@bleedingdev/modern-js-create-request 3.2.0-ultramodern.120 → 3.2.0-ultramodern.122

package/dist/esm-node/policyCore.mjs

@@ -0,0 +1,175 @@
+import "node:module";
+import { parseTraceparent } from "./traceparent.mjs";
+const TRACEPARENT_HEADER = 'traceparent';
+const readProcessEnv = (key)=>{
+    if ("u" < typeof process || void 0 === process.env || 'string' != typeof process.env[key]) return;
+    return process.env[key];
+};
+const isStrictDefaultRequestIdEnabled = ()=>'true' === readProcessEnv('MODERN_BFF_STRICT_DEFAULT_REQUEST_ID');
+const isSecuredRequestId = (requestId)=>'default' !== requestId || isStrictDefaultRequestIdEnabled();
+const isEmptyDomain = (domain)=>'string' != typeof domain || '' === domain.trim();
+const firstHeaderValue = (value)=>Array.isArray(value) ? value[0] : value;
+const findHeaderKey = (headers, header)=>{
+    const normalized = header.toLowerCase();
+    return Object.keys(headers).find((key)=>key.toLowerCase() === normalized);
+};
+const readHeader = (headers, header)=>{
+    const key = findHeaderKey(headers, header);
+    return 'string' == typeof key ? headers[key] : void 0;
+};
+const writeHeader = (headers, header, value)=>{
+    if (void 0 === value) return;
+    const key = findHeaderKey(headers, header);
+    if ('string' == typeof key && key !== header) delete headers[key];
+    headers[header] = value;
+};
+const deleteHeader = (headers, header)=>{
+    const key = findHeaderKey(headers, header);
+    if ('string' == typeof key) delete headers[key];
+};
+const toOrigin = (value)=>{
+    if (!value) return;
+    try {
+        return new URL(value).origin;
+    } catch (error) {
+        return;
+    }
+};
+const parseTraceparentValue = (value)=>parseTraceparent(firstHeaderValue(value));
+const extractPathParamNames = (path)=>Array.from(path.matchAll(/:([A-Za-z0-9_]+)/g)).flatMap(([, key])=>key ? [
+            key
+        ] : []);
+const buildOperationContext = ({ requestId, method, path, operationContext, traceparent })=>{
+    const routePath = operationContext?.routePath || path;
+    const operationMethod = (operationContext?.method || method || 'GET').toUpperCase();
+    const rawOperationId = operationContext?.operationId || `${operationMethod}:${routePath}`;
+    const operationId = rawOperationId.startsWith(`${requestId}:`) ? rawOperationId : `${requestId}:${rawOperationId}`;
+    const traceparentValue = operationContext?.traceparent || ('string' == typeof firstHeaderValue(traceparent) ? String(firstHeaderValue(traceparent)) : void 0);
+    const parsedTraceContext = operationContext?.traceId && operationContext?.spanId ? {
+        traceId: operationContext.traceId,
+        spanId: operationContext.spanId
+    } : parseTraceparentValue(traceparentValue);
+    return {
+        requestId,
+        operationId,
+        routePath,
+        method: operationMethod,
+        ...operationContext?.schemaHash ? {
+            schemaHash: operationContext.schemaHash
+        } : {},
+        ...'number' == typeof operationContext?.operationVersion ? {
+            operationVersion: operationContext.operationVersion
+        } : {},
+        ...traceparentValue ? {
+            traceparent: traceparentValue
+        } : {},
+        ...parsedTraceContext ? {
+            traceId: parsedTraceContext.traceId,
+            spanId: parsedTraceContext.spanId
+        } : {}
+    };
+};
+class ProducerClientNotInitializedError extends Error {
+    constructor(requestId){
+        super(`Producer client "${requestId}" is not initialized. Call initProducerClient() (or configure()) before using generated APIs for this requestId.`), this.code = 'BFF_PRODUCER_CLIENT_NOT_INITIALIZED';
+        this.name = 'ProducerClientNotInitializedError';
+    }
+}
+class ProducerDomainNotConfiguredError extends Error {
+    constructor(requestId){
+        super(`Producer client "${requestId}" must provide setDomain() during configure().`), this.code = 'BFF_PRODUCER_DOMAIN_NOT_CONFIGURED';
+        this.name = 'ProducerDomainNotConfiguredError';
+    }
+}
+class CrossOriginEnvelopePolicyError extends Error {
+    constructor(requestId, sourceOrigin, targetOrigin){
+        super(`Cross-origin envelope is not allowed for producer "${requestId}" (${sourceOrigin || 'unknown-origin'} -> ${targetOrigin || 'unknown-origin'}). Configure allowCrossOriginEnvelope to explicitly allow this flow.`), this.code = 'BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED';
+        this.name = 'CrossOriginEnvelopePolicyError';
+    }
+}
+class IdentityBindingViolationError extends Error {
+    constructor(violation){
+        super(`Identity header "${violation.header}" for producer "${violation.requestId}" was rejected by server-derived identity binding.`), this.code = 'BFF_IDENTITY_BINDING_VIOLATION';
+        this.name = 'IdentityBindingViolationError';
+        this.violation = violation;
+    }
+}
+class OperationContractViolationError extends Error {
+    constructor(violation){
+        super(`Operation contract violation "${violation.reason}" for producer "${violation.requestId}" operation "${violation.operationId}".`), this.code = 'BFF_OPERATION_CONTRACT_VIOLATION';
+        this.name = 'OperationContractViolationError';
+        this.violation = violation;
+    }
+}
+const validateOperationContract = ({ requestId, target, contextPayload, operationContract })=>{
+    const operationContractEnabled = operationContract?.enabled ?? isSecuredRequestId(requestId);
+    if (!operationContractEnabled) return;
+    const strict = operationContract?.strict ?? true;
+    const requireSchemaHash = operationContract?.requireSchemaHash ?? true;
+    const requireOperationVersion = operationContract?.requireOperationVersion ?? true;
+    const maybeReportViolation = (reason)=>{
+        const violation = {
+            requestId,
+            target,
+            operationId: contextPayload.operationId,
+            routePath: contextPayload.routePath,
+            method: contextPayload.method,
+            schemaHash: 'string' == typeof contextPayload.schemaHash ? contextPayload.schemaHash : void 0,
+            operationVersion: 'number' == typeof contextPayload.operationVersion ? contextPayload.operationVersion : void 0,
+            reason
+        };
+        operationContract?.onViolation?.(violation);
+        if (strict) throw new OperationContractViolationError(violation);
+    };
+    if (requireSchemaHash && 'string' != typeof contextPayload.schemaHash) maybeReportViolation('missing_schema_hash');
+    if (requireOperationVersion && 'number' != typeof contextPayload.operationVersion) maybeReportViolation('missing_operation_version');
+};
+const resolveConfiguredRequest = (configuredRequests, requestId, fallback)=>{
+    const configuredRequest = configuredRequests.get(requestId);
+    if (configuredRequest) return configuredRequest;
+    if ('default' !== requestId) throw new ProducerClientNotInitializedError(requestId);
+    return fallback;
+};
+const buildEnvelopeHeaderValue = ({ requestId, target, sourceOrigin, targetOrigin, traceContext, allowCrossOriginEnvelope })=>{
+    const isCrossOrigin = Boolean(sourceOrigin) && Boolean(targetOrigin) && sourceOrigin !== targetOrigin;
+    if (isCrossOrigin) {
+        const isAllowed = 'function' == typeof allowCrossOriginEnvelope ? allowCrossOriginEnvelope({
+            requestId,
+            sourceOrigin,
+            targetOrigin,
+            target
+        }) : true === allowCrossOriginEnvelope;
+        if (!isAllowed) throw new CrossOriginEnvelopePolicyError(requestId, sourceOrigin, targetOrigin);
+    }
+    return JSON.stringify({
+        requestId,
+        target,
+        timestamp: Date.now(),
+        sourceOrigin,
+        targetOrigin,
+        ...traceContext ? {
+            traceId: traceContext.traceId,
+            spanId: traceContext.spanId
+        } : {}
+    });
+};
+const attachOperationContextHeaders = ({ headers, requestId, target, method, path, operationContext, operationContract, operationContextHeader, operationContextDetailHeader })=>{
+    if (void 0 === readHeader(headers, TRACEPARENT_HEADER) && operationContext?.traceparent) writeHeader(headers, TRACEPARENT_HEADER, operationContext.traceparent);
+    const contextPayload = buildOperationContext({
+        requestId,
+        method,
+        path,
+        operationContext,
+        traceparent: readHeader(headers, TRACEPARENT_HEADER)
+    });
+    validateOperationContract({
+        requestId,
+        target,
+        contextPayload,
+        operationContract
+    });
+    if (void 0 === readHeader(headers, operationContextHeader)) writeHeader(headers, operationContextHeader, contextPayload.operationId);
+    writeHeader(headers, operationContextDetailHeader, JSON.stringify(contextPayload));
+    return contextPayload;
+};
+export { CrossOriginEnvelopePolicyError, IdentityBindingViolationError, OperationContractViolationError, ProducerClientNotInitializedError, ProducerDomainNotConfiguredError, TRACEPARENT_HEADER, attachOperationContextHeaders, buildEnvelopeHeaderValue, buildOperationContext, deleteHeader, extractPathParamNames, findHeaderKey, firstHeaderValue, isEmptyDomain, isSecuredRequestId, isStrictDefaultRequestIdEnabled, parseTraceparentValue, readHeader, resolveConfiguredRequest, toOrigin, validateOperationContract, writeHeader };

package/dist/esm-node/requestContext.mjs

@@ -1,7 +1,7 @@
 import "node:module";
+import { parseTraceparent } from "./traceparent.mjs";
 const BFF_LOCALE_HEADER = 'accept-language';
 const BFF_TRACEPARENT_HEADER = 'traceparent';
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
 const readHeader = (headers, header)=>{
     if (!headers) return;
     const normalized = header.toLowerCase();
@@ -11,17 +11,6 @@ const readHeader = (headers, header)=>{
     return Array.isArray(value) ? value[0] : value;
 };
 const readString = (value)=>'string' == typeof value && value.length > 0 ? value : void 0;
-function parseTraceparent(traceparent) {
-    if (!traceparent) return;
-    const match = traceparent.trim().match(TRACEPARENT_REGEX);
-    if (!match) return;
-    const [, traceId, spanId] = match;
-    if (!traceId || !spanId) return;
-    return {
-        traceId: traceId.toLowerCase(),
-        spanId: spanId.toLowerCase()
-    };
-}
 function createOperationContextSnapshot(operationContext, safeContext) {
     if (!operationContext) return;
     const snapshot = {

package/dist/esm-node/traceparent.mjs

@@ -0,0 +1,19 @@
+import "node:module";
+const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/i;
+const isAllZeroHex = (value)=>/^0+$/.test(value);
+function parseTraceparent(traceparent) {
+    if (!traceparent) return;
+    const match = traceparent.trim().match(TRACEPARENT_REGEX);
+    if (!match) return;
+    const [, rawTraceId, rawSpanId, rawFlags] = match;
+    if (!rawTraceId || !rawSpanId || !rawFlags) return;
+    const traceId = rawTraceId.toLowerCase();
+    const spanId = rawSpanId.toLowerCase();
+    if (isAllZeroHex(traceId) || isAllZeroHex(spanId)) return;
+    return {
+        traceId,
+        spanId,
+        sampled: (0x1 & Number.parseInt(rawFlags, 16)) === 1
+    };
+}
+export { parseTraceparent };

package/dist/types/browser.d.ts

@@ -1,28 +1,8 @@
-import type { IdentityBindingViolation, IOptions, OperationContractViolation, RequestCreator, UploadCreator } from './types';
-export declare class ProducerClientNotInitializedError extends Error {
-    readonly code = "BFF_PRODUCER_CLIENT_NOT_INITIALIZED";
-    constructor(requestId: string);
-}
-export declare class ProducerDomainNotConfiguredError extends Error {
-    readonly code = "BFF_PRODUCER_DOMAIN_NOT_CONFIGURED";
-    constructor(requestId: string);
-}
-export declare class CrossOriginEnvelopePolicyError extends Error {
-    readonly code = "BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED";
-    constructor(requestId: string, sourceOrigin?: string, targetOrigin?: string);
-}
-export declare class IdentityBindingViolationError extends Error {
-    readonly code = "BFF_IDENTITY_BINDING_VIOLATION";
-    readonly violation: IdentityBindingViolation;
-    constructor(violation: IdentityBindingViolation);
-}
-export declare class OperationContractViolationError extends Error {
-    readonly code = "BFF_OPERATION_CONTRACT_VIOLATION";
-    readonly violation: OperationContractViolation;
-    constructor(violation: OperationContractViolation);
-}
+import type { IOptions, RequestCreator, UploadCreator } from './types';
+export { CrossOriginEnvelopePolicyError, IdentityBindingViolationError, OperationContractViolationError, ProducerClientNotInitializedError, ProducerDomainNotConfiguredError, } from './policyCore';
 export declare const configure: (options: IOptions) => void;
 export declare const createRequest: RequestCreator;
 export declare const createUploader: UploadCreator;
 export * from './requestContext';
+export * from './traceparent';
 export * from './types';

package/dist/types/node.d.ts

@@ -1,29 +1,9 @@
-import type { IdentityBindingViolation, IOptions, OperationContractViolation, RequestCreator, UploadCreator } from './types';
+import type { IOptions, RequestCreator, UploadCreator } from './types';
+export { CrossOriginEnvelopePolicyError, IdentityBindingViolationError, OperationContractViolationError, ProducerClientNotInitializedError, ProducerDomainNotConfiguredError, } from './policyCore';
 type Fetch = typeof fetch;
-export declare class ProducerClientNotInitializedError extends Error {
-    readonly code = "BFF_PRODUCER_CLIENT_NOT_INITIALIZED";
-    constructor(requestId: string);
-}
-export declare class ProducerDomainNotConfiguredError extends Error {
-    readonly code = "BFF_PRODUCER_DOMAIN_NOT_CONFIGURED";
-    constructor(requestId: string);
-}
-export declare class CrossOriginEnvelopePolicyError extends Error {
-    readonly code = "BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED";
-    constructor(requestId: string, sourceOrigin?: string, targetOrigin?: string);
-}
-export declare class IdentityBindingViolationError extends Error {
-    readonly code = "BFF_IDENTITY_BINDING_VIOLATION";
-    readonly violation: IdentityBindingViolation;
-    constructor(violation: IdentityBindingViolation);
-}
-export declare class OperationContractViolationError extends Error {
-    readonly code = "BFF_OPERATION_CONTRACT_VIOLATION";
-    readonly violation: OperationContractViolation;
-    constructor(violation: OperationContractViolation);
-}
 export declare const configure: (options: IOptions<Fetch>) => void;
 export declare const createRequest: RequestCreator<Fetch>;
 export declare const createUploader: UploadCreator;
 export * from './requestContext';
+export * from './traceparent';
 export * from './types';

package/dist/types/policyCore.d.ts

@@ -0,0 +1,108 @@
+import type { IdentityBindingViolation, OperationContext, OperationContractOptions, OperationContractViolation, TransportTarget } from './types';
+export declare const TRACEPARENT_HEADER = "traceparent";
+export declare const isStrictDefaultRequestIdEnabled: () => boolean;
+export declare const isSecuredRequestId: (requestId: string) => boolean;
+export declare const isEmptyDomain: (domain?: string) => boolean;
+export declare const firstHeaderValue: (value: unknown) => any;
+export declare const findHeaderKey: (headers: Record<string, any>, header: string) => string | undefined;
+export declare const readHeader: (headers: Record<string, any>, header: string) => any;
+export declare const writeHeader: (headers: Record<string, any>, header: string, value: unknown) => void;
+export declare const deleteHeader: (headers: Record<string, any>, header: string) => void;
+export declare const toOrigin: (value?: string) => string | undefined;
+export declare const parseTraceparentValue: (value: unknown) => import("./traceparent").TraceparentContext | undefined;
+export declare const extractPathParamNames: (path: string) => string[];
+export declare const buildOperationContext: ({ requestId, method, path, operationContext, traceparent, }: {
+    requestId: string;
+    method: string;
+    path: string;
+    operationContext?: OperationContext | undefined;
+    traceparent?: unknown;
+}) => {
+    requestId: string;
+    operationId: string;
+    routePath: string;
+    method: string;
+    schemaHash?: string | undefined;
+    operationVersion?: number | undefined;
+    traceparent?: string | undefined;
+    traceId?: string | undefined;
+    spanId?: string | undefined;
+};
+export type OperationContextPayload = ReturnType<typeof buildOperationContext>;
+export declare class ProducerClientNotInitializedError extends Error {
+    readonly code = "BFF_PRODUCER_CLIENT_NOT_INITIALIZED";
+    constructor(requestId: string);
+}
+export declare class ProducerDomainNotConfiguredError extends Error {
+    readonly code = "BFF_PRODUCER_DOMAIN_NOT_CONFIGURED";
+    constructor(requestId: string);
+}
+export declare class CrossOriginEnvelopePolicyError extends Error {
+    readonly code = "BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED";
+    constructor(requestId: string, sourceOrigin?: string, targetOrigin?: string);
+}
+export declare class IdentityBindingViolationError extends Error {
+    readonly code = "BFF_IDENTITY_BINDING_VIOLATION";
+    readonly violation: IdentityBindingViolation;
+    constructor(violation: IdentityBindingViolation);
+}
+export declare class OperationContractViolationError extends Error {
+    readonly code = "BFF_OPERATION_CONTRACT_VIOLATION";
+    readonly violation: OperationContractViolation;
+    constructor(violation: OperationContractViolation);
+}
+export declare const validateOperationContract: ({ requestId, target, contextPayload, operationContract, }: {
+    requestId: string;
+    target: TransportTarget;
+    contextPayload: OperationContextPayload;
+    operationContract: OperationContractOptions | undefined;
+}) => void;
+export declare const resolveConfiguredRequest: <F>(configuredRequests: Map<string, F>, requestId: string, fallback: F) => F;
+/**
+ * Builds the JSON value for the `x-modernjs-bff-envelope` header and throws
+ * when the cross-origin envelope policy denies the flow. Returns the
+ * serialized envelope.
+ */
+export declare const buildEnvelopeHeaderValue: ({ requestId, target, sourceOrigin, targetOrigin, traceContext, allowCrossOriginEnvelope, }: {
+    requestId: string;
+    target: TransportTarget;
+    sourceOrigin: string | undefined;
+    targetOrigin: string | undefined;
+    traceContext: {
+        traceId: string;
+        spanId: string;
+    } | null | undefined;
+    allowCrossOriginEnvelope: boolean | ((options: {
+        requestId: string;
+        sourceOrigin?: string;
+        targetOrigin?: string;
+        target: TransportTarget;
+    }) => boolean) | undefined;
+}) => string;
+/**
+ * Derives the operation context for a secured requestId, validates it against
+ * the configured operation contract and writes the `x-operation-id` and
+ * `x-modernjs-bff-operation-context` headers (without clobbering caller
+ * provided values for the id header).
+ */
+export declare const attachOperationContextHeaders: ({ headers, requestId, target, method, path, operationContext, operationContract, operationContextHeader, operationContextDetailHeader, }: {
+    headers: Record<string, any>;
+    requestId: string;
+    target: TransportTarget;
+    method: string;
+    path: string;
+    operationContext: OperationContext | undefined;
+    operationContract: OperationContractOptions | undefined;
+    operationContextHeader: string;
+    operationContextDetailHeader: string;
+}) => {
+    requestId: string;
+    operationId: string;
+    routePath: string;
+    method: string;
+    schemaHash?: string | undefined;
+    operationVersion?: number | undefined;
+    traceparent?: string | undefined;
+    traceId?: string | undefined;
+    spanId?: string | undefined;
+};

package/dist/types/traceparent.d.ts

@@ -0,0 +1,10 @@
+export type TraceparentContext = {
+    traceId: string;
+    spanId: string;
+    sampled: boolean;
+};
+/**
+ * Parse a W3C trace context `traceparent` header (version 00).
+ * All-zero trace ids and span ids are rejected per the W3C spec.
+ */
+export declare function parseTraceparent(traceparent: string | undefined | null): TraceparentContext | undefined;

package/dist/types/types.d.ts

@@ -105,7 +105,7 @@ export type CrossProjectOperationContract = {
     schemaHash?: string;
     operationVersion?: number;
 };
-export type CrossProjectPolicyViolationReason = 'missing_envelope' | 'invalid_envelope' | 'missing_request_id' | 'namespace_not_allowed' | 'missing_operation_context' | 'operation_context_mismatch' | 'missing_operation_context_details' | 'invalid_operation_context_details' | 'operation_context_details_request_id_mismatch' | 'missing_operation_schema_hash' | 'missing_operation_version' | 'unknown_operation_contract' | 'operation_schema_hash_mismatch' | 'operation_version_mismatch';
+export type CrossProjectPolicyViolationReason = 'missing_envelope' | 'invalid_envelope' | 'missing_request_id' | 'namespace_not_allowed' | 'missing_operation_context' | 'operation_context_mismatch' | 'missing_operation_context_details' | 'invalid_operation_context_details' | 'operation_context_details_request_id_mismatch' | 'missing_operation_schema_hash' | 'missing_operation_version' | 'unknown_operation_contract' | 'operation_schema_hash_mismatch' | 'operation_version_mismatch' | 'producer_identity_mismatch';
 export type CrossProjectPolicyViolation = {
     code: 'BFF_CROSS_PROJECT_POLICY_DENIED';
     reason: CrossProjectPolicyViolationReason;
@@ -154,6 +154,7 @@ export type UploadCreatorOptions = {
     path: string;
     domain?: string;
     requestId?: string;
+    operationContext?: OperationContext;
 };
 export type UploadCreator = (options: UploadCreatorOptions) => Sender;
 export type IOptions<F = typeof fetch> = {

package/package.json

@@ -17,7 +17,7 @@
     "modern",
     "modern.js"
   ],
-  "version": "3.2.0-ultramodern.120",
+  "version": "3.2.0-ultramodern.122",
   "modern:source": "./src/node.ts",
   "types": "./dist/types/browser.d.ts",
   "main": "./dist/cjs/node.js",
@@ -40,6 +40,7 @@
     "./server": {
       "types": "./dist/types/node.d.ts",
       "modern:source": "./src/node.ts",
+      "require": "./dist/cjs/node.js",
       "default": "./dist/esm/node.mjs"
     }
   },
@@ -61,8 +62,8 @@
     "encoding": "^0.1.13",
     "path-to-regexp": "^8.4.2",
     "qs": "^6.15.2",
-    "@modern-js/runtime-utils": "npm:@bleedingdev/modern-js-runtime-utils@3.2.0-ultramodern.120",
-    "@modern-js/utils": "npm:@bleedingdev/modern-js-utils@3.2.0-ultramodern.120"
+    "@modern-js/runtime-utils": "npm:@bleedingdev/modern-js-runtime-utils@3.2.0-ultramodern.122",
+    "@modern-js/utils": "npm:@bleedingdev/modern-js-utils@3.2.0-ultramodern.122"
   },
   "devDependencies": {
     "@rslib/core": "0.22.0",
@@ -71,7 +72,7 @@
     "@typescript/native-preview": "7.0.0-dev.20260610.1",
     "happy-dom": "^20.10.2",
     "nock": "^14.0.15",
-    "@modern-js/types": "npm:@bleedingdev/modern-js-types@3.2.0-ultramodern.120",
+    "@modern-js/types": "npm:@bleedingdev/modern-js-types@3.2.0-ultramodern.122",
     "@scripts/rstest-config": "2.66.0"
   },
   "sideEffects": false,