@naylence/runtime 0.4.0 → 0.4.2

package/dist/browser/index.mjs

@@ -126,6 +126,7 @@ const MODULES = [
     "./node/node-identity-policy-profile-factory.js",
     "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
+    "./security/auth/authorization-profile-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
     "./security/auth/default-policy-authorizer-factory.js",
@@ -208,6 +209,7 @@ const MODULE_LOADERS = {
     "./node/node-identity-policy-profile-factory.js": () => Promise.resolve().then(function () { return nodeIdentityPolicyProfileFactory; }),
     "./node/token-subject-node-identity-policy-factory.js": () => Promise.resolve().then(function () { return tokenSubjectNodeIdentityPolicyFactory; }),
     "./placement/static-node-placement-strategy-factory.js": () => Promise.resolve().then(function () { return staticNodePlacementStrategyFactory; }),
+    "./security/auth/authorization-profile-factory.js": () => Promise.resolve().then(function () { return authorizationProfileFactory; }),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => Promise.resolve().then(function () { return bearerTokenHeaderAuthInjectionStrategyFactory; }),
     "./security/auth/default-authorizer-factory.js": () => Promise.resolve().then(function () { return defaultAuthorizerFactory; }),
     "./security/auth/default-policy-authorizer-factory.js": () => Promise.resolve().then(function () { return defaultPolicyAuthorizerFactory; }),
@@ -521,12 +523,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.0
+// Generated from package.json version: 0.4.2
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.0';
+const VERSION = '0.4.2';
 
 let initialized = false;
 const runtimePlugin = {
@@ -3730,7 +3732,7 @@ class EnvCredentialProviderFactory extends CredentialProviderFactory {
         return new EnvCredentialProvider(resolved.varName);
     }
 }
-const FACTORY_META$1f = {
+const FACTORY_META$1g = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'EnvCredentialProvider',
 };
@@ -3738,7 +3740,7 @@ const FACTORY_META$1f = {
 var envCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     EnvCredentialProviderFactory: EnvCredentialProviderFactory,
-    FACTORY_META: FACTORY_META$1f,
+    FACTORY_META: FACTORY_META$1g,
     default: EnvCredentialProviderFactory,
     normalizeEnvConfig: normalizeEnvConfig
 });
@@ -3836,14 +3838,14 @@ class PromptCredentialProviderFactory extends CredentialProviderFactory {
         return new PromptCredentialProvider(resolved.credentialName);
     }
 }
-const FACTORY_META$1e = {
+const FACTORY_META$1f = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'PromptCredentialProvider',
 };
 
 var promptCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1e,
+    FACTORY_META: FACTORY_META$1f,
     PromptCredentialProviderFactory: PromptCredentialProviderFactory,
     default: PromptCredentialProviderFactory,
     normalizePromptConfig: normalizePromptConfig
@@ -3897,14 +3899,14 @@ class SecretStoreCredentialProviderFactory extends CredentialProviderFactory {
         return new SecretStoreCredentialProvider(resolved.secretName);
     }
 }
-const FACTORY_META$1d = {
+const FACTORY_META$1e = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'SecretStoreCredentialProvider',
 };
 
 var secretStoreCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1d,
+    FACTORY_META: FACTORY_META$1e,
     SecretStoreCredentialProviderFactory: SecretStoreCredentialProviderFactory,
     default: SecretStoreCredentialProviderFactory,
     normalizeSecretStoreConfig: normalizeSecretStoreConfig
@@ -3953,14 +3955,14 @@ class StaticCredentialProviderFactory extends CredentialProviderFactory {
         return new StaticCredentialProvider(resolved.credentialValue);
     }
 }
-const FACTORY_META$1c = {
+const FACTORY_META$1d = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'StaticCredentialProvider',
 };
 
 var staticCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1c,
+    FACTORY_META: FACTORY_META$1d,
     StaticCredentialProviderFactory: StaticCredentialProviderFactory,
     default: StaticCredentialProviderFactory,
     normalizeStaticConfig: normalizeStaticConfig
@@ -4204,7 +4206,7 @@ const BASE_PROFILE_MAP = {
     [PROFILE_NAME_INDEXEDDB]: INDEXEDDB_PROFILE_CONFIG,
 };
 // Extended profile map - can be augmented by Node.js environment
-const PROFILE_MAP$6 = {
+const PROFILE_MAP$7 = {
     ...BASE_PROFILE_MAP,
 };
 class StorageProfileFactory extends StorageProviderFactory {
@@ -4219,9 +4221,9 @@ class StorageProfileFactory extends StorageProviderFactory {
             type: 'StorageProfile',
         });
         const profileName = (parsed.profile ?? PROFILE_NAME_MEMORY).toLowerCase();
-        const profileConfig = PROFILE_MAP$6[profileName];
+        const profileConfig = PROFILE_MAP$7[profileName];
         if (!profileConfig) {
-            throw new Error(`Unknown storage profile '${profileName}'. Supported profiles: ${Object.keys(PROFILE_MAP$6).join(', ')}`);
+            throw new Error(`Unknown storage profile '${profileName}'. Supported profiles: ${Object.keys(PROFILE_MAP$7).join(', ')}`);
         }
         const createOptions = {
             ...options,
@@ -13249,44 +13251,12 @@ class ConnectionRetryPolicyFactory extends AbstractResourceFactory {
     }
 }
 
-const TOKEN_PROVIDER_FACTORY_BASE_TYPE = 'TokenProviderFactory';
-class TokenProviderFactory extends AbstractResourceFactory {
-    static async createTokenProvider(config, options = {}) {
-        if (config) {
-            const provider = await createResource$1(TOKEN_PROVIDER_FACTORY_BASE_TYPE, config, options);
-            if (!provider) {
-                throw new Error('Failed to create token provider from configuration');
-            }
-            return provider;
-        }
-        let provider = null;
-        try {
-            provider = await createDefaultResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, null, options);
-        }
-        catch (error) {
-            const message = 'Failed to create default token provider' +
-                (error instanceof Error && error.message ? `: ${error.message}` : '');
-            throw new Error(message);
-        }
-        if (!provider) {
-            throw new Error('Failed to create default token provider');
-        }
-        return provider;
-    }
-}
-
-function isTokenProvider(candidate) {
-    return (typeof candidate === 'object' &&
-        candidate !== null &&
-        typeof candidate.getToken === 'function');
-}
-function isIdentityExposingTokenProvider(candidate) {
-    return (isTokenProvider(candidate) &&
-        typeof candidate.getIdentity ===
-            'function');
-}
-
-const logger$12 = getLogger('naylence.fame.node.default_node_identity_policy');
+/**
+ * Default node identity policy that preserves the current node ID.
+ *
+ * This policy does NOT derive identity from tokens or grants.
+ * For token-subject-based identity, use TokenSubjectNodeIdentityPolicy.
+ */
 class DefaultNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -13298,44 +13268,10 @@ class DefaultNodeIdentityPolicy {
         return await generateIdAsync({ mode: 'fingerprint' });
     }
     async resolveAdmissionNodeId(context) {
-        // Try to extract identity from grants first
-        if (context.grants && context.grants.length > 0) {
-            for (const grant of context.grants) {
-                try {
-                    const auth = grant.auth;
-                    if (!auth) {
-                        continue;
-                    }
-                    const tokenProviderConfig = (auth.tokenProvider ??
-                        auth.token_provider);
-                    if (!tokenProviderConfig ||
-                        typeof tokenProviderConfig.type !== 'string') {
-                        continue;
-                    }
-                    const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
-                    if (isIdentityExposingTokenProvider(provider)) {
-                        const identity = await provider.getIdentity();
-                        if (identity && identity.subject) {
-                            logger$12.debug('identity_extracted_from_grant', {
-                                identity_id: identity.subject,
-                                grant_type: grant.type,
-                            });
-                            return identity.subject;
-                        }
-                    }
-                }
-                catch (error) {
-                    logger$12.warning('identity_extraction_failed', {
-                        error: error instanceof Error ? error.message : String(error),
-                        grant_type: grant.type,
-                    });
-                }
-            }
+        if (context.currentNodeId) {
+            return context.currentNodeId;
         }
-        if (!context.currentNodeId) {
-            return await generateIdAsync({ mode: 'fingerprint' });
-        }
-        return context.currentNodeId;
+        return await generateIdAsync({ mode: 'fingerprint' });
     }
 }
 
@@ -13409,7 +13345,7 @@ class AttachmentKeyValidator {
     }
 }
 
-const logger$11 = getLogger('naylence.fame.node.admission.default_node_attach_client');
+const logger$12 = getLogger('naylence.fame.node.admission.default_node_attach_client');
 const HANDSHAKE_POLL_INTERVAL_MS = 20;
 class DefaultNodeAttachClient {
     constructor(options = {}) {
@@ -13433,7 +13369,7 @@ class DefaultNodeAttachClient {
                 }
                 else {
                     // Silently ignore frames from other agents during concurrent handshakes
-                    logger$11.debug('handshake_ignoring_frame_from_different_system', {
+                    logger$12.debug('handshake_ignoring_frame_from_different_system', {
                         frame_type: envelope.frame.type,
                         frame_system_id: frameSystemId,
                         expected_system_id: this.expectedSystemId,
@@ -13476,7 +13412,7 @@ class DefaultNodeAttachClient {
             }
         }
         catch (error) {
-            logger$11.debug('stickiness_offer_skipped', {
+            logger$12.debug('stickiness_offer_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -13497,7 +13433,7 @@ class DefaultNodeAttachClient {
             if (!processedEnvelope) {
                 throw new Error('Envelope was blocked by onForwardUpstream event');
             }
-            logger$11.debug('sending_node_attach_envelope', {
+            logger$12.debug('sending_node_attach_envelope', {
                 envp_id: processedEnvelope.id ?? envelope.id ?? null,
                 frame_type: processedEnvelope.frame?.type ?? 'unknown',
                 trace_id: processedEnvelope.traceId ?? envelope.traceId ?? null,
@@ -13533,7 +13469,7 @@ class DefaultNodeAttachClient {
             try {
                 const keyInfos = await this.attachmentKeyValidator.validateKeys(parentKeys);
                 if (Array.isArray(keyInfos) && keyInfos.length > 0) {
-                    logger$11.debug('parent_certificate_validation_passed', {
+                    logger$12.debug('parent_certificate_validation_passed', {
                         parent_id: parentId,
                         correlation_id: corrId,
                         validated_keys: keyInfos.length,
@@ -13542,7 +13478,7 @@ class DefaultNodeAttachClient {
             }
             catch (error) {
                 if (error instanceof KeyValidationError) {
-                    logger$11.error('parent_certificate_validation_failed', {
+                    logger$12.error('parent_certificate_validation_failed', {
                         parent_id: parentId,
                         correlation_id: corrId,
                         error_code: error.code,
@@ -13556,12 +13492,12 @@ class DefaultNodeAttachClient {
             }
         }
         else {
-            logger$11.debug('parent_certificate_validation_skipped', {
+            logger$12.debug('parent_certificate_validation_skipped', {
                 parent_id: parentId,
                 reason: 'no_validator',
             });
         }
-        logger$11.debug('processing_node_attach_ack', {
+        logger$12.debug('processing_node_attach_ack', {
             parent_id: ackFrame.targetSystemId,
         });
         this.inHandshake = false;
@@ -13592,7 +13528,7 @@ class DefaultNodeAttachClient {
             }
         }
         catch (error) {
-            logger$11.debug('stickiness_accept_skipped', {
+            logger$12.debug('stickiness_accept_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -13646,7 +13582,7 @@ class DefaultNodeAttachClient {
                 // NodeAttach frames during handshake are expected in multi-agent scenarios
                 // where multiple agents attach concurrently to the same channel
                 if (envelope.frame.type === 'NodeAttach') {
-                    logger$11.debug('handshake_ignoring_concurrent_attach', {
+                    logger$12.debug('handshake_ignoring_concurrent_attach', {
                         frame_type: envelope.frame.type,
                         frame_system_id: envelope.frame?.systemId ??
                             'unknown',
@@ -13654,7 +13590,7 @@ class DefaultNodeAttachClient {
                 }
                 else {
                     // Other unexpected frames are still logged as errors
-                    logger$11.error('unexpected_frame_during_handshake', {
+                    logger$12.error('unexpected_frame_during_handshake', {
                         frame_type: envelope.frame.type,
                     });
                 }
@@ -13794,7 +13730,7 @@ class TraceEmitterFactory extends AbstractResourceFactory {
 // void import('./trace-emitter-profile-factory.js');
 
 const BINDING_STORE_NAMESPACE = '__binding_store';
-const logger$10 = getLogger('naylence.fame.node.factory_commons');
+const logger$11 = getLogger('naylence.fame.node.factory_commons');
 function isPlainRecord$2(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
@@ -13988,7 +13924,7 @@ async function resolveNodeIdentityPolicy(config, options) {
         return await NodeIdentityPolicyFactory.createNodeIdentityPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('node_identity_policy_creation_failed', {
+        logger$11.warning('node_identity_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -13999,7 +13935,7 @@ async function resolveConnectionRetryPolicy(config, options) {
         return await ConnectionRetryPolicyFactory.createConnectionRetryPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('connection_retry_policy_creation_failed', {
+        logger$11.warning('connection_retry_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14011,7 +13947,7 @@ async function resolveStorageProvider(config, options) {
             return await StorageProviderFactory.createStorageProvider(config, cloneCreateOptions(options));
         }
         catch (error) {
-            logger$10.warning('storage_provider_creation_failed', {
+            logger$11.warning('storage_provider_creation_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -14033,7 +13969,7 @@ async function resolveAdmissionClient(config, options, identityPolicy) {
         return await AdmissionClientFactory.createAdmissionClient((config ?? null), createOptions);
     }
     catch (error) {
-        logger$10.warning('admission_client_creation_failed', {
+        logger$11.warning('admission_client_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14060,7 +13996,7 @@ async function resolveReplicaStickinessManager(hasParent, requestedLogicals, opt
         return await ReplicaStickinessManagerFactory.createReplicaStickinessManager(undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.debug('replica_stickiness_manager_unavailable', { error });
+        logger$11.debug('replica_stickiness_manager_unavailable', { error });
         return null;
     }
 }
@@ -14069,7 +14005,7 @@ async function resolveAttachmentKeyValidator(config, options) {
         return await AttachmentKeyValidatorFactory.createAttachmentKeyValidator(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('attachment_key_validator_creation_failed', {
+        logger$11.warning('attachment_key_validator_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14087,7 +14023,7 @@ async function resolveDeliveryPolicy(config, options) {
         return await DeliveryPolicyFactory.createDeliveryPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('delivery_policy_creation_failed', {
+        logger$11.warning('delivery_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14101,7 +14037,7 @@ async function resolveTransportListeners(configs, eventListeners, options) {
         return await TransportListenerFactory.createTransportListeners(configs, eventListeners, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('transport_listener_creation_failed', {
+        logger$11.warning('transport_listener_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return [];
@@ -14112,7 +14048,7 @@ async function resolveTraceEmitter(config, options) {
         return await TraceEmitterFactory.createTraceEmitter(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$10.warning('trace_emitter_creation_failed', {
+        logger$11.warning('trace_emitter_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14168,7 +14104,7 @@ async function createSecurityManagerFromConfig(config, overrides, options) {
         return manager ?? null;
     }
     catch (error) {
-        logger$10.warning('security_manager_creation_failed', {
+        logger$11.warning('security_manager_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -14197,7 +14133,7 @@ async function resolveCryptoProvider(config, options) {
     // This happens with overlay security profiles that need envelope signing
     if (requiresCryptoProvider(config)) {
         try {
-            logger$10.debug('auto_creating_crypto_provider', {
+            logger$11.debug('auto_creating_crypto_provider', {
                 reason: 'overlay_security_requires_signing',
             });
             // Dynamically import to avoid circular dependencies
@@ -14217,7 +14153,7 @@ async function resolveCryptoProvider(config, options) {
             });
         }
         catch (error) {
-            logger$10.error('failed_to_auto_create_crypto_provider', {
+            logger$11.error('failed_to_auto_create_crypto_provider', {
                 error: error instanceof Error ? error.message : String(error),
             });
             throw error;
@@ -14763,7 +14699,7 @@ class NodeLikeFactory extends AbstractResourceFactory {
 //   registerFactory(NODE_LIKE_FACTORY_BASE_TYPE, type, factory);
 // }
 
-const FACTORY_META$1b = {
+const FACTORY_META$1c = {
     base: NODE_LIKE_FACTORY_BASE_TYPE,
     key: 'Node',
 };
@@ -14805,7 +14741,7 @@ class NodeFactory extends NodeLikeFactory {
 
 var nodeFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1b,
+    FACTORY_META: FACTORY_META$1c,
     NodeFactory: NodeFactory,
     default: NodeFactory
 });
@@ -15382,7 +15318,7 @@ function normalizeSecurityRequirements(value) {
     };
 }
 
-const logger$$ = getLogger('naylence.fame.node.envelope_security_handler');
+const logger$10 = getLogger('naylence.fame.node.envelope_security_handler');
 const ENCRYPTION_OPTION_ALIAS_PAIRS = [
     ['recipKid', 'recip_kid'],
     ['recipientKeyId', 'recipient_key_id'],
@@ -15431,7 +15367,7 @@ class EnvelopeSecurityHandler {
         const shouldSign = this.securityPolicy
             ? await this.securityPolicy.shouldSignEnvelope(envelope, context, this.node)
             : false;
-        logger$$.debug('checking_signing', {
+        logger$10.debug('checking_signing', {
             has_signer: Boolean(this.envelopeSigner),
             should_sign: shouldSign,
             envp_id: envelope.id,
@@ -15453,7 +15389,7 @@ class EnvelopeSecurityHandler {
         const shouldEncrypt = this.securityPolicy
             ? await this.securityPolicy.shouldEncryptEnvelope(envelope, context, this.node)
             : false;
-        logger$$.debug('checking_encryption', {
+        logger$10.debug('checking_encryption', {
             has_encryption_manager: Boolean(this.encryptionManager),
             should_encrypt: shouldEncrypt,
             envp_id: envelope.id,
@@ -15461,7 +15397,7 @@ class EnvelopeSecurityHandler {
         });
         if (this.encryptionManager && this.securityPolicy) {
             if (envelope.sec?.enc) {
-                logger$$.debug('skipping_encryption_already_encrypted', {
+                logger$10.debug('skipping_encryption_already_encrypted', {
                     envp_id: envelope.id,
                     destination: envelope.to ? String(envelope.to) : undefined,
                 });
@@ -15474,7 +15410,7 @@ class EnvelopeSecurityHandler {
                     CryptoLevel.PLAINTEXT;
                 desiredCryptoLevel =
                     await this.securityPolicy.decideResponseCryptoLevel(requestCryptoLevel, envelope, context);
-                logger$$.debug('response_crypto_level_decided', {
+                logger$10.debug('response_crypto_level_decided', {
                     envp_id: envelope.id,
                     crypto_level: desiredCryptoLevel,
                     destination: envelope.to ? String(envelope.to) : undefined,
@@ -15485,7 +15421,7 @@ class EnvelopeSecurityHandler {
             else {
                 desiredCryptoLevel =
                     await this.securityPolicy.decideOutboundCryptoLevel(envelope, context, this.node);
-                logger$$.debug('outbound_crypto_level_decided', {
+                logger$10.debug('outbound_crypto_level_decided', {
                     envp_id: envelope.id,
                     frame_type: envelope.frame.type,
                     crypto_level: desiredCryptoLevel,
@@ -15493,11 +15429,11 @@ class EnvelopeSecurityHandler {
                 });
             }
             if (desiredCryptoLevel === CryptoLevel.SEALED) {
-                logger$$.debug('applying_sealed_encryption', { envp_id: envelope.id });
+                logger$10.debug('applying_sealed_encryption', { envp_id: envelope.id });
                 return await this.handleSealedEncryption(envelope, context);
             }
             if (desiredCryptoLevel === CryptoLevel.CHANNEL) {
-                logger$$.debug('applying_channel_encryption', { envp_id: envelope.id });
+                logger$10.debug('applying_channel_encryption', { envp_id: envelope.id });
                 return await this.handleChannelEncryption(envelope, context);
             }
         }
@@ -15548,7 +15484,7 @@ class EnvelopeSecurityHandler {
                 frameType === 'KeyAnnounce' ||
                 frameType === 'SecureOpen' ||
                 frameType === 'SecureAccept') {
-                logger$$.error('critical_frame_unsigned_rejected', {
+                logger$10.error('critical_frame_unsigned_rejected', {
                     envp_id: envelope.id,
                     frame_type: frameType,
                     reason: 'critical_frames_must_be_signed',
@@ -15556,7 +15492,7 @@ class EnvelopeSecurityHandler {
                 return [envelope, false];
             }
             const action = this.securityPolicy.getUnsignedViolationAction(envelope, context);
-            logger$$.warning('unsigned_envelope_violation', {
+            logger$10.warning('unsigned_envelope_violation', {
                 envp_id: envelope.id,
                 frame_type: frameType,
                 action,
@@ -15568,26 +15504,26 @@ class EnvelopeSecurityHandler {
         return [envelope, true];
     }
     async handleChannelHandshakeComplete(channelId, destination) {
-        logger$$.debug('channel_handshake_completed', {
+        logger$10.debug('channel_handshake_completed', {
             channel_id: channelId,
             destination,
         });
         if (this.encryptionManager?.notifyChannelEstablished) {
             await this.encryptionManager.notifyChannelEstablished(channelId);
-            logger$$.debug('notified_encryption_manager_channel_ready', {
+            logger$10.debug('notified_encryption_manager_channel_ready', {
                 channel_id: channelId,
             });
         }
     }
     async handleChannelHandshakeFailed(channelId, destination, reason = 'handshake_failed') {
-        logger$$.debug('channel_handshake_failed', {
+        logger$10.debug('channel_handshake_failed', {
             channel_id: channelId,
             destination,
             reason,
         });
         if (this.encryptionManager?.notifyChannelFailed) {
             await this.encryptionManager.notifyChannelFailed(channelId, reason);
-            logger$$.debug('notified_encryption_manager_channel_failed', {
+            logger$10.debug('notified_encryption_manager_channel_failed', {
                 channel_id: channelId,
                 reason,
             });
@@ -15634,7 +15570,7 @@ class EnvelopeSecurityHandler {
                 checkPayload: false,
             });
             if (verified) {
-                logger$$.debug('envelope_verified', {
+                logger$10.debug('envelope_verified', {
                     envp_id: envelope.id,
                     sid: envelope.sid,
                     kid,
@@ -15645,7 +15581,7 @@ class EnvelopeSecurityHandler {
         }
         this.keyManagementHandler.queuePendingSignedEnvelope(kid, envelope, context);
         await this.keyManagementHandler.maybeRequestSigningKey(kid, context.originType, fromSystemId);
-        logger$$.debug('queued_envelope_missing_signing_key', {
+        logger$10.debug('queued_envelope_missing_signing_key', {
             kid,
             envp_id: envelope.id,
         });
@@ -15653,7 +15589,7 @@ class EnvelopeSecurityHandler {
     }
     async handleSealedEncryption(envelope, context) {
         if (!envelope.to) {
-            logger$$.warning('sealed_encryption_requested_but_no_destination', {
+            logger$10.warning('sealed_encryption_requested_but_no_destination', {
                 envp_id: envelope.id,
             });
             return true;
@@ -15665,20 +15601,20 @@ class EnvelopeSecurityHandler {
                 : undefined;
             if (options) {
                 if (options.encryptionType === 'channel') {
-                    logger$$.warning('policy_returned_channel_for_sealed_request', {
+                    logger$10.warning('policy_returned_channel_for_sealed_request', {
                         envp_id: envelope.id,
                     });
                     return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, normalizeEncryptionOptions({
                         requestAddress: envelope.to,
                     }));
                 }
-                logger$$.debug('using_sealed_encryption_options', {
+                logger$10.debug('using_sealed_encryption_options', {
                     envp_id: envelope.id,
                     options,
                 });
                 return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, options);
             }
-            logger$$.debug('no_encryption_options_requesting_key', {
+            logger$10.debug('no_encryption_options_requesting_key', {
                 envp_id: envelope.id,
             });
             return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, normalizeEncryptionOptions({
@@ -15686,7 +15622,7 @@ class EnvelopeSecurityHandler {
             }));
         }
         catch (error) {
-            logger$$.debug('sealed_key_lookup_failed_requesting', {
+            logger$10.debug('sealed_key_lookup_failed_requesting', {
                 envp_id: envelope.id,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -15697,7 +15633,7 @@ class EnvelopeSecurityHandler {
     }
     async handleChannelEncryption(envelope, context) {
         if (!envelope.to) {
-            logger$$.warning('channel_encryption_requested_but_no_destination', {
+            logger$10.warning('channel_encryption_requested_but_no_destination', {
                 envp_id: envelope.id,
             });
             return true;
@@ -15712,13 +15648,13 @@ class EnvelopeSecurityHandler {
             return true;
         }
         if (context.originType !== DeliveryOriginType.LOCAL) {
-            logger$$.warning('envelope_encryption_rejected_non_local', {
+            logger$10.warning('envelope_encryption_rejected_non_local', {
                 origin: context.originType,
             });
             return true;
         }
         if (!isDataFrame$4(envelope.frame)) {
-            logger$$.trace('skipping_encryption_non_dataframe', {
+            logger$10.trace('skipping_encryption_non_dataframe', {
                 envp_id: envelope.id,
                 frame_type: envelope.frame.type,
             });
@@ -15729,7 +15665,7 @@ class EnvelopeSecurityHandler {
             ? normalizeEncryptionOptions(rawOptions)
             : undefined;
         if (!options) {
-            logger$$.warning('no_encryption_options_provided', {
+            logger$10.warning('no_encryption_options_provided', {
                 envp_id: envelope.id,
             });
             return true;
@@ -15741,13 +15677,13 @@ class EnvelopeSecurityHandler {
             return true;
         }
         if (context.originType !== DeliveryOriginType.LOCAL) {
-            logger$$.warning('envelope_encryption_rejected_non_local', {
+            logger$10.warning('envelope_encryption_rejected_non_local', {
                 origin: context.originType,
             });
             return true;
         }
         if (!isDataFrame$4(envelope.frame)) {
-            logger$$.trace('skipping_encryption_non_dataframe', {
+            logger$10.trace('skipping_encryption_non_dataframe', {
                 envp_id: envelope.id,
                 frame_type: envelope.frame.type,
             });
@@ -15764,7 +15700,7 @@ class EnvelopeSecurityHandler {
         // Skip encryption if envelope is already encrypted
         // This prevents re-queuing when replayed envelopes go through security again
         if (envelope.sec?.enc) {
-            logger$$.debug('skipping_encryption_already_encrypted', {
+            logger$10.debug('skipping_encryption_already_encrypted', {
                 envp_id: envelope.id,
                 destination: envelope.to ? String(envelope.to) : undefined,
             });
@@ -15773,14 +15709,14 @@ class EnvelopeSecurityHandler {
         try {
             const result = await this.encryptionManager.encryptEnvelope(envelope, normalizedOptions);
             if (result.status === EncryptionStatus.QUEUED) {
-                logger$$.debug('envelope_queued_for_encryption', {
+                logger$10.debug('envelope_queued_for_encryption', {
                     envp_id: envelope.id,
                 });
                 await this.handleEncryptionQueueing(envelope, context, normalizedOptions);
                 return false;
             }
             if (result.status === EncryptionStatus.OK) {
-                logger$$.debug('envelope_encrypted', { envp_id: envelope.id });
+                logger$10.debug('envelope_encrypted', { envp_id: envelope.id });
                 if (result.envelope) {
                     envelope.frame = result.envelope.frame;
                     envelope.sec = result.envelope.sec;
@@ -15788,17 +15724,17 @@ class EnvelopeSecurityHandler {
                 return true;
             }
             if (result.status === EncryptionStatus.SKIPPED) {
-                logger$$.debug('envelope_encryption_skipped', { envp_id: envelope.id });
+                logger$10.debug('envelope_encryption_skipped', { envp_id: envelope.id });
                 return true;
             }
-            logger$$.warning('unknown_encryption_status', {
+            logger$10.warning('unknown_encryption_status', {
                 envp_id: envelope.id,
                 status: result.status,
             });
             return true;
         }
         catch (error) {
-            logger$$.error('encryption_failed', {
+            logger$10.error('encryption_failed', {
                 envp_id: envelope.id,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -15837,7 +15773,7 @@ class EnvelopeSecurityHandler {
             return;
         }
         if (normalizedOptions.encryptionType === 'channel') {
-            logger$$.debug('channel_encryption_queueing_handled_internally', {
+            logger$10.debug('channel_encryption_queueing_handled_internally', {
                 envp_id: envelope.id,
                 destination: normalizedOptions.destination
                     ? String(normalizedOptions.destination)
@@ -15845,13 +15781,13 @@ class EnvelopeSecurityHandler {
             });
             return;
         }
-        logger$$.warning('unknown_encryption_queueing_options', {
+        logger$10.warning('unknown_encryption_queueing_options', {
             envp_id: envelope.id,
             options: normalizedOptions,
         });
     }
     async handleFailedChannelEnvelopeCleanup(destination, reason) {
-        logger$$.debug('channel_handshake_failure_cleanup_attempted', {
+        logger$10.debug('channel_handshake_failure_cleanup_attempted', {
             destination,
             reason,
             note: 'envelope_cleanup_handled_by_encryption_manager',
@@ -15862,7 +15798,7 @@ class EnvelopeSecurityHandler {
     }
 }
 
-const logger$_ = getLogger('naylence.fame.node.secure_channel_frame_handler');
+const logger$$ = getLogger('naylence.fame.node.secure_channel_frame_handler');
 function isPlainRecord$1(value) {
     if (typeof value !== 'object' || value === null) {
         return false;
@@ -15952,7 +15888,7 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureOpen');
-        logger$_.debug('received_secure_open', {
+        logger$$.debug('received_secure_open', {
             cid: frame.cid,
             algorithm: frame.alg,
         });
@@ -15975,13 +15911,13 @@ class SecureChannelFrameHandler {
                 stickySid: envelope.sid ?? undefined,
                 expectedResponseType: FameResponseType.NONE,
             };
-            logger$_.debug('stickiness_requested_for_channel_encryption', {
+            logger$$.debug('stickiness_requested_for_channel_encryption', {
                 cid: frame.cid,
                 reason: 'secure_channel_established',
             });
         }
         await this.sendCallback(responseEnvelope, responseContext);
-        logger$_.debug('sent_secure_accept', { cid: frame.cid, ok: acceptFrame.ok });
+        logger$$.debug('sent_secure_accept', { cid: frame.cid, ok: acceptFrame.ok });
         if (acceptFrame.ok && this.envelopeSecurityHandler) {
             const destination = extractDestinationFromChannelId(frame.cid);
             if (destination) {
@@ -15993,13 +15929,13 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureAccept');
-        logger$_.debug('received_secure_accept', { cid: frame.cid, ok: frame.ok });
+        logger$$.debug('received_secure_accept', { cid: frame.cid, ok: frame.ok });
         const success = await this.secureChannelManager.handleAcceptFrame(frame);
         if (!success) {
-            logger$_.warning('failed_to_complete_channel', { cid: frame.cid });
+            logger$$.warning('failed_to_complete_channel', { cid: frame.cid });
         }
         else {
-            logger$_.debug('channel_established', { cid: frame.cid });
+            logger$$.debug('channel_established', { cid: frame.cid });
             if (this.envelopeSecurityHandler) {
                 const destination = extractDestinationFromChannelId(frame.cid);
                 if (destination) {
@@ -16011,7 +15947,7 @@ class SecureChannelFrameHandler {
             const destination = extractDestinationFromChannelId(frame.cid);
             if (destination) {
                 await this.envelopeSecurityHandler.handleChannelHandshakeFailed(frame.cid, destination, 'negative_secure_accept');
-                logger$_.debug('notified_handshake_failure', {
+                logger$$.debug('notified_handshake_failure', {
                     cid: frame.cid,
                     destination,
                 });
@@ -16022,7 +15958,7 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureClose');
-        logger$_.debug('received_secure_close', {
+        logger$$.debug('received_secure_close', {
             cid: frame.cid,
             reason: frame.reason,
         });
@@ -16080,7 +16016,7 @@ function createNodeDeliveryContext(options = {}) {
 class FameEnvironmentContext {
 }
 
-const FACTORY_META$1a = {
+const FACTORY_META$1b = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'DefaultNodeIdentityPolicy',
 };
@@ -16098,11 +16034,48 @@ class DefaultNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
 var defaultNodeIdentityPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     DefaultNodeIdentityPolicyFactory: DefaultNodeIdentityPolicyFactory,
-    FACTORY_META: FACTORY_META$1a,
+    FACTORY_META: FACTORY_META$1b,
     default: DefaultNodeIdentityPolicyFactory
 });
 
-const logger$Z = getLogger('naylence.fame.node.token_subject_node_identity_policy');
+const TOKEN_PROVIDER_FACTORY_BASE_TYPE = 'TokenProviderFactory';
+class TokenProviderFactory extends AbstractResourceFactory {
+    static async createTokenProvider(config, options = {}) {
+        if (config) {
+            const provider = await createResource$1(TOKEN_PROVIDER_FACTORY_BASE_TYPE, config, options);
+            if (!provider) {
+                throw new Error('Failed to create token provider from configuration');
+            }
+            return provider;
+        }
+        let provider = null;
+        try {
+            provider = await createDefaultResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, null, options);
+        }
+        catch (error) {
+            const message = 'Failed to create default token provider' +
+                (error instanceof Error && error.message ? `: ${error.message}` : '');
+            throw new Error(message);
+        }
+        if (!provider) {
+            throw new Error('Failed to create default token provider');
+        }
+        return provider;
+    }
+}
+
+function isTokenProvider(candidate) {
+    return (typeof candidate === 'object' &&
+        candidate !== null &&
+        typeof candidate.getToken === 'function');
+}
+function isIdentityExposingTokenProvider(candidate) {
+    return (isTokenProvider(candidate) &&
+        typeof candidate.getIdentity ===
+            'function');
+}
+
+const logger$_ = getLogger('naylence.fame.node.token_subject_node_identity_policy');
 class TokenSubjectNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -16114,7 +16087,7 @@ class TokenSubjectNodeIdentityPolicy {
         return generateIdAsync();
     }
     async resolveAdmissionNodeId(context) {
-        logger$Z.debug('resolve_admission_node_id_start', {
+        logger$_.debug('resolve_admission_node_id_start', {
             grantsCount: context.grants?.length ?? 0,
             currentNodeId: context.currentNodeId,
         });
@@ -16123,31 +16096,31 @@ class TokenSubjectNodeIdentityPolicy {
                 try {
                     const auth = grant.auth;
                     if (!auth) {
-                        logger$Z.debug('skipping_grant_no_auth', { grantType: grant.type });
+                        logger$_.debug('skipping_grant_no_auth', { grantType: grant.type });
                         continue;
                     }
                     const tokenProviderConfig = (auth.tokenProvider ??
                         auth.token_provider);
                     if (!tokenProviderConfig ||
                         typeof tokenProviderConfig.type !== 'string') {
-                        logger$Z.debug('skipping_grant_invalid_token_provider_config', {
+                        logger$_.debug('skipping_grant_invalid_token_provider_config', {
                             grantType: grant.type,
                             config: tokenProviderConfig,
                         });
                         continue;
                     }
-                    logger$Z.debug('creating_token_provider', {
+                    logger$_.debug('creating_token_provider', {
                         type: tokenProviderConfig.type,
                     });
                     const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
                     const isExposing = isIdentityExposingTokenProvider(provider);
-                    logger$Z.debug('token_provider_created', {
+                    logger$_.debug('token_provider_created', {
                         type: tokenProviderConfig.type,
                         isIdentityExposing: isExposing,
                     });
                     if (isExposing) {
                         const identity = await provider.getIdentity();
-                        logger$Z.debug('retrieved_identity', { identity });
+                        logger$_.debug('retrieved_identity', { identity });
                         if (identity && identity.subject) {
                             const hashedSubject = await generateIdAsync({
                                 mode: 'fingerprint',
@@ -16155,7 +16128,7 @@ class TokenSubjectNodeIdentityPolicy {
                                 length: 8,
                             });
                             const newNodeId = `${hashedSubject}-${context.currentNodeId}`;
-                            logger$Z.info('resolved_identity_from_token', {
+                            logger$_.info('resolved_identity_from_token', {
                                 subject: identity.subject,
                                 hashedSubject,
                                 newNodeId,
@@ -16163,17 +16136,17 @@ class TokenSubjectNodeIdentityPolicy {
                             return newNodeId;
                         }
                         else {
-                            logger$Z.debug('identity_missing_subject', { identity });
+                            logger$_.debug('identity_missing_subject', { identity });
                         }
                     }
                 }
                 catch (err) {
-                    logger$Z.warning('failed_to_extract_identity_from_grant', { error: err });
+                    logger$_.warning('failed_to_extract_identity_from_grant', { error: err });
                 }
             }
         }
         else {
-            logger$Z.debug('no_grants_available');
+            logger$_.debug('no_grants_available');
         }
         return context.currentNodeId;
     }
@@ -16184,7 +16157,7 @@ var tokenSubjectNodeIdentityPolicy = /*#__PURE__*/Object.freeze({
     TokenSubjectNodeIdentityPolicy: TokenSubjectNodeIdentityPolicy
 });
 
-const FACTORY_META$19 = {
+const FACTORY_META$1a = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'TokenSubjectNodeIdentityPolicy',
 };
@@ -16203,27 +16176,27 @@ class TokenSubjectNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
 
 var tokenSubjectNodeIdentityPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$19,
+    FACTORY_META: FACTORY_META$1a,
     TokenSubjectNodeIdentityPolicyFactory: TokenSubjectNodeIdentityPolicyFactory,
     default: TokenSubjectNodeIdentityPolicyFactory
 });
 
-const logger$Y = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
-const PROFILE_NAME_DEFAULT = 'default';
+const logger$Z = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
+const PROFILE_NAME_DEFAULT$1 = 'default';
 const PROFILE_NAME_TOKEN_SUBJECT = 'token-subject';
 const PROFILE_NAME_TOKEN_SUBJECT_ALIAS = 'token_subject';
-const DEFAULT_PROFILE = {
+const DEFAULT_PROFILE$1 = {
     type: 'DefaultNodeIdentityPolicy',
 };
 const TOKEN_SUBJECT_PROFILE = {
     type: 'TokenSubjectNodeIdentityPolicy',
 };
-const PROFILE_MAP$5 = {
-    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+const PROFILE_MAP$6 = {
+    [PROFILE_NAME_DEFAULT$1]: DEFAULT_PROFILE$1,
     [PROFILE_NAME_TOKEN_SUBJECT]: TOKEN_SUBJECT_PROFILE,
     [PROFILE_NAME_TOKEN_SUBJECT_ALIAS]: TOKEN_SUBJECT_PROFILE,
 };
-const FACTORY_META$18 = {
+const FACTORY_META$19 = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'NodeIdentityPolicyProfile',
 };
@@ -16233,17 +16206,17 @@ class NodeIdentityPolicyProfileFactory extends NodeIdentityPolicyFactory {
         this.type = 'NodeIdentityPolicyProfile';
     }
     async create(config) {
-        const normalized = normalizeConfig$w(config);
-        const profileConfig = resolveProfileConfig$4(normalized.profile);
-        logger$Y.debug('enabling_node_identity_policy_profile', {
+        const normalized = normalizeConfig$x(config);
+        const profileConfig = resolveProfileConfig$5(normalized.profile);
+        logger$Z.debug('enabling_node_identity_policy_profile', {
             profile: normalized.profile,
         });
         return NodeIdentityPolicyFactory.createNodeIdentityPolicy(profileConfig);
     }
 }
-function normalizeConfig$w(config) {
+function normalizeConfig$x(config) {
     if (!config) {
-        return { profile: PROFILE_NAME_DEFAULT };
+        return { profile: PROFILE_NAME_DEFAULT$1 };
     }
     const candidate = config;
     const profileValue = typeof candidate.profile === 'string' && candidate.profile.trim().length > 0
@@ -16254,24 +16227,24 @@ function normalizeConfig$w(config) {
             : typeof candidate.profileName === 'string' &&
                 candidate.profileName.trim().length > 0
                 ? candidate.profileName
-                : PROFILE_NAME_DEFAULT;
+                : PROFILE_NAME_DEFAULT$1;
     const normalizedProfile = profileValue.trim().toLowerCase();
     return { profile: normalizedProfile };
 }
-function resolveProfileConfig$4(profileName) {
-    const profile = PROFILE_MAP$5[profileName];
+function resolveProfileConfig$5(profileName) {
+    const profile = PROFILE_MAP$6[profileName];
     if (!profile) {
         throw new Error(`Unknown node identity policy profile: ${profileName}`);
     }
-    return deepClone$4(profile);
+    return deepClone$5(profile);
 }
-function deepClone$4(value) {
+function deepClone$5(value) {
     return JSON.parse(JSON.stringify(value));
 }
 
 var nodeIdentityPolicyProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$18,
+    FACTORY_META: FACTORY_META$19,
     NodeIdentityPolicyProfileFactory: NodeIdentityPolicyProfileFactory,
     default: NodeIdentityPolicyProfileFactory
 });
@@ -16324,8 +16297,8 @@ class DefaultConnectionRetryPolicy {
     }
 }
 
-const logger$X = getLogger('naylence.fame.node.default-connection-retry-policy-factory');
-const FACTORY_META$17 = {
+const logger$Y = getLogger('naylence.fame.node.default-connection-retry-policy-factory');
+const FACTORY_META$18 = {
     base: CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE,
     key: 'DefaultConnectionRetryPolicy',
 };
@@ -16346,7 +16319,7 @@ class DefaultConnectionRetryPolicyFactory extends ConnectionRetryPolicyFactory {
             }
         }
         const policy = new DefaultConnectionRetryPolicy(options);
-        logger$X.debug('connection_retry_policy_created', {
+        logger$Y.debug('connection_retry_policy_created', {
             maxInitialAttempts: policy.maxInitialAttempts,
         });
         return policy;
@@ -16356,7 +16329,7 @@ class DefaultConnectionRetryPolicyFactory extends ConnectionRetryPolicyFactory {
 var defaultConnectionRetryPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     DefaultConnectionRetryPolicyFactory: DefaultConnectionRetryPolicyFactory,
-    FACTORY_META: FACTORY_META$17,
+    FACTORY_META: FACTORY_META$18,
     default: DefaultConnectionRetryPolicyFactory
 });
 
@@ -16371,7 +16344,7 @@ class LoadBalancerStickinessManagerFactory extends AbstractResourceFactory {
     }
 }
 
-const logger$W = getLogger('naylence.fame.sentinel.load_balancing.composite_load_balancing_strategy');
+const logger$X = getLogger('naylence.fame.sentinel.load_balancing.composite_load_balancing_strategy');
 class CompositeLoadBalancingStrategy {
     constructor(strategies) {
         if (!strategies.length) {
@@ -16388,7 +16361,7 @@ class CompositeLoadBalancingStrategy {
             try {
                 const result = strategy.choose(poolKey, segments, envelope);
                 if (result !== null) {
-                    logger$W.debug('composite_strategy_success', {
+                    logger$X.debug('composite_strategy_success', {
                         envelopeId: envelope.id,
                         poolKey,
                         strategyIndex: index,
@@ -16399,7 +16372,7 @@ class CompositeLoadBalancingStrategy {
                 }
             }
             catch (error) {
-                logger$W.warning('composite_strategy_error', {
+                logger$X.warning('composite_strategy_error', {
                     envelopeId: envelope.id,
                     poolKey,
                     strategyIndex: index,
@@ -16408,7 +16381,7 @@ class CompositeLoadBalancingStrategy {
                 });
             }
         }
-        logger$W.debug('composite_strategy_all_failed', {
+        logger$X.debug('composite_strategy_all_failed', {
             envelopeId: envelope.id,
             poolKey,
             strategyCount: this.strategies.length,
@@ -16417,7 +16390,7 @@ class CompositeLoadBalancingStrategy {
     }
 }
 
-const logger$V = getLogger('naylence.fame.sentinel.load_balancing.sticky_load_balancing_strategy');
+const logger$W = getLogger('naylence.fame.sentinel.load_balancing.sticky_load_balancing_strategy');
 class StickyLoadBalancingStrategy {
     constructor(stickinessManager) {
         this.lastChosenReplica = null;
@@ -16432,7 +16405,7 @@ class StickyLoadBalancingStrategy {
         }
         const stickyReplica = this.stickinessManager.getStickyReplicaSegment(envelope, segments);
         if (stickyReplica && segments.includes(stickyReplica)) {
-            logger$V.debug('routing_via_stickiness', {
+            logger$W.debug('routing_via_stickiness', {
                 envelopeId: envelope.id,
                 poolKey,
                 replicaId: stickyReplica,
@@ -16442,7 +16415,7 @@ class StickyLoadBalancingStrategy {
             this.lastChosenReplica = stickyReplica;
             return stickyReplica;
         }
-        logger$V.debug('no_stickiness_match_fallback', {
+        logger$W.debug('no_stickiness_match_fallback', {
             envelopeId: envelope.id,
             poolKey,
             aftPresent: Boolean(envelope.aft),
@@ -16530,7 +16503,7 @@ class RouteStoreFactory extends AbstractResourceFactory {
         return store ?? null;
     }
 }
-const FACTORY_META$16 = {
+const FACTORY_META$17 = {
     base: ROUTE_STORE_FACTORY_BASE_TYPE,
     key: 'InMemoryRouteStore',
 };
@@ -16548,7 +16521,7 @@ class InMemoryRouteStoreFactory extends RouteStoreFactory {
 
 var routeStoreFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$16,
+    FACTORY_META: FACTORY_META$17,
     InMemoryRouteStoreFactory: InMemoryRouteStoreFactory,
     ROUTE_STORE_FACTORY_BASE_TYPE: ROUTE_STORE_FACTORY_BASE_TYPE,
     RouteStoreFactory: RouteStoreFactory,
@@ -16780,7 +16753,7 @@ function resolveRecordArray(primary, secondary) {
     return pickRecordArray(candidate) ?? undefined;
 }
 
-const logger$U = getLogger('naylence.fame.sentinel.route_manager');
+const logger$V = getLogger('naylence.fame.sentinel.route_manager');
 const DEFAULT_CONNECTOR_CLEANUP_DELAY_MS$1 = 200;
 function normalizeRouteManagerOptions(options) {
     const { route_store, get_id, cleanup_delay_ms, retain_address_bindings_on_disconnect, ...rest } = options;
@@ -16864,7 +16837,7 @@ class RouteManager extends TaskSpawner {
                 await this.safeStop(entry.connector);
             }
             catch (error) {
-                logger$U.debug('pending_route_stop_failed', {
+                logger$V.debug('pending_route_stop_failed', {
                     error: error instanceof Error ? error.message : String(error),
                 });
             }
@@ -16887,7 +16860,7 @@ class RouteManager extends TaskSpawner {
             this.cancelPendingCleanup(segment);
             this.downstreamRoutes.set(segment, route);
         });
-        logger$U.debug('registered_downstream_route', { route: segment });
+        logger$V.debug('registered_downstream_route', { route: segment });
     }
     async unregisterDownstreamRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -16903,7 +16876,7 @@ class RouteManager extends TaskSpawner {
             this.cancelPendingCleanup(segment);
             this._peer_routes.set(segment, route);
         });
-        logger$U.debug('registered_peer_route', { route: segment });
+        logger$V.debug('registered_peer_route', { route: segment });
     }
     async unregisterPeerRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -16921,11 +16894,11 @@ class RouteManager extends TaskSpawner {
         await Promise.all(entryTuples.map(async ([segment, entry]) => {
             const normalized = this.normalizeEntry(entry);
             if (!normalized.connectorConfig) {
-                logger$U.warning('route_restore_missing_config', { segment });
+                logger$V.warning('route_restore_missing_config', { segment });
                 return;
             }
             if (normalized.attachExpiresAt && normalized.attachExpiresAt < now) {
-                logger$U.debug('skipping_expired_route', { segment });
+                logger$V.debug('skipping_expired_route', { segment });
                 return;
             }
             const authorization = this.parseAuthorization(normalized.metadata);
@@ -16958,7 +16931,7 @@ class RouteManager extends TaskSpawner {
                 }
                 catch (error) {
                     if (this.isTransientError(error)) {
-                        logger$U.warning('transient_restore_failure', {
+                        logger$V.warning('transient_restore_failure', {
                             segment,
                             attempt,
                             error: error instanceof Error ? error.message : String(error),
@@ -16967,7 +16940,7 @@ class RouteManager extends TaskSpawner {
                         backoff *= 2;
                         continue;
                     }
-                    logger$U.error('failed_to_restore_route', {
+                    logger$V.error('failed_to_restore_route', {
                         segment,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -16996,13 +16969,13 @@ class RouteManager extends TaskSpawner {
         await this._downstream_route_store
             .delete(segment)
             .catch((error) => {
-            logger$U.warning('route_expiration_delete_failed', {
+            logger$V.warning('route_expiration_delete_failed', {
                 segment,
                 error: error instanceof Error ? error.message : String(error),
             });
         });
         this.purgeRouteReferences(segment);
-        logger$U.debug('expired_route', { route: segment });
+        logger$V.debug('expired_route', { route: segment });
     }
     async removeDownstreamRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -17060,7 +17033,7 @@ class RouteManager extends TaskSpawner {
             this.purgeRouteReferences(segment);
         }
         await store.delete(segment).catch((error) => {
-            logger$U.warning('route_delete_failed', {
+            logger$V.warning('route_delete_failed', {
                 segment,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -17079,7 +17052,7 @@ class RouteManager extends TaskSpawner {
             caller_stack: captureStack ? captureCallerStack() : undefined,
             retained_addresses: retainAddresses,
         };
-        logger$U.debug('removed_route', removalMeta);
+        logger$V.debug('removed_route', removalMeta);
     }
     purgeRouteReferences(segment) {
         for (const [address, info] of this._downstream_addresses_routes.entries()) {
@@ -17134,10 +17107,10 @@ class RouteManager extends TaskSpawner {
             }
             catch (error) {
                 if (combined.signal.aborted) {
-                    logger$U.debug('connector_cleanup_cancelled', { segment });
+                    logger$V.debug('connector_cleanup_cancelled', { segment });
                 }
                 else {
-                    logger$U.debug('connector_cleanup_delay_failed', {
+                    logger$V.debug('connector_cleanup_delay_failed', {
                         segment,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -17160,7 +17133,7 @@ class RouteManager extends TaskSpawner {
         }
         catch (error) {
             if (error instanceof Error) {
-                logger$U.debug('connector_stop_ignored', { error: error.message });
+                logger$V.debug('connector_stop_ignored', { error: error.message });
             }
         }
         for (const [flowId, peer] of this.flowRoutes.entries()) {
@@ -17185,12 +17158,12 @@ class RouteManager extends TaskSpawner {
             }
         }
         catch (error) {
-            logger$U.error('janitor_loop_error', {
+            logger$V.error('janitor_loop_error', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
         finally {
-            logger$U.debug('janitor_loop_exited');
+            logger$V.debug('janitor_loop_exited');
         }
     }
     async scanStoreForExpirations(store, now, kind) {
@@ -17210,13 +17183,13 @@ class RouteManager extends TaskSpawner {
                 }
             });
             await store.delete(segment).catch((error) => {
-                logger$U.warning('route_auto_expire_delete_failed', {
+                logger$V.warning('route_auto_expire_delete_failed', {
                     segment,
                     error: error instanceof Error ? error.message : String(error),
                 });
             });
             this.purgeRouteReferences(segment);
-            logger$U.debug('auto_expired_route', { segment });
+            logger$V.debug('auto_expired_route', { segment });
         }));
     }
     parseAuthorization(metadata) {
@@ -17239,7 +17212,7 @@ class RouteManager extends TaskSpawner {
             return { ...base, ...extraFields };
         }
         catch (error) {
-            logger$U.error('corrupt_route_metadata', {
+            logger$V.error('corrupt_route_metadata', {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
@@ -17315,12 +17288,12 @@ function captureCallerStack(skip = 3, depth = 6) {
     return frames.map((frame) => frame.trim()).join(' | ');
 }
 
-const logger$T = getLogger('naylence.fame.sentinel.router');
+const logger$U = getLogger('naylence.fame.sentinel.router');
 const ZERO_EPH_PUB_BASE64 = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';
 class Drop {
     async execute(envelope, router, state, context) {
         await emitDeliveryNack(envelope, router, state, 'NO_ROUTE', context ?? undefined);
-        logger$T.debug('dropped_envelope', Object.assign(summarizeEnvelope(envelope, ''), {
+        logger$U.debug('dropped_envelope', Object.assign(summarizeEnvelope(envelope, ''), {
             localAddresses: Array.from(state.local.values()),
             downstreamRoutes: Array.from(state.downstreamAddressRoutes.entries()),
             peerRoutes: Array.from(state.peerAddressRoutes.entries()),
@@ -17350,7 +17323,7 @@ class ForwardChild {
         }
         catch (error) {
             if (error instanceof FameTransportClose) {
-                logger$T.error('transport_closed_forward_child', {
+                logger$U.error('transport_closed_forward_child', {
                     segment: this.segment,
                     error: error.message,
                 });
@@ -17382,7 +17355,7 @@ class ForwardPeer {
         }
         catch (error) {
             if (error instanceof FameTransportClose) {
-                logger$T.error('transport_closed_forward_peer', {
+                logger$U.error('transport_closed_forward_peer', {
                     segment: this.segment,
                     error: error.message,
                 });
@@ -17417,7 +17390,7 @@ class Deny {
     async execute(envelope, router, state, context) {
         const { internalReason, deniedAction, matchedRule, context: extraContext, disclosure = 'opaque', } = this.options;
         // Log detailed denial internally
-        logger$T.warning('route_authorization_denied', {
+        logger$U.warning('route_authorization_denied', {
             envp_id: envelope.id,
             frame_type: envelope.frame?.type ?? null,
             to: envelope.to?.toString() ?? null,
@@ -17463,7 +17436,7 @@ function mapRoutingActionToAuthorizationAction(action) {
         return null;
     }
     // Unknown RoutingAction: return null, caller should deny by default
-    logger$T.warning('unknown_routing_action_for_authorization', {
+    logger$U.warning('unknown_routing_action_for_authorization', {
         action_type: action?.constructor?.name ?? 'unknown',
     });
     return null;
@@ -17496,7 +17469,7 @@ async function emitDeliveryNack(envelope, routingNode, state, code, context) {
         return;
     }
     if (!state.envelopeFactory) {
-        logger$T.warning('router_missing_envelope_factory', summarizeEnvelope(envelope));
+        logger$U.warning('router_missing_envelope_factory', summarizeEnvelope(envelope));
         return;
     }
     const nackFrame = createNackFrame(envelope, code);
@@ -17527,7 +17500,7 @@ async function emitDeliveryNack(envelope, routingNode, state, code, context) {
         }
     }
     catch (error) {
-        logger$T.warning('nack_forward_failed', {
+        logger$U.warning('nack_forward_failed', {
             error: error instanceof Error ? error.message : String(error),
             ...summarizeEnvelope(envelope),
         });
@@ -17733,7 +17706,7 @@ class HRWLoadBalancingStrategy {
     }
 }
 
-const logger$S = getLogger('naylence.fame.sentinel.capability_aware_routing_policy');
+const logger$T = getLogger('naylence.fame.sentinel.capability_aware_routing_policy');
 function normalizeOptions$i(options) {
     if (!options || typeof options !== 'object') {
         return {};
@@ -17785,7 +17758,7 @@ class CapabilityAwareRoutingPolicy {
             if (chosenSegment) {
                 return new ForwardChild(chosenSegment);
             }
-            logger$S.warning('capability_policy_lb_failed', {
+            logger$T.warning('capability_policy_lb_failed', {
                 segments: providerSegments,
                 capabilities,
                 ...summarizeEnvelope(envelope),
@@ -17814,7 +17787,7 @@ class CapabilityAwareRoutingPolicy {
             }
         }
         catch (error) {
-            logger$S.warning('capability_policy_resolve_failed', {
+            logger$T.warning('capability_policy_resolve_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -18051,7 +18024,7 @@ function toFameAddress(address) {
     return address instanceof FameAddress ? address : new FameAddress(address);
 }
 
-const logger$R = getLogger('naylence.fame.sentinel.node_attach_frame_handler');
+const logger$S = getLogger('naylence.fame.sentinel.node_attach_frame_handler');
 const DOWNSTREAM_ORIGINS = new Set([
     DeliveryOriginType.DOWNSTREAM,
     DeliveryOriginType.PEER,
@@ -18144,7 +18117,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
         this.maxTtlSec = options.maxTtlSec ?? null;
     }
     async acceptNodeAttach(envelope, context) {
-        logger$R.debug('handling_node_attach_request');
+        logger$S.debug('handling_node_attach_request');
         const normalizedContext = this.normalizeContext(context);
         const frame = this.normalizeNodeAttachFrame(envelope.frame);
         if (frame.type !== 'NodeAttach') {
@@ -18189,14 +18162,14 @@ class NodeAttachFrameHandler extends TaskSpawner {
         let isRebind = false;
         if (frame.originType === DeliveryOriginType.DOWNSTREAM) {
             const hasExistingRoute = this.routeManager.downstreamRoutes.has(attachedSystemId);
-            logger$R.debug('checking_for_existing_route', {
+            logger$S.debug('checking_for_existing_route', {
                 system_id: attachedSystemId,
                 has_existing: hasExistingRoute,
                 existing_routes: Array.from(this.routeManager.downstreamRoutes.keys()),
             });
             if (hasExistingRoute) {
                 isRebind = true;
-                logger$R.warning('rebinding_existing_downstream_route', {
+                logger$S.warning('rebinding_existing_downstream_route', {
                     system_id: attachedSystemId,
                 });
                 oldAssignedPath = buildAssignedPath$1(this.routingNode.physicalPath, attachedSystemId);
@@ -18215,7 +18188,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     meta: { systemId: attachedSystemId },
                 })
                     .catch((error) => {
-                    logger$R.warning('failed_to_unregister_downstream_route_before_rebind', {
+                    logger$S.warning('failed_to_unregister_downstream_route_before_rebind', {
                         system_id: attachedSystemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -18232,7 +18205,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                             for (const address of orphanedAddresses) {
                                 encryptionMgr.clearChannelCacheForDestination(address);
                             }
-                            logger$R.debug('cleared_channel_cache_for_rebind', {
+                            logger$S.debug('cleared_channel_cache_for_rebind', {
                                 system_id: attachedSystemId,
                                 addresses: orphanedAddresses,
                             });
@@ -18244,7 +18217,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                                     encryptionMgr.removeChannelsForDestination(address);
                             }
                             if (totalRemoved > 0) {
-                                logger$R.debug('removed_channel_states_for_rebind', {
+                                logger$S.debug('removed_channel_states_for_rebind', {
                                     system_id: attachedSystemId,
                                     channels_removed: totalRemoved,
                                 });
@@ -18252,7 +18225,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                         }
                     }
                     catch (error) {
-                        logger$R.warning('failed_to_cleanup_channels_for_rebind', {
+                        logger$S.warning('failed_to_cleanup_channels_for_rebind', {
                             system_id: attachedSystemId,
                             error: error instanceof Error ? error.message : String(error),
                         });
@@ -18275,7 +18248,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     meta: { systemId: attachedSystemId },
                 })
                     .catch((error) => {
-                    logger$R.warning('failed_to_unregister_peer_route_before_rebind', {
+                    logger$S.warning('failed_to_unregister_peer_route_before_rebind', {
                         system_id: attachedSystemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -18313,7 +18286,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                 ? { stickiness: negotiatedStickiness }
                 : {}),
         });
-        logger$R.debug('sending_node_attach_ack', {
+        logger$S.debug('sending_node_attach_ack', {
             env_id: ackEnvelope.id ?? 'unknown',
         });
         await this.sendAndNotify(connector, ackEnvelope, attachedSystemId, normalizedContext);
@@ -18360,7 +18333,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
             return this.stickinessManager.negotiate(stickiness);
         }
         catch (error) {
-            logger$R.debug('stickiness_negotiate_skipped', {
+            logger$S.debug('stickiness_negotiate_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
@@ -18376,13 +18349,13 @@ class NodeAttachFrameHandler extends TaskSpawner {
         }
         if (!attachExpiresAt || earliestKeyExpiry < attachExpiresAt) {
             if (attachExpiresAt) {
-                logger$R.warning('attachment_ttl_limited_by_key_expiry', {
+                logger$S.warning('attachment_ttl_limited_by_key_expiry', {
                     limited_attach_expires_at: earliestKeyExpiry.toISOString(),
                     original_attach_expires_at: attachExpiresAt.toISOString(),
                 });
             }
             else {
-                logger$R.debug('attachment_ttl_set_by_key_expiry', {
+                logger$S.debug('attachment_ttl_set_by_key_expiry', {
                     attach_expires_at: earliestKeyExpiry.toISOString(),
                     reason: 'no_max_ttl_configured',
                 });
@@ -18393,7 +18366,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
     }
     async validateAttachmentKeys(frame, envelope, connector, context, systemId) {
         if (!this.attachmentKeyValidator) {
-            logger$R.debug('child_key_validation_skipped', {
+            logger$S.debug('child_key_validation_skipped', {
                 child_id: systemId,
                 reason: 'no_validator',
             });
@@ -18409,7 +18382,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                 }
             }
             if (keyInfos.length > 0) {
-                logger$R.debug('node_attach_key_validation_passed', {
+                logger$S.debug('node_attach_key_validation_passed', {
                     system_id: systemId,
                     instance_id: frame.instanceId,
                     correlation_id: envelope.corrId,
@@ -18429,13 +18402,13 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     reason: `Certificate validation failed: ${error.message}`,
                 });
                 await this.sendAndNotify(connector, rejectionAck, systemId, context).catch((sendError) => {
-                    logger$R.error('failed_sending_negative_attach_ack', {
+                    logger$S.error('failed_sending_negative_attach_ack', {
                         error: sendError instanceof Error
                             ? sendError.message
                             : String(sendError),
                     });
                 });
-                logger$R.error('node_attach_key_validation_failed', {
+                logger$S.error('node_attach_key_validation_failed', {
                     system_id: systemId,
                     instance_id: frame.instanceId,
                     correlation_id: envelope.corrId,
@@ -18501,10 +18474,10 @@ class NodeAttachFrameHandler extends TaskSpawner {
         try {
             await delay(delaySeconds * 1000);
             await connector.close(1008, 'attach-unauthorized');
-            logger$R.debug('closed_unauthorized_connection');
+            logger$S.debug('closed_unauthorized_connection');
         }
         catch (error) {
-            logger$R.error('failed_to_close_unauthorized_connection', {
+            logger$S.error('failed_to_close_unauthorized_connection', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -18617,7 +18590,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
     }
 }
 
-const logger$Q = getLogger('naylence.fame.sentinel.address_bind_frame_handler');
+const logger$R = getLogger('naylence.fame.sentinel.address_bind_frame_handler');
 const RESERVED_ADDRESS_NAMES = new Set(['__sys__', '__rpc__']);
 function pickManagerField(manager, keys) {
     const record = manager;
@@ -18941,7 +18914,7 @@ class AddressBindFrameHandler {
         if (this.routingNode.forwardToPeers) {
             await this.routingNode.forwardToPeers(envelope, undefined, [sourceSystemId], context);
         }
-        logger$Q.debug('address_bound', {
+        logger$R.debug('address_bound', {
             address: addressStr,
             segment: sourceSystemId,
         });
@@ -19039,7 +19012,7 @@ class AddressBindFrameHandler {
             }
             await this.routingNode.forwardToRoute(sourceSystemId, ackEnvelope, ackContext);
         }
-        logger$Q.debug('address_unbound', {
+        logger$R.debug('address_unbound', {
             address: addressStr,
             segment: sourceSystemId,
         });
@@ -19057,7 +19030,7 @@ class AddressBindFrameHandler {
     }
 }
 
-const logger$P = getLogger('naylence.fame.sentinel.node_heartbeat_frame_handler');
+const logger$Q = getLogger('naylence.fame.sentinel.node_heartbeat_frame_handler');
 function normalizeOptions$h(options) {
     if (!options || typeof options !== 'object') {
         throw new Error('NodeHeartbeatFrameHandler requires a routingNode option');
@@ -19094,7 +19067,7 @@ class NodeHeartbeatFrameHandler {
         if (!frame || frame.type !== 'NodeHeartbeat') {
             throw new Error(`Invalid envelope frame. Expected: NodeHeartbeatFrame, actual: ${frame?.type ?? 'unknown'}`);
         }
-        logger$P.trace('handling_heartbeat', {
+        logger$Q.trace('handling_heartbeat', {
             hb_system_id: frame.systemId ?? 'unknown',
             hb_env_id: envelope.id ?? 'unknown',
             hb_corr_id: envelope.corrId ?? 'unknown',
@@ -19122,7 +19095,7 @@ class NodeHeartbeatFrameHandler {
             ...(envelope.corrId ? { corrId: envelope.corrId } : {}),
             ...(envelope.traceId ? { traceId: envelope.traceId } : {}),
         });
-        logger$P.debug('sending_heartbeat_ack', {
+        logger$Q.debug('sending_heartbeat_ack', {
             hb_ack_env_id: ackEnvelope.id ?? 'unknown',
             hb_ack_corr_id: ackEnvelope.corrId ?? 'unknown',
         });
@@ -19150,7 +19123,7 @@ class NodeHeartbeatFrameHandler {
     }
 }
 
-const logger$O = getLogger('naylence.fame.sentinel.capability_frame_handler');
+const logger$P = getLogger('naylence.fame.sentinel.capability_frame_handler');
 class CapabilityFrameHandler {
     constructor(options) {
         this.capabilityRoutes = new Map();
@@ -19177,7 +19150,7 @@ class CapabilityFrameHandler {
         const segment = this.getSourceSystemId(context);
         const downstreamRoutes = getDownstreamRoutes(this.routeManager);
         if (!segment || !hasRoute(downstreamRoutes, segment)) {
-            logger$O.debug('capability_advertise_unknown_segment', { segment });
+            logger$P.debug('capability_advertise_unknown_segment', { segment });
             return;
         }
         const addressKey = this.normalizeAddress(frame.address);
@@ -19210,7 +19183,7 @@ class CapabilityFrameHandler {
         }
         const segment = this.getSourceSystemId(context);
         if (!segment) {
-            logger$O.debug('capability_withdraw_missing_segment');
+            logger$P.debug('capability_withdraw_missing_segment');
             return;
         }
         const addressKey = this.normalizeAddress(frame.address);
@@ -19264,7 +19237,7 @@ class CapabilityFrameHandler {
     async forwardAckToSegment(segment, ackFrame, originalEnvelope, ackContext) {
         const envelopeFactory = this.routingNode.envelopeFactory;
         if (!envelopeFactory) {
-            logger$O.warning('missing_envelope_factory_for_capability_ack');
+            logger$P.warning('missing_envelope_factory_for_capability_ack');
             return;
         }
         const ackEnvelope = envelopeFactory.createEnvelope({
@@ -19327,7 +19300,7 @@ function getStickySid(context) {
     return typed.stickySid ?? typed.sticky_sid ?? undefined;
 }
 
-const logger$N = getLogger('naylence.fame.sentinel.credit_update_frame_handler');
+const logger$O = getLogger('naylence.fame.sentinel.credit_update_frame_handler');
 function normalizeOptions$g(options) {
     if (!options || typeof options !== 'object') {
         throw new Error('CreditUpdateFrameHandler requires a routeManager option');
@@ -19347,12 +19320,12 @@ class CreditUpdateFrameHandler {
     async acceptCreditUpdate(envelope, context) {
         const flowId = envelope.flowId;
         if (!flowId) {
-            logger$N.warning('credit_update_missing_flow_id');
+            logger$O.warning('credit_update_missing_flow_id');
             return;
         }
         const targetConnector = this.routeManager.getFlowRoute(flowId);
         if (!targetConnector) {
-            logger$N.warning('credit_update_unknown_flow', { flowId });
+            logger$O.warning('credit_update_unknown_flow', { flowId });
             return;
         }
         if (context?.fromConnector && context.fromConnector === targetConnector) {
@@ -19362,7 +19335,7 @@ class CreditUpdateFrameHandler {
     }
 }
 
-const logger$M = getLogger('naylence.fame.sentinel.sentinel');
+const logger$N = getLogger('naylence.fame.sentinel.sentinel');
 const ALLOWED_BEFORE_ATTACH = new Set(['NodeAttach']);
 const SYSTEM_INBOX = '__sys__';
 const RESERVED_UPSTREAM_ADDRESS_NAMES = new Set(['__sys__', '__rpc__']);
@@ -19456,7 +19429,7 @@ class Sentinel extends FameNode {
                 routeStore = createPersistentRouteStore(this.storageProvider);
             }
             catch (error) {
-                logger$M.warning('persistent_route_store_unavailable', {
+                logger$N.warning('persistent_route_store_unavailable', {
                     error: error instanceof Error ? error.message : String(error),
                 });
                 routeStore = getDefaultRouteStore();
@@ -19538,7 +19511,7 @@ class Sentinel extends FameNode {
     bumpRoutingEpoch() {
         const previousEpoch = this.routingEpochValue;
         this.routingEpochValue = generateId();
-        logger$M.debug('routing_epoch_bumped', {
+        logger$N.debug('routing_epoch_bumped', {
             previous_epoch: previousEpoch,
             new_epoch: this.routingEpochValue,
         });
@@ -19629,7 +19602,7 @@ class Sentinel extends FameNode {
     }
     async forwardToRoute(nextSegment, envelope, context) {
         if (this.originMatches(context, nextSegment, DeliveryOriginType.DOWNSTREAM)) {
-            logger$M.debug('downstream_loop_detected', {
+            logger$N.debug('downstream_loop_detected', {
                 envp_id: envelope.id,
                 segment: nextSegment,
             });
@@ -19642,14 +19615,14 @@ class Sentinel extends FameNode {
             }
             const connector = this.routeManager.downstreamRoutes.get(nextSegment);
             if (!connector) {
-                logger$M.warning('no_route_for_child_segment', { segment: nextSegment });
+                logger$N.warning('no_route_for_child_segment', { segment: nextSegment });
                 await this.emitDeliveryNack(processed, {
                     code: 'CHILD_UNREACHABLE',
                     context: context ?? null,
                 });
                 return;
             }
-            logger$M.debug('forwarding_downstream', {
+            logger$N.debug('forwarding_downstream', {
                 ...summarizeEnvelope(processed, ''),
                 route: nextSegment,
             });
@@ -19666,7 +19639,7 @@ class Sentinel extends FameNode {
     }
     async forwardToPeer(peerSegment, envelope, context) {
         if (this.originMatches(context, peerSegment, DeliveryOriginType.PEER)) {
-            logger$M.debug('peer_loop_detected', {
+            logger$N.debug('peer_loop_detected', {
                 envp_id: envelope.id,
                 segment: peerSegment,
             });
@@ -19677,7 +19650,7 @@ class Sentinel extends FameNode {
         }
         const connector = this.routeManager._peer_routes.get(peerSegment);
         if (!connector) {
-            logger$M.warning('no_route_for_peer_segment', {
+            logger$N.warning('no_route_for_peer_segment', {
                 peer_segment: peerSegment,
             });
             await this.emitDeliveryNack(processed, {
@@ -19720,7 +19693,7 @@ class Sentinel extends FameNode {
     }
     async forwardUpstream(envelope, context) {
         if (context?.originType === DeliveryOriginType.UPSTREAM) {
-            logger$M.debug('skipping_forward_upstream', {
+            logger$N.debug('skipping_forward_upstream', {
                 envp_id: envelope.id,
                 origin_type: context.originType,
             });
@@ -19840,7 +19813,7 @@ class Sentinel extends FameNode {
                 }
                 catch (error) {
                     if (!combined.signal.aborted) {
-                        logger$M.debug('attach_timeout_delay_failed', {
+                        logger$N.debug('attach_timeout_delay_failed', {
                             system_id: systemId,
                             error: error instanceof Error ? error.message : String(error),
                         });
@@ -19867,12 +19840,12 @@ class Sentinel extends FameNode {
                     await connector.stop();
                 }
                 catch (error) {
-                    logger$M.debug('attach_timeout_stop_failed', {
+                    logger$N.debug('attach_timeout_stop_failed', {
                         system_id: systemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
                 }
-                logger$M.warning('attach_timeout_expired', {
+                logger$N.warning('attach_timeout_expired', {
                     system_id: systemId,
                     timeout_ms: timeoutMs,
                 });
@@ -19926,7 +19899,7 @@ class Sentinel extends FameNode {
                     return new FameAddress(addressKey);
                 }
                 catch (error) {
-                    logger$M.debug('invalid_capability_address', {
+                    logger$N.debug('invalid_capability_address', {
                         capability,
                         address: addressKey,
                         error: error instanceof Error ? error.message : String(error),
@@ -20082,7 +20055,7 @@ class Sentinel extends FameNode {
     }
     async propagateAddressBindingsUpstream() {
         if (!this.hasParent) {
-            logger$M.warning('No upstream defined to rebind addresses');
+            logger$N.warning('No upstream defined to rebind addresses');
             return;
         }
         const entries = Array.from(this.routeManager._downstream_addresses_routes.entries());
@@ -20105,7 +20078,7 @@ class Sentinel extends FameNode {
                 await this.bindAddressUpstream(new FameAddress(address), info);
             }
             catch (error) {
-                logger$M.error('rebind_failed', {
+                logger$N.error('rebind_failed', {
                     address,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -20203,7 +20176,7 @@ class Sentinel extends FameNode {
             }
             catch (error) {
                 // Hook threw => treat as denial, execute Drop
-                logger$M.warning('routing_action_hook_error', {
+                logger$N.warning('routing_action_hook_error', {
                     envp_id: envelope.id,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -20227,7 +20200,7 @@ class Sentinel extends FameNode {
         }
         const abortSignal = signal ?? null;
         if (abortSignal?.aborted) {
-            logger$M.info('shutdown_signal_received', { signal: 'abort' });
+            logger$N.info('shutdown_signal_received', { signal: 'abort' });
             return;
         }
         // Build fabric options, preferring rootConfig if provided
@@ -20243,7 +20216,7 @@ class Sentinel extends FameNode {
         if (node !== null) {
             fabricCreateOptions.node = node;
         }
-        logger$M.debug('fabric_create_options', {
+        logger$N.debug('fabric_create_options', {
             hasRootConfig: 'rootConfig' in fabricCreateOptions,
             hasNode: 'node' in fabricCreateOptions,
             rootConfigKeys: fabricCreateOptions.rootConfig
@@ -20276,7 +20249,7 @@ class Sentinel extends FameNode {
         const registerSignalListeners = () => {
             for (const sig of signals) {
                 const listener = () => {
-                    logger$M.info('shutdown_signal_received', { signal: sig });
+                    logger$N.info('shutdown_signal_received', { signal: sig });
                     cleanupListeners();
                     stopResolve();
                 };
@@ -20285,7 +20258,7 @@ class Sentinel extends FameNode {
             }
             if (abortSignal) {
                 abortListener = () => {
-                    logger$M.info('shutdown_signal_received', { signal: 'abort' });
+                    logger$N.info('shutdown_signal_received', { signal: 'abort' });
                     cleanupListeners();
                     stopResolve();
                 };
@@ -20298,12 +20271,12 @@ class Sentinel extends FameNode {
             await providedFabric.enter();
             try {
                 registerSignalListeners();
-                logger$M.info('sentinel_live', {
+                logger$N.info('sentinel_live', {
                     message: 'Node is live! Press Ctrl+C to stop.',
                 });
                 try {
                     await stopPromise;
-                    logger$M.info('sentinel_shutdown_begin');
+                    logger$N.info('sentinel_shutdown_begin');
                 }
                 finally {
                     cleanupListeners();
@@ -20317,19 +20290,19 @@ class Sentinel extends FameNode {
             // Use withFabric pattern for automatic lifecycle management
             await withFabric(fabricCreateOptions, async () => {
                 registerSignalListeners();
-                logger$M.info('sentinel_live', {
+                logger$N.info('sentinel_live', {
                     message: 'Node is live! Press Ctrl+C to stop.',
                 });
                 try {
                     await stopPromise;
-                    logger$M.info('sentinel_shutdown_begin');
+                    logger$N.info('sentinel_shutdown_begin');
                 }
                 finally {
                     cleanupListeners();
                 }
             });
         }
-        logger$M.info('sentinel_shutdown_complete');
+        logger$N.info('sentinel_shutdown_complete');
     }
 }
 function normalizeServeLogLevel(level) {
@@ -20474,7 +20447,7 @@ function isPlainRecord(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
 
-const FACTORY_META$15 = {
+const FACTORY_META$16 = {
     base: NODE_LIKE_FACTORY_BASE_TYPE,
     key: 'Sentinel',
 };
@@ -20658,7 +20631,7 @@ class SentinelFactory extends NodeLikeFactory {
 
 var sentinelFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$15,
+    FACTORY_META: FACTORY_META$16,
     SentinelFactory: SentinelFactory,
     default: SentinelFactory
 });
@@ -20702,7 +20675,7 @@ function createConnectorConfig(config) {
  * A transport adapter that works with both Node.js and browser WebSocket APIs.
  * Supports both native WebSocket clients and server-side WebSocket connections.
  */
-const logger$L = getLogger('naylence.fame.connector.websocket_connector');
+const logger$M = getLogger('naylence.fame.connector.websocket_connector');
 /**
  * WebSocket state constants (mirrors standard WebSocket states)
  */
@@ -20743,7 +20716,7 @@ class WebSocketConnector extends BaseAsyncConnector {
             websocket.send_bytes &&
             typeof websocket.receive_bytes === 'function' &&
             typeof websocket.send_bytes === 'function');
-        logger$L.debug('websocket_connector_created', {
+        logger$M.debug('websocket_connector_created', {
             is_fastapi_like: this._isFastApiLike,
             ready_state: websocket.readyState,
             url: websocket.url,
@@ -20758,7 +20731,7 @@ class WebSocketConnector extends BaseAsyncConnector {
                     socketAny.binaryType = 'arraybuffer';
                 }
                 catch (error) {
-                    logger$L.debug('websocket_set_binary_type_failed', {
+                    logger$M.debug('websocket_set_binary_type_failed', {
                         error: error instanceof Error ? error.message : String(error),
                         current_type: socketAny.binaryType,
                     });
@@ -20814,7 +20787,7 @@ class WebSocketConnector extends BaseAsyncConnector {
         else {
             this._receiveQueue.push(data);
         }
-        logger$L.debug('websocket_message_pushed_to_queue', {
+        logger$M.debug('websocket_message_pushed_to_queue', {
             queueLength: this._receiveQueue.length,
             waitersLength: this._receiveWaiters.length,
         });
@@ -20867,7 +20840,7 @@ class WebSocketConnector extends BaseAsyncConnector {
                 const result = receiveMethod.call(this._websocket);
                 // Ensure we have a Promise
                 if (!result || typeof result.then !== 'function') {
-                    logger$L.error('fastapi_receive_not_awaitable', {
+                    logger$M.error('fastapi_receive_not_awaitable', {
                         result_type: typeof result,
                         result_str: String(result).substring(0, 100),
                     });
@@ -20883,7 +20856,7 @@ class WebSocketConnector extends BaseAsyncConnector {
                     }
                     // Handle known WebSocket shutdown race condition
                     if (this._isAwaitFutureError(error)) {
-                        logger$L.debug('websocket_shutdown_race_condition_handled', {
+                        logger$M.debug('websocket_shutdown_race_condition_handled', {
                             note: 'Normal WebSocket close timing - converting to cancellation',
                             websocket_state: this._websocket.client_state || 'unknown',
                         });
@@ -20926,7 +20899,7 @@ class WebSocketConnector extends BaseAsyncConnector {
         }
         catch (error) {
             if (this._isAwaitFutureError(error)) {
-                logger$L.debug('websocket_shutdown_race_condition_detected', {
+                logger$M.debug('websocket_shutdown_race_condition_detected', {
                     websocket_type: this._websocket.constructor.name,
                     is_fastapi: this._isFastApiLike,
                     note: 'Normal WebSocket close timing during shutdown',
@@ -20972,12 +20945,12 @@ class WebSocketConnector extends BaseAsyncConnector {
                             if (socketAny.readyState !== WebSocketState.CLOSED) {
                                 try {
                                     socketAny.terminate();
-                                    logger$L.debug('websocket_force_terminated', {
+                                    logger$M.debug('websocket_force_terminated', {
                                         ready_state: socketAny.readyState,
                                     });
                                 }
                                 catch (error) {
-                                    logger$L.debug('websocket_force_terminate_failed', {
+                                    logger$M.debug('websocket_force_terminate_failed', {
                                         error: error instanceof Error ? error.message : String(error),
                                     });
                                 }
@@ -20988,7 +20961,7 @@ class WebSocketConnector extends BaseAsyncConnector {
             }
         }
         catch (error) {
-            logger$L.error('websocket_close_failed', {
+            logger$M.error('websocket_close_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
             // Don't re-throw - close errors are not critical during shutdown
@@ -21209,7 +21182,7 @@ class WebSocketConnector extends BaseAsyncConnector {
                 this._removeReceiveHandlers();
             }
             catch (error) {
-                logger$L.debug('websocket_remove_handlers_failed', {
+                logger$M.debug('websocket_remove_handlers_failed', {
                     error: error instanceof Error ? error.message : String(error),
                 });
             }
@@ -21261,7 +21234,7 @@ class WebSocketConnector extends BaseAsyncConnector {
  * Browser-local connector that routes binary frames between peers via an in-page EventTarget.
  * Relies on BaseAsyncConnector for flow control and shutdown behavior.
  */
-const logger$K = getLogger('naylence.fame.connector.inpage_connector');
+const logger$L = getLogger('naylence.fame.connector.inpage_connector');
 const INPAGE_CONNECTOR_TYPE = 'inpage-connector';
 const DEFAULT_CHANNEL$6 = 'naylence-fabric';
 const DEFAULT_INBOX_CAPACITY$6 = 2048;
@@ -21359,7 +21332,7 @@ class InPageConnector extends BaseAsyncConnector {
         }
         this.localNodeId = normalizedLocalNodeId;
         this.targetNodeId = InPageConnector.normalizeTargetNodeId(config.initialTargetNodeId);
-        logger$K.debug('inpage_connector_initialized', {
+        logger$L.debug('inpage_connector_initialized', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -21368,7 +21341,7 @@ class InPageConnector extends BaseAsyncConnector {
         });
         this.onMsg = (event) => {
             if (!this.listenerRegistered) {
-                logger$K.warning('inpage_message_after_unregister', {
+                logger$L.warning('inpage_message_after_unregister', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     timestamp: new Date().toISOString(),
@@ -21377,7 +21350,7 @@ class InPageConnector extends BaseAsyncConnector {
             }
             const messageEvent = event;
             const message = messageEvent.data;
-            logger$K.debug('inpage_raw_event', {
+            logger$L.debug('inpage_raw_event', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 message_type: message && typeof message === 'object'
@@ -21397,7 +21370,7 @@ class InPageConnector extends BaseAsyncConnector {
                 : null;
             const senderNodeId = InPageConnector.normalizeNodeId(busMessage.senderNodeId);
             if (!senderId || !senderNodeId) {
-                logger$K.debug('inpage_message_rejected', {
+                logger$L.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'missing_sender_metadata',
@@ -21405,7 +21378,7 @@ class InPageConnector extends BaseAsyncConnector {
                 return;
             }
             if (senderId === this.connectorId || senderNodeId === this.localNodeId) {
-                logger$K.debug('inpage_message_rejected', {
+                logger$L.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'self_echo',
@@ -21419,14 +21392,14 @@ class InPageConnector extends BaseAsyncConnector {
             }
             const payload = InPageConnector.coercePayload(busMessage.payload);
             if (!payload) {
-                logger$K.debug('inpage_payload_rejected', {
+                logger$L.debug('inpage_payload_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'unrecognized_payload_type',
                 });
                 return;
             }
-            logger$K.debug('inpage_message_received', {
+            logger$L.debug('inpage_message_received', {
                 channel: this.channelName,
                 sender_id: senderId,
                 sender_node_id: senderNodeId,
@@ -21455,14 +21428,14 @@ class InPageConnector extends BaseAsyncConnector {
             }
             catch (error) {
                 if (error instanceof QueueFullError) {
-                    logger$K.warning('inpage_receive_queue_full', {
+                    logger$L.warning('inpage_receive_queue_full', {
                         channel: this.channelName,
                         inbox_capacity: this.inboxCapacity,
                         inbox_remaining_capacity: this.inbox.remainingCapacity,
                     });
                 }
                 else {
-                    logger$K.error('inpage_receive_error', {
+                    logger$L.error('inpage_receive_error', {
                         channel: this.channelName,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -21474,7 +21447,7 @@ class InPageConnector extends BaseAsyncConnector {
         // Setup visibility change monitoring
         this.visibilityChangeHandler = () => {
             const isHidden = document.hidden;
-            logger$K.debug('inpage_visibility_changed', {
+            logger$L.debug('inpage_visibility_changed', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 visibility: isHidden ? 'hidden' : 'visible',
@@ -21483,7 +21456,7 @@ class InPageConnector extends BaseAsyncConnector {
             // Pause/resume connector based on visibility
             if (isHidden && this.state === ConnectorState.STARTED) {
                 this.pause().catch((err) => {
-                    logger$K.warning('inpage_pause_failed', {
+                    logger$L.warning('inpage_pause_failed', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         error: err instanceof Error ? err.message : String(err),
@@ -21492,7 +21465,7 @@ class InPageConnector extends BaseAsyncConnector {
             }
             else if (!isHidden && this.state === ConnectorState.PAUSED) {
                 this.resume().catch((err) => {
-                    logger$K.warning('inpage_resume_failed', {
+                    logger$L.warning('inpage_resume_failed', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         error: err instanceof Error ? err.message : String(err),
@@ -21506,7 +21479,7 @@ class InPageConnector extends BaseAsyncConnector {
             // Track page lifecycle events to detect browser unload/discard
             if (typeof window !== 'undefined') {
                 const lifecycleLogger = (event) => {
-                    logger$K.info('inpage_page_lifecycle', {
+                    logger$L.info('inpage_page_lifecycle', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         event_type: event.type,
@@ -21522,7 +21495,7 @@ class InPageConnector extends BaseAsyncConnector {
                 document.addEventListener('resume', lifecycleLogger);
             }
             // Log initial state with detailed visibility info
-            logger$K.debug('inpage_initial_visibility', {
+            logger$L.debug('inpage_initial_visibility', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 visibility: document.hidden ? 'hidden' : 'visible',
@@ -21540,7 +21513,7 @@ class InPageConnector extends BaseAsyncConnector {
         await super.start(inboundHandler);
         // After transitioning to STARTED, check if tab is already hidden
         if (typeof document !== 'undefined' && document.hidden) {
-            logger$K.debug('inpage_start_in_hidden_tab', {
+            logger$L.debug('inpage_start_in_hidden_tab', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 document_hidden: document.hidden,
@@ -21550,7 +21523,7 @@ class InPageConnector extends BaseAsyncConnector {
             });
             // Immediately pause if tab is hidden at start time
             await this.pause().catch((err) => {
-                logger$K.warning('inpage_initial_pause_failed', {
+                logger$L.warning('inpage_initial_pause_failed', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     error: err instanceof Error ? err.message : String(err),
@@ -21580,14 +21553,14 @@ class InPageConnector extends BaseAsyncConnector {
         }
         catch (error) {
             if (error instanceof QueueFullError) {
-                logger$K.warning('inpage_push_queue_full', {
+                logger$L.warning('inpage_push_queue_full', {
                     channel: this.channelName,
                     inbox_capacity: this.inboxCapacity,
                     inbox_remaining_capacity: this.inbox.remainingCapacity,
                 });
                 throw error;
             }
-            logger$K.error('inpage_push_failed', {
+            logger$L.error('inpage_push_failed', {
                 channel: this.channelName,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -21597,7 +21570,7 @@ class InPageConnector extends BaseAsyncConnector {
     async _transportSendBytes(data) {
         ensureBrowserEnvironment$2();
         const targetNodeId = this.targetNodeId ?? '*';
-        logger$K.debug('inpage_message_sending', {
+        logger$L.debug('inpage_message_sending', {
             channel: this.channelName,
             sender_id: this.connectorId,
             sender_node_id: this.localNodeId,
@@ -21621,7 +21594,7 @@ class InPageConnector extends BaseAsyncConnector {
         return item;
     }
     async _transportClose(code, reason) {
-        logger$K.debug('inpage_transport_closing', {
+        logger$L.debug('inpage_transport_closing', {
             channel: this.channelName,
             connector_id: this.connectorId,
             code,
@@ -21630,14 +21603,14 @@ class InPageConnector extends BaseAsyncConnector {
             timestamp: new Date().toISOString(),
         });
         if (this.listenerRegistered) {
-            logger$K.debug('inpage_removing_listener', {
+            logger$L.debug('inpage_removing_listener', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 timestamp: new Date().toISOString(),
             });
             getSharedBus$1().removeEventListener(this.channelName, this.onMsg);
             this.listenerRegistered = false;
-            logger$K.debug('inpage_listener_removed', {
+            logger$L.debug('inpage_listener_removed', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 timestamp: new Date().toISOString(),
@@ -21669,7 +21642,7 @@ class InPageConnector extends BaseAsyncConnector {
             if (targetNodeId &&
                 targetNodeId !== '*' &&
                 targetNodeId !== this.localNodeId) {
-                logger$K.debug('inpage_message_rejected', {
+                logger$L.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'wildcard_target_mismatch',
@@ -21685,7 +21658,7 @@ class InPageConnector extends BaseAsyncConnector {
         if (expectedSender &&
             expectedSender !== '*' &&
             senderNodeId !== expectedSender) {
-            logger$K.debug('inpage_message_rejected', {
+            logger$L.debug('inpage_message_rejected', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 reason: 'unexpected_sender',
@@ -21698,7 +21671,7 @@ class InPageConnector extends BaseAsyncConnector {
         if (targetNodeId &&
             targetNodeId !== '*' &&
             targetNodeId !== this.localNodeId) {
-            logger$K.debug('inpage_message_rejected', {
+            logger$L.debug('inpage_message_rejected', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 reason: 'unexpected_target',
@@ -21723,7 +21696,7 @@ class InPageConnector extends BaseAsyncConnector {
         return 'unknown';
     }
     logInboxSnapshot(event, extra = {}) {
-        logger$K.debug(event, {
+        logger$L.debug(event, {
             channel: this.channelName,
             connector_id: this.connectorId,
             connector_state: this.state,
@@ -21742,7 +21715,7 @@ class InPageConnector extends BaseAsyncConnector {
             return;
         }
         this.targetNodeId = normalized;
-        logger$K.debug('inpage_target_updated', {
+        logger$L.debug('inpage_target_updated', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -21752,7 +21725,7 @@ class InPageConnector extends BaseAsyncConnector {
     }
     setWildcardTarget() {
         this.targetNodeId = '*';
-        logger$K.debug('inpage_target_updated', {
+        logger$L.debug('inpage_target_updated', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -21946,6 +21919,185 @@ class AuthorizerFactory extends AbstractResourceFactory {
     }
 }
 
+const logger$K = getLogger('naylence.fame.security.auth.authorization_profile_factory');
+const PROFILE_NAME_DEFAULT = 'jwt';
+const PROFILE_NAME_OAUTH2 = 'oauth2';
+const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
+const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+const PROFILE_NAME_NOOP$2 = 'noop';
+const ENV_VAR_JWT_TRUSTED_ISSUER$1 = 'FAME_JWT_TRUSTED_ISSUER';
+const ENV_VAR_JWT_ALGORITHM$1 = 'FAME_JWT_ALGORITHM';
+const ENV_VAR_JWT_AUDIENCE$2 = 'FAME_JWT_AUDIENCE';
+const ENV_VAR_JWKS_URL$1 = 'FAME_JWKS_URL';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+const ENV_VAR_TRUSTED_CLIENT_SCOPE$1 = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
+const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
+const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
+const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_PROFILE = {
+    type: 'DefaultAuthorizer',
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
+};
+const OAUTH2_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    required_scopes: ['node.connect'],
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM$1, 'RS256'),
+    audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
+};
+const OAUTH2_GATED_PROFILE = {
+    ...OAUTH2_PROFILE,
+    enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1, 'false'),
+    trusted_client_scope: Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE$1, 'node.trusted'),
+};
+const OAUTH2_CALLBACK_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+    audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1),
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    reverse_auth_ttl_sec: 86400,
+    token_verifier_config: {
+        type: 'JWTTokenVerifier',
+        algorithm: 'HS256',
+        hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET$1),
+        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+    },
+    token_issuer_config: {
+        type: 'JWTTokenIssuer',
+        algorithm: 'HS256',
+        hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET$1),
+        kid: 'hmac-reverse-auth-key',
+        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1, DEFAULT_REVERSE_AUTH_AUDIENCE),
+    },
+};
+const NOOP_PROFILE$2 = {
+    type: 'NoopAuthorizer',
+};
+const PROFILE_MAP$5 = {
+    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
+    [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
+    [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_NOOP$2]: NOOP_PROFILE$2,
+};
+const PROFILE_ALIASES$1 = {
+    jwt: PROFILE_NAME_DEFAULT,
+    jwks: PROFILE_NAME_DEFAULT,
+    default: PROFILE_NAME_DEFAULT,
+    oauth2: PROFILE_NAME_OAUTH2,
+    oidc: PROFILE_NAME_OAUTH2,
+    'oauth2-gated': PROFILE_NAME_OAUTH2_GATED,
+    oauth2_gated: PROFILE_NAME_OAUTH2_GATED,
+    'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
+    oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
+    'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    noop: PROFILE_NAME_NOOP$2,
+    'no-op': PROFILE_NAME_NOOP$2,
+    no_op: PROFILE_NAME_NOOP$2,
+};
+const FACTORY_META$15 = {
+    base: AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'AuthorizationProfile',
+};
+class AuthorizationProfileFactory extends AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'AuthorizationProfile';
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig$w(config);
+        const profileConfig = resolveProfileConfig$4(normalized.profile);
+        logger$K.debug('enabling_authorization_profile', {
+            profile: normalized.profile,
+        });
+        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        if (!authorizer) {
+            throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
+        }
+        return authorizer;
+    }
+}
+function normalizeConfig$w(config) {
+    if (!config) {
+        return { profile: PROFILE_NAME_OAUTH2 };
+    }
+    const candidate = config;
+    const profileValue = resolveProfileName$2(candidate);
+    const canonicalProfile = canonicalizeProfileName$1(profileValue);
+    candidate.profile = canonicalProfile;
+    return { profile: canonicalProfile };
+}
+function resolveProfileName$2(candidate) {
+    const direct = coerceProfileString$2(candidate.profile);
+    if (direct) {
+        return direct;
+    }
+    const legacyKeys = ['profile_name', 'profileName'];
+    for (const legacyKey of legacyKeys) {
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
+        if (legacyValue) {
+            return legacyValue;
+        }
+    }
+    return PROFILE_NAME_OAUTH2;
+}
+function coerceProfileString$2(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function canonicalizeProfileName$1(value) {
+    const normalized = value.replace(/[\s_]+/g, '-').toLowerCase();
+    return PROFILE_ALIASES$1[normalized] ?? normalized;
+}
+function resolveProfileConfig$4(profileName) {
+    const profile = PROFILE_MAP$5[profileName];
+    if (!profile) {
+        throw new Error(`Unknown authorization profile: ${profileName}`);
+    }
+    return deepClone$4(profile);
+}
+function deepClone$4(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+
+var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AuthorizationProfileFactory: AuthorizationProfileFactory,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1,
+    ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET$1,
+    ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL$1,
+    ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM$1,
+    ENV_VAR_JWT_AUDIENCE: ENV_VAR_JWT_AUDIENCE$2,
+    ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE: ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1,
+    ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER: ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1,
+    ENV_VAR_JWT_TRUSTED_ISSUER: ENV_VAR_JWT_TRUSTED_ISSUER$1,
+    ENV_VAR_TRUSTED_CLIENT_SCOPE: ENV_VAR_TRUSTED_CLIENT_SCOPE$1,
+    FACTORY_META: FACTORY_META$15,
+    PROFILE_NAME_DEFAULT: PROFILE_NAME_DEFAULT,
+    PROFILE_NAME_NOOP: PROFILE_NAME_NOOP$2,
+    PROFILE_NAME_OAUTH2: PROFILE_NAME_OAUTH2,
+    PROFILE_NAME_OAUTH2_CALLBACK: PROFILE_NAME_OAUTH2_CALLBACK,
+    PROFILE_NAME_OAUTH2_GATED: PROFILE_NAME_OAUTH2_GATED,
+    default: AuthorizationProfileFactory
+});
+
 function isAuthInjectionStrategy(candidate) {
     return (typeof candidate === 'object' &&
         candidate !== null &&
@@ -29427,14 +29579,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_I
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 const PROFILE_NAME_GATED = 'gated';
 const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 const PROFILE_NAME_OPEN$1 = 'open';
-const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
-const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
 const STRICT_OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -29480,12 +29631,8 @@ const STRICT_OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'DefaultAuthorizer',
-        verifier: {
-            type: 'JWKSJWTTokenVerifier',
-            jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
-            issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
     },
 };
 const OVERLAY_PROFILE = {
@@ -29532,14 +29679,8 @@ const OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2'),
     },
 };
 const OVERLAY_CALLBACK_PROFILE = {
@@ -29586,29 +29727,8 @@ const OVERLAY_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const GATED_PROFILE = {
@@ -29654,16 +29774,8 @@ const GATED_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM, 'RS256'),
-        audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$1),
-        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
-        trusted_client_scope: Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-gated'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -29709,29 +29821,8 @@ const GATED_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const OPEN_PROFILE$1 = {
@@ -29740,7 +29831,8 @@ const OPEN_PROFILE$1 = {
         type: 'NoSecurityPolicy',
     },
     authorizer: {
-        type: 'NoopAuthorizer',
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'noop'),
     },
 };
 const PROFILE_MAP$4 = {
@@ -29869,6 +29961,7 @@ function deepClone$3(value) {
 
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
+    ENV_VAR_AUTHORIZATION_PROFILE: ENV_VAR_AUTHORIZATION_PROFILE,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
     ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
@@ -43620,4 +43713,4 @@ var otelSetup = /*#__PURE__*/Object.freeze({
     setupOtel: setupOtel
 });
 
-export { ADMISSION_CLIENT_FACTORY_BASE_TYPE, ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, AnsiColor, AsyncLock, AttachmentKeyValidator, AuthInjectionStrategyFactory, AuthorizationPolicyFactory, AuthorizationPolicySourceFactory, AuthorizerFactory, BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE, FACTORY_META$$ as BROADCAST_CHANNEL_CONNECTOR_FACTORY_META, BROADCAST_CHANNEL_CONNECTOR_TYPE, FACTORY_META$Z as BROADCAST_CHANNEL_LISTENER_FACTORY_META, BackPressureFull, BaseAsyncConnector, BaseNodeEventListener, BasicAuthorizationPolicy, BasicAuthorizationPolicyFactory, BindingManager, BindingStoreEntryRecord, BroadcastChannelConnector, BroadcastChannelConnectorFactory, BroadcastChannelListener, BroadcastChannelListenerFactory, BrowserAutoKeyCredentialProvider, BrowserWrappedKeyCredentialProvider, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE, CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE, CRYPTO_LEVEL_SECURITY_ORDER, CertificateManagerFactory, ConnectionRetryPolicyFactory, ConnectorConfigDefaults, ConnectorFactory, ConsoleMetricsEmitter, CryptoLevel, FACTORY_META$11 as DEFAULT_WELCOME_FACTORY_META, DefaultConnectionRetryPolicy, DefaultConnectionRetryPolicyFactory, DefaultCryptoProvider, DefaultKeyManager, DefaultNodeIdentityPolicy, DefaultNodeIdentityPolicyFactory, DefaultSecurityManager, DefaultSecurityPolicy, DefaultWelcomeService, DefaultWelcomeServiceFactory, DevFixedKeyCredentialProvider, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$1 as ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_SESSION_MAX_INITIAL_ATTEMPTS, ENV_VAR_SHOW_ENVELOPES$1 as ENV_VAR_SHOW_ENVELOPES, EdDSAEnvelopeSigner, EncryptedKeyValueStore, EncryptedStorageProviderBase, EncryptedValue, EncryptionConfiguration, EncryptionManagerFactory, EncryptionResult, EncryptionStatus, EnvCredentialProvider, EnvelopeContext, EnvelopeListenerManager, EnvelopeSecurityHandler, EnvelopeSignerFactory, EnvelopeVerifierFactory, FACTORY_META$12 as FACTORY_META, FIXED_PREFIX_LEN, FameAuthorizedDeliveryContextSchema, FameConnectError, FameEnvironmentContext, FameError, FameMessageTooLarge, FameNode, FameNodeAuthorizationContextSchema, FameProtocolError, FameTransportClose, FlowController, GRANT_PURPOSE_NODE_ATTACH, HTTP_CONNECTION_GRANT_TYPE, HTTP_STATELESS_CONNECTOR_TYPE, INPAGE_CONNECTION_GRANT_TYPE, FACTORY_META$10 as INPAGE_CONNECTOR_FACTORY_META, INPAGE_CONNECTOR_TYPE, FACTORY_META$_ as INPAGE_LISTENER_FACTORY_META, InMemoryBinding, InMemoryFanoutBroker, InMemoryKeyValueStore, InMemoryReadWriteChannel, InMemoryStorageProvider, InPageConnector, InPageConnectorFactory, InPageListener, InPageListenerFactory, IndexedDBKeyValueStore, IndexedDBStorageProvider, InvalidPassphraseError, JWKValidationError, KEY_MANAGER_FACTORY_BASE_TYPE, KEY_STORE_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, KeyInfo, KeyManagementHandler, KeyManagerFactory, KeyStore, KeyStoreFactory, KeyValidationError, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, LogLevel, LogLevelNames, MAX_SCOPE_NESTING_DEPTH, MemoryMetricsEmitter, NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NODE_LIKE_FACTORY_BASE_TYPE, NODE_PLACEMENT_STRATEGY_FACTORY_BASE_TYPE, NoOpMetricsEmitter, NoSecurityPolicy, NodeFactory, NodeIdentityPolicyFactory, NodeIdentityPolicyProfileFactory, NodePlacementStrategyFactory, NoneCredentialProvider, NoopEncryptionManager, NoopKeyValidator, NoopTrustStoreProvider, NotAuthorized, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN$1 as PROFILE_NAME_OPEN, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_STRICT_OVERLAY, PromptCredentialProvider, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, REQUIRED_FIELDS_BY_KTY, ReplicaStickinessManagerFactory, RootSessionManager, RouteManager, RpcMixin, RpcProxy, SEALED_ENVELOPE_NONCE_LENGTH, SEALED_ENVELOPE_OVERHEAD, SEALED_ENVELOPE_PRIVATE_KEY_LENGTH, SEALED_ENVELOPE_PUBLIC_KEY_LENGTH, SEALED_ENVELOPE_TAG_LENGTH, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SECURITY_MANAGER_FACTORY_BASE_TYPE, SECURITY_POLICY_FACTORY_BASE_TYPE, STORAGE_PROVIDER_FACTORY_BASE_TYPE, SecretSource, SecretStoreCredentialProvider, SecureChannelFrameHandler, SecureChannelManagerFactory, SecurityAction, SecurityRequirements, Sentinel, SentinelFactory, SessionKeyCredentialProvider, SignaturePolicy, SigningConfig as SigningConfigClass, SigningConfiguration, SimpleLoadBalancerStickinessManager, SimpleLoadBalancerStickinessManagerFactory, StaticCredentialProvider, StorageAESEncryptionManager, TOKEN_ISSUER_FACTORY_BASE_TYPE, TOKEN_PROVIDER_FACTORY_BASE_TYPE, TOKEN_VERIFIER_FACTORY_BASE_TYPE, TRANSPORT_PROVISIONER_FACTORY_BASE_TYPE, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TaskSpawner, TokenIssuerFactory, TokenProviderFactory, TokenSubjectNodeIdentityPolicy, TokenSubjectNodeIdentityPolicyFactory, TokenVerifierFactory, TransportProvisionerFactory, TrustStoreProviderFactory, TtlValidationError, UpstreamSessionManager, VALID_ACTIONS, VALID_CURVES_BY_KTY, VALID_EFFECTS, VALID_KEY_USES, VALID_ORIGIN_TYPES, VERSION, WEBSOCKET_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WebSocketCloseCode, WebSocketConnector, WebSocketState, WelcomeServiceFactory, _NoopFlowController, __runtimePluginLoader, addEnvelopeFields, addLogLevel, addTimestamp, assertConnectionGrant, assertGrant, assertNotRegexPattern, basicConfig, broadcastChannelGrantToConnectorConfig, camelToSnakeCase, canonicalJson, capitalizeFirstLetter, color, compareCryptoLevels, compileGlobOnlyScopeRequirement, compileGlobPattern, compilePattern, compileScopeRequirement, compiledPathPattern, consoleTransport, convertWildcardLogicalToDnsConstraint, createConnectorConfig, createEd25519Keypair, createHostLogicalUri, createLogicalUri, createNodeDeliveryContext, createResource, createRpcProxy, createRsaKeypair, createTransportCloseError, createX25519Keypair, credentialToString, currentTraceId$1 as currentTraceId, debounce, decodeBase64Url, decodeFameDataPayload, deepMerge, defaultJsonEncoder, delay, dropEmpty, enableLogging, encodeUtf8, ensureRuntimeFactoriesRegistered, evaluateScopeRequirement, extractId, extractPoolAddressBase, extractPoolBase, filterKeysByUse, formatTimestamp, formatTimestampForConsole$1 as formatTimestampForConsole, frameDigest, getCompiledGlobPattern, getCurrentEnvelope, getFabricForNode, getFameRoot, getKeyProvider, getKeyStore, getLogger, hasCryptoSupport, hostnameToLogical, hostnamesToLogicals, httpGrantToConnectorConfig, immutableHeaders, inPageGrantToConnectorConfig, isAuthInjectionStrategy, isBroadcastChannelConnectionGrant, isConnectionGrant, isConnectorConfig, isEnvelopeLoggingEnabled, isFameError, isFameErrorType, isGrant, isHttpConnectionGrant, isIdentityExposingTokenProvider, isInPageConnectionGrant, isNodeLike, isPlainObject$4 as isPlainObject, isPoolAddress, isPoolLogical, isRegexPattern, isRegisterable, isTokenExpired, isTokenProvider, isTokenValid, isWebSocketConnectionGrant, jsonDumps, logicalPatternsToDnsConstraints, logicalToHostname, logicalsToHostnames, matchPattern, matchesPoolAddress, matchesPoolLogical, maybeAwait, nodeWelcomeRouter, nodeWelcomeRouterPlugin, normalizeBroadcastChannelConnectionGrant, normalizeEncryptionConfig, normalizeEnvelopeSnapshot, normalizeHttpConnectionGrant, normalizeInPageConnectionGrant, normalizeInboundCryptoRules, normalizeInboundSigningRules, normalizeOutboundCryptoRules, normalizeOutboundSigningRules, normalizePath, normalizeResponseCryptoRules, normalizeResponseSigningRules, normalizeScopeRequirement, normalizeSecretSource, normalizeSecurityRequirements, normalizeSigningConfig, normalizeWebSocketConnectionGrant, objectToBytes, operation, parseSealedEnvelope, pinoTransport, prettyModel$1 as prettyModel, registerDefaultFactories, registerDefaultKeyStoreFactory, registerNodePlacementStrategyFactory, registerRuntimeFactories, requireCryptoSupport, retryWithBackoff, safeColor, safeImport, sealedDecrypt, sealedEncrypt, secureDigest, setKeyStore, showEnvelopes$1 as showEnvelopes, sleep, snakeToCamelCase, stringifyNonPrimitives, supportsColor, throttle, urlsafeBase64Decode, urlsafeBase64Encode, validateCacheTtlSec, validateEncryptionKey, validateHostLogical, validateHostLogicals, validateJwkComplete, validateJwkStructure, validateJwkUseField, validateJwtTokenTtlSec, validateKeyCorrelationTtlSec, validateLogical, validateLogicalSegment, validateOAuth2TtlSec, validateSigningKey, validateTtlSec, waitForAll, waitForAllSettled, waitForAny, websocketGrantToConnectorConfig, withEnvelopeContext, withEnvelopeContextAsync, withLegacySnakeCaseKeys, withLock, withTimeout };
+export { ADMISSION_CLIENT_FACTORY_BASE_TYPE, ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 as AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, ENV_VAR_HMAC_SECRET$1 as AUTH_PROFILE_ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL$1 as AUTH_PROFILE_ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM$1 as AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$2 as AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_TRUSTED_CLIENT_SCOPE$1 as AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE, PROFILE_NAME_DEFAULT as AUTH_PROFILE_NAME_DEFAULT, PROFILE_NAME_NOOP$2 as AUTH_PROFILE_NAME_NOOP, PROFILE_NAME_OAUTH2 as AUTH_PROFILE_NAME_OAUTH2, PROFILE_NAME_OAUTH2_CALLBACK as AUTH_PROFILE_NAME_OAUTH2_CALLBACK, PROFILE_NAME_OAUTH2_GATED as AUTH_PROFILE_NAME_OAUTH2_GATED, AnsiColor, AsyncLock, AttachmentKeyValidator, AuthInjectionStrategyFactory, AuthorizationPolicyFactory, AuthorizationPolicySourceFactory, AuthorizationProfileFactory, AuthorizerFactory, BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE, FACTORY_META$$ as BROADCAST_CHANNEL_CONNECTOR_FACTORY_META, BROADCAST_CHANNEL_CONNECTOR_TYPE, FACTORY_META$Z as BROADCAST_CHANNEL_LISTENER_FACTORY_META, BackPressureFull, BaseAsyncConnector, BaseNodeEventListener, BasicAuthorizationPolicy, BasicAuthorizationPolicyFactory, BindingManager, BindingStoreEntryRecord, BroadcastChannelConnector, BroadcastChannelConnectorFactory, BroadcastChannelListener, BroadcastChannelListenerFactory, BrowserAutoKeyCredentialProvider, BrowserWrappedKeyCredentialProvider, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE, CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE, CRYPTO_LEVEL_SECURITY_ORDER, CertificateManagerFactory, ConnectionRetryPolicyFactory, ConnectorConfigDefaults, ConnectorFactory, ConsoleMetricsEmitter, CryptoLevel, FACTORY_META$11 as DEFAULT_WELCOME_FACTORY_META, DefaultConnectionRetryPolicy, DefaultConnectionRetryPolicyFactory, DefaultCryptoProvider, DefaultKeyManager, DefaultNodeIdentityPolicy, DefaultNodeIdentityPolicyFactory, DefaultSecurityManager, DefaultSecurityPolicy, DefaultWelcomeService, DefaultWelcomeServiceFactory, DevFixedKeyCredentialProvider, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, ENV_VAR_AUTHORIZATION_PROFILE, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$1 as ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_SESSION_MAX_INITIAL_ATTEMPTS, ENV_VAR_SHOW_ENVELOPES$1 as ENV_VAR_SHOW_ENVELOPES, EdDSAEnvelopeSigner, EncryptedKeyValueStore, EncryptedStorageProviderBase, EncryptedValue, EncryptionConfiguration, EncryptionManagerFactory, EncryptionResult, EncryptionStatus, EnvCredentialProvider, EnvelopeContext, EnvelopeListenerManager, EnvelopeSecurityHandler, EnvelopeSignerFactory, EnvelopeVerifierFactory, FACTORY_META$12 as FACTORY_META, FIXED_PREFIX_LEN, FameAuthorizedDeliveryContextSchema, FameConnectError, FameEnvironmentContext, FameError, FameMessageTooLarge, FameNode, FameNodeAuthorizationContextSchema, FameProtocolError, FameTransportClose, FlowController, GRANT_PURPOSE_NODE_ATTACH, HTTP_CONNECTION_GRANT_TYPE, HTTP_STATELESS_CONNECTOR_TYPE, INPAGE_CONNECTION_GRANT_TYPE, FACTORY_META$10 as INPAGE_CONNECTOR_FACTORY_META, INPAGE_CONNECTOR_TYPE, FACTORY_META$_ as INPAGE_LISTENER_FACTORY_META, InMemoryBinding, InMemoryFanoutBroker, InMemoryKeyValueStore, InMemoryReadWriteChannel, InMemoryStorageProvider, InPageConnector, InPageConnectorFactory, InPageListener, InPageListenerFactory, IndexedDBKeyValueStore, IndexedDBStorageProvider, InvalidPassphraseError, JWKValidationError, KEY_MANAGER_FACTORY_BASE_TYPE, KEY_STORE_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, KeyInfo, KeyManagementHandler, KeyManagerFactory, KeyStore, KeyStoreFactory, KeyValidationError, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, LogLevel, LogLevelNames, MAX_SCOPE_NESTING_DEPTH, MemoryMetricsEmitter, NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NODE_LIKE_FACTORY_BASE_TYPE, NODE_PLACEMENT_STRATEGY_FACTORY_BASE_TYPE, NoOpMetricsEmitter, NoSecurityPolicy, NodeFactory, NodeIdentityPolicyFactory, NodeIdentityPolicyProfileFactory, NodePlacementStrategyFactory, NoneCredentialProvider, NoopEncryptionManager, NoopKeyValidator, NoopTrustStoreProvider, NotAuthorized, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN$1 as PROFILE_NAME_OPEN, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_STRICT_OVERLAY, PromptCredentialProvider, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, REQUIRED_FIELDS_BY_KTY, ReplicaStickinessManagerFactory, RootSessionManager, RouteManager, RpcMixin, RpcProxy, SEALED_ENVELOPE_NONCE_LENGTH, SEALED_ENVELOPE_OVERHEAD, SEALED_ENVELOPE_PRIVATE_KEY_LENGTH, SEALED_ENVELOPE_PUBLIC_KEY_LENGTH, SEALED_ENVELOPE_TAG_LENGTH, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SECURITY_MANAGER_FACTORY_BASE_TYPE, SECURITY_POLICY_FACTORY_BASE_TYPE, STORAGE_PROVIDER_FACTORY_BASE_TYPE, SecretSource, SecretStoreCredentialProvider, SecureChannelFrameHandler, SecureChannelManagerFactory, SecurityAction, SecurityRequirements, Sentinel, SentinelFactory, SessionKeyCredentialProvider, SignaturePolicy, SigningConfig as SigningConfigClass, SigningConfiguration, SimpleLoadBalancerStickinessManager, SimpleLoadBalancerStickinessManagerFactory, StaticCredentialProvider, StorageAESEncryptionManager, TOKEN_ISSUER_FACTORY_BASE_TYPE, TOKEN_PROVIDER_FACTORY_BASE_TYPE, TOKEN_VERIFIER_FACTORY_BASE_TYPE, TRANSPORT_PROVISIONER_FACTORY_BASE_TYPE, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TaskSpawner, TokenIssuerFactory, TokenProviderFactory, TokenSubjectNodeIdentityPolicy, TokenSubjectNodeIdentityPolicyFactory, TokenVerifierFactory, TransportProvisionerFactory, TrustStoreProviderFactory, TtlValidationError, UpstreamSessionManager, VALID_ACTIONS, VALID_CURVES_BY_KTY, VALID_EFFECTS, VALID_KEY_USES, VALID_ORIGIN_TYPES, VERSION, WEBSOCKET_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WebSocketCloseCode, WebSocketConnector, WebSocketState, WelcomeServiceFactory, _NoopFlowController, __runtimePluginLoader, addEnvelopeFields, addLogLevel, addTimestamp, assertConnectionGrant, assertGrant, assertNotRegexPattern, basicConfig, broadcastChannelGrantToConnectorConfig, camelToSnakeCase, canonicalJson, capitalizeFirstLetter, color, compareCryptoLevels, compileGlobOnlyScopeRequirement, compileGlobPattern, compilePattern, compileScopeRequirement, compiledPathPattern, consoleTransport, convertWildcardLogicalToDnsConstraint, createConnectorConfig, createEd25519Keypair, createHostLogicalUri, createLogicalUri, createNodeDeliveryContext, createResource, createRpcProxy, createRsaKeypair, createTransportCloseError, createX25519Keypair, credentialToString, currentTraceId$1 as currentTraceId, debounce, decodeBase64Url, decodeFameDataPayload, deepMerge, defaultJsonEncoder, delay, dropEmpty, enableLogging, encodeUtf8, ensureRuntimeFactoriesRegistered, evaluateScopeRequirement, extractId, extractPoolAddressBase, extractPoolBase, filterKeysByUse, formatTimestamp, formatTimestampForConsole$1 as formatTimestampForConsole, frameDigest, getCompiledGlobPattern, getCurrentEnvelope, getFabricForNode, getFameRoot, getKeyProvider, getKeyStore, getLogger, hasCryptoSupport, hostnameToLogical, hostnamesToLogicals, httpGrantToConnectorConfig, immutableHeaders, inPageGrantToConnectorConfig, isAuthInjectionStrategy, isBroadcastChannelConnectionGrant, isConnectionGrant, isConnectorConfig, isEnvelopeLoggingEnabled, isFameError, isFameErrorType, isGrant, isHttpConnectionGrant, isIdentityExposingTokenProvider, isInPageConnectionGrant, isNodeLike, isPlainObject$4 as isPlainObject, isPoolAddress, isPoolLogical, isRegexPattern, isRegisterable, isTokenExpired, isTokenProvider, isTokenValid, isWebSocketConnectionGrant, jsonDumps, logicalPatternsToDnsConstraints, logicalToHostname, logicalsToHostnames, matchPattern, matchesPoolAddress, matchesPoolLogical, maybeAwait, nodeWelcomeRouter, nodeWelcomeRouterPlugin, normalizeBroadcastChannelConnectionGrant, normalizeEncryptionConfig, normalizeEnvelopeSnapshot, normalizeHttpConnectionGrant, normalizeInPageConnectionGrant, normalizeInboundCryptoRules, normalizeInboundSigningRules, normalizeOutboundCryptoRules, normalizeOutboundSigningRules, normalizePath, normalizeResponseCryptoRules, normalizeResponseSigningRules, normalizeScopeRequirement, normalizeSecretSource, normalizeSecurityRequirements, normalizeSigningConfig, normalizeWebSocketConnectionGrant, objectToBytes, operation, parseSealedEnvelope, pinoTransport, prettyModel$1 as prettyModel, registerDefaultFactories, registerDefaultKeyStoreFactory, registerNodePlacementStrategyFactory, registerRuntimeFactories, requireCryptoSupport, retryWithBackoff, safeColor, safeImport, sealedDecrypt, sealedEncrypt, secureDigest, setKeyStore, showEnvelopes$1 as showEnvelopes, sleep, snakeToCamelCase, stringifyNonPrimitives, supportsColor, throttle, urlsafeBase64Decode, urlsafeBase64Encode, validateCacheTtlSec, validateEncryptionKey, validateHostLogical, validateHostLogicals, validateJwkComplete, validateJwkStructure, validateJwkUseField, validateJwtTokenTtlSec, validateKeyCorrelationTtlSec, validateLogical, validateLogicalSegment, validateOAuth2TtlSec, validateSigningKey, validateTtlSec, waitForAll, waitForAllSettled, waitForAny, websocketGrantToConnectorConfig, withEnvelopeContext, withEnvelopeContextAsync, withLegacySnakeCaseKeys, withLock, withTimeout };