@naylence/runtime 0.4.0 → 0.4.2

package/dist/node/node.mjs

@@ -3591,7 +3591,7 @@ class WebSocketConnectionGrantImpl {
         this.purpose = 'connection';
     }
 }
-const FACTORY_META$1f = {
+const FACTORY_META$1g = {
     base: CONNECTOR_FACTORY_BASE_TYPE,
     key: 'WebSocketConnector',
 };
@@ -3962,7 +3962,7 @@ class WebSocketConnectorFactory extends ConnectorFactory {
 
 var websocketConnectorFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1f,
+    FACTORY_META: FACTORY_META$1g,
     WebSocketConnectorFactory: WebSocketConnectorFactory,
     default: WebSocketConnectorFactory,
     setWebSocketConnectorSslLoader: setWebSocketConnectorSslLoader
@@ -4038,6 +4038,7 @@ const MODULES = [
     "./node/node-identity-policy-profile-factory.js",
     "./node/token-subject-node-identity-policy-factory.js",
     "./placement/static-node-placement-strategy-factory.js",
+    "./security/auth/authorization-profile-factory.js",
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js",
     "./security/auth/default-authorizer-factory.js",
     "./security/auth/default-policy-authorizer-factory.js",
@@ -4120,6 +4121,7 @@ const MODULE_LOADERS = {
     "./node/node-identity-policy-profile-factory.js": () => Promise.resolve().then(function () { return nodeIdentityPolicyProfileFactory; }),
     "./node/token-subject-node-identity-policy-factory.js": () => Promise.resolve().then(function () { return tokenSubjectNodeIdentityPolicyFactory; }),
     "./placement/static-node-placement-strategy-factory.js": () => Promise.resolve().then(function () { return staticNodePlacementStrategyFactory; }),
+    "./security/auth/authorization-profile-factory.js": () => Promise.resolve().then(function () { return authorizationProfileFactory; }),
     "./security/auth/bearer-token-header-auth-injection-strategy-factory.js": () => Promise.resolve().then(function () { return bearerTokenHeaderAuthInjectionStrategyFactory; }),
     "./security/auth/default-authorizer-factory.js": () => Promise.resolve().then(function () { return defaultAuthorizerFactory; }),
     "./security/auth/default-policy-authorizer-factory.js": () => Promise.resolve().then(function () { return defaultPolicyAuthorizerFactory; }),
@@ -4433,12 +4435,12 @@ async function ensureRuntimeFactoriesRegistered(registry = Registry) {
 }
 
 // This file is auto-generated during build - do not edit manually
-// Generated from package.json version: 0.4.0
+// Generated from package.json version: 0.4.2
 /**
  * The package version, injected at build time.
  * @internal
  */
-const VERSION = '0.4.0';
+const VERSION = '0.4.2';
 
 let initialized = false;
 const runtimePlugin = {
@@ -4553,7 +4555,7 @@ class EnvCredentialProviderFactory extends CredentialProviderFactory {
         return new EnvCredentialProvider(resolved.varName);
     }
 }
-const FACTORY_META$1e = {
+const FACTORY_META$1f = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'EnvCredentialProvider',
 };
@@ -4561,7 +4563,7 @@ const FACTORY_META$1e = {
 var envCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     EnvCredentialProviderFactory: EnvCredentialProviderFactory,
-    FACTORY_META: FACTORY_META$1e,
+    FACTORY_META: FACTORY_META$1f,
     default: EnvCredentialProviderFactory,
     normalizeEnvConfig: normalizeEnvConfig
 });
@@ -4659,14 +4661,14 @@ class PromptCredentialProviderFactory extends CredentialProviderFactory {
         return new PromptCredentialProvider(resolved.credentialName);
     }
 }
-const FACTORY_META$1d = {
+const FACTORY_META$1e = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'PromptCredentialProvider',
 };
 
 var promptCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1d,
+    FACTORY_META: FACTORY_META$1e,
     PromptCredentialProviderFactory: PromptCredentialProviderFactory,
     default: PromptCredentialProviderFactory,
     normalizePromptConfig: normalizePromptConfig
@@ -4720,14 +4722,14 @@ class SecretStoreCredentialProviderFactory extends CredentialProviderFactory {
         return new SecretStoreCredentialProvider(resolved.secretName);
     }
 }
-const FACTORY_META$1c = {
+const FACTORY_META$1d = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'SecretStoreCredentialProvider',
 };
 
 var secretStoreCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1c,
+    FACTORY_META: FACTORY_META$1d,
     SecretStoreCredentialProviderFactory: SecretStoreCredentialProviderFactory,
     default: SecretStoreCredentialProviderFactory,
     normalizeSecretStoreConfig: normalizeSecretStoreConfig
@@ -4776,14 +4778,14 @@ class StaticCredentialProviderFactory extends CredentialProviderFactory {
         return new StaticCredentialProvider(resolved.credentialValue);
     }
 }
-const FACTORY_META$1b = {
+const FACTORY_META$1c = {
     base: CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE,
     key: 'StaticCredentialProvider',
 };
 
 var staticCredentialProviderFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1b,
+    FACTORY_META: FACTORY_META$1c,
     StaticCredentialProviderFactory: StaticCredentialProviderFactory,
     default: StaticCredentialProviderFactory,
     normalizeStaticConfig: normalizeStaticConfig
@@ -5074,12 +5076,12 @@ const BASE_PROFILE_MAP = {
     [PROFILE_NAME_INDEXEDDB]: INDEXEDDB_PROFILE_CONFIG,
 };
 // Extended profile map - can be augmented by Node.js environment
-const PROFILE_MAP$6 = {
+const PROFILE_MAP$7 = {
     ...BASE_PROFILE_MAP,
 };
 // Function to register additional profiles (used by Node.js build)
 function registerStorageProfile(name, config) {
-    PROFILE_MAP$6[name] = config;
+    PROFILE_MAP$7[name] = config;
 }
 // Export the SQLite configs so they can be registered from node-index.ts
 const SQLITE_PROFILES = {
@@ -5098,9 +5100,9 @@ class StorageProfileFactory extends StorageProviderFactory {
             type: 'StorageProfile',
         });
         const profileName = (parsed.profile ?? PROFILE_NAME_MEMORY).toLowerCase();
-        const profileConfig = PROFILE_MAP$6[profileName];
+        const profileConfig = PROFILE_MAP$7[profileName];
         if (!profileConfig) {
-            throw new Error(`Unknown storage profile '${profileName}'. Supported profiles: ${Object.keys(PROFILE_MAP$6).join(', ')}`);
+            throw new Error(`Unknown storage profile '${profileName}'. Supported profiles: ${Object.keys(PROFILE_MAP$7).join(', ')}`);
         }
         const createOptions = {
             ...options,
@@ -14857,44 +14859,12 @@ class ConnectionRetryPolicyFactory extends AbstractResourceFactory {
     }
 }
 
-const TOKEN_PROVIDER_FACTORY_BASE_TYPE = 'TokenProviderFactory';
-class TokenProviderFactory extends AbstractResourceFactory {
-    static async createTokenProvider(config, options = {}) {
-        if (config) {
-            const provider = await createResource$1(TOKEN_PROVIDER_FACTORY_BASE_TYPE, config, options);
-            if (!provider) {
-                throw new Error('Failed to create token provider from configuration');
-            }
-            return provider;
-        }
-        let provider = null;
-        try {
-            provider = await createDefaultResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, null, options);
-        }
-        catch (error) {
-            const message = 'Failed to create default token provider' +
-                (error instanceof Error && error.message ? `: ${error.message}` : '');
-            throw new Error(message);
-        }
-        if (!provider) {
-            throw new Error('Failed to create default token provider');
-        }
-        return provider;
-    }
-}
-
-function isTokenProvider(candidate) {
-    return (typeof candidate === 'object' &&
-        candidate !== null &&
-        typeof candidate.getToken === 'function');
-}
-function isIdentityExposingTokenProvider(candidate) {
-    return (isTokenProvider(candidate) &&
-        typeof candidate.getIdentity ===
-            'function');
-}
-
-const logger$14 = getLogger('naylence.fame.node.default_node_identity_policy');
+/**
+ * Default node identity policy that preserves the current node ID.
+ *
+ * This policy does NOT derive identity from tokens or grants.
+ * For token-subject-based identity, use TokenSubjectNodeIdentityPolicy.
+ */
 class DefaultNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -14906,44 +14876,10 @@ class DefaultNodeIdentityPolicy {
         return await generateIdAsync({ mode: 'fingerprint' });
     }
     async resolveAdmissionNodeId(context) {
-        // Try to extract identity from grants first
-        if (context.grants && context.grants.length > 0) {
-            for (const grant of context.grants) {
-                try {
-                    const auth = grant.auth;
-                    if (!auth) {
-                        continue;
-                    }
-                    const tokenProviderConfig = (auth.tokenProvider ??
-                        auth.token_provider);
-                    if (!tokenProviderConfig ||
-                        typeof tokenProviderConfig.type !== 'string') {
-                        continue;
-                    }
-                    const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
-                    if (isIdentityExposingTokenProvider(provider)) {
-                        const identity = await provider.getIdentity();
-                        if (identity && identity.subject) {
-                            logger$14.debug('identity_extracted_from_grant', {
-                                identity_id: identity.subject,
-                                grant_type: grant.type,
-                            });
-                            return identity.subject;
-                        }
-                    }
-                }
-                catch (error) {
-                    logger$14.warning('identity_extraction_failed', {
-                        error: error instanceof Error ? error.message : String(error),
-                        grant_type: grant.type,
-                    });
-                }
-            }
-        }
-        if (!context.currentNodeId) {
-            return await generateIdAsync({ mode: 'fingerprint' });
+        if (context.currentNodeId) {
+            return context.currentNodeId;
         }
-        return context.currentNodeId;
+        return await generateIdAsync({ mode: 'fingerprint' });
     }
 }
 
@@ -15017,7 +14953,7 @@ class AttachmentKeyValidator {
     }
 }
 
-const logger$13 = getLogger('naylence.fame.node.admission.default_node_attach_client');
+const logger$14 = getLogger('naylence.fame.node.admission.default_node_attach_client');
 const HANDSHAKE_POLL_INTERVAL_MS = 20;
 class DefaultNodeAttachClient {
     constructor(options = {}) {
@@ -15041,7 +14977,7 @@ class DefaultNodeAttachClient {
                 }
                 else {
                     // Silently ignore frames from other agents during concurrent handshakes
-                    logger$13.debug('handshake_ignoring_frame_from_different_system', {
+                    logger$14.debug('handshake_ignoring_frame_from_different_system', {
                         frame_type: envelope.frame.type,
                         frame_system_id: frameSystemId,
                         expected_system_id: this.expectedSystemId,
@@ -15084,7 +15020,7 @@ class DefaultNodeAttachClient {
             }
         }
         catch (error) {
-            logger$13.debug('stickiness_offer_skipped', {
+            logger$14.debug('stickiness_offer_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -15105,7 +15041,7 @@ class DefaultNodeAttachClient {
             if (!processedEnvelope) {
                 throw new Error('Envelope was blocked by onForwardUpstream event');
             }
-            logger$13.debug('sending_node_attach_envelope', {
+            logger$14.debug('sending_node_attach_envelope', {
                 envp_id: processedEnvelope.id ?? envelope.id ?? null,
                 frame_type: processedEnvelope.frame?.type ?? 'unknown',
                 trace_id: processedEnvelope.traceId ?? envelope.traceId ?? null,
@@ -15141,7 +15077,7 @@ class DefaultNodeAttachClient {
             try {
                 const keyInfos = await this.attachmentKeyValidator.validateKeys(parentKeys);
                 if (Array.isArray(keyInfos) && keyInfos.length > 0) {
-                    logger$13.debug('parent_certificate_validation_passed', {
+                    logger$14.debug('parent_certificate_validation_passed', {
                         parent_id: parentId,
                         correlation_id: corrId,
                         validated_keys: keyInfos.length,
@@ -15150,7 +15086,7 @@ class DefaultNodeAttachClient {
             }
             catch (error) {
                 if (error instanceof KeyValidationError) {
-                    logger$13.error('parent_certificate_validation_failed', {
+                    logger$14.error('parent_certificate_validation_failed', {
                         parent_id: parentId,
                         correlation_id: corrId,
                         error_code: error.code,
@@ -15164,12 +15100,12 @@ class DefaultNodeAttachClient {
             }
         }
         else {
-            logger$13.debug('parent_certificate_validation_skipped', {
+            logger$14.debug('parent_certificate_validation_skipped', {
                 parent_id: parentId,
                 reason: 'no_validator',
             });
         }
-        logger$13.debug('processing_node_attach_ack', {
+        logger$14.debug('processing_node_attach_ack', {
             parent_id: ackFrame.targetSystemId,
         });
         this.inHandshake = false;
@@ -15200,7 +15136,7 @@ class DefaultNodeAttachClient {
             }
         }
         catch (error) {
-            logger$13.debug('stickiness_accept_skipped', {
+            logger$14.debug('stickiness_accept_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -15254,7 +15190,7 @@ class DefaultNodeAttachClient {
                 // NodeAttach frames during handshake are expected in multi-agent scenarios
                 // where multiple agents attach concurrently to the same channel
                 if (envelope.frame.type === 'NodeAttach') {
-                    logger$13.debug('handshake_ignoring_concurrent_attach', {
+                    logger$14.debug('handshake_ignoring_concurrent_attach', {
                         frame_type: envelope.frame.type,
                         frame_system_id: envelope.frame?.systemId ??
                             'unknown',
@@ -15262,7 +15198,7 @@ class DefaultNodeAttachClient {
                 }
                 else {
                     // Other unexpected frames are still logged as errors
-                    logger$13.error('unexpected_frame_during_handshake', {
+                    logger$14.error('unexpected_frame_during_handshake', {
                         frame_type: envelope.frame.type,
                     });
                 }
@@ -15402,7 +15338,7 @@ class TraceEmitterFactory extends AbstractResourceFactory {
 // void import('./trace-emitter-profile-factory.js');
 
 const BINDING_STORE_NAMESPACE = '__binding_store';
-const logger$12 = getLogger('naylence.fame.node.factory_commons');
+const logger$13 = getLogger('naylence.fame.node.factory_commons');
 function isPlainRecord$2(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
@@ -15596,7 +15532,7 @@ async function resolveNodeIdentityPolicy(config, options) {
         return await NodeIdentityPolicyFactory.createNodeIdentityPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('node_identity_policy_creation_failed', {
+        logger$13.warning('node_identity_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15607,7 +15543,7 @@ async function resolveConnectionRetryPolicy(config, options) {
         return await ConnectionRetryPolicyFactory.createConnectionRetryPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('connection_retry_policy_creation_failed', {
+        logger$13.warning('connection_retry_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15619,7 +15555,7 @@ async function resolveStorageProvider(config, options) {
             return await StorageProviderFactory.createStorageProvider(config, cloneCreateOptions(options));
         }
         catch (error) {
-            logger$12.warning('storage_provider_creation_failed', {
+            logger$13.warning('storage_provider_creation_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -15641,7 +15577,7 @@ async function resolveAdmissionClient(config, options, identityPolicy) {
         return await AdmissionClientFactory.createAdmissionClient((config ?? null), createOptions);
     }
     catch (error) {
-        logger$12.warning('admission_client_creation_failed', {
+        logger$13.warning('admission_client_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15668,7 +15604,7 @@ async function resolveReplicaStickinessManager(hasParent, requestedLogicals, opt
         return await ReplicaStickinessManagerFactory.createReplicaStickinessManager(undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.debug('replica_stickiness_manager_unavailable', { error });
+        logger$13.debug('replica_stickiness_manager_unavailable', { error });
         return null;
     }
 }
@@ -15677,7 +15613,7 @@ async function resolveAttachmentKeyValidator(config, options) {
         return await AttachmentKeyValidatorFactory.createAttachmentKeyValidator(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('attachment_key_validator_creation_failed', {
+        logger$13.warning('attachment_key_validator_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15695,7 +15631,7 @@ async function resolveDeliveryPolicy(config, options) {
         return await DeliveryPolicyFactory.createDeliveryPolicy(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('delivery_policy_creation_failed', {
+        logger$13.warning('delivery_policy_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15709,7 +15645,7 @@ async function resolveTransportListeners(configs, eventListeners, options) {
         return await TransportListenerFactory.createTransportListeners(configs, eventListeners, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('transport_listener_creation_failed', {
+        logger$13.warning('transport_listener_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return [];
@@ -15720,7 +15656,7 @@ async function resolveTraceEmitter(config, options) {
         return await TraceEmitterFactory.createTraceEmitter(config ?? undefined, cloneCreateOptions(options));
     }
     catch (error) {
-        logger$12.warning('trace_emitter_creation_failed', {
+        logger$13.warning('trace_emitter_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15776,7 +15712,7 @@ async function createSecurityManagerFromConfig(config, overrides, options) {
         return manager ?? null;
     }
     catch (error) {
-        logger$12.warning('security_manager_creation_failed', {
+        logger$13.warning('security_manager_creation_failed', {
             error: error instanceof Error ? error.message : String(error),
         });
         return null;
@@ -15805,7 +15741,7 @@ async function resolveCryptoProvider(config, options) {
     // This happens with overlay security profiles that need envelope signing
     if (requiresCryptoProvider(config)) {
         try {
-            logger$12.debug('auto_creating_crypto_provider', {
+            logger$13.debug('auto_creating_crypto_provider', {
                 reason: 'overlay_security_requires_signing',
             });
             // Dynamically import to avoid circular dependencies
@@ -15825,7 +15761,7 @@ async function resolveCryptoProvider(config, options) {
             });
         }
         catch (error) {
-            logger$12.error('failed_to_auto_create_crypto_provider', {
+            logger$13.error('failed_to_auto_create_crypto_provider', {
                 error: error instanceof Error ? error.message : String(error),
             });
             throw error;
@@ -16376,7 +16312,7 @@ class NodeLikeFactory extends AbstractResourceFactory {
 //   registerFactory(NODE_LIKE_FACTORY_BASE_TYPE, type, factory);
 // }
 
-const FACTORY_META$1a = {
+const FACTORY_META$1b = {
     base: NODE_LIKE_FACTORY_BASE_TYPE,
     key: 'Node',
 };
@@ -16418,7 +16354,7 @@ class NodeFactory extends NodeLikeFactory {
 
 var nodeFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$1a,
+    FACTORY_META: FACTORY_META$1b,
     NodeFactory: NodeFactory,
     default: NodeFactory
 });
@@ -16995,7 +16931,7 @@ function normalizeSecurityRequirements(value) {
     };
 }
 
-const logger$11 = getLogger('naylence.fame.node.envelope_security_handler');
+const logger$12 = getLogger('naylence.fame.node.envelope_security_handler');
 const ENCRYPTION_OPTION_ALIAS_PAIRS = [
     ['recipKid', 'recip_kid'],
     ['recipientKeyId', 'recipient_key_id'],
@@ -17044,7 +16980,7 @@ class EnvelopeSecurityHandler {
         const shouldSign = this.securityPolicy
             ? await this.securityPolicy.shouldSignEnvelope(envelope, context, this.node)
             : false;
-        logger$11.debug('checking_signing', {
+        logger$12.debug('checking_signing', {
             has_signer: Boolean(this.envelopeSigner),
             should_sign: shouldSign,
             envp_id: envelope.id,
@@ -17066,7 +17002,7 @@ class EnvelopeSecurityHandler {
         const shouldEncrypt = this.securityPolicy
             ? await this.securityPolicy.shouldEncryptEnvelope(envelope, context, this.node)
             : false;
-        logger$11.debug('checking_encryption', {
+        logger$12.debug('checking_encryption', {
             has_encryption_manager: Boolean(this.encryptionManager),
             should_encrypt: shouldEncrypt,
             envp_id: envelope.id,
@@ -17074,7 +17010,7 @@ class EnvelopeSecurityHandler {
         });
         if (this.encryptionManager && this.securityPolicy) {
             if (envelope.sec?.enc) {
-                logger$11.debug('skipping_encryption_already_encrypted', {
+                logger$12.debug('skipping_encryption_already_encrypted', {
                     envp_id: envelope.id,
                     destination: envelope.to ? String(envelope.to) : undefined,
                 });
@@ -17087,7 +17023,7 @@ class EnvelopeSecurityHandler {
                     CryptoLevel.PLAINTEXT;
                 desiredCryptoLevel =
                     await this.securityPolicy.decideResponseCryptoLevel(requestCryptoLevel, envelope, context);
-                logger$11.debug('response_crypto_level_decided', {
+                logger$12.debug('response_crypto_level_decided', {
                     envp_id: envelope.id,
                     crypto_level: desiredCryptoLevel,
                     destination: envelope.to ? String(envelope.to) : undefined,
@@ -17098,7 +17034,7 @@ class EnvelopeSecurityHandler {
             else {
                 desiredCryptoLevel =
                     await this.securityPolicy.decideOutboundCryptoLevel(envelope, context, this.node);
-                logger$11.debug('outbound_crypto_level_decided', {
+                logger$12.debug('outbound_crypto_level_decided', {
                     envp_id: envelope.id,
                     frame_type: envelope.frame.type,
                     crypto_level: desiredCryptoLevel,
@@ -17106,11 +17042,11 @@ class EnvelopeSecurityHandler {
                 });
             }
             if (desiredCryptoLevel === CryptoLevel.SEALED) {
-                logger$11.debug('applying_sealed_encryption', { envp_id: envelope.id });
+                logger$12.debug('applying_sealed_encryption', { envp_id: envelope.id });
                 return await this.handleSealedEncryption(envelope, context);
             }
             if (desiredCryptoLevel === CryptoLevel.CHANNEL) {
-                logger$11.debug('applying_channel_encryption', { envp_id: envelope.id });
+                logger$12.debug('applying_channel_encryption', { envp_id: envelope.id });
                 return await this.handleChannelEncryption(envelope, context);
             }
         }
@@ -17161,7 +17097,7 @@ class EnvelopeSecurityHandler {
                 frameType === 'KeyAnnounce' ||
                 frameType === 'SecureOpen' ||
                 frameType === 'SecureAccept') {
-                logger$11.error('critical_frame_unsigned_rejected', {
+                logger$12.error('critical_frame_unsigned_rejected', {
                     envp_id: envelope.id,
                     frame_type: frameType,
                     reason: 'critical_frames_must_be_signed',
@@ -17169,7 +17105,7 @@ class EnvelopeSecurityHandler {
                 return [envelope, false];
             }
             const action = this.securityPolicy.getUnsignedViolationAction(envelope, context);
-            logger$11.warning('unsigned_envelope_violation', {
+            logger$12.warning('unsigned_envelope_violation', {
                 envp_id: envelope.id,
                 frame_type: frameType,
                 action,
@@ -17181,26 +17117,26 @@ class EnvelopeSecurityHandler {
         return [envelope, true];
     }
     async handleChannelHandshakeComplete(channelId, destination) {
-        logger$11.debug('channel_handshake_completed', {
+        logger$12.debug('channel_handshake_completed', {
             channel_id: channelId,
             destination,
         });
         if (this.encryptionManager?.notifyChannelEstablished) {
             await this.encryptionManager.notifyChannelEstablished(channelId);
-            logger$11.debug('notified_encryption_manager_channel_ready', {
+            logger$12.debug('notified_encryption_manager_channel_ready', {
                 channel_id: channelId,
             });
         }
     }
     async handleChannelHandshakeFailed(channelId, destination, reason = 'handshake_failed') {
-        logger$11.debug('channel_handshake_failed', {
+        logger$12.debug('channel_handshake_failed', {
             channel_id: channelId,
             destination,
             reason,
         });
         if (this.encryptionManager?.notifyChannelFailed) {
             await this.encryptionManager.notifyChannelFailed(channelId, reason);
-            logger$11.debug('notified_encryption_manager_channel_failed', {
+            logger$12.debug('notified_encryption_manager_channel_failed', {
                 channel_id: channelId,
                 reason,
             });
@@ -17247,7 +17183,7 @@ class EnvelopeSecurityHandler {
                 checkPayload: false,
             });
             if (verified) {
-                logger$11.debug('envelope_verified', {
+                logger$12.debug('envelope_verified', {
                     envp_id: envelope.id,
                     sid: envelope.sid,
                     kid,
@@ -17258,7 +17194,7 @@ class EnvelopeSecurityHandler {
         }
         this.keyManagementHandler.queuePendingSignedEnvelope(kid, envelope, context);
         await this.keyManagementHandler.maybeRequestSigningKey(kid, context.originType, fromSystemId);
-        logger$11.debug('queued_envelope_missing_signing_key', {
+        logger$12.debug('queued_envelope_missing_signing_key', {
             kid,
             envp_id: envelope.id,
         });
@@ -17266,7 +17202,7 @@ class EnvelopeSecurityHandler {
     }
     async handleSealedEncryption(envelope, context) {
         if (!envelope.to) {
-            logger$11.warning('sealed_encryption_requested_but_no_destination', {
+            logger$12.warning('sealed_encryption_requested_but_no_destination', {
                 envp_id: envelope.id,
             });
             return true;
@@ -17278,20 +17214,20 @@ class EnvelopeSecurityHandler {
                 : undefined;
             if (options) {
                 if (options.encryptionType === 'channel') {
-                    logger$11.warning('policy_returned_channel_for_sealed_request', {
+                    logger$12.warning('policy_returned_channel_for_sealed_request', {
                         envp_id: envelope.id,
                     });
                     return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, normalizeEncryptionOptions({
                         requestAddress: envelope.to,
                     }));
                 }
-                logger$11.debug('using_sealed_encryption_options', {
+                logger$12.debug('using_sealed_encryption_options', {
                     envp_id: envelope.id,
                     options,
                 });
                 return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, options);
             }
-            logger$11.debug('no_encryption_options_requesting_key', {
+            logger$12.debug('no_encryption_options_requesting_key', {
                 envp_id: envelope.id,
             });
             return await this.handleToBeEncryptedEnvelopeWithOptions(envelope, context, normalizeEncryptionOptions({
@@ -17299,7 +17235,7 @@ class EnvelopeSecurityHandler {
             }));
         }
         catch (error) {
-            logger$11.debug('sealed_key_lookup_failed_requesting', {
+            logger$12.debug('sealed_key_lookup_failed_requesting', {
                 envp_id: envelope.id,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -17310,7 +17246,7 @@ class EnvelopeSecurityHandler {
     }
     async handleChannelEncryption(envelope, context) {
         if (!envelope.to) {
-            logger$11.warning('channel_encryption_requested_but_no_destination', {
+            logger$12.warning('channel_encryption_requested_but_no_destination', {
                 envp_id: envelope.id,
             });
             return true;
@@ -17325,13 +17261,13 @@ class EnvelopeSecurityHandler {
             return true;
         }
         if (context.originType !== DeliveryOriginType.LOCAL) {
-            logger$11.warning('envelope_encryption_rejected_non_local', {
+            logger$12.warning('envelope_encryption_rejected_non_local', {
                 origin: context.originType,
             });
             return true;
         }
         if (!isDataFrame$4(envelope.frame)) {
-            logger$11.trace('skipping_encryption_non_dataframe', {
+            logger$12.trace('skipping_encryption_non_dataframe', {
                 envp_id: envelope.id,
                 frame_type: envelope.frame.type,
             });
@@ -17342,7 +17278,7 @@ class EnvelopeSecurityHandler {
             ? normalizeEncryptionOptions(rawOptions)
             : undefined;
         if (!options) {
-            logger$11.warning('no_encryption_options_provided', {
+            logger$12.warning('no_encryption_options_provided', {
                 envp_id: envelope.id,
             });
             return true;
@@ -17354,13 +17290,13 @@ class EnvelopeSecurityHandler {
             return true;
         }
         if (context.originType !== DeliveryOriginType.LOCAL) {
-            logger$11.warning('envelope_encryption_rejected_non_local', {
+            logger$12.warning('envelope_encryption_rejected_non_local', {
                 origin: context.originType,
             });
             return true;
         }
         if (!isDataFrame$4(envelope.frame)) {
-            logger$11.trace('skipping_encryption_non_dataframe', {
+            logger$12.trace('skipping_encryption_non_dataframe', {
                 envp_id: envelope.id,
                 frame_type: envelope.frame.type,
             });
@@ -17377,7 +17313,7 @@ class EnvelopeSecurityHandler {
         // Skip encryption if envelope is already encrypted
         // This prevents re-queuing when replayed envelopes go through security again
         if (envelope.sec?.enc) {
-            logger$11.debug('skipping_encryption_already_encrypted', {
+            logger$12.debug('skipping_encryption_already_encrypted', {
                 envp_id: envelope.id,
                 destination: envelope.to ? String(envelope.to) : undefined,
             });
@@ -17386,14 +17322,14 @@ class EnvelopeSecurityHandler {
         try {
             const result = await this.encryptionManager.encryptEnvelope(envelope, normalizedOptions);
             if (result.status === EncryptionStatus.QUEUED) {
-                logger$11.debug('envelope_queued_for_encryption', {
+                logger$12.debug('envelope_queued_for_encryption', {
                     envp_id: envelope.id,
                 });
                 await this.handleEncryptionQueueing(envelope, context, normalizedOptions);
                 return false;
             }
             if (result.status === EncryptionStatus.OK) {
-                logger$11.debug('envelope_encrypted', { envp_id: envelope.id });
+                logger$12.debug('envelope_encrypted', { envp_id: envelope.id });
                 if (result.envelope) {
                     envelope.frame = result.envelope.frame;
                     envelope.sec = result.envelope.sec;
@@ -17401,17 +17337,17 @@ class EnvelopeSecurityHandler {
                 return true;
             }
             if (result.status === EncryptionStatus.SKIPPED) {
-                logger$11.debug('envelope_encryption_skipped', { envp_id: envelope.id });
+                logger$12.debug('envelope_encryption_skipped', { envp_id: envelope.id });
                 return true;
             }
-            logger$11.warning('unknown_encryption_status', {
+            logger$12.warning('unknown_encryption_status', {
                 envp_id: envelope.id,
                 status: result.status,
             });
             return true;
         }
         catch (error) {
-            logger$11.error('encryption_failed', {
+            logger$12.error('encryption_failed', {
                 envp_id: envelope.id,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -17450,7 +17386,7 @@ class EnvelopeSecurityHandler {
             return;
         }
         if (normalizedOptions.encryptionType === 'channel') {
-            logger$11.debug('channel_encryption_queueing_handled_internally', {
+            logger$12.debug('channel_encryption_queueing_handled_internally', {
                 envp_id: envelope.id,
                 destination: normalizedOptions.destination
                     ? String(normalizedOptions.destination)
@@ -17458,13 +17394,13 @@ class EnvelopeSecurityHandler {
             });
             return;
         }
-        logger$11.warning('unknown_encryption_queueing_options', {
+        logger$12.warning('unknown_encryption_queueing_options', {
             envp_id: envelope.id,
             options: normalizedOptions,
         });
     }
     async handleFailedChannelEnvelopeCleanup(destination, reason) {
-        logger$11.debug('channel_handshake_failure_cleanup_attempted', {
+        logger$12.debug('channel_handshake_failure_cleanup_attempted', {
             destination,
             reason,
             note: 'envelope_cleanup_handled_by_encryption_manager',
@@ -17475,7 +17411,7 @@ class EnvelopeSecurityHandler {
     }
 }
 
-const logger$10 = getLogger('naylence.fame.node.secure_channel_frame_handler');
+const logger$11 = getLogger('naylence.fame.node.secure_channel_frame_handler');
 function isPlainRecord$1(value) {
     if (typeof value !== 'object' || value === null) {
         return false;
@@ -17565,7 +17501,7 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureOpen');
-        logger$10.debug('received_secure_open', {
+        logger$11.debug('received_secure_open', {
             cid: frame.cid,
             algorithm: frame.alg,
         });
@@ -17588,13 +17524,13 @@ class SecureChannelFrameHandler {
                 stickySid: envelope.sid ?? undefined,
                 expectedResponseType: FameResponseType.NONE,
             };
-            logger$10.debug('stickiness_requested_for_channel_encryption', {
+            logger$11.debug('stickiness_requested_for_channel_encryption', {
                 cid: frame.cid,
                 reason: 'secure_channel_established',
             });
         }
         await this.sendCallback(responseEnvelope, responseContext);
-        logger$10.debug('sent_secure_accept', { cid: frame.cid, ok: acceptFrame.ok });
+        logger$11.debug('sent_secure_accept', { cid: frame.cid, ok: acceptFrame.ok });
         if (acceptFrame.ok && this.envelopeSecurityHandler) {
             const destination = extractDestinationFromChannelId(frame.cid);
             if (destination) {
@@ -17606,13 +17542,13 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureAccept');
-        logger$10.debug('received_secure_accept', { cid: frame.cid, ok: frame.ok });
+        logger$11.debug('received_secure_accept', { cid: frame.cid, ok: frame.ok });
         const success = await this.secureChannelManager.handleAcceptFrame(frame);
         if (!success) {
-            logger$10.warning('failed_to_complete_channel', { cid: frame.cid });
+            logger$11.warning('failed_to_complete_channel', { cid: frame.cid });
         }
         else {
-            logger$10.debug('channel_established', { cid: frame.cid });
+            logger$11.debug('channel_established', { cid: frame.cid });
             if (this.envelopeSecurityHandler) {
                 const destination = extractDestinationFromChannelId(frame.cid);
                 if (destination) {
@@ -17624,7 +17560,7 @@ class SecureChannelFrameHandler {
             const destination = extractDestinationFromChannelId(frame.cid);
             if (destination) {
                 await this.envelopeSecurityHandler.handleChannelHandshakeFailed(frame.cid, destination, 'negative_secure_accept');
-                logger$10.debug('notified_handshake_failure', {
+                logger$11.debug('notified_handshake_failure', {
                     cid: frame.cid,
                     destination,
                 });
@@ -17635,7 +17571,7 @@ class SecureChannelFrameHandler {
         assertSecureChannelManager(this.secureChannelManager);
         const frame = envelope.frame;
         assertFrameType(frame, 'SecureClose');
-        logger$10.debug('received_secure_close', {
+        logger$11.debug('received_secure_close', {
             cid: frame.cid,
             reason: frame.reason,
         });
@@ -17693,7 +17629,7 @@ function createNodeDeliveryContext(options = {}) {
 class FameEnvironmentContext {
 }
 
-const FACTORY_META$19 = {
+const FACTORY_META$1a = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'DefaultNodeIdentityPolicy',
 };
@@ -17711,11 +17647,48 @@ class DefaultNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
 var defaultNodeIdentityPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     DefaultNodeIdentityPolicyFactory: DefaultNodeIdentityPolicyFactory,
-    FACTORY_META: FACTORY_META$19,
+    FACTORY_META: FACTORY_META$1a,
     default: DefaultNodeIdentityPolicyFactory
 });
 
-const logger$$ = getLogger('naylence.fame.node.token_subject_node_identity_policy');
+const TOKEN_PROVIDER_FACTORY_BASE_TYPE = 'TokenProviderFactory';
+class TokenProviderFactory extends AbstractResourceFactory {
+    static async createTokenProvider(config, options = {}) {
+        if (config) {
+            const provider = await createResource$1(TOKEN_PROVIDER_FACTORY_BASE_TYPE, config, options);
+            if (!provider) {
+                throw new Error('Failed to create token provider from configuration');
+            }
+            return provider;
+        }
+        let provider = null;
+        try {
+            provider = await createDefaultResource(TOKEN_PROVIDER_FACTORY_BASE_TYPE, null, options);
+        }
+        catch (error) {
+            const message = 'Failed to create default token provider' +
+                (error instanceof Error && error.message ? `: ${error.message}` : '');
+            throw new Error(message);
+        }
+        if (!provider) {
+            throw new Error('Failed to create default token provider');
+        }
+        return provider;
+    }
+}
+
+function isTokenProvider(candidate) {
+    return (typeof candidate === 'object' &&
+        candidate !== null &&
+        typeof candidate.getToken === 'function');
+}
+function isIdentityExposingTokenProvider(candidate) {
+    return (isTokenProvider(candidate) &&
+        typeof candidate.getIdentity ===
+            'function');
+}
+
+const logger$10 = getLogger('naylence.fame.node.token_subject_node_identity_policy');
 class TokenSubjectNodeIdentityPolicy {
     async resolveInitialNodeId(context) {
         if (context.configuredId) {
@@ -17727,7 +17700,7 @@ class TokenSubjectNodeIdentityPolicy {
         return generateIdAsync();
     }
     async resolveAdmissionNodeId(context) {
-        logger$$.debug('resolve_admission_node_id_start', {
+        logger$10.debug('resolve_admission_node_id_start', {
             grantsCount: context.grants?.length ?? 0,
             currentNodeId: context.currentNodeId,
         });
@@ -17736,31 +17709,31 @@ class TokenSubjectNodeIdentityPolicy {
                 try {
                     const auth = grant.auth;
                     if (!auth) {
-                        logger$$.debug('skipping_grant_no_auth', { grantType: grant.type });
+                        logger$10.debug('skipping_grant_no_auth', { grantType: grant.type });
                         continue;
                     }
                     const tokenProviderConfig = (auth.tokenProvider ??
                         auth.token_provider);
                     if (!tokenProviderConfig ||
                         typeof tokenProviderConfig.type !== 'string') {
-                        logger$$.debug('skipping_grant_invalid_token_provider_config', {
+                        logger$10.debug('skipping_grant_invalid_token_provider_config', {
                             grantType: grant.type,
                             config: tokenProviderConfig,
                         });
                         continue;
                     }
-                    logger$$.debug('creating_token_provider', {
+                    logger$10.debug('creating_token_provider', {
                         type: tokenProviderConfig.type,
                     });
                     const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
                     const isExposing = isIdentityExposingTokenProvider(provider);
-                    logger$$.debug('token_provider_created', {
+                    logger$10.debug('token_provider_created', {
                         type: tokenProviderConfig.type,
                         isIdentityExposing: isExposing,
                     });
                     if (isExposing) {
                         const identity = await provider.getIdentity();
-                        logger$$.debug('retrieved_identity', { identity });
+                        logger$10.debug('retrieved_identity', { identity });
                         if (identity && identity.subject) {
                             const hashedSubject = await generateIdAsync({
                                 mode: 'fingerprint',
@@ -17768,7 +17741,7 @@ class TokenSubjectNodeIdentityPolicy {
                                 length: 8,
                             });
                             const newNodeId = `${hashedSubject}-${context.currentNodeId}`;
-                            logger$$.info('resolved_identity_from_token', {
+                            logger$10.info('resolved_identity_from_token', {
                                 subject: identity.subject,
                                 hashedSubject,
                                 newNodeId,
@@ -17776,17 +17749,17 @@ class TokenSubjectNodeIdentityPolicy {
                             return newNodeId;
                         }
                         else {
-                            logger$$.debug('identity_missing_subject', { identity });
+                            logger$10.debug('identity_missing_subject', { identity });
                         }
                     }
                 }
                 catch (err) {
-                    logger$$.warning('failed_to_extract_identity_from_grant', { error: err });
+                    logger$10.warning('failed_to_extract_identity_from_grant', { error: err });
                 }
             }
         }
         else {
-            logger$$.debug('no_grants_available');
+            logger$10.debug('no_grants_available');
         }
         return context.currentNodeId;
     }
@@ -17797,7 +17770,7 @@ var tokenSubjectNodeIdentityPolicy = /*#__PURE__*/Object.freeze({
     TokenSubjectNodeIdentityPolicy: TokenSubjectNodeIdentityPolicy
 });
 
-const FACTORY_META$18 = {
+const FACTORY_META$19 = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'TokenSubjectNodeIdentityPolicy',
 };
@@ -17816,27 +17789,27 @@ class TokenSubjectNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
 
 var tokenSubjectNodeIdentityPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$18,
+    FACTORY_META: FACTORY_META$19,
     TokenSubjectNodeIdentityPolicyFactory: TokenSubjectNodeIdentityPolicyFactory,
     default: TokenSubjectNodeIdentityPolicyFactory
 });
 
-const logger$_ = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
-const PROFILE_NAME_DEFAULT = 'default';
+const logger$$ = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
+const PROFILE_NAME_DEFAULT$1 = 'default';
 const PROFILE_NAME_TOKEN_SUBJECT = 'token-subject';
 const PROFILE_NAME_TOKEN_SUBJECT_ALIAS = 'token_subject';
-const DEFAULT_PROFILE = {
+const DEFAULT_PROFILE$1 = {
     type: 'DefaultNodeIdentityPolicy',
 };
 const TOKEN_SUBJECT_PROFILE = {
     type: 'TokenSubjectNodeIdentityPolicy',
 };
-const PROFILE_MAP$5 = {
-    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+const PROFILE_MAP$6 = {
+    [PROFILE_NAME_DEFAULT$1]: DEFAULT_PROFILE$1,
     [PROFILE_NAME_TOKEN_SUBJECT]: TOKEN_SUBJECT_PROFILE,
     [PROFILE_NAME_TOKEN_SUBJECT_ALIAS]: TOKEN_SUBJECT_PROFILE,
 };
-const FACTORY_META$17 = {
+const FACTORY_META$18 = {
     base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
     key: 'NodeIdentityPolicyProfile',
 };
@@ -17846,17 +17819,17 @@ class NodeIdentityPolicyProfileFactory extends NodeIdentityPolicyFactory {
         this.type = 'NodeIdentityPolicyProfile';
     }
     async create(config) {
-        const normalized = normalizeConfig$w(config);
-        const profileConfig = resolveProfileConfig$4(normalized.profile);
-        logger$_.debug('enabling_node_identity_policy_profile', {
+        const normalized = normalizeConfig$x(config);
+        const profileConfig = resolveProfileConfig$5(normalized.profile);
+        logger$$.debug('enabling_node_identity_policy_profile', {
             profile: normalized.profile,
         });
         return NodeIdentityPolicyFactory.createNodeIdentityPolicy(profileConfig);
     }
 }
-function normalizeConfig$w(config) {
+function normalizeConfig$x(config) {
     if (!config) {
-        return { profile: PROFILE_NAME_DEFAULT };
+        return { profile: PROFILE_NAME_DEFAULT$1 };
     }
     const candidate = config;
     const profileValue = typeof candidate.profile === 'string' && candidate.profile.trim().length > 0
@@ -17867,24 +17840,24 @@ function normalizeConfig$w(config) {
             : typeof candidate.profileName === 'string' &&
                 candidate.profileName.trim().length > 0
                 ? candidate.profileName
-                : PROFILE_NAME_DEFAULT;
+                : PROFILE_NAME_DEFAULT$1;
     const normalizedProfile = profileValue.trim().toLowerCase();
     return { profile: normalizedProfile };
 }
-function resolveProfileConfig$4(profileName) {
-    const profile = PROFILE_MAP$5[profileName];
+function resolveProfileConfig$5(profileName) {
+    const profile = PROFILE_MAP$6[profileName];
     if (!profile) {
         throw new Error(`Unknown node identity policy profile: ${profileName}`);
     }
-    return deepClone$4(profile);
+    return deepClone$5(profile);
 }
-function deepClone$4(value) {
+function deepClone$5(value) {
     return JSON.parse(JSON.stringify(value));
 }
 
 var nodeIdentityPolicyProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$17,
+    FACTORY_META: FACTORY_META$18,
     NodeIdentityPolicyProfileFactory: NodeIdentityPolicyProfileFactory,
     default: NodeIdentityPolicyProfileFactory
 });
@@ -17937,8 +17910,8 @@ class DefaultConnectionRetryPolicy {
     }
 }
 
-const logger$Z = getLogger('naylence.fame.node.default-connection-retry-policy-factory');
-const FACTORY_META$16 = {
+const logger$_ = getLogger('naylence.fame.node.default-connection-retry-policy-factory');
+const FACTORY_META$17 = {
     base: CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE,
     key: 'DefaultConnectionRetryPolicy',
 };
@@ -17959,7 +17932,7 @@ class DefaultConnectionRetryPolicyFactory extends ConnectionRetryPolicyFactory {
             }
         }
         const policy = new DefaultConnectionRetryPolicy(options);
-        logger$Z.debug('connection_retry_policy_created', {
+        logger$_.debug('connection_retry_policy_created', {
             maxInitialAttempts: policy.maxInitialAttempts,
         });
         return policy;
@@ -17969,7 +17942,7 @@ class DefaultConnectionRetryPolicyFactory extends ConnectionRetryPolicyFactory {
 var defaultConnectionRetryPolicyFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
     DefaultConnectionRetryPolicyFactory: DefaultConnectionRetryPolicyFactory,
-    FACTORY_META: FACTORY_META$16,
+    FACTORY_META: FACTORY_META$17,
     default: DefaultConnectionRetryPolicyFactory
 });
 
@@ -17984,7 +17957,7 @@ class LoadBalancerStickinessManagerFactory extends AbstractResourceFactory {
     }
 }
 
-const logger$Y = getLogger('naylence.fame.sentinel.load_balancing.composite_load_balancing_strategy');
+const logger$Z = getLogger('naylence.fame.sentinel.load_balancing.composite_load_balancing_strategy');
 class CompositeLoadBalancingStrategy {
     constructor(strategies) {
         if (!strategies.length) {
@@ -18001,7 +17974,7 @@ class CompositeLoadBalancingStrategy {
             try {
                 const result = strategy.choose(poolKey, segments, envelope);
                 if (result !== null) {
-                    logger$Y.debug('composite_strategy_success', {
+                    logger$Z.debug('composite_strategy_success', {
                         envelopeId: envelope.id,
                         poolKey,
                         strategyIndex: index,
@@ -18012,7 +17985,7 @@ class CompositeLoadBalancingStrategy {
                 }
             }
             catch (error) {
-                logger$Y.warning('composite_strategy_error', {
+                logger$Z.warning('composite_strategy_error', {
                     envelopeId: envelope.id,
                     poolKey,
                     strategyIndex: index,
@@ -18021,7 +17994,7 @@ class CompositeLoadBalancingStrategy {
                 });
             }
         }
-        logger$Y.debug('composite_strategy_all_failed', {
+        logger$Z.debug('composite_strategy_all_failed', {
             envelopeId: envelope.id,
             poolKey,
             strategyCount: this.strategies.length,
@@ -18030,7 +18003,7 @@ class CompositeLoadBalancingStrategy {
     }
 }
 
-const logger$X = getLogger('naylence.fame.sentinel.load_balancing.sticky_load_balancing_strategy');
+const logger$Y = getLogger('naylence.fame.sentinel.load_balancing.sticky_load_balancing_strategy');
 class StickyLoadBalancingStrategy {
     constructor(stickinessManager) {
         this.lastChosenReplica = null;
@@ -18045,7 +18018,7 @@ class StickyLoadBalancingStrategy {
         }
         const stickyReplica = this.stickinessManager.getStickyReplicaSegment(envelope, segments);
         if (stickyReplica && segments.includes(stickyReplica)) {
-            logger$X.debug('routing_via_stickiness', {
+            logger$Y.debug('routing_via_stickiness', {
                 envelopeId: envelope.id,
                 poolKey,
                 replicaId: stickyReplica,
@@ -18055,7 +18028,7 @@ class StickyLoadBalancingStrategy {
             this.lastChosenReplica = stickyReplica;
             return stickyReplica;
         }
-        logger$X.debug('no_stickiness_match_fallback', {
+        logger$Y.debug('no_stickiness_match_fallback', {
             envelopeId: envelope.id,
             poolKey,
             aftPresent: Boolean(envelope.aft),
@@ -18143,7 +18116,7 @@ class RouteStoreFactory extends AbstractResourceFactory {
         return store ?? null;
     }
 }
-const FACTORY_META$15 = {
+const FACTORY_META$16 = {
     base: ROUTE_STORE_FACTORY_BASE_TYPE,
     key: 'InMemoryRouteStore',
 };
@@ -18161,7 +18134,7 @@ class InMemoryRouteStoreFactory extends RouteStoreFactory {
 
 var routeStoreFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$15,
+    FACTORY_META: FACTORY_META$16,
     InMemoryRouteStoreFactory: InMemoryRouteStoreFactory,
     ROUTE_STORE_FACTORY_BASE_TYPE: ROUTE_STORE_FACTORY_BASE_TYPE,
     RouteStoreFactory: RouteStoreFactory,
@@ -18393,7 +18366,7 @@ function resolveRecordArray(primary, secondary) {
     return pickRecordArray(candidate) ?? undefined;
 }
 
-const logger$W = getLogger('naylence.fame.sentinel.route_manager');
+const logger$X = getLogger('naylence.fame.sentinel.route_manager');
 const DEFAULT_CONNECTOR_CLEANUP_DELAY_MS$1 = 200;
 function normalizeRouteManagerOptions(options) {
     const { route_store, get_id, cleanup_delay_ms, retain_address_bindings_on_disconnect, ...rest } = options;
@@ -18477,7 +18450,7 @@ class RouteManager extends TaskSpawner {
                 await this.safeStop(entry.connector);
             }
             catch (error) {
-                logger$W.debug('pending_route_stop_failed', {
+                logger$X.debug('pending_route_stop_failed', {
                     error: error instanceof Error ? error.message : String(error),
                 });
             }
@@ -18500,7 +18473,7 @@ class RouteManager extends TaskSpawner {
             this.cancelPendingCleanup(segment);
             this.downstreamRoutes.set(segment, route);
         });
-        logger$W.debug('registered_downstream_route', { route: segment });
+        logger$X.debug('registered_downstream_route', { route: segment });
     }
     async unregisterDownstreamRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -18516,7 +18489,7 @@ class RouteManager extends TaskSpawner {
             this.cancelPendingCleanup(segment);
             this._peer_routes.set(segment, route);
         });
-        logger$W.debug('registered_peer_route', { route: segment });
+        logger$X.debug('registered_peer_route', { route: segment });
     }
     async unregisterPeerRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -18534,11 +18507,11 @@ class RouteManager extends TaskSpawner {
         await Promise.all(entryTuples.map(async ([segment, entry]) => {
             const normalized = this.normalizeEntry(entry);
             if (!normalized.connectorConfig) {
-                logger$W.warning('route_restore_missing_config', { segment });
+                logger$X.warning('route_restore_missing_config', { segment });
                 return;
             }
             if (normalized.attachExpiresAt && normalized.attachExpiresAt < now) {
-                logger$W.debug('skipping_expired_route', { segment });
+                logger$X.debug('skipping_expired_route', { segment });
                 return;
             }
             const authorization = this.parseAuthorization(normalized.metadata);
@@ -18571,7 +18544,7 @@ class RouteManager extends TaskSpawner {
                 }
                 catch (error) {
                     if (this.isTransientError(error)) {
-                        logger$W.warning('transient_restore_failure', {
+                        logger$X.warning('transient_restore_failure', {
                             segment,
                             attempt,
                             error: error instanceof Error ? error.message : String(error),
@@ -18580,7 +18553,7 @@ class RouteManager extends TaskSpawner {
                         backoff *= 2;
                         continue;
                     }
-                    logger$W.error('failed_to_restore_route', {
+                    logger$X.error('failed_to_restore_route', {
                         segment,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -18609,13 +18582,13 @@ class RouteManager extends TaskSpawner {
         await this._downstream_route_store
             .delete(segment)
             .catch((error) => {
-            logger$W.warning('route_expiration_delete_failed', {
+            logger$X.warning('route_expiration_delete_failed', {
                 segment,
                 error: error instanceof Error ? error.message : String(error),
             });
         });
         this.purgeRouteReferences(segment);
-        logger$W.debug('expired_route', { route: segment });
+        logger$X.debug('expired_route', { route: segment });
     }
     async removeDownstreamRoute(segment, options) {
         const normalizedOptions = normalizeRouteRemovalOptions(options);
@@ -18673,7 +18646,7 @@ class RouteManager extends TaskSpawner {
             this.purgeRouteReferences(segment);
         }
         await store.delete(segment).catch((error) => {
-            logger$W.warning('route_delete_failed', {
+            logger$X.warning('route_delete_failed', {
                 segment,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -18692,7 +18665,7 @@ class RouteManager extends TaskSpawner {
             caller_stack: captureStack ? captureCallerStack() : undefined,
             retained_addresses: retainAddresses,
         };
-        logger$W.debug('removed_route', removalMeta);
+        logger$X.debug('removed_route', removalMeta);
     }
     purgeRouteReferences(segment) {
         for (const [address, info] of this._downstream_addresses_routes.entries()) {
@@ -18747,10 +18720,10 @@ class RouteManager extends TaskSpawner {
             }
             catch (error) {
                 if (combined.signal.aborted) {
-                    logger$W.debug('connector_cleanup_cancelled', { segment });
+                    logger$X.debug('connector_cleanup_cancelled', { segment });
                 }
                 else {
-                    logger$W.debug('connector_cleanup_delay_failed', {
+                    logger$X.debug('connector_cleanup_delay_failed', {
                         segment,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -18773,7 +18746,7 @@ class RouteManager extends TaskSpawner {
         }
         catch (error) {
             if (error instanceof Error) {
-                logger$W.debug('connector_stop_ignored', { error: error.message });
+                logger$X.debug('connector_stop_ignored', { error: error.message });
             }
         }
         for (const [flowId, peer] of this.flowRoutes.entries()) {
@@ -18798,12 +18771,12 @@ class RouteManager extends TaskSpawner {
             }
         }
         catch (error) {
-            logger$W.error('janitor_loop_error', {
+            logger$X.error('janitor_loop_error', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
         finally {
-            logger$W.debug('janitor_loop_exited');
+            logger$X.debug('janitor_loop_exited');
         }
     }
     async scanStoreForExpirations(store, now, kind) {
@@ -18823,13 +18796,13 @@ class RouteManager extends TaskSpawner {
                 }
             });
             await store.delete(segment).catch((error) => {
-                logger$W.warning('route_auto_expire_delete_failed', {
+                logger$X.warning('route_auto_expire_delete_failed', {
                     segment,
                     error: error instanceof Error ? error.message : String(error),
                 });
             });
             this.purgeRouteReferences(segment);
-            logger$W.debug('auto_expired_route', { segment });
+            logger$X.debug('auto_expired_route', { segment });
         }));
     }
     parseAuthorization(metadata) {
@@ -18852,7 +18825,7 @@ class RouteManager extends TaskSpawner {
             return { ...base, ...extraFields };
         }
         catch (error) {
-            logger$W.error('corrupt_route_metadata', {
+            logger$X.error('corrupt_route_metadata', {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
@@ -18928,12 +18901,12 @@ function captureCallerStack(skip = 3, depth = 6) {
     return frames.map((frame) => frame.trim()).join(' | ');
 }
 
-const logger$V = getLogger('naylence.fame.sentinel.router');
+const logger$W = getLogger('naylence.fame.sentinel.router');
 const ZERO_EPH_PUB_BASE64 = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';
 class Drop {
     async execute(envelope, router, state, context) {
         await emitDeliveryNack(envelope, router, state, 'NO_ROUTE', context ?? undefined);
-        logger$V.debug('dropped_envelope', Object.assign(summarizeEnvelope(envelope, ''), {
+        logger$W.debug('dropped_envelope', Object.assign(summarizeEnvelope(envelope, ''), {
             localAddresses: Array.from(state.local.values()),
             downstreamRoutes: Array.from(state.downstreamAddressRoutes.entries()),
             peerRoutes: Array.from(state.peerAddressRoutes.entries()),
@@ -18963,7 +18936,7 @@ class ForwardChild {
         }
         catch (error) {
             if (error instanceof FameTransportClose) {
-                logger$V.error('transport_closed_forward_child', {
+                logger$W.error('transport_closed_forward_child', {
                     segment: this.segment,
                     error: error.message,
                 });
@@ -18995,7 +18968,7 @@ class ForwardPeer {
         }
         catch (error) {
             if (error instanceof FameTransportClose) {
-                logger$V.error('transport_closed_forward_peer', {
+                logger$W.error('transport_closed_forward_peer', {
                     segment: this.segment,
                     error: error.message,
                 });
@@ -19030,7 +19003,7 @@ class Deny {
     async execute(envelope, router, state, context) {
         const { internalReason, deniedAction, matchedRule, context: extraContext, disclosure = 'opaque', } = this.options;
         // Log detailed denial internally
-        logger$V.warning('route_authorization_denied', {
+        logger$W.warning('route_authorization_denied', {
             envp_id: envelope.id,
             frame_type: envelope.frame?.type ?? null,
             to: envelope.to?.toString() ?? null,
@@ -19076,7 +19049,7 @@ function mapRoutingActionToAuthorizationAction(action) {
         return null;
     }
     // Unknown RoutingAction: return null, caller should deny by default
-    logger$V.warning('unknown_routing_action_for_authorization', {
+    logger$W.warning('unknown_routing_action_for_authorization', {
         action_type: action?.constructor?.name ?? 'unknown',
     });
     return null;
@@ -19109,7 +19082,7 @@ async function emitDeliveryNack(envelope, routingNode, state, code, context) {
         return;
     }
     if (!state.envelopeFactory) {
-        logger$V.warning('router_missing_envelope_factory', summarizeEnvelope(envelope));
+        logger$W.warning('router_missing_envelope_factory', summarizeEnvelope(envelope));
         return;
     }
     const nackFrame = createNackFrame(envelope, code);
@@ -19140,7 +19113,7 @@ async function emitDeliveryNack(envelope, routingNode, state, code, context) {
         }
     }
     catch (error) {
-        logger$V.warning('nack_forward_failed', {
+        logger$W.warning('nack_forward_failed', {
             error: error instanceof Error ? error.message : String(error),
             ...summarizeEnvelope(envelope),
         });
@@ -19346,7 +19319,7 @@ class HRWLoadBalancingStrategy {
     }
 }
 
-const logger$U = getLogger('naylence.fame.sentinel.capability_aware_routing_policy');
+const logger$V = getLogger('naylence.fame.sentinel.capability_aware_routing_policy');
 function normalizeOptions$i(options) {
     if (!options || typeof options !== 'object') {
         return {};
@@ -19398,7 +19371,7 @@ class CapabilityAwareRoutingPolicy {
             if (chosenSegment) {
                 return new ForwardChild(chosenSegment);
             }
-            logger$U.warning('capability_policy_lb_failed', {
+            logger$V.warning('capability_policy_lb_failed', {
                 segments: providerSegments,
                 capabilities,
                 ...summarizeEnvelope(envelope),
@@ -19427,7 +19400,7 @@ class CapabilityAwareRoutingPolicy {
             }
         }
         catch (error) {
-            logger$U.warning('capability_policy_resolve_failed', {
+            logger$V.warning('capability_policy_resolve_failed', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -19664,7 +19637,7 @@ function toFameAddress(address) {
     return address instanceof FameAddress ? address : new FameAddress(address);
 }
 
-const logger$T = getLogger('naylence.fame.sentinel.node_attach_frame_handler');
+const logger$U = getLogger('naylence.fame.sentinel.node_attach_frame_handler');
 const DOWNSTREAM_ORIGINS = new Set([
     DeliveryOriginType.DOWNSTREAM,
     DeliveryOriginType.PEER,
@@ -19757,7 +19730,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
         this.maxTtlSec = options.maxTtlSec ?? null;
     }
     async acceptNodeAttach(envelope, context) {
-        logger$T.debug('handling_node_attach_request');
+        logger$U.debug('handling_node_attach_request');
         const normalizedContext = this.normalizeContext(context);
         const frame = this.normalizeNodeAttachFrame(envelope.frame);
         if (frame.type !== 'NodeAttach') {
@@ -19802,14 +19775,14 @@ class NodeAttachFrameHandler extends TaskSpawner {
         let isRebind = false;
         if (frame.originType === DeliveryOriginType.DOWNSTREAM) {
             const hasExistingRoute = this.routeManager.downstreamRoutes.has(attachedSystemId);
-            logger$T.debug('checking_for_existing_route', {
+            logger$U.debug('checking_for_existing_route', {
                 system_id: attachedSystemId,
                 has_existing: hasExistingRoute,
                 existing_routes: Array.from(this.routeManager.downstreamRoutes.keys()),
             });
             if (hasExistingRoute) {
                 isRebind = true;
-                logger$T.warning('rebinding_existing_downstream_route', {
+                logger$U.warning('rebinding_existing_downstream_route', {
                     system_id: attachedSystemId,
                 });
                 oldAssignedPath = buildAssignedPath$1(this.routingNode.physicalPath, attachedSystemId);
@@ -19828,7 +19801,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     meta: { systemId: attachedSystemId },
                 })
                     .catch((error) => {
-                    logger$T.warning('failed_to_unregister_downstream_route_before_rebind', {
+                    logger$U.warning('failed_to_unregister_downstream_route_before_rebind', {
                         system_id: attachedSystemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -19845,7 +19818,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                             for (const address of orphanedAddresses) {
                                 encryptionMgr.clearChannelCacheForDestination(address);
                             }
-                            logger$T.debug('cleared_channel_cache_for_rebind', {
+                            logger$U.debug('cleared_channel_cache_for_rebind', {
                                 system_id: attachedSystemId,
                                 addresses: orphanedAddresses,
                             });
@@ -19857,7 +19830,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                                     encryptionMgr.removeChannelsForDestination(address);
                             }
                             if (totalRemoved > 0) {
-                                logger$T.debug('removed_channel_states_for_rebind', {
+                                logger$U.debug('removed_channel_states_for_rebind', {
                                     system_id: attachedSystemId,
                                     channels_removed: totalRemoved,
                                 });
@@ -19865,7 +19838,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                         }
                     }
                     catch (error) {
-                        logger$T.warning('failed_to_cleanup_channels_for_rebind', {
+                        logger$U.warning('failed_to_cleanup_channels_for_rebind', {
                             system_id: attachedSystemId,
                             error: error instanceof Error ? error.message : String(error),
                         });
@@ -19888,7 +19861,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     meta: { systemId: attachedSystemId },
                 })
                     .catch((error) => {
-                    logger$T.warning('failed_to_unregister_peer_route_before_rebind', {
+                    logger$U.warning('failed_to_unregister_peer_route_before_rebind', {
                         system_id: attachedSystemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -19926,7 +19899,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                 ? { stickiness: negotiatedStickiness }
                 : {}),
         });
-        logger$T.debug('sending_node_attach_ack', {
+        logger$U.debug('sending_node_attach_ack', {
             env_id: ackEnvelope.id ?? 'unknown',
         });
         await this.sendAndNotify(connector, ackEnvelope, attachedSystemId, normalizedContext);
@@ -19973,7 +19946,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
             return this.stickinessManager.negotiate(stickiness);
         }
         catch (error) {
-            logger$T.debug('stickiness_negotiate_skipped', {
+            logger$U.debug('stickiness_negotiate_skipped', {
                 error: error instanceof Error ? error.message : String(error),
             });
             return null;
@@ -19989,13 +19962,13 @@ class NodeAttachFrameHandler extends TaskSpawner {
         }
         if (!attachExpiresAt || earliestKeyExpiry < attachExpiresAt) {
             if (attachExpiresAt) {
-                logger$T.warning('attachment_ttl_limited_by_key_expiry', {
+                logger$U.warning('attachment_ttl_limited_by_key_expiry', {
                     limited_attach_expires_at: earliestKeyExpiry.toISOString(),
                     original_attach_expires_at: attachExpiresAt.toISOString(),
                 });
             }
             else {
-                logger$T.debug('attachment_ttl_set_by_key_expiry', {
+                logger$U.debug('attachment_ttl_set_by_key_expiry', {
                     attach_expires_at: earliestKeyExpiry.toISOString(),
                     reason: 'no_max_ttl_configured',
                 });
@@ -20006,7 +19979,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
     }
     async validateAttachmentKeys(frame, envelope, connector, context, systemId) {
         if (!this.attachmentKeyValidator) {
-            logger$T.debug('child_key_validation_skipped', {
+            logger$U.debug('child_key_validation_skipped', {
                 child_id: systemId,
                 reason: 'no_validator',
             });
@@ -20022,7 +19995,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
                 }
             }
             if (keyInfos.length > 0) {
-                logger$T.debug('node_attach_key_validation_passed', {
+                logger$U.debug('node_attach_key_validation_passed', {
                     system_id: systemId,
                     instance_id: frame.instanceId,
                     correlation_id: envelope.corrId,
@@ -20042,13 +20015,13 @@ class NodeAttachFrameHandler extends TaskSpawner {
                     reason: `Certificate validation failed: ${error.message}`,
                 });
                 await this.sendAndNotify(connector, rejectionAck, systemId, context).catch((sendError) => {
-                    logger$T.error('failed_sending_negative_attach_ack', {
+                    logger$U.error('failed_sending_negative_attach_ack', {
                         error: sendError instanceof Error
                             ? sendError.message
                             : String(sendError),
                     });
                 });
-                logger$T.error('node_attach_key_validation_failed', {
+                logger$U.error('node_attach_key_validation_failed', {
                     system_id: systemId,
                     instance_id: frame.instanceId,
                     correlation_id: envelope.corrId,
@@ -20114,10 +20087,10 @@ class NodeAttachFrameHandler extends TaskSpawner {
         try {
             await delay(delaySeconds * 1000);
             await connector.close(1008, 'attach-unauthorized');
-            logger$T.debug('closed_unauthorized_connection');
+            logger$U.debug('closed_unauthorized_connection');
         }
         catch (error) {
-            logger$T.error('failed_to_close_unauthorized_connection', {
+            logger$U.error('failed_to_close_unauthorized_connection', {
                 error: error instanceof Error ? error.message : String(error),
             });
         }
@@ -20230,7 +20203,7 @@ class NodeAttachFrameHandler extends TaskSpawner {
     }
 }
 
-const logger$S = getLogger('naylence.fame.sentinel.address_bind_frame_handler');
+const logger$T = getLogger('naylence.fame.sentinel.address_bind_frame_handler');
 const RESERVED_ADDRESS_NAMES = new Set(['__sys__', '__rpc__']);
 function pickManagerField(manager, keys) {
     const record = manager;
@@ -20554,7 +20527,7 @@ class AddressBindFrameHandler {
         if (this.routingNode.forwardToPeers) {
             await this.routingNode.forwardToPeers(envelope, undefined, [sourceSystemId], context);
         }
-        logger$S.debug('address_bound', {
+        logger$T.debug('address_bound', {
             address: addressStr,
             segment: sourceSystemId,
         });
@@ -20652,7 +20625,7 @@ class AddressBindFrameHandler {
             }
             await this.routingNode.forwardToRoute(sourceSystemId, ackEnvelope, ackContext);
         }
-        logger$S.debug('address_unbound', {
+        logger$T.debug('address_unbound', {
             address: addressStr,
             segment: sourceSystemId,
         });
@@ -20670,7 +20643,7 @@ class AddressBindFrameHandler {
     }
 }
 
-const logger$R = getLogger('naylence.fame.sentinel.node_heartbeat_frame_handler');
+const logger$S = getLogger('naylence.fame.sentinel.node_heartbeat_frame_handler');
 function normalizeOptions$h(options) {
     if (!options || typeof options !== 'object') {
         throw new Error('NodeHeartbeatFrameHandler requires a routingNode option');
@@ -20707,7 +20680,7 @@ class NodeHeartbeatFrameHandler {
         if (!frame || frame.type !== 'NodeHeartbeat') {
             throw new Error(`Invalid envelope frame. Expected: NodeHeartbeatFrame, actual: ${frame?.type ?? 'unknown'}`);
         }
-        logger$R.trace('handling_heartbeat', {
+        logger$S.trace('handling_heartbeat', {
             hb_system_id: frame.systemId ?? 'unknown',
             hb_env_id: envelope.id ?? 'unknown',
             hb_corr_id: envelope.corrId ?? 'unknown',
@@ -20735,7 +20708,7 @@ class NodeHeartbeatFrameHandler {
             ...(envelope.corrId ? { corrId: envelope.corrId } : {}),
             ...(envelope.traceId ? { traceId: envelope.traceId } : {}),
         });
-        logger$R.debug('sending_heartbeat_ack', {
+        logger$S.debug('sending_heartbeat_ack', {
             hb_ack_env_id: ackEnvelope.id ?? 'unknown',
             hb_ack_corr_id: ackEnvelope.corrId ?? 'unknown',
         });
@@ -20763,7 +20736,7 @@ class NodeHeartbeatFrameHandler {
     }
 }
 
-const logger$Q = getLogger('naylence.fame.sentinel.capability_frame_handler');
+const logger$R = getLogger('naylence.fame.sentinel.capability_frame_handler');
 class CapabilityFrameHandler {
     constructor(options) {
         this.capabilityRoutes = new Map();
@@ -20790,7 +20763,7 @@ class CapabilityFrameHandler {
         const segment = this.getSourceSystemId(context);
         const downstreamRoutes = getDownstreamRoutes(this.routeManager);
         if (!segment || !hasRoute(downstreamRoutes, segment)) {
-            logger$Q.debug('capability_advertise_unknown_segment', { segment });
+            logger$R.debug('capability_advertise_unknown_segment', { segment });
             return;
         }
         const addressKey = this.normalizeAddress(frame.address);
@@ -20823,7 +20796,7 @@ class CapabilityFrameHandler {
         }
         const segment = this.getSourceSystemId(context);
         if (!segment) {
-            logger$Q.debug('capability_withdraw_missing_segment');
+            logger$R.debug('capability_withdraw_missing_segment');
             return;
         }
         const addressKey = this.normalizeAddress(frame.address);
@@ -20877,7 +20850,7 @@ class CapabilityFrameHandler {
     async forwardAckToSegment(segment, ackFrame, originalEnvelope, ackContext) {
         const envelopeFactory = this.routingNode.envelopeFactory;
         if (!envelopeFactory) {
-            logger$Q.warning('missing_envelope_factory_for_capability_ack');
+            logger$R.warning('missing_envelope_factory_for_capability_ack');
             return;
         }
         const ackEnvelope = envelopeFactory.createEnvelope({
@@ -20940,7 +20913,7 @@ function getStickySid(context) {
     return typed.stickySid ?? typed.sticky_sid ?? undefined;
 }
 
-const logger$P = getLogger('naylence.fame.sentinel.credit_update_frame_handler');
+const logger$Q = getLogger('naylence.fame.sentinel.credit_update_frame_handler');
 function normalizeOptions$g(options) {
     if (!options || typeof options !== 'object') {
         throw new Error('CreditUpdateFrameHandler requires a routeManager option');
@@ -20960,12 +20933,12 @@ class CreditUpdateFrameHandler {
     async acceptCreditUpdate(envelope, context) {
         const flowId = envelope.flowId;
         if (!flowId) {
-            logger$P.warning('credit_update_missing_flow_id');
+            logger$Q.warning('credit_update_missing_flow_id');
             return;
         }
         const targetConnector = this.routeManager.getFlowRoute(flowId);
         if (!targetConnector) {
-            logger$P.warning('credit_update_unknown_flow', { flowId });
+            logger$Q.warning('credit_update_unknown_flow', { flowId });
             return;
         }
         if (context?.fromConnector && context.fromConnector === targetConnector) {
@@ -20975,7 +20948,7 @@ class CreditUpdateFrameHandler {
     }
 }
 
-const logger$O = getLogger('naylence.fame.sentinel.sentinel');
+const logger$P = getLogger('naylence.fame.sentinel.sentinel');
 const ALLOWED_BEFORE_ATTACH = new Set(['NodeAttach']);
 const SYSTEM_INBOX = '__sys__';
 const RESERVED_UPSTREAM_ADDRESS_NAMES = new Set(['__sys__', '__rpc__']);
@@ -21069,7 +21042,7 @@ class Sentinel extends FameNode {
                 routeStore = createPersistentRouteStore(this.storageProvider);
             }
             catch (error) {
-                logger$O.warning('persistent_route_store_unavailable', {
+                logger$P.warning('persistent_route_store_unavailable', {
                     error: error instanceof Error ? error.message : String(error),
                 });
                 routeStore = getDefaultRouteStore();
@@ -21151,7 +21124,7 @@ class Sentinel extends FameNode {
     bumpRoutingEpoch() {
         const previousEpoch = this.routingEpochValue;
         this.routingEpochValue = generateId();
-        logger$O.debug('routing_epoch_bumped', {
+        logger$P.debug('routing_epoch_bumped', {
             previous_epoch: previousEpoch,
             new_epoch: this.routingEpochValue,
         });
@@ -21242,7 +21215,7 @@ class Sentinel extends FameNode {
     }
     async forwardToRoute(nextSegment, envelope, context) {
         if (this.originMatches(context, nextSegment, DeliveryOriginType.DOWNSTREAM)) {
-            logger$O.debug('downstream_loop_detected', {
+            logger$P.debug('downstream_loop_detected', {
                 envp_id: envelope.id,
                 segment: nextSegment,
             });
@@ -21255,14 +21228,14 @@ class Sentinel extends FameNode {
             }
             const connector = this.routeManager.downstreamRoutes.get(nextSegment);
             if (!connector) {
-                logger$O.warning('no_route_for_child_segment', { segment: nextSegment });
+                logger$P.warning('no_route_for_child_segment', { segment: nextSegment });
                 await this.emitDeliveryNack(processed, {
                     code: 'CHILD_UNREACHABLE',
                     context: context ?? null,
                 });
                 return;
             }
-            logger$O.debug('forwarding_downstream', {
+            logger$P.debug('forwarding_downstream', {
                 ...summarizeEnvelope(processed, ''),
                 route: nextSegment,
             });
@@ -21279,7 +21252,7 @@ class Sentinel extends FameNode {
     }
     async forwardToPeer(peerSegment, envelope, context) {
         if (this.originMatches(context, peerSegment, DeliveryOriginType.PEER)) {
-            logger$O.debug('peer_loop_detected', {
+            logger$P.debug('peer_loop_detected', {
                 envp_id: envelope.id,
                 segment: peerSegment,
             });
@@ -21290,7 +21263,7 @@ class Sentinel extends FameNode {
         }
         const connector = this.routeManager._peer_routes.get(peerSegment);
         if (!connector) {
-            logger$O.warning('no_route_for_peer_segment', {
+            logger$P.warning('no_route_for_peer_segment', {
                 peer_segment: peerSegment,
             });
             await this.emitDeliveryNack(processed, {
@@ -21333,7 +21306,7 @@ class Sentinel extends FameNode {
     }
     async forwardUpstream(envelope, context) {
         if (context?.originType === DeliveryOriginType.UPSTREAM) {
-            logger$O.debug('skipping_forward_upstream', {
+            logger$P.debug('skipping_forward_upstream', {
                 envp_id: envelope.id,
                 origin_type: context.originType,
             });
@@ -21453,7 +21426,7 @@ class Sentinel extends FameNode {
                 }
                 catch (error) {
                     if (!combined.signal.aborted) {
-                        logger$O.debug('attach_timeout_delay_failed', {
+                        logger$P.debug('attach_timeout_delay_failed', {
                             system_id: systemId,
                             error: error instanceof Error ? error.message : String(error),
                         });
@@ -21480,12 +21453,12 @@ class Sentinel extends FameNode {
                     await connector.stop();
                 }
                 catch (error) {
-                    logger$O.debug('attach_timeout_stop_failed', {
+                    logger$P.debug('attach_timeout_stop_failed', {
                         system_id: systemId,
                         error: error instanceof Error ? error.message : String(error),
                     });
                 }
-                logger$O.warning('attach_timeout_expired', {
+                logger$P.warning('attach_timeout_expired', {
                     system_id: systemId,
                     timeout_ms: timeoutMs,
                 });
@@ -21539,7 +21512,7 @@ class Sentinel extends FameNode {
                     return new FameAddress(addressKey);
                 }
                 catch (error) {
-                    logger$O.debug('invalid_capability_address', {
+                    logger$P.debug('invalid_capability_address', {
                         capability,
                         address: addressKey,
                         error: error instanceof Error ? error.message : String(error),
@@ -21695,7 +21668,7 @@ class Sentinel extends FameNode {
     }
     async propagateAddressBindingsUpstream() {
         if (!this.hasParent) {
-            logger$O.warning('No upstream defined to rebind addresses');
+            logger$P.warning('No upstream defined to rebind addresses');
             return;
         }
         const entries = Array.from(this.routeManager._downstream_addresses_routes.entries());
@@ -21718,7 +21691,7 @@ class Sentinel extends FameNode {
                 await this.bindAddressUpstream(new FameAddress(address), info);
             }
             catch (error) {
-                logger$O.error('rebind_failed', {
+                logger$P.error('rebind_failed', {
                     address,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -21816,7 +21789,7 @@ class Sentinel extends FameNode {
             }
             catch (error) {
                 // Hook threw => treat as denial, execute Drop
-                logger$O.warning('routing_action_hook_error', {
+                logger$P.warning('routing_action_hook_error', {
                     envp_id: envelope.id,
                     error: error instanceof Error ? error.message : String(error),
                 });
@@ -21840,7 +21813,7 @@ class Sentinel extends FameNode {
         }
         const abortSignal = signal ?? null;
         if (abortSignal?.aborted) {
-            logger$O.info('shutdown_signal_received', { signal: 'abort' });
+            logger$P.info('shutdown_signal_received', { signal: 'abort' });
             return;
         }
         // Build fabric options, preferring rootConfig if provided
@@ -21856,7 +21829,7 @@ class Sentinel extends FameNode {
         if (node !== null) {
             fabricCreateOptions.node = node;
         }
-        logger$O.debug('fabric_create_options', {
+        logger$P.debug('fabric_create_options', {
             hasRootConfig: 'rootConfig' in fabricCreateOptions,
             hasNode: 'node' in fabricCreateOptions,
             rootConfigKeys: fabricCreateOptions.rootConfig
@@ -21889,7 +21862,7 @@ class Sentinel extends FameNode {
         const registerSignalListeners = () => {
             for (const sig of signals) {
                 const listener = () => {
-                    logger$O.info('shutdown_signal_received', { signal: sig });
+                    logger$P.info('shutdown_signal_received', { signal: sig });
                     cleanupListeners();
                     stopResolve();
                 };
@@ -21898,7 +21871,7 @@ class Sentinel extends FameNode {
             }
             if (abortSignal) {
                 abortListener = () => {
-                    logger$O.info('shutdown_signal_received', { signal: 'abort' });
+                    logger$P.info('shutdown_signal_received', { signal: 'abort' });
                     cleanupListeners();
                     stopResolve();
                 };
@@ -21911,12 +21884,12 @@ class Sentinel extends FameNode {
             await providedFabric.enter();
             try {
                 registerSignalListeners();
-                logger$O.info('sentinel_live', {
+                logger$P.info('sentinel_live', {
                     message: 'Node is live! Press Ctrl+C to stop.',
                 });
                 try {
                     await stopPromise;
-                    logger$O.info('sentinel_shutdown_begin');
+                    logger$P.info('sentinel_shutdown_begin');
                 }
                 finally {
                     cleanupListeners();
@@ -21930,19 +21903,19 @@ class Sentinel extends FameNode {
             // Use withFabric pattern for automatic lifecycle management
             await withFabric(fabricCreateOptions, async () => {
                 registerSignalListeners();
-                logger$O.info('sentinel_live', {
+                logger$P.info('sentinel_live', {
                     message: 'Node is live! Press Ctrl+C to stop.',
                 });
                 try {
                     await stopPromise;
-                    logger$O.info('sentinel_shutdown_begin');
+                    logger$P.info('sentinel_shutdown_begin');
                 }
                 finally {
                     cleanupListeners();
                 }
             });
         }
-        logger$O.info('sentinel_shutdown_complete');
+        logger$P.info('sentinel_shutdown_complete');
     }
 }
 function normalizeServeLogLevel(level) {
@@ -22087,7 +22060,7 @@ function isPlainRecord(value) {
     return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
 
-const FACTORY_META$14 = {
+const FACTORY_META$15 = {
     base: NODE_LIKE_FACTORY_BASE_TYPE,
     key: 'Sentinel',
 };
@@ -22271,7 +22244,7 @@ class SentinelFactory extends NodeLikeFactory {
 
 var sentinelFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    FACTORY_META: FACTORY_META$14,
+    FACTORY_META: FACTORY_META$15,
     SentinelFactory: SentinelFactory,
     default: SentinelFactory
 });
@@ -22354,7 +22327,7 @@ function createConnectorConfig(config) {
  * Browser-local connector that routes binary frames between peers via an in-page EventTarget.
  * Relies on BaseAsyncConnector for flow control and shutdown behavior.
  */
-const logger$N = getLogger('naylence.fame.connector.inpage_connector');
+const logger$O = getLogger('naylence.fame.connector.inpage_connector');
 const INPAGE_CONNECTOR_TYPE = 'inpage-connector';
 const DEFAULT_CHANNEL$6 = 'naylence-fabric';
 const DEFAULT_INBOX_CAPACITY$6 = 2048;
@@ -22452,7 +22425,7 @@ class InPageConnector extends BaseAsyncConnector {
         }
         this.localNodeId = normalizedLocalNodeId;
         this.targetNodeId = InPageConnector.normalizeTargetNodeId(config.initialTargetNodeId);
-        logger$N.debug('inpage_connector_initialized', {
+        logger$O.debug('inpage_connector_initialized', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -22461,7 +22434,7 @@ class InPageConnector extends BaseAsyncConnector {
         });
         this.onMsg = (event) => {
             if (!this.listenerRegistered) {
-                logger$N.warning('inpage_message_after_unregister', {
+                logger$O.warning('inpage_message_after_unregister', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     timestamp: new Date().toISOString(),
@@ -22470,7 +22443,7 @@ class InPageConnector extends BaseAsyncConnector {
             }
             const messageEvent = event;
             const message = messageEvent.data;
-            logger$N.debug('inpage_raw_event', {
+            logger$O.debug('inpage_raw_event', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 message_type: message && typeof message === 'object'
@@ -22490,7 +22463,7 @@ class InPageConnector extends BaseAsyncConnector {
                 : null;
             const senderNodeId = InPageConnector.normalizeNodeId(busMessage.senderNodeId);
             if (!senderId || !senderNodeId) {
-                logger$N.debug('inpage_message_rejected', {
+                logger$O.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'missing_sender_metadata',
@@ -22498,7 +22471,7 @@ class InPageConnector extends BaseAsyncConnector {
                 return;
             }
             if (senderId === this.connectorId || senderNodeId === this.localNodeId) {
-                logger$N.debug('inpage_message_rejected', {
+                logger$O.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'self_echo',
@@ -22512,14 +22485,14 @@ class InPageConnector extends BaseAsyncConnector {
             }
             const payload = InPageConnector.coercePayload(busMessage.payload);
             if (!payload) {
-                logger$N.debug('inpage_payload_rejected', {
+                logger$O.debug('inpage_payload_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'unrecognized_payload_type',
                 });
                 return;
             }
-            logger$N.debug('inpage_message_received', {
+            logger$O.debug('inpage_message_received', {
                 channel: this.channelName,
                 sender_id: senderId,
                 sender_node_id: senderNodeId,
@@ -22548,14 +22521,14 @@ class InPageConnector extends BaseAsyncConnector {
             }
             catch (error) {
                 if (error instanceof QueueFullError) {
-                    logger$N.warning('inpage_receive_queue_full', {
+                    logger$O.warning('inpage_receive_queue_full', {
                         channel: this.channelName,
                         inbox_capacity: this.inboxCapacity,
                         inbox_remaining_capacity: this.inbox.remainingCapacity,
                     });
                 }
                 else {
-                    logger$N.error('inpage_receive_error', {
+                    logger$O.error('inpage_receive_error', {
                         channel: this.channelName,
                         error: error instanceof Error ? error.message : String(error),
                     });
@@ -22567,7 +22540,7 @@ class InPageConnector extends BaseAsyncConnector {
         // Setup visibility change monitoring
         this.visibilityChangeHandler = () => {
             const isHidden = document.hidden;
-            logger$N.debug('inpage_visibility_changed', {
+            logger$O.debug('inpage_visibility_changed', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 visibility: isHidden ? 'hidden' : 'visible',
@@ -22576,7 +22549,7 @@ class InPageConnector extends BaseAsyncConnector {
             // Pause/resume connector based on visibility
             if (isHidden && this.state === ConnectorState.STARTED) {
                 this.pause().catch((err) => {
-                    logger$N.warning('inpage_pause_failed', {
+                    logger$O.warning('inpage_pause_failed', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         error: err instanceof Error ? err.message : String(err),
@@ -22585,7 +22558,7 @@ class InPageConnector extends BaseAsyncConnector {
             }
             else if (!isHidden && this.state === ConnectorState.PAUSED) {
                 this.resume().catch((err) => {
-                    logger$N.warning('inpage_resume_failed', {
+                    logger$O.warning('inpage_resume_failed', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         error: err instanceof Error ? err.message : String(err),
@@ -22599,7 +22572,7 @@ class InPageConnector extends BaseAsyncConnector {
             // Track page lifecycle events to detect browser unload/discard
             if (typeof window !== 'undefined') {
                 const lifecycleLogger = (event) => {
-                    logger$N.info('inpage_page_lifecycle', {
+                    logger$O.info('inpage_page_lifecycle', {
                         channel: this.channelName,
                         connector_id: this.connectorId,
                         event_type: event.type,
@@ -22615,7 +22588,7 @@ class InPageConnector extends BaseAsyncConnector {
                 document.addEventListener('resume', lifecycleLogger);
             }
             // Log initial state with detailed visibility info
-            logger$N.debug('inpage_initial_visibility', {
+            logger$O.debug('inpage_initial_visibility', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 visibility: document.hidden ? 'hidden' : 'visible',
@@ -22633,7 +22606,7 @@ class InPageConnector extends BaseAsyncConnector {
         await super.start(inboundHandler);
         // After transitioning to STARTED, check if tab is already hidden
         if (typeof document !== 'undefined' && document.hidden) {
-            logger$N.debug('inpage_start_in_hidden_tab', {
+            logger$O.debug('inpage_start_in_hidden_tab', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 document_hidden: document.hidden,
@@ -22643,7 +22616,7 @@ class InPageConnector extends BaseAsyncConnector {
             });
             // Immediately pause if tab is hidden at start time
             await this.pause().catch((err) => {
-                logger$N.warning('inpage_initial_pause_failed', {
+                logger$O.warning('inpage_initial_pause_failed', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     error: err instanceof Error ? err.message : String(err),
@@ -22673,14 +22646,14 @@ class InPageConnector extends BaseAsyncConnector {
         }
         catch (error) {
             if (error instanceof QueueFullError) {
-                logger$N.warning('inpage_push_queue_full', {
+                logger$O.warning('inpage_push_queue_full', {
                     channel: this.channelName,
                     inbox_capacity: this.inboxCapacity,
                     inbox_remaining_capacity: this.inbox.remainingCapacity,
                 });
                 throw error;
             }
-            logger$N.error('inpage_push_failed', {
+            logger$O.error('inpage_push_failed', {
                 channel: this.channelName,
                 error: error instanceof Error ? error.message : String(error),
             });
@@ -22690,7 +22663,7 @@ class InPageConnector extends BaseAsyncConnector {
     async _transportSendBytes(data) {
         ensureBrowserEnvironment$2();
         const targetNodeId = this.targetNodeId ?? '*';
-        logger$N.debug('inpage_message_sending', {
+        logger$O.debug('inpage_message_sending', {
             channel: this.channelName,
             sender_id: this.connectorId,
             sender_node_id: this.localNodeId,
@@ -22714,7 +22687,7 @@ class InPageConnector extends BaseAsyncConnector {
         return item;
     }
     async _transportClose(code, reason) {
-        logger$N.debug('inpage_transport_closing', {
+        logger$O.debug('inpage_transport_closing', {
             channel: this.channelName,
             connector_id: this.connectorId,
             code,
@@ -22723,14 +22696,14 @@ class InPageConnector extends BaseAsyncConnector {
             timestamp: new Date().toISOString(),
         });
         if (this.listenerRegistered) {
-            logger$N.debug('inpage_removing_listener', {
+            logger$O.debug('inpage_removing_listener', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 timestamp: new Date().toISOString(),
             });
             getSharedBus$1().removeEventListener(this.channelName, this.onMsg);
             this.listenerRegistered = false;
-            logger$N.debug('inpage_listener_removed', {
+            logger$O.debug('inpage_listener_removed', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 timestamp: new Date().toISOString(),
@@ -22762,7 +22735,7 @@ class InPageConnector extends BaseAsyncConnector {
             if (targetNodeId &&
                 targetNodeId !== '*' &&
                 targetNodeId !== this.localNodeId) {
-                logger$N.debug('inpage_message_rejected', {
+                logger$O.debug('inpage_message_rejected', {
                     channel: this.channelName,
                     connector_id: this.connectorId,
                     reason: 'wildcard_target_mismatch',
@@ -22778,7 +22751,7 @@ class InPageConnector extends BaseAsyncConnector {
         if (expectedSender &&
             expectedSender !== '*' &&
             senderNodeId !== expectedSender) {
-            logger$N.debug('inpage_message_rejected', {
+            logger$O.debug('inpage_message_rejected', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 reason: 'unexpected_sender',
@@ -22791,7 +22764,7 @@ class InPageConnector extends BaseAsyncConnector {
         if (targetNodeId &&
             targetNodeId !== '*' &&
             targetNodeId !== this.localNodeId) {
-            logger$N.debug('inpage_message_rejected', {
+            logger$O.debug('inpage_message_rejected', {
                 channel: this.channelName,
                 connector_id: this.connectorId,
                 reason: 'unexpected_target',
@@ -22816,7 +22789,7 @@ class InPageConnector extends BaseAsyncConnector {
         return 'unknown';
     }
     logInboxSnapshot(event, extra = {}) {
-        logger$N.debug(event, {
+        logger$O.debug(event, {
             channel: this.channelName,
             connector_id: this.connectorId,
             connector_state: this.state,
@@ -22835,7 +22808,7 @@ class InPageConnector extends BaseAsyncConnector {
             return;
         }
         this.targetNodeId = normalized;
-        logger$N.debug('inpage_target_updated', {
+        logger$O.debug('inpage_target_updated', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -22845,7 +22818,7 @@ class InPageConnector extends BaseAsyncConnector {
     }
     setWildcardTarget() {
         this.targetNodeId = '*';
-        logger$N.debug('inpage_target_updated', {
+        logger$O.debug('inpage_target_updated', {
             channel: this.channelName,
             connector_id: this.connectorId,
             local_node_id: this.localNodeId,
@@ -23039,6 +23012,185 @@ class AuthorizerFactory extends AbstractResourceFactory {
     }
 }
 
+const logger$N = getLogger('naylence.fame.security.auth.authorization_profile_factory');
+const PROFILE_NAME_DEFAULT = 'jwt';
+const PROFILE_NAME_OAUTH2 = 'oauth2';
+const PROFILE_NAME_OAUTH2_GATED = 'oauth2-gated';
+const PROFILE_NAME_OAUTH2_CALLBACK = 'oauth2-callback';
+const PROFILE_NAME_NOOP$2 = 'noop';
+const ENV_VAR_JWT_TRUSTED_ISSUER$1 = 'FAME_JWT_TRUSTED_ISSUER';
+const ENV_VAR_JWT_ALGORITHM$3 = 'FAME_JWT_ALGORITHM';
+const ENV_VAR_JWT_AUDIENCE$3 = 'FAME_JWT_AUDIENCE';
+const ENV_VAR_JWKS_URL$1 = 'FAME_JWKS_URL';
+const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
+const ENV_VAR_TRUSTED_CLIENT_SCOPE$1 = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 = 'FAME_JWT_REVERSE_AUTH_TRUSTED_ISSUER';
+const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
+const ENV_VAR_HMAC_SECRET$1 = 'FAME_HMAC_SECRET';
+const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
+const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
+const DEFAULT_PROFILE = {
+    type: 'DefaultAuthorizer',
+    verifier: {
+        type: 'JWKSJWTTokenVerifier',
+        jwks_url: Expressions.env(ENV_VAR_JWKS_URL$1),
+        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    },
+};
+const OAUTH2_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER$1),
+    required_scopes: ['node.connect'],
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM$3, 'RS256'),
+    audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$3),
+};
+const OAUTH2_GATED_PROFILE = {
+    ...OAUTH2_PROFILE,
+    enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1, 'false'),
+    trusted_client_scope: Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE$1, 'node.trusted'),
+};
+const OAUTH2_CALLBACK_PROFILE = {
+    type: 'OAuth2Authorizer',
+    issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+    audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1),
+    require_scope: true,
+    default_ttl_sec: 3600,
+    max_ttl_sec: 86400,
+    reverse_auth_ttl_sec: 86400,
+    token_verifier_config: {
+        type: 'JWTTokenVerifier',
+        algorithm: 'HS256',
+        hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET$1),
+        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+    },
+    token_issuer_config: {
+        type: 'JWTTokenIssuer',
+        algorithm: 'HS256',
+        hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET$1),
+        kid: 'hmac-reverse-auth-key',
+        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1, DEFAULT_REVERSE_AUTH_ISSUER),
+        ttl_sec: 86400,
+        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1, DEFAULT_REVERSE_AUTH_AUDIENCE),
+    },
+};
+const NOOP_PROFILE$2 = {
+    type: 'NoopAuthorizer',
+};
+const PROFILE_MAP$5 = {
+    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [PROFILE_NAME_OAUTH2]: OAUTH2_PROFILE,
+    [PROFILE_NAME_OAUTH2_GATED]: OAUTH2_GATED_PROFILE,
+    [PROFILE_NAME_OAUTH2_CALLBACK]: OAUTH2_CALLBACK_PROFILE,
+    [PROFILE_NAME_NOOP$2]: NOOP_PROFILE$2,
+};
+const PROFILE_ALIASES$1 = {
+    jwt: PROFILE_NAME_DEFAULT,
+    jwks: PROFILE_NAME_DEFAULT,
+    default: PROFILE_NAME_DEFAULT,
+    oauth2: PROFILE_NAME_OAUTH2,
+    oidc: PROFILE_NAME_OAUTH2,
+    'oauth2-gated': PROFILE_NAME_OAUTH2_GATED,
+    oauth2_gated: PROFILE_NAME_OAUTH2_GATED,
+    'oauth2-callback': PROFILE_NAME_OAUTH2_CALLBACK,
+    oauth2_callback: PROFILE_NAME_OAUTH2_CALLBACK,
+    'reverse-auth': PROFILE_NAME_OAUTH2_CALLBACK,
+    noop: PROFILE_NAME_NOOP$2,
+    'no-op': PROFILE_NAME_NOOP$2,
+    no_op: PROFILE_NAME_NOOP$2,
+};
+const FACTORY_META$14 = {
+    base: AUTHORIZER_FACTORY_BASE_TYPE,
+    key: 'AuthorizationProfile',
+};
+class AuthorizationProfileFactory extends AuthorizerFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'AuthorizationProfile';
+    }
+    async create(config, ...factoryArgs) {
+        const normalized = normalizeConfig$w(config);
+        const profileConfig = resolveProfileConfig$4(normalized.profile);
+        logger$N.debug('enabling_authorization_profile', {
+            profile: normalized.profile,
+        });
+        const authorizer = await AuthorizerFactory.createAuthorizer(profileConfig, { factoryArgs });
+        if (!authorizer) {
+            throw new Error(`Failed to create authorizer for profile: ${normalized.profile}`);
+        }
+        return authorizer;
+    }
+}
+function normalizeConfig$w(config) {
+    if (!config) {
+        return { profile: PROFILE_NAME_OAUTH2 };
+    }
+    const candidate = config;
+    const profileValue = resolveProfileName$2(candidate);
+    const canonicalProfile = canonicalizeProfileName$1(profileValue);
+    candidate.profile = canonicalProfile;
+    return { profile: canonicalProfile };
+}
+function resolveProfileName$2(candidate) {
+    const direct = coerceProfileString$2(candidate.profile);
+    if (direct) {
+        return direct;
+    }
+    const legacyKeys = ['profile_name', 'profileName'];
+    for (const legacyKey of legacyKeys) {
+        const legacyValue = coerceProfileString$2(candidate[legacyKey]);
+        if (legacyValue) {
+            return legacyValue;
+        }
+    }
+    return PROFILE_NAME_OAUTH2;
+}
+function coerceProfileString$2(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function canonicalizeProfileName$1(value) {
+    const normalized = value.replace(/[\s_]+/g, '-').toLowerCase();
+    return PROFILE_ALIASES$1[normalized] ?? normalized;
+}
+function resolveProfileConfig$4(profileName) {
+    const profile = PROFILE_MAP$5[profileName];
+    if (!profile) {
+        throw new Error(`Unknown authorization profile: ${profileName}`);
+    }
+    return deepClone$4(profile);
+}
+function deepClone$4(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+
+var authorizationProfileFactory = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    AuthorizationProfileFactory: AuthorizationProfileFactory,
+    ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1,
+    ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET$1,
+    ENV_VAR_JWKS_URL: ENV_VAR_JWKS_URL$1,
+    ENV_VAR_JWT_ALGORITHM: ENV_VAR_JWT_ALGORITHM$3,
+    ENV_VAR_JWT_AUDIENCE: ENV_VAR_JWT_AUDIENCE$3,
+    ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE: ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1,
+    ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER: ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1,
+    ENV_VAR_JWT_TRUSTED_ISSUER: ENV_VAR_JWT_TRUSTED_ISSUER$1,
+    ENV_VAR_TRUSTED_CLIENT_SCOPE: ENV_VAR_TRUSTED_CLIENT_SCOPE$1,
+    FACTORY_META: FACTORY_META$14,
+    PROFILE_NAME_DEFAULT: PROFILE_NAME_DEFAULT,
+    PROFILE_NAME_NOOP: PROFILE_NAME_NOOP$2,
+    PROFILE_NAME_OAUTH2: PROFILE_NAME_OAUTH2,
+    PROFILE_NAME_OAUTH2_CALLBACK: PROFILE_NAME_OAUTH2_CALLBACK,
+    PROFILE_NAME_OAUTH2_GATED: PROFILE_NAME_OAUTH2_GATED,
+    default: AuthorizationProfileFactory
+});
+
 function isAuthInjectionStrategy(candidate) {
     return (typeof candidate === 'object' &&
         candidate !== null &&
@@ -30535,14 +30687,13 @@ const ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER = 'FAME_JWT_REVERSE_AUTH_TRUSTED_I
 const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
 const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
 const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
+const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
 const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
 const PROFILE_NAME_OVERLAY = 'overlay';
 const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
 const PROFILE_NAME_GATED = 'gated';
 const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
 const PROFILE_NAME_OPEN$1 = 'open';
-const DEFAULT_REVERSE_AUTH_ISSUER = 'reverse-auth.naylence.ai';
-const DEFAULT_REVERSE_AUTH_AUDIENCE = 'dev.naylence.ai';
 const STRICT_OVERLAY_PROFILE = {
     type: 'DefaultSecurityManager',
     security_policy: {
@@ -30588,12 +30739,8 @@ const STRICT_OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'DefaultAuthorizer',
-        verifier: {
-            type: 'JWKSJWTTokenVerifier',
-            jwks_url: Expressions.env(ENV_VAR_JWKS_URL),
-            issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
     },
 };
 const OVERLAY_PROFILE = {
@@ -30640,14 +30787,8 @@ const OVERLAY_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM$2, 'RS256'),
-        audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2'),
     },
 };
 const OVERLAY_CALLBACK_PROFILE = {
@@ -30694,29 +30835,8 @@ const OVERLAY_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const GATED_PROFILE = {
@@ -30762,16 +30882,8 @@ const GATED_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_TRUSTED_ISSUER),
-        required_scopes: ['node.connect'],
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        algorithm: Expressions.env(ENV_VAR_JWT_ALGORITHM$2, 'RS256'),
-        audience: Expressions.env(ENV_VAR_JWT_AUDIENCE$2),
-        enforce_token_subject_node_identity: Expressions.env(ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, 'false'),
-        trusted_client_scope: Expressions.env(ENV_VAR_TRUSTED_CLIENT_SCOPE, 'node.trusted'),
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-gated'),
     },
 };
 const GATED_CALLBACK_PROFILE = {
@@ -30817,29 +30929,8 @@ const GATED_CALLBACK_PROFILE = {
         },
     },
     authorizer: {
-        type: 'OAuth2Authorizer',
-        issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-        audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE),
-        require_scope: true,
-        default_ttl_sec: 3600,
-        max_ttl_sec: 86400,
-        reverse_auth_ttl_sec: 86400,
-        token_verifier_config: {
-            type: 'JWTTokenVerifier',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-        },
-        token_issuer_config: {
-            type: 'JWTTokenIssuer',
-            algorithm: 'HS256',
-            hmac_secret: Expressions.env(ENV_VAR_HMAC_SECRET),
-            kid: 'hmac-reverse-auth-key',
-            issuer: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, DEFAULT_REVERSE_AUTH_ISSUER),
-            ttl_sec: 86400,
-            audience: Expressions.env(ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, DEFAULT_REVERSE_AUTH_AUDIENCE),
-        },
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'oauth2-callback'),
     },
 };
 const OPEN_PROFILE$1 = {
@@ -30848,7 +30939,8 @@ const OPEN_PROFILE$1 = {
         type: 'NoSecurityPolicy',
     },
     authorizer: {
-        type: 'NoopAuthorizer',
+        type: 'AuthorizationProfile',
+        profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'noop'),
     },
 };
 const PROFILE_MAP$4 = {
@@ -30977,6 +31069,7 @@ function deepClone$3(value) {
 
 var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
     __proto__: null,
+    ENV_VAR_AUTHORIZATION_PROFILE: ENV_VAR_AUTHORIZATION_PROFILE,
     ENV_VAR_DEFAULT_ENCRYPTION_LEVEL: ENV_VAR_DEFAULT_ENCRYPTION_LEVEL,
     ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY: ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY,
     ENV_VAR_HMAC_SECRET: ENV_VAR_HMAC_SECRET,
@@ -45779,4 +45872,4 @@ var otelSetup = /*#__PURE__*/Object.freeze({
     setupOtel: setupOtel
 });
 
-export { ADMISSION_CLIENT_FACTORY_BASE_TYPE, ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, AnsiColor, AsyncLock, AttachmentKeyValidator, AuthInjectionStrategyFactory, AuthorizationPolicyFactory, AuthorizationPolicySourceFactory, AuthorizerFactory, BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE, BackPressureFull, BaseAsyncConnector, BaseNodeEventListener, BasicAuthorizationPolicy, BasicAuthorizationPolicyFactory, BindingManager, BindingStoreEntryRecord, BrowserAutoKeyCredentialProvider, BrowserWrappedKeyCredentialProvider, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE, CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE, CRYPTO_LEVEL_SECURITY_ORDER, CertificateManagerFactory, ConnectionRetryPolicyFactory, ConnectorConfigDefaults, ConnectorFactory, ConsoleMetricsEmitter, CryptoLevel, FACTORY_META$10 as DEFAULT_WELCOME_FACTORY_META, DefaultConnectionRetryPolicy, DefaultConnectionRetryPolicyFactory, DefaultCryptoProvider, DefaultHttpServer, DefaultKeyManager, DefaultNodeIdentityPolicy, DefaultNodeIdentityPolicyFactory, DefaultSecurityManager, DefaultSecurityPolicy, DefaultWelcomeService, DefaultWelcomeServiceFactory, DevFixedKeyCredentialProvider, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM$2 as ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$2 as ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_SESSION_MAX_INITIAL_ATTEMPTS, ENV_VAR_SHOW_ENVELOPES$1 as ENV_VAR_SHOW_ENVELOPES, EdDSAEnvelopeSigner, EncryptedKeyValueStore, EncryptedStorageProviderBase, EncryptedValue, EncryptionConfiguration, EncryptionManagerFactory, EncryptionResult, EncryptionStatus, EnvCredentialProvider, EnvelopeContext, EnvelopeListenerManager, EnvelopeSecurityHandler, EnvelopeSignerFactory, EnvelopeVerifierFactory, FACTORY_META$11 as FACTORY_META, FAME_FABRIC_FACTORY_BASE_TYPE, FIXED_PREFIX_LEN, FameAuthorizedDeliveryContextSchema, FameConnectError, FameEnvironmentContext, FameError, FameMessageTooLarge, FameNode, FameNodeAuthorizationContextSchema, FameProtocolError, FameTransportClose, FlowController, GRANT_PURPOSE_NODE_ATTACH, HTTP_CONNECTION_GRANT_TYPE, HTTP_STATELESS_CONNECTOR_TYPE, HttpListener, HttpStatelessConnector, INPAGE_CONNECTION_GRANT_TYPE, INPAGE_CONNECTOR_TYPE, InMemoryBinding, InMemoryFanoutBroker, InMemoryKeyValueStore, InMemoryReadWriteChannel, InMemoryStorageProvider, InPageConnector, InPageListener, InProcessFameFabric, InProcessFameFabricFactory, IndexedDBKeyValueStore, IndexedDBStorageProvider, InvalidPassphraseError, JWKValidationError, KEY_MANAGER_FACTORY_BASE_TYPE, KEY_STORE_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, KeyInfo, KeyManagementHandler, KeyManagerFactory, KeyStore, KeyStoreFactory, KeyValidationError, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, LogLevel, LogLevelNames, MAX_SCOPE_NESTING_DEPTH, MemoryMetricsEmitter, NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NODE_LIKE_FACTORY_BASE_TYPE, NODE_PLACEMENT_STRATEGY_FACTORY_BASE_TYPE, NoOpMetricsEmitter, NoSecurityPolicy, NodeFactory, NodeIdentityPolicyFactory, NodeIdentityPolicyProfileFactory, NodePlacementStrategyFactory, NoneCredentialProvider, NoopEncryptionManager, NoopKeyValidator, NoopTrustStoreProvider, NotAuthorized, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN$1 as PROFILE_NAME_OPEN, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_STRICT_OVERLAY, PromptCredentialProvider, QueueFullError, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, REQUIRED_FIELDS_BY_KTY, ReplicaStickinessManagerFactory, RootSessionManager, RouteManager, RpcMixin, RpcProxy, SEALED_ENVELOPE_NONCE_LENGTH, SEALED_ENVELOPE_OVERHEAD, SEALED_ENVELOPE_PRIVATE_KEY_LENGTH, SEALED_ENVELOPE_PUBLIC_KEY_LENGTH, SEALED_ENVELOPE_TAG_LENGTH, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SECURITY_MANAGER_FACTORY_BASE_TYPE, SECURITY_POLICY_FACTORY_BASE_TYPE, SQLiteKeyValueStore, SQLiteStorageProvider, STORAGE_PROVIDER_FACTORY_BASE_TYPE, SecretSource, SecretStoreCredentialProvider, SecureChannelFrameHandler, SecureChannelManagerFactory, SecurityAction, SecurityRequirements, Sentinel, SentinelFactory, SessionKeyCredentialProvider, SignaturePolicy, SigningConfig as SigningConfigClass, SigningConfiguration, SimpleLoadBalancerStickinessManager, SimpleLoadBalancerStickinessManagerFactory, StaticCredentialProvider, StorageAESEncryptionManager, TOKEN_ISSUER_FACTORY_BASE_TYPE, TOKEN_PROVIDER_FACTORY_BASE_TYPE, TOKEN_VERIFIER_FACTORY_BASE_TYPE, TRANSPORT_LISTENER_FACTORY_BASE_TYPE, TRANSPORT_PROVISIONER_FACTORY_BASE_TYPE, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TaskSpawner, TokenIssuerFactory, TokenProviderFactory, TokenSubjectNodeIdentityPolicy, TokenSubjectNodeIdentityPolicyFactory, TokenVerifierFactory, TransportListener, TransportListenerFactory, TransportProvisionerFactory, TrustStoreProviderFactory, TtlValidationError, UpstreamSessionManager, VALID_ACTIONS, VALID_CURVES_BY_KTY, VALID_EFFECTS, VALID_KEY_USES, VALID_ORIGIN_TYPES, VERSION, WEBSOCKET_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WebSocketCloseCode, WebSocketConnector, WebSocketListener, WebSocketState, WelcomeServiceFactory, _NoopFlowController, __runtimePluginLoader, addEnvelopeFields, addLogLevel, addTimestamp, assertConnectionGrant, assertGrant, assertNotRegexPattern, basicConfig, broadcastChannelGrantToConnectorConfig, camelToSnakeCase, canonicalJson, capitalizeFirstLetter, color, compareCryptoLevels, compileGlobOnlyScopeRequirement, compileGlobPattern, compilePattern, compileScopeRequirement, compiledPathPattern, consoleTransport, convertWildcardLogicalToDnsConstraint, createConnectorConfig, createEd25519Keypair, createHostLogicalUri, createJwksRouter, createLogicalUri, createNodeDeliveryContext, createApp as createOAuth2ServerApp, createOAuth2TokenRouter, createOpenIDConfigurationRouter, createResource, createRpcProxy, createRsaKeypair, createTransportCloseError, createX25519Keypair, credentialToString, currentTraceId$1 as currentTraceId, debounce, decodeBase64Url, decodeFameDataPayload, deepMerge, defaultJsonEncoder, delay, dropEmpty, enableLogging, encodeUtf8, ensureRuntimeFactoriesRegistered, evaluateScopeRequirement, extractId, extractPoolAddressBase, extractPoolBase, filterKeysByUse, formatTimestamp, formatTimestampForConsole$1 as formatTimestampForConsole, frameDigest, getCompiledGlobPattern, getCurrentEnvelope, getFabricForNode, getFameRoot, getHttpListenerInstance, getInPageListenerInstance, getKeyProvider, getKeyStore, getLogger, getWebsocketListenerInstance, hasCryptoSupport, hostnameToLogical, hostnamesToLogicals, httpGrantToConnectorConfig, immutableHeaders, inPageGrantToConnectorConfig, isAuthInjectionStrategy, isBroadcastChannelConnectionGrant, isConnectionGrant, isConnectorConfig, isEnvelopeLoggingEnabled, isFameError, isFameErrorType, isGrant, isHttpConnectionGrant, isIdentityExposingTokenProvider, isInPageConnectionGrant, isNodeLike, isPlainObject$4 as isPlainObject, isPoolAddress, isPoolLogical, isRegexPattern, isRegisterable, isTokenExpired, isTokenProvider, isTokenValid, isWebSocketConnectionGrant, jsonDumps, logicalPatternsToDnsConstraints, logicalToHostname, logicalsToHostnames, matchPattern, matchesPoolAddress, matchesPoolLogical, maybeAwait, nodeWelcomeRouter, nodeWelcomeRouterPlugin, normalizeBroadcastChannelConnectionGrant, normalizeEncryptionConfig, normalizeEnvelopeSnapshot, normalizeExtendedFameConfig, normalizeHttpConnectionGrant, normalizeInPageConnectionGrant, normalizeInboundCryptoRules, normalizeInboundSigningRules, normalizeOutboundCryptoRules, normalizeOutboundSigningRules, normalizePath, normalizeResponseCryptoRules, normalizeResponseSigningRules, normalizeScopeRequirement, normalizeSecretSource, normalizeSecurityRequirements, normalizeSigningConfig, normalizeWebSocketConnectionGrant, objectToBytes, operation, parseSealedEnvelope, pinoTransport, prettyModel$1 as prettyModel, registerDefaultFactories, registerDefaultKeyStoreFactory, registerNodePlacementStrategyFactory, registerRuntimeFactories, requireCryptoSupport, retryWithBackoff, main as runOAuth2Server, safeColor, safeImport, sealedDecrypt, sealedEncrypt, secureDigest, setKeyStore, showEnvelopes$1 as showEnvelopes, sleep, snakeToCamelCase, stringifyNonPrimitives, supportsColor, throttle, urlsafeBase64Decode, urlsafeBase64Encode, validateCacheTtlSec, validateEncryptionKey, validateHostLogical, validateHostLogicals, validateJwkComplete, validateJwkStructure, validateJwkUseField, validateJwtTokenTtlSec, validateKeyCorrelationTtlSec, validateLogical, validateLogicalSegment, validateOAuth2TtlSec, validateSigningKey, validateTtlSec, waitForAll, waitForAllSettled, waitForAny, websocketGrantToConnectorConfig, withEnvelopeContext, withEnvelopeContextAsync, withLegacySnakeCaseKeys, withLock, withTimeout };
+export { ADMISSION_CLIENT_FACTORY_BASE_TYPE, ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 as AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, ENV_VAR_HMAC_SECRET$1 as AUTH_PROFILE_ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL$1 as AUTH_PROFILE_ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM$3 as AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$3 as AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_TRUSTED_CLIENT_SCOPE$1 as AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE, PROFILE_NAME_DEFAULT as AUTH_PROFILE_NAME_DEFAULT, PROFILE_NAME_NOOP$2 as AUTH_PROFILE_NAME_NOOP, PROFILE_NAME_OAUTH2 as AUTH_PROFILE_NAME_OAUTH2, PROFILE_NAME_OAUTH2_CALLBACK as AUTH_PROFILE_NAME_OAUTH2_CALLBACK, PROFILE_NAME_OAUTH2_GATED as AUTH_PROFILE_NAME_OAUTH2_GATED, AnsiColor, AsyncLock, AttachmentKeyValidator, AuthInjectionStrategyFactory, AuthorizationPolicyFactory, AuthorizationPolicySourceFactory, AuthorizationProfileFactory, AuthorizerFactory, BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE, BackPressureFull, BaseAsyncConnector, BaseNodeEventListener, BasicAuthorizationPolicy, BasicAuthorizationPolicyFactory, BindingManager, BindingStoreEntryRecord, BrowserAutoKeyCredentialProvider, BrowserWrappedKeyCredentialProvider, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE, CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE, CRYPTO_LEVEL_SECURITY_ORDER, CertificateManagerFactory, ConnectionRetryPolicyFactory, ConnectorConfigDefaults, ConnectorFactory, ConsoleMetricsEmitter, CryptoLevel, FACTORY_META$10 as DEFAULT_WELCOME_FACTORY_META, DefaultConnectionRetryPolicy, DefaultConnectionRetryPolicyFactory, DefaultCryptoProvider, DefaultHttpServer, DefaultKeyManager, DefaultNodeIdentityPolicy, DefaultNodeIdentityPolicyFactory, DefaultSecurityManager, DefaultSecurityPolicy, DefaultWelcomeService, DefaultWelcomeServiceFactory, DevFixedKeyCredentialProvider, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, ENV_VAR_AUTHORIZATION_PROFILE, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM$2 as ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$2 as ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_SESSION_MAX_INITIAL_ATTEMPTS, ENV_VAR_SHOW_ENVELOPES$1 as ENV_VAR_SHOW_ENVELOPES, EdDSAEnvelopeSigner, EncryptedKeyValueStore, EncryptedStorageProviderBase, EncryptedValue, EncryptionConfiguration, EncryptionManagerFactory, EncryptionResult, EncryptionStatus, EnvCredentialProvider, EnvelopeContext, EnvelopeListenerManager, EnvelopeSecurityHandler, EnvelopeSignerFactory, EnvelopeVerifierFactory, FACTORY_META$11 as FACTORY_META, FAME_FABRIC_FACTORY_BASE_TYPE, FIXED_PREFIX_LEN, FameAuthorizedDeliveryContextSchema, FameConnectError, FameEnvironmentContext, FameError, FameMessageTooLarge, FameNode, FameNodeAuthorizationContextSchema, FameProtocolError, FameTransportClose, FlowController, GRANT_PURPOSE_NODE_ATTACH, HTTP_CONNECTION_GRANT_TYPE, HTTP_STATELESS_CONNECTOR_TYPE, HttpListener, HttpStatelessConnector, INPAGE_CONNECTION_GRANT_TYPE, INPAGE_CONNECTOR_TYPE, InMemoryBinding, InMemoryFanoutBroker, InMemoryKeyValueStore, InMemoryReadWriteChannel, InMemoryStorageProvider, InPageConnector, InPageListener, InProcessFameFabric, InProcessFameFabricFactory, IndexedDBKeyValueStore, IndexedDBStorageProvider, InvalidPassphraseError, JWKValidationError, KEY_MANAGER_FACTORY_BASE_TYPE, KEY_STORE_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, KeyInfo, KeyManagementHandler, KeyManagerFactory, KeyStore, KeyStoreFactory, KeyValidationError, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, LogLevel, LogLevelNames, MAX_SCOPE_NESTING_DEPTH, MemoryMetricsEmitter, NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NODE_LIKE_FACTORY_BASE_TYPE, NODE_PLACEMENT_STRATEGY_FACTORY_BASE_TYPE, NoOpMetricsEmitter, NoSecurityPolicy, NodeFactory, NodeIdentityPolicyFactory, NodeIdentityPolicyProfileFactory, NodePlacementStrategyFactory, NoneCredentialProvider, NoopEncryptionManager, NoopKeyValidator, NoopTrustStoreProvider, NotAuthorized, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN$1 as PROFILE_NAME_OPEN, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PROFILE_NAME_STRICT_OVERLAY, PromptCredentialProvider, QueueFullError, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, REQUIRED_FIELDS_BY_KTY, ReplicaStickinessManagerFactory, RootSessionManager, RouteManager, RpcMixin, RpcProxy, SEALED_ENVELOPE_NONCE_LENGTH, SEALED_ENVELOPE_OVERHEAD, SEALED_ENVELOPE_PRIVATE_KEY_LENGTH, SEALED_ENVELOPE_PUBLIC_KEY_LENGTH, SEALED_ENVELOPE_TAG_LENGTH, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SECURITY_MANAGER_FACTORY_BASE_TYPE, SECURITY_POLICY_FACTORY_BASE_TYPE, SQLiteKeyValueStore, SQLiteStorageProvider, STORAGE_PROVIDER_FACTORY_BASE_TYPE, SecretSource, SecretStoreCredentialProvider, SecureChannelFrameHandler, SecureChannelManagerFactory, SecurityAction, SecurityRequirements, Sentinel, SentinelFactory, SessionKeyCredentialProvider, SignaturePolicy, SigningConfig as SigningConfigClass, SigningConfiguration, SimpleLoadBalancerStickinessManager, SimpleLoadBalancerStickinessManagerFactory, StaticCredentialProvider, StorageAESEncryptionManager, TOKEN_ISSUER_FACTORY_BASE_TYPE, TOKEN_PROVIDER_FACTORY_BASE_TYPE, TOKEN_VERIFIER_FACTORY_BASE_TYPE, TRANSPORT_LISTENER_FACTORY_BASE_TYPE, TRANSPORT_PROVISIONER_FACTORY_BASE_TYPE, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TaskSpawner, TokenIssuerFactory, TokenProviderFactory, TokenSubjectNodeIdentityPolicy, TokenSubjectNodeIdentityPolicyFactory, TokenVerifierFactory, TransportListener, TransportListenerFactory, TransportProvisionerFactory, TrustStoreProviderFactory, TtlValidationError, UpstreamSessionManager, VALID_ACTIONS, VALID_CURVES_BY_KTY, VALID_EFFECTS, VALID_KEY_USES, VALID_ORIGIN_TYPES, VERSION, WEBSOCKET_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WebSocketCloseCode, WebSocketConnector, WebSocketListener, WebSocketState, WelcomeServiceFactory, _NoopFlowController, __runtimePluginLoader, addEnvelopeFields, addLogLevel, addTimestamp, assertConnectionGrant, assertGrant, assertNotRegexPattern, basicConfig, broadcastChannelGrantToConnectorConfig, camelToSnakeCase, canonicalJson, capitalizeFirstLetter, color, compareCryptoLevels, compileGlobOnlyScopeRequirement, compileGlobPattern, compilePattern, compileScopeRequirement, compiledPathPattern, consoleTransport, convertWildcardLogicalToDnsConstraint, createConnectorConfig, createEd25519Keypair, createHostLogicalUri, createJwksRouter, createLogicalUri, createNodeDeliveryContext, createApp as createOAuth2ServerApp, createOAuth2TokenRouter, createOpenIDConfigurationRouter, createResource, createRpcProxy, createRsaKeypair, createTransportCloseError, createX25519Keypair, credentialToString, currentTraceId$1 as currentTraceId, debounce, decodeBase64Url, decodeFameDataPayload, deepMerge, defaultJsonEncoder, delay, dropEmpty, enableLogging, encodeUtf8, ensureRuntimeFactoriesRegistered, evaluateScopeRequirement, extractId, extractPoolAddressBase, extractPoolBase, filterKeysByUse, formatTimestamp, formatTimestampForConsole$1 as formatTimestampForConsole, frameDigest, getCompiledGlobPattern, getCurrentEnvelope, getFabricForNode, getFameRoot, getHttpListenerInstance, getInPageListenerInstance, getKeyProvider, getKeyStore, getLogger, getWebsocketListenerInstance, hasCryptoSupport, hostnameToLogical, hostnamesToLogicals, httpGrantToConnectorConfig, immutableHeaders, inPageGrantToConnectorConfig, isAuthInjectionStrategy, isBroadcastChannelConnectionGrant, isConnectionGrant, isConnectorConfig, isEnvelopeLoggingEnabled, isFameError, isFameErrorType, isGrant, isHttpConnectionGrant, isIdentityExposingTokenProvider, isInPageConnectionGrant, isNodeLike, isPlainObject$4 as isPlainObject, isPoolAddress, isPoolLogical, isRegexPattern, isRegisterable, isTokenExpired, isTokenProvider, isTokenValid, isWebSocketConnectionGrant, jsonDumps, logicalPatternsToDnsConstraints, logicalToHostname, logicalsToHostnames, matchPattern, matchesPoolAddress, matchesPoolLogical, maybeAwait, nodeWelcomeRouter, nodeWelcomeRouterPlugin, normalizeBroadcastChannelConnectionGrant, normalizeEncryptionConfig, normalizeEnvelopeSnapshot, normalizeExtendedFameConfig, normalizeHttpConnectionGrant, normalizeInPageConnectionGrant, normalizeInboundCryptoRules, normalizeInboundSigningRules, normalizeOutboundCryptoRules, normalizeOutboundSigningRules, normalizePath, normalizeResponseCryptoRules, normalizeResponseSigningRules, normalizeScopeRequirement, normalizeSecretSource, normalizeSecurityRequirements, normalizeSigningConfig, normalizeWebSocketConnectionGrant, objectToBytes, operation, parseSealedEnvelope, pinoTransport, prettyModel$1 as prettyModel, registerDefaultFactories, registerDefaultKeyStoreFactory, registerNodePlacementStrategyFactory, registerRuntimeFactories, requireCryptoSupport, retryWithBackoff, main as runOAuth2Server, safeColor, safeImport, sealedDecrypt, sealedEncrypt, secureDigest, setKeyStore, showEnvelopes$1 as showEnvelopes, sleep, snakeToCamelCase, stringifyNonPrimitives, supportsColor, throttle, urlsafeBase64Decode, urlsafeBase64Encode, validateCacheTtlSec, validateEncryptionKey, validateHostLogical, validateHostLogicals, validateJwkComplete, validateJwkStructure, validateJwkUseField, validateJwtTokenTtlSec, validateKeyCorrelationTtlSec, validateLogical, validateLogicalSegment, validateOAuth2TtlSec, validateSigningKey, validateTtlSec, waitForAll, waitForAllSettled, waitForAny, websocketGrantToConnectorConfig, withEnvelopeContext, withEnvelopeContextAsync, withLegacySnakeCaseKeys, withLock, withTimeout };