@naylence/runtime 0.4.0 → 0.4.2

package/dist/node/node.cjs

@@ -3592,7 +3592,7 @@ class WebSocketConnectionGrantImpl {
         this.purpose = 'connection';
     }
 }
-const FACTORY_META$1f = {
+const FACTORY_META$1g = {
     base: CONNECTOR_FACTORY_BASE_TYPE,
     key: 'WebSocketConnector',
 };
@@ -3963,7 +3963,7 @@ class WebSocketConnectorFactory extends ConnectorFactory {
 
 var websocketConnectorFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1f,
+    FACTORY_META: FACTORY_META$1g,
     WebSocketConnectorFactory: WebSocketConnectorFactory,
     default: WebSocketConnectorFactory,
     setWebSocketConnectorSslLoader: setWebSocketConnectorSslLoader
@@ -4039,6 +4039,7 @@ const MODULES = [
     "./node/node-identity-policy-profile-factory.js",
     "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
+    "./security/auth/authorization-profile-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
     "./security/auth/default-policy-authorizer-factory.js",
@@ -4121,6 +4122,7 @@ const MODULE_LOADERS = {
     "./node/node-identity-policy-profile-factory.js": () => Promise.resolve().then(function () { return nodeIdentityPolicyProfileFactory; }),
     "./node/token-subject-node-identity-policy-factory.js": () => Promise.resolve().then(function () { return tokenSubjectNodeIdentityPolicyFactory; }),
     "./placement/static-node-placement-strategy-factory.js": () => Promise.resolve().then(function () { return staticNodePlacementStrategyFactory; }),
+    "./security/auth/authorization-profile-factory.js": () => Promise.resolve().then(function () { return authorizationProfileFactory; }),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => Promise.resolve().then(function () { return bearerTokenHeaderAuthInjectionStrategyFactory; }),
     "./security/auth/default-authorizer-factory.js": () => Promise.resolve().then(function () { return defaultAuthorizerFactory; }),
     "./security/auth/default-policy-authorizer-factory.js": () => Promise.resolve().then(function () { return defaultPolicyAuthorizerFactory; }),
@@ -4434,12 +4436,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.0
+// Generated from package.json version: 0.4.2
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.0';
+const VERSION = '0.4.2';
 
 let initialized = false;
 const runtimePlugin = {
@@ -4554,7 +4556,7 @@ class EnvCredentialProviderFactory extends CredentialProviderFactory {
         return new EnvCredentialProvider(resolved.varName);
     }
 }
-const FACTORY_META$1e = {
+const FACTORY_META$1f = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'EnvCredentialProvider',
 };
@@ -4562,7 +4564,7 @@ const FACTORY_META$1e = {
 var envCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     EnvCredentialProviderFactory: EnvCredentialProviderFactory,
-    FACTORY_META: FACTORY_META$1e,
+    FACTORY_META: FACTORY_META$1f,
     default: EnvCredentialProviderFactory,
     normalizeEnvConfig: normalizeEnvConfig
 });
@@ -4660,14 +4662,14 @@ class PromptCredentialProviderFactory extends CredentialProviderFactory {
         return new PromptCredentialProvider(resolved.credentialName);
     }
 }
-const FACTORY_META$1d = {
+const FACTORY_META$1e = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'PromptCredentialProvider',
 };
 
 var promptCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1d,
+    FACTORY_META: FACTORY_META$1e,
     PromptCredentialProviderFactory: PromptCredentialProviderFactory,
     default: PromptCredentialProviderFactory,
     normalizePromptConfig: normalizePromptConfig
@@ -4721,14 +4723,14 @@ class SecretStoreCredentialProviderFactory extends CredentialProviderFactory {
         return new SecretStoreCredentialProvider(resolved.secretName);
     }
 }
-const FACTORY_META$1c = {
+const FACTORY_META$1d = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'SecretStoreCredentialProvider',
 };
 
 var secretStoreCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1c,
+    FACTORY_META: FACTORY_META$1d,
     SecretStoreCredentialProviderFactory: SecretStoreCredentialProviderFactory,
     default: SecretStoreCredentialProviderFactory,
     normalizeSecretStoreConfig: normalizeSecretStoreConfig
@@ -4777,14 +4779,14 @@ class StaticCredentialProviderFactory extends CredentialProviderFactory {
         return new StaticCredentialProvider(resolved.credentialValue);
     }
 }
-const FACTORY_META$1b = {
+const FACTORY_META$1c = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'StaticCredentialProvider',
 };
 
 var staticCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1b,
+    FACTORY_META: FACTORY_META$1c,
     StaticCredentialProviderFactory: StaticCredentialProviderFactory,
     default: StaticCredentialProviderFactory,
     normalizeStaticConfig: normalizeStaticConfig
@@ -5075,12 +5077,12 @@ const BASE_PROFILE_MAP = {
     [PROFILE_NAME_INDEXEDDB]: INDEXEDDB_PROFILE_CONFIG,
 };
 // Extended profile map - can be augmented by Node.js environment
-const PROFILE_MAP$6 = {
+const PROFILE_MAP$7 = {
     ...BASE_PROFILE_MAP,
 };
 // Function to register additional profiles (used by Node.js build)
 function registerStorageProfile(name, config) {
-    PROFILE_MAP$6[name] = config;
+    PROFILE_MAP$7[name] = config;
 }
 // Export the SQLite configs so they can be registered from node-index.ts
 const SQLITE_PROFILES = {
@@ -5099,9 +5101,9 @@ class StorageProfileFactory extends StorageProviderFactory {
             type: 'StorageProfile',
         });
         const profileName = (parsed.profile ?? PROFILE_NAME_MEMORY).toLowerCase();
-        const profileConfig = PROFILE_MAP$6[profileName];
+        const profileConfig = PROFILE_MAP$7[profileName];
         if (!profileConfig) {
-            throw new Error(`Unknown storage profile '${profileName}'. Supported profiles: ${Object.keys(PROFILE_MAP$6).join(', ')}`);
+            throw new Error(`Unknown storage profile '${profileName}'. Supported profiles: ${Object.keys(PROFILE_MAP$7).join(', ')}`);
         }
         const createOptions = {
             ...options,
@@ -14858,44 +14860,12 @@ class ConnectionRetryPolicyFactory extends factory.AbstractResourceFactory {
     }
 }
 
-const TOKEN_PROVIDER_FACTORY_BASE_TYPE = 'TokenProviderFactory';
-class TokenProviderFactory extends factory.AbstractResourceFactory {
-    static async createTokenProvider(config, options = {}) {
-        if (config) {
-            const provider = await factory.createResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, config, options);
-            if (!provider) {
-                throw new Error('Failed to create token provider from configuration');
-            }
-            return provider;
-        }
-        let provider = null;
-        try {
-            provider = await factory.createDefaultResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, null, options);
-        }
-        catch (error) {
-            const message = 'Failed to create default token provider' +
-                (error instanceof Error && error.message ? `: ${error.message}` : '');
-            throw new Error(message);
-        }
-        if (!provider) {
-            throw new Error('Failed to create default token provider');
-        }
-        return provider;
-    }
-}
-
-function isTokenProvider(candidate) {
-    return (typeof candidate === 'object' &&
-        candidate !== null &&
-        typeof candidate.getToken === 'function');
-}
-function isIdentityExposingTokenProvider(candidate) {
-    return (isTokenProvider(candidate) &&
-        typeof candidate.getIdentity ===
-            'function');
-}
-
-const logger$14 = getLogger('naylence.fame.node.default_node_identity_policy');
+/**
+ * Default node identity policy that preserves the current node ID.
+ *
+ * This policy does NOT derive identity from tokens or grants.
+ * For token-subject-based identity, use TokenSubjectNodeIdentityPolicy.
+ */
 class DefaultNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -14907,44 +14877,10 @@ class DefaultNodeIdentityPolicy {
         return await core.generateIdAsync({ mode: 'fingerprint' });
     }
     async resolveAdmissionNodeId(context) {
-        // Try to extract identity from grants first
-        if (context.grants && context.grants.length > 0) {
-            for (const grant of context.grants) {
-                try {
-                    const auth = grant.auth;
-                    if (!auth) {
-                        continue;
-                    }
-                    const tokenProviderConfig = (auth.tokenProvider ??
-                        auth.token_provider);
-                    if (!tokenProviderConfig ||
-                        typeof tokenProviderConfig.type !== 'string') {
-                        continue;
-                    }
-                    const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
-                    if (isIdentityExposingTokenProvider(provider)) {
-                        const identity = await provider.getIdentity();
-                        if (identity && identity.subject) {
-                            logger$14.debug('identity_extracted_from_grant', {
-                                identity_id: identity.subject,
-                                grant_type: grant.type,
-                            });
-                            return identity.subject;
-                        }
-                    }
-                }
-                catch (error) {
-                    logger$14.warning('identity_extraction_failed', {
-                        error: error instanceof Error ? error.message : String(error),
-                        grant_type: grant.type,
-                    });
-                }
-            }
-        }
-        if (!context.currentNodeId) {
-            return await core.generateIdAsync({ mode: 'fingerprint' });
+        if (context.currentNodeId) {
+            return context.currentNodeId;
         }
-        return context.currentNodeId;
+        return await core.generateIdAsync({ mode: 'fingerprint' });
     }
 }
 
@@ -15018,7 +14954,7 @@ class AttachmentKeyValidator {
     }
 }
 
-const logger$13 = getLogger('naylence.fame.node.admission.default_node_attach_client');
+const logger$14 = getLogger('naylence.fame.node.admission.default_node_attach_client');
 const HANDSHAKE_POLL_INTERVAL_MS = 20;
 class DefaultNodeAttachClient {
     constructor(options = {}) {
@@ -15042,7 +14978,7 @@ class DefaultNodeAttachClient {
                 }
                 else {
                     // Silently ignore frames from other agents during concurrent handshakes
-                    logger$13.debug('handshake_ignoring_frame_from_different_system', {
+                    logger$14.debug('handshake_ignoring_frame_from_different_system', {
                         frame_type: envelope.frame.type,
                         frame_system_id: frameSystemId,
                         expected_system_id: this.expectedSystemId,
@@ -15085,7 +15021,7 @@ class DefaultNodeAttachClient {
             }
         }
         catch (error) {
-            logger$13.debug('stickiness_offer_skipped', {
+            logger$14.debug('stickiness_offer_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -15106,7 +15042,7 @@ class DefaultNodeAttachClient {
             if (!processedEnvelope) {
                 throw new Error('Envelope was blocked by onForwardUpstream event');
             }
-            logger$13.debug('sending_node_attach_envelope', {
+            logger$14.debug('sending_node_attach_envelope', {
                 envp_id: processedEnvelope.id ?? envelope.id ?? null,
                 frame_type: processedEnvelope.frame?.type ?? 'unknown',
                 trace_id: processedEnvelope.traceId ?? envelope.traceId ?? null,
@@ -15142,7 +15078,7 @@ class DefaultNodeAttachClient {
             try {
                 const keyInfos = await this.attachmentKeyValidator.validateKeys(parentKeys);
                 if (Array.isArray(keyInfos) && keyInfos.length > 0) {
-                    logger$13.debug('parent_certificate_validation_passed', {
+                    logger$14.debug('parent_certificate_validation_passed', {
                         parent_id: parentId,
                         correlation_id: corrId,
                         validated_keys: keyInfos.length,
@@ -15151,7 +15087,7 @@ class DefaultNodeAttachClient {
             }
             catch (error) {
                 if (error instanceof KeyValidationError) {
-                    logger$13.error('parent_certificate_validation_failed', {
+                    logger$14.error('parent_certificate_validation_failed', {
                         parent_id: parentId,
                         correlation_id: corrId,
                         error_code: error.code,
@@ -15165,12 +15101,12 @@ class DefaultNodeAttachClient {
             }
         }
         else {
-            logger$13.debug('parent_certificate_validation_skipped', {
+            logger$14.debug('parent_certificate_validation_skipped', {
                 parent_id: parentId,
                 reason: 'no_validator',
             });
         }
-        logger$13.debug('processing_node_attach_ack', {
+        logger$14.debug('processing_node_attach_ack', {
             parent_id: ackFrame.targetSystemId,
         });
         this.inHandshake = false;
@@ -15201,7 +15137,7 @@ class DefaultNodeAttachClient {
             }
         }
         catch (error) {
-            logger$13.debug('stickiness_accept_skipped', {
+            logger$14.debug('stickiness_accept_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -15255,7 +15191,7 @@ class DefaultNodeAttachClient {
                 // NodeAttach frames during handshake are expected in multi-agent scenarios
                 // where multiple agents attach concurrently to the same channel
                 if (envelope.frame.type === 'NodeAttach') {
-                    logger$13.debug('handshake_ignoring_concurrent_attach', {
+                    logger$14.debug('handshake_ignoring_concurrent_attach', {
                         frame_type: envelope.frame.type,
                         frame_system_id: envelope.frame?.systemId ??
                             'unknown',
@@ -15263,7 +15199,7 @@ class DefaultNodeAttachClient {
                 }
                 else {
                     // Other unexpected frames are still logged as errors
-                    logger$13.error('unexpected_frame_during_handshake', {
+                    logger$14.error('unexpected_frame_during_handshake', {
                         frame_type: envelope.frame.type,
                     });
                 }
@@ -15403,7 +15339,7 @@ class TraceEmitterFactory extends factory.AbstractResourceFactory {
 // void import('./trace-emitter-profile-factory.js');
 
 const BINDING_STORE_NAMESPACE = '__binding_store';
-const logger$12 = getLogger('naylence.fame.node.factory_commons');
+const logger$13 = getLogger('naylence.fame.node.factory_commons');
 function isPlainRecord$2(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
@@ -15597,7 +15533,7 @@ async function resolveNodeIdentityPolicy(config, options) {
         return await NodeIdentityPolicyFactory.createNodeIdentityPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('node_identity_policy_creation_failed', {
+        logger$13.warning('node_identity_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15608,7 +15544,7 @@ async function resolveConnectionRetryPolicy(config, options) {
         return await ConnectionRetryPolicyFactory.createConnectionRetryPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('connection_retry_policy_creation_failed', {
+        logger$13.warning('connection_retry_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15620,7 +15556,7 @@ async function resolveStorageProvider(config, options) {
             return await StorageProviderFactory.createStorageProvider(config, cloneCreateOptions(options));
         }
         catch (error) {
-            logger$12.warning('storage_provider_creation_failed', {
+            logger$13.warning('storage_provider_creation_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -15642,7 +15578,7 @@ async function resolveAdmissionClient(config, options, identityPolicy) {
         return await AdmissionClientFactory.createAdmissionClient((config ?? null), createOptions);
     }
     catch (error) {
-        logger$12.warning('admission_client_creation_failed', {
+        logger$13.warning('admission_client_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15669,7 +15605,7 @@ async function resolveReplicaStickinessManager(hasParent, requestedLogicals, opt
         return await ReplicaStickinessManagerFactory.createReplicaStickinessManager(undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.debug('replica_stickiness_manager_unavailable', { error });
+        logger$13.debug('replica_stickiness_manager_unavailable', { error });
         return null;
     }
 }
@@ -15678,7 +15614,7 @@ async function resolveAttachmentKeyValidator(config, options) {
         return await AttachmentKeyValidatorFactory.createAttachmentKeyValidator(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('attachment_key_validator_creation_failed', {
+        logger$13.warning('attachment_key_validator_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15696,7 +15632,7 @@ async function resolveDeliveryPolicy(config, options) {
         return await DeliveryPolicyFactory.createDeliveryPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('delivery_policy_creation_failed', {
+        logger$13.warning('delivery_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15710,7 +15646,7 @@ async function resolveTransportListeners(configs, eventListeners, options) {
         return await TransportListenerFactory.createTransportListeners(configs, eventListeners, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('transport_listener_creation_failed', {
+        logger$13.warning('transport_listener_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return [];
@@ -15721,7 +15657,7 @@ async function resolveTraceEmitter(config, options) {
         return await TraceEmitterFactory.createTraceEmitter(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('trace_emitter_creation_failed', {
+        logger$13.warning('trace_emitter_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15777,7 +15713,7 @@ async function createSecurityManagerFromConfig(config, overrides, options) {
         return manager ?? null;
     }
     catch (error) {
-        logger$12.warning('security_manager_creation_failed', {
+        logger$13.warning('security_manager_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15806,7 +15742,7 @@ async function resolveCryptoProvider(config, options) {
     // This happens with overlay security profiles that need envelope signing
     if (requiresCryptoProvider(config)) {
         try {
-            logger$12.debug('auto_creating_crypto_provider', {
+            logger$13.debug('auto_creating_crypto_provider', {
                 reason: 'overlay_security_requires_signing',
             });
             // Dynamically import to avoid circular dependencies
@@ -15826,7 +15762,7 @@ async function resolveCryptoProvider(config, options) {
             });
         }
         catch (error) {
-            logger$12.error('failed_to_auto_create_crypto_provider', {
+            logger$13.error('failed_to_auto_create_crypto_provider', {
                 error: error instanceof Error ? error.message : String(error),
             });
             throw error;
@@ -16377,7 +16313,7 @@ class NodeLikeFactory extends factory.AbstractResourceFactory {
 //   registerFactory(NODE_LIKE_FACTORY_BASE_TYPE, type, factory);
 // }
 
-const FACTORY_META$1a = {
+const FACTORY_META$1b = {
     base: NODE_LIKE_FACTORY_BASE_TYPE,
     key: 'Node',
 };
@@ -16419,7 +16355,7 @@ class NodeFactory extends NodeLikeFactory {
 
 var nodeFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1a,
+    FACTORY_META: FACTORY_META$1b,
     NodeFactory: NodeFactory,
     default: NodeFactory
 });
@@ -16996,7 +16932,7 @@ function normalizeSecurityRequirements(value) {
     };
 }
 
-const logger$11 = getLogger('naylence.fame.node.envelope_security_handler');
+const logger$12 = getLogger('naylence.fame.node.envelope_security_handler');
 const ENCRYPTION_OPTION_ALIAS_PAIRS = [
     ['recipKid', 'recip_kid'],
     ['recipientKeyId', 'recipient_key_id'],
@@ -17045,7 +16981,7 @@ class EnvelopeSecurityHandler {
         const shouldSign = this.securityPolicy
             ? await this.securityPolicy.shouldSignEnvelope(envelope, context, this.node)
             : false;
-        logger$11.debug('checking_signing', {
+        logger$12.debug('checking_signing', {
             has_signer: Boolean(this.envelopeSigner),
             should_sign: shouldSign,
             envp_id: envelope.id,
@@ -17067,7 +17003,7 @@ class EnvelopeSecurityHandler {
         const shouldEncrypt = this.securityPolicy
             ? await this.securityPolicy.shouldEncryptEnvelope(envelope, context, this.node)
             : false;
-        logger$11.debug('checking_encryption', {
+        logger$12.debug('checking_encryption', {
             has_encryption_manager: Boolean(this.encryptionManager),
             should_encrypt: shouldEncrypt,
             envp_id: envelope.id,
@@ -17075,7 +17011,7 @@ class EnvelopeSecurityHandler {
         });
         if (this.encryptionManager && this.securityPolicy) {
             if (envelope.sec?.enc) {
-                logger$11.debug('skipping_encryption_already_encrypted', {
+                logger$12.debug('skipping_encryption_already_encrypted', {
                     envp_id: envelope.id,
                     destination: envelope.to ? String(envelope.to) : undefined,
                 });
@@ -17088,7 +17024,7 @@ class EnvelopeSecurityHandler {
                     exports.CryptoLevel.PLAINTEXT;
                 desiredCryptoLevel =
                     await this.securityPolicy.decideResponseCryptoLevel(requestCryptoLevel, envelope, context);
-                logger$11.debug('response_crypto_level_decided', {
+                logger$12.debug('response_crypto_level_decided', {
                     envp_id: envelope.id,
                     crypto_level: desiredCryptoLevel,
                     destination: envelope.to ? String(envelope.to) : undefined,
@@ -17099,7 +17035,7 @@ class EnvelopeSecurityHandler {
             else {
                 desiredCryptoLevel =
                     await this.securityPolicy.decideOutboundCryptoLevel(envelope, context, this.node);
-                logger$11.debug('outbound_crypto_level_decided', {
+                logger$12.debug('outbound_crypto_level_decided', {
                     envp_id: envelope.id,
                     frame_type: envelope.frame.type,
                     crypto_level: desiredCryptoLevel,
@@ -17107,11 +17043,11 @@ class EnvelopeSecurityHandler {
                 });
             }
             if (desiredCryptoLevel === exports.CryptoLevel.SEALED) {
-                logger$11.debug('applying_sealed_encryption', { envp_id: envelope.id });
+                logger$12.debug('applying_sealed_encryption', { envp_id: envelope.id });
                 return await this.handleSealedEncryption(envelope, context);
             }
             if (desiredCryptoLevel === exports.CryptoLevel.CHANNEL) {
-                logger$11.debug('applying_channel_encryption', { envp_id: envelope.id });
+                logger$12.debug('applying_channel_encryption', { envp_id: envelope.id });
                 return await this.handleChannelEncryption(envelope, context);
             }
         }
@@ -17162,7 +17098,7 @@ class EnvelopeSecurityHandler {
                 frameType === 'KeyAnnounce' ||
                 frameType === 'SecureOpen' ||
                 frameType === 'SecureAccept') {
-                logger$11.error('critical_frame_unsigned_rejected', {
+                logger$12.error('critical_frame_unsigned_rejected', {
                     envp_id: envelope.id,
                     frame_type: frameType,
                     reason: 'critical_frames_must_be_signed',
@@ -17170,7 +17106,7 @@ class EnvelopeSecurityHandler {
                 return [envelope, false];
             }
             const action = this.securityPolicy.getUnsignedViolationAction(envelope, context);
-            logger$11.warning('unsigned_envelope_violation', {
+            logger$12.warning('unsigned_envelope_violation', {
                 envp_id: envelope.id,
                 frame_type: frameType,
                 action,
@@ -17182,26 +17118,26 @@ class EnvelopeSecurityHandler {
         return [envelope, true];
     }
     async handleChannelHandshakeComplete(channelId, destination) {
-        logger$11.debug('channel_handshake_completed', {
+        logger$12.debug('channel_handshake_completed', {
             channel_id: channelId,
             destination,
         });
         if (this.encryptionManager?.notifyChannelEstablished) {
             await this.encryptionManager.notifyChannelEstablished(channelId);
-            logger$11.debug('notified_encryption_manager_channel_ready', {
+            logger$12.debug('notified_encryption_manager_channel_ready', {
                 channel_id: channelId,
             });
         }
     }
     async handleChannelHandshakeFailed(channelId, destination, reason = 'handshake_failed') {
-        logger$11.debug('channel_handshake_failed', {
+        logger$12.debug('channel_handshake_failed', {
             channel_id: channelId,
             destination,
             reason,
         });
         if (this.encryptionManager?.notifyChannelFailed) {
             await this.encryptionManager.notifyChannelFailed(channelId, reason);
-            logger$11.debug('notified_encryption_manager_channel_failed', {
+            logger$12.debug('notified_encryption_manager_channel_failed', {
                 channel_id: channelId,
                 reason,
             });
@@ -17248,7 +17184,7 @@ class EnvelopeSecurityHandler {
                 checkPayload: false,
             });
             if (verified) {
-                logger$11.debug('envelope_verified', {
+                logger$12.debug('envelope_verified', {
                     envp_id: envelope.id,
                     sid: envelope.sid,
                     kid,
@@ -17259,7 +17195,7 @@ class EnvelopeSecurityHandler {
         }
         this.keyManagementHandler.queuePendingSignedEnvelope(kid, envelope, context);
         await this.keyManagementHandler.maybeRequestSigningKey(kid, context.originType, fromSystemId);
-        logger$11.debug('queued_envelope_missing_signing_key', {
+        logger$12.debug('queued_envelope_missing_signing_key', {
             kid,
             envp_id: envelope.id,
         });
@@ -17267,7 +17203,7 @@ class EnvelopeSecurityHandler {
     }
     async handleSealedEncryption(envelope, context) {
         if (!envelope.to) {
-            logger$11.warning('sealed_encryption_requested_but_no_destination', {
+            logger$12.warning('sealed_encryption_requested_but_no_destination', {
                 envp_id: envelope.id,
             });
             return true;
@@ -17279,20 +17215,20 @@ class EnvelopeSecurityHandler {
                 : undefined;
             if (options) {
                 if (options.encryptionType === 'channel') {
-                    logger$11.warning('policy_returned_channel_for_sealed_request', {
+                    logger$12.warning('policy_returned_channel_for_sealed_request', {
                         envp_id: envelope.id,
                     });
                     return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, normalizeEncryptionOptions({
                         requestAddress: envelope.to,
                     }));
                 }
-                logger$11.debug('using_sealed_encryption_options', {
+                logger$12.debug('using_sealed_encryption_options', {
                     envp_id: envelope.id,
                     options,
                 });
                 return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, options);
             }
-            logger$11.debug('no_encryption_options_requesting_key', {
+            logger$12.debug('no_encryption_options_requesting_key', {
                 envp_id: envelope.id,
             });
             return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, normalizeEncryptionOptions({
@@ -17300,7 +17236,7 @@ class EnvelopeSecurityHandler {
             }));
         }
         catch (error) {
-            logger$11.debug('sealed_key_lookup_failed_requesting', {
+            logger$12.debug('sealed_key_lookup_failed_requesting', {
                 envp_id: envelope.id,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -17311,7 +17247,7 @@ class EnvelopeSecurityHandler {
     }
     async handleChannelEncryption(envelope, context) {
         if (!envelope.to) {
-            logger$11.warning('channel_encryption_requested_but_no_destination', {
+            logger$12.warning('channel_encryption_requested_but_no_destination', {
                 envp_id: envelope.id,
             });
             return true;
@@ -17326,13 +17262,13 @@ class EnvelopeSecurityHandler {
             return true;
         }
         if (context.originType !== core.DeliveryOriginType.LOCAL) {
-            logger$11.warning('envelope_encryption_rejected_non_local', {
+            logger$12.warning('envelope_encryption_rejected_non_local', {
                 origin: context.originType,
             });
             return true;
         }
         if (!isDataFrame$4(envelope.frame)) {
-            logger$11.trace('skipping_encryption_non_dataframe', {
+            logger$12.trace('skipping_encryption_non_dataframe', {
                 envp_id: envelope.id,
                 frame_type: envelope.frame.type,
             });
@@ -17343,7 +17279,7 @@ class EnvelopeSecurityHandler {
             ? normalizeEncryptionOptions(rawOptions)
             : undefined;
         if (!options) {
-            logger$11.warning('no_encryption_options_provided', {
+            logger$12.warning('no_encryption_options_provided', {
                 envp_id: envelope.id,
             });
             return true;
@@ -17355,13 +17291,13 @@ class EnvelopeSecurityHandler {
             return true;
         }
         if (context.originType !== core.DeliveryOriginType.LOCAL) {
-            logger$11.warning('envelope_encryption_rejected_non_local', {
+            logger$12.warning('envelope_encryption_rejected_non_local', {
                 origin: context.originType,
             });
             return true;
         }
         if (!isDataFrame$4(envelope.frame)) {
-            logger$11.trace('skipping_encryption_non_dataframe', {
+            logger$12.trace('skipping_encryption_non_dataframe', {
                 envp_id: envelope.id,
                 frame_type: envelope.frame.type,
             });
@@ -17378,7 +17314,7 @@ class EnvelopeSecurityHandler {
         // Skip encryption if envelope is already encrypted
         // This prevents re-queuing when replayed envelopes go through security again
         if (envelope.sec?.enc) {
-            logger$11.debug('skipping_encryption_already_encrypted', {
+            logger$12.debug('skipping_encryption_already_encrypted', {
                 envp_id: envelope.id,
                 destination: envelope.to ? String(envelope.to) : undefined,
             });
@@ -17387,14 +17323,14 @@ class EnvelopeSecurityHandler {
         try {
             const result = await this.encryptionManager.encryptEnvelope(envelope, normalizedOptions);
             if (result.status === exports.EncryptionStatus.QUEUED) {
-                logger$11.debug('envelope_queued_for_encryption', {
+                logger$12.debug('envelope_queued_for_encryption', {
                     envp_id: envelope.id,
                 });
                 await this.handleEncryptionQueueing(envelope, context, normalizedOptions);
                 return false;
             }
             if (result.status === exports.EncryptionStatus.OK) {
-                logger$11.debug('envelope_encrypted', { envp_id: envelope.id });
+                logger$12.debug('envelope_encrypted', { envp_id: envelope.id });
                 if (result.envelope) {
                     envelope.frame = result.envelope.frame;
                     envelope.sec = result.envelope.sec;
@@ -17402,17 +17338,17 @@ class EnvelopeSecurityHandler {
                 return true;
             }
             if (result.status === exports.EncryptionStatus.SKIPPED) {
-                logger$11.debug('envelope_encryption_skipped', { envp_id: envelope.id });
+                logger$12.debug('envelope_encryption_skipped', { envp_id: envelope.id });
                 return true;
             }
-            logger$11.warning('unknown_encryption_status', {
+            logger$12.warning('unknown_encryption_status', {
                 envp_id: envelope.id,
                 status: result.status,
             });
             return true;
         }
         catch (error) {
-            logger$11.error('encryption_failed', {
+            logger$12.error('encryption_failed', {
                 envp_id: envelope.id,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -17451,7 +17387,7 @@ class EnvelopeSecurityHandler {
             return;
         }
         if (normalizedOptions.encryptionType === 'channel') {
-            logger$11.debug('channel_encryption_queueing_handled_internally', {
+            logger$12.debug('channel_encryption_queueing_handled_internally', {
                 envp_id: envelope.id,
                 destination: normalizedOptions.destination
                     ? String(normalizedOptions.destination)
@@ -17459,13 +17395,13 @@ class EnvelopeSecurityHandler {
             });
             return;
         }
-        logger$11.warning('unknown_encryption_queueing_options', {
+        logger$12.warning('unknown_encryption_queueing_options', {
             envp_id: envelope.id,
             options: normalizedOptions,
         });
     }
     async handleFailedChannelEnvelopeCleanup(destination, reason) {
-        logger$11.debug('channel_handshake_failure_cleanup_attempted', {
+        logger$12.debug('channel_handshake_failure_cleanup_attempted', {
             destination,
             reason,
             note: 'envelope_cleanup_handled_by_encryption_manager',
@@ -17476,7 +17412,7 @@ class EnvelopeSecurityHandler {
     }
 }
 
-const logger$10 = getLogger('naylence.fame.node.secure_channel_frame_handler');
+const logger$11 = getLogger('naylence.fame.node.secure_channel_frame_handler');
 function isPlainRecord$1(value) {
     if (typeof value !== 'object' || value === null) {
         return false;
@@ -17566,7 +17502,7 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureOpen');
-        logger$10.debug('received_secure_open', {
+        logger$11.debug('received_secure_open', {
             cid: frame.cid,
             algorithm: frame.alg,
         });
@@ -17589,13 +17525,13 @@ class SecureChannelFrameHandler {
                 stickySid: envelope.sid ?? undefined,
                 expectedResponseType: core.FameResponseType.NONE,
             };
-            logger$10.debug('stickiness_requested_for_channel_encryption', {
+            logger$11.debug('stickiness_requested_for_channel_encryption', {
                 cid: frame.cid,
                 reason: 'secure_channel_established',
             });
         }
         await this.sendCallback(responseEnvelope, responseContext);
-        logger$10.debug('sent_secure_accept', { cid: frame.cid, ok: acceptFrame.ok });
+        logger$11.debug('sent_secure_accept', { cid: frame.cid, ok: acceptFrame.ok });
         if (acceptFrame.ok && this.envelopeSecurityHandler) {
             const destination = extractDestinationFromChannelId(frame.cid);
             if (destination) {
@@ -17607,13 +17543,13 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureAccept');
-        logger$10.debug('received_secure_accept', { cid: frame.cid, ok: frame.ok });
+        logger$11.debug('received_secure_accept', { cid: frame.cid, ok: frame.ok });
         const success = await this.secureChannelManager.handleAcceptFrame(frame);
         if (!success) {
-            logger$10.warning('failed_to_complete_channel', { cid: frame.cid });
+            logger$11.warning('failed_to_complete_channel', { cid: frame.cid });
         }
         else {
-            logger$10.debug('channel_established', { cid: frame.cid });
+            logger$11.debug('channel_established', { cid: frame.cid });
             if (this.envelopeSecurityHandler) {
                 const destination = extractDestinationFromChannelId(frame.cid);
                 if (destination) {
@@ -17625,7 +17561,7 @@ class SecureChannelFrameHandler {
             const destination = extractDestinationFromChannelId(frame.cid);
             if (destination) {
                 await this.envelopeSecurityHandler.handleChannelHandshakeFailed(frame.cid, destination, 'negative_secure_accept');
-                logger$10.debug('notified_handshake_failure', {
+                logger$11.debug('notified_handshake_failure', {
                     cid: frame.cid,
                     destination,
                 });
@@ -17636,7 +17572,7 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureClose');
-        logger$10.debug('received_secure_close', {
+        logger$11.debug('received_secure_close', {
             cid: frame.cid,
             reason: frame.reason,
         });
@@ -17694,7 +17630,7 @@ function createNodeDeliveryContext(options = {}) {
 class FameEnvironmentContext {
 }
 
-const FACTORY_META$19 = {
+const FACTORY_META$1a = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'DefaultNodeIdentityPolicy',
 };
@@ -17712,11 +17648,48 @@ class DefaultNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
 var defaultNodeIdentityPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     DefaultNodeIdentityPolicyFactory: DefaultNodeIdentityPolicyFactory,
-    FACTORY_META: FACTORY_META$19,
+    FACTORY_META: FACTORY_META$1a,
     default: DefaultNodeIdentityPolicyFactory
 });
 
-const logger$$ = getLogger('naylence.fame.node.token_subject_node_identity_policy');
+const TOKEN_PROVIDER_FACTORY_BASE_TYPE = 'TokenProviderFactory';
+class TokenProviderFactory extends factory.AbstractResourceFactory {
+    static async createTokenProvider(config, options = {}) {
+        if (config) {
+            const provider = await factory.createResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, config, options);
+            if (!provider) {
+                throw new Error('Failed to create token provider from configuration');
+            }
+            return provider;
+        }
+        let provider = null;
+        try {
+            provider = await factory.createDefaultResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, null, options);
+        }
+        catch (error) {
+            const message = 'Failed to create default token provider' +
+                (error instanceof Error && error.message ? `: ${error.message}` : '');
+            throw new Error(message);
+        }
+        if (!provider) {
+            throw new Error('Failed to create default token provider');
+        }
+        return provider;
+    }
+}
+
+function isTokenProvider(candidate) {
+    return (typeof candidate === 'object' &&
+        candidate !== null &&
+        typeof candidate.getToken === 'function');
+}
+function isIdentityExposingTokenProvider(candidate) {
+    return (isTokenProvider(candidate) &&
+        typeof candidate.getIdentity ===
+            'function');
+}
+
+const logger$10 = getLogger('naylence.fame.node.token_subject_node_identity_policy');
 class TokenSubjectNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -17728,7 +17701,7 @@ class TokenSubjectNodeIdentityPolicy {
         return core.generateIdAsync();
     }
     async resolveAdmissionNodeId(context) {
-        logger$$.debug('resolve_admission_node_id_start', {
+        logger$10.debug('resolve_admission_node_id_start', {
             grantsCount: context.grants?.length ?? 0,
             currentNodeId: context.currentNodeId,
         });
@@ -17737,31 +17710,31 @@ class TokenSubjectNodeIdentityPolicy {
                 try {
                     const auth = grant.auth;
                     if (!auth) {
-                        logger$$.debug('skipping_grant_no_auth', { grantType: grant.type });
+                        logger$10.debug('skipping_grant_no_auth', { grantType: grant.type });
                         continue;
                     }
                     const tokenProviderConfig = (auth.tokenProvider ??
                         auth.token_provider);
                     if (!tokenProviderConfig ||
                         typeof tokenProviderConfig.type !== 'string') {
-                        logger$$.debug('skipping_grant_invalid_token_provider_config', {
+                        logger$10.debug('skipping_grant_invalid_token_provider_config', {
                             grantType: grant.type,
                             config: tokenProviderConfig,
                         });
                         continue;
                     }
-                    logger$$.debug('creating_token_provider', {
+                    logger$10.debug('creating_token_provider', {
                         type: tokenProviderConfig.type,
                     });
                     const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
                     const isExposing = isIdentityExposingTokenProvider(provider);
-                    logger$$.debug('token_provider_created', {
+                    logger$10.debug('token_provider_created', {
                         type: tokenProviderConfig.type,
                         isIdentityExposing: isExposing,
                     });
                     if (isExposing) {
                         const identity = await provider.getIdentity();
-                        logger$$.debug('retrieved_identity', { identity });
+                        logger$10.debug('retrieved_identity', { identity });
                         if (identity && identity.subject) {
                             const hashedSubject = await core.generateIdAsync({
                                 mode: 'fingerprint',
@@ -17769,7 +17742,7 @@ class TokenSubjectNodeIdentityPolicy {
                                 length: 8,
                             });
                             const newNodeId = `${hashedSubject}-${context.currentNodeId}`;
-                            logger$$.info('resolved_identity_from_token', {
+                            logger$10.info('resolved_identity_from_token', {
                                 subject: identity.subject,
                                 hashedSubject,
                                 newNodeId,
@@ -17777,17 +17750,17 @@ class TokenSubjectNodeIdentityPolicy {
                             return newNodeId;
                         }
                         else {
-                            logger$$.debug('identity_missing_subject', { identity });
+                            logger$10.debug('identity_missing_subject', { identity });
                         }
                     }
                 }
                 catch (err) {
-                    logger$$.warning('failed_to_extract_identity_from_grant', { error: err });
+                    logger$10.warning('failed_to_extract_identity_from_grant', { error: err });
                 }
             }
         }
         else {
-            logger$$.debug('no_grants_available');
+            logger$10.debug('no_grants_available');
         }
         return context.currentNodeId;
     }
@@ -17798,7 +17771,7 @@ var tokenSubjectNodeIdentityPolicy = /*#__PURE__*/Object.freeze({
     TokenSubjectNodeIdentityPolicy: TokenSubjectNodeIdentityPolicy
 });
 
-const FACTORY_META$18 = {
+const FACTORY_META$19 = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'TokenSubjectNodeIdentityPolicy',
 };
@@ -17817,27 +17790,27 @@ class TokenSubjectNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
 
 var tokenSubjectNodeIdentityPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$18,
+    FACTORY_META: FACTORY_META$19,
     TokenSubjectNodeIdentityPolicyFactory: TokenSubjectNodeIdentityPolicyFactory,
     default: TokenSubjectNodeIdentityPolicyFactory
 });
 
-const logger$_ = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
-const PROFILE_NAME_DEFAULT = 'default';
+const logger$$ = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
+const PROFILE_NAME_DEFAULT$1 = 'default';
 const PROFILE_NAME_TOKEN_SUBJECT = 'token-subject';
 const PROFILE_NAME_TOKEN_SUBJECT_ALIAS = 'token_subject';
-const DEFAULT_PROFILE = {
+const DEFAULT_PROFILE$1 = {
     type: 'DefaultNodeIdentityPolicy',
 };
 const TOKEN_SUBJECT_PROFILE = {
     type: 'TokenSubjectNodeIdentityPolicy',
 };
-const PROFILE_MAP$5 = {
-    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+const PROFILE_MAP$6 = {
+    [PROFILE_NAME_DEFAULT$1]: DEFAULT_PROFILE$1,
     [PROFILE_NAME_TOKEN_SUBJECT]: TOKEN_SUBJECT_PROFILE,
     [PROFILE_NAME_TOKEN_SUBJECT_ALIAS]: TOKEN_SUBJECT_PROFILE,
 };
-const FACTORY_META$17 = {
+const FACTORY_META$18 = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'NodeIdentityPolicyProfile',
 };
@@ -17847,17 +17820,17 @@ class NodeIdentityPolicyProfileFactory extends NodeIdentityPolicyFactory {
         this.type = 'NodeIdentityPolicyProfile';
     }
     async create(config) {
-        const normalized = normalizeConfig$w(config);
-        const profileConfig = resolveProfileConfig$4(normalized.profile);
-        logger$_.debug('enabling_node_identity_policy_profile', {
+        const normalized = normalizeConfig$x(config);
+        const profileConfig = resolveProfileConfig$5(normalized.profile);
+        logger$$.debug('enabling_node_identity_policy_profile', {
             profile: normalized.profile,
         });
         return NodeIdentityPolicyFactory.createNodeIdentityPolicy(profileConfig);
     }
 }
-function normalizeConfig$w(config) {
+function normalizeConfig$x(config) {
     if (!config) {
-        return { profile: PROFILE_NAME_DEFAULT };
+        return { profile: PROFILE_NAME_DEFAULT$1 };
     }
     const candidate = config;
     const profileValue = typeof candidate.profile === 'string' && candidate.profile.trim().length > 0
@@ -17868,24 +17841,24 @@ function normalizeConfig$w(config) {
             : typeof candidate.profileName === 'string' &&
                 candidate.profileName.trim().length > 0
                 ? candidate.profileName
-                : PROFILE_NAME_DEFAULT;
+                : PROFILE_NAME_DEFAULT$1;
     const normalizedProfile = profileValue.trim().toLowerCase();
     return { profile: normalizedProfile };
 }
-function resolveProfileConfig$4(profileName) {
-    const profile = PROFILE_MAP$5[profileName];
+function resolveProfileConfig$5(profileName) {
+    const profile = PROFILE_MAP$6[profileName];
     if (!profile) {
         throw new Error(`Unknown node identity policy profile: ${profileName}`);
     }
-    return deepClone$4(profile);
+    return deepClone$5(profile);
 }
-function deepClone$4(value) {
+function deepClone$5(value) {
     return JSON.parse(JSON.stringify(value));
 }
 
 var nodeIdentityPolicyProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$17,
+    FACTORY_META: FACTORY_META$18,
     NodeIdentityPolicyProfileFactory: NodeIdentityPolicyProfileFactory,
     default: NodeIdentityPolicyProfileFactory
 });
@@ -17938,8 +17911,8 @@ class DefaultConnectionRetryPolicy {
     }
 }
 
-const logger$Z = getLogger('naylence.fame.node.default-connection-retry-policy-factory');
-const FACTORY_META$16 = {
+const logger$_ = getLogger('naylence.fame.node.default-connection-retry-policy-factory');
+const FACTORY_META$17 = {
     base: CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE,
     key: 'DefaultConnectionRetryPolicy',
 };
@@ -17960,7 +17933,7 @@ class DefaultConnectionRetryPolicyFactory extends ConnectionRetryPolicyFactory {
             }
         }
         const policy = new DefaultConnectionRetryPolicy(options);
-        logger$Z.debug('connection_retry_policy_created', {
+        logger$_.debug('connection_retry_policy_created', {
             maxInitialAttempts: policy.maxInitialAttempts,
         });
         return policy;
@@ -17970,7 +17943,7 @@ class DefaultConnectionRetryPolicyFactory extends ConnectionRetryPolicyFactory {
 var defaultConnectionRetryPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     DefaultConnectionRetryPolicyFactory: DefaultConnectionRetryPolicyFactory,
-    FACTORY_META: FACTORY_META$16,
+    FACTORY_META: FACTORY_META$17,
     default: DefaultConnectionRetryPolicyFactory
 });
 
@@ -17985,7 +17958,7 @@ class LoadBalancerStickinessManagerFactory extends factory.AbstractResourceFacto
     }
 }
 
-const logger$Y = getLogger('naylence.fame.sentinel.load_balancing.composite_load_balancing_strategy');
+const logger$Z = getLogger('naylence.fame.sentinel.load_balancing.composite_load_balancing_strategy');
 class CompositeLoadBalancingStrategy {
     constructor(strategies) {
         if (!strategies.length) {
@@ -18002,7 +17975,7 @@ class CompositeLoadBalancingStrategy {
             try {
                 const result = strategy.choose(poolKey, segments, envelope);
                 if (result !== null) {
-                    logger$Y.debug('composite_strategy_success', {
+                    logger$Z.debug('composite_strategy_success', {
                         envelopeId: envelope.id,
                         poolKey,
                         strategyIndex: index,
@@ -18013,7 +17986,7 @@ class CompositeLoadBalancingStrategy {
                 }
             }
             catch (error) {
-                logger$Y.warning('composite_strategy_error', {
+                logger$Z.warning('composite_strategy_error', {
                     envelopeId: envelope.id,
                     poolKey,
                     strategyIndex: index,
@@ -18022,7 +17995,7 @@ class CompositeLoadBalancingStrategy {
                 });
             }
         }
-        logger$Y.debug('composite_strategy_all_failed', {
+        logger$Z.debug('composite_strategy_all_failed', {
             envelopeId: envelope.id,
             poolKey,
             strategyCount: this.strategies.length,
@@ -18031,7 +18004,7 @@ class CompositeLoadBalancingStrategy {
     }
 }
 
-const logger$X = getLogger('naylence.fame.sentinel.load_balancing.sticky_load_balancing_strategy');
+const logger$Y = getLogger('naylence.fame.sentinel.load_balancing.sticky_load_balancing_strategy');
 class StickyLoadBalancingStrategy {
     constructor(stickinessManager) {
         this.lastChosenReplica = null;
@@ -18046,7 +18019,7 @@ class StickyLoadBalancingStrategy {
         }
         const stickyReplica = this.stickinessManager.getStickyReplicaSegment(envelope, segments);
         if (stickyReplica && segments.includes(stickyReplica)) {
-            logger$X.debug('routing_via_stickiness', {
+            logger$Y.debug('routing_via_stickiness', {
                 envelopeId: envelope.id,
                 poolKey,
                 replicaId: stickyReplica,
@@ -18056,7 +18029,7 @@ class StickyLoadBalancingStrategy {
             this.lastChosenReplica = stickyReplica;
             return stickyReplica;
         }
-        logger$X.debug('no_stickiness_match_fallback', {
+        logger$Y.debug('no_stickiness_match_fallback', {
             envelopeId: envelope.id,
             poolKey,
             aftPresent: Boolean(envelope.aft),
@@ -18144,7 +18117,7 @@ class RouteStoreFactory extends factory.AbstractResourceFactory {
         return store ?? null;
     }
 }
-const FACTORY_META$15 = {
+const FACTORY_META$16 = {
     base: ROUTE_STORE_FACTORY_BASE_TYPE,
     key: 'InMemoryRouteStore',
 };
@@ -18162,7 +18135,7 @@ class InMemoryRouteStoreFactory extends RouteStoreFactory {
 
 var routeStoreFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$15,
+    FACTORY_META: FACTORY_META$16,
     InMemoryRouteStoreFactory: InMemoryRouteStoreFactory,
     ROUTE_STORE_FACTORY_BASE_TYPE: ROUTE_STORE_FACTORY_BASE_TYPE,
     RouteStoreFactory: RouteStoreFactory,
@@ -18394,7 +18367,7 @@ function resolveRecordArray(primary, secondary) {
     return pickRecordArray(candidate) ?? undefined;
 }
 
-const logger$W = getLogger('naylence.fame.sentinel.route_manager');
+const logger$X = getLogger('naylence.fame.sentinel.route_manager');
 const DEFAULT_CONNECTOR_CLEANUP_DELAY_MS$1 = 200;
 function normalizeRouteManagerOptions(options) {
     const { route_store, get_id, cleanup_delay_ms, retain_address_bindings_on_disconnect, ...rest } = options;
@@ -18478,7 +18451,7 @@ class RouteManager extends TaskSpawner {
                 await this.safeStop(entry.connector);
             }
             catch (error) {
-                logger$W.debug('pending_route_stop_failed', {
+                logger$X.debug('pending_route_stop_failed', {
                     error: error instanceof Error ? error.message : String(error),
                 });
             }
@@ -18501,7 +18474,7 @@ class RouteManager extends TaskSpawner {
             this.cancelPendingCleanup(segment);
             this.downstreamRoutes.set(segment, route);
         });
-        logger$W.debug('registered_downstream_route', { route: segment });
+        logger$X.debug('registered_downstream_route', { route: segment });
     }
     async unregisterDownstreamRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -18517,7 +18490,7 @@ class RouteManager extends TaskSpawner {
             this.cancelPendingCleanup(segment);
             this._peer_routes.set(segment, route);
         });
-        logger$W.debug('registered_peer_route', { route: segment });
+        logger$X.debug('registered_peer_route', { route: segment });
     }
     async unregisterPeerRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -18535,11 +18508,11 @@ class RouteManager extends TaskSpawner {
         await Promise.all(entryTuples.map(async ([segment, entry]) => {
             const normalized = this.normalizeEntry(entry);
             if (!normalized.connectorConfig) {
-                logger$W.warning('route_restore_missing_config', { segment });
+                logger$X.warning('route_restore_missing_config', { segment });
                 return;
             }
             if (normalized.attachExpiresAt && normalized.attachExpiresAt < now) {
-                logger$W.debug('skipping_expired_route', { segment });
+                logger$X.debug('skipping_expired_route', { segment });
                 return;
             }
             const authorization = this.parseAuthorization(normalized.metadata);
@@ -18572,7 +18545,7 @@ class RouteManager extends TaskSpawner {
                 }
                 catch (error) {
                     if (this.isTransientError(error)) {
-                        logger$W.warning('transient_restore_failure', {
+                        logger$X.warning('transient_restore_failure', {
                             segment,
                             attempt,
                             error: error instanceof Error ? error.message : String(error),
@@ -18581,7 +18554,7 @@ class RouteManager extends TaskSpawner {
                         backoff *= 2;
                         continue;
                     }
-                    logger$W.error('failed_to_restore_route', {
+                    logger$X.error('failed_to_restore_route', {
                         segment,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -18610,13 +18583,13 @@ class RouteManager extends TaskSpawner {
         await this._downstream_route_store
             .delete(segment)
             .catch((error) => {
-            logger$W.warning('route_expiration_delete_failed', {
+            logger$X.warning('route_expiration_delete_failed', {
                 segment,
                 error: error instanceof Error ? error.message : String(error),
             });
         });
         this.purgeRouteReferences(segment);
-        logger$W.debug('expired_route', { route: segment });
+        logger$X.debug('expired_route', { route: segment });
     }
     async removeDownstreamRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -18674,7 +18647,7 @@ class RouteManager extends TaskSpawner {
             this.purgeRouteReferences(segment);
         }
         await store.delete(segment).catch((error) => {
-            logger$W.warning('route_delete_failed', {
+            logger$X.warning('route_delete_failed', {
                 segment,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -18693,7 +18666,7 @@ class RouteManager extends TaskSpawner {
             caller_stack: captureStack ? captureCallerStack() : undefined,
             retained_addresses: retainAddresses,
         };
-        logger$W.debug('removed_route', removalMeta);
+        logger$X.debug('removed_route', removalMeta);
     }
     purgeRouteReferences(segment) {
         for (const [address, info] of this._downstream_addresses_routes.entries()) {
@@ -18748,10 +18721,10 @@ class RouteManager extends TaskSpawner {
             }
             catch (error) {
                 if (combined.signal.aborted) {
-                    logger$W.debug('connector_cleanup_cancelled', { segment });
+                    logger$X.debug('connector_cleanup_cancelled', { segment });
                 }
                 else {
-                    logger$W.debug('connector_cleanup_delay_failed', {
+                    logger$X.debug('connector_cleanup_delay_failed', {
                         segment,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -18774,7 +18747,7 @@ class RouteManager extends TaskSpawner {
         }
         catch (error) {
             if (error instanceof Error) {
-                logger$W.debug('connector_stop_ignored', { error: error.message });
+                logger$X.debug('connector_stop_ignored', { error: error.message });
             }
         }
         for (const [flowId, peer] of this.flowRoutes.entries()) {
@@ -18799,12 +18772,12 @@ class RouteManager extends TaskSpawner {
             }
         }
         catch (error) {
-            logger$W.error('janitor_loop_error', {
+            logger$X.error('janitor_loop_error', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
         finally {
-            logger$W.debug('janitor_loop_exited');
+            logger$X.debug('janitor_loop_exited');
         }
     }
     async scanStoreForExpirations(store, now, kind) {
@@ -18824,13 +18797,13 @@ class RouteManager extends TaskSpawner {
                 }
             });
             await store.delete(segment).catch((error) => {
-                logger$W.warning('route_auto_expire_delete_failed', {
+                logger$X.warning('route_auto_expire_delete_failed', {
                     segment,
                     error: error instanceof Error ? error.message : String(error),
                 });
             });
             this.purgeRouteReferences(segment);
-            logger$W.debug('auto_expired_route', { segment });
+            logger$X.debug('auto_expired_route', { segment });
         }));
     }
     parseAuthorization(metadata) {
@@ -18853,7 +18826,7 @@ class RouteManager extends TaskSpawner {
             return { ...base, ...extraFields };
         }
         catch (error) {
-            logger$W.error('corrupt_route_metadata', {
+            logger$X.error('corrupt_route_metadata', {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
@@ -18929,12 +18902,12 @@ function captureCallerStack(skip = 3, depth = 6) {
     return frames.map((frame) => frame.trim()).join(' | ');
 }
 
-const logger$V = getLogger('naylence.fame.sentinel.router');
+const logger$W = getLogger('naylence.fame.sentinel.router');
 const ZERO_EPH_PUB_BASE64 = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';
 class Drop {
     async execute(envelope, router, state, context) {
         await emitDeliveryNack(envelope, router, state, 'NO_ROUTE', context ?? undefined);
-        logger$V.debug('dropped_envelope', Object.assign(summarizeEnvelope(envelope, ''), {
+        logger$W.debug('dropped_envelope', Object.assign(summarizeEnvelope(envelope, ''), {
             localAddresses: Array.from(state.local.values()),
             downstreamRoutes: Array.from(state.downstreamAddressRoutes.entries()),
             peerRoutes: Array.from(state.peerAddressRoutes.entries()),
@@ -18964,7 +18937,7 @@ class ForwardChild {
         }
         catch (error) {
             if (error instanceof FameTransportClose) {
-                logger$V.error('transport_closed_forward_child', {
+                logger$W.error('transport_closed_forward_child', {
                     segment: this.segment,
                     error: error.message,
                 });
@@ -18996,7 +18969,7 @@ class ForwardPeer {
         }
         catch (error) {
             if (error instanceof FameTransportClose) {
-                logger$V.error('transport_closed_forward_peer', {
+                logger$W.error('transport_closed_forward_peer', {
                     segment: this.segment,
                     error: error.message,
                 });
@@ -19031,7 +19004,7 @@ class Deny {
     async execute(envelope, router, state, context) {
         const { internalReason, deniedAction, matchedRule, context: extraContext, disclosure = 'opaque', } = this.options;
         // Log detailed denial internally
-        logger$V.warning('route_authorization_denied', {
+        logger$W.warning('route_authorization_denied', {
             envp_id: envelope.id,
             frame_type: envelope.frame?.type ?? null,
             to: envelope.to?.toString() ?? null,
@@ -19077,7 +19050,7 @@ function mapRoutingActionToAuthorizationAction(action) {
         return null;
     }
     // Unknown RoutingAction: return null, caller should deny by default
-    logger$V.warning('unknown_routing_action_for_authorization', {
+    logger$W.warning('unknown_routing_action_for_authorization', {
         action_type: action?.constructor?.name ?? 'unknown',
     });
     return null;
@@ -19110,7 +19083,7 @@ async function emitDeliveryNack(envelope, routingNode, state, code, context) {
         return;
     }
     if (!state.envelopeFactory) {
-        logger$V.warning('router_missing_envelope_factory', summarizeEnvelope(envelope));
+        logger$W.warning('router_missing_envelope_factory', summarizeEnvelope(envelope));
         return;
     }
     const nackFrame = createNackFrame(envelope, code);
@@ -19141,7 +19114,7 @@ async function emitDeliveryNack(envelope, routingNode, state, code, context) {
         }
     }
     catch (error) {
-        logger$V.warning('nack_forward_failed', {
+        logger$W.warning('nack_forward_failed', {
             error: error instanceof Error ? error.message : String(error),
             ...summarizeEnvelope(envelope),
         });
@@ -19347,7 +19320,7 @@ class HRWLoadBalancingStrategy {
     }
 }
 
-const logger$U = getLogger('naylence.fame.sentinel.capability_aware_routing_policy');
+const logger$V = getLogger('naylence.fame.sentinel.capability_aware_routing_policy');
 function normalizeOptions$i(options) {
     if (!options || typeof options !== 'object') {
         return {};
@@ -19399,7 +19372,7 @@ class CapabilityAwareRoutingPolicy {
             if (chosenSegment) {
                 return new ForwardChild(chosenSegment);
             }
-            logger$U.warning('capability_policy_lb_failed', {
+            logger$V.warning('capability_policy_lb_failed', {
                 segments: providerSegments,
                 capabilities,
                 ...summarizeEnvelope(envelope),
@@ -19428,7 +19401,7 @@ class CapabilityAwareRoutingPolicy {
             }
         }
         catch (error) {
-            logger$U.warning('capability_policy_resolve_failed', {
+            logger$V.warning('capability_policy_resolve_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -19665,7 +19638,7 @@ function toFameAddress(address) {
     return address instanceof core.FameAddress ? address : new core.FameAddress(address);
 }
 
-const logger$T = getLogger('naylence.fame.sentinel.node_attach_frame_handler');
+const logger$U = getLogger('naylence.fame.sentinel.node_attach_frame_handler');
 const DOWNSTREAM_ORIGINS = new Set([
     core.DeliveryOriginType.DOWNSTREAM,
     core.DeliveryOriginType.PEER,
@@ -19758,7 +19731,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
         this.maxTtlSec = options.maxTtlSec ?? null;
     }
     async acceptNodeAttach(envelope, context) {
-        logger$T.debug('handling_node_attach_request');
+        logger$U.debug('handling_node_attach_request');
         const normalizedContext = this.normalizeContext(context);
         const frame = this.normalizeNodeAttachFrame(envelope.frame);
         if (frame.type !== 'NodeAttach') {
@@ -19803,14 +19776,14 @@ class NodeAttachFrameHandler extends TaskSpawner {
         let isRebind = false;
         if (frame.originType === core.DeliveryOriginType.DOWNSTREAM) {
             const hasExistingRoute = this.routeManager.downstreamRoutes.has(attachedSystemId);
-            logger$T.debug('checking_for_existing_route', {
+            logger$U.debug('checking_for_existing_route', {
                 system_id: attachedSystemId,
                 has_existing: hasExistingRoute,
                 existing_routes: Array.from(this.routeManager.downstreamRoutes.keys()),
             });
             if (hasExistingRoute) {
                 isRebind = true;
-                logger$T.warning('rebinding_existing_downstream_route', {
+                logger$U.warning('rebinding_existing_downstream_route', {
                     system_id: attachedSystemId,
                 });
                 oldAssignedPath = buildAssignedPath$1(this.routingNode.physicalPath, attachedSystemId);
@@ -19829,7 +19802,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     meta: { systemId: attachedSystemId },
                 })
                     .catch((error) => {
-                    logger$T.warning('failed_to_unregister_downstream_route_before_rebind', {
+                    logger$U.warning('failed_to_unregister_downstream_route_before_rebind', {
                         system_id: attachedSystemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -19846,7 +19819,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                             for (const address of orphanedAddresses) {
                                 encryptionMgr.clearChannelCacheForDestination(address);
                             }
-                            logger$T.debug('cleared_channel_cache_for_rebind', {
+                            logger$U.debug('cleared_channel_cache_for_rebind', {
                                 system_id: attachedSystemId,
                                 addresses: orphanedAddresses,
                             });
@@ -19858,7 +19831,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                                     encryptionMgr.removeChannelsForDestination(address);
                             }
                             if (totalRemoved > 0) {
-                                logger$T.debug('removed_channel_states_for_rebind', {
+                                logger$U.debug('removed_channel_states_for_rebind', {
                                     system_id: attachedSystemId,
                                     channels_removed: totalRemoved,
                                 });
@@ -19866,7 +19839,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                         }
                     }
                     catch (error) {
-                        logger$T.warning('failed_to_cleanup_channels_for_rebind', {
+                        logger$U.warning('failed_to_cleanup_channels_for_rebind', {
                             system_id: attachedSystemId,
                             error: error instanceof Error ? error.message : String(error),
                         });
@@ -19889,7 +19862,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     meta: { systemId: attachedSystemId },
                 })
                     .catch((error) => {
-                    logger$T.warning('failed_to_unregister_peer_route_before_rebind', {
+                    logger$U.warning('failed_to_unregister_peer_route_before_rebind', {
                         system_id: attachedSystemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -19927,7 +19900,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                 ? { stickiness: negotiatedStickiness }
                 : {}),
         });
-        logger$T.debug('sending_node_attach_ack', {
+        logger$U.debug('sending_node_attach_ack', {
             env_id: ackEnvelope.id ?? 'unknown',
         });
         await this.sendAndNotify(connector, ackEnvelope, attachedSystemId, normalizedContext);
@@ -19974,7 +19947,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
             return this.stickinessManager.negotiate(stickiness);
         }
         catch (error) {
-            logger$T.debug('stickiness_negotiate_skipped', {
+            logger$U.debug('stickiness_negotiate_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
@@ -19990,13 +19963,13 @@ class NodeAttachFrameHandler extends TaskSpawner {
         }
         if (!attachExpiresAt || earliestKeyExpiry < attachExpiresAt) {
             if (attachExpiresAt) {
-                logger$T.warning('attachment_ttl_limited_by_key_expiry', {
+                logger$U.warning('attachment_ttl_limited_by_key_expiry', {
                     limited_attach_expires_at: earliestKeyExpiry.toISOString(),
                     original_attach_expires_at: attachExpiresAt.toISOString(),
                 });
             }
             else {
-                logger$T.debug('attachment_ttl_set_by_key_expiry', {
+                logger$U.debug('attachment_ttl_set_by_key_expiry', {
                     attach_expires_at: earliestKeyExpiry.toISOString(),
                     reason: 'no_max_ttl_configured',
                 });
@@ -20007,7 +19980,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
     }
     async validateAttachmentKeys(frame, envelope, connector, context, systemId) {
         if (!this.attachmentKeyValidator) {
-            logger$T.debug('child_key_validation_skipped', {
+            logger$U.debug('child_key_validation_skipped', {
                 child_id: systemId,
                 reason: 'no_validator',
             });
@@ -20023,7 +19996,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                 }
             }
             if (keyInfos.length > 0) {
-                logger$T.debug('node_attach_key_validation_passed', {
+                logger$U.debug('node_attach_key_validation_passed', {
                     system_id: systemId,
                     instance_id: frame.instanceId,
                     correlation_id: envelope.corrId,
@@ -20043,13 +20016,13 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     reason: `Certificate validation failed: ${error.message}`,
                 });
                 await this.sendAndNotify(connector, rejectionAck, systemId, context).catch((sendError) => {
-                    logger$T.error('failed_sending_negative_attach_ack', {
+                    logger$U.error('failed_sending_negative_attach_ack', {
                         error: sendError instanceof Error
                             ? sendError.message
                             : String(sendError),
                     });
                 });
-                logger$T.error('node_attach_key_validation_failed', {
+                logger$U.error('node_attach_key_validation_failed', {
                     system_id: systemId,
                     instance_id: frame.instanceId,
                     correlation_id: envelope.corrId,
@@ -20115,10 +20088,10 @@ class NodeAttachFrameHandler extends TaskSpawner {
         try {
             await delay(delaySeconds * 1000);
             await connector.close(1008, 'attach-unauthorized');
-            logger$T.debug('closed_unauthorized_connection');
+            logger$U.debug('closed_unauthorized_connection');
         }
         catch (error) {
-            logger$T.error('failed_to_close_unauthorized_connection', {
+            logger$U.error('failed_to_close_unauthorized_connection', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -20231,7 +20204,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
     }
 }
 
-const logger$S = getLogger('naylence.fame.sentinel.address_bind_frame_handler');
+const logger$T = getLogger('naylence.fame.sentinel.address_bind_frame_handler');
 const RESERVED_ADDRESS_NAMES = new Set(['__sys__', '__rpc__']);
 function pickManagerField(manager, keys) {
     const record = manager;
@@ -20555,7 +20528,7 @@ class AddressBindFrameHandler {
         if (this.routingNode.forwardToPeers) {
             await this.routingNode.forwardToPeers(envelope, undefined, [sourceSystemId], context);
         }
-        logger$S.debug('address_bound', {
+        logger$T.debug('address_bound', {
             address: addressStr,
             segment: sourceSystemId,
         });
@@ -20653,7 +20626,7 @@ class AddressBindFrameHandler {
             }
             await this.routingNode.forwardToRoute(sourceSystemId, ackEnvelope, ackContext);
         }
-        logger$S.debug('address_unbound', {
+        logger$T.debug('address_unbound', {
             address: addressStr,
             segment: sourceSystemId,
         });
@@ -20671,7 +20644,7 @@ class AddressBindFrameHandler {
     }
 }
 
-const logger$R = getLogger('naylence.fame.sentinel.node_heartbeat_frame_handler');
+const logger$S = getLogger('naylence.fame.sentinel.node_heartbeat_frame_handler');
 function normalizeOptions$h(options) {
     if (!options || typeof options !== 'object') {
         throw new Error('NodeHeartbeatFrameHandler requires a routingNode option');
@@ -20708,7 +20681,7 @@ class NodeHeartbeatFrameHandler {
         if (!frame || frame.type !== 'NodeHeartbeat') {
             throw new Error(`Invalid envelope frame. Expected: NodeHeartbeatFrame, actual: ${frame?.type ?? 'unknown'}`);
         }
-        logger$R.trace('handling_heartbeat', {
+        logger$S.trace('handling_heartbeat', {
             hb_system_id: frame.systemId ?? 'unknown',
             hb_env_id: envelope.id ?? 'unknown',
             hb_corr_id: envelope.corrId ?? 'unknown',
@@ -20736,7 +20709,7 @@ class NodeHeartbeatFrameHandler {
             ...(envelope.corrId ? { corrId: envelope.corrId } : {}),
             ...(envelope.traceId ? { traceId: envelope.traceId } : {}),
         });
-        logger$R.debug('sending_heartbeat_ack', {
+        logger$S.debug('sending_heartbeat_ack', {
             hb_ack_env_id: ackEnvelope.id ?? 'unknown',
             hb_ack_corr_id: ackEnvelope.corrId ?? 'unknown',
         });
@@ -20764,7 +20737,7 @@ class NodeHeartbeatFrameHandler {
     }
 }
 
-const logger$Q = getLogger('naylence.fame.sentinel.capability_frame_handler');
+const logger$R = getLogger('naylence.fame.sentinel.capability_frame_handler');
 class CapabilityFrameHandler {
     constructor(options) {
         this.capabilityRoutes = new Map();
@@ -20791,7 +20764,7 @@ class CapabilityFrameHandler {
         const segment = this.getSourceSystemId(context);
         const downstreamRoutes = getDownstreamRoutes(this.routeManager);
         if (!segment || !hasRoute(downstreamRoutes, segment)) {
-            logger$Q.debug('capability_advertise_unknown_segment', { segment });
+            logger$R.debug('capability_advertise_unknown_segment', { segment });
             return;
         }
         const addressKey = this.normalizeAddress(frame.address);
@@ -20824,7 +20797,7 @@ class CapabilityFrameHandler {
         }
         const segment = this.getSourceSystemId(context);
         if (!segment) {
-            logger$Q.debug('capability_withdraw_missing_segment');
+            logger$R.debug('capability_withdraw_missing_segment');
             return;
         }
         const addressKey = this.normalizeAddress(frame.address);
@@ -20878,7 +20851,7 @@ class CapabilityFrameHandler {
     async forwardAckToSegment(segment, ackFrame, originalEnvelope, ackContext) {
         const envelopeFactory = this.routingNode.envelopeFactory;
         if (!envelopeFactory) {
-            logger$Q.warning('missing_envelope_factory_for_capability_ack');
+            logger$R.warning('missing_envelope_factory_for_capability_ack');
             return;
         }
         const ackEnvelope = envelopeFactory.createEnvelope({
@@ -20941,7 +20914,7 @@ function getStickySid(context) {
     return typed.stickySid ?? typed.sticky_sid ?? undefined;
 }
 
-const logger$P = getLogger('naylence.fame.sentinel.credit_update_frame_handler');
+const logger$Q = getLogger('naylence.fame.sentinel.credit_update_frame_handler');
 function normalizeOptions$g(options) {
     if (!options || typeof options !== 'object') {
         throw new Error('CreditUpdateFrameHandler requires a routeManager option');
@@ -20961,12 +20934,12 @@ class CreditUpdateFrameHandler {
     async acceptCreditUpdate(envelope, context) {
         const flowId = envelope.flowId;
         if (!flowId) {
-            logger$P.warning('credit_update_missing_flow_id');
+            logger$Q.warning('credit_update_missing_flow_id');
             return;
         }
         const targetConnector = this.routeManager.getFlowRoute(flowId);
         if (!targetConnector) {
-            logger$P.warning('credit_update_unknown_flow', { flowId });
+            logger$Q.warning('credit_update_unknown_flow', { flowId });
             return;
         }
         if (context?.fromConnector && context.fromConnector === targetConnector) {
@@ -20976,7 +20949,7 @@ class CreditUpdateFrameHandler {
     }
 }
 
-const logger$O = getLogger('naylence.fame.sentinel.sentinel');
+const logger$P = getLogger('naylence.fame.sentinel.sentinel');
 const ALLOWED_BEFORE_ATTACH = new Set(['NodeAttach']);
 const SYSTEM_INBOX = '__sys__';
 const RESERVED_UPSTREAM_ADDRESS_NAMES = new Set(['__sys__', '__rpc__']);
@@ -21070,7 +21043,7 @@ class Sentinel extends FameNode {
                 routeStore = createPersistentRouteStore(this.storageProvider);
             }
             catch (error) {
-                logger$O.warning('persistent_route_store_unavailable', {
+                logger$P.warning('persistent_route_store_unavailable', {
                     error: error instanceof Error ? error.message : String(error),
                 });
                 routeStore = getDefaultRouteStore();
@@ -21152,7 +21125,7 @@ class Sentinel extends FameNode {
     bumpRoutingEpoch() {
         const previousEpoch = this.routingEpochValue;
         this.routingEpochValue = core.generateId();
-        logger$O.debug('routing_epoch_bumped', {
+        logger$P.debug('routing_epoch_bumped', {
             previous_epoch: previousEpoch,
             new_epoch: this.routingEpochValue,
         });
@@ -21243,7 +21216,7 @@ class Sentinel extends FameNode {
     }
     async forwardToRoute(nextSegment, envelope, context) {
         if (this.originMatches(context, nextSegment, core.DeliveryOriginType.DOWNSTREAM)) {
-            logger$O.debug('downstream_loop_detected', {
+            logger$P.debug('downstream_loop_detected', {
                 envp_id: envelope.id,
                 segment: nextSegment,
             });
@@ -21256,14 +21229,14 @@ class Sentinel extends FameNode {
             }
             const connector = this.routeManager.downstreamRoutes.get(nextSegment);
             if (!connector) {
-                logger$O.warning('no_route_for_child_segment', { segment: nextSegment });
+                logger$P.warning('no_route_for_child_segment', { segment: nextSegment });
                 await this.emitDeliveryNack(processed, {
                     code: 'CHILD_UNREACHABLE',
                     context: context ?? null,
                 });
                 return;
             }
-            logger$O.debug('forwarding_downstream', {
+            logger$P.debug('forwarding_downstream', {
                 ...summarizeEnvelope(processed, ''),
                 route: nextSegment,
             });
@@ -21280,7 +21253,7 @@ class Sentinel extends FameNode {
     }
     async forwardToPeer(peerSegment, envelope, context) {
         if (this.originMatches(context, peerSegment, core.DeliveryOriginType.PEER)) {
-            logger$O.debug('peer_loop_detected', {
+            logger$P.debug('peer_loop_detected', {
                 envp_id: envelope.id,
                 segment: peerSegment,
             });
@@ -21291,7 +21264,7 @@ class Sentinel extends FameNode {
         }
         const connector = this.routeManager._peer_routes.get(peerSegment);
         if (!connector) {
-            logger$O.warning('no_route_for_peer_segment', {
+            logger$P.warning('no_route_for_peer_segment', {
                 peer_segment: peerSegment,
             });
             await this.emitDeliveryNack(processed, {
@@ -21334,7 +21307,7 @@ class Sentinel extends FameNode {
     }
     async forwardUpstream(envelope, context) {
         if (context?.originType === core.DeliveryOriginType.UPSTREAM) {
-            logger$O.debug('skipping_forward_upstream', {
+            logger$P.debug('skipping_forward_upstream', {
                 envp_id: envelope.id,
                 origin_type: context.originType,
             });
@@ -21454,7 +21427,7 @@ class Sentinel extends FameNode {
                 }
                 catch (error) {
                     if (!combined.signal.aborted) {
-                        logger$O.debug('attach_timeout_delay_failed', {
+                        logger$P.debug('attach_timeout_delay_failed', {
                             system_id: systemId,
                             error: error instanceof Error ? error.message : String(error),
                         });
@@ -21481,12 +21454,12 @@ class Sentinel extends FameNode {
                     await connector.stop();
                 }
                 catch (error) {
-                    logger$O.debug('attach_timeout_stop_failed', {
+                    logger$P.debug('attach_timeout_stop_failed', {
                         system_id: systemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
                 }
-                logger$O.warning('attach_timeout_expired', {
+                logger$P.warning('attach_timeout_expired', {
                     system_id: systemId,
                     timeout_ms: timeoutMs,
                 });
@@ -21540,7 +21513,7 @@ class Sentinel extends FameNode {
                     return new core.FameAddress(addressKey);
                 }
                 catch (error) {
-                    logger$O.debug('invalid_capability_address', {
+                    logger$P.debug('invalid_capability_address', {
                         capability,
                         address: addressKey,
                         error: error instanceof Error ? error.message : String(error),
@@ -21696,7 +21669,7 @@ class Sentinel extends FameNode {
     }
     async propagateAddressBindingsUpstream() {
         if (!this.hasParent) {
-            logger$O.warning('No upstream defined to rebind addresses');
+            logger$P.warning('No upstream defined to rebind addresses');
             return;
         }
         const entries = Array.from(this.routeManager._downstream_addresses_routes.entries());
@@ -21719,7 +21692,7 @@ class Sentinel extends FameNode {
                 await this.bindAddressUpstream(new core.FameAddress(address), info);
             }
             catch (error) {
-                logger$O.error('rebind_failed', {
+                logger$P.error('rebind_failed', {
                     address,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -21817,7 +21790,7 @@ class Sentinel extends FameNode {
             }
             catch (error) {
                 // Hook threw => treat as denial, execute Drop
-                logger$O.warning('routing_action_hook_error', {
+                logger$P.warning('routing_action_hook_error', {
                     envp_id: envelope.id,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -21841,7 +21814,7 @@ class Sentinel extends FameNode {
         }
         const abortSignal = signal ?? null;
         if (abortSignal?.aborted) {
-            logger$O.info('shutdown_signal_received', { signal: 'abort' });
+            logger$P.info('shutdown_signal_received', { signal: 'abort' });
             return;
         }
         // Build fabric options, preferring rootConfig if provided
@@ -21857,7 +21830,7 @@ class Sentinel extends FameNode {
         if (node !== null) {
             fabricCreateOptions.node = node;
         }
-        logger$O.debug('fabric_create_options', {
+        logger$P.debug('fabric_create_options', {
             hasRootConfig: 'rootConfig' in fabricCreateOptions,
             hasNode: 'node' in fabricCreateOptions,
             rootConfigKeys: fabricCreateOptions.rootConfig
@@ -21890,7 +21863,7 @@ class Sentinel extends FameNode {
         const registerSignalListeners = () => {
             for (const sig of signals) {
                 const listener = () => {
-                    logger$O.info('shutdown_signal_received', { signal: sig });
+                    logger$P.info('shutdown_signal_received', { signal: sig });
                     cleanupListeners();
                     stopResolve();
                 };
@@ -21899,7 +21872,7 @@ class Sentinel extends FameNode {
             }
             if (abortSignal) {
                 abortListener = () => {
-                    logger$O.info('shutdown_signal_received', { signal: 'abort' });
+                    logger$P.info('shutdown_signal_received', { signal: 'abort' });
                     cleanupListeners();
                     stopResolve();
                 };
@@ -21912,12 +21885,12 @@ class Sentinel extends FameNode {
             await providedFabric.enter();
             try {
                 registerSignalListeners();
-                logger$O.info('sentinel_live', {
+                logger$P.info('sentinel_live', {
                     message: 'Node is live! Press Ctrl+C to stop.',
                 });
                 try {
                     await stopPromise;
-                    logger$O.info('sentinel_shutdown_begin');
+                    logger$P.info('sentinel_shutdown_begin');
                 }
                 finally {
                     cleanupListeners();
@@ -21931,19 +21904,19 @@ class Sentinel extends FameNode {
             // Use withFabric pattern for automatic lifecycle management
             await core.withFabric(fabricCreateOptions, async () => {
                 registerSignalListeners();
-                logger$O.info('sentinel_live', {
+                logger$P.info('sentinel_live', {
                     message: 'Node is live! Press Ctrl+C to stop.',
                 });
                 try {
                     await stopPromise;
-                    logger$O.info('sentinel_shutdown_begin');
+                    logger$P.info('sentinel_shutdown_begin');
                 }
                 finally {
                     cleanupListeners();
                 }
             });
         }
-        logger$O.info('sentinel_shutdown_complete');
+        logger$P.info('sentinel_shutdown_complete');
     }
 }
 function normalizeServeLogLevel(level) {
@@ -22088,7 +22061,7 @@ function isPlainRecord(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
 
-const FACTORY_META$14 = {
+const FACTORY_META$15 = {
     base: NODE_LIKE_FACTORY_BASE_TYPE,
     key: 'Sentinel',
 };
@@ -22272,7 +22245,7 @@ class SentinelFactory extends NodeLikeFactory {
 
 var sentinelFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$14,
+    FACTORY_META: FACTORY_META$15,
     SentinelFactory: SentinelFactory,
     default: SentinelFactory
 });
@@ -22355,7 +22328,7 @@ function createConnectorConfig(config) {
  * Browser-local connector that routes binary frames between peers via an in-page EventTarget.
  * Relies on BaseAsyncConnector for flow control and shutdown behavior.
  */
-const logger$N = getLogger('naylence.fame.connector.inpage_connector');
+const logger$O = getLogger('naylence.fame.connector.inpage_connector');
 const INPAGE_CONNECTOR_TYPE = 'inpage-connector';
 const DEFAULT_CHANNEL$6 = 'naylence-fabric';
 const DEFAULT_INBOX_CAPACITY$6 = 2048;
@@ -22453,7 +22426,7 @@ class InPageConnector extends BaseAsyncConnector {
         }
         this.localNodeId = normalizedLocalNodeId;
         this.targetNodeId = InPageConnector.normalizeTargetNodeId(config.initialTargetNodeId);
-        logger$N.debug('inpage_connector_initialized', {
+        logger$O.debug('inpage_connector_initialized', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -22462,7 +22435,7 @@ class InPageConnector extends BaseAsyncConnector {
         });
         this.onMsg = (event) => {
             if (!this.listenerRegistered) {
-                logger$N.warning('inpage_message_after_unregister', {
+                logger$O.warning('inpage_message_after_unregister', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     timestamp: new Date().toISOString(),
@@ -22471,7 +22444,7 @@ class InPageConnector extends BaseAsyncConnector {
             }
             const messageEvent = event;
             const message = messageEvent.data;
-            logger$N.debug('inpage_raw_event', {
+            logger$O.debug('inpage_raw_event', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 message_type: message && typeof message === 'object'
@@ -22491,7 +22464,7 @@ class InPageConnector extends BaseAsyncConnector {
                 : null;
             const senderNodeId = InPageConnector.normalizeNodeId(busMessage.senderNodeId);
             if (!senderId || !senderNodeId) {
-                logger$N.debug('inpage_message_rejected', {
+                logger$O.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'missing_sender_metadata',
@@ -22499,7 +22472,7 @@ class InPageConnector extends BaseAsyncConnector {
                 return;
             }
             if (senderId === this.connectorId || senderNodeId === this.localNodeId) {
-                logger$N.debug('inpage_message_rejected', {
+                logger$O.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'self_echo',
@@ -22513,14 +22486,14 @@ class InPageConnector extends BaseAsyncConnector {
             }
             const payload = InPageConnector.coercePayload(busMessage.payload);
             if (!payload) {
-                logger$N.debug('inpage_payload_rejected', {
+                logger$O.debug('inpage_payload_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'unrecognized_payload_type',
                 });
                 return;
             }
-            logger$N.debug('inpage_message_received', {
+            logger$O.debug('inpage_message_received', {
                 channel: this.channelName,
                 sender_id: senderId,
                 sender_node_id: senderNodeId,
@@ -22549,14 +22522,14 @@ class InPageConnector extends BaseAsyncConnector {
             }
             catch (error) {
                 if (error instanceof QueueFullError) {
-                    logger$N.warning('inpage_receive_queue_full', {
+                    logger$O.warning('inpage_receive_queue_full', {
                         channel: this.channelName,
                         inbox_capacity: this.inboxCapacity,
                         inbox_remaining_capacity: this.inbox.remainingCapacity,
                     });
                 }
                 else {
-                    logger$N.error('inpage_receive_error', {
+                    logger$O.error('inpage_receive_error', {
                         channel: this.channelName,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -22568,7 +22541,7 @@ class InPageConnector extends BaseAsyncConnector {
         // Setup visibility change monitoring
         this.visibilityChangeHandler = () => {
             const isHidden = document.hidden;
-            logger$N.debug('inpage_visibility_changed', {
+            logger$O.debug('inpage_visibility_changed', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 visibility: isHidden ? 'hidden' : 'visible',
@@ -22577,7 +22550,7 @@ class InPageConnector extends BaseAsyncConnector {
             // Pause/resume connector based on visibility
             if (isHidden && this.state === core.ConnectorState.STARTED) {
                 this.pause().catch((err) => {
-                    logger$N.warning('inpage_pause_failed', {
+                    logger$O.warning('inpage_pause_failed', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         error: err instanceof Error ? err.message : String(err),
@@ -22586,7 +22559,7 @@ class InPageConnector extends BaseAsyncConnector {
             }
             else if (!isHidden && this.state === core.ConnectorState.PAUSED) {
                 this.resume().catch((err) => {
-                    logger$N.warning('inpage_resume_failed', {
+                    logger$O.warning('inpage_resume_failed', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         error: err instanceof Error ? err.message : String(err),
@@ -22600,7 +22573,7 @@ class InPageConnector extends BaseAsyncConnector {
             // Track page lifecycle events to detect browser unload/discard
             if (typeof window !== 'undefined') {
                 const lifecycleLogger = (event) => {
-                    logger$N.info('inpage_page_lifecycle', {
+                    logger$O.info('inpage_page_lifecycle', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         event_type: event.type,
@@ -22616,7 +22589,7 @@ class InPageConnector extends BaseAsyncConnector {
                 document.addEventListener('resume', lifecycleLogger);
             }
             // Log initial state with detailed visibility info
-            logger$N.debug('inpage_initial_visibility', {
+            logger$O.debug('inpage_initial_visibility', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 visibility: document.hidden ? 'hidden' : 'visible',
@@ -22634,7 +22607,7 @@ class InPageConnector extends BaseAsyncConnector {
         await super.start(inboundHandler);
         // After transitioning to STARTED, check if tab is already hidden
         if (typeof document !== 'undefined' && document.hidden) {
-            logger$N.debug('inpage_start_in_hidden_tab', {
+            logger$O.debug('inpage_start_in_hidden_tab', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 document_hidden: document.hidden,
@@ -22644,7 +22617,7 @@ class InPageConnector extends BaseAsyncConnector {
             });
             // Immediately pause if tab is hidden at start time
             await this.pause().catch((err) => {
-                logger$N.warning('inpage_initial_pause_failed', {
+                logger$O.warning('inpage_initial_pause_failed', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     error: err instanceof Error ? err.message : String(err),
@@ -22674,14 +22647,14 @@ class InPageConnector extends BaseAsyncConnector {
         }
         catch (error) {
             if (error instanceof QueueFullError) {
-                logger$N.warning('inpage_push_queue_full', {
+                logger$O.warning('inpage_push_queue_full', {
                     channel: this.channelName,
                     inbox_capacity: this.inboxCapacity,
                     inbox_remaining_capacity: this.inbox.remainingCapacity,
                 });
                 throw error;
             }
-            logger$N.error('inpage_push_failed', {
+            logger$O.error('inpage_push_failed', {
                 channel: this.channelName,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -22691,7 +22664,7 @@ class InPageConnector extends BaseAsyncConnector {
     async _transportSendBytes(data) {
         ensureBrowserEnvironment$2();
         const targetNodeId = this.targetNodeId ?? '*';
-        logger$N.debug('inpage_message_sending', {
+        logger$O.debug('inpage_message_sending', {
             channel: this.channelName,
             sender_id: this.connectorId,
             sender_node_id: this.localNodeId,
@@ -22715,7 +22688,7 @@ class InPageConnector extends BaseAsyncConnector {
         return item;
     }
     async _transportClose(code, reason) {
-        logger$N.debug('inpage_transport_closing', {
+        logger$O.debug('inpage_transport_closing', {
             channel: this.channelName,
             connector_id: this.connectorId,
             code,
@@ -22724,14 +22697,14 @@ class InPageConnector extends BaseAsyncConnector {
             timestamp: new Date().toISOString(),
         });
         if (this.listenerRegistered) {
-            logger$N.debug('inpage_removing_listener', {
+            logger$O.debug('inpage_removing_listener', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 timestamp: new Date().toISOString(),
             });
             getSharedBus$1().removeEventListener(this.channelName, this.onMsg);
             this.listenerRegistered = false;
-            logger$N.debug('inpage_listener_removed', {
+            logger$O.debug('inpage_listener_removed', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 timestamp: new Date().toISOString(),
@@ -22763,7 +22736,7 @@ class InPageConnector extends BaseAsyncConnector {
             if (targetNodeId &&
                 targetNodeId !== '*' &&
                 targetNodeId !== this.localNodeId) {
-                logger$N.debug('inpage_message_rejected', {
+                logger$O.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'wildcard_target_mismatch',
@@ -22779,7 +22752,7 @@ class InPageConnector extends BaseAsyncConnector {
         if (expectedSender &&
             expectedSender !== '*' &&
             senderNodeId !== expectedSender) {
-            logger$N.debug('inpage_message_rejected', {
+            logger$O.debug('inpage_message_rejected', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 reason: 'unexpected_sender',
@@ -22792,7 +22765,7 @@ class InPageConnector extends BaseAsyncConnector {
         if (targetNodeId &&
             targetNodeId !== '*' &&
             targetNodeId !== this.localNodeId) {
-            logger$N.debug('inpage_message_rejected', {
+            logger$O.debug('inpage_message_rejected', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 reason: 'unexpected_target',
@@ -22817,7 +22790,7 @@ class InPageConnector extends BaseAsyncConnector {
         return 'unknown';
     }
     logInboxSnapshot(event, extra = {}) {
-        logger$N.debug(event, {
+        logger$O.debug(event, {
             channel: this.channelName,
             connector_id: this.connectorId,
             connector_state: this.state,
@@ -22836,7 +22809,7 @@ class InPageConnector extends BaseAsyncConnector {
             return;
         }
         this.targetNodeId = normalized;
-        logger$N.debug('inpage_target_updated', {
+        logger$O.debug('inpage_target_updated', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -22846,7 +22819,7 @@ class InPageConnector extends BaseAsyncConnector {
     }
     setWildcardTarget() {
         this.targetNodeId = '*';
-        logger$N.debug('inpage_target_updated', {
+        logger$O.debug('inpage_target_updated', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -23040,6 +23013,185 @@ class AuthorizerFactory extends factory.AbstractResourceFactory {
     }
 }
 
+const logger$N = getLogger('naylence.fame.security.auth.authorization_profile_factory');
+const PROFILE_NAME_DEFAULT = 'jwt';
+const PROFILE_NAME_OAUTH2 = 'oauth2';
+const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
+const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+const PROFILE_NAME_NOOP$2 = 'noop';
+const ENV_VAR_JWT_TRUSTED_ISSUER$1 = 'FAME_JWT_TRUSTED_ISSUER';
+const ENV_VAR_JWT_ALGORITHM$3 = 'FAME_JWT_ALGORITHM';
+const ENV_VAR_JWT_AUDIENCE$3 = 'FAME_JWT_AUDIENCE';
+const ENV_VAR_JWKS_URL$1 = 'FAME_JWKS_URL';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+const ENV_VAR_TRUSTED_CLIENT_SCOPE$1 = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
+const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
+const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
+const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_PROFILE = {
+    type: 'DefaultAuthorizer',
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
+};
+const OAUTH2_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    required_scopes: ['node.connect'],
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM$3, 'RS256'),
+    audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$3),
+};
+const OAUTH2_GATED_PROFILE = {
+    ...OAUTH2_PROFILE,
+    enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1, 'false'),
+    trusted_client_scope: factory.Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE$1, 'node.trusted'),
+};
+const OAUTH2_CALLBACK_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+    audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1),
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    reverse_auth_ttl_sec: 86400,
+    token_verifier_config: {
+        type: 'JWTTokenVerifier',
+        algorithm: 'HS256',
+        hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET$1),
+        issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+    },
+    token_issuer_config: {
+        type: 'JWTTokenIssuer',
+        algorithm: 'HS256',
+        hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET$1),
+        kid: 'hmac-reverse-auth-key',
+        issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+        audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1, DEFAULT_REVERSE_AUTH_AUDIENCE),
+    },
+};
+const NOOP_PROFILE$2 = {
+    type: 'NoopAuthorizer',
+};
+const PROFILE_MAP$5 = {
+    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
+    [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
+    [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_NOOP$2]: NOOP_PROFILE$2,
+};
+const PROFILE_ALIASES$1 = {
+    jwt: PROFILE_NAME_DEFAULT,
+    jwks: PROFILE_NAME_DEFAULT,
+    default: PROFILE_NAME_DEFAULT,
+    oauth2: PROFILE_NAME_OAUTH2,
+    oidc: PROFILE_NAME_OAUTH2,
+    'oauth2-gated': PROFILE_NAME_OAUTH2_GATED,
+    oauth2_gated: PROFILE_NAME_OAUTH2_GATED,
+    'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
+    oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
+    'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    noop: PROFILE_NAME_NOOP$2,
+    'no-op': PROFILE_NAME_NOOP$2,
+    no_op: PROFILE_NAME_NOOP$2,
+};
+const FACTORY_META$14 = {
+    base: AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'AuthorizationProfile',
+};
+class AuthorizationProfileFactory extends AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'AuthorizationProfile';
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig$w(config);
+        const profileConfig = resolveProfileConfig$4(normalized.profile);
+        logger$N.debug('enabling_authorization_profile', {
+            profile: normalized.profile,
+        });
+        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        if (!authorizer) {
+            throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
+        }
+        return authorizer;
+    }
+}
+function normalizeConfig$w(config) {
+    if (!config) {
+        return { profile: PROFILE_NAME_OAUTH2 };
+    }
+    const candidate = config;
+    const profileValue = resolveProfileName$2(candidate);
+    const canonicalProfile = canonicalizeProfileName$1(profileValue);
+    candidate.profile = canonicalProfile;
+    return { profile: canonicalProfile };
+}
+function resolveProfileName$2(candidate) {
+    const direct = coerceProfileString$2(candidate.profile);
+    if (direct) {
+        return direct;
+    }
+    const legacyKeys = ['profile_name', 'profileName'];
+    for (const legacyKey of legacyKeys) {
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
+        if (legacyValue) {
+            return legacyValue;
+        }
+    }
+    return PROFILE_NAME_OAUTH2;
+}
+function coerceProfileString$2(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function canonicalizeProfileName$1(value) {
+    const normalized = value.replace(/[\s_]+/g, '-').toLowerCase();
+    return PROFILE_ALIASES$1[normalized] ?? normalized;
+}
+function resolveProfileConfig$4(profileName) {
+    const profile = PROFILE_MAP$5[profileName];
+    if (!profile) {
+        throw new Error(`Unknown authorization profile: ${profileName}`);
+    }
+    return deepClone$4(profile);
+}
+function deepClone$4(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+
+var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AuthorizationProfileFactory: AuthorizationProfileFactory,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1,
+    ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET$1,
+    ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL$1,
+    ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM$3,
+    ENV_VAR_JWT_AUDIENCE: ENV_VAR_JWT_AUDIENCE$3,
+    ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE: ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1,
+    ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER: ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1,
+    ENV_VAR_JWT_TRUSTED_ISSUER: ENV_VAR_JWT_TRUSTED_ISSUER$1,
+    ENV_VAR_TRUSTED_CLIENT_SCOPE: ENV_VAR_TRUSTED_CLIENT_SCOPE$1,
+    FACTORY_META: FACTORY_META$14,
+    PROFILE_NAME_DEFAULT: PROFILE_NAME_DEFAULT,
+    PROFILE_NAME_NOOP: PROFILE_NAME_NOOP$2,
+    PROFILE_NAME_OAUTH2: PROFILE_NAME_OAUTH2,
+    PROFILE_NAME_OAUTH2_CALLBACK: PROFILE_NAME_OAUTH2_CALLBACK,
+    PROFILE_NAME_OAUTH2_GATED: PROFILE_NAME_OAUTH2_GATED,
+    default: AuthorizationProfileFactory
+});
+
 function isAuthInjectionStrategy(candidate) {
     return (typeof candidate === 'object' &&
         candidate !== null &&
@@ -30536,14 +30688,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_I
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 const PROFILE_NAME_GATED = 'gated';
 const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 const PROFILE_NAME_OPEN$1 = 'open';
-const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
-const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
 const STRICT_OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -30589,12 +30740,8 @@ const STRICT_OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'DefaultAuthorizer',
-        verifier: {
-            type: 'JWKSJWTTokenVerifier',
-            jwks_url: factory.Expressions.env(ENV_VAR_JWKS_URL),
-            issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
     },
 };
 const OVERLAY_PROFILE = {
@@ -30641,14 +30788,8 @@ const OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM$2, 'RS256'),
-        audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2'),
     },
 };
 const OVERLAY_CALLBACK_PROFILE = {
@@ -30695,29 +30836,8 @@ const OVERLAY_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const GATED_PROFILE = {
@@ -30763,16 +30883,8 @@ const GATED_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory.Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: factory.Expressions.env(ENV_VAR_JWT_ALGORITHM$2, 'RS256'),
-        audience: factory.Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
-        enforce_token_subject_node_identity: factory.Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
-        trusted_client_scope: factory.Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-gated'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -30818,29 +30930,8 @@ const GATED_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: factory.Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: factory.Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const OPEN_PROFILE$1 = {
@@ -30849,7 +30940,8 @@ const OPEN_PROFILE$1 = {
         type: 'NoSecurityPolicy',
     },
     authorizer: {
-        type: 'NoopAuthorizer',
+        type: 'AuthorizationProfile',
+        profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'noop'),
     },
 };
 const PROFILE_MAP$4 = {
@@ -30978,6 +31070,7 @@ function deepClone$3(value) {
 
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
+    ENV_VAR_AUTHORIZATION_PROFILE: ENV_VAR_AUTHORIZATION_PROFILE,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
     ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
@@ -45786,11 +45879,26 @@ exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE = AUTHORIZATION_POLICY_FACTORY_BA
 exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE = AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE;
 exports.AUTHORIZER_FACTORY_BASE_TYPE = AUTHORIZER_FACTORY_BASE_TYPE;
 exports.AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE = AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE;
+exports.AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1;
+exports.AUTH_PROFILE_ENV_VAR_HMAC_SECRET = ENV_VAR_HMAC_SECRET$1;
+exports.AUTH_PROFILE_ENV_VAR_JWKS_URL = ENV_VAR_JWKS_URL$1;
+exports.AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM = ENV_VAR_JWT_ALGORITHM$3;
+exports.AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE = ENV_VAR_JWT_AUDIENCE$3;
+exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1;
+exports.AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1;
+exports.AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER = ENV_VAR_JWT_TRUSTED_ISSUER$1;
+exports.AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE = ENV_VAR_TRUSTED_CLIENT_SCOPE$1;
+exports.AUTH_PROFILE_NAME_DEFAULT = PROFILE_NAME_DEFAULT;
+exports.AUTH_PROFILE_NAME_NOOP = PROFILE_NAME_NOOP$2;
+exports.AUTH_PROFILE_NAME_OAUTH2 = PROFILE_NAME_OAUTH2;
+exports.AUTH_PROFILE_NAME_OAUTH2_CALLBACK = PROFILE_NAME_OAUTH2_CALLBACK;
+exports.AUTH_PROFILE_NAME_OAUTH2_GATED = PROFILE_NAME_OAUTH2_GATED;
 exports.AsyncLock = AsyncLock;
 exports.AttachmentKeyValidator = AttachmentKeyValidator;
 exports.AuthInjectionStrategyFactory = AuthInjectionStrategyFactory;
 exports.AuthorizationPolicyFactory = AuthorizationPolicyFactory;
 exports.AuthorizationPolicySourceFactory = AuthorizationPolicySourceFactory;
+exports.AuthorizationProfileFactory = AuthorizationProfileFactory;
 exports.AuthorizerFactory = AuthorizerFactory;
 exports.BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE = BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE;
 exports.BackPressureFull = BackPressureFull;
@@ -45827,6 +45935,7 @@ exports.DevFixedKeyCredentialProvider = DevFixedKeyCredentialProvider;
 exports.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE = ENCRYPTION_MANAGER_FACTORY_BASE_TYPE;
 exports.ENVELOPE_SIGNER_FACTORY_BASE_TYPE = ENVELOPE_SIGNER_FACTORY_BASE_TYPE;
 exports.ENVELOPE_VERIFIER_FACTORY_BASE_TYPE = ENVELOPE_VERIFIER_FACTORY_BASE_TYPE;
+exports.ENV_VAR_AUTHORIZATION_PROFILE = ENV_VAR_AUTHORIZATION_PROFILE;
 exports.ENV_VAR_DEFAULT_ENCRYPTION_LEVEL = ENV_VAR_DEFAULT_ENCRYPTION_LEVEL;
 exports.ENV_VAR_HMAC_SECRET = ENV_VAR_HMAC_SECRET;
 exports.ENV_VAR_JWKS_URL = ENV_VAR_JWKS_URL;