@salesforce/lds-runtime-aura 1.428.0-dev11 → 1.428.0-dev12

package/dist/ldsEngineCreator.js

@@ -1590,9 +1590,12 @@ const _FetchNetworkCommand = class _FetchNetworkCommand extends NetworkCommand {
     this.services = services;
     this.additionalNullResponses = [];
   }
-  fetch() {
+  fetch(contextSeed) {
     try {
-      return this.convertFetchResponseToData(this.services.fetch(...this.fetchParams));
+      const [input, init] = this.fetchParams;
+      const initWithSeed = contextSeed === void 0 ? init : { ...init, __contextSeed: contextSeed };
+      const fetchCall = initWithSeed === void 0 ? this.services.fetch(input) : this.services.fetch(input, initWithSeed);
+      return this.convertFetchResponseToData(fetchCall);
     } catch (reason) {
       return resolvedPromiseLike$2(err$1(toError(reason)));
     }
@@ -2760,7 +2763,7 @@ function buildServiceDescriptor$d(luvio) {
         },
     };
 }
-// version: 1.428.0-dev11-659d2de2fa
+// version: 1.428.0-dev12-f80887e01b
 
 /*!
  * Copyright (c) 2022, Salesforce, Inc.,
@@ -3113,7 +3116,7 @@ function buildServiceDescriptor$9(notifyRecordUpdateAvailable, getNormalizedLuvi
         },
     };
 }
-// version: 1.428.0-dev11-659d2de2fa
+// version: 1.428.0-dev12-f80887e01b
 
 /*!
  * Copyright (c) 2022, Salesforce, Inc.,
@@ -4201,11 +4204,13 @@ class JwtToken {
    * @param _token - The JWT string.
    * @param _decodedInfo - The decoded information from the JWT.
    * @param _extraInfo - Any additional information associated with the JWT.
+   * @param _mintParams - The parameters used to mint this token. Undefined for legacy parameterless tokens.
    */
-  constructor(_token, _decodedInfo, _extraInfo) {
+  constructor(_token, _decodedInfo, _extraInfo, _mintParams) {
     this._token = _token;
     this._decodedInfo = _decodedInfo;
     this._extraInfo = _extraInfo;
+    this._mintParams = _mintParams;
   }
   /**
    * Get the JWT string.
@@ -4231,6 +4236,14 @@ class JwtToken {
   get decodedInfo() {
     return this._decodedInfo;
   }
+  /**
+   * Get the mint parameters used to produce this token.
+   *
+   * @returns The mint parameters, or undefined for legacy parameterless tokens.
+   */
+  get mintParams() {
+    return this._mintParams;
+  }
   /**
    * Get the remaining time in seconds until the JWT expires.
    *
@@ -4248,6 +4261,12 @@ class JwtToken {
     return this.tokenRemainingSeconds <= 0;
   }
 }
+function cacheKeyFor(params) {
+  if (params === void 0) {
+    return "jwt:";
+  }
+  return `jwt:${stableJSONStringify$2(params) ?? ""}`;
+}
 let defaultLogger = {
   trace: () => {
   },
@@ -4281,85 +4300,146 @@ class JwtRepository {
     this.limitInSeconds = limitInSeconds;
     this.defaultTokenTTLInSeconds = defaultTokenTTLInSeconds;
     this.logger = logger;
+    this._tokens = /* @__PURE__ */ new Map();
+    this.timeoutHandlers = /* @__PURE__ */ new Map();
     this.observers = [];
   }
   /**
-   * Get the current token.
+   * Get the legacy (parameterless) token. Equivalent to `getToken()` with
+   * no args. Preserved for backward compatibility with code that reads the
+   * `token` property directly.
    */
   get token() {
-    return this._token;
+    return this.getToken();
+  }
+  /**
+   * Get the cached token for the given mint params.
+   *
+   * @param params - The mint params identifying the token. Omit for the legacy global token.
+   */
+  getToken(params) {
+    return this._tokens.get(cacheKeyFor(params));
   }
   /**
-   * Set the current token.
+   * Set the cached token for the given mint params.
    *
    * @param token - JWT token as a string.
    * @param extraInfo - Optional extra information.
+   * @param params - The mint params identifying the token. Omit for the legacy global token.
    */
-  setToken(token, extraInfo) {
+  setToken(token, extraInfo, params) {
     const decodedInfo = computeDecodedInfo(
       token,
       this.defaultTokenTTLInSeconds,
       this.logger
     );
-    this._token = new JwtToken(token, decodedInfo, extraInfo);
-    this.observeTokenExpiration();
-    return this._token;
+    const key = cacheKeyFor(params);
+    const jwtToken = new JwtToken(token, decodedInfo, extraInfo, params);
+    this._tokens.set(key, jwtToken);
+    this.observeTokenExpiration(key);
+    return jwtToken;
+  }
+  /**
+   * Remove the cached token for the given mint params.
+   *
+   * @param params - The mint params identifying the token. Omit to remove
+   * only the legacy global-key entry (matches today's behavior of "remove
+   * the only token there is").
+   */
+  removeToken(params) {
+    const key = cacheKeyFor(params);
+    this._tokens.delete(key);
+    this.clearTimeoutHandler(key);
   }
   /**
-   * Remove the current token.
+   * Remove every cached token and clear every near-expiry timer. Used by
+   * test teardown and full auth-reset paths that previously called
+   * `removeToken()` to clear the single token.
    */
-  removeToken() {
-    this._token = void 0;
-    this.clearTimeoutHandler();
+  clearAllTokens() {
+    for (const key of Array.from(this.timeoutHandlers.keys())) {
+      this.clearTimeoutHandler(key);
+    }
+    this._tokens.clear();
   }
   /**
-   * Subscribe to the token nearing its expiration.
+   * Subscribe to any cached token nearing its expiration.
+   *
+   * The callback receives the specific token whose timer fired. Use
+   * `token.mintParams` to determine which token-set the expiry belongs to.
    *
-   * @param cb - Callback function to execute when token is nearing expiration.
+   * Already-cached tokens are armed at subscribe time. Tokens added later
+   * via `setToken` arm their own timers from inside `setToken`, so this
+   * loop only needs to cover the existing entries.
+   *
+   * @param cb - Callback function to execute when a token is nearing expiration.
    */
   subscribeToTokenNearExpiration(cb) {
     this.observers.push(cb);
-    this.observeTokenExpiration();
+    for (const key of this._tokens.keys()) {
+      this.observeTokenExpiration(key);
+    }
     return () => {
       this.observers = this.observers.filter((observer) => observer !== cb);
+      if (this.observers.length === 0) {
+        for (const key of Array.from(this.timeoutHandlers.keys())) {
+          this.clearTimeoutHandler(key);
+        }
+      }
     };
   }
   /**
-   * Clear the timeout handler.
+   * Number of currently cached tokens. Exposed for size observability so
+   * runtime callers can emit a metric on cache growth and detect adapters
+   * that misuse `dynamicParams` for per-request values.
    */
-  clearTimeoutHandler() {
-    if (this.timeoutHandler !== void 0) {
-      clearTimeout(this.timeoutHandler);
+  get size() {
+    return this._tokens.size;
+  }
+  /**
+   * Clear the timeout handler for a specific cache key.
+   */
+  clearTimeoutHandler(key) {
+    const handler = this.timeoutHandlers.get(key);
+    if (handler !== void 0) {
+      clearTimeout(handler);
+      this.timeoutHandlers.delete(key);
     }
   }
   /**
-   * Observe and handle token expiration.
+   * Observe and handle expiration of the token at the given cache key.
    */
-  observeTokenExpiration() {
-    this.clearTimeoutHandler();
-    if (this.observers.length === 0 || this.token === void 0) {
+  observeTokenExpiration(key) {
+    this.clearTimeoutHandler(key);
+    const token = this._tokens.get(key);
+    if (this.observers.length === 0 || token === void 0) {
       return;
     }
-    this.timeoutHandler = setTimeout(
-      () => this.notifyTokenIsExpiring(),
-      this.computeTimeoutTimeInMs()
+    const handler = setTimeout(
+      () => this.notifyTokenIsExpiring(key),
+      this.computeTimeoutTimeInMs(token)
     );
+    this.timeoutHandlers.set(key, handler);
   }
   /**
-   * Compute the timeout time in milliseconds.
+   * Compute the timeout time in milliseconds for the given token.
    */
-  computeTimeoutTimeInMs() {
-    const remainingSeconds = this.token.tokenRemainingSeconds;
-    let timeoutTimeInSeconds = remainingSeconds - this.limitInSeconds;
+  computeTimeoutTimeInMs(token) {
+    const remainingSeconds = token.tokenRemainingSeconds;
+    const timeoutTimeInSeconds = remainingSeconds - this.limitInSeconds;
     return timeoutTimeInSeconds < 0 ? 0 : timeoutTimeInSeconds * 1e3;
   }
   /**
-   * Notify all observers that the token is expiring.
+   * Notify all observers that the token at the given cache key is expiring.
    */
-  notifyTokenIsExpiring() {
+  notifyTokenIsExpiring(key) {
+    const token = this._tokens.get(key);
+    if (token === void 0) {
+      return;
+    }
     this.observers.forEach((cb) => {
       try {
-        cb.call(void 0, this.token);
+        cb.call(void 0, token);
       } catch (e2) {
         this.logger.error(e2.message);
       }
@@ -4377,57 +4457,68 @@ class JwtManager {
   constructor(jwtRepository, resolver, options) {
     this.jwtRepository = jwtRepository;
     this.resolver = resolver;
+    this.inflightPromises = /* @__PURE__ */ new Map();
     if (options == null ? void 0 : options.keepTokenUpdated) {
-      jwtRepository.subscribeToTokenNearExpiration(() => this.refreshToken());
+      jwtRepository.subscribeToTokenNearExpiration(
+        (token) => this.refreshToken(token.mintParams)
+      );
     }
   }
   /**
-   * Method to get a JWT token.
-   * If there's a token request in progress, it will return the Promise of this request.
-   * If the current token is undefined or expired, it will initiate a token refresh.
-   * Otherwise, it will return the current token.
+   * Method to get a JWT token for the given mint params.
    *
-   * @returns {JwtToken<T, ExtraInfo> | Promise<JwtToken<T, ExtraInfo>>} The current token or the Promise of a token request.
+   * If a request for the same params is in flight, returns its promise. If
+   * a cached token for those params exists and is not expired, returns it
+   * synchronously. Otherwise initiates a refresh.
+   *
+   * @param params - Optional mint parameters. Omit for the legacy parameterless token.
+   * @returns The cached token (sync) or a promise that resolves to the refreshed token.
    */
-  getJwt() {
-    if (this.inflightPromise) {
-      return this.inflightPromise;
+  getJwt(params) {
+    const key = cacheKeyFor(params);
+    const inflight = this.inflightPromises.get(key);
+    if (inflight) {
+      return inflight;
     }
-    const token = this.jwtRepository.token;
+    const token = this.jwtRepository.getToken(params);
     if (token === void 0 || token.isExpired) {
-      return this.refreshToken();
+      return this.refreshToken(params);
     }
     return token;
   }
   /**
-   * Method to refresh a JWT token.
-   * If a refresh request is already in progress, it will return the Promise of this request.
-   * Otherwise, it will start a new refresh request and return its Promise.
+   * Method to refresh a JWT token for the given mint params.
    *
-   * @returns {Promise<JwtToken<T, ExtraInfo>>} Promise of the refreshed token.
+   * @param params - Optional mint parameters. Omit for the legacy parameterless token.
+   * @returns Promise of the refreshed token.
    */
-  refreshToken() {
-    if (this.inflightPromise === void 0) {
-      this.inflightPromise = new Promise((resolve, reject) => {
-        this.resolver.getJwt().then(({ jwt, extraInfo }) => {
-          this.inflightPromise = void 0;
-          const token = this.jwtRepository.setToken(jwt, extraInfo);
-          resolve(token);
-        }).catch((reason) => {
-          this.inflightPromise = void 0;
-          reject(reason);
-        });
+  refreshToken(params) {
+    const key = cacheKeyFor(params);
+    const existing = this.inflightPromises.get(key);
+    if (existing !== void 0) {
+      return existing;
+    }
+    const resolverPromise = params === void 0 ? this.resolver.getJwt() : this.resolver.getJwt(params);
+    const promise = new Promise((resolve, reject) => {
+      resolverPromise.then(({ jwt, extraInfo }) => {
+        this.inflightPromises.delete(key);
+        const token = this.jwtRepository.setToken(jwt, extraInfo, params);
+        resolve(token);
+      }).catch((reason) => {
+        this.inflightPromises.delete(key);
+        reject(reason);
       });
-    }
-    return this.inflightPromise;
+    });
+    this.inflightPromises.set(key, promise);
+    return promise;
   }
   /**
-   * Method to check if a token refresh is in progress.
+   * Method to check if any token refresh is in progress.
    *
-   * @returns {boolean} true if a token refresh is in progress, false otherwise.
+   * @returns {boolean} true if at least one refresh is in flight, false otherwise.
    */
   get isRefreshingToken() {
-    return this.inflightPromise !== void 0;
+    return this.inflightPromises.size > 0;
   }
 }
 
@@ -4445,9 +4536,18 @@ function buildServiceDescriptor$2(interceptors = {
   return {
     type: "fetch",
     version: "1.0",
-    service: function(...args) {
+    service: function(input, init) {
       var _a;
-      const context = (_a = interceptors.createContext) == null ? void 0 : _a.call(interceptors);
+      let contextSeed;
+      let cleanInit = init;
+      if (init !== void 0 && "__contextSeed" in init) {
+        const { __contextSeed, ...initWithoutSeed } = init;
+        contextSeed = __contextSeed;
+        cleanInit = Object.keys(initWithoutSeed).length === 0 ? void 0 : initWithoutSeed;
+      }
+      const fetchArgs = cleanInit === void 0 ? [input] : [input, cleanInit];
+      const baseContext = (_a = interceptors.createContext) == null ? void 0 : _a.call(interceptors);
+      const context = contextSeed === void 0 ? baseContext : { ...baseContext, ...contextSeed };
       const {
         request: requestInterceptors = [],
         retry: retryInterceptor = void 0,
@@ -4455,17 +4555,17 @@ function buildServiceDescriptor$2(interceptors = {
         finally: finallyInterceptors = []
       } = interceptors;
       const pending = requestInterceptors.reduce(
-        (previousPromise, interceptor) => previousPromise.then((args2) => interceptor(args2, context)),
-        resolvedPromiseLike$2(args)
+        (previousPromise, interceptor) => previousPromise.then((args) => interceptor(args, context)),
+        resolvedPromiseLike$2(fetchArgs)
       );
-      return Promise.resolve(pending).then((args2) => {
+      return Promise.resolve(pending).then((args) => {
         if (retryInterceptor) {
-          return retryInterceptor(args2, retryService, context);
+          return retryInterceptor(args, retryService, context);
         } else {
           if (retryService) {
-            return retryService.applyRetry(() => fetch(...args2));
+            return retryService.applyRetry(() => fetch(...args));
           }
-          return fetch(...args2);
+          return fetch(...args);
         }
       }).then((response) => {
         return responseInterceptors.reduce(
@@ -4780,6 +4880,10 @@ const SALESFORCE_API_BASE_URI_FLAG = 'api.salesforce.com';
 const X_REQUEST_ID_HEADER = 'x-request-id';
 const SFAPController = 'SalesforceApiPlatformController';
 const SFAPJwtMethod = 'getSFAPLightningJwtService';
+// Parameterized mint: the POST signature's auto-generated Aura method
+// (`@ConnectSignature(..., generateAuraMethod = true)` on the SFAP Lightning JWT
+// Service Connect resource). Takes a single `requestBody` named param.
+const SFAPJwtPostMethod = 'postSFAPLightningJwtService';
 /**
  * We expect jwt info and baseUri to be present in the response.
  *
@@ -4926,6 +5030,144 @@ function generateRequestId$1() {
     }
 }
 
+/**
+ * Normalize SFAP-shaped params into the opaque `JwtMintParams` bag that callers
+ * hand to `JwtManager.getJwt(params)`. Scopes are sorted because they are
+ * semantically a set — without this, `['a', 'b']` and `['b', 'a']` would cache
+ * as separate entries (OneStore treats arrays as ordered under stable-JSON
+ * serialization; see ADR "JWT Parameterization" §2).
+ *
+ * MANDATORY CONSUMER ENTRY POINT. Every consumer that mints a parameterized
+ * SFAP JWT MUST assemble its params through this function before calling the
+ * manager. The cache key is derived by `JwtManager` from the caller's params
+ * (`cacheKeyFor(params)`) *before* the resolver runs — so the resolver cannot
+ * normalize after the fact. Set-stable caching therefore depends on the caller
+ * routing params through here. Do NOT sort inside the resolver: that would only
+ * reorder the wire body, not the cache key, and mutating the caller's params
+ * mid-call would desync the in-flight-dedup key from the stored-token key.
+ */
+/**
+ * Validate and narrow an opaque `JwtMintParams` bag to the SFAP-shaped subset the
+ * resolver forwards. Returns `{ error }` (surfaced as a resolver rejection) for a
+ * malformed bag rather than throwing.
+ */
+function coerceToSfapParams(params) {
+    const scopes = params.scopes;
+    const dynamicParams = params.dynamicParams;
+    if (scopes !== undefined && !isStringArray(scopes)) {
+        return { error: 'SFAP JWT params.scopes must be a string[] when provided.' };
+    }
+    if (dynamicParams !== undefined && !isStringRecord(dynamicParams)) {
+        return {
+            error: 'SFAP JWT params.dynamicParams must be a Record<string, string> when provided.',
+        };
+    }
+    return { params: { scopes, dynamicParams } };
+}
+function isStringArray(value) {
+    return Array.isArray(value) && value.every((s) => typeof s === 'string');
+}
+function isStringRecord(value) {
+    if (typeof value !== 'object' || value === null || Array.isArray(value)) {
+        return false;
+    }
+    return Object.values(value).every((v) => typeof v === 'string');
+}
+/**
+ * Build the SFAP mint request body from the coerced params: `scopes` joined into a
+ * single space-delimited string, `dynamicParams` mapped to `dynamicParameters.items`.
+ * Empty scopes / dynamic params are omitted.
+ */
+function buildRequestBody(params) {
+    const body = {};
+    if (params.scopes && params.scopes.length > 0) {
+        body.scopes = params.scopes.join(' ');
+    }
+    if (params.dynamicParams) {
+        const items = Object.entries(params.dynamicParams).map(([name, value]) => ({ name, value }));
+        if (items.length > 0) {
+            body.dynamicParameters = { items };
+        }
+    }
+    return body;
+}
+
+/**
+ * Parameterized SFAP JWT resolver that mints over **Aura transport** instead of a
+ * direct HTTP `fetch`.
+ *
+ * It dispatches the SFAP Lightning JWT Service's parameterized POST via its
+ * auto-generated Aura controller method
+ * `SalesforceApiPlatformController.postSFAPLightningJwtService` (generated by
+ * `@ConnectSignature(..., generateAuraMethod = true)` on the Connect resource).
+ * The mint inputs ride as the single `requestBody` named param, in the same
+ * `{ scopes, dynamicParameters: { items } }` shape the HTTP resolver POSTs — built
+ * by the shared {@link buildRequestBody}, so the two transports stay in lockstep.
+ *
+ * Why Aura (not the HTTP resolver): the mint endpoint is a same-origin core
+ * resource, and routing it over Aura keeps session/CSRF handling inside the Aura
+ * stack rather than issuing a credentialed cross-cutting `fetch` from the client.
+ * This mirrors the legacy parameterless `platformSfapJwtResolver` in
+ * `network-sfap.ts`, which already mints over Aura via the `getSFAPLightningJwtService`
+ * generated method — this is the parameterized sibling of that call.
+ *
+ * A `JwtResolver` is invoked directly by `JwtManager` (not through Luvio's
+ * `appRouter`/`ResourceRequest` pipeline), so the correct mechanism is a direct
+ * named-controller `dispatchAuraAction`, not the `auraNetworkAdapter`/connect-route
+ * table. The SFAP JWT endpoint is not registered as a connect-over-Aura route, and
+ * a resolver has no `ResourceRequest` for the router to look up.
+ */
+class ParameterizedSfapJwtAuraResolver {
+    getJwt(params) {
+        return new Promise((resolve, reject) => {
+            if (params === undefined) {
+                // Misuse: the dispatching resolver routes parameterless calls to the
+                // legacy resolver. Reject so production fails loudly here.
+                reject('ParameterizedSfapJwtAuraResolver requires JwtMintParams. The legacy parameterless path should be served by platformSfapJwtResolver.');
+                return;
+            }
+            const coerced = coerceToSfapParams(params);
+            if ('error' in coerced) {
+                reject(coerced.error);
+                return;
+            }
+            // The mint inputs become the single `requestBody` named param of the
+            // generated Aura method (Aura binds top-level keys to the controller
+            // method's named args). Reuses the HTTP resolver's body builder so both
+            // transports send an identical shape.
+            const requestBody = buildRequestBody(coerced.params);
+            // No fetchImpl / requestInterceptor / CSRF / credentials handling here —
+            // the Aura stack owns session + CSRF. Matches the legacy resolver's call.
+            dispatchAuraAction(`${SFAPController}.${SFAPJwtPostMethod}`, { requestBody }, defaultActionConfig)
+                .then((response) => {
+                const body = response.body;
+                if (!body || typeof body.jwt !== 'string' || typeof body.baseUri !== 'string') {
+                    // Never serialize the body into the error — it may carry a JWT.
+                    reject('SFAP JWT response missing required fields (jwt, baseUri)');
+                    return;
+                }
+                resolve({ jwt: body.jwt, extraInfo: { baseUri: body.baseUri } });
+            })
+                .catch((error) => {
+                // Error mapping ported from the legacy platformSfapJwtResolver
+                // (network-sfap.ts): plain Errors carry a message; non-500
+                // AuraFetchResponses are ConnectInJava errors with a typed body;
+                // 500s carry an { error } body.
+                if (error instanceof Error) {
+                    reject(error.message);
+                    return;
+                }
+                const { status } = error;
+                if (status !== HttpStatusCode$2.ServerError) {
+                    reject(error.body.message);
+                    return;
+                }
+                reject(error.body.error);
+            });
+        });
+    }
+}
+
 function e(e){this.message=e;}e.prototype=new Error,e.prototype.name="InvalidCharacterError";"undefined"!=typeof window&&window.atob&&window.atob.bind(window)||function(r){var t=String(r).replace(/=+$/,"");if(t.length%4==1)throw new e("'atob' failed: The string to be decoded is not correctly encoded.");for(var n,o,a=0,i=0,c="";o=t.charAt(i++);~o&&(n=a%4?64*n+o:o,a++%4)?c+=String.fromCharCode(255&n>>(-2*a&6)):0)o="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".indexOf(o);return c};function n(e){this.message=e;}n.prototype=new Error,n.prototype.name="InvalidTokenError";
 
 /**
@@ -5742,7 +5984,7 @@ function getEnvironmentSetting(name) {
     }
     return undefined;
 }
-// version: 1.428.0-dev11-659d2de2fa
+// version: 1.428.0-dev12-f80887e01b
 
 const environmentHasAura = typeof window !== 'undefined' && typeof window.$A !== 'undefined';
 const defaultConfig = {
@@ -7016,9 +7258,106 @@ function buildCsrfRetryInterceptor() {
     };
 }
 
+/**
+ * The context-seed key under which a custom command forwards its JWT mint
+ * parameters. The framework's `buildServiceDescriptor` merges the request init's
+ * `__contextSeed` onto the per-request interceptor context, so this interceptor
+ * reads the params off `context[JWT_MINT_PARAMS_SEED_KEY]`.
+ *
+ * This is a cross-team contract: the custom command writes this key, this
+ * interceptor reads it. It is intentionally an opaque key — OneStore does not
+ * define it and never inspects the param shape; the typed shape lives in the
+ * resolver.
+ */
+const JWT_MINT_PARAMS_SEED_KEY = 'jwtMintParams';
+/**
+ * Returns `true` if the fetch arguments already carry an `Authorization` header,
+ * across the three shapes the framework's `setHeader` handles: a `Request`
+ * resource's own headers, an `options.headers` `Headers` instance, or a plain
+ * record. The descriptor's guarded legacy interceptor uses this to skip when the
+ * parameterized interceptor has already authorized the request — avoiding a second
+ * mint and the throw `setHeaderAuthorization` raises on an existing header.
+ */
+function hasAuthorizationHeader([resource, options]) {
+    if (resource instanceof Request && resource.headers.has('Authorization')) {
+        return true;
+    }
+    const headers = options?.headers;
+    if (headers === undefined) {
+        return false;
+    }
+    if (headers instanceof Headers) {
+        return headers.has('Authorization');
+    }
+    if (Array.isArray(headers)) {
+        return headers.some(([name]) => name.toLowerCase() === 'authorization');
+    }
+    return Reflect.has(headers, 'Authorization');
+}
+/**
+ * Builds the request interceptor that bridges the per-request context seed to the
+ * dispatching SFAP JwtManager for the **parameterized** mint path.
+ *
+ * For a parameterized SFAP command, the context carries `jwtMintParams`. This
+ * interceptor reads them, calls `jwtManager.getJwt(params)` (which the dispatching
+ * resolver routes to the parameterized resolver), attaches the `Authorization`
+ * header, and rewrites the request URL via the minted `baseUri`. The presence of
+ * that `Authorization` header is the signal the descriptor's guarded legacy
+ * interceptor uses to skip — so the legacy path does not mint a second time.
+ *
+ * For a legacy parameterless command the context carries no `jwtMintParams`, so
+ * this interceptor **early-returns on its first line** and the request flows
+ * unchanged to the legacy `buildJwtRequestHeaderInterceptor` — guaranteeing zero
+ * behavior change for non-opted-in adapters.
+ *
+ * Lives in `lds-lightning-platform` (not OneStore) beside the existing SFAP/CSRF
+ * interceptors, per the JWT-parameterization ADR §5: OneStore provides only the
+ * generic interceptor mechanism and the opaque context-seed channel; the service-
+ * specific bridge is a runtime-layer concern.
+ *
+ * @param jwtManager - the dispatching SFAP JwtManager
+ * @param jwtRequestModifier - applies the minted `extraInfo.baseUri` to the request URL
+ */
+function buildJwtParameterizationInterceptor(jwtManager, jwtRequestModifier = (_extraInfo, fetchArgs) => fetchArgs) {
+    return (fetchArgs, context) => {
+        const jwtContext = context;
+        const mintParams = jwtContext?.[JWT_MINT_PARAMS_SEED_KEY];
+        // No mint params → not a parameterized request. Do nothing; the legacy
+        // interceptor handles it. This MUST be the first statement so non-opted-in
+        // SFAP commands observe no work at all.
+        if (mintParams === undefined) {
+            return resolvedPromiseLike$2(fetchArgs);
+        }
+        return resolvedPromiseLike$2(jwtManager.getJwt(mintParams)).then((token) => {
+            const fetchArgsWithAuthorization = setHeaderAuthorization(token, fetchArgs);
+            return token.extraInfo
+                ? jwtRequestModifier(token.extraInfo, fetchArgsWithAuthorization)
+                : fetchArgsWithAuthorization;
+        });
+    };
+}
+
 const SFAP_BASE_URL = 'api.salesforce.com';
+function buildDispatchingSfapJwtResolver(legacyResolver, parameterizedResolver) {
+    return {
+        getJwt(params) {
+            if (params === undefined) {
+                return legacyResolver.getJwt();
+            }
+            return parameterizedResolver.getJwt(params);
+        },
+    };
+}
+// The parameterized mint is dispatched over **Aura transport**:
+// the resolver calls the SFAP Lightning JWT Service's auto-generated Aura method
+// `SalesforceApiPlatformController.postSFAPLightningJwtService`, so session + CSRF
+// are handled inside the Aura stack. This mirrors the legacy parameterless
+// `platformSfapJwtResolver`, which already mints over Aura. The minted JWT is then
+// attached as a Bearer token on the downstream SFAP API request (which stays HTTP).
+const parameterizedSfapJwtResolver = new ParameterizedSfapJwtAuraResolver();
+const sfapJwtResolver = buildDispatchingSfapJwtResolver(platformSfapJwtResolver, parameterizedSfapJwtResolver);
 const sfapJwtRepository = new JwtRepository();
-const sfapJwtManager = new JwtManager(sfapJwtRepository, platformSfapJwtResolver);
+const sfapJwtManager = new JwtManager(sfapJwtRepository, sfapJwtResolver);
 function prefetchSfapJwt() {
     const maybePromise = sfapJwtManager.getJwt();
     if ('then' in maybePromise) {
@@ -7029,8 +7368,12 @@ function prefetchSfapJwt() {
 function buildJwtAuthorizedSfapFetchServiceDescriptor(logger) {
     const jwtAuthorizedFetchService = buildServiceDescriptor$2({
         createContext: createInstrumentationIdContext(),
-        request: [buildThirdPartyTrackerRegisterInterceptor(), buildJwtRequestInterceptor(logger)],
-        retry: buildCsrfRetryInterceptor(),
+        request: [
+            buildThirdPartyTrackerRegisterInterceptor(),
+            buildJwtParameterizationInterceptor(sfapJwtManager, buildSfapJwtRequestModifier(logger)),
+            // Guarded so it is skipped once the parameterized interceptor handled the request.
+            buildGuardedLegacyJwtRequestInterceptor(logger),
+        ],
         finally: [buildThirdPartyTrackerFinishInterceptor()],
     });
     return {
@@ -7110,8 +7453,13 @@ function buildUnauthorizedFetchServiceDescriptor() {
         tags: { authenticationScopes: '' },
     };
 }
-function buildJwtRequestInterceptor(logger) {
-    const jwtRequestModifier = ({ baseUri }, [resource, request]) => {
+/**
+ * The `JwtRequestModifier` shared by both the legacy and parameterized SFAP
+ * interceptors: it rewrites the request URL's host/protocol to the minted
+ * `extraInfo.baseUri` (only for `api.salesforce.com` resources).
+ */
+function buildSfapJwtRequestModifier(logger) {
+    return ({ baseUri }, [resource, request]) => {
         if (typeof resource !== 'string' && !(resource instanceof URL)) {
             // istanbul ignore else: this will not be tested in NODE_ENV = production for test coverage
             if (process.env.NODE_ENV !== 'production') {
@@ -7129,8 +7477,22 @@ function buildJwtRequestInterceptor(logger) {
         url.protocol = overrideUrl.protocol;
         return [url, request];
     };
-    const jwtRequestHeaderInterceptor = buildJwtRequestHeaderInterceptor(sfapJwtManager, jwtRequestModifier);
-    return jwtRequestHeaderInterceptor;
+}
+function buildJwtRequestInterceptor(logger) {
+    return buildJwtRequestHeaderInterceptor(sfapJwtManager, buildSfapJwtRequestModifier(logger));
+}
+/**
+ * Wraps the legacy `buildJwtRequestHeaderInterceptor` with a pass-through guard:
+ * when the parameterized interceptor has already authorized the request (an
+ * `Authorization` header is present), this returns `args` untouched so the legacy
+ * interceptor does not mint a second time or attempt to set a duplicate
+ * Authorization header (which `setHeaderAuthorization` throws on). For every legacy
+ * (non-parameterized) request no Authorization header is present yet, so the legacy
+ * interceptor runs exactly as before — a strict pass-through.
+ */
+function buildGuardedLegacyJwtRequestInterceptor(logger) {
+    const legacyInterceptor = buildJwtRequestInterceptor(logger);
+    return (args) => hasAuthorizationHeader(args) ? resolvedPromiseLike$2(args) : legacyInterceptor(args);
 }
 
 const PDL_EXECUTE_ASYNC_OPTIONS = {
@@ -10580,4 +10942,4 @@ function ldsEngineCreator() {
 }
 
 export { LexRequestStrategy, PdlPrefetcherEventType, PdlRequestPriority, buildPredictorForContext, configService, ldsEngineCreator as default, initializeLDS, initializeOneStore, notifyUpdateAvailableFactory, registerRequestStrategy, saveRequestAsPrediction, subscribeToPrefetcherEvents, unregisterRequestStrategy, whenPredictionsReady };
-// version: 1.428.0-dev11-b4d8cf1aec
+// version: 1.428.0-dev12-1c6599e2b3

package/dist/types/fetch-service-descriptors/jwt-authorized-fetch-service.d.ts

@@ -1,5 +1,8 @@
+import { type JwtResolver } from '@conduit-client/jwt-manager';
 import { type FetchServiceDescriptor } from '@conduit-client/service-fetch-network/v1';
+import { type ExtraInfo } from '../network-sfap';
 import { type LoggerService } from '@conduit-client/utils';
+export declare function buildDispatchingSfapJwtResolver(legacyResolver: JwtResolver<ExtraInfo>, parameterizedResolver: JwtResolver<ExtraInfo>): JwtResolver<ExtraInfo>;
 export declare function prefetchSfapJwt(): Promise<undefined>;
 export declare function buildJwtAuthorizedSfapFetchServiceDescriptor(logger: LoggerService): FetchServiceDescriptor;
 /**

package/dist/types/network-sfap.d.ts

@@ -2,6 +2,7 @@ import type { FetchResponse, ResourceRequest, ResourceRequestContext } from '@lu
 import type { JwtResolver } from '@conduit-client/jwt-manager';
 export declare const SFAPController = "SalesforceApiPlatformController";
 export declare const SFAPJwtMethod = "getSFAPLightningJwtService";
+export declare const SFAPJwtPostMethod = "postSFAPLightningJwtService";
 export type ExtraInfo = {
     baseUri: string;
 };

package/dist/types/parameterized-sfap-jwt-aura-resolver.d.ts

@@ -0,0 +1,34 @@
+import type { JwtMintParams, JwtResolver } from '@conduit-client/jwt-manager';
+import { type ParameterizedSfapExtraInfo } from './sfap-jwt-mint-params';
+/**
+ * Parameterized SFAP JWT resolver that mints over **Aura transport** instead of a
+ * direct HTTP `fetch`.
+ *
+ * It dispatches the SFAP Lightning JWT Service's parameterized POST via its
+ * auto-generated Aura controller method
+ * `SalesforceApiPlatformController.postSFAPLightningJwtService` (generated by
+ * `@ConnectSignature(..., generateAuraMethod = true)` on the Connect resource).
+ * The mint inputs ride as the single `requestBody` named param, in the same
+ * `{ scopes, dynamicParameters: { items } }` shape the HTTP resolver POSTs — built
+ * by the shared {@link buildRequestBody}, so the two transports stay in lockstep.
+ *
+ * Why Aura (not the HTTP resolver): the mint endpoint is a same-origin core
+ * resource, and routing it over Aura keeps session/CSRF handling inside the Aura
+ * stack rather than issuing a credentialed cross-cutting `fetch` from the client.
+ * This mirrors the legacy parameterless `platformSfapJwtResolver` in
+ * `network-sfap.ts`, which already mints over Aura via the `getSFAPLightningJwtService`
+ * generated method — this is the parameterized sibling of that call.
+ *
+ * A `JwtResolver` is invoked directly by `JwtManager` (not through Luvio's
+ * `appRouter`/`ResourceRequest` pipeline), so the correct mechanism is a direct
+ * named-controller `dispatchAuraAction`, not the `auraNetworkAdapter`/connect-route
+ * table. The SFAP JWT endpoint is not registered as a connect-over-Aura route, and
+ * a resolver has no `ResourceRequest` for the router to look up.
+ */
+export declare class ParameterizedSfapJwtAuraResolver implements JwtResolver<ParameterizedSfapExtraInfo> {
+    getJwt(params?: JwtMintParams): Promise<{
+        jwt: string;
+        extraInfo: ParameterizedSfapExtraInfo;
+    }>;
+}
+export declare function buildParameterizedSfapJwtAuraResolver(): ParameterizedSfapJwtAuraResolver;

package/dist/types/request-interceptors/jwt-parameterization.d.ts

@@ -0,0 +1,50 @@
+import type { FetchParameters, RequestInterceptor } from '@conduit-client/service-fetch-network/v1';
+import { type JwtRequestModifier } from '@conduit-client/service-fetch-network/v1';
+import type { JwtManager } from '@conduit-client/jwt-manager';
+import type { ExtraInfo } from '../network-sfap';
+/**
+ * The context-seed key under which a custom command forwards its JWT mint
+ * parameters. The framework's `buildServiceDescriptor` merges the request init's
+ * `__contextSeed` onto the per-request interceptor context, so this interceptor
+ * reads the params off `context[JWT_MINT_PARAMS_SEED_KEY]`.
+ *
+ * This is a cross-team contract: the custom command writes this key, this
+ * interceptor reads it. It is intentionally an opaque key — OneStore does not
+ * define it and never inspects the param shape; the typed shape lives in the
+ * resolver.
+ */
+export declare const JWT_MINT_PARAMS_SEED_KEY = "jwtMintParams";
+/**
+ * Returns `true` if the fetch arguments already carry an `Authorization` header,
+ * across the three shapes the framework's `setHeader` handles: a `Request`
+ * resource's own headers, an `options.headers` `Headers` instance, or a plain
+ * record. The descriptor's guarded legacy interceptor uses this to skip when the
+ * parameterized interceptor has already authorized the request — avoiding a second
+ * mint and the throw `setHeaderAuthorization` raises on an existing header.
+ */
+export declare function hasAuthorizationHeader([resource, options]: FetchParameters): boolean;
+/**
+ * Builds the request interceptor that bridges the per-request context seed to the
+ * dispatching SFAP JwtManager for the **parameterized** mint path.
+ *
+ * For a parameterized SFAP command, the context carries `jwtMintParams`. This
+ * interceptor reads them, calls `jwtManager.getJwt(params)` (which the dispatching
+ * resolver routes to the parameterized resolver), attaches the `Authorization`
+ * header, and rewrites the request URL via the minted `baseUri`. The presence of
+ * that `Authorization` header is the signal the descriptor's guarded legacy
+ * interceptor uses to skip — so the legacy path does not mint a second time.
+ *
+ * For a legacy parameterless command the context carries no `jwtMintParams`, so
+ * this interceptor **early-returns on its first line** and the request flows
+ * unchanged to the legacy `buildJwtRequestHeaderInterceptor` — guaranteeing zero
+ * behavior change for non-opted-in adapters.
+ *
+ * Lives in `lds-lightning-platform` (not OneStore) beside the existing SFAP/CSRF
+ * interceptors, per the JWT-parameterization ADR §5: OneStore provides only the
+ * generic interceptor mechanism and the opaque context-seed channel; the service-
+ * specific bridge is a runtime-layer concern.
+ *
+ * @param jwtManager - the dispatching SFAP JwtManager
+ * @param jwtRequestModifier - applies the minted `extraInfo.baseUri` to the request URL
+ */
+export declare function buildJwtParameterizationInterceptor(jwtManager: JwtManager<unknown, ExtraInfo>, jwtRequestModifier?: JwtRequestModifier): RequestInterceptor;

package/dist/types/sfap-jwt-mint-params.d.ts

@@ -0,0 +1,69 @@
+import type { JwtMintParams } from '@conduit-client/jwt-manager';
+/**
+ * Typed shape of the params the SFAP Lightning JWT Service understands.
+ * Lives in the resolver layer because OneStore is param-shape-agnostic; it
+ * sees only an opaque `JwtMintParams` bag and stable-JSON-stringifies it for
+ * cache keying.
+ */
+export type SfapJwtMintParams = {
+    scopes?: string[];
+    dynamicParams?: Record<string, string>;
+};
+/**
+ * The `extraInfo` the SFAP JWT resolver returns alongside the minted token: the
+ * per-tenant base URI the downstream SFAP API request is rewritten to.
+ */
+export type ParameterizedSfapExtraInfo = {
+    baseUri: string;
+};
+type DynamicParameterItem = {
+    name: string;
+    value: string;
+};
+/**
+ * The SFAP Lightning JWT Service mint request body. Sent as the `requestBody`
+ * named param of the `postSFAPLightningJwtService` Aura controller method.
+ * Matches the server's `SFAPLightningJwtServiceInputRepresentation`: `scopes` is
+ * a single space-delimited string; `dynamicParameters` is `{ items: [{ name, value }] }`.
+ */
+export type SfapJwtRequestBody = {
+    scopes?: string;
+    dynamicParameters?: {
+        items: DynamicParameterItem[];
+    };
+};
+/**
+ * Normalize SFAP-shaped params into the opaque `JwtMintParams` bag that callers
+ * hand to `JwtManager.getJwt(params)`. Scopes are sorted because they are
+ * semantically a set — without this, `['a', 'b']` and `['b', 'a']` would cache
+ * as separate entries (OneStore treats arrays as ordered under stable-JSON
+ * serialization; see ADR "JWT Parameterization" §2).
+ *
+ * MANDATORY CONSUMER ENTRY POINT. Every consumer that mints a parameterized
+ * SFAP JWT MUST assemble its params through this function before calling the
+ * manager. The cache key is derived by `JwtManager` from the caller's params
+ * (`cacheKeyFor(params)`) *before* the resolver runs — so the resolver cannot
+ * normalize after the fact. Set-stable caching therefore depends on the caller
+ * routing params through here. Do NOT sort inside the resolver: that would only
+ * reorder the wire body, not the cache key, and mutating the caller's params
+ * mid-call would desync the in-flight-dedup key from the stored-token key.
+ */
+export declare function buildSfapJwtMintParams(params: SfapJwtMintParams): JwtMintParams;
+export type SfapParamsResult = {
+    params: SfapJwtMintParams;
+} | {
+    error: string;
+};
+/**
+ * Validate and narrow an opaque `JwtMintParams` bag to the SFAP-shaped subset the
+ * resolver forwards. Returns `{ error }` (surfaced as a resolver rejection) for a
+ * malformed bag rather than throwing.
+ */
+export declare function coerceToSfapParams(params: JwtMintParams): SfapParamsResult;
+/**
+ * Build the SFAP mint request body from the coerced params: `scopes` joined into a
+ * single space-delimited string, `dynamicParams` mapped to `dynamicParameters.items`.
+ * Empty scopes / dynamic params are omitted.
+ */
+export declare function buildRequestBody(params: SfapJwtMintParams): SfapJwtRequestBody;
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@salesforce/lds-runtime-aura",
-    "version": "1.428.0-dev11",
+    "version": "1.428.0-dev12",
     "license": "SEE LICENSE IN LICENSE.txt",
     "description": "LDS engine for Aura runtime",
     "main": "dist/ldsEngineCreator.js",
@@ -34,59 +34,60 @@
         "release:corejar": "yarn build && ../core-build/scripts/core.js --name=lds-runtime-aura"
     },
     "devDependencies": {
-        "@conduit-client/service-provisioner": "3.18.1-dev2",
-        "@conduit-client/tools-core": "3.18.1-dev2",
-        "@salesforce/lds-adapters-apex": "^1.428.0-dev11",
-        "@salesforce/lds-adapters-uiapi": "^1.428.0-dev11",
-        "@salesforce/lds-ads-bridge": "^1.428.0-dev11",
-        "@salesforce/lds-aura-storage": "^1.428.0-dev11",
-        "@salesforce/lds-bindings": "^1.428.0-dev11",
-        "@salesforce/lds-instrumentation": "^1.428.0-dev11",
-        "@salesforce/lds-network-aura": "^1.428.0-dev11",
-        "@salesforce/lds-network-fetch": "^1.428.0-dev11",
+        "@conduit-client/service-provisioner": "3.19.0-dev3",
+        "@conduit-client/tools-core": "3.19.0-dev3",
+        "@salesforce/lds-adapters-apex": "^1.428.0-dev12",
+        "@salesforce/lds-adapters-uiapi": "^1.428.0-dev12",
+        "@salesforce/lds-ads-bridge": "^1.428.0-dev12",
+        "@salesforce/lds-aura-storage": "^1.428.0-dev12",
+        "@salesforce/lds-bindings": "^1.428.0-dev12",
+        "@salesforce/lds-instrumentation": "^1.428.0-dev12",
+        "@salesforce/lds-network-aura": "^1.428.0-dev12",
+        "@salesforce/lds-network-fetch": "^1.428.0-dev12",
         "jwt-encode": "1.0.1"
     },
     "dependencies": {
-        "@conduit-client/command-aura-graphql-normalized-cache-control": "3.18.1-dev2",
-        "@conduit-client/command-aura-network": "3.18.1-dev2",
-        "@conduit-client/command-aura-normalized-cache-control": "3.18.1-dev2",
-        "@conduit-client/command-aura-resource-cache-control": "3.18.1-dev2",
-        "@conduit-client/command-fetch-network": "3.18.1-dev2",
-        "@conduit-client/command-http-graphql-normalized-cache-control": "3.18.1-dev2",
-        "@conduit-client/command-http-normalized-cache-control": "3.18.1-dev2",
-        "@conduit-client/command-ndjson": "3.18.1-dev2",
-        "@conduit-client/command-network": "3.18.1-dev2",
-        "@conduit-client/command-sse": "3.18.1-dev2",
-        "@conduit-client/command-streaming": "3.18.1-dev2",
-        "@conduit-client/service-aura-network": "3.18.1-dev2",
-        "@conduit-client/service-bindings-imperative": "3.18.1-dev2",
-        "@conduit-client/service-bindings-lwc": "3.18.1-dev2",
-        "@conduit-client/service-cache": "3.18.1-dev2",
-        "@conduit-client/service-cache-control": "3.18.1-dev2",
-        "@conduit-client/service-cache-inclusion-policy": "3.18.1-dev2",
-        "@conduit-client/service-config": "3.18.1-dev2",
-        "@conduit-client/service-feature-flags": "3.18.1-dev2",
-        "@conduit-client/service-fetch-network": "3.18.1-dev2",
-        "@conduit-client/service-instrument-command": "3.18.1-dev2",
-        "@conduit-client/service-pubsub": "3.18.1-dev2",
-        "@conduit-client/service-store": "3.18.1-dev2",
-        "@conduit-client/utils": "3.18.1-dev2",
+        "@conduit-client/command-aura-graphql-normalized-cache-control": "3.19.0-dev3",
+        "@conduit-client/command-aura-network": "3.19.0-dev3",
+        "@conduit-client/command-aura-normalized-cache-control": "3.19.0-dev3",
+        "@conduit-client/command-aura-resource-cache-control": "3.19.0-dev3",
+        "@conduit-client/command-fetch-network": "3.19.0-dev3",
+        "@conduit-client/command-http-graphql-normalized-cache-control": "3.19.0-dev3",
+        "@conduit-client/command-http-normalized-cache-control": "3.19.0-dev3",
+        "@conduit-client/command-ndjson": "3.19.0-dev3",
+        "@conduit-client/command-network": "3.19.0-dev3",
+        "@conduit-client/command-sse": "3.19.0-dev3",
+        "@conduit-client/command-streaming": "3.19.0-dev3",
+        "@conduit-client/jwt-manager": "3.19.0-dev3",
+        "@conduit-client/service-aura-network": "3.19.0-dev3",
+        "@conduit-client/service-bindings-imperative": "3.19.0-dev3",
+        "@conduit-client/service-bindings-lwc": "3.19.0-dev3",
+        "@conduit-client/service-cache": "3.19.0-dev3",
+        "@conduit-client/service-cache-control": "3.19.0-dev3",
+        "@conduit-client/service-cache-inclusion-policy": "3.19.0-dev3",
+        "@conduit-client/service-config": "3.19.0-dev3",
+        "@conduit-client/service-feature-flags": "3.19.0-dev3",
+        "@conduit-client/service-fetch-network": "3.19.0-dev3",
+        "@conduit-client/service-instrument-command": "3.19.0-dev3",
+        "@conduit-client/service-pubsub": "3.19.0-dev3",
+        "@conduit-client/service-store": "3.19.0-dev3",
+        "@conduit-client/utils": "3.19.0-dev3",
         "@luvio/network-adapter-composable": "0.160.3",
         "@luvio/network-adapter-fetch": "0.160.3",
         "@lwc/state": "^0.29.0",
-        "@salesforce/lds-adapters-onestore-graphql": "^1.428.0-dev11",
+        "@salesforce/lds-adapters-onestore-graphql": "^1.428.0-dev12",
         "@salesforce/lds-adapters-uiapi-lex": "^1.415.0",
-        "@salesforce/lds-durable-storage": "^1.428.0-dev11",
-        "@salesforce/lds-luvio-service": "^1.428.0-dev11",
-        "@salesforce/lds-luvio-uiapi-records-service": "^1.428.0-dev11"
+        "@salesforce/lds-durable-storage": "^1.428.0-dev12",
+        "@salesforce/lds-luvio-service": "^1.428.0-dev12",
+        "@salesforce/lds-luvio-uiapi-records-service": "^1.428.0-dev12"
     },
     "luvioBundlesize": [
         {
             "path": "./dist/ldsEngineCreator.js",
             "maxSize": {
-                "none": "370 kB",
+                "none": "410 kB",
                 "min": "190 kB",
-                "compressed": "61.9 kB"
+                "compressed": "71 kB"
             }
         }
     ],