@bleedingdev/modern-js-create-request 3.2.0-ultramodern.120 → 3.2.0-ultramodern.122

package/dist/cjs/policyCore.js

@@ -0,0 +1,275 @@
+"use strict";
+var __webpack_require__ = {};
+(()=>{
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
+    };
+})();
+(()=>{
+    __webpack_require__.o = (obj, prop)=>Object.prototype.hasOwnProperty.call(obj, prop);
+})();
+(()=>{
+    __webpack_require__.r = (exports1)=>{
+        if ("u" > typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
+            value: 'Module'
+        });
+        Object.defineProperty(exports1, '__esModule', {
+            value: true
+        });
+    };
+})();
+var __webpack_exports__ = {};
+__webpack_require__.r(__webpack_exports__);
+__webpack_require__.d(__webpack_exports__, {
+    CrossOriginEnvelopePolicyError: ()=>CrossOriginEnvelopePolicyError,
+    IdentityBindingViolationError: ()=>IdentityBindingViolationError,
+    OperationContractViolationError: ()=>OperationContractViolationError,
+    ProducerClientNotInitializedError: ()=>ProducerClientNotInitializedError,
+    ProducerDomainNotConfiguredError: ()=>ProducerDomainNotConfiguredError,
+    TRACEPARENT_HEADER: ()=>TRACEPARENT_HEADER,
+    attachOperationContextHeaders: ()=>attachOperationContextHeaders,
+    buildEnvelopeHeaderValue: ()=>buildEnvelopeHeaderValue,
+    buildOperationContext: ()=>buildOperationContext,
+    deleteHeader: ()=>deleteHeader,
+    extractPathParamNames: ()=>extractPathParamNames,
+    findHeaderKey: ()=>findHeaderKey,
+    firstHeaderValue: ()=>firstHeaderValue,
+    isEmptyDomain: ()=>isEmptyDomain,
+    isSecuredRequestId: ()=>isSecuredRequestId,
+    isStrictDefaultRequestIdEnabled: ()=>isStrictDefaultRequestIdEnabled,
+    parseTraceparentValue: ()=>parseTraceparentValue,
+    readHeader: ()=>readHeader,
+    resolveConfiguredRequest: ()=>resolveConfiguredRequest,
+    toOrigin: ()=>toOrigin,
+    validateOperationContract: ()=>validateOperationContract,
+    writeHeader: ()=>writeHeader
+});
+const external_traceparent_js_namespaceObject = require("./traceparent.js");
+const TRACEPARENT_HEADER = 'traceparent';
+const readProcessEnv = (key)=>{
+    if ("u" < typeof process || void 0 === process.env || 'string' != typeof process.env[key]) return;
+    return process.env[key];
+};
+const isStrictDefaultRequestIdEnabled = ()=>'true' === readProcessEnv('MODERN_BFF_STRICT_DEFAULT_REQUEST_ID');
+const isSecuredRequestId = (requestId)=>'default' !== requestId || isStrictDefaultRequestIdEnabled();
+const isEmptyDomain = (domain)=>'string' != typeof domain || '' === domain.trim();
+const firstHeaderValue = (value)=>Array.isArray(value) ? value[0] : value;
+const findHeaderKey = (headers, header)=>{
+    const normalized = header.toLowerCase();
+    return Object.keys(headers).find((key)=>key.toLowerCase() === normalized);
+};
+const readHeader = (headers, header)=>{
+    const key = findHeaderKey(headers, header);
+    return 'string' == typeof key ? headers[key] : void 0;
+};
+const writeHeader = (headers, header, value)=>{
+    if (void 0 === value) return;
+    const key = findHeaderKey(headers, header);
+    if ('string' == typeof key && key !== header) delete headers[key];
+    headers[header] = value;
+};
+const deleteHeader = (headers, header)=>{
+    const key = findHeaderKey(headers, header);
+    if ('string' == typeof key) delete headers[key];
+};
+const toOrigin = (value)=>{
+    if (!value) return;
+    try {
+        return new URL(value).origin;
+    } catch (error) {
+        return;
+    }
+};
+const parseTraceparentValue = (value)=>(0, external_traceparent_js_namespaceObject.parseTraceparent)(firstHeaderValue(value));
+const extractPathParamNames = (path)=>Array.from(path.matchAll(/:([A-Za-z0-9_]+)/g)).flatMap(([, key])=>key ? [
+            key
+        ] : []);
+const buildOperationContext = ({ requestId, method, path, operationContext, traceparent })=>{
+    const routePath = operationContext?.routePath || path;
+    const operationMethod = (operationContext?.method || method || 'GET').toUpperCase();
+    const rawOperationId = operationContext?.operationId || `${operationMethod}:${routePath}`;
+    const operationId = rawOperationId.startsWith(`${requestId}:`) ? rawOperationId : `${requestId}:${rawOperationId}`;
+    const traceparentValue = operationContext?.traceparent || ('string' == typeof firstHeaderValue(traceparent) ? String(firstHeaderValue(traceparent)) : void 0);
+    const parsedTraceContext = operationContext?.traceId && operationContext?.spanId ? {
+        traceId: operationContext.traceId,
+        spanId: operationContext.spanId
+    } : parseTraceparentValue(traceparentValue);
+    return {
+        requestId,
+        operationId,
+        routePath,
+        method: operationMethod,
+        ...operationContext?.schemaHash ? {
+            schemaHash: operationContext.schemaHash
+        } : {},
+        ...'number' == typeof operationContext?.operationVersion ? {
+            operationVersion: operationContext.operationVersion
+        } : {},
+        ...traceparentValue ? {
+            traceparent: traceparentValue
+        } : {},
+        ...parsedTraceContext ? {
+            traceId: parsedTraceContext.traceId,
+            spanId: parsedTraceContext.spanId
+        } : {}
+    };
+};
+class ProducerClientNotInitializedError extends Error {
+    constructor(requestId){
+        super(`Producer client "${requestId}" is not initialized. Call initProducerClient() (or configure()) before using generated APIs for this requestId.`), this.code = 'BFF_PRODUCER_CLIENT_NOT_INITIALIZED';
+        this.name = 'ProducerClientNotInitializedError';
+    }
+}
+class ProducerDomainNotConfiguredError extends Error {
+    constructor(requestId){
+        super(`Producer client "${requestId}" must provide setDomain() during configure().`), this.code = 'BFF_PRODUCER_DOMAIN_NOT_CONFIGURED';
+        this.name = 'ProducerDomainNotConfiguredError';
+    }
+}
+class CrossOriginEnvelopePolicyError extends Error {
+    constructor(requestId, sourceOrigin, targetOrigin){
+        super(`Cross-origin envelope is not allowed for producer "${requestId}" (${sourceOrigin || 'unknown-origin'} -> ${targetOrigin || 'unknown-origin'}). Configure allowCrossOriginEnvelope to explicitly allow this flow.`), this.code = 'BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED';
+        this.name = 'CrossOriginEnvelopePolicyError';
+    }
+}
+class IdentityBindingViolationError extends Error {
+    constructor(violation){
+        super(`Identity header "${violation.header}" for producer "${violation.requestId}" was rejected by server-derived identity binding.`), this.code = 'BFF_IDENTITY_BINDING_VIOLATION';
+        this.name = 'IdentityBindingViolationError';
+        this.violation = violation;
+    }
+}
+class OperationContractViolationError extends Error {
+    constructor(violation){
+        super(`Operation contract violation "${violation.reason}" for producer "${violation.requestId}" operation "${violation.operationId}".`), this.code = 'BFF_OPERATION_CONTRACT_VIOLATION';
+        this.name = 'OperationContractViolationError';
+        this.violation = violation;
+    }
+}
+const validateOperationContract = ({ requestId, target, contextPayload, operationContract })=>{
+    const operationContractEnabled = operationContract?.enabled ?? isSecuredRequestId(requestId);
+    if (!operationContractEnabled) return;
+    const strict = operationContract?.strict ?? true;
+    const requireSchemaHash = operationContract?.requireSchemaHash ?? true;
+    const requireOperationVersion = operationContract?.requireOperationVersion ?? true;
+    const maybeReportViolation = (reason)=>{
+        const violation = {
+            requestId,
+            target,
+            operationId: contextPayload.operationId,
+            routePath: contextPayload.routePath,
+            method: contextPayload.method,
+            schemaHash: 'string' == typeof contextPayload.schemaHash ? contextPayload.schemaHash : void 0,
+            operationVersion: 'number' == typeof contextPayload.operationVersion ? contextPayload.operationVersion : void 0,
+            reason
+        };
+        operationContract?.onViolation?.(violation);
+        if (strict) throw new OperationContractViolationError(violation);
+    };
+    if (requireSchemaHash && 'string' != typeof contextPayload.schemaHash) maybeReportViolation('missing_schema_hash');
+    if (requireOperationVersion && 'number' != typeof contextPayload.operationVersion) maybeReportViolation('missing_operation_version');
+};
+const resolveConfiguredRequest = (configuredRequests, requestId, fallback)=>{
+    const configuredRequest = configuredRequests.get(requestId);
+    if (configuredRequest) return configuredRequest;
+    if ('default' !== requestId) throw new ProducerClientNotInitializedError(requestId);
+    return fallback;
+};
+const buildEnvelopeHeaderValue = ({ requestId, target, sourceOrigin, targetOrigin, traceContext, allowCrossOriginEnvelope })=>{
+    const isCrossOrigin = Boolean(sourceOrigin) && Boolean(targetOrigin) && sourceOrigin !== targetOrigin;
+    if (isCrossOrigin) {
+        const isAllowed = 'function' == typeof allowCrossOriginEnvelope ? allowCrossOriginEnvelope({
+            requestId,
+            sourceOrigin,
+            targetOrigin,
+            target
+        }) : true === allowCrossOriginEnvelope;
+        if (!isAllowed) throw new CrossOriginEnvelopePolicyError(requestId, sourceOrigin, targetOrigin);
+    }
+    return JSON.stringify({
+        requestId,
+        target,
+        timestamp: Date.now(),
+        sourceOrigin,
+        targetOrigin,
+        ...traceContext ? {
+            traceId: traceContext.traceId,
+            spanId: traceContext.spanId
+        } : {}
+    });
+};
+const attachOperationContextHeaders = ({ headers, requestId, target, method, path, operationContext, operationContract, operationContextHeader, operationContextDetailHeader })=>{
+    if (void 0 === readHeader(headers, TRACEPARENT_HEADER) && operationContext?.traceparent) writeHeader(headers, TRACEPARENT_HEADER, operationContext.traceparent);
+    const contextPayload = buildOperationContext({
+        requestId,
+        method,
+        path,
+        operationContext,
+        traceparent: readHeader(headers, TRACEPARENT_HEADER)
+    });
+    validateOperationContract({
+        requestId,
+        target,
+        contextPayload,
+        operationContract
+    });
+    if (void 0 === readHeader(headers, operationContextHeader)) writeHeader(headers, operationContextHeader, contextPayload.operationId);
+    writeHeader(headers, operationContextDetailHeader, JSON.stringify(contextPayload));
+    return contextPayload;
+};
+exports.CrossOriginEnvelopePolicyError = __webpack_exports__.CrossOriginEnvelopePolicyError;
+exports.IdentityBindingViolationError = __webpack_exports__.IdentityBindingViolationError;
+exports.OperationContractViolationError = __webpack_exports__.OperationContractViolationError;
+exports.ProducerClientNotInitializedError = __webpack_exports__.ProducerClientNotInitializedError;
+exports.ProducerDomainNotConfiguredError = __webpack_exports__.ProducerDomainNotConfiguredError;
+exports.TRACEPARENT_HEADER = __webpack_exports__.TRACEPARENT_HEADER;
+exports.attachOperationContextHeaders = __webpack_exports__.attachOperationContextHeaders;
+exports.buildEnvelopeHeaderValue = __webpack_exports__.buildEnvelopeHeaderValue;
+exports.buildOperationContext = __webpack_exports__.buildOperationContext;
+exports.deleteHeader = __webpack_exports__.deleteHeader;
+exports.extractPathParamNames = __webpack_exports__.extractPathParamNames;
+exports.findHeaderKey = __webpack_exports__.findHeaderKey;
+exports.firstHeaderValue = __webpack_exports__.firstHeaderValue;
+exports.isEmptyDomain = __webpack_exports__.isEmptyDomain;
+exports.isSecuredRequestId = __webpack_exports__.isSecuredRequestId;
+exports.isStrictDefaultRequestIdEnabled = __webpack_exports__.isStrictDefaultRequestIdEnabled;
+exports.parseTraceparentValue = __webpack_exports__.parseTraceparentValue;
+exports.readHeader = __webpack_exports__.readHeader;
+exports.resolveConfiguredRequest = __webpack_exports__.resolveConfiguredRequest;
+exports.toOrigin = __webpack_exports__.toOrigin;
+exports.validateOperationContract = __webpack_exports__.validateOperationContract;
+exports.writeHeader = __webpack_exports__.writeHeader;
+for(var __rspack_i in __webpack_exports__)if (-1 === [
+    "CrossOriginEnvelopePolicyError",
+    "IdentityBindingViolationError",
+    "OperationContractViolationError",
+    "ProducerClientNotInitializedError",
+    "ProducerDomainNotConfiguredError",
+    "TRACEPARENT_HEADER",
+    "attachOperationContextHeaders",
+    "buildEnvelopeHeaderValue",
+    "buildOperationContext",
+    "deleteHeader",
+    "extractPathParamNames",
+    "findHeaderKey",
+    "firstHeaderValue",
+    "isEmptyDomain",
+    "isSecuredRequestId",
+    "isStrictDefaultRequestIdEnabled",
+    "parseTraceparentValue",
+    "readHeader",
+    "resolveConfiguredRequest",
+    "toOrigin",
+    "validateOperationContract",
+    "writeHeader"
+].indexOf(__rspack_i)) exports[__rspack_i] = __webpack_exports__[__rspack_i];
+Object.defineProperty(exports, '__esModule', {
+    value: true
+});

package/dist/cjs/requestContext.js

@@ -27,9 +27,15 @@ var __webpack_require__ = {};
 })();
 var __webpack_exports__ = {};
 __webpack_require__.r(__webpack_exports__);
+__webpack_require__.d(__webpack_exports__, {
+    BFF_LOCALE_HEADER: ()=>BFF_LOCALE_HEADER,
+    BFF_TRACEPARENT_HEADER: ()=>BFF_TRACEPARENT_HEADER,
+    createRequestContextHeaders: ()=>createRequestContextHeaders,
+    createRequestContextSnapshot: ()=>createRequestContextSnapshot
+});
+const external_traceparent_js_namespaceObject = require("./traceparent.js");
 const BFF_LOCALE_HEADER = 'accept-language';
 const BFF_TRACEPARENT_HEADER = 'traceparent';
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
 const readHeader = (headers, header)=>{
     if (!headers) return;
     const normalized = header.toLowerCase();
@@ -39,17 +45,6 @@ const readHeader = (headers, header)=>{
     return Array.isArray(value) ? value[0] : value;
 };
 const readString = (value)=>'string' == typeof value && value.length > 0 ? value : void 0;
-function parseTraceparent(traceparent) {
-    if (!traceparent) return;
-    const match = traceparent.trim().match(TRACEPARENT_REGEX);
-    if (!match) return;
-    const [, traceId, spanId] = match;
-    if (!traceId || !spanId) return;
-    return {
-        traceId: traceId.toLowerCase(),
-        spanId: spanId.toLowerCase()
-    };
-}
 function createOperationContextSnapshot(operationContext, safeContext) {
     if (!operationContext) return;
     const snapshot = {
@@ -75,7 +70,7 @@ function createRequestContextSnapshot(input = {}) {
     const parsedTraceparent = input.operationContext?.traceId && input.operationContext?.spanId ? {
         traceId: input.operationContext.traceId,
         spanId: input.operationContext.spanId
-    } : parseTraceparent(traceparent);
+    } : (0, external_traceparent_js_namespaceObject.parseTraceparent)(traceparent);
     const headers = {};
     if (locale) headers[BFF_LOCALE_HEADER] = locale;
     if (traceparent) headers[BFF_TRACEPARENT_HEADER] = traceparent;
@@ -111,13 +106,6 @@ function createRequestContextSnapshot(input = {}) {
 function createRequestContextHeaders(input = {}) {
     return createRequestContextSnapshot(input).headers;
 }
-__webpack_require__.d(__webpack_exports__, {
-    createRequestContextHeaders: ()=>createRequestContextHeaders,
-    createRequestContextSnapshot: ()=>createRequestContextSnapshot
-}, {
-    BFF_LOCALE_HEADER: BFF_LOCALE_HEADER,
-    BFF_TRACEPARENT_HEADER: BFF_TRACEPARENT_HEADER
-});
 exports.BFF_LOCALE_HEADER = __webpack_exports__.BFF_LOCALE_HEADER;
 exports.BFF_TRACEPARENT_HEADER = __webpack_exports__.BFF_TRACEPARENT_HEADER;
 exports.createRequestContextHeaders = __webpack_exports__.createRequestContextHeaders;

package/dist/cjs/traceparent.js

@@ -0,0 +1,56 @@
+"use strict";
+var __webpack_require__ = {};
+(()=>{
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
+    };
+})();
+(()=>{
+    __webpack_require__.o = (obj, prop)=>Object.prototype.hasOwnProperty.call(obj, prop);
+})();
+(()=>{
+    __webpack_require__.r = (exports1)=>{
+        if ("u" > typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
+            value: 'Module'
+        });
+        Object.defineProperty(exports1, '__esModule', {
+            value: true
+        });
+    };
+})();
+var __webpack_exports__ = {};
+__webpack_require__.r(__webpack_exports__);
+const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/i;
+const isAllZeroHex = (value)=>/^0+$/.test(value);
+function parseTraceparent(traceparent) {
+    if (!traceparent) return;
+    const match = traceparent.trim().match(TRACEPARENT_REGEX);
+    if (!match) return;
+    const [, rawTraceId, rawSpanId, rawFlags] = match;
+    if (!rawTraceId || !rawSpanId || !rawFlags) return;
+    const traceId = rawTraceId.toLowerCase();
+    const spanId = rawSpanId.toLowerCase();
+    if (isAllZeroHex(traceId) || isAllZeroHex(spanId)) return;
+    return {
+        traceId,
+        spanId,
+        sampled: (0x1 & Number.parseInt(rawFlags, 16)) === 1
+    };
+}
+__webpack_require__.d(__webpack_exports__, {
+    parseTraceparent: ()=>parseTraceparent
+});
+exports.parseTraceparent = __webpack_exports__.parseTraceparent;
+for(var __rspack_i in __webpack_exports__)if (-1 === [
+    "parseTraceparent"
+].indexOf(__rspack_i)) exports[__rspack_i] = __webpack_exports__[__rspack_i];
+Object.defineProperty(exports, '__esModule', {
+    value: true
+});

package/dist/esm/browser.mjs

@@ -1,10 +1,12 @@
 import { compile } from "path-to-regexp";
 import { stringify } from "qs";
 import { handleRes } from "./handleRes.mjs";
+import { CrossOriginEnvelopePolicyError, IdentityBindingViolationError, OperationContractViolationError, ProducerClientNotInitializedError, ProducerDomainNotConfiguredError, TRACEPARENT_HEADER, attachOperationContextHeaders, buildEnvelopeHeaderValue, deleteHeader, extractPathParamNames, isEmptyDomain, isSecuredRequestId, parseTraceparentValue, readHeader, resolveConfiguredRequest, toOrigin, writeHeader } from "./policyCore.mjs";
 import { executeWithResilience } from "./transport.mjs";
 import { BFF_DEFAULT_PROTECTED_IDENTITY_HEADERS, BFF_ENVELOPE_HEADER, BFF_OPERATION_CONTEXT_DETAIL_HEADER, BFF_OPERATION_CONTEXT_HEADER } from "./types.mjs";
 import { getUploadPayload } from "./utiles.mjs";
 export * from "./requestContext.mjs";
+export * from "./traceparent.mjs";
 export * from "./types.mjs";
 const realRequest = new Map();
 const realAllowedHeaders = new Map();
@@ -14,154 +16,38 @@ const realTransportResilience = new Map();
 const realIdentityBinding = new Map();
 const realOperationContract = new Map();
 const domainMap = new Map();
-const isEmptyDomain = (domain)=>'string' != typeof domain || '' === domain.trim();
-const TRACEPARENT_HEADER = 'traceparent';
 const OPERATION_CONTEXT_DETAIL_HEADER = BFF_OPERATION_CONTEXT_DETAIL_HEADER;
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
-const readProcessEnv = (key)=>{
-    if ("u" < typeof process || void 0 === process.env || 'string' != typeof process.env[key]) return;
-    return process.env[key];
-};
-const isStrictDefaultRequestIdEnabled = ()=>'true' === readProcessEnv('MODERN_BFF_STRICT_DEFAULT_REQUEST_ID');
-const isSecuredRequestId = (requestId)=>'default' !== requestId || isStrictDefaultRequestIdEnabled();
-const firstHeaderValue = (value)=>Array.isArray(value) ? value[0] : value;
-const findHeaderKey = (headers, header)=>{
-    const normalized = header.toLowerCase();
-    return Object.keys(headers).find((key)=>key.toLowerCase() === normalized);
-};
-const readHeader = (headers, header)=>{
-    const key = findHeaderKey(headers, header);
-    return 'string' == typeof key ? headers[key] : void 0;
-};
-const writeHeader = (headers, header, value)=>{
-    if (void 0 === value) return;
-    const key = findHeaderKey(headers, header);
-    if ('string' == typeof key && key !== header) delete headers[key];
-    headers[header] = value;
-};
-const deleteHeader = (headers, header)=>{
-    const key = findHeaderKey(headers, header);
-    if ('string' == typeof key) delete headers[key];
-};
-const toOrigin = (value)=>{
-    if (!value) return;
-    try {
-        return new URL(value).origin;
-    } catch (error) {
-        return;
-    }
-};
-const parseTraceparent = (value)=>{
-    const traceparent = firstHeaderValue(value);
-    if ('string' != typeof traceparent) return;
-    const match = traceparent.trim().match(TRACEPARENT_REGEX);
-    if (!match) return;
-    const [, traceId, spanId] = match;
-    if (!traceId || !spanId) return;
-    return {
-        traceId: traceId.toLowerCase(),
-        spanId: spanId.toLowerCase()
-    };
-};
-const extractPathParamNames = (path)=>Array.from(path.matchAll(/:([A-Za-z0-9_]+)/g)).flatMap(([, key])=>key ? [
-            key
-        ] : []);
+const resolveBrowserOrigin = ()=>"u" > typeof window ? window.location.origin : void 0;
 const originFetch = (...params)=>{
     const [url, init] = params;
     if (init?.method?.toLowerCase() === 'get') init.body = void 0;
     return fetch(url, init).then(handleRes);
 };
-const buildOperationContext = ({ requestId, method, path, operationContext, traceparent })=>{
-    const routePath = operationContext?.routePath || path;
-    const operationMethod = (operationContext?.method || method || 'GET').toUpperCase();
-    const rawOperationId = operationContext?.operationId || `${operationMethod}:${routePath}`;
-    const operationId = rawOperationId.startsWith(`${requestId}:`) ? rawOperationId : `${requestId}:${rawOperationId}`;
-    const traceparentValue = operationContext?.traceparent || ('string' == typeof firstHeaderValue(traceparent) ? String(firstHeaderValue(traceparent)) : void 0);
-    const parsedTraceContext = operationContext?.traceId && operationContext?.spanId ? {
-        traceId: operationContext.traceId,
-        spanId: operationContext.spanId
-    } : parseTraceparent(traceparentValue);
-    return {
+const attachEnvelopeHeaderIfRequired = (headers, requestId, finalURL)=>{
+    const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
+    if (!shouldRequireEnvelope) return;
+    headers[BFF_ENVELOPE_HEADER] = buildEnvelopeHeaderValue({
         requestId,
-        operationId,
-        routePath,
-        method: operationMethod,
-        ...operationContext?.schemaHash ? {
-            schemaHash: operationContext.schemaHash
-        } : {},
-        ...'number' == typeof operationContext?.operationVersion ? {
-            operationVersion: operationContext.operationVersion
-        } : {},
-        ...traceparentValue ? {
-            traceparent: traceparentValue
-        } : {},
-        ...parsedTraceContext ? {
-            traceId: parsedTraceContext.traceId,
-            spanId: parsedTraceContext.spanId
-        } : {}
-    };
-};
-class ProducerClientNotInitializedError extends Error {
-    constructor(requestId){
-        super(`Producer client "${requestId}" is not initialized. Call initProducerClient() (or configure()) before using generated APIs for this requestId.`), this.code = 'BFF_PRODUCER_CLIENT_NOT_INITIALIZED';
-        this.name = 'ProducerClientNotInitializedError';
-    }
-}
-class ProducerDomainNotConfiguredError extends Error {
-    constructor(requestId){
-        super(`Producer client "${requestId}" must provide setDomain() during configure().`), this.code = 'BFF_PRODUCER_DOMAIN_NOT_CONFIGURED';
-        this.name = 'ProducerDomainNotConfiguredError';
-    }
-}
-class CrossOriginEnvelopePolicyError extends Error {
-    constructor(requestId, sourceOrigin, targetOrigin){
-        super(`Cross-origin envelope is not allowed for producer "${requestId}" (${sourceOrigin || 'unknown-origin'} -> ${targetOrigin || 'unknown-origin'}). Configure allowCrossOriginEnvelope to explicitly allow this flow.`), this.code = 'BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED';
-        this.name = 'CrossOriginEnvelopePolicyError';
-    }
-}
-class IdentityBindingViolationError extends Error {
-    constructor(violation){
-        super(`Identity header "${violation.header}" for producer "${violation.requestId}" was rejected by server-derived identity binding.`), this.code = 'BFF_IDENTITY_BINDING_VIOLATION';
-        this.name = 'IdentityBindingViolationError';
-        this.violation = violation;
-    }
-}
-class OperationContractViolationError extends Error {
-    constructor(violation){
-        super(`Operation contract violation "${violation.reason}" for producer "${violation.requestId}" operation "${violation.operationId}".`), this.code = 'BFF_OPERATION_CONTRACT_VIOLATION';
-        this.name = 'OperationContractViolationError';
-        this.violation = violation;
-    }
-}
-const validateOperationContract = (requestId, contextPayload)=>{
-    const operationContract = realOperationContract.get(requestId);
-    const operationContractEnabled = operationContract?.enabled ?? isSecuredRequestId(requestId);
-    if (!operationContractEnabled) return;
-    const strict = operationContract?.strict ?? true;
-    const requireSchemaHash = operationContract?.requireSchemaHash ?? true;
-    const requireOperationVersion = operationContract?.requireOperationVersion ?? true;
-    const maybeReportViolation = (reason)=>{
-        const violation = {
-            requestId,
-            target: 'browser',
-            operationId: contextPayload.operationId,
-            routePath: contextPayload.routePath,
-            method: contextPayload.method,
-            schemaHash: 'string' == typeof contextPayload.schemaHash ? contextPayload.schemaHash : void 0,
-            operationVersion: 'number' == typeof contextPayload.operationVersion ? contextPayload.operationVersion : void 0,
-            reason
-        };
-        operationContract?.onViolation?.(violation);
-        if (strict) throw new OperationContractViolationError(violation);
-    };
-    if (requireSchemaHash && 'string' != typeof contextPayload.schemaHash) maybeReportViolation('missing_schema_hash');
-    if (requireOperationVersion && 'number' != typeof contextPayload.operationVersion) maybeReportViolation('missing_operation_version');
+        target: 'browser',
+        sourceOrigin: resolveBrowserOrigin(),
+        targetOrigin: toOrigin(finalURL),
+        traceContext: parseTraceparentValue(readHeader(headers, TRACEPARENT_HEADER)),
+        allowCrossOriginEnvelope: realAllowCrossOriginEnvelope.get(requestId)
+    });
 };
-const getConfiguredRequest = (requestId, fallback)=>{
-    const configuredRequest = realRequest.get(requestId);
-    if (configuredRequest) return configuredRequest;
-    if ('default' !== requestId) throw new ProducerClientNotInitializedError(requestId);
-    return fallback;
+const attachSecuredOperationHeaders = (headers, requestId, method, path, operationContext)=>{
+    if (!isSecuredRequestId(requestId)) return;
+    attachOperationContextHeaders({
+        headers,
+        requestId,
+        target: 'browser',
+        method,
+        path,
+        operationContext,
+        operationContract: realOperationContract.get(requestId),
+        operationContextHeader: BFF_OPERATION_CONTEXT_HEADER,
+        operationContextDetailHeader: OPERATION_CONTEXT_DETAIL_HEADER
+    });
 };
 const configure = (options)=>{
     const { request, interceptor, allowedHeaders, transport, requireEnvelope, allowCrossOriginEnvelope, identityBinding, operationContract, setDomain, requestId = 'default' } = options;
@@ -205,7 +91,7 @@ const createRequest = (...args)=>{
     });
     const keyNames = extractPathParamNames(path);
     const sender = async (...args)=>{
-        const fetcher = getConfiguredRequest(requestId, fetch1);
+        const fetcher = resolveConfiguredRequest(realRequest, requestId, fetch1);
         let body;
         let finalURL;
         let headers;
@@ -288,47 +174,8 @@ const createRequest = (...args)=>{
         const configDomain = domainMap.get(requestId);
         if ('default' !== requestId && isEmptyDomain(configDomain)) throw new ProducerDomainNotConfiguredError(requestId);
         finalURL = `${configDomain || ''}${finalURL}`;
-        const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
-        if (shouldRequireEnvelope) {
-            const sourceOrigin = "u" > typeof window ? window.location.origin : void 0;
-            const targetOrigin = toOrigin(finalURL);
-            const traceContext = parseTraceparent(readHeader(headers, TRACEPARENT_HEADER));
-            const isCrossOrigin = Boolean(sourceOrigin) && Boolean(targetOrigin) && sourceOrigin !== targetOrigin;
-            if (isCrossOrigin) {
-                const policy = realAllowCrossOriginEnvelope.get(requestId);
-                const isAllowed = 'function' == typeof policy ? policy({
-                    requestId,
-                    sourceOrigin,
-                    targetOrigin,
-                    target: 'browser'
-                }) : true === policy;
-                if (!isAllowed) throw new CrossOriginEnvelopePolicyError(requestId, sourceOrigin, targetOrigin);
-            }
-            headers[BFF_ENVELOPE_HEADER] = JSON.stringify({
-                requestId,
-                target: 'browser',
-                timestamp: Date.now(),
-                sourceOrigin,
-                targetOrigin,
-                ...traceContext ? {
-                    traceId: traceContext.traceId,
-                    spanId: traceContext.spanId
-                } : {}
-            });
-        }
-        if (isSecuredRequestId(requestId)) {
-            if (void 0 === readHeader(headers, TRACEPARENT_HEADER) && operationContext?.traceparent) writeHeader(headers, TRACEPARENT_HEADER, operationContext.traceparent);
-            const contextPayload = buildOperationContext({
-                requestId,
-                method,
-                path,
-                operationContext,
-                traceparent: readHeader(headers, TRACEPARENT_HEADER)
-            });
-            validateOperationContract(requestId, contextPayload);
-            if (void 0 === readHeader(headers, BFF_OPERATION_CONTEXT_HEADER)) writeHeader(headers, BFF_OPERATION_CONTEXT_HEADER, contextPayload.operationId);
-            writeHeader(headers, OPERATION_CONTEXT_DETAIL_HEADER, JSON.stringify(contextPayload));
-        }
+        attachEnvelopeHeaderIfRequired(headers, requestId, finalURL);
+        attachSecuredOperationHeaders(headers, requestId, method, path, operationContext);
         return executeWithResilience({
             requestId,
             target: 'browser',
@@ -345,16 +192,21 @@ const createRequest = (...args)=>{
     };
     return sender;
 };
-const createUploader = ({ path, domain, requestId = 'default' })=>{
+const createUploader = ({ path, domain, requestId = 'default', operationContext })=>{
     const getFinalPath = compile(path, {
         encode: encodeURIComponent
     });
     const sender = (...args)=>{
-        const fetcher = getConfiguredRequest(requestId, originFetch);
-        const { body, headers, params } = getUploadPayload(args);
+        const fetcher = resolveConfiguredRequest(realRequest, requestId, originFetch);
+        const { body, headers: uploadHeaders, params } = getUploadPayload(args);
+        const headers = {
+            ...uploadHeaders
+        };
         const finalPath = getFinalPath(params);
         const configDomain = domainMap.get(requestId);
         const finalURL = `${configDomain || domain || ''}${finalPath}`;
+        attachEnvelopeHeaderIfRequired(headers, requestId, finalURL);
+        attachSecuredOperationHeaders(headers, requestId, 'POST', path, operationContext);
         return fetcher(finalURL, {
             method: 'POST',
             body,