAME_TOKEN_SUBJECT_ALIAS = 'token_subject';
-const DEFAULT_PROFILE = {
+const DEFAULT_PROFILE$1 = {
     type: 'DefaultNodeIdentityPolicy',
 };
 const TOKEN_SUBJECT_PROFILE = {
     type: 'TokenSubjectNodeIdentityPolicy',
 };
-const PROFILE_MAP$5 = {
-    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+const PROFILE_MAP$6 = {
+    [PROFILE_NAME_DEFAULT$1]: DEFAULT_PROFILE$1,
     [PROFILE_NAME_TOKEN_SUBJECT]: TOKEN_SUBJECT_PROFILE,
     [PROFILE_NAME_TOKEN_SUBJECT_ALIAS]: TOKEN_SUBJECT_PROFILE,
 };
-const FACTORY_META$18 = {
+const FACTORY_META$19 = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'NodeIdentityPolicyProfile',
 };
@@ -16235,17 +16208,17 @@ class NodeIdentityPolicyProfileFactory extends NodeIdentityPolicyFactory {
         this.type = 'NodeIdentityPolicyProfile';
     }
     async create(config) {
-        const normalized = normalizeConfig$w(config);
-        const profileConfig = resolveProfileConfig$4(normalized.profile);
-        logger$Y.debug('enabling_node_identity_policy_profile', {
+        const normalized = normalizeConfig$x(config);
+        const profileConfig = resolveProfileConfig$5(normalized.profile);
+        logger$Z.debug('enabling_node_identity_policy_profile', {
             profile: normalized.profile,
         });
         return NodeIdentityPolicyFactory.createNodeIdentityPolicy(profileConfig);
     }
 }
-function normalizeConfig$w(config) {
+function normalizeConfig$x(config) {
     if (!config) {
-        return { profile: PROFILE_NAME_DEFAULT };
+        return { profile: PROFILE_NAME_DEFAULT$1 };
     }
     const candidate = config;
     const profileValue = typeof candidate.profile === 'string' && candidate.profile.trim().length > 0
@@ -16256,24 +16229,24 @@ function normalizeConfig$w(config) {
             : typeof candidate.profileName === 'string' &&
                 candidate.profileName.trim().length > 0
                 ? candidate.profileName
-                : PROFILE_NAME_DEFAULT;
+                : PROFILE_NAME_DEFAULT$1;
     const normalizedProfile = profileValue.trim().toLowerCase();
     return { profile: normalizedProfile };
 }
-function resolveProfileConfig$4(profileName) {
-    const profile = PROFILE_MAP$5[profileName];
+function resolveProfileConfig$5(profileName) {
+    const profile = PROFILE_MAP$6[profileName];
     if (!profile) {
         throw new Error(`Unknown node identity policy profile: ${profileName}`);
     }
-    return deepClone$4(profile);
+    return deepClone$5(profile);
 }
-function deepClone$4(value) {
+function deepClone$5(value) {
     return JSON.parse(JSON.stringify(value));
 }
 
 var nodeIdentityPolicyProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$18,
+    FACTORY_META: FACTORY_META$19,
     NodeIdentityPolicyProfileFactory: NodeIdentityPolicyProfileFactory,
     default: NodeIdentityPolicyProfileFactory
 });
@@ -16326,8 +16299,8 @@ class DefaultConnectionRetryPolicy {
     }
 }
 
-const logger$X = getLogger('naylence.fame.node.default-connection-retry-policy-factory');
-const FACTORY_META$17 = {
+const logger$Y = getLogger('naylence.fame.node.default-connection-retry-policy-factory');
+const FACTORY_META$18 = {
     base: CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE,
     key: 'DefaultConnectionRetryPolicy',
 };
@@ -16348,7 +16321,7 @@ class DefaultConnectionRetryPolicyFactory extends ConnectionRetryPolicyFactory {
             }
         }
         const policy = new DefaultConnectionRetryPolicy(options);
-        logger$X.debug('connection_retry_policy_created', {
+        logger$Y.debug('connection_retry_policy_created', {
             maxInitialAttempts: policy.maxInitialAttempts,
         });
         return policy;
@@ -16358,7 +16331,7 @@ class DefaultConnectionRetryPolicyFactory extends ConnectionRetryPolicyFactory {
 var defaultConnectionRetryPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     DefaultConnectionRetryPolicyFactory: DefaultConnectionRetryPolicyFactory,
-    FACTORY_META: FACTORY_META$17,
+    FACTORY_META: FACTORY_META$18,
     default: DefaultConnectionRetryPolicyFactory
 });
 
@@ -16373,7 +16346,7 @@ class LoadBalancerStickinessManagerFactory extends factory.AbstractResourceFacto
     }
 }
 
-const logger$W = getLogger('naylence.fame.sentinel.load_balancing.composite_load_balancing_strategy');
+const logger$X = getLogger('naylence.fame.sentinel.load_balancing.composite_load_balancing_strategy');
 class CompositeLoadBalancingStrategy {
     constructor(strategies) {
         if (!strategies.length) {
@@ -16390,7 +16363,7 @@ class CompositeLoadBalancingStrategy {
             try {
                 const result = strategy.choose(poolKey, segments, envelope);
                 if (result !== null) {
-                    logger$W.debug('composite_strategy_success', {
+                    logger$X.debug('composite_strategy_success', {
                         envelopeId: envelope.id,
                         poolKey,
                         strategyIndex: index,
@@ -16401,7 +16374,7 @@ class CompositeLoadBalancingStrategy {
                 }
             }
             catch (error) {
-                logger$W.warning('composite_strategy_error', {
+                logger$X.warning('composite_strategy_error', {
                     envelopeId: envelope.id,
                     poolKey,
                     strategyIndex: index,
@@ -16410,7 +16383,7 @@ class CompositeLoadBalancingStrategy {
                 });
             }
         }
-        logger$W.debug('composite_strategy_all_failed', {
+        logger$X.debug('composite_strategy_all_failed', {
             envelopeId: envelope.id,
             poolKey,
             strategyCount: this.strategies.length,
@@ -16419,7 +16392,7 @@ class CompositeLoadBalancingStrategy {
     }
 }
 
-const logger$V = getLogger('naylence.fame.sentinel.load_balancing.sticky_load_balancing_strategy');
+const logger$W = getLogger('naylence.fame.sentinel.load_balancing.sticky_load_balancing_strategy');
 class StickyLoadBalancingStrategy {
     constructor(stickinessManager) {
         this.lastChosenReplica = null;
@@ -16434,7 +16407,7 @@ class StickyLoadBalancingStrategy {
         }
         const stickyReplica = this.stickinessManager.getStickyReplicaSegment(envelope, segments);
         if (stickyReplica && segments.includes(stickyReplica)) {
-            logger$V.debug('routing_via_stickiness', {
+            logger$W.debug('routing_via_stickiness', {
                 envelopeId: envelope.id,
                 poolKey,
                 replicaId: stickyReplica,
@@ -16444,7 +16417,7 @@ class StickyLoadBalancingStrategy {
             this.lastChosenReplica = stickyReplica;
             return stickyReplica;
         }
-        logger$V.debug('no_stickiness_match_fallback', {
+        logger$W.debug('no_stickiness_match_fallback', {
             envelopeId: envelope.id,
             poolKey,
             aftPresent: Boolean(envelope.aft),
@@ -16532,7 +16505,7 @@ class RouteStoreFactory extends factory.AbstractResourceFactory {
         return store ?? null;
     }
 }
-const FACTORY_META$16 = {
+const FACTORY_META$17 = {
     base: ROUTE_STORE_FACTORY_BASE_TYPE,
     key: 'InMemoryRouteStore',
 };
@@ -16550,7 +16523,7 @@ class InMemoryRouteStoreFactory extends RouteStoreFactory {
 
 var routeStoreFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$16,
+    FACTORY_META: FACTORY_META$17,
     InMemoryRouteStoreFactory: InMemoryRouteStoreFactory,
     ROUTE_STORE_FACTORY_BASE_TYPE: ROUTE_STORE_FACTORY_BASE_TYPE,
     RouteStoreFactory: RouteStoreFactory,
@@ -16782,7 +16755,7 @@ function resolveRecordArray(primary, secondary) {
     return pickRecordArray(candidate) ?? undefined;
 }
 
-const logger$U = getLogger('naylence.fame.sentinel.route_manager');
+const logger$V = getLogger('naylence.fame.sentinel.route_manager');
 const DEFAULT_CONNECTOR_CLEANUP_DELAY_MS$1 = 200;
 function normalizeRouteManagerOptions(options) {
     const { route_store, get_id, cleanup_delay_ms, retain_address_bindings_on_disconnect, ...rest } = options;
@@ -16866,7 +16839,7 @@ class RouteManager extends TaskSpawner {
                 await this.safeStop(entry.connector);
             }
             catch (error) {
-                logger$U.debug('pending_route_stop_failed', {
+                logger$V.debug('pending_route_stop_failed', {
                     error: error instanceof Error ? error.message : String(error),
                 });
             }
@@ -16889,7 +16862,7 @@ class RouteManager extends TaskSpawner {
             this.cancelPendingCleanup(segment);
             this.downstreamRoutes.set(segment, route);
         });
-        logger$U.debug('registered_downstream_route', { route: segment });
+        logger$V.debug('registered_downstream_route', { route: segment });
     }
     async unregisterDownstreamRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -16905,7 +16878,7 @@ class RouteManager extends TaskSpawner {
             this.cancelPendingCleanup(segment);
             this._peer_routes.set(segment, route);
         });
-        logger$U.debug('registered_peer_route', { route: segment });
+        logger$V.debug('registered_peer_route', { route: segment });
     }
     async unregisterPeerRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -16923,11 +16896,11 @@ class RouteManager extends TaskSpawner {
         await Promise.all(entryTuples.map(async ([segment, entry]) => {
             const normalized = this.normalizeEntry(entry);
             if (!normalized.connectorConfig) {
-                logger$U.warning('route_restore_missing_config', { segment });
+                logger$V.warning('route_restore_missing_config', { segment });
                 return;
             }
             if (normalized.attachExpiresAt && normalized.attachExpiresAt < now) {
-                logger$U.debug('skipping_expired_route', { segment });
+                logger$V.debug('skipping_expired_route', { segment });
                 return;
             }
             const authorization = this.parseAuthorization(normalized.metadata);
@@ -16960,7 +16933,7 @@ class RouteManager extends TaskSpawner {
                 }
                 catch (error) {
                     if (this.isTransientError(error)) {
-                        logger$U.warning('transient_restore_failure', {
+                        logger$V.warning('transient_restore_failure', {
                             segment,
                             attempt,
                             error: error instanceof Error ? error.message : String(error),
@@ -16969,7 +16942,7 @@ class RouteManager extends TaskSpawner {
                         backoff *= 2;
                         continue;
                     }
-                    logger$U.error('failed_to_restore_route', {
+                    logger$V.error('failed_to_restore_route', {
                         segment,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -16998,13 +16971,13 @@ class RouteManager extends TaskSpawner {
         await this._downstream_route_store
             .delete(segment)
             .catch((error) => {
-            logger$U.warning('route_expiration_delete_failed', {
+            logger$V.warning('route_expiration_delete_failed', {
                 segment,
                 error: error instanceof Error ? error.message : String(error),
             });
         });
         this.purgeRouteReferences(segment);
-        logger$U.debug('expired_route', { route: segment });
+        logger$V.debug('expired_route', { route: segment });
     }
     async removeDownstreamRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -17062,7 +17035,7 @@ class RouteManager extends TaskSpawner {
             this.purgeRouteReferences(segment);
         }
         await store.delete(segment).catch((error) => {
-            logger$U.warning('route_delete_failed', {
+            logger$V.warning('route_delete_failed', {
                 segment,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -17081,7 +17054,7 @@ class RouteManager extends TaskSpawner {
             caller_stack: captureStack ? captureCallerStack() : undefined,
             retained_addresses: retainAddresses,
         };
-        logger$U.debug('removed_route', removalMeta);
+        logger$V.debug('removed_route', removalMeta);
     }
     purgeRouteReferences(segment) {
         for (const [address, info] of this._downstream_addresses_routes.entries()) {
@@ -17136,10 +17109,10 @@ class RouteManager extends TaskSpawner {
             }
             catch (error) {
                 if (combined.signal.aborted) {
-                    logger$U.debug('connector_cleanup_cancelled', { segment });
+                    logger$V.debug('connector_cleanup_cancelled', { segment });
                 }
                 else {
-                    logger$U.debug('connector_cleanup_delay_failed', {
+                    logger$V.debug('connector_cleanup_delay_failed', {
                         segment,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -17162,7 +17135,7 @@ class RouteManager extends TaskSpawner {
         }
         catch (error) {
             if (error instanceof Error) {
-                logger$U.debug('connector_stop_ignored', { error: error.message });
+                logger$V.debug('connector_stop_ignored', { error: error.message });
             }
         }
         for (const [flowId, peer] of this.flowRoutes.entries()) {
@@ -17187,12 +17160,12 @@ class RouteManager extends TaskSpawner {
             }
         }
         catch (error) {
-            logger$U.error('janitor_loop_error', {
+            logger$V.error('janitor_loop_error', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
         finally {
-            logger$U.debug('janitor_loop_exited');
+            logger$V.debug('janitor_loop_exited');
         }
     }
     async scanStoreForExpirations(store, now, kind) {
@@ -17212,13 +17185,13 @@ class RouteManager extends TaskSpawner {
                 }
             });
             await store.delete(segment).catch((error) => {
-                logger$U.warning('route_auto_expire_delete_failed', {
+                logger$V.warning('route_auto_expire_delete_failed', {
                     segment,
                     error: error instanceof Error ? error.message : String(error),
                 });
             });
             this.purgeRouteReferences(segment);
-            logger$U.debug('auto_expired_route', { segment });
+            logger$V.debug('auto_expired_route', { segment });
         }));
     }
     parseAuthorization(metadata) {
@@ -17241,7 +17214,7 @@ class RouteManager extends TaskSpawner {
             return { ...base, ...extraFields };
         }
         catch (error) {
-            logger$U.error('corrupt_route_metadata', {
+            logger$V.error('corrupt_route_metadata', {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
@@ -17317,12 +17290,12 @@ function captureCallerStack(skip = 3, depth = 6) {
     return frames.map((frame) => frame.trim()).join(' | ');
 }
 
-const logger$T = getLogger('naylence.fame.sentinel.router');
+const logger$U = getLogger('naylence.fame.sentinel.router');
 const ZERO_EPH_PUB_BASE64 = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';
 class Drop {
     async execute(envelope, router, state, context) {
         await emitDeliveryNack(envelope, router, state, 'NO_ROUTE', context ?? undefined);
-        logger$T.debug('dropped_envelope', Object.assign(summarizeEnvelope(envelope, ''), {
+        logger$U.debug('dropped_envelope', Object.assign(summarizeEnvelope(envelope, ''), {
             localAddresses: Array.from(state.local.values()),
             downstreamRoutes: Array.from(state.downstreamAddressRoutes.entries()),
             peerRoutes: Array.from(state.peerAddressRoutes.entries()),
@@ -17352,7 +17325,7 @@ class ForwardChild {
         }
         catch (error) {
             if (error instanceof FameTransportClose) {
-                logger$T.error('transport_closed_forward_child', {
+                logger$U.error('transport_closed_forward_child', {
                     segment: this.segment,
                     error: error.message,
                 });
@@ -17384,7 +17357,7 @@ class ForwardPeer {
         }
         catch (error) {
             if (error instanceof FameTransportClose) {
-                logger$T.error('transport_closed_forward_peer', {
+                logger$U.error('transport_closed_forward_peer', {
                     segment: this.segment,
                     error: error.message,
                 });
@@ -17419,7 +17392,7 @@ class Deny {
     async execute(envelope, router, state, context) {
         const { internalReason, deniedAction, matchedRule, context: extraContext, disclosure = 'opaque', } = this.options;
         // Log detailed denial internally
-        logger$T.warning('route_authorization_denied', {
+        logger$U.warning('route_authorization_denied', {
             envp_id: envelope.id,
             frame_type: envelope.frame?.type ?? null,
             to: envelope.to?.toString() ?? null,
@@ -17465,7 +17438,7 @@ function mapRoutingActionToAuthorizationAction(action) {
         return null;
     }
     // Unknown RoutingAction: return null, caller should deny by default
-    logger$T.warning('unknown_routing_action_for_authorization', {
+    logger$U.warning('unknown_routing_action_for_authorization', {
         action_type: action?.constructor?.name ?? 'unknown',
     });
     return null;
@@ -17498,7 +17471,7 @@ async function emitDeliveryNack(envelope, routingNode, state, code, context) {
         return;
     }
     if (!state.envelopeFactory) {
-        logger$T.warning('router_missing_envelope_factory', summarizeEnvelope(envelope));
+        logger$U.warning('router_missing_envelope_factory', summarizeEnvelope(envelope));
         return;
     }
     const nackFrame = createNackFrame(envelope, code);
@@ -17529,7 +17502,7 @@ async function emitDeliveryNack(envelope, routingNode, state, code, context) {
         }
     }
     catch (error) {
-        logger$T.warning('nack_forward_failed', {
+        logger$U.warning('nack_forward_failed', {
             error: error instanceof Error ? error.message : String(error),
             ...summarizeEnvelope(envelope),
         });
@@ -17735,7 +17708,7 @@ class HRWLoadBalancingStrategy {
     }
 }
 
-const logger$S = getLogger('naylence.fame.sentinel.capability_aware_routing_policy');
+const logger$T = getLogger('naylence.fame.sentinel.capability_aware_routing_policy');
 function normalizeOptions$i(options) {
     if (!options || typeof options !== 'object') {
         return {};
@@ -17787,7 +17760,7 @@ class CapabilityAwareRoutingPolicy {
             if (chosenSegment) {
                 return new ForwardChild(chosenSegment);
             }
-            logger$S.warning('capability_policy_lb_failed', {
+            logger$T.warning('capability_policy_lb_failed', {
                 segments: providerSegments,
                 capabilities,
                 ...summarizeEnvelope(envelope),
@@ -17816,7 +17789,7 @@ class CapabilityAwareRoutingPolicy {
             }
         }
         catch (error) {
-            logger$S.warning('capability_policy_resolve_failed', {
+            logger$T.warning('capability_policy_resolve_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -18053,7 +18026,7 @@ function toFameAddress(address) {
     return address instanceof core.FameAddress ? address : new core.FameAddress(address);
 }
 
-const logger$R = getLogger('naylence.fame.sentinel.node_attach_frame_handler');
+const logger$S = getLogger('naylence.fame.sentinel.node_attach_frame_handler');
 const DOWNSTREAM_ORIGINS = new Set([
     core.DeliveryOriginType.DOWNSTREAM,
     core.DeliveryOriginType.PEER,
@@ -18146,7 +18119,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
         this.maxTtlSec = options.maxTtlSec ?? null;
     }
     async acceptNodeAttach(envelope, context) {
-        logger$R.debug('handling_node_attach_request');
+        logger$S.debug('handling_node_attach_request');
         const normalizedContext = this.normalizeContext(context);
         const frame = this.normalizeNodeAttachFrame(envelope.frame);
         if (frame.type !== 'NodeAttach') {
@@ -18191,14 +18164,14 @@ class NodeAttachFrameHandler extends TaskSpawner {
         let isRebind = false;
         if (frame.originType === core.DeliveryOriginType.DOWNSTREAM) {
             const hasExistingRoute = this.routeManager.downstreamRoutes.has(attachedSystemId);
-            logger$R.debug('checking_for_existing_route', {
+            logger$S.debug('checking_for_existing_route', {
                 system_id: attachedSystemId,
                 has_existing: hasExistingRoute,
                 existing_routes: Array.from(this.routeManager.downstreamRoutes.keys()),
             });
             if (hasExistingRoute) {
                 isRebind = true;
-                logger$R.warning('rebinding_existing_downstream_route', {
+                logger$S.warning('rebinding_existing_downstream_route', {
                     system_id: attachedSystemId,
                 });
                 oldAssignedPath = buildAssignedPath$1(this.routingNode.physicalPath, attachedSystemId);
@@ -18217,7 +18190,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     meta: { systemId: attachedSystemId },
                 })
                     .catch((error) => {
-                    logger$R.warning('failed_to_unregister_downstream_route_before_rebind', {
+                    logger$S.warning('failed_to_unregister_downstream_route_before_rebind', {
                         system_id: attachedSystemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -18234,7 +18207,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                             for (const address of orphanedAddresses) {
                                 encryptionMgr.clearChannelCacheForDestination(address);
                             }
-                            logger$R.debug('cleared_channel_cache_for_rebind', {
+                            logger$S.debug('cleared_channel_cache_for_rebind', {
                                 system_id: attachedSystemId,
                                 addresses: orphanedAddresses,
                             });
@@ -18246,7 +18219,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                                     encryptionMgr.removeChannelsForDestination(address);
                             }
                             if (totalRemoved > 0) {
-                                logger$R.debug('removed_channel_states_for_rebind', {
+                                logger$S.debug('removed_channel_states_for_rebind', {
                                     system_id: attachedSystemId,
                                     channels_removed: totalRemoved,
                                 });
@@ -18254,7 +18227,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                         }
                     }
                     catch (error) {
-                        logger$R.warning('failed_to_cleanup_channels_for_rebind', {
+                        logger$S.warning('failed_to_cleanup_channels_for_rebind', {
                             system_id: attachedSystemId,
                             error: error instanceof Error ? error.message : String(error),
                         });
@@ -18277,7 +18250,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     meta: { systemId: attachedSystemId },
                 })
                     .catch((error) => {
-                    logger$R.warning('failed_to_unregister_peer_route_before_rebind', {
+                    logger$S.warning('failed_to_unregister_peer_route_before_rebind', {
                         system_id: attachedSystemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -18315,7 +18288,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                 ? { stickiness: negotiatedStickiness }
                 : {}),
         });
-        logger$R.debug('sending_node_attach_ack', {
+        logger$S.debug('sending_node_attach_ack', {
             env_id: ackEnvelope.id ?? 'unknown',
         });
         await this.sendAndNotify(connector, ackEnvelope, attachedSystemId, normalizedContext);
@@ -18362,7 +18335,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
             return this.stickinessManager.negotiate(stickiness);
         }
         catch (error) {
-            logger$R.debug('stickiness_negotiate_skipped', {
+            logger$S.debug('stickiness_negotiate_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
@@ -18378,13 +18351,13 @@ class NodeAttachFrameHandler extends TaskSpawner {
         }
         if (!attachExpiresAt || earliestKeyExpiry < attachExpiresAt) {
             if (attachExpiresAt) {
-                logger$R.warning('attachment_ttl_limited_by_key_expiry', {
+                logger$S.warning('attachment_ttl_limited_by_key_expiry', {
                     limited_attach_expires_at: earliestKeyExpiry.toISOString(),
                     original_attach_expires_at: attachExpiresAt.toISOString(),
                 });
             }
             else {
-                logger$R.debug('attachment_ttl_set_by_key_expiry', {
+                logger$S.debug('attachment_ttl_set_by_key_expiry', {
                     attach_expires_at: earliestKeyExpiry.toISOString(),
                     reason: 'no_max_ttl_configured',
                 });
@@ -18395,7 +18368,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
     }
     async validateAttachmentKeys(frame, envelope, connector, context, systemId) {
         if (!this.attachmentKeyValidator) {
-            logger$R.debug('child_key_validation_skipped', {
+            logger$S.debug('child_key_validation_skipped', {
                 child_id: systemId,
                 reason: 'no_validator',
             });
@@ -18411,7 +18384,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                 }
             }
             if (keyInfos.length > 0) {
-                logger$R.debug('node_attach_key_validation_passed', {
+                logger$S.debug('node_attach_key_validation_passed', {
                     system_id: systemId,
                     instance_id: frame.instanceId,
                     correlation_id: envelope.corrId,
@@ -18431,13 +18404,13 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     reason: `Certificate validation failed: ${error.message}`,
                 });
                 await this.sendAndNotify(connector, rejectionAck, systemId, context).catch((sendError) => {
-                    logger$R.error('failed_sending_negative_attach_ack', {
+                    logger$S.error('failed_sending_negative_attach_ack', {
                         error: sendError instanceof Error
                             ? sendError.message
                             : String(sendError),
                     });
                 });
-                logger$R.error('node_attach_key_validation_failed', {
+                logger$S.error('node_attach_key_validation_failed', {
                     system_id: systemId,
                     instance_id: frame.instanceId,
                     correlation_id: envelope.corrId,
@@ -18503,10 +18476,10 @@ class NodeAttachFrameHandler extends TaskSpawner {
         try {
             await delay(delaySeconds * 1000);
             await connector.close(1008, 'attach-unauthorized');
-            logger$R.debug('closed_unauthorized_connection');
+            logger$S.debug('closed_unauthorized_connection');
         }
         catch (error) {
-            logger$R.error('failed_to_close_unauthorized_connection', {
+            logger$S.error('failed_to_close_unauthorized_connection', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -18619,7 +18592,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
     }
 }
 
-const logger$Q = getLogger('naylence.fame.sentinel.address_bind_frame_handler');
+const logger$R = getLogger('naylence.fame.sentinel.address_bind_frame_handler');
 const RESERVED_ADDRESS_NAMES = new Set(['__sys__', '__rpc__']);
 function pickManagerField(manager, keys) {
     const record = manager;
@@ -18943,7 +18916,7 @@ class AddressBindFrameHandler {
         if (this.routingNode.forwardToPeers) {
             await this.routingNode.forwardToPeers(envelope, undefined, [sourceSystemId], context);
         }
-        logger$Q.debug('address_bound', {
+        logger$R.debug('address_bound', {
             address: addressStr,
             segment: sourceSystemId,
         });
@@ -19041,7 +19014,7 @@ class AddressBindFrameHandler {
             }
             await this.routingNode.forwardToRoute(sourceSystemId, ackEnvelope, ackContext);
         }
-        logger$Q.debug('address_unbound', {
+        logger$R.debug('address_unbound', {
             address: addressStr,
             segment: sourceSystemId,
         });
@@ -19059,7 +19032,7 @@ class AddressBindFrameHandler {
     }
 }
 
-const logger$P = getLogger('naylence.fame.sentinel.node_heartbeat_frame_handler');
+const logger$Q = getLogger('naylence.fame.sentinel.node_heartbeat_frame_handler');
 function normalizeOptions$h(options) {
     if (!options || typeof options !== 'object') {
         throw new Error('NodeHeartbeatFrameHandler requires a routingNode option');
@@ -19096,7 +19069,7 @@ class NodeHeartbeatFrameHandler {
         if (!frame || frame.type !== 'NodeHeartbeat') {
             throw new Error(`Invalid envelope frame. Expected: NodeHeartbeatFrame, actual: ${frame?.type ?? 'unknown'}`);
         }
-        logger$P.trace('handling_heartbeat', {
+        logger$Q.trace('handling_heartbeat', {
             hb_system_id: frame.systemId ?? 'unknown',
             hb_env_id: envelope.id ?? 'unknown',
             hb_corr_id: envelope.corrId ?? 'unknown',
@@ -19124,7 +19097,7 @@ class NodeHeartbeatFrameHandler {
             ...(envelope.corrId ? { corrId: envelope.corrId } : {}),
             ...(envelope.traceId ? { traceId: envelope.traceId } : {}),
         });
-        logger$P.debug('sending_heartbeat_ack', {
+        logger$Q.debug('sending_heartbeat_ack', {
             hb_ack_env_id: ackEnvelope.id ?? 'unknown',
             hb_ack_corr_id: ackEnvelope.corrId ?? 'unknown',
         });
@@ -19152,7 +19125,7 @@ class NodeHeartbeatFrameHandler {
     }
 }
 
-const logger$O = getLogger('naylence.fame.sentinel.capability_frame_handler');
+const logger$P = getLogger('naylence.fame.sentinel.capability_frame_handler');
 class CapabilityFrameHandler {
     constructor(options) {
         this.capabilityRoutes = new Map();
@@ -19179,7 +19152,7 @@ class CapabilityFrameHandler {
         const segment = this.getSourceSystemId(context);
         const downstreamRoutes = getDownstreamRoutes(this.routeManager);
         if (!segment || !hasRoute(downstreamRoutes, segment)) {
-            logger$O.debug('capability_advertise_unknown_segment', { segment });
+            logger$P.debug('capability_advertise_unknown_segment', { segment });
             return;
         }
         const addressKey = this.normalizeAddress(frame.address);
@@ -19212,7 +19185,7 @@ class CapabilityFrameHandler {
         }
         const segment = this.getSourceSystemId(context);
         if (!segment) {
-            logger$O.debug('capability_withdraw_missing_segment');
+            logger$P.debug('capability_withdraw_missing_segment');
             return;
         }
         const addressKey = this.normalizeAddress(frame.address);
@@ -19266,7 +19239,7 @@ class CapabilityFrameHandler {
     async forwardAckToSegment(segment, ackFrame, originalEnvelope, ackContext) {
         const envelopeFactory = this.routingNode.envelopeFactory;
         if (!envelopeFactory) {
-            logger$O.warning('missing_envelope_factory_for_capability_ack');
+            logger$P.warning('missing_envelope_factory_for_capability_ack');
             return;
         }
         const ackEnvelope = envelopeFactory.createEnvelope({
@@ -19329,7 +19302,7 @@ function getStickySid(context) {
     return typed.stickySid ?? typed.sticky_sid ?? undefined;
 }
 
-const logger$N = getLogger('naylence.fame.sentinel.credit_update_frame_handler');
+const logger$O = getLogger('naylence.fame.sentinel.credit_update_frame_handler');
 function normalizeOptions$g(options) {
     if (!options || typeof options !== 'object') {
         throw new Error('CreditUpdateFrameHandler requires a routeManager option');
@@ -19349,12 +19322,12 @@ class CreditUpdateFrameHandler {
     async acceptCreditUpdate(envelope, context) {
         const flowId = envelope.flowId;
         if (!flowId) {
-            logger$N.warning('credit_update_missing_flow_id');
+            logger$O.warning('credit_update_missing_flow_id');
             return;
         }
         const targetConnector = this.routeManager.getFlowRoute(flowId);
         if (!targetConnector) {
-            logger$N.warning('credit_update_unknown_flow', { flowId });
+            logger$O.warning('credit_update_unknown_flow', { flowId });
             return;
         }
         if (context?.fromConnector && context.fromConnector === targetConnector) {
@@ -19364,7 +19337,7 @@ class CreditUpdateFrameHandler {
     }
 }
 
-const logger$M = getLogger('naylence.fame.sentinel.sentinel');
+const logger$N = getLogger('naylence.fame.sentinel.sentinel');
 const ALLOWED_BEFORE_ATTACH = new Set(['NodeAttach']);
 const SYSTEM_INBOX = '__sys__';
 const RESERVED_UPSTREAM_ADDRESS_NAMES = new Set(['__sys__', '__rpc__']);
@@ -19458,7 +19431,7 @@ class Sentinel extends FameNode {
                 routeStore = createPersistentRouteStore(this.storageProvider);
             }
             catch (error) {
-                logger$M.warning('persistent_route_store_unavailable', {
+                logger$N.warning('persistent_route_store_unavailable', {
                     error: error instanceof Error ? error.message : String(error),
                 });
                 routeStore = getDefaultRouteStore();
@@ -19540,7 +19513,7 @@ class Sentinel extends FameNode {
     bumpRoutingEpoch() {
         const previousEpoch = this.routingEpochValue;
         this.routingEpochValue = core.generateId();
-        logger$M.debug('routing_epoch_bumped', {
+        logger$N.debug('routing_epoch_bumped', {
             previous_epoch: previousEpoch,
             new_epoch: this.routingEpochValue,
         });
@@ -19631,7 +19604,7 @@ class Sentinel extends FameNode {
     }
     async forwardToRoute(nextSegment, envelope, context) {
         if (this.originMatches(context, nextSegment, core.DeliveryOriginType.DOWNSTREAM)) {
-            logger$M.debug('downstream_loop_detected', {
+            logger$N.debug('downstream_loop_detected', {
                 envp_id: envelope.id,
                 segment: nextSegment,
             });
@@ -19644,14 +19617,14 @@ class Sentinel extends FameNode {
             }
             const connector = this.routeManager.downstreamRoutes.get(nextSegment);
             if (!connector) {
-                logger$M.warning('no_route_for_child_segment', { segment: nextSegment });
+                logger$N.warning('no_route_for_child_segment', { segment: nextSegment });
                 await this.emitDeliveryNack(processed, {
                     code: 'CHILD_UNREACHABLE',
                     context: context ?? null,
                 });
                 return;
             }
-            logger$M.debug('forwarding_downstream', {
+            logger$N.debug('forwarding_downstream', {
                 ...summarizeEnvelope(processed, ''),
                 route: nextSegment,
             });
@@ -19668,7 +19641,7 @@ class Sentinel extends FameNode {
     }
     async forwardToPeer(peerSegment, envelope, context) {
         if (this.originMatches(context, peerSegment, core.DeliveryOriginType.PEER)) {
-            logger$M.debug('peer_loop_detected', {
+            logger$N.debug('peer_loop_detected', {
                 envp_id: envelope.id,
                 segment: peerSegment,
             });
@@ -19679,7 +19652,7 @@ class Sentinel extends FameNode {
         }
         const connector = this.routeManager._peer_routes.get(peerSegment);
         if (!connector) {
-            logger$M.warning('no_route_for_peer_segment', {
+            logger$N.warning('no_route_for_peer_segment', {
                 peer_segment: peerSegment,
             });
             await this.emitDeliveryNack(processed, {
@@ -19722,7 +19695,7 @@ class Sentinel extends FameNode {
     }
     async forwardUpstream(envelope, context) {
         if (context?.originType === core.DeliveryOriginType.UPSTREAM) {
-            logger$M.debug('skipping_forward_upstream', {
+            logger$N.debug('skipping_forward_upstream', {
                 envp_id: envelope.id,
                 origin_type: context.originType,
             });
@@ -19842,7 +19815,7 @@ class Sentinel extends FameNode {
                 }
                 catch (error) {
                     if (!combined.signal.aborted) {
-                        logger$M.debug('attach_timeout_delay_failed', {
+                        logger$N.debug('attach_timeout_delay_failed', {
                             system_id: systemId,
                             error: error instanceof Error ? error.message : String(error),
                         });
@@ -19869,12 +19842,12 @@ class Sentinel extends FameNode {
                     await connector.stop();
                 }
                 catch (error) {
-                    logger$M.debug('attach_timeout_stop_failed', {
+                    logger$N.debug('attach_timeout_stop_failed', {
                         system_id: systemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
                 }
-                logger$M.warning('attach_timeout_expired', {
+                logger$N.warning('attach_timeout_expired', {
                     system_id: systemId,
                     timeout_ms: timeoutMs,
                 });
@@ -19928,7 +19901,7 @@ class Sentinel extends FameNode {
                     return new core.FameAddress(addressKey);
                 }
                 catch (error) {
-                    logger$M.debug('invalid_capability_address', {
+                    logger$N.debug('invalid_capability_address', {
                         capability,
                         address: addressKey,
                         error: error instanceof Error ? error.message : String(error),
@@ -20084,7 +20057,7 @@ class Sentinel extends FameNode {
     }
     async propagateAddressBindingsUpstream() {
         if (!this.hasParent) {
-            logger$M.warning('No upstream defined to rebind addresses');
+            logger$N.warning('No upstream defined to rebind addresses');
             return;
         }
         const entries = Array.from(this.routeManager._downstream_addresses_routes.entries());
@@ -20107,7 +20080,7 @@ class Sentinel extends FameNode {
                 await this.bindAddressUpstream(new core.FameAddress(address), info);
             }
             catch (error) {
-                logger$M.error('rebind_failed', {
+                logger$N.error('rebind_failed', {
                     address,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -20205,7 +20178,7 @@ class Sentinel extends FameNode {
             }
             catch (error) {
                 // Hook threw => treat as denial, execute Drop
-                logger$M.warning('routing_action_hook_error', {
+                logger$N.warning('routing_action_hook_error', {
                     envp_id: envelope.id,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -20229,7 +20202,7 @@ class Sentinel extends FameNode {
         }
         const abortSignal = signal ?? null;
         if (abortSignal?.aborted) {
-            logger$M.info('shutdown_signal_received', { signal: 'abort' });
+            logger$N.info('shutdown_signal_received', { signal: 'abort' });
             return;
         }
         // Build fabric options, preferring rootConfig if provided
@@ -20245,7 +20218,7 @@ class Sentinel extends FameNode {
         if (node !== null) {
             fabricCreateOptions.node = node;
         }
-        logger$M.debug('fabric_create_options', {
+        logger$N.debug('fabric_create_options', {
             hasRootConfig: 'rootConfig' in fabricCreateOptions,
             hasNode: 'node' in fabricCreateOptions,
             rootConfigKeys: fabricCreateOptions.rootConfig
@@ -20278,7 +20251,7 @@ class Sentinel extends FameNode {
         const registerSignalListeners = () => {
             for (const sig of signals) {
                 const listener = () => {
-                    logger$M.info('shutdown_signal_received', { signal: sig });
+                    logger$N.info('shutdown_signal_received', { signal: sig });
                     cleanupListeners();
                     stopResolve();
                 };
@@ -20287,7 +20260,7 @@ class Sentinel extends FameNode {
             }
             if (abortSignal) {
                 abortListener = () => {
-                    logger$M.info('shutdown_signal_received', { signal: 'abort' });
+                    logger$N.info('shutdown_signal_received', { signal: 'abort' });
                     cleanupListeners();
                     stopResolve();
                 };
@@ -20300,12 +20273,12 @@ class Sentinel extends FameNode {
             await providedFabric.enter();
             try {
                 registerSignalListeners();
-                logger$M.info('sentinel_live', {
+                logger$N.info('sentinel_live', {
                     message: 'Node is live! Press Ctrl+C to stop.',
                 });
                 try {
                     await stopPromise;
-                    logger$M.info('sentinel_shutdown_begin');
+                    logger$N.info('sentinel_shutdown_begin');
                 }
                 finally {
                     cleanupListeners();
@@ -20319,19 +20292,19 @@ class Sentinel extends FameNode {
             // Use withFabric pattern for automatic lifecycle management
             await core.withFabric(fabricCreateOptions, async () => {
                 registerSignalListeners();
-                logger$M.info('sentinel_live', {
+                logger$N.info('sentinel_live', {
                     message: 'Node is live! Press Ctrl+C to stop.',
                 });
                 try {
                     await stopPromise;
-                    logger$M.info('sentinel_shutdown_begin');
+                    logger$N.info('sentinel_shutdown_begin');
                 }
                 finally {
                     cleanupListeners();
                 }
             });
         }
-        logger$M.info('sentinel_shutdown_complete');
+        logger$N.info('sentinel_shutdown_complete');
     }
 }
 function normalizeServeLogLevel(level) {
@@ -20476,7 +20449,7 @@ function isPlainRecord(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
 
-const FACTORY_META$15 = {
+const FACTORY_META$16 = {
     base: NODE_LIKE_FACTORY_BASE_TYPE,
     key: 'Sentinel',
 };
@@ -20660,7 +20633,7 @@ class SentinelFactory extends NodeLikeFactory {
 
 var sentinelFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$15,
+    FACTORY_META: FACTORY_META$16,
     SentinelFactory: SentinelFactory,
     default: SentinelFactory
 });
@@ -20704,7 +20677,7 @@ function createConnectorConfig(config) {
  * A transport adapter that works with both Node.js and browser WebSocket APIs.
  * Supports both native WebSocket clients and server-side WebSocket connections.
  */
-const logger$L = getLogger('naylence.fame.connector.websocket_connector');
+const logger$M = getLogger('naylence.fame.connector.websocket_connector');
 /**
  * WebSocket state constants (mirrors standard WebSocket states)
  */
@@ -20745,7 +20718,7 @@ class WebSocketConnector extends BaseAsyncConnector {
             websocket.send_bytes &&
             typeof websocket.receive_bytes === 'function' &&
             typeof websocket.send_bytes === 'function');
-        logger$L.debug('websocket_connector_created', {
+        logger$M.debug('websocket_connector_created', {
             is_fastapi_like: this._isFastApiLike,
             ready_state: websocket.readyState,
             url: websocket.url,
@@ -20760,7 +20733,7 @@ class WebSocketConnector extends BaseAsyncConnector {
                     socketAny.binaryType = 'arraybuffer';
                 }
                 catch (error) {
-                    logger$L.debug('websocket_set_binary_type_failed', {
+                    logger$M.debug('websocket_set_binary_type_failed', {
                         error: error instanceof Error ? error.message : String(error),
                         current_type: socketAny.binaryType,
                     });
@@ -20816,7 +20789,7 @@ class WebSocketConnector extends BaseAsyncConnector {
         else {
             this._receiveQueue.push(data);
         }
-        logger$L.debug('websocket_message_pushed_to_queue', {
+        logger$M.debug('websocket_message_pushed_to_queue', {
             queueLength: this._receiveQueue.length,
             waitersLength: this._receiveWaiters.length,
         });
@@ -20869,7 +20842,7 @@ class WebSocketConnector extends BaseAsyncConnector {
                 const result = receiveMethod.call(this._websocket);
                 // Ensure we have a Promise
                 if (!result || typeof result.then !== 'function') {
-                    logger$L.error('fastapi_receive_not_awaitable', {
+                    logger$M.error('fastapi_receive_not_awaitable', {
                         result_type: typeof result,
                         result_str: String(result).substring(0, 100),
                     });
@@ -20885,7 +20858,7 @@ class WebSocketConnector extends BaseAsyncConnector {
                     }
                     // Handle known WebSocket shutdown race condition
                     if (this._isAwaitFutureError(error)) {
-                        logger$L.debug('websocket_shutdown_race_condition_handled', {
+                        logger$M.debug('websocket_shutdown_race_condition_handled', {
                             note: 'Normal WebSocket close timing - converting to cancellation',
                             websocket_state: this._websocket.client_state || 'unknown',
                         });
@@ -20928,7 +20901,7 @@ class WebSocketConnector extends BaseAsyncConnector {
         }
         catch (error) {
             if (this._isAwaitFutureError(error)) {
-                logger$L.debug('websocket_shutdown_race_condition_detected', {
+                logger$M.debug('websocket_shutdown_race_condition_detected', {
                     websocket_type: this._websocket.constructor.name,
                     is_fastapi: this._isFastApiLike,
                     note: 'Normal WebSocket close timing during shutdown',
@@ -20974,12 +20947,12 @@ class WebSocketConnector extends BaseAsyncConnector {
                             if (socketAny.readyState !== WebSocketState.CLOSED) {
                                 try {
                                     socketAny.terminate();
-                                    logger$L.debug('websocket_force_terminated', {
+                                    logger$M.debug('websocket_force_terminated', {
                                         ready_state: socketAny.readyState,
                                     });
                                 }
                                 catch (error) {
-                                    logger$L.debug('websocket_force_terminate_failed', {
+                                    logger$M.debug('websocket_force_terminate_failed', {
                                         error: error instanceof Error ? error.message : String(error),
                                     });
                                 }
@@ -20990,7 +20963,7 @@ class WebSocketConnector extends BaseAsyncConnector {
             }
         }
         catch (error) {
-            logger$L.error('websocket_close_failed', {
+            logger$M.error('websocket_close_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
             // Don't re-throw - close errors are not critical during shutdown
@@ -21211,7 +21184,7 @@ class WebSocketConnector extends BaseAsyncConnector {
                 this._removeReceiveHandlers();
             }
             catch (error) {
-                logger$L.debug('websocket_remove_handlers_failed', {
+                logger$M.debug('websocket_remove_handlers_failed', {
                     error: error instanceof Error ? error.message : String(error),
                 });
             }
@@ -21263,7 +21236,7 @@ class WebSocketConnector extends BaseAsyncConnector {
  * Browser-local connector that routes binary frames between peers via an in-page EventTarget.
  * Relies on BaseAsyncConnector for flow control and shutdown behavior.
  */
-const logger$K = getLogger('naylence.fame.connector.inpage_connector');
+const logger$L = getLogger('naylence.fame.connector.inpage_connector');
 const INPAGE_CONNECTOR_TYPE = 'inpage-connector';
 const DEFAULT_CHANNEL$6 = 'naylence-fabric';
 const DEFAULT_INBOX_CAPACITY$6 = 2048;
@@ -21361,7 +21334,7 @@ class InPageConnector extends BaseAsyncConnector {
         }
         this.localNodeId = normalizedLocalNodeId;
         this.targetNodeId = InPageConnector.normalizeTargetNodeId(config.initialTargetNodeId);
-        logger$K.debug('inpage_connector_initialized', {
+        logger$L.debug('inpage_connector_initialized', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -21370,7 +21343,7 @@ class InPageConnector extends BaseAsyncConnector {
         });
         this.onMsg = (event) => {
             if (!this.listenerRegistered) {
-                logger$K.warning('inpage_message_after_unregister', {
+                logger$L.warning('inpage_message_after_unregister', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     timestamp: new Date().toISOString(),
@@ -21379,7 +21352,7 @@ class InPageConnector extends BaseAsyncConnector {
             }
             const messageEvent = event;
             const message = messageEvent.data;
-            logger$K.debug('inpage_raw_event', {
+            logger$L.debug('inpage_raw_event', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 message_type: message && typeof message === 'object'
@@ -21399,7 +21372,7 @@ class InPageConnector extends BaseAsyncConnector {
                 : null;
             const senderNodeId = InPageConnector.normalizeNodeId(busMessage.senderNodeId);
             if (!senderId || !senderNodeId) {
-                logger$K.debug('inpage_message_rejected', {
+                logger$L.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'missing_sender_metadata',
@@ -21407,7 +21380,7 @@ class InPageConnector extends BaseAsyncConnector {
                 return;
             }
             if (senderId === this.connectorId || senderNodeId === this.localNodeId) {
-                logger$K.debug('inpage_message_rejected', {
+                logger$L.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'self_echo',
@@ -21421,14 +21394,14 @@ class InPageConnector extends BaseAsyncConnector {
             }
             const payload = InPageConnector.coercePayload(busMessage.payload);
             if (!payload) {
-                logger$K.debug('inpage_payload_rejected', {
+                logger$L.debug('inpage_payload_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'unrecognized_payload_type',
                 });
                 return;
             }
-            logger$K.debug('inpage_message_received', {
+            logger$L.debug('inpage_message_received', {
                 channel: this.channelName,
                 sender_id: senderId,
                 sender_node_id: senderNodeId,
@@ -21457,14 +21430,14 @@ class InPageConnector extends BaseAsyncConnector {
             }
             catch (error) {
                 if (error instanceof QueueFullError) {
-                    logger$K.warning('inpage_receive_queue_full', {
+                    logger$L.warning('inpage_receive_queue_full', {
                         channel: this.channelName,
                         inbox_capacity: this.inboxCapacity,
                         inbox_remaining_capacity: this.inbox.remainingCapacity,
                     });
                 }
                 else {
-                    logger$K.error('inpage_receive_error', {
+                    logger$L.error('inpage_receive_error', {
                         channel: this.channelName,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -21476,7 +21449,7 @@ class InPageConnector extends BaseAsyncConnector {
         // Setup visibility change monitoring
         this.visibilityChangeHandler = () => {
             const isHidden = document.hidden;
-            logger$K.debug('inpage_visibility_changed', {
+            logger$L.debug('inpage_visibility_changed', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 visibility: isHidden ? 'hidden' : 'visible',
@@ -21485,7 +21458,7 @@ class InPageConnector extends BaseAsyncConnector {
             // Pause/resume connector based on visibility
             if (isHidden && this.state === core.ConnectorState.STARTED) {
                 this.pause().catch((err) => {
-                    logger$K.warning('inpage_pause_failed', {
+                    logger$L.warning('inpage_pause_failed', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         error: err instanceof Error ? err.message : String(err),
@@ -21494,7 +21467,7 @@ class InPageConnector extends BaseAsyncConnector {
             }
             else if (!isHidden && this.state === core.ConnectorState.PAUSED) {
                 this.resume().catch((err) => {
-                    logger$K.warning('inpage_resume_failed', {
+                    logger$L.warning('inpage_resume_failed', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         error: err instanceof Error ? err.message : String(err),
@@ -21508,7 +21481,7 @@ class InPageConnector extends BaseAsyncConnector {
             // Track page lifecycle events to detect browser unload/discard
             if (typeof window !== 'undefined') {
                 const lifecycleLogger = (event) => {
-                    logger$K.info('inpage_page_lifecycle', {
+                    logger$L.info('inpage_page_lifecycle', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         event_type: event.type,
@@ -21524,7 +21497,7 @@ class InPageConnector extends BaseAsyncConnector {
                 document.addEventListener('resume', lifecycleLogger);
             }
             // Log initial state with detailed visibility info
-            logger$K.debug('inpage_initial_visibility', {
+            logger$L.debug('inpage_initial_visibility', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 visibility: document.hidden ? 'hidden' : 'visible',
@@ -21542,7 +21515,7 @@ class InPageConnector extends BaseAsyncConnector {
         await super.start(inboundHandler);
         // After transitioning to STARTED, check if tab is already hidden
         if (typeof document !== 'undefined' && document.hidden) {
-            logger$K.debug('inpage_start_in_hidden_tab', {
+            logger$L.debug('inpage_start_in_hidden_tab', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 document_hidden: document.hidden,
@@ -21552,7 +21525,7 @@ class InPageConnector extends BaseAsyncConnector {
             });
             // Immediately pause if tab is hidden at start time
             await this.pause().catch((err) => {
-                logger$K.warning('inpage_initial_pause_failed', {
+                logger$L.warning('inpage_initial_pause_failed', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     error: err instanceof Error ? err.message : String(err),
@@ -21582,14 +21555,14 @@ class InPageConnector extends BaseAsyncConnector {
         }
         catch (error) {
             if (error instanceof QueueFullError) {
-                logger$K.warning('inpage_push_queue_full', {
+                logger$L.warning('inpage_push_queue_full', {
                     channel: this.channelName,
                     inbox_capacity: this.inboxCapacity,
                     inbox_remaining_capacity: this.inbox.remainingCapacity,
                 });
                 throw error;
             }
-            logger$K.error('inpage_push_failed', {
+            logger$L.error('inpage_push_failed', {
                 channel: this.channelName,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -21599,7 +21572,7 @@ class InPageConnector extends BaseAsyncConnector {
     async _transportSendBytes(data) {
         ensureBrowserEnvironment$2();
         const targetNodeId = this.targetNodeId ?? '*';
-        logger$K.debug('inpage_message_sending', {
+        logger$L.debug('inpage_message_sending', {
             channel: this.channelName,
             sender_id: this.connectorId,
             sender_node_id: this.localNodeId,
@@ -21623,7 +21596,7 @@ class InPageConnector extends BaseAsyncConnector {
         return item;
     }
     async _transportClose(code, reason) {
-        logger$K.debug('inpage_transport_closing', {
+        logger$L.debug('inpage_transport_closing', {
             channel: this.channelName,
             connector_id: this.connectorId,
             code,
@@ -21632,14 +21605,14 @@ class InPageConnector extends BaseAsyncConnector {
             timestamp: new Date().toISOString(),
         });
         if (this.listenerRegistered) {
-            logger$K.debug('inpage_removing_listener', {
+            logger$L.debug('inpage_removing_listener', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 timestamp: new Date().toISOString(),
             });
             getSharedBus$1().removeEventListener(this.channelName, this.onMsg);
             this.listenerRegistered = false;
-            logger$K.debug('inpage_listener_removed', {
+            logger$L.debug('inpage_listener_removed', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 timestamp: new Date().toISOString(),
@@ -21671,7 +21644,7 @@ class InPageConnector extends BaseAsyncConnector {
             if (targetNodeId &&
                 targetNodeId !== '*' &&
                 targetNodeId !== this.localNodeId) {
-                logger$K.debug('inpage_message_rejected', {
+                logger$L.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'wildcard_target_mismatch',
@@ -21687,7 +21660,7 @@ class InPageConnector extends BaseAsyncConnector {
         if (expectedSender &&
             expectedSender !== '*' &&
             senderNodeId !== expectedSender) {
-            logger$K.debug('inpage_message_rejected', {
+            logger$L.debug('inpage_message_rejected', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 reason: 'unexpected_sender',
@@ -21700,7 +21673,7 @@ class InPageConnector extends BaseAsyncConnector {
         if (targetNodeId &&
             targetNodeId !== '*' &&
             targetNodeId !== this.localNodeId) {
-            logger$K.debug('inpage_message_rejected', {
+            logger$L.debug('inpage_message_rejected', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 reason: 'unexpected_target',
@@ -21725,7 +21698,7 @@ class InPageConnector extends BaseAsyncConnector {
         return 'unknown';
     }
     logInboxSnapshot(event, extra = {}) {
-        logger$K.debug(event, {
+        logger$L.debug(event, {
             channel: this.channelName,
             connector_id: this.connectorId,
             connector_state: this.state,
@@ -21744,7 +21717,7 @@ class InPageConnector extends BaseAsyncConnector {
             return;
         }
         this.targetNodeId = normalized;
-        logger$K.debug('inpage_target_updated', {
+        logger$L.debug('inpage_target_updated', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -21754,7 +21727,7 @@ class InPageConnector extends BaseAsyncConnector {
     }
     setWildcardTarget() {
         this.targetNodeId = '*';
-        logger$K.debug('inpage_target_updated', {
+        logger$L.debug('inpage_target_updated', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -21948,6 +21921,185 @@ class AuthorizerFactory extends factory.AbstractResourceFactory {
     }
 }
 
+const logger$K = getLogger('naylence.fame.security.auth.authorization_profile_factory');
+const PROFILE_NAME_DEFAULT = 'jwt';
+const PROFILE_NAME_OAUTH2 = 'oauth2';
+const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
+const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+const PROFILE_NAME_NOOP$2 = 'noop';
+const ENV_VAR_JWT_TRUSTED_ISSUER$1 = 'FAME_JWT_TRUSTED_ISSUER';
+const ENV_VAR_JWT_ALGORITHM$1 = 'FAME_JWT_ALGORITHM';
+const ENV_VAR_JWT_AUDIENCE$2 = 'FAME_JWT_AUDIENCE';
+const ENV_VAR_JWKS_URL$1 = 'FAME_JWKS_URL';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+const ENV_VAR_TRUSTED_CLIENT_SCOPE$1 = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
+const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
+const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
+const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_PROFILE = {
+    type: 'DefaultAuthorizer',
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
+};
+const OAUTH2_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    required_scopes: ['node.connect'],
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM$1, 'RS256'),
+    audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
+};
+const OAUTH2_GATED_PROFILE = {
+    ...OAUTH2_PROFILE,
+    enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1, 'false'),
+    trusted_client_scope: factory.Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE$1, 'node.trusted'),
+};
+const OAUTH2_CALLBACK_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+    audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1),
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    reverse_auth_ttl_sec: 86400,
+    token_verifier_config: {
+        type: 'JWTTokenVerifier',
+        algorithm: 'HS256',
+        hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+    },
+    token_issuer_config: {
+        type: 'JWTTokenIssuer',
+        algorithm: 'HS256',
+        hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET$1),
+        kid: 'hmac-reverse-auth-key',
+        issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+        audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1, DEFAULT_REVERSE_AUTH_AUDIENCE),
+    },
+};
+const NOOP_PROFILE$2 = {
+    type: 'NoopAuthorizer',
+};
+const PROFILE_MAP$5 = {
+    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
+    [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
+    [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_NOOP$2]: NOOP_PROFILE$2,
+};
+const PROFILE_ALIASES$1 = {
+    jwt: PROFILE_NAME_DEFAULT,
+    jwks: PROFILE_NAME_DEFAULT,
+    default: PROFILE_NAME_DEFAULT,
+    oauth2: PROFILE_NAME_OAUTH2,
+    oidc: PROFILE_NAME_OAUTH2,
+    'oauth2-gated': PROFILE_NAME_OAUTH2_GATED,
+    oauth2_gated: PROFILE_NAME_OAUTH2_GATED,
+    'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
+    oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
+    'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    noop: PROFILE_NAME_NOOP$2,
+    'no-op': PROFILE_NAME_NOOP$2,
+    no_op: PROFILE_NAME_NOOP$2,
+};
+const FACTORY_META$15 = {
+    base: AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'AuthorizationProfile',
+};
+class AuthorizationProfileFactory extends AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'AuthorizationProfile';
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig$w(config);
+        const profileConfig = resolveProfileConfig$4(normalized.profile);
+        logger$K.debug('enabling_authorization_profile', {
+            profile: normalized.profile,
+        });
+        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        if (!authorizer) {
+            throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
+        }
+        return authorizer;
+    }
+}
+function normalizeConfig$w(config) {
+    if (!config) {
+        return { profile: PROFILE_NAME_OAUTH2 };
+    }
+    const candidate = config;
+    const profileValue = resolveProfileName$2(candidate);
+    const canonicalProfile = canonicalizeProfileName$1(profileValue);
+    candidate.profile = canonicalProfile;
+    return { profile: canonicalProfile };
+}
+function resolveProfileName$2(candidate) {
+    const direct = coerceProfileString$2(candidate.profile);
+    if (direct) {
+        return direct;
+    }
+    const legacyKeys = ['profile_name', 'profileName'];
+    for (const legacyKey of legacyKeys) {
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
+        if (legacyValue) {
+            return legacyValue;
+        }
+    }
+    return PROFILE_NAME_OAUTH2;
+}
+function coerceProfileString$2(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function canonicalizeProfileName$1(value) {
+    const normalized = value.replace(/[\s_]+/g, '-').toLowerCase();
+    return PROFILE_ALIASES$1[normalized] ?? normalized;
+}
+function resolveProfileConfig$4(profileName) {
+    const profile = PROFILE_MAP$5[profileName];
+    if (!profile) {
+        throw new Error(`Unknown authorization profile: ${profileName}`);
+    }
+    return deepClone$4(profile);
+}
+function deepClone$4(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+
+var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AuthorizationProfileFactory: AuthorizationProfileFactory,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1,
+    ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET$1,
+    ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL$1,
+    ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM$1,
+    ENV_VAR_JWT_AUDIENCE: ENV_VAR_JWT_AUDIENCE$2,
+    ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE: ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1,
+    ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER: ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1,
+    ENV_VAR_JWT_TRUSTED_ISSUER: ENV_VAR_JWT_TRUSTED_ISSUER$1,
+    ENV_VAR_TRUSTED_CLIENT_SCOPE: ENV_VAR_TRUSTED_CLIENT_SCOPE$1,
+    FACTORY_META: FACTORY_META$15,
+    PROFILE_NAME_DEFAULT: PROFILE_NAME_DEFAULT,
+    PROFILE_NAME_NOOP: PROFILE_NAME_NOOP$2,
+    PROFILE_NAME_OAUTH2: PROFILE_NAME_OAUTH2,
+    PROFILE_NAME_OAUTH2_CALLBACK: PROFILE_NAME_OAUTH2_CALLBACK,
+    PROFILE_NAME_OAUTH2_GATED: PROFILE_NAME_OAUTH2_GATED,
+    default: AuthorizationProfileFactory
+});
+
 function isAuthInjectionStrategy(candidate) {
     return (typeof candidate === 'object' &&
         candidate !== null &&
@@ -29429,14 +29581,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_I
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 const PROFILE_NAME_GATED = 'gated';
 const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 const PROFILE_NAME_OPEN$1 = 'open';
-const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
-const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
 const STRICT_OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -29482,12 +29633,8 @@ const STRICT_OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'DefaultAuthorizer',
-        verifier: {
-            type: 'JWKSJWTTokenVerifier',
-            jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL),
-            issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
     },
 };
 const OVERLAY_PROFILE = {
@@ -29534,14 +29681,8 @@ const OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2'),
     },
 };
 const OVERLAY_CALLBACK_PROFILE = {
@@ -29588,29 +29729,8 @@ const OVERLAY_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const GATED_PROFILE = {
@@ -29656,16 +29776,8 @@ const GATED_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
-        enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
-        trusted_client_scope: factory.Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-gated'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -29711,29 +29823,8 @@ const GATED_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const OPEN_PROFILE$1 = {
@@ -29742,7 +29833,8 @@ const OPEN_PROFILE$1 = {
         type: 'NoSecurityPolicy',
     },
     authorizer: {
-        type: 'NoopAuthorizer',
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'noop'),
     },
 };
 const PROFILE_MAP$4 = {
@@ -29871,6 +29963,7 @@ function deepClone$3(value) {
 
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
+    ENV_VAR_AUTHORIZATION_PROFILE: ENV_VAR_AUTHORIZATION_PROFILE,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
     ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
@@ -43628,11 +43721,26 @@ exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE = AUTHORIZATION_POLICY_FACTORY_BA
 exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE = AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE;
 exports.AUTHORIZER_FACTORY_BASE_TYPE = AUTHORIZER_FACTORY_BASE_TYPE;
 exports.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE = AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE;
+exports.AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1;
+exports.AUTH_PROFILE_ENV_VAR_HMAC_SECRET = ENV_VAR_HMAC_SECRET$1;
+exports.AUTH_PROFILE_ENV_VAR_JWKS_URL = ENV_VAR_JWKS_URL$1;
+exports.AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM = ENV_VAR_JWT_ALGORITHM$1;
+exports.AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE = ENV_VAR_JWT_AUDIENCE$2;
+exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1;
+exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1;
+exports.AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER = ENV_VAR_JWT_TRUSTED_ISSUER$1;
+exports.AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE = ENV_VAR_TRUSTED_CLIENT_SCOPE$1;
+exports.AUTH_PROFILE_NAME_DEFAULT = PROFILE_NAME_DEFAULT;
+exports.AUTH_PROFILE_NAME_NOOP = PROFILE_NAME_NOOP$2;
+exports.AUTH_PROFILE_NAME_OAUTH2 = PROFILE_NAME_OAUTH2;
+exports.AUTH_PROFILE_NAME_OAUTH2_CALLBACK = PROFILE_NAME_OAUTH2_CALLBACK;
+exports.AUTH_PROFILE_NAME_OAUTH2_GATED = PROFILE_NAME_OAUTH2_GATED;
 exports.AsyncLock = AsyncLock;
 exports.AttachmentKeyValidator = AttachmentKeyValidator;
 exports.AuthInjectionStrategyFactory = AuthInjectionStrategyFactory;
 exports.AuthorizationPolicyFactory = AuthorizationPolicyFactory;
 exports.AuthorizationPolicySourceFactory = AuthorizationPolicySourceFactory;
+exports.AuthorizationProfileFactory = AuthorizationProfileFactory;
 exports.AuthorizerFactory = AuthorizerFactory;
 exports.BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE = BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE;
 exports.BROADCAST_CHANNEL_CONNECTOR_FACTORY_META = FACTORY_META$$;
@@ -43675,6 +43783,7 @@ exports.DevFixedKeyCredentialProvider = DevFixedKeyCredentialProvider;
 exports.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE = ENCRYPTION_MANAGER_FACTORY_BASE_TYPE;
 exports.ENVELOPE_SIGNER_FACTORY_BASE_TYPE = ENVELOPE_SIGNER_FACTORY_BASE_TYPE;
 exports.ENVELOPE_VERIFIER_FACTORY_BASE_TYPE = ENVELOPE_VERIFIER_FACTORY_BASE_TYPE;
+exports.ENV_VAR_AUTHORIZATION_PROFILE = ENV_VAR_AUTHORIZATION_PROFILE;
 exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = ENV_VAR_DEFAULT_ENCRYPTION_LEVEL;
 exports.ENV_VAR_HMAC_SECRET = ENV_VAR_HMAC_SECRET;
 exports.ENV_VAR_JWKS_URL = ENV_VAR_JWKS_URL;