@bleedingdev/modern-js-create-request 3.2.0-ultramodern.99 → 3.4.0-ultramodern.1

package/dist/esm/policyCore.mjs

@@ -0,0 +1,174 @@
+import { parseTraceparent } from "./traceparent.mjs";
+const TRACEPARENT_HEADER = 'traceparent';
+const readProcessEnv = (key)=>{
+    if ("u" < typeof process || void 0 === process.env || 'string' != typeof process.env[key]) return;
+    return process.env[key];
+};
+const isStrictDefaultRequestIdEnabled = ()=>'true' === readProcessEnv('MODERN_BFF_STRICT_DEFAULT_REQUEST_ID');
+const isSecuredRequestId = (requestId)=>'default' !== requestId || isStrictDefaultRequestIdEnabled();
+const isEmptyDomain = (domain)=>'string' != typeof domain || '' === domain.trim();
+const firstHeaderValue = (value)=>Array.isArray(value) ? value[0] : value;
+const findHeaderKey = (headers, header)=>{
+    const normalized = header.toLowerCase();
+    return Object.keys(headers).find((key)=>key.toLowerCase() === normalized);
+};
+const readHeader = (headers, header)=>{
+    const key = findHeaderKey(headers, header);
+    return 'string' == typeof key ? headers[key] : void 0;
+};
+const writeHeader = (headers, header, value)=>{
+    if (void 0 === value) return;
+    const key = findHeaderKey(headers, header);
+    if ('string' == typeof key && key !== header) delete headers[key];
+    headers[header] = value;
+};
+const deleteHeader = (headers, header)=>{
+    const key = findHeaderKey(headers, header);
+    if ('string' == typeof key) delete headers[key];
+};
+const toOrigin = (value)=>{
+    if (!value) return;
+    try {
+        return new URL(value).origin;
+    } catch (error) {
+        return;
+    }
+};
+const parseTraceparentValue = (value)=>parseTraceparent(firstHeaderValue(value));
+const extractPathParamNames = (path)=>Array.from(path.matchAll(/:([A-Za-z0-9_]+)/g)).flatMap(([, key])=>key ? [
+            key
+        ] : []);
+const buildOperationContext = ({ requestId, method, path, operationContext, traceparent })=>{
+    const routePath = operationContext?.routePath || path;
+    const operationMethod = (operationContext?.method || method || 'GET').toUpperCase();
+    const rawOperationId = operationContext?.operationId || `${operationMethod}:${routePath}`;
+    const operationId = rawOperationId.startsWith(`${requestId}:`) ? rawOperationId : `${requestId}:${rawOperationId}`;
+    const traceparentValue = operationContext?.traceparent || ('string' == typeof firstHeaderValue(traceparent) ? String(firstHeaderValue(traceparent)) : void 0);
+    const parsedTraceContext = operationContext?.traceId && operationContext?.spanId ? {
+        traceId: operationContext.traceId,
+        spanId: operationContext.spanId
+    } : parseTraceparentValue(traceparentValue);
+    return {
+        requestId,
+        operationId,
+        routePath,
+        method: operationMethod,
+        ...operationContext?.schemaHash ? {
+            schemaHash: operationContext.schemaHash
+        } : {},
+        ...'number' == typeof operationContext?.operationVersion ? {
+            operationVersion: operationContext.operationVersion
+        } : {},
+        ...traceparentValue ? {
+            traceparent: traceparentValue
+        } : {},
+        ...parsedTraceContext ? {
+            traceId: parsedTraceContext.traceId,
+            spanId: parsedTraceContext.spanId
+        } : {}
+    };
+};
+class ProducerClientNotInitializedError extends Error {
+    constructor(requestId){
+        super(`Producer client "${requestId}" is not initialized. Call initProducerClient() (or configure()) before using generated APIs for this requestId.`), this.code = 'BFF_PRODUCER_CLIENT_NOT_INITIALIZED';
+        this.name = 'ProducerClientNotInitializedError';
+    }
+}
+class ProducerDomainNotConfiguredError extends Error {
+    constructor(requestId){
+        super(`Producer client "${requestId}" must provide setDomain() during configure().`), this.code = 'BFF_PRODUCER_DOMAIN_NOT_CONFIGURED';
+        this.name = 'ProducerDomainNotConfiguredError';
+    }
+}
+class CrossOriginEnvelopePolicyError extends Error {
+    constructor(requestId, sourceOrigin, targetOrigin){
+        super(`Cross-origin envelope is not allowed for producer "${requestId}" (${sourceOrigin || 'unknown-origin'} -> ${targetOrigin || 'unknown-origin'}). Configure allowCrossOriginEnvelope to explicitly allow this flow.`), this.code = 'BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED';
+        this.name = 'CrossOriginEnvelopePolicyError';
+    }
+}
+class IdentityBindingViolationError extends Error {
+    constructor(violation){
+        super(`Identity header "${violation.header}" for producer "${violation.requestId}" was rejected by server-derived identity binding.`), this.code = 'BFF_IDENTITY_BINDING_VIOLATION';
+        this.name = 'IdentityBindingViolationError';
+        this.violation = violation;
+    }
+}
+class OperationContractViolationError extends Error {
+    constructor(violation){
+        super(`Operation contract violation "${violation.reason}" for producer "${violation.requestId}" operation "${violation.operationId}".`), this.code = 'BFF_OPERATION_CONTRACT_VIOLATION';
+        this.name = 'OperationContractViolationError';
+        this.violation = violation;
+    }
+}
+const validateOperationContract = ({ requestId, target, contextPayload, operationContract })=>{
+    const operationContractEnabled = operationContract?.enabled ?? isSecuredRequestId(requestId);
+    if (!operationContractEnabled) return;
+    const strict = operationContract?.strict ?? true;
+    const requireSchemaHash = operationContract?.requireSchemaHash ?? true;
+    const requireOperationVersion = operationContract?.requireOperationVersion ?? true;
+    const maybeReportViolation = (reason)=>{
+        const violation = {
+            requestId,
+            target,
+            operationId: contextPayload.operationId,
+            routePath: contextPayload.routePath,
+            method: contextPayload.method,
+            schemaHash: 'string' == typeof contextPayload.schemaHash ? contextPayload.schemaHash : void 0,
+            operationVersion: 'number' == typeof contextPayload.operationVersion ? contextPayload.operationVersion : void 0,
+            reason
+        };
+        operationContract?.onViolation?.(violation);
+        if (strict) throw new OperationContractViolationError(violation);
+    };
+    if (requireSchemaHash && 'string' != typeof contextPayload.schemaHash) maybeReportViolation('missing_schema_hash');
+    if (requireOperationVersion && 'number' != typeof contextPayload.operationVersion) maybeReportViolation('missing_operation_version');
+};
+const resolveConfiguredRequest = (configuredRequests, requestId, fallback)=>{
+    const configuredRequest = configuredRequests.get(requestId);
+    if (configuredRequest) return configuredRequest;
+    if ('default' !== requestId) throw new ProducerClientNotInitializedError(requestId);
+    return fallback;
+};
+const buildEnvelopeHeaderValue = ({ requestId, target, sourceOrigin, targetOrigin, traceContext, allowCrossOriginEnvelope })=>{
+    const isCrossOrigin = Boolean(sourceOrigin) && Boolean(targetOrigin) && sourceOrigin !== targetOrigin;
+    if (isCrossOrigin) {
+        const isAllowed = 'function' == typeof allowCrossOriginEnvelope ? allowCrossOriginEnvelope({
+            requestId,
+            sourceOrigin,
+            targetOrigin,
+            target
+        }) : true === allowCrossOriginEnvelope;
+        if (!isAllowed) throw new CrossOriginEnvelopePolicyError(requestId, sourceOrigin, targetOrigin);
+    }
+    return JSON.stringify({
+        requestId,
+        target,
+        timestamp: Date.now(),
+        sourceOrigin,
+        targetOrigin,
+        ...traceContext ? {
+            traceId: traceContext.traceId,
+            spanId: traceContext.spanId
+        } : {}
+    });
+};
+const attachOperationContextHeaders = ({ headers, requestId, target, method, path, operationContext, operationContract, operationContextHeader, operationContextDetailHeader })=>{
+    if (void 0 === readHeader(headers, TRACEPARENT_HEADER) && operationContext?.traceparent) writeHeader(headers, TRACEPARENT_HEADER, operationContext.traceparent);
+    const contextPayload = buildOperationContext({
+        requestId,
+        method,
+        path,
+        operationContext,
+        traceparent: readHeader(headers, TRACEPARENT_HEADER)
+    });
+    validateOperationContract({
+        requestId,
+        target,
+        contextPayload,
+        operationContract
+    });
+    if (void 0 === readHeader(headers, operationContextHeader)) writeHeader(headers, operationContextHeader, contextPayload.operationId);
+    writeHeader(headers, operationContextDetailHeader, JSON.stringify(contextPayload));
+    return contextPayload;
+};
+export { CrossOriginEnvelopePolicyError, IdentityBindingViolationError, OperationContractViolationError, ProducerClientNotInitializedError, ProducerDomainNotConfiguredError, TRACEPARENT_HEADER, attachOperationContextHeaders, buildEnvelopeHeaderValue, buildOperationContext, deleteHeader, extractPathParamNames, findHeaderKey, firstHeaderValue, isEmptyDomain, isSecuredRequestId, isStrictDefaultRequestIdEnabled, parseTraceparentValue, readHeader, resolveConfiguredRequest, toOrigin, validateOperationContract, writeHeader };

package/dist/esm/requestContext.mjs

@@ -1,6 +1,6 @@
+import { parseTraceparent } from "./traceparent.mjs";
 const BFF_LOCALE_HEADER = 'accept-language';
 const BFF_TRACEPARENT_HEADER = 'traceparent';
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
 const readHeader = (headers, header)=>{
     if (!headers) return;
     const normalized = header.toLowerCase();
@@ -10,17 +10,6 @@ const readHeader = (headers, header)=>{
     return Array.isArray(value) ? value[0] : value;
 };
 const readString = (value)=>'string' == typeof value && value.length > 0 ? value : void 0;
-function parseTraceparent(traceparent) {
-    if (!traceparent) return;
-    const match = traceparent.trim().match(TRACEPARENT_REGEX);
-    if (!match) return;
-    const [, traceId, spanId] = match;
-    if (!traceId || !spanId) return;
-    return {
-        traceId: traceId.toLowerCase(),
-        spanId: spanId.toLowerCase()
-    };
-}
 function createOperationContextSnapshot(operationContext, safeContext) {
     if (!operationContext) return;
     const snapshot = {

package/dist/esm/traceparent.mjs

@@ -0,0 +1,18 @@
+const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/i;
+const isAllZeroHex = (value)=>/^0+$/.test(value);
+function parseTraceparent(traceparent) {
+    if (!traceparent) return;
+    const match = traceparent.trim().match(TRACEPARENT_REGEX);
+    if (!match) return;
+    const [, rawTraceId, rawSpanId, rawFlags] = match;
+    if (!rawTraceId || !rawSpanId || !rawFlags) return;
+    const traceId = rawTraceId.toLowerCase();
+    const spanId = rawSpanId.toLowerCase();
+    if (isAllZeroHex(traceId) || isAllZeroHex(spanId)) return;
+    return {
+        traceId,
+        spanId,
+        sampled: (0x1 & Number.parseInt(rawFlags, 16)) === 1
+    };
+}
+export { parseTraceparent };

package/dist/esm-node/browser.mjs

@@ -2,10 +2,12 @@ import "node:module";
 import { compile } from "path-to-regexp";
 import { stringify } from "qs";
 import { handleRes } from "./handleRes.mjs";
+import { CrossOriginEnvelopePolicyError, IdentityBindingViolationError, OperationContractViolationError, ProducerClientNotInitializedError, ProducerDomainNotConfiguredError, TRACEPARENT_HEADER, attachOperationContextHeaders, buildEnvelopeHeaderValue, deleteHeader, extractPathParamNames, isEmptyDomain, isSecuredRequestId, parseTraceparentValue, readHeader, resolveConfiguredRequest, toOrigin, writeHeader } from "./policyCore.mjs";
 import { executeWithResilience } from "./transport.mjs";
 import { BFF_DEFAULT_PROTECTED_IDENTITY_HEADERS, BFF_ENVELOPE_HEADER, BFF_OPERATION_CONTEXT_DETAIL_HEADER, BFF_OPERATION_CONTEXT_HEADER } from "./types.mjs";
 import { getUploadPayload } from "./utiles.mjs";
 export * from "./requestContext.mjs";
+export * from "./traceparent.mjs";
 export * from "./types.mjs";
 const realRequest = new Map();
 const realAllowedHeaders = new Map();
@@ -15,154 +17,38 @@ const realTransportResilience = new Map();
 const realIdentityBinding = new Map();
 const realOperationContract = new Map();
 const domainMap = new Map();
-const isEmptyDomain = (domain)=>'string' != typeof domain || '' === domain.trim();
-const TRACEPARENT_HEADER = 'traceparent';
 const OPERATION_CONTEXT_DETAIL_HEADER = BFF_OPERATION_CONTEXT_DETAIL_HEADER;
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
-const readProcessEnv = (key)=>{
-    if ("u" < typeof process || void 0 === process.env || 'string' != typeof process.env[key]) return;
-    return process.env[key];
-};
-const isStrictDefaultRequestIdEnabled = ()=>'true' === readProcessEnv('MODERN_BFF_STRICT_DEFAULT_REQUEST_ID');
-const isSecuredRequestId = (requestId)=>'default' !== requestId || isStrictDefaultRequestIdEnabled();
-const firstHeaderValue = (value)=>Array.isArray(value) ? value[0] : value;
-const findHeaderKey = (headers, header)=>{
-    const normalized = header.toLowerCase();
-    return Object.keys(headers).find((key)=>key.toLowerCase() === normalized);
-};
-const readHeader = (headers, header)=>{
-    const key = findHeaderKey(headers, header);
-    return 'string' == typeof key ? headers[key] : void 0;
-};
-const writeHeader = (headers, header, value)=>{
-    if (void 0 === value) return;
-    const key = findHeaderKey(headers, header);
-    if ('string' == typeof key && key !== header) delete headers[key];
-    headers[header] = value;
-};
-const deleteHeader = (headers, header)=>{
-    const key = findHeaderKey(headers, header);
-    if ('string' == typeof key) delete headers[key];
-};
-const toOrigin = (value)=>{
-    if (!value) return;
-    try {
-        return new URL(value).origin;
-    } catch (error) {
-        return;
-    }
-};
-const parseTraceparent = (value)=>{
-    const traceparent = firstHeaderValue(value);
-    if ('string' != typeof traceparent) return;
-    const match = traceparent.trim().match(TRACEPARENT_REGEX);
-    if (!match) return;
-    const [, traceId, spanId] = match;
-    if (!traceId || !spanId) return;
-    return {
-        traceId: traceId.toLowerCase(),
-        spanId: spanId.toLowerCase()
-    };
-};
-const extractPathParamNames = (path)=>Array.from(path.matchAll(/:([A-Za-z0-9_]+)/g)).flatMap(([, key])=>key ? [
-            key
-        ] : []);
+const resolveBrowserOrigin = ()=>"u" > typeof window ? window.location.origin : void 0;
 const originFetch = (...params)=>{
     const [url, init] = params;
     if (init?.method?.toLowerCase() === 'get') init.body = void 0;
     return fetch(url, init).then(handleRes);
 };
-const buildOperationContext = ({ requestId, method, path, operationContext, traceparent })=>{
-    const routePath = operationContext?.routePath || path;
-    const operationMethod = (operationContext?.method || method || 'GET').toUpperCase();
-    const rawOperationId = operationContext?.operationId || `${operationMethod}:${routePath}`;
-    const operationId = rawOperationId.startsWith(`${requestId}:`) ? rawOperationId : `${requestId}:${rawOperationId}`;
-    const traceparentValue = operationContext?.traceparent || ('string' == typeof firstHeaderValue(traceparent) ? String(firstHeaderValue(traceparent)) : void 0);
-    const parsedTraceContext = operationContext?.traceId && operationContext?.spanId ? {
-        traceId: operationContext.traceId,
-        spanId: operationContext.spanId
-    } : parseTraceparent(traceparentValue);
-    return {
+const attachEnvelopeHeaderIfRequired = (headers, requestId, finalURL)=>{
+    const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
+    if (!shouldRequireEnvelope) return;
+    headers[BFF_ENVELOPE_HEADER] = buildEnvelopeHeaderValue({
         requestId,
-        operationId,
-        routePath,
-        method: operationMethod,
-        ...operationContext?.schemaHash ? {
-            schemaHash: operationContext.schemaHash
-        } : {},
-        ...'number' == typeof operationContext?.operationVersion ? {
-            operationVersion: operationContext.operationVersion
-        } : {},
-        ...traceparentValue ? {
-            traceparent: traceparentValue
-        } : {},
-        ...parsedTraceContext ? {
-            traceId: parsedTraceContext.traceId,
-            spanId: parsedTraceContext.spanId
-        } : {}
-    };
-};
-class ProducerClientNotInitializedError extends Error {
-    constructor(requestId){
-        super(`Producer client "${requestId}" is not initialized. Call initProducerClient() (or configure()) before using generated APIs for this requestId.`), this.code = 'BFF_PRODUCER_CLIENT_NOT_INITIALIZED';
-        this.name = 'ProducerClientNotInitializedError';
-    }
-}
-class ProducerDomainNotConfiguredError extends Error {
-    constructor(requestId){
-        super(`Producer client "${requestId}" must provide setDomain() during configure().`), this.code = 'BFF_PRODUCER_DOMAIN_NOT_CONFIGURED';
-        this.name = 'ProducerDomainNotConfiguredError';
-    }
-}
-class CrossOriginEnvelopePolicyError extends Error {
-    constructor(requestId, sourceOrigin, targetOrigin){
-        super(`Cross-origin envelope is not allowed for producer "${requestId}" (${sourceOrigin || 'unknown-origin'} -> ${targetOrigin || 'unknown-origin'}). Configure allowCrossOriginEnvelope to explicitly allow this flow.`), this.code = 'BFF_CROSS_ORIGIN_ENVELOPE_NOT_ALLOWED';
-        this.name = 'CrossOriginEnvelopePolicyError';
-    }
-}
-class IdentityBindingViolationError extends Error {
-    constructor(violation){
-        super(`Identity header "${violation.header}" for producer "${violation.requestId}" was rejected by server-derived identity binding.`), this.code = 'BFF_IDENTITY_BINDING_VIOLATION';
-        this.name = 'IdentityBindingViolationError';
-        this.violation = violation;
-    }
-}
-class OperationContractViolationError extends Error {
-    constructor(violation){
-        super(`Operation contract violation "${violation.reason}" for producer "${violation.requestId}" operation "${violation.operationId}".`), this.code = 'BFF_OPERATION_CONTRACT_VIOLATION';
-        this.name = 'OperationContractViolationError';
-        this.violation = violation;
-    }
-}
-const validateOperationContract = (requestId, contextPayload)=>{
-    const operationContract = realOperationContract.get(requestId);
-    const operationContractEnabled = operationContract?.enabled ?? isSecuredRequestId(requestId);
-    if (!operationContractEnabled) return;
-    const strict = operationContract?.strict ?? true;
-    const requireSchemaHash = operationContract?.requireSchemaHash ?? true;
-    const requireOperationVersion = operationContract?.requireOperationVersion ?? true;
-    const maybeReportViolation = (reason)=>{
-        const violation = {
-            requestId,
-            target: 'browser',
-            operationId: contextPayload.operationId,
-            routePath: contextPayload.routePath,
-            method: contextPayload.method,
-            schemaHash: 'string' == typeof contextPayload.schemaHash ? contextPayload.schemaHash : void 0,
-            operationVersion: 'number' == typeof contextPayload.operationVersion ? contextPayload.operationVersion : void 0,
-            reason
-        };
-        operationContract?.onViolation?.(violation);
-        if (strict) throw new OperationContractViolationError(violation);
-    };
-    if (requireSchemaHash && 'string' != typeof contextPayload.schemaHash) maybeReportViolation('missing_schema_hash');
-    if (requireOperationVersion && 'number' != typeof contextPayload.operationVersion) maybeReportViolation('missing_operation_version');
+        target: 'browser',
+        sourceOrigin: resolveBrowserOrigin(),
+        targetOrigin: toOrigin(finalURL),
+        traceContext: parseTraceparentValue(readHeader(headers, TRACEPARENT_HEADER)),
+        allowCrossOriginEnvelope: realAllowCrossOriginEnvelope.get(requestId)
+    });
 };
-const getConfiguredRequest = (requestId, fallback)=>{
-    const configuredRequest = realRequest.get(requestId);
-    if (configuredRequest) return configuredRequest;
-    if ('default' !== requestId) throw new ProducerClientNotInitializedError(requestId);
-    return fallback;
+const attachSecuredOperationHeaders = (headers, requestId, method, path, operationContext)=>{
+    if (!isSecuredRequestId(requestId)) return;
+    attachOperationContextHeaders({
+        headers,
+        requestId,
+        target: 'browser',
+        method,
+        path,
+        operationContext,
+        operationContract: realOperationContract.get(requestId),
+        operationContextHeader: BFF_OPERATION_CONTEXT_HEADER,
+        operationContextDetailHeader: OPERATION_CONTEXT_DETAIL_HEADER
+    });
 };
 const configure = (options)=>{
     const { request, interceptor, allowedHeaders, transport, requireEnvelope, allowCrossOriginEnvelope, identityBinding, operationContract, setDomain, requestId = 'default' } = options;
@@ -206,7 +92,7 @@ const createRequest = (...args)=>{
     });
     const keyNames = extractPathParamNames(path);
     const sender = async (...args)=>{
-        const fetcher = getConfiguredRequest(requestId, fetch1);
+        const fetcher = resolveConfiguredRequest(realRequest, requestId, fetch1);
         let body;
         let finalURL;
         let headers;
@@ -289,47 +175,8 @@ const createRequest = (...args)=>{
         const configDomain = domainMap.get(requestId);
         if ('default' !== requestId && isEmptyDomain(configDomain)) throw new ProducerDomainNotConfiguredError(requestId);
         finalURL = `${configDomain || ''}${finalURL}`;
-        const shouldRequireEnvelope = realRequireEnvelope.get(requestId) ?? isSecuredRequestId(requestId);
-        if (shouldRequireEnvelope) {
-            const sourceOrigin = "u" > typeof window ? window.location.origin : void 0;
-            const targetOrigin = toOrigin(finalURL);
-            const traceContext = parseTraceparent(readHeader(headers, TRACEPARENT_HEADER));
-            const isCrossOrigin = Boolean(sourceOrigin) && Boolean(targetOrigin) && sourceOrigin !== targetOrigin;
-            if (isCrossOrigin) {
-                const policy = realAllowCrossOriginEnvelope.get(requestId);
-                const isAllowed = 'function' == typeof policy ? policy({
-                    requestId,
-                    sourceOrigin,
-                    targetOrigin,
-                    target: 'browser'
-                }) : true === policy;
-                if (!isAllowed) throw new CrossOriginEnvelopePolicyError(requestId, sourceOrigin, targetOrigin);
-            }
-            headers[BFF_ENVELOPE_HEADER] = JSON.stringify({
-                requestId,
-                target: 'browser',
-                timestamp: Date.now(),
-                sourceOrigin,
-                targetOrigin,
-                ...traceContext ? {
-                    traceId: traceContext.traceId,
-                    spanId: traceContext.spanId
-                } : {}
-            });
-        }
-        if (isSecuredRequestId(requestId)) {
-            if (void 0 === readHeader(headers, TRACEPARENT_HEADER) && operationContext?.traceparent) writeHeader(headers, TRACEPARENT_HEADER, operationContext.traceparent);
-            const contextPayload = buildOperationContext({
-                requestId,
-                method,
-                path,
-                operationContext,
-                traceparent: readHeader(headers, TRACEPARENT_HEADER)
-            });
-            validateOperationContract(requestId, contextPayload);
-            if (void 0 === readHeader(headers, BFF_OPERATION_CONTEXT_HEADER)) writeHeader(headers, BFF_OPERATION_CONTEXT_HEADER, contextPayload.operationId);
-            writeHeader(headers, OPERATION_CONTEXT_DETAIL_HEADER, JSON.stringify(contextPayload));
-        }
+        attachEnvelopeHeaderIfRequired(headers, requestId, finalURL);
+        attachSecuredOperationHeaders(headers, requestId, method, path, operationContext);
         return executeWithResilience({
             requestId,
             target: 'browser',
@@ -346,16 +193,21 @@ const createRequest = (...args)=>{
     };
     return sender;
 };
-const createUploader = ({ path, domain, requestId = 'default' })=>{
+const createUploader = ({ path, domain, requestId = 'default', operationContext })=>{
     const getFinalPath = compile(path, {
         encode: encodeURIComponent
     });
     const sender = (...args)=>{
-        const fetcher = getConfiguredRequest(requestId, originFetch);
-        const { body, headers, params } = getUploadPayload(args);
+        const fetcher = resolveConfiguredRequest(realRequest, requestId, originFetch);
+        const { body, headers: uploadHeaders, params } = getUploadPayload(args);
+        const headers = {
+            ...uploadHeaders
+        };
         const finalPath = getFinalPath(params);
         const configDomain = domainMap.get(requestId);
         const finalURL = `${configDomain || domain || ''}${finalPath}`;
+        attachEnvelopeHeaderIfRequired(headers, requestId, finalURL);
+        attachSecuredOperationHeaders(headers, requestId, 'POST', path, operationContext);
         return fetcher(finalURL, {
             method: 'POST',
             body,