npm - @salesforce/lds-runtime-aura - Versions diffs - 1.441.0 → 1.443.0 - Mend

@salesforce/lds-runtime-aura 1.441.0 → 1.443.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/ldsEngineCreator.js CHANGED Viewed

@@ -22,7 +22,7 @@ import { instrument, getRecordAvatarsAdapterFactory, getRecordAdapterFactory, co
 import { getInstrumentation } from 'o11y/client';
 import { findExecutableOperation, buildGraphQLInputExtension, addTypenameToDocument } from 'force/luvioGraphqlNormalization';
 import { print, resolveAndValidateGraphQLConfig, toGraphQLErrorResponse } from 'force/luvioOnestoreGraphqlParser';
-import { setServices } from 'force/luvioServiceProvisioner1';
+import getServices, { setServices } from 'force/luvioServiceProvisioner1';
 import { assertIsValid, JsonSchemaViolationError, MissingRequiredPropertyError } from 'force/luvioJsonschemaValidate5';
 import { dispatchGlobalEvent, executeGlobalControllerRawResponse } from 'aura';
 import auraNetworkAdapter, { dispatchAuraAction, defaultActionConfig, instrument as instrument$1, forceRecordTransactionsDisabled as forceRecordTransactionsDisabled$1, ldsNetworkAdapterInstrument, CrudEventState, CrudEventType, UIAPI_RECORDS_PATH, UIAPI_RELATED_LIST_RECORDS_BATCH_PATH, UIAPI_RELATED_LIST_RECORDS_PATH } from 'force/ldsNetwork';
@@ -36,7 +36,6 @@ import { instrument as instrument$5 } from '@lwc/state';
 import { withRegistration, register, setDefaultLuvio } from 'force/ldsEngine';
 import applyPredictionRequestLimit from '@salesforce/gate/lds.pdl.applyRequestLimit';
 import { pageScopedCache } from 'instrumentation/utility';
-import { createStorage, clearStorages } from 'force/ldsDurableStorage';
 import lightningConnectEnabled from '@salesforce/gate/ui.services.LightningConnect.enabled';
 import bypassAppRestrictionEnabled from '@salesforce/gate/ui.services.LightningConnect.BypassAppRestriction.enabled';
 import csrfValidationEnabled from '@salesforce/gate/ui.services.LightningConnect.CsrfValidation.enabled';
@@ -47,6 +46,7 @@ import useHttpUiapiOneRuntimePublic from '@salesforce/gate/lds.useHttpUiapiOneRu
 import useHttpUiapiOneRuntimePrivate from '@salesforce/gate/lds.useHttpUiapiOneRuntimePrivate';
 import disableCreateContentDocumentAndVersionHTTPLexRuntime from '@salesforce/gate/lds.lex.http.disableCreateContentDocumentAndVersion';
 import useHotspotLimit from '@salesforce/gate/lds.pdl.useHotspotLimit';
+import { createStorage, clearStorages } from 'force/ldsDurableStorage';
 import { registerSubRequestNetworkAdapter } from 'force/ldsNetwork';
 const { create: create$1, freeze, keys: keys$2, entries: entries$1 } = Object;
@@ -2644,7 +2644,7 @@ function buildServiceDescriptor$d(luvio) {
         },
     };
 }
-// version: 1.441.0-5e7d04c146
+// version: 1.443.0-be70f6bb6e
 class AuraGraphQLNormalizedCacheControlCommand extends AuraNormalizedCacheControlCommand {
   constructor(config, documentRootType, services) {
@@ -2982,7 +2982,7 @@ function buildServiceDescriptor$9(notifyRecordUpdateAvailable, getNormalizedLuvi
         },
     };
 }
-// version: 1.441.0-5e7d04c146
+// version: 1.443.0-be70f6bb6e
 class RetryService {
   constructor(defaultRetryPolicy) {
@@ -3134,6 +3134,50 @@ function buildServiceDescriptor$8(defaultRetryPolicy) {
   };
 }
+class BasicRenewableResourceManager {
+  constructor(config) {
+    this.config = config;
+  }
+  get() {
+    return this.config.storage.get().then((cached) => cached !== void 0 ? cached : this.fetchAndStore());
+  }
+  refresh(staleValue) {
+    if (staleValue === void 0) {
+      return this.fetchAndStore();
+    }
+    return this.config.storage.get().then(
+      (current) => current !== void 0 && current !== staleValue ? current : this.fetchAndStore()
+    );
+  }
+  clear() {
+    return this.config.storage.clear();
+  }
+  /**
+   * Single in-flight fetch shared by all concurrent `get`/`refresh` callers.
+   * Overwrites storage on a successful fetch of a defined value only; a
+   * rejected fetch or a resolved-`undefined` leaves the cached value intact.
+   */
+  fetchAndStore() {
+    if (this.inFlightFetch) return this.inFlightFetch;
+    const pending = this.config.fetch().then(
+      (fetched) => fetched === void 0 ? fetched : this.config.storage.set(fetched).then(() => fetched)
+    );
+    this.inFlightFetch = pending;
+    const releaseSlot = () => {
+      if (this.inFlightFetch === pending) this.inFlightFetch = void 0;
+    };
+    pending.then(releaseSlot, releaseSlot);
+    return pending;
+  }
+}
+function buildRenewableResourceManagerDescriptor(type, service) {
+  return {
+    version: "1.0",
+    service,
+    type
+  };
+}
 function isUserVisibleError(error) {
   return error instanceof Error && "type" in error && error.type === "user-visible";
 }
@@ -3990,13 +4034,13 @@ function buildLWCGraphQLWireBindingsServiceDescriptor() {
     };
 }
-function e$1(e2) {
+function e(e2) {
   this.message = e2;
 }
-e$1.prototype = new Error(), e$1.prototype.name = "InvalidCharacterError";
+e.prototype = new Error(), e.prototype.name = "InvalidCharacterError";
 var r = "undefined" != typeof window && window.atob && window.atob.bind(window) || function(r2) {
   var t2 = String(r2).replace(/=+$/, "");
-  if (t2.length % 4 == 1) throw new e$1("'atob' failed: The string to be decoded is not correctly encoded.");
+  if (t2.length % 4 == 1) throw new e("'atob' failed: The string to be decoded is not correctly encoded.");
   for (var n2, o2, a = 0, i = 0, c = ""; o2 = t2.charAt(i++); ~o2 && (n2 = a % 4 ? 64 * n2 + o2 : o2, a++ % 4) ? c += String.fromCharCode(255 & n2 >> (-2 * a & 6)) : 0) o2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".indexOf(o2);
   return c;
 };
@@ -4025,19 +4069,19 @@ function t(e2) {
     return r(t2);
   }
 }
-function n$1(e2) {
+function n(e2) {
   this.message = e2;
 }
 function o(e2, r2) {
-  if ("string" != typeof e2) throw new n$1("Invalid token specified");
+  if ("string" != typeof e2) throw new n("Invalid token specified");
   var o2 = true === (r2 = r2 || {}).header ? 0 : 1;
   try {
     return JSON.parse(t(e2.split(".")[o2]));
   } catch (e3) {
-    throw new n$1("Invalid token specified: " + e3.message);
+    throw new n("Invalid token specified: " + e3.message);
   }
 }
-n$1.prototype = new Error(), n$1.prototype.name = "InvalidTokenError";
+n.prototype = new Error(), n.prototype.name = "InvalidTokenError";
 class JwtToken {
   /**
    * Create a new JwtToken.
@@ -4864,8 +4908,6 @@ function generateRequestId$1() {
     }
 }
-function e(e){this.message=e;}e.prototype=new Error,e.prototype.name="InvalidCharacterError";"undefined"!=typeof window&&window.atob&&window.atob.bind(window)||function(r){var t=String(r).replace(/=+$/,"");if(t.length%4==1)throw new e("'atob' failed: The string to be decoded is not correctly encoded.");for(var n,o,a=0,i=0,c="";o=t.charAt(i++);~o&&(n=a%4?64*n+o:o,a++%4)?c+=String.fromCharCode(255&n>>(-2*a&6)):0)o="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".indexOf(o);return c};function n(e){this.message=e;}n.prototype=new Error,n.prototype.name="InvalidTokenError";
 /**
  * Observability / Critical Availability Program (230+)
  *
@@ -5675,9 +5717,28 @@ function getEnvironmentSetting(name) {
     }
     return undefined;
 }
-// version: 1.441.0-0055bd971e
+// version: 1.443.0-3de9a44799
+/**
+ * Helpers for reaching the Aura framework from the LDS Aura runtime.
+ *
+ * `window.$A` is only present when the runtime is hosted inside LEX; in tests
+ * and non-Aura runtimes it is absent. Centralizing the guarded access keeps the
+ * `$A` lookup in one place instead of duplicating the `environmentHasAura`
+ * check across modules.
+ */
+/**
+ * Returns `$A.clientService` when running inside an Aura environment, or
+ * `undefined` otherwise. Defensive: never throws.
+ */
+function getAuraClientService() {
+    if (typeof window === 'undefined' || typeof window.$A === 'undefined') {
+        return undefined;
+    }
+    return window.$A.clientService;
+}
-const environmentHasAura = typeof window !== 'undefined' && typeof window.$A !== 'undefined';
+const auraClientService = getAuraClientService();
 const defaultConfig = {
     maxAllowedParallelXHRCounts: 9,
     forceRecordTransactionsDisabled: false,
@@ -5688,10 +5749,11 @@ const configServiceDescriptor = buildServiceDescriptor$1({
     default: defaultConfig,
 });
 const configService = configServiceDescriptor.service;
-if (environmentHasAura) {
+if (auraClientService?.maxAllowedParallelXHRCounts) {
     configService.set('lex', (config) => {
         config.maxAllowedParallelXHRCounts =
-            window['$A'].clientService.maxAllowedParallelXHRCounts();
+            auraClientService.maxAllowedParallelXHRCounts?.() ??
+                defaultConfig.maxAllowedParallelXHRCounts;
         config.forceRecordTransactionsDisabled = getEnvironmentSetting(EnvironmentSettings.ForceRecordTransactionsDisabled);
     });
 }
@@ -6121,146 +6183,91 @@ function buildLexRuntimeLuvio5xxStatusResponseInterceptor() {
     };
 }
-const CSRF_TOKEN_KEY = 'salesforce_csrf_token';
-const CSRF_STORAGE_NAME = 'ldsCSRFToken';
-const BASE_URI = '/services/data/v68.0';
-const UI_API_BASE_URI = `${BASE_URI}/ui-api`;
-const CSRF_TOKEN_ENDPOINT = `${UI_API_BASE_URI}/session/csrf`;
-const CSRF_STORAGE_CONFIG = {
-    name: CSRF_STORAGE_NAME,
-    persistent: true,
-    secure: true,
-    maxSize: 1024,
-    expiration: 24 * 60 * 60,
-    clearOnInit: false,
-    debugLogging: false,
-};
 /**
- * Manages CSRF token fetching and caching for secure requests.
- * Implements a singleton pattern to ensure consistent token management across the application.
+ * Normalizes Connect REST error envelopes into the Aura Shape A
+ * (ConnectInJava) shape, so consumers can read `response.body.errorCode`
+ * regardless of transport.
+ *
+ * - HTTP error envelope (this path): `[{ errorCode, message }, ...]`
+ * - Aura Shape A: `{ errorCode, message, statusCode, ... }`
+ *
+ * The full array is preserved at `body.enhancedErrorInfo.allErrors` since
+ * Connect can return multiple errors per response.
+ *
+ * Aura Shape B (`{ error: "..." }`) is an Aura-only fallback that never
+ * appears on the HTTP path, so no normalization is needed for it here.
+ *
+ * Ordering: must run AFTER any other interceptor that inspects the raw
+ * error body shape (e.g. the 5xx interceptor's ErrorId extraction reads
+ * `body[0].message` from the array form).
  */
-class CsrfTokenManager {
-    constructor() {
-        this.tokenPromise = null;
-        this.refreshInFlight = null;
-        // Initialize AuraStorage
-        this.storage = createStorage(CSRF_STORAGE_CONFIG);
-    }
-    static getInstance() {
-        if (!CsrfTokenManager.instance) {
-            CsrfTokenManager.instance = new CsrfTokenManager();
-        }
-        return CsrfTokenManager.instance;
-    }
-    /**
-     * Obtain a CSRF token, either from AuraStorage or by fetching a fresh one.
-     *
-     * @private
-     */
-    async loadOrFetchToken() {
-        // First try to get token from AuraStorage
-        if (this.storage) {
-            try {
-                const cachedToken = await this.storage.get(CSRF_TOKEN_KEY);
-                if (typeof cachedToken === 'string' && cachedToken) {
-                    return cachedToken;
-                }
-            }
-            catch {
-                // If storage read fails, continue to fetch
-            }
-        }
-        // No cached token, fetch from server
-        return this.fetchFreshToken();
-    }
-    /**
-     * Call API endpoint to acquire a CSRF token and cache it.
-     *
-     * @private
-     */
-    async fetchFreshToken() {
-        try {
-            const response = await fetch(CSRF_TOKEN_ENDPOINT, {
-                method: 'GET',
-                credentials: 'same-origin',
-            });
-            if (!response.ok) {
-                return undefined;
-            }
-            const data = await response.json();
-            const token = data.csrfToken;
-            if (token && this.storage) {
-                // Cache the token in AuraStorage
-                try {
-                    await this.storage.set(CSRF_TOKEN_KEY, token);
-                }
-                catch {
-                    // Non-fatal: token is still available even if caching fails
-                }
-            }
-            return token;
-        }
-        catch {
-            return undefined;
-        }
-    }
-    /**
-     * Returns the current token value as a Promise.
-     * Lazy-loads the token on first call (from cache or by fetching).
-     */
-    async getToken() {
-        // Lazy initialization: only fetch token when actually needed
-        if (!this.tokenPromise) {
-            this.tokenPromise = this.loadOrFetchToken();
-        }
-        return this.tokenPromise;
-    }
-    /**
-     * Obtains and returns a new token value as a promise.
-     * This will clear the cached token and fetch a fresh one.
-     *
-     * Concurrent calls coalesce onto a single in-flight refresh — important when
-     * multiple requests fail with INVALID_ACCESS_TOKEN simultaneously and each
-     * retry policy independently calls refreshToken(). Without this, every caller
-     * triggers its own /session/csrf round-trip.
-     */
-    refreshToken() {
-        if (this.refreshInFlight) {
-            return this.refreshInFlight;
+function buildLuvioErrorBodyNormalizationInterceptor() {
+    return async (response) => {
+        if (!response.ok && Array.isArray(response.body)) {
+            const allErrors = response.body;
+            response.body = {
+                ...allErrors[0],
+                statusCode: response.status,
+                enhancedErrorInfo: {
+                    allErrors,
+                },
+            };
         }
-        const refresh = (async () => {
-            if (this.storage) {
-                try {
-                    await this.storage.remove(CSRF_TOKEN_KEY);
-                }
-                catch {
-                    // Non-fatal: continue with refresh even if clear fails
-                }
-            }
-            return this.fetchFreshToken();
-        })();
-        this.refreshInFlight = refresh;
-        this.tokenPromise = refresh;
-        // Clear the in-flight reference once settled (success or failure) so
-        // subsequent token expirations can trigger a fresh refresh.
-        refresh.finally(() => {
-            if (this.refreshInFlight === refresh) {
-                this.refreshInFlight = null;
-            }
+        return response;
+    };
+}
+/**
+ * Service name the CSRF token manager is registered under by
+ * `initializeOneStore` (see `buildRenewableResourceManagerDescriptor`).
+ */
+const CSRF_TOKEN_MANAGER_SERVICE = 'csrfTokenManager';
+const CSRF_TOKEN_MANAGER_REQUEST = {
+    [CSRF_TOKEN_MANAGER_SERVICE]: {
+        type: CSRF_TOKEN_MANAGER_SERVICE,
+        version: '1.0',
+    },
+};
+let cached;
+/**
+ * Resolves the CSRF token manager from the service provisioner.
+ *
+ * The manager is registered during `initializeOneStore`, which runs before any
+ * request flows; the interceptors and retry policies that call this resolve
+ * lazily (per request / per retry), so the service is always available by then.
+ *
+ * The resolved promise is memoized so resolution happens once rather than per
+ * request. A rejection is NOT memoized — `getServices` rejects when the service
+ * is unavailable, and caching that would permanently wedge CSRF handling — so a
+ * later call retries the resolution.
+ */
+function getCsrfTokenManager() {
+    if (!cached) {
+        cached = Promise.resolve(getServices(CSRF_TOKEN_MANAGER_REQUEST))
+            .then((services) => services[CSRF_TOKEN_MANAGER_SERVICE])
+            .catch((error) => {
+            cached = undefined;
+            throw error;
         });
-        return refresh;
-    }
-    /**
-     * Reset the singleton instance (useful for testing).
-     * @internal
-     */
-    static resetInstance() {
-        CsrfTokenManager.instance = null;
     }
+    return cached;
 }
-CsrfTokenManager.instance = null;
 const CSRF_TOKEN_HEADER = 'X-CSRF-Token';
+/**
+ * Resolves the CSRF token manager and returns the current token. Returns
+ * `undefined` if the manager cannot be resolved (service not yet provisioned)
+ * or has no token, so a request is never blocked by token resolution.
+ */
+async function getCsrfToken() {
+    try {
+        const manager = await getCsrfTokenManager();
+        return await manager.get();
+    }
+    catch {
+        return undefined;
+    }
+}
 /**
  * Checks if all required gates are enabled for CSRF token interceptor.
  *
@@ -6303,7 +6310,6 @@ function isCsrfMethod(method) {
  * @returns A RequestInterceptor function for FetchParameters
  */
 function buildCsrfTokenInterceptor() {
-    const csrfTokenManager = CsrfTokenManager.getInstance();
     return async (fetchArgs) => {
         // Check if all required gates are enabled before running
         if (!areCsrfGatesEnabled()) {
@@ -6320,7 +6326,7 @@ function buildCsrfTokenInterceptor() {
         }
         // Only add CSRF token for mutating operations
         if (isCsrfMethod(method)) {
-            const token = await csrfTokenManager.getToken();
+            const token = await getCsrfToken();
             if (token) {
                 // eslint-disable-next-line no-param-reassign
                 fetchArgs = setHeader(CSRF_TOKEN_HEADER, token, fetchArgs);
@@ -6337,7 +6343,6 @@ function buildCsrfTokenInterceptor() {
  * @returns A request interceptor function for Luvio ResourceRequest objects
  */
 function buildLuvioCsrfTokenInterceptor() {
-    const csrfTokenManager = CsrfTokenManager.getInstance();
     return async (resourceRequest) => {
         // Check if all required gates are enabled before running
         if (!areCsrfGatesEnabled()) {
@@ -6351,7 +6356,7 @@ function buildLuvioCsrfTokenInterceptor() {
         if (isCsrfMethod(resourceRequest.method)) {
             // Don't overwrite existing CSRF token header if it already exists
             if (!resourceRequest.headers[CSRF_TOKEN_HEADER]) {
-                const token = await csrfTokenManager.getToken();
+                const token = await getCsrfToken();
                 if (token) {
                     resourceRequest.headers[CSRF_TOKEN_HEADER] = token;
                 }
@@ -6391,6 +6396,39 @@ function buildLuvioEntityEncodingInterceptor() {
     };
 }
+const FIRST_PARTY_HEADER = 'X-Salesforce-First-Party';
+const FIRST_PARTY_VALUE = 'platform-ui';
+/**
+ * Builds a request interceptor that adds the LDS first party header to every
+ * outbound request.
+ *
+ * @returns A RequestInterceptor function for FetchParameters
+ */
+function buildFirstPartyHeaderInterceptor() {
+    return async (fetchArgs) => {
+        const returnedFetchArgs = setHeader(FIRST_PARTY_HEADER, FIRST_PARTY_VALUE, fetchArgs);
+        return resolvedPromiseLike$2(returnedFetchArgs);
+    };
+}
+/**
+ * Builds a Luvio request interceptor that adds the LDS first party header to
+ * every outbound `ResourceRequest`. See {@link buildFirstPartyHeaderInterceptor} for
+ * the header semantics.
+ *
+ * @returns A request interceptor for Luvio ResourceRequest objects
+ */
+function buildLuvioFirstPartyHeaderInterceptor() {
+    return async (resourceRequest) => {
+        if (!resourceRequest.headers) {
+            resourceRequest.headers = {};
+        }
+        if (!resourceRequest.headers[FIRST_PARTY_HEADER]) {
+            resourceRequest.headers[FIRST_PARTY_HEADER] = FIRST_PARTY_VALUE;
+        }
+        return resolvedPromiseLike$2(resourceRequest);
+    };
+}
 function createInstrumentationIdContext() {
     return () => ({
         instrumentationId: generateRequestId(),
@@ -6620,7 +6658,6 @@ class LuvioCsrfTokenRetryPolicy extends RetryPolicy {
     constructor(config = DEFAULT_CONFIG$3) {
         super();
         this.config = config;
-        this.csrfTokenManager = CsrfTokenManager.getInstance();
     }
     setRequestContext(context) {
         this.requestContext = context;
@@ -6642,11 +6679,20 @@ class LuvioCsrfTokenRetryPolicy extends RetryPolicy {
         if (!this.requestContext) {
             return;
         }
-        const newToken = await this.csrfTokenManager.refreshToken();
+        let newToken;
+        try {
+            const manager = await getCsrfTokenManager();
+            newToken = await manager.refresh();
+        }
+        catch {
+            // Manager unavailable — drop the stale token below so the request
+            // interceptor refetches on the retry.
+            newToken = undefined;
+        }
         const req = this.requestContext.request;
         const { [CSRF_TOKEN_HEADER]: _stale, ...remainingHeaders } = req.headers ?? {};
         // If refresh failed, drop the stale token entirely so the request interceptor
-        // will fetch a fresh one via getToken() on the retry.
+        // will fetch a fresh one via get() on the retry.
         const headers = newToken
             ? { ...remainingHeaders, [CSRF_TOKEN_HEADER]: newToken }
             : remainingHeaders;
@@ -7151,12 +7197,14 @@ const composedFetchNetworkAdapter = {
             buildLuvioTransportMarksSendInterceptor(),
             buildLuvioPageScopedCacheRequestInterceptor(),
             buildLuvioCsrfTokenInterceptor(),
+            buildLuvioFirstPartyHeaderInterceptor(),
             buildLuvioEntityEncodingInterceptor(),
         ],
         retry: buildLuvioFetchRetryInterceptor(),
         response: [
             buildLexRuntimeLuvio5xxStatusResponseInterceptor(),
             buildLexRuntimeLuvioAuthExpirationRedirectResponseInterceptor(),
+            buildLuvioErrorBodyNormalizationInterceptor(),
             buildLuvioTransportMarksReceiveInterceptor(),
             buildLuvioActionMarksReceiveInterceptor(),
         ],
@@ -7201,7 +7249,6 @@ class CsrfTokenRetryPolicy extends RetryPolicy {
     constructor(config = DEFAULT_CONFIG$1) {
         super();
         this.config = config;
-        this.csrfTokenManager = CsrfTokenManager.getInstance();
     }
     /**
      * Allows the fetch service to pass mutable request context.
@@ -7253,7 +7300,15 @@ class CsrfTokenRetryPolicy extends RetryPolicy {
      */
     async prepareRetry(_result, _context) {
         // Refresh the CSRF token (we already know this is a CSRF error from shouldRetry)
-        const newToken = await this.csrfTokenManager.refreshToken();
+        let newToken;
+        try {
+            const manager = await getCsrfTokenManager();
+            newToken = await manager.refresh();
+        }
+        catch {
+            // Manager unavailable — the retry will fail again, which is expected.
+            newToken = undefined;
+        }
         if (!newToken || !this.requestContext) {
             // If we can't get a new token or don't have request context,
             // the retry will fail again but that's expected
@@ -10086,6 +10141,7 @@ function getLexRuntimeDefaultInterceptorConfig(logger) {
             buildTransportMarksSendInterceptor(),
             buildCsrfTokenInterceptor(),
             buildEntityEncodingInterceptor(),
+            buildFirstPartyHeaderInterceptor(),
         ],
         retry: buildCsrfRetryInterceptor(),
         response: [
@@ -10197,6 +10253,149 @@ class FetchThrottlingRetryPolicy extends RetryPolicy {
     }
 }
+const CSRF_TOKEN_KEY = 'salesforce_csrf_token';
+const CSRF_STORAGE_NAME = 'ldsCSRFToken';
+const BASE_URI = '/services/data/v68.0';
+const UI_API_BASE_URI = `${BASE_URI}/ui-api`;
+const CSRF_TOKEN_ENDPOINT = `${UI_API_BASE_URI}/session/csrf`;
+const CSRF_STORAGE_CONFIG = {
+    name: CSRF_STORAGE_NAME,
+    persistent: true,
+    secure: true,
+    maxSize: 1024,
+    expiration: 24 * 60 * 60,
+    clearOnInit: false,
+    debugLogging: false,
+};
+/**
+ * Reads the CSRF token Aura preloads onto the bootstrap payload. When the
+ * Connect Framework CSRF token is minted at template-render time it is exposed
+ * via `$A.clientService.getConnectCsrfToken()`. Reading it here lets the first
+ * state-changing request skip the cold `/ui-api/session/csrf` round trip.
+ *
+ * Defensive against a missing getter or server killswitch: returns `undefined`,
+ * never throws.
+ */
+function readPreloadedToken() {
+    const clientService = getAuraClientService();
+    if (typeof clientService?.getConnectCsrfToken !== 'function') {
+        return undefined;
+    }
+    try {
+        const token = clientService.getConnectCsrfToken();
+        return typeof token === 'string' && token ? token : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Fetches a fresh CSRF token from the server. Resolves `undefined` (not a
+ * rejection) on any non-ok response, missing token, or network/parse error so
+ * the manager treats it as "no value" and leaves any cached token intact. The
+ * CSRF retry policy — not this fetch — owns retry semantics.
+ */
+async function fetchFreshToken() {
+    try {
+        const response = await fetch(CSRF_TOKEN_ENDPOINT, {
+            method: 'GET',
+            credentials: 'same-origin',
+        });
+        if (!response.ok) {
+            return undefined;
+        }
+        const data = await response.json();
+        const token = data.csrfToken;
+        return typeof token === 'string' && token ? token : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Adapts the durable AuraStorage backing store to the {@link ResourceStorage}
+ * contract the renewable-resource manager expects.
+ *
+ * The Aura-preloaded token is written into the store **once at creation** (only
+ * when the store is otherwise empty), so the first `get()` finds it and the
+ * first mutation skips the network. Seeding the store — rather than having
+ * `get()` fall back to the preload on every empty read — means a later
+ * `clear()` (logout / org switch) is not silently resurrected by the preload.
+ *
+ * Every operation awaits the one-time seed so reads and writes observe a
+ * consistent store. Storage read/write failures are non-fatal.
+ */
+function buildCsrfResourceStorage() {
+    const storage = createStorage(CSRF_STORAGE_CONFIG);
+    // Pre-seed the preloaded token into the store, once, if the store is empty.
+    const seeded = (async () => {
+        const preloadedToken = readPreloadedToken();
+        if (!storage || !preloadedToken) {
+            return;
+        }
+        try {
+            const existing = await storage.get(CSRF_TOKEN_KEY);
+            if (typeof existing !== 'string' || !existing) {
+                await storage.set(CSRF_TOKEN_KEY, preloadedToken);
+            }
+        }
+        catch {
+            // Non-fatal: fall back to fetching a fresh token on first use.
+        }
+    })();
+    return {
+        get: async () => {
+            await seeded;
+            if (storage) {
+                try {
+                    const cached = await storage.get(CSRF_TOKEN_KEY);
+                    if (typeof cached === 'string' && cached) {
+                        return cached;
+                    }
+                }
+                catch {
+                    // Non-fatal: treat as a cache miss so the manager fetches.
+                }
+            }
+            return undefined;
+        },
+        set: async (value) => {
+            await seeded;
+            if (storage) {
+                try {
+                    await storage.set(CSRF_TOKEN_KEY, value);
+                }
+                catch {
+                    // Non-fatal: token is still usable even if caching fails.
+                }
+            }
+        },
+        clear: async () => {
+            await seeded;
+            if (storage) {
+                try {
+                    await storage.remove(CSRF_TOKEN_KEY);
+                }
+                catch {
+                    // Non-fatal: continue even if the clear fails.
+                }
+            }
+        },
+    };
+}
+/**
+ * Builds the CSRF token manager: a {@link BasicRenewableResourceManager} that
+ * lazily caches the token in durable storage, coalesces concurrent fetches onto
+ * a single in-flight request, and dedups refresh storms. Registered as a
+ * provisioner service (`csrfTokenManager`) by `initializeOneStore`.
+ */
+function buildCsrfTokenManager() {
+    return new BasicRenewableResourceManager({
+        fetch: fetchFreshToken,
+        storage: buildCsrfResourceStorage(),
+    });
+}
 /* eslint-disable no-console */
 /**
  * Default storage configuration for the durable cache
@@ -10791,6 +10990,7 @@ function initializeOneStore(luvio) {
     const retryPolicy = new ComposedRetryPolicy([throttlingPolicy, csrfPolicy]);
     const retryServiceDescriptor = buildServiceDescriptor$8(retryPolicy);
     const retryService = retryServiceDescriptor.service;
+    const csrfTokenManagerServiceDescriptor = buildRenewableResourceManagerDescriptor(CSRF_TOKEN_MANAGER_SERVICE, buildCsrfTokenManager());
     const prefetchSfapJwtServiceDescriptor = {
         type: 'prefetchSfapJwt',
         version: '1.0',
@@ -10838,6 +11038,7 @@ function initializeOneStore(luvio) {
         buildLWCGraphQLWireBindingsServiceDescriptor(),
         configServiceDescriptor,
         prefetchSfapJwtServiceDescriptor,
+        csrfTokenManagerServiceDescriptor,
     ];
     setServices(services);
 }
@@ -10857,4 +11058,4 @@ function ldsEngineCreator() {
 }
 export { LexRequestStrategy, PdlPrefetcherEventType, PdlRequestPriority, buildPredictorForContext, configService, ldsEngineCreator as default, initializeLDS, initializeOneStore, notifyUpdateAvailableFactory, registerRequestStrategy, saveRequestAsPrediction, subscribeToPrefetcherEvents, unregisterRequestStrategy, whenPredictionsReady };
-// version: 1.441.0-5e7d04c146
+// version: 1.443.0-be70f6bb6e

package/dist/types/aura-utils.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Helpers for reaching the Aura framework from the LDS Aura runtime.
+ *
+ * `window.$A` is only present when the runtime is hosted inside LEX; in tests
+ * and non-Aura runtimes it is absent. Centralizing the guarded access keeps the
+ * `$A` lookup in one place instead of duplicating the `environmentHasAura`
+ * check across modules.
+ */
+/**
+ * The subset of the Aura client service LDS reaches for. Methods are optional
+ * because availability depends on the host's Aura version and server gates.
+ */
+export interface AuraClientService {
+    maxAllowedParallelXHRCounts?: () => number;
+    getConnectCsrfToken?: () => unknown;
+}
+/**
+ * Returns `$A.clientService` when running inside an Aura environment, or
+ * `undefined` otherwise. Defensive: never throws.
+ */
+export declare function getAuraClientService(): AuraClientService | undefined;

package/dist/types/fetch-service-descriptors/jwt-authorized-fetch-service.d.ts CHANGED Viewed

@@ -8,8 +8,4 @@ export declare function buildJwtAuthorizedSfapFetchServiceDescriptor(logger: Log
  * copilot commands.
  */
 export declare function buildCopilotFetchServiceDescriptor(logger: LoggerService): FetchServiceDescriptor;
-export declare const lightningJwtResolver: {
-    getJwt(): Promise<any>;
-};
-export declare function buildJwtAuthorizedLightningFetchServiceDescriptor(): FetchServiceDescriptor;
 export declare function buildUnauthorizedFetchServiceDescriptor(): FetchServiceDescriptor;

package/dist/types/request-interceptors/csrf-manager.d.ts CHANGED Viewed

@@ -1,45 +1,8 @@
+import { type RenewableResourceManager } from '@conduit-client/service-renewable-resource-manager/v1';
 /**
- * Manages CSRF token fetching and caching for secure requests.
- * Implements a singleton pattern to ensure consistent token management across the application.
+ * Builds the CSRF token manager: a {@link BasicRenewableResourceManager} that
+ * lazily caches the token in durable storage, coalesces concurrent fetches onto
+ * a single in-flight request, and dedups refresh storms. Registered as a
+ * provisioner service (`csrfTokenManager`) by `initializeOneStore`.
  */
-declare class CsrfTokenManager {
-    private static instance;
-    private tokenPromise;
-    private refreshInFlight;
-    private storage;
-    private constructor();
-    static getInstance(): CsrfTokenManager;
-    /**
-     * Obtain a CSRF token, either from AuraStorage or by fetching a fresh one.
-     *
-     * @private
-     */
-    private loadOrFetchToken;
-    /**
-     * Call API endpoint to acquire a CSRF token and cache it.
-     *
-     * @private
-     */
-    private fetchFreshToken;
-    /**
-     * Returns the current token value as a Promise.
-     * Lazy-loads the token on first call (from cache or by fetching).
-     */
-    getToken(): Promise<string | undefined>;
-    /**
-     * Obtains and returns a new token value as a promise.
-     * This will clear the cached token and fetch a fresh one.
-     *
-     * Concurrent calls coalesce onto a single in-flight refresh — important when
-     * multiple requests fail with INVALID_ACCESS_TOKEN simultaneously and each
-     * retry policy independently calls refreshToken(). Without this, every caller
-     * triggers its own /session/csrf round-trip.
-     */
-    refreshToken(): Promise<string | undefined>;
-    /**
-     * Reset the singleton instance (useful for testing).
-     * @internal
-     */
-    static resetInstance(): void;
-}
-export { CsrfTokenManager };
+export declare function buildCsrfTokenManager(): RenewableResourceManager<string>;

package/dist/types/request-interceptors/csrf-service.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { RenewableResourceManager } from '@conduit-client/service-renewable-resource-manager/v1';
+/**
+ * Service name the CSRF token manager is registered under by
+ * `initializeOneStore` (see `buildRenewableResourceManagerDescriptor`).
+ */
+export declare const CSRF_TOKEN_MANAGER_SERVICE = "csrfTokenManager";
+/**
+ * Resolves the CSRF token manager from the service provisioner.
+ *
+ * The manager is registered during `initializeOneStore`, which runs before any
+ * request flows; the interceptors and retry policies that call this resolve
+ * lazily (per request / per retry), so the service is always available by then.
+ *
+ * The resolved promise is memoized so resolution happens once rather than per
+ * request. A rejection is NOT memoized — `getServices` rejects when the service
+ * is unavailable, and caching that would permanently wedge CSRF handling — so a
+ * later call retries the resolution.
+ */
+export declare function getCsrfTokenManager(): Promise<RenewableResourceManager<string>>;

package/dist/types/request-interceptors/first-party-header.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { type RequestInterceptor } from '@conduit-client/service-fetch-network/v1';
+import type { ResourceRequest } from '@luvio/engine';
+/**
+ * Builds a request interceptor that adds the LDS first party header to every
+ * outbound request.
+ *
+ * @returns A RequestInterceptor function for FetchParameters
+ */
+export declare function buildFirstPartyHeaderInterceptor(): RequestInterceptor;
+/**
+ * Builds a Luvio request interceptor that adds the LDS first party header to
+ * every outbound `ResourceRequest`. See {@link buildFirstPartyHeaderInterceptor} for
+ * the header semantics.
+ *
+ * @returns A request interceptor for Luvio ResourceRequest objects
+ */
+export declare function buildLuvioFirstPartyHeaderInterceptor(): (resourceRequest: ResourceRequest) => Promise<ResourceRequest>;

package/dist/types/response-interceptors/error-body-normalization.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { ResponseInterceptor as LuvioResponseInterceptor } from '@salesforce/lds-network-fetch';
+/**
+ * Normalizes Connect REST error envelopes into the Aura Shape A
+ * (ConnectInJava) shape, so consumers can read `response.body.errorCode`
+ * regardless of transport.
+ *
+ * - HTTP error envelope (this path): `[{ errorCode, message }, ...]`
+ * - Aura Shape A: `{ errorCode, message, statusCode, ... }`
+ *
+ * The full array is preserved at `body.enhancedErrorInfo.allErrors` since
+ * Connect can return multiple errors per response.
+ *
+ * Aura Shape B (`{ error: "..." }`) is an Aura-only fallback that never
+ * appears on the HTTP path, so no normalization is needed for it here.
+ *
+ * Ordering: must run AFTER any other interceptor that inspects the raw
+ * error body shape (e.g. the 5xx interceptor's ErrorId extraction reads
+ * `body[0].message` from the array form).
+ */
+export declare function buildLuvioErrorBodyNormalizationInterceptor(): LuvioResponseInterceptor;

package/dist/types/retry-policies/csrf-token-retry-policy.d.ts CHANGED Viewed

@@ -26,7 +26,6 @@ export interface MutableFetchRequest {
  */
 export declare class CsrfTokenRetryPolicy extends RetryPolicy<Response> {
     private config;
-    private csrfTokenManager;
     private requestContext?;
     constructor(config?: CsrfTokenRetryPolicyConfig);
     /**

package/dist/types/retry-policies/luvio-csrf-token-retry-policy.d.ts CHANGED Viewed

@@ -12,7 +12,6 @@ export interface MutableLuvioRequest {
 }
 export declare class LuvioCsrfTokenRetryPolicy extends RetryPolicy<FetchResponse<any>> {
     private config;
-    private csrfTokenManager;
     private requestContext?;
     constructor(config?: LuvioCsrfTokenRetryPolicyConfig);
     setRequestContext(context: MutableLuvioRequest): void;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@salesforce/lds-runtime-aura",
-    "version": "1.441.0",
+    "version": "1.443.0",
     "license": "SEE LICENSE IN LICENSE.txt",
     "description": "LDS engine for Aura runtime.",
     "main": "dist/ldsEngineCreator.js",
@@ -34,60 +34,61 @@
         "release:corejar": "yarn build && ../core-build/scripts/core.js --name=lds-runtime-aura"
     },
     "devDependencies": {
-        "@conduit-client/service-provisioner": "3.21.0",
-        "@conduit-client/tools-core": "3.21.0",
-        "@salesforce/lds-adapters-apex": "^1.441.0",
-        "@salesforce/lds-adapters-uiapi": "^1.441.0",
-        "@salesforce/lds-ads-bridge": "^1.441.0",
-        "@salesforce/lds-aura-storage": "^1.441.0",
-        "@salesforce/lds-bindings": "^1.441.0",
-        "@salesforce/lds-instrumentation": "^1.441.0",
-        "@salesforce/lds-network-adapter": "^1.441.0",
-        "@salesforce/lds-network-aura": "^1.441.0",
-        "@salesforce/lds-network-fetch": "^1.441.0",
+        "@conduit-client/service-provisioner": "3.22.0",
+        "@conduit-client/tools-core": "3.22.0",
+        "@salesforce/lds-adapters-apex": "^1.443.0",
+        "@salesforce/lds-adapters-uiapi": "^1.443.0",
+        "@salesforce/lds-ads-bridge": "^1.443.0",
+        "@salesforce/lds-aura-storage": "^1.443.0",
+        "@salesforce/lds-bindings": "^1.443.0",
+        "@salesforce/lds-instrumentation": "^1.443.0",
+        "@salesforce/lds-network-adapter": "^1.443.0",
+        "@salesforce/lds-network-aura": "^1.443.0",
+        "@salesforce/lds-network-fetch": "^1.443.0",
         "jwt-encode": "1.0.1"
     },
     "dependencies": {
-        "@conduit-client/command-aura-graphql-normalized-cache-control": "3.21.0",
-        "@conduit-client/command-aura-network": "3.21.0",
-        "@conduit-client/command-aura-normalized-cache-control": "3.21.0",
-        "@conduit-client/command-aura-resource-cache-control": "3.21.0",
-        "@conduit-client/command-fetch-network": "3.21.0",
-        "@conduit-client/command-http-graphql-normalized-cache-control": "3.21.0",
-        "@conduit-client/command-http-normalized-cache-control": "3.21.0",
-        "@conduit-client/command-ndjson": "3.21.0",
-        "@conduit-client/command-network": "3.21.0",
-        "@conduit-client/command-sse": "3.21.0",
-        "@conduit-client/command-streaming": "3.21.0",
-        "@conduit-client/service-aura-network": "3.21.0",
-        "@conduit-client/service-bindings-imperative": "3.21.0",
-        "@conduit-client/service-bindings-lwc": "3.21.0",
-        "@conduit-client/service-cache": "3.21.0",
-        "@conduit-client/service-cache-control": "3.21.0",
-        "@conduit-client/service-cache-inclusion-policy": "3.21.0",
-        "@conduit-client/service-config": "3.21.0",
-        "@conduit-client/service-feature-flags": "3.21.0",
-        "@conduit-client/service-fetch-network": "3.21.0",
-        "@conduit-client/service-instrument-command": "3.21.0",
-        "@conduit-client/service-pubsub": "3.21.0",
-        "@conduit-client/service-store": "3.21.0",
-        "@conduit-client/utils": "3.21.0",
+        "@conduit-client/command-aura-graphql-normalized-cache-control": "3.22.0",
+        "@conduit-client/command-aura-network": "3.22.0",
+        "@conduit-client/command-aura-normalized-cache-control": "3.22.0",
+        "@conduit-client/command-aura-resource-cache-control": "3.22.0",
+        "@conduit-client/command-fetch-network": "3.22.0",
+        "@conduit-client/command-http-graphql-normalized-cache-control": "3.22.0",
+        "@conduit-client/command-http-normalized-cache-control": "3.22.0",
+        "@conduit-client/command-ndjson": "3.22.0",
+        "@conduit-client/command-network": "3.22.0",
+        "@conduit-client/command-sse": "3.22.0",
+        "@conduit-client/command-streaming": "3.22.0",
+        "@conduit-client/service-aura-network": "3.22.0",
+        "@conduit-client/service-bindings-imperative": "3.22.0",
+        "@conduit-client/service-bindings-lwc": "3.22.0",
+        "@conduit-client/service-cache": "3.22.0",
+        "@conduit-client/service-cache-control": "3.22.0",
+        "@conduit-client/service-cache-inclusion-policy": "3.22.0",
+        "@conduit-client/service-config": "3.22.0",
+        "@conduit-client/service-feature-flags": "3.22.0",
+        "@conduit-client/service-fetch-network": "3.22.0",
+        "@conduit-client/service-instrument-command": "3.22.0",
+        "@conduit-client/service-pubsub": "3.22.0",
+        "@conduit-client/service-renewable-resource-manager": "3.22.0",
+        "@conduit-client/service-store": "3.22.0",
+        "@conduit-client/utils": "3.22.0",
         "@luvio/network-adapter-composable": "0.160.5",
         "@luvio/network-adapter-fetch": "0.160.5",
         "@lwc/state": "^0.29.0",
-        "@salesforce/lds-adapters-onestore-graphql": "^1.441.0",
+        "@salesforce/lds-adapters-onestore-graphql": "^1.443.0",
         "@salesforce/lds-adapters-uiapi-lex": "^1.415.0",
-        "@salesforce/lds-durable-storage": "^1.441.0",
-        "@salesforce/lds-luvio-service": "^1.441.0",
-        "@salesforce/lds-luvio-uiapi-records-service": "^1.441.0"
+        "@salesforce/lds-durable-storage": "^1.443.0",
+        "@salesforce/lds-luvio-service": "^1.443.0",
+        "@salesforce/lds-luvio-uiapi-records-service": "^1.443.0"
     },
     "luvioBundlesize": [
         {
             "path": "./dist/ldsEngineCreator.js",
             "maxSize": {
-                "none": "383 kB",
+                "none": "390 kB",
                 "min": "190 kB",
-                "compressed": "63.5 kB"
+                "compressed": "65.5 kB"
             }
         }
     ],