@bleedingdev/modern-js-plugin-bff 3.2.0-ultramodern.120 → 3.2.0-ultramodern.121

package/dist/cjs/runtime/data-platform/index.js

@@ -53,6 +53,7 @@ __webpack_require__.d(__webpack_exports__, {
     validateRequestEnvelope: ()=>validateRequestEnvelope,
     validateSelectionPlan: ()=>validateSelectionPlan
 });
+const create_request_namespaceObject = require("@modern-js/create-request");
 const api_namespaceObject = require("@opentelemetry/api");
 const DATA_BATCH_TRANSPORT_OTEL_EVENT = 'modernjs.data.batch';
 function createDataBatchTransportTelemetryAttributes(event) {
@@ -78,7 +79,6 @@ function emitDataBatchTransportEvent(onEvent, event) {
 const DEFAULT_DATA_ENVELOPE_HEADER = 'x-modernjs-data-envelope';
 const DEFAULT_DATA_BATCH_ENDPOINT = '/_data/batch';
 const DEFAULT_DATA_BATCH_HEADER = 'x-modernjs-data-batch';
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/i;
 function isPlainObject(value) {
     if ('object' != typeof value || null === value || Array.isArray(value)) return false;
     const proto = Object.getPrototypeOf(value);
@@ -175,18 +175,7 @@ function isValidHex(value, length) {
     return value.length === length && /^[0-9a-f]+$/.test(value);
 }
 function parseTraceparentHeader(header) {
-    const match = header.trim().match(TRACEPARENT_REGEX);
-    if (!match) return null;
-    const traceId = match[1].toLowerCase();
-    const spanId = match[2].toLowerCase();
-    const flags = match[3].toLowerCase();
-    if (isAllZeroHex(traceId) || isAllZeroHex(spanId)) return null;
-    const sampled = (0x1 & Number.parseInt(flags, 16)) === 1;
-    return {
-        traceId,
-        spanId,
-        sampled
-    };
+    return (0, create_request_namespaceObject.parseTraceparent)(header) ?? null;
 }
 function formatTraceparentHeader(trace) {
     const traceId = trace.traceId.toLowerCase();

package/dist/cjs/runtime/effect/adapter.js

@@ -39,10 +39,15 @@ __webpack_require__.r(__webpack_exports__);
 __webpack_require__.d(__webpack_exports__, {
     EffectAdapter: ()=>EffectAdapter
 });
+const bff_core_namespaceObject = require("@modern-js/bff-core");
 const utils_namespaceObject = require("@modern-js/utils");
+const httpapi_namespaceObject = require("effect/unstable/httpapi");
 const external_path_namespaceObject = require("path");
 var external_path_default = /*#__PURE__*/ __webpack_require__.n(external_path_namespaceObject);
+const crossProjectServerPolicy_js_namespaceObject = require("../../utils/crossProjectServerPolicy.js");
+const external_safe_failure_js_namespaceObject = require("../safe-failure.js");
 const external_context_js_namespaceObject = require("./context.js");
+const external_endpoint_contracts_js_namespaceObject = require("./endpoint-contracts.js");
 const external_module_js_namespaceObject = require("./module.js");
 const before = [
     'custom-server-hook',
@@ -88,10 +93,73 @@ class EffectAdapter {
         const entryWithoutExt = configuredEntry ? external_path_default().isAbsolute(configuredEntry) ? configuredEntry : external_path_default().resolve(appDirectory || process.cwd(), configuredEntry) : defaultEntry;
         return (0, utils_namespaceObject.findExists)(JS_OR_TS_EXTS.map((ext)=>`${entryWithoutExt}${ext}`));
     }
+    isApiRequestPath(requestPath, prefix, enableHandleWeb) {
+        if (!enableHandleWeb) return true;
+        const normalized = normalizePrefix(prefix);
+        if (!normalized) return true;
+        return requestPath === normalized || requestPath.startsWith(`${normalized}/`);
+    }
+    async collectLambdaContractSources() {
+        try {
+            const serverContext = this.api.getServerContext();
+            const appDir = serverContext.distDirectory || serverContext.appDirectory;
+            if (!appDir) return [];
+            const apiDir = 'string' == typeof serverContext.apiDirectory ? serverContext.apiDirectory : external_path_default().resolve(appDir, utils_namespaceObject.API_DIR);
+            const lambdaDir = 'string' == typeof serverContext.lambdaDirectory ? serverContext.lambdaDirectory : external_path_default().join(apiDir, 'lambda');
+            if (!await utils_namespaceObject.fs.pathExists(lambdaDir)) return [];
+            const apiRouter = new bff_core_namespaceObject.ApiRouter({
+                appDir,
+                apiDir,
+                lambdaDir,
+                prefix: this.prefix,
+                httpMethodDecider: this.api.getServerConfig()?.bff?.httpMethodDecider
+            });
+            const handlerInfos = await apiRouter.getApiHandlers();
+            return handlerInfos.map((info)=>({
+                    name: info.name,
+                    httpMethod: info.httpMethod,
+                    routePath: info.routePath,
+                    filename: info.filename,
+                    handler: info.handler
+                }));
+        } catch (error) {
+            utils_namespaceObject.logger.warn(`[BFF][Effect] Failed to derive lambda operation contracts for the cross-project policy: ${String(error)}`);
+            return [];
+        }
+    }
+    async refreshCrossProjectPolicy(mod) {
+        let contractSources = [];
+        if (mod) try {
+            const api = await (0, external_endpoint_contracts_js_namespaceObject.extractHttpApiFromModule)(mod, httpapi_namespaceObject.HttpApi.isHttpApi);
+            if (api) {
+                const reflect = (apiValue, handlers)=>httpapi_namespaceObject.HttpApi.reflect(apiValue, {
+                        onGroup: handlers.onGroup ?? (()=>{}),
+                        onEndpoint: handlers.onEndpoint
+                    });
+                contractSources = (0, external_endpoint_contracts_js_namespaceObject.toOperationContractSources)((0, external_endpoint_contracts_js_namespaceObject.collectEffectEndpoints)(reflect, api, this.prefix));
+            }
+        } catch (error) {
+            utils_namespaceObject.logger.warn(`[BFF][Effect] Failed to reflect HttpApi endpoints for the cross-project policy: ${String(error)}`);
+        }
+        let policy = (0, crossProjectServerPolicy_js_namespaceObject.resolveAdapterCrossProjectPolicy)(this.api, contractSources);
+        if (policy?.enabled) {
+            const lambdaSources = await this.collectLambdaContractSources();
+            if (lambdaSources.length > 0) {
+                contractSources = [
+                    ...contractSources,
+                    ...lambdaSources
+                ];
+                policy = (0, crossProjectServerPolicy_js_namespaceObject.resolveAdapterCrossProjectPolicy)(this.api, contractSources);
+            }
+        }
+        this.crossProjectPolicy = policy;
+        if (this.crossProjectPolicy?.enabled && 0 === contractSources.length) utils_namespaceObject.logger.warn('[BFF][Effect] Cross-project policy is enabled but no HttpApi endpoints could be reflected; operation-contract matching is disabled for this server (envelope and operation-context checks still apply).');
+    }
     async loadEffectHandlerFromModule(mod) {
         return (0, external_module_js_namespaceObject.resolveEffectBffModuleHandler)(mod, {
             openapi: this.api.getServerConfig()?.bff?.effect?.openapi,
             dataPlatform: this.api.getServerConfig()?.bff?.effect?.dataPlatform,
+            validateRequest: (request)=>(0, crossProjectServerPolicy_js_namespaceObject.checkCrossProjectPolicyForRequest)(request, this.crossProjectPolicy),
             onWarning: (message)=>{
                 utils_namespaceObject.logger.warn(message);
             }
@@ -121,6 +189,7 @@ class EffectAdapter {
             this.handler = null;
             return;
         }
+        await this.refreshCrossProjectPolicy(mod);
         const loaded = await this.loadEffectHandlerFromModule(mod);
         if (!loaded) {
             utils_namespaceObject.logger.warn(`[BFF][Effect] Invalid Effect entry module: ${entryFile}. Export { api, layer } or handler.`);
@@ -129,6 +198,7 @@ class EffectAdapter {
         }
         this.handler = loaded.handler;
         this.dispose = loaded.dispose || null;
+        this.policyEnforcedInMiddleware = !loaded.appliesRequestValidator;
     }
     async disposeCurrentHandler() {
         if (!this.dispose) return;
@@ -152,15 +222,7 @@ class EffectAdapter {
         } catch (configError) {
             utils_namespaceObject.logger.error(`Error in serverConfig.onError handler: ${configError}`);
         }
-        const status = 'object' == typeof error && null !== error && 'status' in error && 'number' == typeof error.status ? error.status : 500;
-        return new Response(JSON.stringify({
-            message: error instanceof Error ? error.message : '[BFF] Internal Server Error'
-        }), {
-            status,
-            headers: {
-                'content-type': 'application/json; charset=utf-8'
-            }
-        });
+        return (0, external_safe_failure_js_namespaceObject.createSafeFailureResponse)(error);
     }
     ensureJsonContext(c) {
         const maybeJsonContext = c;
@@ -187,6 +249,8 @@ class EffectAdapter {
         this.effectMiddleware = null;
         this.handler = null;
         this.dispose = null;
+        this.prefix = '/api';
+        this.policyEnforcedInMiddleware = false;
         this.registerMiddleware = async (options)=>{
             const { prefix, enableHandleWeb } = options;
             const { bffRuntimeFramework, middlewares: globalMiddlewares } = this.api.getServerContext();
@@ -194,6 +258,7 @@ class EffectAdapter {
                 this.isEffect = false;
                 return;
             }
+            this.prefix = prefix || this.prefix;
             await this.reloadHandler();
             this.effectMiddleware = {
                 name: 'effect-bff-handler',
@@ -206,6 +271,10 @@ class EffectAdapter {
                         if (enableHandleWeb) return void await next();
                         return this.handleRuntimeError(new Error('[BFF][Effect] Missing Effect entry. Define api/effect/index or configure bff.effect.entry.'), c);
                     }
+                    if (this.crossProjectPolicy?.enabled && this.policyEnforcedInMiddleware && this.isApiRequestPath(c.req.path, prefix, enableHandleWeb)) {
+                        const denial = (0, crossProjectServerPolicy_js_namespaceObject.checkCrossProjectPolicyForRequest)(c.req.raw, this.crossProjectPolicy);
+                        if (denial) return denial;
+                    }
                     let response;
                     try {
                         const effectRequest = createRequestForMountedPrefix(c.req.raw, prefix);

package/dist/cjs/runtime/effect/edge.js

@@ -1,5 +1,8 @@
 "use strict";
 var __webpack_modules__ = {
+    "../safe-failure" (module) {
+        module.exports = require("../safe-failure.js");
+    },
     "./handler" (module) {
         module.exports = require("./handler.js");
     },
@@ -57,16 +60,17 @@ function __webpack_require__(moduleId) {
 var __webpack_exports__ = {};
 (()=>{
     __webpack_require__.r(__webpack_exports__);
-    var _module__rspack_import_0 = __webpack_require__("./module");
-    var _operation_context__rspack_import_1 = __webpack_require__("./operation-context");
-    var _handler__rspack_import_2 = __webpack_require__("./handler");
+    var _safe_failure__rspack_import_0 = __webpack_require__("../safe-failure");
+    var _module__rspack_import_1 = __webpack_require__("./module");
+    var _operation_context__rspack_import_2 = __webpack_require__("./operation-context");
+    var _handler__rspack_import_3 = __webpack_require__("./handler");
     var __rspack_reexport = {};
-    for(const __rspack_import_key in _handler__rspack_import_2)if ([
+    for(const __rspack_import_key in _handler__rspack_import_3)if ([
         "default",
         "dispatchEffectBffRequest",
         "createEffectOperationContext",
         "createEffectBffEdgeHandler"
-    ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>_handler__rspack_import_2[__rspack_import_key];
+    ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>_handler__rspack_import_3[__rspack_import_key];
     __webpack_require__.d(__webpack_exports__, __rspack_reexport);
     function normalizePrefix(prefix) {
         if (!prefix || '/' === prefix) return '';
@@ -97,7 +101,7 @@ var __webpack_exports__ = {};
             env: options.env || {},
             path: originalPath,
             method,
-            operationContext: (0, _operation_context__rspack_import_1.createEffectOperationContext)({
+            operationContext: (0, _operation_context__rspack_import_2.createEffectOperationContext)({
                 request: effectRequest,
                 env: options.env || {},
                 path: originalPath,
@@ -106,15 +110,7 @@ var __webpack_exports__ = {};
         };
     }
     function createRuntimeErrorResponse(error) {
-        const status = 'object' == typeof error && null !== error && 'status' in error && 'number' == typeof error.status ? error.status : 500;
-        return new Response(JSON.stringify({
-            message: error instanceof Error ? error.message : '[BFF] Internal Server Error'
-        }), {
-            status,
-            headers: {
-                'content-type': 'application/json; charset=utf-8'
-            }
-        });
+        return (0, _safe_failure__rspack_import_0.createSafeFailureResponse)(error);
     }
     async function dispatchEffectBffRequest(handler, request, options = {}) {
         const requestPathname = new URL(request.url).pathname;
@@ -137,7 +133,7 @@ var __webpack_exports__ = {};
         }
     }
     async function createEffectBffEdgeHandler(options) {
-        const loaded = await (0, _module__rspack_import_0.resolveEffectBffModuleHandler)(options.module, {
+        const loaded = await (0, _module__rspack_import_1.resolveEffectBffModuleHandler)(options.module, {
             openapi: options.openapi,
             dataPlatform: options.dataPlatform,
             onWarning: options.onWarning
@@ -156,7 +152,7 @@ var __webpack_exports__ = {};
     }
     __webpack_require__.d(__webpack_exports__, {
         createEffectBffEdgeHandler: ()=>createEffectBffEdgeHandler,
-        createEffectOperationContext: ()=>_operation_context__rspack_import_1.createEffectOperationContext,
+        createEffectOperationContext: ()=>_operation_context__rspack_import_2.createEffectOperationContext,
         dispatchEffectBffRequest: ()=>dispatchEffectBffRequest
     });
 })();

package/dist/cjs/runtime/effect/endpoint-contracts.js

@@ -0,0 +1,130 @@
+"use strict";
+var __webpack_require__ = {};
+(()=>{
+    __webpack_require__.d = (exports1, getters, values)=>{
+        var define = (defs, kind)=>{
+            for(var key in defs)if (__webpack_require__.o(defs, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+                enumerable: true,
+                [kind]: defs[key]
+            });
+        };
+        define(getters, "get");
+        define(values, "value");
+    };
+})();
+(()=>{
+    __webpack_require__.o = (obj, prop)=>Object.prototype.hasOwnProperty.call(obj, prop);
+})();
+(()=>{
+    __webpack_require__.r = (exports1)=>{
+        if ("u" > typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
+            value: 'Module'
+        });
+        Object.defineProperty(exports1, '__esModule', {
+            value: true
+        });
+    };
+})();
+var __webpack_exports__ = {};
+__webpack_require__.r(__webpack_exports__);
+__webpack_require__.d(__webpack_exports__, {
+    collectEffectEndpoints: ()=>collectEffectEndpoints,
+    createEffectEndpointContractHash: ()=>createEffectEndpointContractHash,
+    createEffectOperationContractSource: ()=>createEffectOperationContractSource,
+    ensureLeadingSlash: ()=>ensureLeadingSlash,
+    extractHttpApiFromModule: ()=>extractHttpApiFromModule,
+    getEffectRoutePath: ()=>getEffectRoutePath,
+    normalizeEffectPrefix: ()=>normalizeEffectPrefix,
+    resolveEffectApiId: ()=>resolveEffectApiId,
+    toOperationContractSources: ()=>toOperationContractSources
+});
+const bff_core_namespaceObject = require("@modern-js/bff-core");
+function ensureLeadingSlash(pathname) {
+    return pathname.startsWith('/') ? pathname : `/${pathname}`;
+}
+function normalizeEffectPrefix(prefix) {
+    if ('/' === prefix) return '';
+    return ensureLeadingSlash(prefix || '/api');
+}
+function getEffectRoutePath(prefix, endpointPath) {
+    const normalizedPrefix = normalizeEffectPrefix(prefix);
+    const normalizedEndpointPath = ensureLeadingSlash(endpointPath);
+    const finalEndpointPath = '/' === normalizedEndpointPath ? '' : endpointPath;
+    if (!normalizedPrefix && !finalEndpointPath) return '/';
+    return `${normalizedPrefix}${finalEndpointPath || ''}`;
+}
+function resolveEffectApiId(api) {
+    const fallback = 'EffectHttpApi';
+    if ('identifier' in api && 'string' == typeof api.identifier && api.identifier) return api.identifier;
+    return fallback;
+}
+function collectEffectEndpoints(reflect, api, prefix) {
+    const endpoints = [];
+    const apiId = resolveEffectApiId(api);
+    reflect(api, {
+        onGroup: ()=>{},
+        onEndpoint: ({ group, endpoint })=>{
+            endpoints.push({
+                apiId,
+                groupName: String(group.identifier),
+                endpointName: String(endpoint.name),
+                method: String(endpoint.method).toUpperCase(),
+                routePath: getEffectRoutePath(prefix, String(endpoint.path))
+            });
+        }
+    });
+    return endpoints.sort((a, b)=>{
+        if (a.groupName === b.groupName) return a.endpointName.localeCompare(b.endpointName);
+        return a.groupName.localeCompare(b.groupName);
+    });
+}
+function toOperationContractSources(endpoints) {
+    return endpoints.map(createEffectOperationContractSource);
+}
+function createEffectOperationContractSource(endpoint) {
+    return {
+        name: endpoint.endpointName,
+        httpMethod: endpoint.method,
+        routePath: endpoint.routePath
+    };
+}
+function isRecord(value) {
+    return 'object' == typeof value && null !== value;
+}
+async function extractHttpApiFromModule(mod, isHttpApi) {
+    if (!isRecord(mod)) return null;
+    if (isHttpApi(mod.api)) return mod.api;
+    const entry = mod.default;
+    if (isRecord(entry) && isHttpApi(entry.api)) return entry.api;
+    if ('function' == typeof entry && 0 === entry.length) {
+        const output = await entry();
+        if (isRecord(output) && isHttpApi(output.api)) return output.api;
+    }
+    return null;
+}
+function createEffectEndpointContractHash(endpoint, requestId) {
+    return (0, bff_core_namespaceObject.createOperationContractHash)(createEffectOperationContractSource(endpoint), requestId);
+}
+exports.collectEffectEndpoints = __webpack_exports__.collectEffectEndpoints;
+exports.createEffectEndpointContractHash = __webpack_exports__.createEffectEndpointContractHash;
+exports.createEffectOperationContractSource = __webpack_exports__.createEffectOperationContractSource;
+exports.ensureLeadingSlash = __webpack_exports__.ensureLeadingSlash;
+exports.extractHttpApiFromModule = __webpack_exports__.extractHttpApiFromModule;
+exports.getEffectRoutePath = __webpack_exports__.getEffectRoutePath;
+exports.normalizeEffectPrefix = __webpack_exports__.normalizeEffectPrefix;
+exports.resolveEffectApiId = __webpack_exports__.resolveEffectApiId;
+exports.toOperationContractSources = __webpack_exports__.toOperationContractSources;
+for(var __rspack_i in __webpack_exports__)if (-1 === [
+    "collectEffectEndpoints",
+    "createEffectEndpointContractHash",
+    "createEffectOperationContractSource",
+    "ensureLeadingSlash",
+    "extractHttpApiFromModule",
+    "getEffectRoutePath",
+    "normalizeEffectPrefix",
+    "resolveEffectApiId",
+    "toOperationContractSources"
+].indexOf(__rspack_i)) exports[__rspack_i] = __webpack_exports__[__rspack_i];
+Object.defineProperty(exports, '__esModule', {
+    value: true
+});

package/dist/cjs/runtime/effect/handler.js

@@ -100,6 +100,8 @@ var __webpack_exports__ = {};
         "Effect",
         "defineEffectRpcBff",
         "createHttpApiHandler",
+        "EFFECT_VALIDATOR_AWARE_FACTORY",
+        "isValidatorAwareHandlerFactory",
         "Option"
     ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>effect_unstable_http__rspack_import_2[__rspack_import_key];
     __webpack_require__.d(__webpack_exports__, __rspack_reexport);
@@ -115,6 +117,8 @@ var __webpack_exports__ = {};
         "Effect",
         "defineEffectRpcBff",
         "createHttpApiHandler",
+        "EFFECT_VALIDATOR_AWARE_FACTORY",
+        "isValidatorAwareHandlerFactory",
         "Option"
     ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>effect_unstable_httpapi__rspack_import_3[__rspack_import_key];
     __webpack_require__.d(__webpack_exports__, __rspack_reexport);
@@ -130,10 +134,16 @@ var __webpack_exports__ = {};
         "Effect",
         "defineEffectRpcBff",
         "createHttpApiHandler",
+        "EFFECT_VALIDATOR_AWARE_FACTORY",
+        "isValidatorAwareHandlerFactory",
         "Option"
     ].indexOf(__rspack_import_key) < 0) __rspack_reexport[__rspack_import_key] = ()=>effect_unstable_rpc__rspack_import_4[__rspack_import_key];
     __webpack_require__.d(__webpack_exports__, __rspack_reexport);
     const emptyEffectServiceContext = effect_Context__rspack_import_0.empty();
+    const EFFECT_VALIDATOR_AWARE_FACTORY = Symbol.for('modernjs.effect.validatorAware');
+    function isValidatorAwareHandlerFactory(factory) {
+        return 'function' == typeof factory && true === factory[EFFECT_VALIDATOR_AWARE_FACTORY];
+    }
     function normalizeOpenApiPath(pathname) {
         if (!pathname.startsWith('/')) return `/${pathname}`;
         return pathname;
@@ -389,16 +399,38 @@ var __webpack_exports__ = {};
                 layer: definition.layer,
                 openapi: options?.openapi,
                 rpc: mergedRpcOptions,
-                dataPlatform: mergeDataPlatformOptions(definition.dataPlatform, options?.dataPlatform)
+                dataPlatform: mergeDataPlatformOptions(definition.dataPlatform, options?.dataPlatform),
+                validateRequest: options?.validateRequest
             });
         };
-        const client = void 0;
+        Object.defineProperty(createHandler, EFFECT_VALIDATOR_AWARE_FACTORY, {
+            value: true
+        });
+        const client = createLoaderMaterializedClientPlaceholder();
         return {
             ...definition,
             createHandler,
             client
         };
     }
+    const LOADER_CLIENT_IGNORED_KEYS = new Set([
+        'then',
+        'catch',
+        'finally',
+        'toJSON',
+        '$$typeof'
+    ]);
+    function createLoaderMaterializedClientPlaceholder() {
+        const explain = (property)=>{
+            throw new Error(`[BFF][Effect] effectBff.client.${String(property)} is not available here: the typed client only exists when this module is imported through the "@api/effect/*" transformed path (the BFF loader replaces it with generated client code). On the server, use HttpApiClient or call the Effect layer directly.`);
+        };
+        return new Proxy(Object.create(null), {
+            get (_target, property) {
+                if ('symbol' == typeof property || LOADER_CLIENT_IGNORED_KEYS.has(property)) return;
+                return explain(property);
+            }
+        });
+    }
     function defineEffectRpcBff(definition) {
         const createHandler = (options)=>createRpcApiHandler({
                 ...definition,
@@ -425,6 +457,8 @@ var __webpack_exports__ = {};
         const envelopeHeader = options.dataPlatform?.envelopeHeader || _data_platform__rspack_import_5.DEFAULT_DATA_ENVELOPE_HEADER;
         const normalizedEnvelopeHeader = envelopeHeader.toLowerCase();
         const withDataPlatformValidation = async (request, context)=>{
+            const policyDenial = options.validateRequest?.(request);
+            if (policyDenial) return policyDenial;
             const validationError = validateDataPlatformRequestEnvelope(request, options.dataPlatform);
             if (validationError) return validationError;
             return httpApiHandler.handler(request, context ?? emptyEffectServiceContext);
@@ -546,7 +580,11 @@ var __webpack_exports__ = {};
         const rpcHandler = createRpcApiHandler(options.rpc);
         return {
             handler: async (request, context)=>{
-                if (isRpcRequest(request, rpcPath)) return rpcHandler.handler(request, context ?? emptyEffectServiceContext);
+                if (isRpcRequest(request, rpcPath)) {
+                    const policyDenial = options.validateRequest?.(request);
+                    if (policyDenial) return policyDenial;
+                    return rpcHandler.handler(request, context ?? emptyEffectServiceContext);
+                }
                 return handleHttpApiRequest(request);
             },
             dispose: async ()=>{
@@ -567,10 +605,14 @@ var __webpack_exports__ = {};
         Schema: ()=>effect_Schema__rspack_import_9,
         createHttpApiHandler: ()=>createHttpApiHandler,
         defineEffectBff: ()=>defineEffectBff,
-        defineEffectRpcBff: ()=>defineEffectRpcBff
+        defineEffectRpcBff: ()=>defineEffectRpcBff,
+        isValidatorAwareHandlerFactory: ()=>isValidatorAwareHandlerFactory
+    }, {
+        EFFECT_VALIDATOR_AWARE_FACTORY: EFFECT_VALIDATOR_AWARE_FACTORY
     });
 })();
 exports.Config = __webpack_exports__.Config;
+exports.EFFECT_VALIDATOR_AWARE_FACTORY = __webpack_exports__.EFFECT_VALIDATOR_AWARE_FACTORY;
 exports.Effect = __webpack_exports__.Effect;
 exports.HttpApiBuilder = __webpack_exports__.HttpApiBuilder;
 exports.HttpTraceContext = __webpack_exports__.HttpTraceContext;
@@ -580,8 +622,10 @@ exports.Schema = __webpack_exports__.Schema;
 exports.createHttpApiHandler = __webpack_exports__.createHttpApiHandler;
 exports.defineEffectBff = __webpack_exports__.defineEffectBff;
 exports.defineEffectRpcBff = __webpack_exports__.defineEffectRpcBff;
+exports.isValidatorAwareHandlerFactory = __webpack_exports__.isValidatorAwareHandlerFactory;
 for(var __rspack_i in __webpack_exports__)if (-1 === [
     "Config",
+    "EFFECT_VALIDATOR_AWARE_FACTORY",
     "Effect",
     "HttpApiBuilder",
     "HttpTraceContext",
@@ -590,7 +634,8 @@ for(var __rspack_i in __webpack_exports__)if (-1 === [
     "Schema",
     "createHttpApiHandler",
     "defineEffectBff",
-    "defineEffectRpcBff"
+    "defineEffectRpcBff",
+    "isValidatorAwareHandlerFactory"
 ].indexOf(__rspack_i)) exports[__rspack_i] = __webpack_exports__[__rspack_i];
 Object.defineProperty(exports, '__esModule', {
     value: true

package/dist/cjs/runtime/effect/module.js

@@ -52,10 +52,13 @@ const emptyEffectServiceContext = Context_namespaceObject.empty();
 function callEffectBffRequestHandler(handler, request, context) {
     return void 0 === context ? handler(request) : handler(request, context);
 }
-function createLoadedHandler(webHandler) {
+function createLoadedHandler(webHandler, appliesRequestValidator) {
     return {
         handler: (request, context)=>callEffectBffRequestHandler(webHandler.handler, request, context),
-        dispose: webHandler.dispose
+        dispose: webHandler.dispose,
+        ...appliesRequestValidator ? {
+            appliesRequestValidator: true
+        } : {}
     };
 }
 function createLoadedHttpApiHandler(webHandler) {
@@ -64,7 +67,8 @@ function createLoadedHttpApiHandler(webHandler) {
             const effectContext = isEffectServiceContext(context) ? context : emptyEffectServiceContext;
             return webHandler.handler(request, effectContext);
         },
-        dispose: webHandler.dispose
+        dispose: webHandler.dispose,
+        appliesRequestValidator: true
     };
 }
 function resolveNormalizedEffectBffModuleHandler(normalizedModule, options = {}) {
@@ -90,11 +94,15 @@ function resolveNormalizedEffectBffModuleHandler(normalizedModule, options = {})
         handler: normalizedModule.handler
     };
     if ('function' == typeof normalizedModule.createHandler) {
-        const webHandler = normalizedModule.createHandler({
+        const factory = normalizedModule.createHandler;
+        const validatorAware = (0, external_handler_js_namespaceObject.isValidatorAwareHandlerFactory)(factory);
+        if (!validatorAware && void 0 !== options.validateRequest) options.onWarning?.('[BFF][Effect] Custom createHandler export detected: it cannot be verified to apply validateRequest (cross-project policy), so the policy is enforced by the adapter middleware on the outer request. Batched calls will be denied at the batch POST (it carries no per-operation contract); export defineEffectBff(...) to get per-batch-item enforcement.');
+        const webHandler = factory({
             openapi: options.openapi,
-            dataPlatform: options.dataPlatform
+            dataPlatform: options.dataPlatform,
+            validateRequest: options.validateRequest
         });
-        return createLoadedHandler(webHandler);
+        return createLoadedHandler(webHandler, validatorAware);
     }
     if (isEffectApiDefinition(normalizedModule)) {
         options.onWarning?.('[BFF][Effect] Detected { api, layer } export without createHandler. Prefer `defineEffectBff(...)` from @modern-js/plugin-bff/server to avoid module instance mismatch.');
@@ -102,7 +110,8 @@ function resolveNormalizedEffectBffModuleHandler(normalizedModule, options = {})
             api: normalizedModule.api,
             layer: normalizedModule.layer,
             openapi: options.openapi,
-            dataPlatform: options.dataPlatform
+            dataPlatform: options.dataPlatform,
+            validateRequest: options.validateRequest
         });
         return createLoadedHttpApiHandler(webHandler);
     }

package/dist/cjs/runtime/effect/operation-context.js

@@ -31,7 +31,6 @@ __webpack_require__.d(__webpack_exports__, {
     createEffectOperationContext: ()=>createEffectOperationContext
 });
 const create_request_namespaceObject = require("@modern-js/create-request");
-const TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$/i;
 const readHeader = (headers, header)=>{
     const value = headers.get(header);
     return value && value.length > 0 ? value : void 0;
@@ -40,17 +39,6 @@ const copyStringField = (target, details, key)=>{
     const value = details[key];
     if ('string' == typeof value && value.length > 0) target[key] = value;
 };
-const parseTraceparent = (traceparent)=>{
-    if (!traceparent) return;
-    const match = traceparent.trim().match(TRACEPARENT_REGEX);
-    if (!match) return;
-    const [, traceId, spanId] = match;
-    if (!traceId || !spanId) return;
-    return {
-        traceId: traceId.toLowerCase(),
-        spanId: spanId.toLowerCase()
-    };
-};
 const readOperationContextDetails = (request)=>{
     const rawDetails = readHeader(request.headers, create_request_namespaceObject.BFF_OPERATION_CONTEXT_DETAIL_HEADER);
     if (!rawDetails) return {};
@@ -78,7 +66,7 @@ const createEffectOperationContext = ({ request, path, method })=>{
     const parsedTraceparent = details.traceId && details.spanId ? {
         traceId: details.traceId,
         spanId: details.spanId
-    } : parseTraceparent(traceparent);
+    } : (0, create_request_namespaceObject.parseTraceparent)(traceparent);
     const locale = readHeader(request.headers, create_request_namespaceObject.BFF_LOCALE_HEADER);
     const headerOperationId = readHeader(request.headers, create_request_namespaceObject.BFF_OPERATION_CONTEXT_HEADER);
     return {