npm - @bleedingdev/modern-js-create-request - Versions diffs - 3.2.0-ultramodern.120 → 3.2.0-ultramodern.121 - Mend

@bleedingdev/modern-js-create-request 3.2.0-ultramodern.120 → 3.2.0-ultramodern.121

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/cjs/browser.js +85 -214
package/dist/cjs/node.js +103 -224
package/dist/cjs/policyCore.js +275 -0
package/dist/cjs/requestContext.js +8 -20
package/dist/cjs/traceparent.js +56 -0
package/dist/esm/browser.mjs +37 -185
package/dist/esm/node.mjs +44 -184
package/dist/esm/policyCore.mjs +174 -0
package/dist/esm/requestContext.mjs +1 -12
package/dist/esm/traceparent.mjs +18 -0
package/dist/esm-node/browser.mjs +37 -185
package/dist/esm-node/node.mjs +44 -184
package/dist/esm-node/policyCore.mjs +175 -0
package/dist/esm-node/requestContext.mjs +1 -12
package/dist/esm-node/traceparent.mjs +19 -0
package/dist/types/browser.d.ts +3 -23
package/dist/types/node.d.ts +3 -23
package/dist/types/policyCore.d.ts +108 -0
package/dist/types/traceparent.d.ts +10 -0
package/dist/types/types.d.ts +2 -1
package/package.json +6 -5

package/dist/cjs/node.js CHANGED Viewed

@@ -3,9 +3,15 @@ var __webpack_modules__ = {
     "./handleRes" (module) {
         module.exports = require("./handleRes.js");
     },
+    "./policyCore" (module) {
+        module.exports = require("./policyCore.js");
+    },
     "./requestContext" (module) {
         module.exports = require("./requestContext.js");
     },
+    "./traceparent" (module) {
+        module.exports = require("./traceparent.js");
+    },
     "./transport" (module) {
         module.exports = require("./transport.js");
     },
@@ -76,12 +82,13 @@ var __webpack_exports__ = {};
     var path_to_regexp__rspack_import_1 = __webpack_require__("path-to-regexp");
     var qs__rspack_import_2 = __webpack_require__("qs");
     var _handleRes__rspack_import_3 = __webpack_require__("./handleRes");
-    var _transport__rspack_import_4 = __webpack_require__("./transport");
-    var _types__rspack_import_5 = __webpack_require__("./types");
-    var _utiles__rspack_import_6 = __webpack_require__("./utiles");
-    var _requestContext__rspack_import_7 = __webpack_require__("./requestContext");
+    var _policyCore__rspack_import_4 = __webpack_require__("./policyCore");
+    var _transport__rspack_import_5 = __webpack_require__("./transport");
+    var _types__rspack_import_6 = __webpack_require__("./types");
+    var _utiles__rspack_import_7 = __webpack_require__("./utiles");
+    var _requestContext__rspack_import_8 = __webpack_require__("./requestContext");
     var __rspack_reexport = {};
-    for(const __rspack_import_key in _requestContext__rspack_import_7)if ([
+    for(const __rspack_import_key in _requestContext__rspack_import_8)if ([
         "IdentityBindingViolationError",
         "configure",
         "OperationContractViolationError",
@@ -91,10 +98,11 @@ var __webpack_exports__ = {};
         "createUploader",
         "CrossOriginEnvelopePolicyError",
         "createRequest"
-    ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>_requestContext__rspack_import_7[__rspack_import_key];
+    ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>_requestContext__rspack_import_8[__rspack_import_key];
     __webpack_require__.d(__webpack_exports__, __rspack_reexport);
+    var _traceparent__rspack_import_9 = __webpack_require__("./traceparent");
     var __rspack_reexport = {};
-    for(const __rspack_import_key in _types__rspack_import_5)if ([
+    for(const __rspack_import_key in _traceparent__rspack_import_9)if ([
         "IdentityBindingViolationError",
         "configure",
         "OperationContractViolationError",
@@ -104,7 +112,20 @@ var __webpack_exports__ = {};
         "createUploader",
         "CrossOriginEnvelopePolicyError",
         "createRequest"
-    ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>_types__rspack_import_5[__rspack_import_key];
+    ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>_traceparent__rspack_import_9[__rspack_import_key];
+    __webpack_require__.d(__webpack_exports__, __rspack_reexport);
+    var __rspack_reexport = {};
+    for(const __rspack_import_key in _types__rspack_import_6)if ([
+        "IdentityBindingViolationError",
+        "configure",
+        "OperationContractViolationError",
+        "default",
+        "ProducerClientNotInitializedError",
+        "ProducerDomainNotConfiguredError",
+        "createUploader",
+        "CrossOriginEnvelopePolicyError",
+        "createRequest"
+    ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>_types__rspack_import_6[__rspack_import_key];
     __webpack_require__.d(__webpack_exports__, __rspack_reexport);
     const realRequest = new Map();
     const realAllowedHeaders = new Map();
@@ -115,163 +136,59 @@ var __webpack_exports__ = {};
     const realIdentityBinding = new Map();
     const realOperationContract = new Map();
     const domainMap = new Map();
-    const isEmptyDomain = (domain)=>'string' != typeof domain || '' === domain.trim();
-    const TRACEPARENT_HEADER = 'traceparent';
-    const OPERATION_CONTEXT_DETAIL_HEADER = _types__rspack_import_5.BFF_OPERATION_CONTEXT_DETAIL_HEADER;
-    const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
-    const isStrictDefaultRequestIdEnabled = ()=>'true' === process.env.MODERN_BFF_STRICT_DEFAULT_REQUEST_ID;
-    const isSecuredRequestId = (requestId)=>'default' !== requestId || isStrictDefaultRequestIdEnabled();
-    const firstHeaderValue = (value)=>Array.isArray(value) ? value[0] : value;
-    const findHeaderKey = (headers, header)=>{
-        const normalized = header.toLowerCase();
-        return Object.keys(headers).find((key)=>key.toLowerCase() === normalized);
-    };
-    const readHeader = (headers, header)=>{
-        const key = findHeaderKey(headers, header);
-        return 'string' == typeof key ? headers[key] : void 0;
-    };
-    const writeHeader = (headers, header, value)=>{
-        if (void 0 === value) return;
-        const key = findHeaderKey(headers, header);
-        if ('string' == typeof key && key !== header) delete headers[key];
-        headers[header] = value;
-    };
-    const deleteHeader = (headers, header)=>{
-        const key = findHeaderKey(headers, header);
-        if ('string' == typeof key) delete headers[key];
-    };
-    const toOrigin = (value)=>{
-        if (!value) return;
-        try {
-            return new URL(value).origin;
-        } catch (error) {
-            return;
-        }
-    };
-    const parseTraceparent = (value)=>{
-        const traceparent = firstHeaderValue(value);
-        if ('string' != typeof traceparent) return;
-        const match = traceparent.trim().match(TRACEPARENT_REGEX);
-        if (!match) return;
-        const [, traceId, spanId] = match;
-        if (!traceId || !spanId) return;
-        return {
-            traceId: traceId.toLowerCase(),
-            spanId: spanId.toLowerCase()
-        };
-    };
+    const OPERATION_CONTEXT_DETAIL_HEADER = _types__rspack_import_6.BFF_OPERATION_CONTEXT_DETAIL_HEADER;
     const resolveSourceOrigin = (headers)=>{
-        const origin = toOrigin(firstHeaderValue(headers.origin));
+        const origin = (0, _policyCore__rspack_import_4.toOrigin)((0, _policyCore__rspack_import_4.firstHeaderValue)(headers.origin));
         if (origin) return origin;
-        const referer = toOrigin(firstHeaderValue(headers.referer));
+        const referer = (0, _policyCore__rspack_import_4.toOrigin)((0, _policyCore__rspack_import_4.firstHeaderValue)(headers.referer));
         if (referer) return referer;
-        const host = firstHeaderValue(headers.host);
+        const host = (0, _policyCore__rspack_import_4.firstHeaderValue)(headers.host);
         if (!host) return;
-        const proto = firstHeaderValue(headers['x-forwarded-proto']) || 'http';
+        const proto = (0, _policyCore__rspack_import_4.firstHeaderValue)(headers['x-forwarded-proto']) || 'http';
         return `${proto}://${host}`;
     };
-    const extractPathParamNames = (path)=>Array.from(path.matchAll(/:([A-Za-z0-9_]+)/g)).map(([, key])=>key);
+    const readIncomingWebHeaders = ()=>{
+        try {
+            return _modern_js_runtime_utils_node__rspack_import_0.storage.useContext().headers || {};
+        } catch (error) {
+            return {};
+        }
+    };
     const originFetch = (...params)=>{
         const [, init] = params;
         if (init?.method?.toLowerCase() === 'get') init.body = void 0;
         return fetch(...params).then(_handleRes__rspack_import_3.handleRes);
     };
-    const buildOperationContext = ({ requestId, method, path, operationContext, traceparent })=>{
-        const routePath = operationContext?.routePath || path;
-        const operationMethod = (operationContext?.method || method || 'GET').toUpperCase();
-        const rawOperationId = operationContext?.operationId || `${operationMethod}:${routePath}`;
-        const operationId = rawOperationId.startsWith(`${requestId}:`) ? rawOperationId : `${requestId}:${rawOperationId}`;
-        const traceparentValue = operationContext?.traceparent || ('string' == typeof firstHeaderValue(traceparent) ? String(firstHeaderValue(traceparent)) : void 0);
-        const parsedTraceContext = operationContext?.traceId && operationContext?.spanId ? {
-            traceId: operationContext.traceId,
-            spanId: operationContext.spanId
-        } : parseTraceparent(traceparentValue);
-        return {
+    const attachEnvelopeHeaderIfRequired = (headers, requestId, url, webRequestHeaders)=>{
+        const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? (0, _policyCore__rspack_import_4.isSecuredRequestId)(requestId);
+        if (!shouldRequireEnvelope) return;
+        headers[_types__rspack_import_6.BFF_ENVELOPE_HEADER] = (0, _policyCore__rspack_import_4.buildEnvelopeHeaderValue)({
             requestId,
-            operationId,
-            routePath,
-            method: operationMethod,
-            ...operationContext?.schemaHash ? {
-                schemaHash: operationContext.schemaHash
-            } : {},
-            ...'number' == typeof operationContext?.operationVersion ? {
-                operationVersion: operationContext.operationVersion
-            } : {},
-            ...traceparentValue ? {
-                traceparent: traceparentValue
-            } : {},
-            ...parsedTraceContext ? {
-                traceId: parsedTraceContext.traceId,
-                spanId: parsedTraceContext.spanId
-            } : {}
-        };
-    };
-    class ProducerClientNotInitializedError extends Error {
-        constructor(requestId){
-            super(`Producer client "${requestId}" is not initialized. Call initProducerClient() (or configure()) before using generated APIs for this requestId.`), this.code = 'BFF_PRODUCER_CLIENT_NOT_INITIALIZED';
-            this.name = 'ProducerClientNotInitializedError';
-        }
-    }
-    class ProducerDomainNotConfiguredError extends Error {
-        constructor(requestId){
-            super(`Producer client "${requestId}" must provide setDomain() during configure().`), this.code = 'BFF_PRODUCER_DOMAIN_NOT_CONFIGURED';
-            this.name = 'ProducerDomainNotConfiguredError';
-        }
-    }
-    class CrossOriginEnvelopePolicyError extends Error {
-        constructor(requestId, sourceOrigin, targetOrigin){
-            super(`Cross-origin envelope is not allowed for producer "${requestId}" (${sourceOrigin || 'unknown-origin'} -> ${targetOrigin || 'unknown-origin'}). Configure allowCrossOriginEnvelope to explicitly allow this flow.`), this.code = 'BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED';
-            this.name = 'CrossOriginEnvelopePolicyError';
-        }
-    }
-    class IdentityBindingViolationError extends Error {
-        constructor(violation){
-            super(`Identity header "${violation.header}" for producer "${violation.requestId}" was rejected by server-derived identity binding.`), this.code = 'BFF_IDENTITY_BINDING_VIOLATION';
-            this.name = 'IdentityBindingViolationError';
-            this.violation = violation;
-        }
-    }
-    class OperationContractViolationError extends Error {
-        constructor(violation){
-            super(`Operation contract violation "${violation.reason}" for producer "${violation.requestId}" operation "${violation.operationId}".`), this.code = 'BFF_OPERATION_CONTRACT_VIOLATION';
-            this.name = 'OperationContractViolationError';
-            this.violation = violation;
-        }
-    }
-    const validateOperationContract = (requestId, contextPayload)=>{
-        const operationContract = realOperationContract.get(requestId);
-        const operationContractEnabled = operationContract?.enabled ?? isSecuredRequestId(requestId);
-        if (!operationContractEnabled) return;
-        const strict = operationContract?.strict ?? true;
-        const requireSchemaHash = operationContract?.requireSchemaHash ?? true;
-        const requireOperationVersion = operationContract?.requireOperationVersion ?? true;
-        const maybeReportViolation = (reason)=>{
-            const violation = {
-                requestId,
-                target: 'server',
-                operationId: contextPayload.operationId,
-                routePath: contextPayload.routePath,
-                method: contextPayload.method,
-                schemaHash: 'string' == typeof contextPayload.schemaHash ? contextPayload.schemaHash : void 0,
-                operationVersion: 'number' == typeof contextPayload.operationVersion ? contextPayload.operationVersion : void 0,
-                reason
-            };
-            operationContract?.onViolation?.(violation);
-            if (strict) throw new OperationContractViolationError(violation);
-        };
-        if (requireSchemaHash && 'string' != typeof contextPayload.schemaHash) maybeReportViolation('missing_schema_hash');
-        if (requireOperationVersion && 'number' != typeof contextPayload.operationVersion) maybeReportViolation('missing_operation_version');
+            target: 'server',
+            sourceOrigin: resolveSourceOrigin(webRequestHeaders),
+            targetOrigin: (0, _policyCore__rspack_import_4.toOrigin)(url),
+            traceContext: (0, _policyCore__rspack_import_4.parseTraceparentValue)((0, _policyCore__rspack_import_4.readHeader)(headers, _policyCore__rspack_import_4.TRACEPARENT_HEADER)),
+            allowCrossOriginEnvelope: realAllowCrossOriginEnvelope.get(requestId)
+        });
     };
-    const getConfiguredRequest = (requestId, fallback)=>{
-        const configuredRequest = realRequest.get(requestId);
-        if (configuredRequest) return configuredRequest;
-        if ('default' !== requestId) throw new ProducerClientNotInitializedError(requestId);
-        return fallback;
+    const attachSecuredOperationHeaders = (headers, requestId, method, path, operationContext)=>{
+        if (!(0, _policyCore__rspack_import_4.isSecuredRequestId)(requestId)) return;
+        (0, _policyCore__rspack_import_4.attachOperationContextHeaders)({
+            headers,
+            requestId,
+            target: 'server',
+            method,
+            path,
+            operationContext,
+            operationContract: realOperationContract.get(requestId),
+            operationContextHeader: _types__rspack_import_6.BFF_OPERATION_CONTEXT_HEADER,
+            operationContextDetailHeader: OPERATION_CONTEXT_DETAIL_HEADER
+        });
     };
     const configure = (options)=>{
         const { request, interceptor, allowedHeaders, resolveHeaders, transport, requireEnvelope, allowCrossOriginEnvelope, identityBinding, operationContract, setDomain, requestId = 'default' } = options;
         const hasExistingDomain = domainMap.has(requestId);
-        if ('default' !== requestId && !setDomain && !hasExistingDomain) throw new ProducerDomainNotConfiguredError(requestId);
+        if ('default' !== requestId && !setDomain && !hasExistingDomain) throw new _policyCore__rspack_import_4.ProducerDomainNotConfiguredError(requestId);
         let configuredRequest = request || originFetch;
         if (interceptor && !request) configuredRequest = interceptor(fetch);
         if (Array.isArray(allowedHeaders)) realAllowedHeaders.set(requestId, allowedHeaders);
@@ -286,7 +203,7 @@ var __webpack_exports__ = {};
                 target: 'server',
                 requestId
             });
-            if ('default' !== requestId && isEmptyDomain(resolvedDomain)) throw new ProducerDomainNotConfiguredError(requestId);
+            if ('default' !== requestId && (0, _policyCore__rspack_import_4.isEmptyDomain)(resolvedDomain)) throw new _policyCore__rspack_import_4.ProducerDomainNotConfiguredError(requestId);
             if ('string' == typeof resolvedDomain) domainMap.set(requestId, resolvedDomain);
         }
         realRequest.set(requestId, configuredRequest);
@@ -309,21 +226,16 @@ var __webpack_exports__ = {};
         const getFinalPath = (0, path_to_regexp__rspack_import_1.compile)(path, {
             encode: encodeURIComponent
         });
-        const keyNames = extractPathParamNames(path);
+        const keyNames = (0, _policyCore__rspack_import_4.extractPathParamNames)(path);
         const sender = (...args)=>{
-            const fetcher = getConfiguredRequest(requestId, fetch1);
-            let webRequestHeaders = {};
-            try {
-                webRequestHeaders = _modern_js_runtime_utils_node__rspack_import_0.storage.useContext().headers || {};
-            } catch (error) {
-                webRequestHeaders = {};
-            }
+            const fetcher = (0, _policyCore__rspack_import_4.resolveConfiguredRequest)(realRequest, requestId, fetch1);
+            const webRequestHeaders = readIncomingWebHeaders();
             let body;
             let headers;
             let url;
             if ('inputParams' === httpMethodDecider) {
                 const configDomain = domainMap.get(requestId);
-                if ('default' !== requestId && isEmptyDomain(configDomain)) throw new ProducerDomainNotConfiguredError(requestId);
+                if ('default' !== requestId && (0, _policyCore__rspack_import_4.isEmptyDomain)(configDomain)) throw new _policyCore__rspack_import_4.ProducerDomainNotConfiguredError(requestId);
                 url = `${configDomain || `http://127.0.0.1:${port}`}${path}`;
                 body = args;
                 headers = {
@@ -347,17 +259,17 @@ var __webpack_exports__ = {};
                     ...payload.headers
                 } : {};
                 const identityBinding = realIdentityBinding.get(requestId);
-                const identityBindingEnabled = identityBinding?.enabled ?? isSecuredRequestId(requestId);
-                const identityBindingStrict = identityBinding?.strict ?? isSecuredRequestId(requestId);
-                const protectedIdentityHeaders = (identityBinding?.protectedHeaders || _types__rspack_import_5.BFF_DEFAULT_PROTECTED_IDENTITY_HEADERS).map((header)=>header.toLowerCase());
+                const identityBindingEnabled = identityBinding?.enabled ?? (0, _policyCore__rspack_import_4.isSecuredRequestId)(requestId);
+                const identityBindingStrict = identityBinding?.strict ?? (0, _policyCore__rspack_import_4.isSecuredRequestId)(requestId);
+                const protectedIdentityHeaders = (identityBinding?.protectedHeaders || _types__rspack_import_6.BFF_DEFAULT_PROTECTED_IDENTITY_HEADERS).map((header)=>header.toLowerCase());
                 const targetAllowedHeaders = realAllowedHeaders.get(requestId) || [];
                 const forwardedHeaders = {};
                 for (const key of targetAllowedHeaders)if (void 0 !== webRequestHeaders[key]) forwardedHeaders[key] = webRequestHeaders[key];
                 if (identityBindingEnabled) {
                     const derivedIdentityHeaders = {};
                     for (const header of protectedIdentityHeaders){
-                        const incomingHeaderValue = readHeader(webRequestHeaders, header);
-                        if (void 0 !== incomingHeaderValue) writeHeader(derivedIdentityHeaders, header, incomingHeaderValue);
+                        const incomingHeaderValue = (0, _policyCore__rspack_import_4.readHeader)(webRequestHeaders, header);
+                        if (void 0 !== incomingHeaderValue) (0, _policyCore__rspack_import_4.writeHeader)(derivedIdentityHeaders, header, incomingHeaderValue);
                     }
                     const customDerivedHeaders = identityBinding?.deriveHeaders?.({
                         requestId,
@@ -370,26 +282,26 @@ var __webpack_exports__ = {};
                         ]
                     });
                     if (customDerivedHeaders && 'object' == typeof customDerivedHeaders) for (const header of protectedIdentityHeaders){
-                        const customValue = readHeader(customDerivedHeaders, header);
-                        if (void 0 !== customValue) writeHeader(derivedIdentityHeaders, header, customValue);
+                        const customValue = (0, _policyCore__rspack_import_4.readHeader)(customDerivedHeaders, header);
+                        if (void 0 !== customValue) (0, _policyCore__rspack_import_4.writeHeader)(derivedIdentityHeaders, header, customValue);
                     }
                     for (const header of protectedIdentityHeaders){
-                        const attemptedValue = readHeader(headers, header);
+                        const attemptedValue = (0, _policyCore__rspack_import_4.readHeader)(headers, header);
                         if (void 0 === attemptedValue) continue;
                         const violation = {
                             requestId,
                             target: 'server',
                             header,
                             attemptedValue,
-                            derivedValue: readHeader(derivedIdentityHeaders, header),
+                            derivedValue: (0, _policyCore__rspack_import_4.readHeader)(derivedIdentityHeaders, header),
                             reason: identityBindingStrict ? 'client_override_rejected' : 'client_override_blocked'
                         };
                         identityBinding?.onViolation?.(violation);
-                        if (identityBindingStrict) throw new IdentityBindingViolationError(violation);
-                        deleteHeader(headers, header);
+                        if (identityBindingStrict) throw new _policyCore__rspack_import_4.IdentityBindingViolationError(violation);
+                        (0, _policyCore__rspack_import_4.deleteHeader)(headers, header);
                     }
                     Object.keys(derivedIdentityHeaders).forEach((header)=>{
-                        writeHeader(forwardedHeaders, header, derivedIdentityHeaders[header]);
+                        (0, _policyCore__rspack_import_4.writeHeader)(forwardedHeaders, header, derivedIdentityHeaders[header]);
                     });
                 }
                 const resolveHeaders = realResolveHeaders.get(requestId);
@@ -421,57 +333,19 @@ var __webpack_exports__ = {};
                     body = 'object' == typeof payload.formUrlencoded ? (0, qs__rspack_import_2.stringify)(payload.formUrlencoded) : payload.formUrlencoded;
                 }
                 const configDomain = domainMap.get(requestId);
-                if ('default' !== requestId && isEmptyDomain(configDomain)) throw new ProducerDomainNotConfiguredError(requestId);
+                if ('default' !== requestId && (0, _policyCore__rspack_import_4.isEmptyDomain)(configDomain)) throw new _policyCore__rspack_import_4.ProducerDomainNotConfiguredError(requestId);
                 url = `${configDomain || `http://127.0.0.1:${port}`}${finalPath}`;
             }
-            if (void 0 === readHeader(headers, TRACEPARENT_HEADER)) {
-                const incomingTraceparent = firstHeaderValue(readHeader(webRequestHeaders, TRACEPARENT_HEADER));
-                if ('string' == typeof incomingTraceparent) writeHeader(headers, TRACEPARENT_HEADER, incomingTraceparent);
-            }
-            if (void 0 === readHeader(headers, TRACEPARENT_HEADER) && operationContext?.traceparent) writeHeader(headers, TRACEPARENT_HEADER, operationContext.traceparent);
-            const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
-            if (shouldRequireEnvelope) {
-                const sourceOrigin = resolveSourceOrigin(webRequestHeaders);
-                const targetOrigin = toOrigin(url);
-                const traceContext = parseTraceparent(readHeader(headers, TRACEPARENT_HEADER));
-                const isCrossOrigin = Boolean(sourceOrigin) && Boolean(targetOrigin) && sourceOrigin !== targetOrigin;
-                if (isCrossOrigin) {
-                    const policy = realAllowCrossOriginEnvelope.get(requestId);
-                    const isAllowed = 'function' == typeof policy ? policy({
-                        requestId,
-                        sourceOrigin,
-                        targetOrigin,
-                        target: 'server'
-                    }) : true === policy;
-                    if (!isAllowed) throw new CrossOriginEnvelopePolicyError(requestId, sourceOrigin, targetOrigin);
-                }
-                headers[_types__rspack_import_5.BFF_ENVELOPE_HEADER] = JSON.stringify({
-                    requestId,
-                    target: 'server',
-                    timestamp: Date.now(),
-                    sourceOrigin,
-                    targetOrigin,
-                    ...traceContext ? {
-                        traceId: traceContext.traceId,
-                        spanId: traceContext.spanId
-                    } : {}
-                });
-            }
-            if (isSecuredRequestId(requestId)) {
-                const contextPayload = buildOperationContext({
-                    requestId,
-                    method,
-                    path,
-                    operationContext,
-                    traceparent: readHeader(headers, TRACEPARENT_HEADER)
-                });
-                validateOperationContract(requestId, contextPayload);
-                if (void 0 === readHeader(headers, _types__rspack_import_5.BFF_OPERATION_CONTEXT_HEADER)) writeHeader(headers, _types__rspack_import_5.BFF_OPERATION_CONTEXT_HEADER, contextPayload.operationId);
-                writeHeader(headers, OPERATION_CONTEXT_DETAIL_HEADER, JSON.stringify(contextPayload));
+            if (void 0 === (0, _policyCore__rspack_import_4.readHeader)(headers, _policyCore__rspack_import_4.TRACEPARENT_HEADER)) {
+                const incomingTraceparent = (0, _policyCore__rspack_import_4.firstHeaderValue)((0, _policyCore__rspack_import_4.readHeader)(webRequestHeaders, _policyCore__rspack_import_4.TRACEPARENT_HEADER));
+                if ('string' == typeof incomingTraceparent) (0, _policyCore__rspack_import_4.writeHeader)(headers, _policyCore__rspack_import_4.TRACEPARENT_HEADER, incomingTraceparent);
             }
+            if (void 0 === (0, _policyCore__rspack_import_4.readHeader)(headers, _policyCore__rspack_import_4.TRACEPARENT_HEADER) && operationContext?.traceparent) (0, _policyCore__rspack_import_4.writeHeader)(headers, _policyCore__rspack_import_4.TRACEPARENT_HEADER, operationContext.traceparent);
+            attachEnvelopeHeaderIfRequired(headers, requestId, url, webRequestHeaders);
+            attachSecuredOperationHeaders(headers, requestId, method, path, operationContext);
             if ('get' === method.toLowerCase()) body = void 0;
             headers.accept = "application/json,*/*;q=0.8";
-            return (0, _transport__rspack_import_4.executeWithResilience)({
+            return (0, _transport__rspack_import_5.executeWithResilience)({
                 requestId,
                 target: 'server',
                 method,
@@ -487,12 +361,17 @@ var __webpack_exports__ = {};
         };
         return sender;
     };
-    const createUploader = ({ path, requestId = 'default' })=>{
+    const createUploader = ({ path, requestId = 'default', operationContext })=>{
         const sender = (...args)=>{
-            const fetcher = getConfiguredRequest(requestId, originFetch);
-            const { body, headers } = (0, _utiles__rspack_import_6.getUploadPayload)(args);
+            const fetcher = (0, _policyCore__rspack_import_4.resolveConfiguredRequest)(realRequest, requestId, originFetch);
+            const { body, headers: uploadHeaders } = (0, _utiles__rspack_import_7.getUploadPayload)(args);
+            const headers = {
+                ...uploadHeaders
+            };
             const configDomain = domainMap.get(requestId);
             const finalURL = `${configDomain || ''}${path}`;
+            attachEnvelopeHeaderIfRequired(headers, requestId, finalURL, readIncomingWebHeaders());
+            attachSecuredOperationHeaders(headers, requestId, 'POST', path, operationContext);
             return fetcher(finalURL, {
                 method: 'POST',
                 body,
@@ -502,11 +381,11 @@ var __webpack_exports__ = {};
         return sender;
     };
     __webpack_require__.d(__webpack_exports__, {
-        CrossOriginEnvelopePolicyError: ()=>CrossOriginEnvelopePolicyError,
-        IdentityBindingViolationError: ()=>IdentityBindingViolationError,
-        OperationContractViolationError: ()=>OperationContractViolationError,
-        ProducerClientNotInitializedError: ()=>ProducerClientNotInitializedError,
-        ProducerDomainNotConfiguredError: ()=>ProducerDomainNotConfiguredError
+        CrossOriginEnvelopePolicyError: ()=>_policyCore__rspack_import_4.CrossOriginEnvelopePolicyError,
+        IdentityBindingViolationError: ()=>_policyCore__rspack_import_4.IdentityBindingViolationError,
+        OperationContractViolationError: ()=>_policyCore__rspack_import_4.OperationContractViolationError,
+        ProducerClientNotInitializedError: ()=>_policyCore__rspack_import_4.ProducerClientNotInitializedError,
+        ProducerDomainNotConfiguredError: ()=>_policyCore__rspack_import_4.ProducerDomainNotConfiguredError
     }, {
         configure: configure,
         createRequest: createRequest,