@bleedingdev/modern-js-create-request 3.2.0-ultramodern.98 → 3.4.0-ultramodern.0

package/dist/esm/browser.mjs

@@ -1,10 +1,12 @@
 import { compile } from "path-to-regexp";
 import { stringify } from "qs";
 import { handleRes } from "./handleRes.mjs";
+import { CrossOriginEnvelopePolicyError, IdentityBindingViolationError, OperationContractViolationError, ProducerClientNotInitializedError, ProducerDomainNotConfiguredError, TRACEPARENT_HEADER, attachOperationContextHeaders, buildEnvelopeHeaderValue, deleteHeader, extractPathParamNames, isEmptyDomain, isSecuredRequestId, parseTraceparentValue, readHeader, resolveConfiguredRequest, toOrigin, writeHeader } from "./policyCore.mjs";
 import { executeWithResilience } from "./transport.mjs";
 import { BFF_DEFAULT_PROTECTED_IDENTITY_HEADERS, BFF_ENVELOPE_HEADER, BFF_OPERATION_CONTEXT_DETAIL_HEADER, BFF_OPERATION_CONTEXT_HEADER } from "./types.mjs";
 import { getUploadPayload } from "./utiles.mjs";
 export * from "./requestContext.mjs";
+export * from "./traceparent.mjs";
 export * from "./types.mjs";
 const realRequest = new Map();
 const realAllowedHeaders = new Map();
@@ -14,154 +16,38 @@ const realTransportResilience = new Map();
 const realIdentityBinding = new Map();
 const realOperationContract = new Map();
 const domainMap = new Map();
-const isEmptyDomain = (domain)=>'string' != typeof domain || '' === domain.trim();
-const TRACEPARENT_HEADER = 'traceparent';
 const OPERATION_CONTEXT_DETAIL_HEADER = BFF_OPERATION_CONTEXT_DETAIL_HEADER;
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
-const readProcessEnv = (key)=>{
-    if ("u" < typeof process || void 0 === process.env || 'string' != typeof process.env[key]) return;
-    return process.env[key];
-};
-const isStrictDefaultRequestIdEnabled = ()=>'true' === readProcessEnv('MODERN_BFF_STRICT_DEFAULT_REQUEST_ID');
-const isSecuredRequestId = (requestId)=>'default' !== requestId || isStrictDefaultRequestIdEnabled();
-const firstHeaderValue = (value)=>Array.isArray(value) ? value[0] : value;
-const findHeaderKey = (headers, header)=>{
-    const normalized = header.toLowerCase();
-    return Object.keys(headers).find((key)=>key.toLowerCase() === normalized);
-};
-const readHeader = (headers, header)=>{
-    const key = findHeaderKey(headers, header);
-    return 'string' == typeof key ? headers[key] : void 0;
-};
-const writeHeader = (headers, header, value)=>{
-    if (void 0 === value) return;
-    const key = findHeaderKey(headers, header);
-    if ('string' == typeof key && key !== header) delete headers[key];
-    headers[header] = value;
-};
-const deleteHeader = (headers, header)=>{
-    const key = findHeaderKey(headers, header);
-    if ('string' == typeof key) delete headers[key];
-};
-const toOrigin = (value)=>{
-    if (!value) return;
-    try {
-        return new URL(value).origin;
-    } catch (error) {
-        return;
-    }
-};
-const parseTraceparent = (value)=>{
-    const traceparent = firstHeaderValue(value);
-    if ('string' != typeof traceparent) return;
-    const match = traceparent.trim().match(TRACEPARENT_REGEX);
-    if (!match) return;
-    const [, traceId, spanId] = match;
-    if (!traceId || !spanId) return;
-    return {
-        traceId: traceId.toLowerCase(),
-        spanId: spanId.toLowerCase()
-    };
-};
-const extractPathParamNames = (path)=>Array.from(path.matchAll(/:([A-Za-z0-9_]+)/g)).flatMap(([, key])=>key ? [
-            key
-        ] : []);
+const resolveBrowserOrigin = ()=>"u" > typeof window ? window.location.origin : void 0;
 const originFetch = (...params)=>{
     const [url, init] = params;
     if (init?.method?.toLowerCase() === 'get') init.body = void 0;
     return fetch(url, init).then(handleRes);
 };
-const buildOperationContext = ({ requestId, method, path, operationContext, traceparent })=>{
-    const routePath = operationContext?.routePath || path;
-    const operationMethod = (operationContext?.method || method || 'GET').toUpperCase();
-    const rawOperationId = operationContext?.operationId || `${operationMethod}:${routePath}`;
-    const operationId = rawOperationId.startsWith(`${requestId}:`) ? rawOperationId : `${requestId}:${rawOperationId}`;
-    const traceparentValue = operationContext?.traceparent || ('string' == typeof firstHeaderValue(traceparent) ? String(firstHeaderValue(traceparent)) : void 0);
-    const parsedTraceContext = operationContext?.traceId && operationContext?.spanId ? {
-        traceId: operationContext.traceId,
-        spanId: operationContext.spanId
-    } : parseTraceparent(traceparentValue);
-    return {
+const attachEnvelopeHeaderIfRequired = (headers, requestId, finalURL)=>{
+    const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
+    if (!shouldRequireEnvelope) return;
+    headers[BFF_ENVELOPE_HEADER] = buildEnvelopeHeaderValue({
         requestId,
-        operationId,
-        routePath,
-        method: operationMethod,
-        ...operationContext?.schemaHash ? {
-            schemaHash: operationContext.schemaHash
-        } : {},
-        ...'number' == typeof operationContext?.operationVersion ? {
-            operationVersion: operationContext.operationVersion
-        } : {},
-        ...traceparentValue ? {
-            traceparent: traceparentValue
-        } : {},
-        ...parsedTraceContext ? {
-            traceId: parsedTraceContext.traceId,
-            spanId: parsedTraceContext.spanId
-        } : {}
-    };
-};
-class ProducerClientNotInitializedError extends Error {
-    constructor(requestId){
-        super(`Producer client "${requestId}" is not initialized. Call initProducerClient() (or configure()) before using generated APIs for this requestId.`), this.code = 'BFF_PRODUCER_CLIENT_NOT_INITIALIZED';
-        this.name = 'ProducerClientNotInitializedError';
-    }
-}
-class ProducerDomainNotConfiguredError extends Error {
-    constructor(requestId){
-        super(`Producer client "${requestId}" must provide setDomain() during configure().`), this.code = 'BFF_PRODUCER_DOMAIN_NOT_CONFIGURED';
-        this.name = 'ProducerDomainNotConfiguredError';
-    }
-}
-class CrossOriginEnvelopePolicyError extends Error {
-    constructor(requestId, sourceOrigin, targetOrigin){
-        super(`Cross-origin envelope is not allowed for producer "${requestId}" (${sourceOrigin || 'unknown-origin'} -> ${targetOrigin || 'unknown-origin'}). Configure allowCrossOriginEnvelope to explicitly allow this flow.`), this.code = 'BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED';
-        this.name = 'CrossOriginEnvelopePolicyError';
-    }
-}
-class IdentityBindingViolationError extends Error {
-    constructor(violation){
-        super(`Identity header "${violation.header}" for producer "${violation.requestId}" was rejected by server-derived identity binding.`), this.code = 'BFF_IDENTITY_BINDING_VIOLATION';
-        this.name = 'IdentityBindingViolationError';
-        this.violation = violation;
-    }
-}
-class OperationContractViolationError extends Error {
-    constructor(violation){
-        super(`Operation contract violation "${violation.reason}" for producer "${violation.requestId}" operation "${violation.operationId}".`), this.code = 'BFF_OPERATION_CONTRACT_VIOLATION';
-        this.name = 'OperationContractViolationError';
-        this.violation = violation;
-    }
-}
-const validateOperationContract = (requestId, contextPayload)=>{
-    const operationContract = realOperationContract.get(requestId);
-    const operationContractEnabled = operationContract?.enabled ?? isSecuredRequestId(requestId);
-    if (!operationContractEnabled) return;
-    const strict = operationContract?.strict ?? true;
-    const requireSchemaHash = operationContract?.requireSchemaHash ?? true;
-    const requireOperationVersion = operationContract?.requireOperationVersion ?? true;
-    const maybeReportViolation = (reason)=>{
-        const violation = {
-            requestId,
-            target: 'browser',
-            operationId: contextPayload.operationId,
-            routePath: contextPayload.routePath,
-            method: contextPayload.method,
-            schemaHash: 'string' == typeof contextPayload.schemaHash ? contextPayload.schemaHash : void 0,
-            operationVersion: 'number' == typeof contextPayload.operationVersion ? contextPayload.operationVersion : void 0,
-            reason
-        };
-        operationContract?.onViolation?.(violation);
-        if (strict) throw new OperationContractViolationError(violation);
-    };
-    if (requireSchemaHash && 'string' != typeof contextPayload.schemaHash) maybeReportViolation('missing_schema_hash');
-    if (requireOperationVersion && 'number' != typeof contextPayload.operationVersion) maybeReportViolation('missing_operation_version');
+        target: 'browser',
+        sourceOrigin: resolveBrowserOrigin(),
+        targetOrigin: toOrigin(finalURL),
+        traceContext: parseTraceparentValue(readHeader(headers, TRACEPARENT_HEADER)),
+        allowCrossOriginEnvelope: realAllowCrossOriginEnvelope.get(requestId)
+    });
 };
-const getConfiguredRequest = (requestId, fallback)=>{
-    const configuredRequest = realRequest.get(requestId);
-    if (configuredRequest) return configuredRequest;
-    if ('default' !== requestId) throw new ProducerClientNotInitializedError(requestId);
-    return fallback;
+const attachSecuredOperationHeaders = (headers, requestId, method, path, operationContext)=>{
+    if (!isSecuredRequestId(requestId)) return;
+    attachOperationContextHeaders({
+        headers,
+        requestId,
+        target: 'browser',
+        method,
+        path,
+        operationContext,
+        operationContract: realOperationContract.get(requestId),
+        operationContextHeader: BFF_OPERATION_CONTEXT_HEADER,
+        operationContextDetailHeader: OPERATION_CONTEXT_DETAIL_HEADER
+    });
 };
 const configure = (options)=>{
     const { request, interceptor, allowedHeaders, transport, requireEnvelope, allowCrossOriginEnvelope, identityBinding, operationContract, setDomain, requestId = 'default' } = options;
@@ -205,7 +91,7 @@ const createRequest = (...args)=>{
     });
     const keyNames = extractPathParamNames(path);
     const sender = async (...args)=>{
-        const fetcher = getConfiguredRequest(requestId, fetch1);
+        const fetcher = resolveConfiguredRequest(realRequest, requestId, fetch1);
         let body;
         let finalURL;
         let headers;
@@ -288,47 +174,8 @@ const createRequest = (...args)=>{
         const configDomain = domainMap.get(requestId);
         if ('default' !== requestId && isEmptyDomain(configDomain)) throw new ProducerDomainNotConfiguredError(requestId);
         finalURL = `${configDomain || ''}${finalURL}`;
-        const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
-        if (shouldRequireEnvelope) {
-            const sourceOrigin = "u" > typeof window ? window.location.origin : void 0;
-            const targetOrigin = toOrigin(finalURL);
-            const traceContext = parseTraceparent(readHeader(headers, TRACEPARENT_HEADER));
-            const isCrossOrigin = Boolean(sourceOrigin) && Boolean(targetOrigin) && sourceOrigin !== targetOrigin;
-            if (isCrossOrigin) {
-                const policy = realAllowCrossOriginEnvelope.get(requestId);
-                const isAllowed = 'function' == typeof policy ? policy({
-                    requestId,
-                    sourceOrigin,
-                    targetOrigin,
-                    target: 'browser'
-                }) : true === policy;
-                if (!isAllowed) throw new CrossOriginEnvelopePolicyError(requestId, sourceOrigin, targetOrigin);
-            }
-            headers[BFF_ENVELOPE_HEADER] = JSON.stringify({
-                requestId,
-                target: 'browser',
-                timestamp: Date.now(),
-                sourceOrigin,
-                targetOrigin,
-                ...traceContext ? {
-                    traceId: traceContext.traceId,
-                    spanId: traceContext.spanId
-                } : {}
-            });
-        }
-        if (isSecuredRequestId(requestId)) {
-            if (void 0 === readHeader(headers, TRACEPARENT_HEADER) && operationContext?.traceparent) writeHeader(headers, TRACEPARENT_HEADER, operationContext.traceparent);
-            const contextPayload = buildOperationContext({
-                requestId,
-                method,
-                path,
-                operationContext,
-                traceparent: readHeader(headers, TRACEPARENT_HEADER)
-            });
-            validateOperationContract(requestId, contextPayload);
-            if (void 0 === readHeader(headers, BFF_OPERATION_CONTEXT_HEADER)) writeHeader(headers, BFF_OPERATION_CONTEXT_HEADER, contextPayload.operationId);
-            writeHeader(headers, OPERATION_CONTEXT_DETAIL_HEADER, JSON.stringify(contextPayload));
-        }
+        attachEnvelopeHeaderIfRequired(headers, requestId, finalURL);
+        attachSecuredOperationHeaders(headers, requestId, method, path, operationContext);
         return executeWithResilience({
             requestId,
             target: 'browser',
@@ -345,16 +192,21 @@ const createRequest = (...args)=>{
     };
     return sender;
 };
-const createUploader = ({ path, domain, requestId = 'default' })=>{
+const createUploader = ({ path, domain, requestId = 'default', operationContext })=>{
     const getFinalPath = compile(path, {
         encode: encodeURIComponent
     });
     const sender = (...args)=>{
-        const fetcher = getConfiguredRequest(requestId, originFetch);
-        const { body, headers, params } = getUploadPayload(args);
+        const fetcher = resolveConfiguredRequest(realRequest, requestId, originFetch);
+        const { body, headers: uploadHeaders, params } = getUploadPayload(args);
+        const headers = {
+            ...uploadHeaders
+        };
         const finalPath = getFinalPath(params);
         const configDomain = domainMap.get(requestId);
         const finalURL = `${configDomain || domain || ''}${finalPath}`;
+        attachEnvelopeHeaderIfRequired(headers, requestId, finalURL);
+        attachSecuredOperationHeaders(headers, requestId, 'POST', path, operationContext);
         return fetcher(finalURL, {
             method: 'POST',
             body,

package/dist/esm/node.mjs

@@ -2,10 +2,12 @@ import { storage } from "@modern-js/runtime-utils/node";
 import { compile } from "path-to-regexp";
 import { stringify } from "qs";
 import { handleRes } from "./handleRes.mjs";
+import { CrossOriginEnvelopePolicyError, IdentityBindingViolationError, OperationContractViolationError, ProducerClientNotInitializedError, ProducerDomainNotConfiguredError, TRACEPARENT_HEADER, attachOperationContextHeaders, buildEnvelopeHeaderValue, deleteHeader, extractPathParamNames, firstHeaderValue, isEmptyDomain, isSecuredRequestId, parseTraceparentValue, readHeader, resolveConfiguredRequest, toOrigin, writeHeader } from "./policyCore.mjs";
 import { executeWithResilience } from "./transport.mjs";
 import { BFF_DEFAULT_PROTECTED_IDENTITY_HEADERS, BFF_ENVELOPE_HEADER, BFF_OPERATION_CONTEXT_DETAIL_HEADER, BFF_OPERATION_CONTEXT_HEADER } from "./types.mjs";
 import { getUploadPayload } from "./utiles.mjs";
 export * from "./requestContext.mjs";
+export * from "./traceparent.mjs";
 export * from "./types.mjs";
 const realRequest = new Map();
 const realAllowedHeaders = new Map();
@@ -16,51 +18,7 @@ const realTransportResilience = new Map();
 const realIdentityBinding = new Map();
 const realOperationContract = new Map();
 const domainMap = new Map();
-const isEmptyDomain = (domain)=>'string' != typeof domain || '' === domain.trim();
-const TRACEPARENT_HEADER = 'traceparent';
 const OPERATION_CONTEXT_DETAIL_HEADER = BFF_OPERATION_CONTEXT_DETAIL_HEADER;
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
-const isStrictDefaultRequestIdEnabled = ()=>'true' === process.env.MODERN_BFF_STRICT_DEFAULT_REQUEST_ID;
-const isSecuredRequestId = (requestId)=>'default' !== requestId || isStrictDefaultRequestIdEnabled();
-const firstHeaderValue = (value)=>Array.isArray(value) ? value[0] : value;
-const findHeaderKey = (headers, header)=>{
-    const normalized = header.toLowerCase();
-    return Object.keys(headers).find((key)=>key.toLowerCase() === normalized);
-};
-const readHeader = (headers, header)=>{
-    const key = findHeaderKey(headers, header);
-    return 'string' == typeof key ? headers[key] : void 0;
-};
-const writeHeader = (headers, header, value)=>{
-    if (void 0 === value) return;
-    const key = findHeaderKey(headers, header);
-    if ('string' == typeof key && key !== header) delete headers[key];
-    headers[header] = value;
-};
-const deleteHeader = (headers, header)=>{
-    const key = findHeaderKey(headers, header);
-    if ('string' == typeof key) delete headers[key];
-};
-const toOrigin = (value)=>{
-    if (!value) return;
-    try {
-        return new URL(value).origin;
-    } catch (error) {
-        return;
-    }
-};
-const parseTraceparent = (value)=>{
-    const traceparent = firstHeaderValue(value);
-    if ('string' != typeof traceparent) return;
-    const match = traceparent.trim().match(TRACEPARENT_REGEX);
-    if (!match) return;
-    const [, traceId, spanId] = match;
-    if (!traceId || !spanId) return;
-    return {
-        traceId: traceId.toLowerCase(),
-        spanId: spanId.toLowerCase()
-    };
-};
 const resolveSourceOrigin = (headers)=>{
     const origin = toOrigin(firstHeaderValue(headers.origin));
     if (origin) return origin;
@@ -71,103 +29,43 @@ const resolveSourceOrigin = (headers)=>{
     const proto = firstHeaderValue(headers['x-forwarded-proto']) || 'http';
     return `${proto}://${host}`;
 };
-const extractPathParamNames = (path)=>Array.from(path.matchAll(/:([A-Za-z0-9_]+)/g)).map(([, key])=>key);
+const readIncomingWebHeaders = ()=>{
+    try {
+        return storage.useContext().headers || {};
+    } catch (error) {
+        return {};
+    }
+};
 const originFetch = (...params)=>{
     const [, init] = params;
     if (init?.method?.toLowerCase() === 'get') init.body = void 0;
     return fetch(...params).then(handleRes);
 };
-const buildOperationContext = ({ requestId, method, path, operationContext, traceparent })=>{
-    const routePath = operationContext?.routePath || path;
-    const operationMethod = (operationContext?.method || method || 'GET').toUpperCase();
-    const rawOperationId = operationContext?.operationId || `${operationMethod}:${routePath}`;
-    const operationId = rawOperationId.startsWith(`${requestId}:`) ? rawOperationId : `${requestId}:${rawOperationId}`;
-    const traceparentValue = operationContext?.traceparent || ('string' == typeof firstHeaderValue(traceparent) ? String(firstHeaderValue(traceparent)) : void 0);
-    const parsedTraceContext = operationContext?.traceId && operationContext?.spanId ? {
-        traceId: operationContext.traceId,
-        spanId: operationContext.spanId
-    } : parseTraceparent(traceparentValue);
-    return {
+const attachEnvelopeHeaderIfRequired = (headers, requestId, url, webRequestHeaders)=>{
+    const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
+    if (!shouldRequireEnvelope) return;
+    headers[BFF_ENVELOPE_HEADER] = buildEnvelopeHeaderValue({
         requestId,
-        operationId,
-        routePath,
-        method: operationMethod,
-        ...operationContext?.schemaHash ? {
-            schemaHash: operationContext.schemaHash
-        } : {},
-        ...'number' == typeof operationContext?.operationVersion ? {
-            operationVersion: operationContext.operationVersion
-        } : {},
-        ...traceparentValue ? {
-            traceparent: traceparentValue
-        } : {},
-        ...parsedTraceContext ? {
-            traceId: parsedTraceContext.traceId,
-            spanId: parsedTraceContext.spanId
-        } : {}
-    };
-};
-class ProducerClientNotInitializedError extends Error {
-    constructor(requestId){
-        super(`Producer client "${requestId}" is not initialized. Call initProducerClient() (or configure()) before using generated APIs for this requestId.`), this.code = 'BFF_PRODUCER_CLIENT_NOT_INITIALIZED';
-        this.name = 'ProducerClientNotInitializedError';
-    }
-}
-class ProducerDomainNotConfiguredError extends Error {
-    constructor(requestId){
-        super(`Producer client "${requestId}" must provide setDomain() during configure().`), this.code = 'BFF_PRODUCER_DOMAIN_NOT_CONFIGURED';
-        this.name = 'ProducerDomainNotConfiguredError';
-    }
-}
-class CrossOriginEnvelopePolicyError extends Error {
-    constructor(requestId, sourceOrigin, targetOrigin){
-        super(`Cross-origin envelope is not allowed for producer "${requestId}" (${sourceOrigin || 'unknown-origin'} -> ${targetOrigin || 'unknown-origin'}). Configure allowCrossOriginEnvelope to explicitly allow this flow.`), this.code = 'BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED';
-        this.name = 'CrossOriginEnvelopePolicyError';
-    }
-}
-class IdentityBindingViolationError extends Error {
-    constructor(violation){
-        super(`Identity header "${violation.header}" for producer "${violation.requestId}" was rejected by server-derived identity binding.`), this.code = 'BFF_IDENTITY_BINDING_VIOLATION';
-        this.name = 'IdentityBindingViolationError';
-        this.violation = violation;
-    }
-}
-class OperationContractViolationError extends Error {
-    constructor(violation){
-        super(`Operation contract violation "${violation.reason}" for producer "${violation.requestId}" operation "${violation.operationId}".`), this.code = 'BFF_OPERATION_CONTRACT_VIOLATION';
-        this.name = 'OperationContractViolationError';
-        this.violation = violation;
-    }
-}
-const validateOperationContract = (requestId, contextPayload)=>{
-    const operationContract = realOperationContract.get(requestId);
-    const operationContractEnabled = operationContract?.enabled ?? isSecuredRequestId(requestId);
-    if (!operationContractEnabled) return;
-    const strict = operationContract?.strict ?? true;
-    const requireSchemaHash = operationContract?.requireSchemaHash ?? true;
-    const requireOperationVersion = operationContract?.requireOperationVersion ?? true;
-    const maybeReportViolation = (reason)=>{
-        const violation = {
-            requestId,
-            target: 'server',
-            operationId: contextPayload.operationId,
-            routePath: contextPayload.routePath,
-            method: contextPayload.method,
-            schemaHash: 'string' == typeof contextPayload.schemaHash ? contextPayload.schemaHash : void 0,
-            operationVersion: 'number' == typeof contextPayload.operationVersion ? contextPayload.operationVersion : void 0,
-            reason
-        };
-        operationContract?.onViolation?.(violation);
-        if (strict) throw new OperationContractViolationError(violation);
-    };
-    if (requireSchemaHash && 'string' != typeof contextPayload.schemaHash) maybeReportViolation('missing_schema_hash');
-    if (requireOperationVersion && 'number' != typeof contextPayload.operationVersion) maybeReportViolation('missing_operation_version');
+        target: 'server',
+        sourceOrigin: resolveSourceOrigin(webRequestHeaders),
+        targetOrigin: toOrigin(url),
+        traceContext: parseTraceparentValue(readHeader(headers, TRACEPARENT_HEADER)),
+        allowCrossOriginEnvelope: realAllowCrossOriginEnvelope.get(requestId)
+    });
 };
-const getConfiguredRequest = (requestId, fallback)=>{
-    const configuredRequest = realRequest.get(requestId);
-    if (configuredRequest) return configuredRequest;
-    if ('default' !== requestId) throw new ProducerClientNotInitializedError(requestId);
-    return fallback;
+const attachSecuredOperationHeaders = (headers, requestId, method, path, operationContext)=>{
+    if (!isSecuredRequestId(requestId)) return;
+    attachOperationContextHeaders({
+        headers,
+        requestId,
+        target: 'server',
+        method,
+        path,
+        operationContext,
+        operationContract: realOperationContract.get(requestId),
+        operationContextHeader: BFF_OPERATION_CONTEXT_HEADER,
+        operationContextDetailHeader: OPERATION_CONTEXT_DETAIL_HEADER
+    });
 };
 const configure = (options)=>{
     const { request, interceptor, allowedHeaders, resolveHeaders, transport, requireEnvelope, allowCrossOriginEnvelope, identityBinding, operationContract, setDomain, requestId = 'default' } = options;
@@ -212,13 +110,8 @@ const createRequest = (...args)=>{
     });
     const keyNames = extractPathParamNames(path);
     const sender = (...args)=>{
-        const fetcher = getConfiguredRequest(requestId, fetch1);
-        let webRequestHeaders = {};
-        try {
-            webRequestHeaders = storage.useContext().headers || {};
-        } catch (error) {
-            webRequestHeaders = {};
-        }
+        const fetcher = resolveConfiguredRequest(realRequest, requestId, fetch1);
+        const webRequestHeaders = readIncomingWebHeaders();
         let body;
         let headers;
         let url;
@@ -330,46 +223,8 @@ const createRequest = (...args)=>{
             if ('string' == typeof incomingTraceparent) writeHeader(headers, TRACEPARENT_HEADER, incomingTraceparent);
         }
         if (void 0 === readHeader(headers, TRACEPARENT_HEADER) && operationContext?.traceparent) writeHeader(headers, TRACEPARENT_HEADER, operationContext.traceparent);
-        const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
-        if (shouldRequireEnvelope) {
-            const sourceOrigin = resolveSourceOrigin(webRequestHeaders);
-            const targetOrigin = toOrigin(url);
-            const traceContext = parseTraceparent(readHeader(headers, TRACEPARENT_HEADER));
-            const isCrossOrigin = Boolean(sourceOrigin) && Boolean(targetOrigin) && sourceOrigin !== targetOrigin;
-            if (isCrossOrigin) {
-                const policy = realAllowCrossOriginEnvelope.get(requestId);
-                const isAllowed = 'function' == typeof policy ? policy({
-                    requestId,
-                    sourceOrigin,
-                    targetOrigin,
-                    target: 'server'
-                }) : true === policy;
-                if (!isAllowed) throw new CrossOriginEnvelopePolicyError(requestId, sourceOrigin, targetOrigin);
-            }
-            headers[BFF_ENVELOPE_HEADER] = JSON.stringify({
-                requestId,
-                target: 'server',
-                timestamp: Date.now(),
-                sourceOrigin,
-                targetOrigin,
-                ...traceContext ? {
-                    traceId: traceContext.traceId,
-                    spanId: traceContext.spanId
-                } : {}
-            });
-        }
-        if (isSecuredRequestId(requestId)) {
-            const contextPayload = buildOperationContext({
-                requestId,
-                method,
-                path,
-                operationContext,
-                traceparent: readHeader(headers, TRACEPARENT_HEADER)
-            });
-            validateOperationContract(requestId, contextPayload);
-            if (void 0 === readHeader(headers, BFF_OPERATION_CONTEXT_HEADER)) writeHeader(headers, BFF_OPERATION_CONTEXT_HEADER, contextPayload.operationId);
-            writeHeader(headers, OPERATION_CONTEXT_DETAIL_HEADER, JSON.stringify(contextPayload));
-        }
+        attachEnvelopeHeaderIfRequired(headers, requestId, url, webRequestHeaders);
+        attachSecuredOperationHeaders(headers, requestId, method, path, operationContext);
         if ('get' === method.toLowerCase()) body = void 0;
         headers.accept = "application/json,*/*;q=0.8";
         return executeWithResilience({
@@ -388,12 +243,17 @@ const createRequest = (...args)=>{
     };
     return sender;
 };
-const createUploader = ({ path, requestId = 'default' })=>{
+const createUploader = ({ path, requestId = 'default', operationContext })=>{
     const sender = (...args)=>{
-        const fetcher = getConfiguredRequest(requestId, originFetch);
-        const { body, headers } = getUploadPayload(args);
+        const fetcher = resolveConfiguredRequest(realRequest, requestId, originFetch);
+        const { body, headers: uploadHeaders } = getUploadPayload(args);
+        const headers = {
+            ...uploadHeaders
+        };
         const configDomain = domainMap.get(requestId);
         const finalURL = `${configDomain || ''}${path}`;
+        attachEnvelopeHeaderIfRequired(headers, requestId, finalURL, readIncomingWebHeaders());
+        attachSecuredOperationHeaders(headers, requestId, 'POST', path, operationContext);
         return fetcher(finalURL, {
             method: 'POST',
             body,