@salesforce/lds-runtime-aura 1.442.0 → 1.444.0

package/dist/ldsEngineCreator.js

@@ -22,9 +22,9 @@ import { instrument, getRecordAvatarsAdapterFactory, getRecordAdapterFactory, co
 import { getInstrumentation } from 'o11y/client';
 import { findExecutableOperation, buildGraphQLInputExtension, addTypenameToDocument } from 'force/luvioGraphqlNormalization';
 import { print, resolveAndValidateGraphQLConfig, toGraphQLErrorResponse } from 'force/luvioOnestoreGraphqlParser';
-import { setServices } from 'force/luvioServiceProvisioner1';
+import getServices, { setServices } from 'force/luvioServiceProvisioner1';
 import { assertIsValid, JsonSchemaViolationError, MissingRequiredPropertyError } from 'force/luvioJsonschemaValidate5';
-import { dispatchGlobalEvent, executeGlobalControllerRawResponse } from 'aura';
+import { dispatchGlobalEvent as dispatchGlobalEvent$1, executeGlobalControllerRawResponse } from 'aura';
 import auraNetworkAdapter, { dispatchAuraAction, defaultActionConfig, instrument as instrument$1, forceRecordTransactionsDisabled as forceRecordTransactionsDisabled$1, ldsNetworkAdapterInstrument, CrudEventState, CrudEventType, UIAPI_RECORDS_PATH, UIAPI_RELATED_LIST_RECORDS_BATCH_PATH, UIAPI_RELATED_LIST_RECORDS_PATH } from 'force/ldsNetwork';
 import { ThirdPartyTracker } from 'instrumentation:thirdPartyTracker';
 import { markStart, markEnd, counter, registerCacheStats, perfStart, perfEnd, registerPeriodicLogger, interaction, timer, mark } from 'instrumentation/service';
@@ -36,7 +36,6 @@ import { instrument as instrument$5 } from '@lwc/state';
 import { withRegistration, register, setDefaultLuvio } from 'force/ldsEngine';
 import applyPredictionRequestLimit from '@salesforce/gate/lds.pdl.applyRequestLimit';
 import { pageScopedCache } from 'instrumentation/utility';
-import { createStorage, clearStorages } from 'force/ldsDurableStorage';
 import lightningConnectEnabled from '@salesforce/gate/ui.services.LightningConnect.enabled';
 import bypassAppRestrictionEnabled from '@salesforce/gate/ui.services.LightningConnect.BypassAppRestriction.enabled';
 import csrfValidationEnabled from '@salesforce/gate/ui.services.LightningConnect.CsrfValidation.enabled';
@@ -47,6 +46,7 @@ import useHttpUiapiOneRuntimePublic from '@salesforce/gate/lds.useHttpUiapiOneRu
 import useHttpUiapiOneRuntimePrivate from '@salesforce/gate/lds.useHttpUiapiOneRuntimePrivate';
 import disableCreateContentDocumentAndVersionHTTPLexRuntime from '@salesforce/gate/lds.lex.http.disableCreateContentDocumentAndVersion';
 import useHotspotLimit from '@salesforce/gate/lds.pdl.useHotspotLimit';
+import { createStorage, clearStorages } from 'force/ldsDurableStorage';
 import { registerSubRequestNetworkAdapter } from 'force/ldsNetwork';
 
 const { create: create$1, freeze, keys: keys$2, entries: entries$1 } = Object;
@@ -234,6 +234,19 @@ var HttpStatusCode$1 = /* @__PURE__ */ ((HttpStatusCode2) => {
   HttpStatusCode2[HttpStatusCode2["GatewayTimeout"] = 504] = "GatewayTimeout";
   return HttpStatusCode2;
 })(HttpStatusCode$1 || {});
+function getFetchResponseFromAuraError(err2) {
+  if (err2.data !== void 0 && err2.data.statusCode !== void 0) {
+    let data = {};
+    data = err2.data;
+    if (err2.id !== void 0) {
+      data.id = err2.id;
+    }
+    return new FetchResponse(data.statusCode, data);
+  }
+  return new FetchResponse(500, {
+    error: err2.message
+  });
+}
 async function coerceResponseToFetchResponse(response) {
   const { status } = response;
   const responseHeaders = {};
@@ -388,7 +401,7 @@ class AuraNetworkCommand extends NetworkCommand$1 {
     );
   }
   coerceAuraErrors(auraErrors) {
-    return toError(auraErrors[0]);
+    return new UserVisibleError(getFetchResponseFromAuraError(auraErrors[0]));
   }
   /**
    * Customize how non-2xx fetch fallback responses are converted into errors.
@@ -573,7 +586,10 @@ function deepEquals$1(x, y) {
     }
     for (let i = 0; i < xkeys.length; ++i) {
       const key = xkeys[i];
-      if (!deepEquals$1(x[key], y[key])) {
+      if (!deepEquals$1(
+        x[key],
+        y[key]
+      )) {
         return false;
       }
     }
@@ -2644,7 +2660,7 @@ function buildServiceDescriptor$d(luvio) {
         },
     };
 }
-// version: 1.442.0-e47893165a
+// version: 1.444.0-a7f42f9edf
 
 class AuraGraphQLNormalizedCacheControlCommand extends AuraNormalizedCacheControlCommand {
   constructor(config, documentRootType, services) {
@@ -2982,7 +2998,7 @@ function buildServiceDescriptor$9(notifyRecordUpdateAvailable, getNormalizedLuvi
         },
     };
 }
-// version: 1.442.0-e47893165a
+// version: 1.444.0-a7f42f9edf
 
 class RetryService {
   constructor(defaultRetryPolicy) {
@@ -3134,6 +3150,50 @@ function buildServiceDescriptor$8(defaultRetryPolicy) {
   };
 }
 
+class BasicRenewableResourceManager {
+  constructor(config) {
+    this.config = config;
+  }
+  get() {
+    return this.config.storage.get().then((cached) => cached !== void 0 ? cached : this.fetchAndStore());
+  }
+  refresh(staleValue) {
+    if (staleValue === void 0) {
+      return this.fetchAndStore();
+    }
+    return this.config.storage.get().then(
+      (current) => current !== void 0 && current !== staleValue ? current : this.fetchAndStore()
+    );
+  }
+  clear() {
+    return this.config.storage.clear();
+  }
+  /**
+   * Single in-flight fetch shared by all concurrent `get`/`refresh` callers.
+   * Overwrites storage on a successful fetch of a defined value only; a
+   * rejected fetch or a resolved-`undefined` leaves the cached value intact.
+   */
+  fetchAndStore() {
+    if (this.inFlightFetch) return this.inFlightFetch;
+    const pending = this.config.fetch().then(
+      (fetched) => fetched === void 0 ? fetched : this.config.storage.set(fetched).then(() => fetched)
+    );
+    this.inFlightFetch = pending;
+    const releaseSlot = () => {
+      if (this.inFlightFetch === pending) this.inFlightFetch = void 0;
+    };
+    pending.then(releaseSlot, releaseSlot);
+    return pending;
+  }
+}
+function buildRenewableResourceManagerDescriptor(type, service) {
+  return {
+    version: "1.0",
+    service,
+    type
+  };
+}
+
 function isUserVisibleError(error) {
   return error instanceof Error && "type" in error && error.type === "user-visible";
 }
@@ -3364,7 +3424,10 @@ class GraphQLImperativeBindingsService {
           const options = {
             acceptedOperations: ["query"]
           };
-          const result = resolveAndValidateGraphQLConfig(params[0], options);
+          const result = resolveAndValidateGraphQLConfig(
+            params[0],
+            options
+          );
           if (result?.isErr()) {
             return result.error;
           }
@@ -3561,7 +3624,10 @@ class GraphQLMutationBindingsService {
           const options = {
             acceptedOperations: ["mutation"]
           };
-          const result2 = resolveAndValidateGraphQLConfig(params[0], options);
+          const result2 = resolveAndValidateGraphQLConfig(
+            params[0],
+            options
+          );
           if (result2?.isErr()) {
             return {
               data: void 0,
@@ -4623,7 +4689,7 @@ var TypeCheckShapes;
     TypeCheckShapes[TypeCheckShapes["Integer"] = 3] = "Integer";
     TypeCheckShapes[TypeCheckShapes["Unsupported"] = 4] = "Unsupported";
 })(TypeCheckShapes || (TypeCheckShapes = {}));
-// engine version: 0.160.5-e6ada846
+// engine version: 0.161.0-fe06f180
 
 const { keys: keys$1 } = Object;
 
@@ -4718,6 +4784,10 @@ const SALESFORCE_API_BASE_URI_FLAG = 'api.salesforce.com';
 const X_REQUEST_ID_HEADER = 'x-request-id';
 const SFAPController = 'SalesforceApiPlatformController';
 const SFAPJwtMethod = 'getSFAPLightningJwtService';
+// Parameterized mint: the POST signature's auto-generated Aura method
+// (`@ConnectSignature(..., generateAuraMethod = true)` on the SFAP Lightning JWT
+// Service Connect resource). Takes a single `requestBody` named param.
+const SFAPJwtPostMethod = 'postSFAPLightningJwtService';
 /**
  * We expect jwt info and baseUri to be present in the response.
  *
@@ -4864,6 +4934,144 @@ function generateRequestId$1() {
     }
 }
 
+/**
+ * Normalize SFAP-shaped params into the opaque `JwtMintParams` bag that callers
+ * hand to `JwtManager.getJwt(params)`. Scopes are sorted because they are
+ * semantically a set — without this, `['a', 'b']` and `['b', 'a']` would cache
+ * as separate entries (OneStore treats arrays as ordered under stable-JSON
+ * serialization; see ADR "JWT Parameterization" §2).
+ *
+ * MANDATORY CONSUMER ENTRY POINT. Every consumer that mints a parameterized
+ * SFAP JWT MUST assemble its params through this function before calling the
+ * manager. The cache key is derived by `JwtManager` from the caller's params
+ * (`cacheKeyFor(params)`) *before* the resolver runs — so the resolver cannot
+ * normalize after the fact. Set-stable caching therefore depends on the caller
+ * routing params through here. Do NOT sort inside the resolver: that would only
+ * reorder the wire body, not the cache key, and mutating the caller's params
+ * mid-call would desync the in-flight-dedup key from the stored-token key.
+ */
+/**
+ * Validate and narrow an opaque `JwtMintParams` bag to the SFAP-shaped subset the
+ * resolver forwards. Returns `{ error }` (surfaced as a resolver rejection) for a
+ * malformed bag rather than throwing.
+ */
+function coerceToSfapParams(params) {
+    const scopes = params.scopes;
+    const dynamicParams = params.dynamicParams;
+    if (scopes !== undefined && !isStringArray(scopes)) {
+        return { error: 'SFAP JWT params.scopes must be a string[] when provided.' };
+    }
+    if (dynamicParams !== undefined && !isStringRecord(dynamicParams)) {
+        return {
+            error: 'SFAP JWT params.dynamicParams must be a Record<string, string> when provided.',
+        };
+    }
+    return { params: { scopes, dynamicParams } };
+}
+function isStringArray(value) {
+    return Array.isArray(value) && value.every((s) => typeof s === 'string');
+}
+function isStringRecord(value) {
+    if (typeof value !== 'object' || value === null || Array.isArray(value)) {
+        return false;
+    }
+    return Object.values(value).every((v) => typeof v === 'string');
+}
+/**
+ * Build the SFAP mint request body from the coerced params: `scopes` joined into a
+ * single space-delimited string, `dynamicParams` mapped to `dynamicParameters.items`.
+ * Empty scopes / dynamic params are omitted.
+ */
+function buildRequestBody(params) {
+    const body = {};
+    if (params.scopes && params.scopes.length > 0) {
+        body.scopes = params.scopes.join(' ');
+    }
+    if (params.dynamicParams) {
+        const items = Object.entries(params.dynamicParams).map(([name, value]) => ({ name, value }));
+        if (items.length > 0) {
+            body.dynamicParameters = { items };
+        }
+    }
+    return body;
+}
+
+/**
+ * Parameterized SFAP JWT resolver that mints over **Aura transport** instead of a
+ * direct HTTP `fetch`.
+ *
+ * It dispatches the SFAP Lightning JWT Service's parameterized POST via its
+ * auto-generated Aura controller method
+ * `SalesforceApiPlatformController.postSFAPLightningJwtService` (generated by
+ * `@ConnectSignature(..., generateAuraMethod = true)` on the Connect resource).
+ * The mint inputs ride as the single `requestBody` named param, in the same
+ * `{ scopes, dynamicParameters: { items } }` shape the HTTP resolver POSTs — built
+ * by the shared {@link buildRequestBody}, so the two transports stay in lockstep.
+ *
+ * Why Aura (not the HTTP resolver): the mint endpoint is a same-origin core
+ * resource, and routing it over Aura keeps session/CSRF handling inside the Aura
+ * stack rather than issuing a credentialed cross-cutting `fetch` from the client.
+ * This mirrors the legacy parameterless `platformSfapJwtResolver` in
+ * `network-sfap.ts`, which already mints over Aura via the `getSFAPLightningJwtService`
+ * generated method — this is the parameterized sibling of that call.
+ *
+ * A `JwtResolver` is invoked directly by `JwtManager` (not through Luvio's
+ * `appRouter`/`ResourceRequest` pipeline), so the correct mechanism is a direct
+ * named-controller `dispatchAuraAction`, not the `auraNetworkAdapter`/connect-route
+ * table. The SFAP JWT endpoint is not registered as a connect-over-Aura route, and
+ * a resolver has no `ResourceRequest` for the router to look up.
+ */
+class ParameterizedSfapJwtAuraResolver {
+    getJwt(params) {
+        return new Promise((resolve, reject) => {
+            if (params === undefined) {
+                // Misuse: the dispatching resolver routes parameterless calls to the
+                // legacy resolver. Reject so production fails loudly here.
+                reject('ParameterizedSfapJwtAuraResolver requires JwtMintParams. The legacy parameterless path should be served by platformSfapJwtResolver.');
+                return;
+            }
+            const coerced = coerceToSfapParams(params);
+            if ('error' in coerced) {
+                reject(coerced.error);
+                return;
+            }
+            // The mint inputs become the single `requestBody` named param of the
+            // generated Aura method (Aura binds top-level keys to the controller
+            // method's named args). Reuses the HTTP resolver's body builder so both
+            // transports send an identical shape.
+            const requestBody = buildRequestBody(coerced.params);
+            // No fetchImpl / requestInterceptor / CSRF / credentials handling here —
+            // the Aura stack owns session + CSRF. Matches the legacy resolver's call.
+            dispatchAuraAction(`${SFAPController}.${SFAPJwtPostMethod}`, { requestBody }, defaultActionConfig)
+                .then((response) => {
+                const body = response.body;
+                if (!body || typeof body.jwt !== 'string' || typeof body.baseUri !== 'string') {
+                    // Never serialize the body into the error — it may carry a JWT.
+                    reject('SFAP JWT response missing required fields (jwt, baseUri)');
+                    return;
+                }
+                resolve({ jwt: body.jwt, extraInfo: { baseUri: body.baseUri } });
+            })
+                .catch((error) => {
+                // Error mapping ported from the legacy platformSfapJwtResolver
+                // (network-sfap.ts): plain Errors carry a message; non-500
+                // AuraFetchResponses are ConnectInJava errors with a typed body;
+                // 500s carry an { error } body.
+                if (error instanceof Error) {
+                    reject(error.message);
+                    return;
+                }
+                const { status } = error;
+                if (status !== HttpStatusCode$2.ServerError) {
+                    reject(error.body.message);
+                    return;
+                }
+                reject(error.body.error);
+            });
+        });
+    }
+}
+
 /**
  * Observability / Critical Availability Program (230+)
  *
@@ -5614,7 +5822,9 @@ class PrioritizedConfigService {
   // ConfigService.set
   set(priority, setter) {
     this.validated = false;
-    return setter(this.prioritizedConfigData[priority]);
+    return setter(
+      this.prioritizedConfigData[priority]
+    );
   }
   // returns the highest priority value for a given path, undefined if no value
   // is defined for the path at any priority
@@ -5673,9 +5883,36 @@ function getEnvironmentSetting(name) {
     }
     return undefined;
 }
-// version: 1.442.0-d73ebfc396
+// version: 1.444.0-86f5a57eb3
+
+/**
+ * Helpers for reaching the Aura framework from the LDS Aura runtime.
+ *
+ * `window.$A` is only present when the runtime is hosted inside LEX; in tests
+ * and non-Aura runtimes it is absent. Centralizing the guarded access keeps the
+ * `$A` lookup in one place instead of duplicating the `environmentHasAura`
+ * check across modules.
+ */
+/**
+ * Fires an Aura application-level event (e.g. `aura:invalidSession`). Thin
+ * pass-through to the `aura` framework module so callers depend on this util
+ * rather than importing `aura` directly.
+ */
+function dispatchGlobalEvent(...args) {
+    dispatchGlobalEvent$1(...args);
+}
+/**
+ * Returns `$A.clientService` when running inside an Aura environment, or
+ * `undefined` otherwise. Defensive: never throws.
+ */
+function getAuraClientService() {
+    if (typeof window === 'undefined' || typeof window.$A === 'undefined') {
+        return undefined;
+    }
+    return window.$A.clientService;
+}
 
-const environmentHasAura = typeof window !== 'undefined' && typeof window.$A !== 'undefined';
+const auraClientService = getAuraClientService();
 const defaultConfig = {
     maxAllowedParallelXHRCounts: 9,
     forceRecordTransactionsDisabled: false,
@@ -5686,10 +5923,11 @@ const configServiceDescriptor = buildServiceDescriptor$1({
     default: defaultConfig,
 });
 const configService = configServiceDescriptor.service;
-if (environmentHasAura) {
+if (auraClientService?.maxAllowedParallelXHRCounts) {
     configService.set('lex', (config) => {
         config.maxAllowedParallelXHRCounts =
-            window['$A'].clientService.maxAllowedParallelXHRCounts();
+            auraClientService.maxAllowedParallelXHRCounts?.() ??
+                defaultConfig.maxAllowedParallelXHRCounts;
         config.forceRecordTransactionsDisabled = getEnvironmentSetting(EnvironmentSettings.ForceRecordTransactionsDisabled);
     });
 }
@@ -5933,34 +6171,54 @@ function buildLuvioPageScopedCacheRequestInterceptor() {
     };
 }
 
-function buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger) {
+// Two distinct session-expiration cases on the LEX runtime path:
+// - 401 + INVALID_SESSION_ID — auth token rejected
+// - 403 + `x-sfdc-csrf-failure: true` — CSRF token rejected, session is dead
+// Both fire `aura:invalidSession`, which routes the user back to login.
+//
+// 403 access denials (INSUFFICIENT_ACCESS / INSUFFICIENT_ACCESS_OR_READONLY) are
+// intentionally NOT handled here — `aura:noAccess` without a `redirectURL`
+// triggers AuraClientService.hardRefresh() which is too heavy-handed for routine
+// "feature not enabled for this org" responses. The wire layer surfaces those
+// as normal errors; onestore PR #838 (`aura-network-command`) handles the
+// gack-noise on the Aura action path.
+function isSessionExpired(status, headers, body) {
+    if (status === 403) {
+        return headers && headers['x-sfdc-csrf-failure'] === 'true';
+    }
+    if (status === 401) {
+        // Connect REST returns errors as `[{ errorCode, ... }, ...]`; Aura Shape A
+        // uses `{ errorCode, ... }`. This interceptor runs before
+        // `buildLuvioErrorBodyNormalizationInterceptor`, so handle both.
+        const errorCode = Array.isArray(body)
+            ? body[0] && body[0].errorCode
+            : body && body.errorCode;
+        return errorCode === 'INVALID_SESSION_ID';
+    }
+    return false;
+}
+function buildLexRuntimeSessionExpirationResponseInterceptor(logger) {
     return async (response) => {
-        if (response.status === 401) {
-            try {
-                const coercedResponse = (await coerceResponseToFetchResponse(response.clone()));
-                if (coercedResponse.body.errorCode === 'INVALID_SESSION_ID') {
-                    logger.warn(`Received ${response.status} status code from LEX runtime service`);
-                    // Fire the event asynchronously, similar to the legacy setTimeout pattern
-                    window.setTimeout(() => {
-                        dispatchGlobalEvent('aura:invalidSession');
-                    }, 0);
-                }
-            }
-            catch (error) {
-                logger.warn(`Error parsing response from LEX runtime service: ${error}`);
+        const { status } = response;
+        if (status !== 401 && status !== 403)
+            return response;
+        try {
+            const coerced = (await coerceResponseToFetchResponse(response.clone()));
+            if (isSessionExpired(status, coerced.headers, coerced.body)) {
+                logger.warn(`Received ${status} status code from LEX runtime service`);
+                window.setTimeout(() => dispatchGlobalEvent('aura:invalidSession'), 0);
             }
         }
+        catch (error) {
+            logger.warn(`Error parsing response from LEX runtime service: ${error}`);
+        }
         return response;
     };
 }
-function buildLexRuntimeLuvioAuthExpirationRedirectResponseInterceptor() {
+function buildLexRuntimeLuvioSessionExpirationResponseInterceptor() {
     return async (response) => {
-        if (response.status === 401) {
-            if (response.body.errorCode === 'INVALID_SESSION_ID') {
-                window.setTimeout(() => {
-                    dispatchGlobalEvent('aura:invalidSession');
-                }, 0);
-            }
+        if (isSessionExpired(response.status, response.headers, response.body)) {
+            window.setTimeout(() => dispatchGlobalEvent('aura:invalidSession'), 0);
         }
         return response;
     };
@@ -6119,146 +6377,91 @@ function buildLexRuntimeLuvio5xxStatusResponseInterceptor() {
     };
 }
 
-const CSRF_TOKEN_KEY = 'salesforce_csrf_token';
-const CSRF_STORAGE_NAME = 'ldsCSRFToken';
-const BASE_URI = '/services/data/v68.0';
-const UI_API_BASE_URI = `${BASE_URI}/ui-api`;
-const CSRF_TOKEN_ENDPOINT = `${UI_API_BASE_URI}/session/csrf`;
-const CSRF_STORAGE_CONFIG = {
-    name: CSRF_STORAGE_NAME,
-    persistent: true,
-    secure: true,
-    maxSize: 1024,
-    expiration: 24 * 60 * 60,
-    clearOnInit: false,
-    debugLogging: false,
-};
 /**
- * Manages CSRF token fetching and caching for secure requests.
- * Implements a singleton pattern to ensure consistent token management across the application.
+ * Normalizes Connect REST error envelopes into the Aura Shape A
+ * (ConnectInJava) shape, so consumers can read `response.body.errorCode`
+ * regardless of transport.
+ *
+ * - HTTP error envelope (this path): `[{ errorCode, message }, ...]`
+ * - Aura Shape A: `{ errorCode, message, statusCode, ... }`
+ *
+ * The full array is preserved at `body.enhancedErrorInfo.allErrors` since
+ * Connect can return multiple errors per response.
+ *
+ * Aura Shape B (`{ error: "..." }`) is an Aura-only fallback that never
+ * appears on the HTTP path, so no normalization is needed for it here.
+ *
+ * Ordering: must run AFTER any other interceptor that inspects the raw
+ * error body shape (e.g. the 5xx interceptor's ErrorId extraction reads
+ * `body[0].message` from the array form).
  */
-class CsrfTokenManager {
-    constructor() {
-        this.tokenPromise = null;
-        this.refreshInFlight = null;
-        // Initialize AuraStorage
-        this.storage = createStorage(CSRF_STORAGE_CONFIG);
-    }
-    static getInstance() {
-        if (!CsrfTokenManager.instance) {
-            CsrfTokenManager.instance = new CsrfTokenManager();
-        }
-        return CsrfTokenManager.instance;
-    }
-    /**
-     * Obtain a CSRF token, either from AuraStorage or by fetching a fresh one.
-     *
-     * @private
-     */
-    async loadOrFetchToken() {
-        // First try to get token from AuraStorage
-        if (this.storage) {
-            try {
-                const cachedToken = await this.storage.get(CSRF_TOKEN_KEY);
-                if (typeof cachedToken === 'string' && cachedToken) {
-                    return cachedToken;
-                }
-            }
-            catch {
-                // If storage read fails, continue to fetch
-            }
-        }
-        // No cached token, fetch from server
-        return this.fetchFreshToken();
-    }
-    /**
-     * Call API endpoint to acquire a CSRF token and cache it.
-     *
-     * @private
-     */
-    async fetchFreshToken() {
-        try {
-            const response = await fetch(CSRF_TOKEN_ENDPOINT, {
-                method: 'GET',
-                credentials: 'same-origin',
-            });
-            if (!response.ok) {
-                return undefined;
-            }
-            const data = await response.json();
-            const token = data.csrfToken;
-            if (token && this.storage) {
-                // Cache the token in AuraStorage
-                try {
-                    await this.storage.set(CSRF_TOKEN_KEY, token);
-                }
-                catch {
-                    // Non-fatal: token is still available even if caching fails
-                }
-            }
-            return token;
-        }
-        catch {
-            return undefined;
-        }
-    }
-    /**
-     * Returns the current token value as a Promise.
-     * Lazy-loads the token on first call (from cache or by fetching).
-     */
-    async getToken() {
-        // Lazy initialization: only fetch token when actually needed
-        if (!this.tokenPromise) {
-            this.tokenPromise = this.loadOrFetchToken();
-        }
-        return this.tokenPromise;
-    }
-    /**
-     * Obtains and returns a new token value as a promise.
-     * This will clear the cached token and fetch a fresh one.
-     *
-     * Concurrent calls coalesce onto a single in-flight refresh — important when
-     * multiple requests fail with INVALID_ACCESS_TOKEN simultaneously and each
-     * retry policy independently calls refreshToken(). Without this, every caller
-     * triggers its own /session/csrf round-trip.
-     */
-    refreshToken() {
-        if (this.refreshInFlight) {
-            return this.refreshInFlight;
+function buildLuvioErrorBodyNormalizationInterceptor() {
+    return async (response) => {
+        if (!response.ok && Array.isArray(response.body)) {
+            const allErrors = response.body;
+            response.body = {
+                ...allErrors[0],
+                statusCode: response.status,
+                enhancedErrorInfo: {
+                    allErrors,
+                },
+            };
         }
-        const refresh = (async () => {
-            if (this.storage) {
-                try {
-                    await this.storage.remove(CSRF_TOKEN_KEY);
-                }
-                catch {
-                    // Non-fatal: continue with refresh even if clear fails
-                }
-            }
-            return this.fetchFreshToken();
-        })();
-        this.refreshInFlight = refresh;
-        this.tokenPromise = refresh;
-        // Clear the in-flight reference once settled (success or failure) so
-        // subsequent token expirations can trigger a fresh refresh.
-        refresh.finally(() => {
-            if (this.refreshInFlight === refresh) {
-                this.refreshInFlight = null;
-            }
+        return response;
+    };
+}
+
+/**
+ * Service name the CSRF token manager is registered under by
+ * `initializeOneStore` (see `buildRenewableResourceManagerDescriptor`).
+ */
+const CSRF_TOKEN_MANAGER_SERVICE = 'csrfTokenManager';
+const CSRF_TOKEN_MANAGER_REQUEST = {
+    [CSRF_TOKEN_MANAGER_SERVICE]: {
+        type: CSRF_TOKEN_MANAGER_SERVICE,
+        version: '1.0',
+    },
+};
+let cached;
+/**
+ * Resolves the CSRF token manager from the service provisioner.
+ *
+ * The manager is registered during `initializeOneStore`, which runs before any
+ * request flows; the interceptors and retry policies that call this resolve
+ * lazily (per request / per retry), so the service is always available by then.
+ *
+ * The resolved promise is memoized so resolution happens once rather than per
+ * request. A rejection is NOT memoized — `getServices` rejects when the service
+ * is unavailable, and caching that would permanently wedge CSRF handling — so a
+ * later call retries the resolution.
+ */
+function getCsrfTokenManager() {
+    if (!cached) {
+        cached = Promise.resolve(getServices(CSRF_TOKEN_MANAGER_REQUEST))
+            .then((services) => services[CSRF_TOKEN_MANAGER_SERVICE])
+            .catch((error) => {
+            cached = undefined;
+            throw error;
         });
-        return refresh;
-    }
-    /**
-     * Reset the singleton instance (useful for testing).
-     * @internal
-     */
-    static resetInstance() {
-        CsrfTokenManager.instance = null;
     }
+    return cached;
 }
-CsrfTokenManager.instance = null;
 
 const CSRF_TOKEN_HEADER = 'X-CSRF-Token';
+/**
+ * Resolves the CSRF token manager and returns the current token. Returns
+ * `undefined` if the manager cannot be resolved (service not yet provisioned)
+ * or has no token, so a request is never blocked by token resolution.
+ */
+async function getCsrfToken() {
+    try {
+        const manager = await getCsrfTokenManager();
+        return await manager.get();
+    }
+    catch {
+        return undefined;
+    }
+}
 /**
  * Checks if all required gates are enabled for CSRF token interceptor.
  *
@@ -6301,7 +6504,6 @@ function isCsrfMethod(method) {
  * @returns A RequestInterceptor function for FetchParameters
  */
 function buildCsrfTokenInterceptor() {
-    const csrfTokenManager = CsrfTokenManager.getInstance();
     return async (fetchArgs) => {
         // Check if all required gates are enabled before running
         if (!areCsrfGatesEnabled()) {
@@ -6318,7 +6520,7 @@ function buildCsrfTokenInterceptor() {
         }
         // Only add CSRF token for mutating operations
         if (isCsrfMethod(method)) {
-            const token = await csrfTokenManager.getToken();
+            const token = await getCsrfToken();
             if (token) {
                 // eslint-disable-next-line no-param-reassign
                 fetchArgs = setHeader(CSRF_TOKEN_HEADER, token, fetchArgs);
@@ -6335,7 +6537,6 @@ function buildCsrfTokenInterceptor() {
  * @returns A request interceptor function for Luvio ResourceRequest objects
  */
 function buildLuvioCsrfTokenInterceptor() {
-    const csrfTokenManager = CsrfTokenManager.getInstance();
     return async (resourceRequest) => {
         // Check if all required gates are enabled before running
         if (!areCsrfGatesEnabled()) {
@@ -6349,7 +6550,7 @@ function buildLuvioCsrfTokenInterceptor() {
         if (isCsrfMethod(resourceRequest.method)) {
             // Don't overwrite existing CSRF token header if it already exists
             if (!resourceRequest.headers[CSRF_TOKEN_HEADER]) {
-                const token = await csrfTokenManager.getToken();
+                const token = await getCsrfToken();
                 if (token) {
                     resourceRequest.headers[CSRF_TOKEN_HEADER] = token;
                 }
@@ -6389,6 +6590,39 @@ function buildLuvioEntityEncodingInterceptor() {
     };
 }
 
+const FIRST_PARTY_HEADER = 'X-Salesforce-First-Party';
+const FIRST_PARTY_VALUE = 'platform-ui';
+/**
+ * Builds a request interceptor that adds the LDS first party header to every
+ * outbound request.
+ *
+ * @returns A RequestInterceptor function for FetchParameters
+ */
+function buildFirstPartyHeaderInterceptor() {
+    return async (fetchArgs) => {
+        const returnedFetchArgs = setHeader(FIRST_PARTY_HEADER, FIRST_PARTY_VALUE, fetchArgs);
+        return resolvedPromiseLike$2(returnedFetchArgs);
+    };
+}
+/**
+ * Builds a Luvio request interceptor that adds the LDS first party header to
+ * every outbound `ResourceRequest`. See {@link buildFirstPartyHeaderInterceptor} for
+ * the header semantics.
+ *
+ * @returns A request interceptor for Luvio ResourceRequest objects
+ */
+function buildLuvioFirstPartyHeaderInterceptor() {
+    return async (resourceRequest) => {
+        if (!resourceRequest.headers) {
+            resourceRequest.headers = {};
+        }
+        if (!resourceRequest.headers[FIRST_PARTY_HEADER]) {
+            resourceRequest.headers[FIRST_PARTY_HEADER] = FIRST_PARTY_VALUE;
+        }
+        return resolvedPromiseLike$2(resourceRequest);
+    };
+}
+
 function createInstrumentationIdContext() {
     return () => ({
         instrumentationId: generateRequestId(),
@@ -6618,7 +6852,6 @@ class LuvioCsrfTokenRetryPolicy extends RetryPolicy {
     constructor(config = DEFAULT_CONFIG$3) {
         super();
         this.config = config;
-        this.csrfTokenManager = CsrfTokenManager.getInstance();
     }
     setRequestContext(context) {
         this.requestContext = context;
@@ -6640,11 +6873,20 @@ class LuvioCsrfTokenRetryPolicy extends RetryPolicy {
         if (!this.requestContext) {
             return;
         }
-        const newToken = await this.csrfTokenManager.refreshToken();
+        let newToken;
+        try {
+            const manager = await getCsrfTokenManager();
+            newToken = await manager.refresh();
+        }
+        catch {
+            // Manager unavailable — drop the stale token below so the request
+            // interceptor refetches on the retry.
+            newToken = undefined;
+        }
         const req = this.requestContext.request;
         const { [CSRF_TOKEN_HEADER]: _stale, ...remainingHeaders } = req.headers ?? {};
         // If refresh failed, drop the stale token entirely so the request interceptor
-        // will fetch a fresh one via getToken() on the retry.
+        // will fetch a fresh one via get() on the retry.
         const headers = newToken
             ? { ...remainingHeaders, [CSRF_TOKEN_HEADER]: newToken }
             : remainingHeaders;
@@ -7149,12 +7391,14 @@ const composedFetchNetworkAdapter = {
             buildLuvioTransportMarksSendInterceptor(),
             buildLuvioPageScopedCacheRequestInterceptor(),
             buildLuvioCsrfTokenInterceptor(),
+            buildLuvioFirstPartyHeaderInterceptor(),
             buildLuvioEntityEncodingInterceptor(),
         ],
         retry: buildLuvioFetchRetryInterceptor(),
         response: [
             buildLexRuntimeLuvio5xxStatusResponseInterceptor(),
-            buildLexRuntimeLuvioAuthExpirationRedirectResponseInterceptor(),
+            buildLexRuntimeLuvioSessionExpirationResponseInterceptor(),
+            buildLuvioErrorBodyNormalizationInterceptor(),
             buildLuvioTransportMarksReceiveInterceptor(),
             buildLuvioActionMarksReceiveInterceptor(),
         ],
@@ -7199,7 +7443,6 @@ class CsrfTokenRetryPolicy extends RetryPolicy {
     constructor(config = DEFAULT_CONFIG$1) {
         super();
         this.config = config;
-        this.csrfTokenManager = CsrfTokenManager.getInstance();
     }
     /**
      * Allows the fetch service to pass mutable request context.
@@ -7251,7 +7494,15 @@ class CsrfTokenRetryPolicy extends RetryPolicy {
      */
     async prepareRetry(_result, _context) {
         // Refresh the CSRF token (we already know this is a CSRF error from shouldRetry)
-        const newToken = await this.csrfTokenManager.refreshToken();
+        let newToken;
+        try {
+            const manager = await getCsrfTokenManager();
+            newToken = await manager.refresh();
+        }
+        catch {
+            // Manager unavailable — the retry will fail again, which is expected.
+            newToken = undefined;
+        }
         if (!newToken || !this.requestContext) {
             // If we can't get a new token or don't have request context,
             // the retry will fail again but that's expected
@@ -7312,9 +7563,106 @@ function buildCsrfRetryInterceptor() {
     };
 }
 
+/**
+ * The context-seed key under which a custom command forwards its JWT mint
+ * parameters. The framework's `buildServiceDescriptor` merges the request init's
+ * `__contextSeed` onto the per-request interceptor context, so this interceptor
+ * reads the params off `context[JWT_MINT_PARAMS_SEED_KEY]`.
+ *
+ * This is a cross-team contract: the custom command writes this key, this
+ * interceptor reads it. It is intentionally an opaque key — OneStore does not
+ * define it and never inspects the param shape; the typed shape lives in the
+ * resolver.
+ */
+const JWT_MINT_PARAMS_SEED_KEY = 'jwtMintParams';
+/**
+ * Returns `true` if the fetch arguments already carry an `Authorization` header,
+ * across the three shapes the framework's `setHeader` handles: a `Request`
+ * resource's own headers, an `options.headers` `Headers` instance, or a plain
+ * record. The descriptor's guarded legacy interceptor uses this to skip when the
+ * parameterized interceptor has already authorized the request — avoiding a second
+ * mint and the throw `setHeaderAuthorization` raises on an existing header.
+ */
+function hasAuthorizationHeader([resource, options]) {
+    if (resource instanceof Request && resource.headers.has('Authorization')) {
+        return true;
+    }
+    const headers = options?.headers;
+    if (headers === undefined) {
+        return false;
+    }
+    if (headers instanceof Headers) {
+        return headers.has('Authorization');
+    }
+    if (Array.isArray(headers)) {
+        return headers.some(([name]) => name.toLowerCase() === 'authorization');
+    }
+    return Reflect.has(headers, 'Authorization');
+}
+/**
+ * Builds the request interceptor that bridges the per-request context seed to the
+ * dispatching SFAP JwtManager for the **parameterized** mint path.
+ *
+ * For a parameterized SFAP command, the context carries `jwtMintParams`. This
+ * interceptor reads them, calls `jwtManager.getJwt(params)` (which the dispatching
+ * resolver routes to the parameterized resolver), attaches the `Authorization`
+ * header, and rewrites the request URL via the minted `baseUri`. The presence of
+ * that `Authorization` header is the signal the descriptor's guarded legacy
+ * interceptor uses to skip — so the legacy path does not mint a second time.
+ *
+ * For a legacy parameterless command the context carries no `jwtMintParams`, so
+ * this interceptor **early-returns on its first line** and the request flows
+ * unchanged to the legacy `buildJwtRequestHeaderInterceptor` — guaranteeing zero
+ * behavior change for non-opted-in adapters.
+ *
+ * Lives in `lds-lightning-platform` (not OneStore) beside the existing SFAP/CSRF
+ * interceptors, per the JWT-parameterization ADR §5: OneStore provides only the
+ * generic interceptor mechanism and the opaque context-seed channel; the service-
+ * specific bridge is a runtime-layer concern.
+ *
+ * @param jwtManager - the dispatching SFAP JwtManager
+ * @param jwtRequestModifier - applies the minted `extraInfo.baseUri` to the request URL
+ */
+function buildJwtParameterizationInterceptor(jwtManager, jwtRequestModifier = (_extraInfo, fetchArgs) => fetchArgs) {
+    return (fetchArgs, context) => {
+        const jwtContext = context;
+        const mintParams = jwtContext?.[JWT_MINT_PARAMS_SEED_KEY];
+        // No mint params → not a parameterized request. Do nothing; the legacy
+        // interceptor handles it. This MUST be the first statement so non-opted-in
+        // SFAP commands observe no work at all.
+        if (mintParams === undefined) {
+            return resolvedPromiseLike$2(fetchArgs);
+        }
+        return resolvedPromiseLike$2(jwtManager.getJwt(mintParams)).then((token) => {
+            const fetchArgsWithAuthorization = setHeaderAuthorization(token, fetchArgs);
+            return token.extraInfo
+                ? jwtRequestModifier(token.extraInfo, fetchArgsWithAuthorization)
+                : fetchArgsWithAuthorization;
+        });
+    };
+}
+
 const SFAP_BASE_URL = 'api.salesforce.com';
+function buildDispatchingSfapJwtResolver(legacyResolver, parameterizedResolver) {
+    return {
+        getJwt(params) {
+            if (params === undefined) {
+                return legacyResolver.getJwt();
+            }
+            return parameterizedResolver.getJwt(params);
+        },
+    };
+}
+// The parameterized mint is dispatched over **Aura transport**:
+// the resolver calls the SFAP Lightning JWT Service's auto-generated Aura method
+// `SalesforceApiPlatformController.postSFAPLightningJwtService`, so session + CSRF
+// are handled inside the Aura stack. This mirrors the legacy parameterless
+// `platformSfapJwtResolver`, which already mints over Aura. The minted JWT is then
+// attached as a Bearer token on the downstream SFAP API request (which stays HTTP).
+const parameterizedSfapJwtResolver = new ParameterizedSfapJwtAuraResolver();
+const sfapJwtResolver = buildDispatchingSfapJwtResolver(platformSfapJwtResolver, parameterizedSfapJwtResolver);
 const sfapJwtRepository = new JwtRepository();
-const sfapJwtManager = new JwtManager(sfapJwtRepository, platformSfapJwtResolver);
+const sfapJwtManager = new JwtManager(sfapJwtRepository, sfapJwtResolver);
 function prefetchSfapJwt() {
     const maybePromise = sfapJwtManager.getJwt();
     if ('then' in maybePromise) {
@@ -7325,8 +7673,12 @@ function prefetchSfapJwt() {
 function buildJwtAuthorizedSfapFetchServiceDescriptor(logger) {
     const jwtAuthorizedFetchService = buildServiceDescriptor$2({
         createContext: createInstrumentationIdContext(),
-        request: [buildThirdPartyTrackerRegisterInterceptor(), buildJwtRequestInterceptor(logger)],
-        retry: buildCsrfRetryInterceptor(),
+        request: [
+            buildThirdPartyTrackerRegisterInterceptor(),
+            buildJwtParameterizationInterceptor(sfapJwtManager, buildSfapJwtRequestModifier(logger)),
+            // Guarded so it is skipped once the parameterized interceptor handled the request.
+            buildGuardedLegacyJwtRequestInterceptor(logger),
+        ],
         finally: [buildThirdPartyTrackerFinishInterceptor()],
     });
     return {
@@ -7406,8 +7758,13 @@ function buildUnauthorizedFetchServiceDescriptor() {
         tags: { authenticationScopes: '' },
     };
 }
-function buildJwtRequestInterceptor(logger) {
-    const jwtRequestModifier = ({ baseUri }, [resource, request]) => {
+/**
+ * The `JwtRequestModifier` shared by both the legacy and parameterized SFAP
+ * interceptors: it rewrites the request URL's host/protocol to the minted
+ * `extraInfo.baseUri` (only for `api.salesforce.com` resources).
+ */
+function buildSfapJwtRequestModifier(logger) {
+    return ({ baseUri }, [resource, request]) => {
         if (typeof resource !== 'string' && !(resource instanceof URL)) {
             // istanbul ignore else: this will not be tested in NODE_ENV = production for test coverage
             if (process.env.NODE_ENV !== 'production') {
@@ -7425,8 +7782,22 @@ function buildJwtRequestInterceptor(logger) {
         url.protocol = overrideUrl.protocol;
         return [url, request];
     };
-    const jwtRequestHeaderInterceptor = buildJwtRequestHeaderInterceptor(sfapJwtManager, jwtRequestModifier);
-    return jwtRequestHeaderInterceptor;
+}
+function buildJwtRequestInterceptor(logger) {
+    return buildJwtRequestHeaderInterceptor(sfapJwtManager, buildSfapJwtRequestModifier(logger));
+}
+/**
+ * Wraps the legacy `buildJwtRequestHeaderInterceptor` with a pass-through guard:
+ * when the parameterized interceptor has already authorized the request (an
+ * `Authorization` header is present), this returns `args` untouched so the legacy
+ * interceptor does not mint a second time or attempt to set a duplicate
+ * Authorization header (which `setHeaderAuthorization` throws on). For every legacy
+ * (non-parameterized) request no Authorization header is present yet, so the legacy
+ * interceptor runs exactly as before — a strict pass-through.
+ */
+function buildGuardedLegacyJwtRequestInterceptor(logger) {
+    const legacyInterceptor = buildJwtRequestInterceptor(logger);
+    return (args) => hasAuthorizationHeader(args) ? resolvedPromiseLike$2(args) : legacyInterceptor(args);
 }
 
 const PDL_EXECUTE_ASYNC_OPTIONS = {
@@ -10084,11 +10455,12 @@ function getLexRuntimeDefaultInterceptorConfig(logger) {
             buildTransportMarksSendInterceptor(),
             buildCsrfTokenInterceptor(),
             buildEntityEncodingInterceptor(),
+            buildFirstPartyHeaderInterceptor(),
         ],
         retry: buildCsrfRetryInterceptor(),
         response: [
             buildLexRuntime5xxStatusResponseInterceptor(logger),
-            buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger),
+            buildLexRuntimeSessionExpirationResponseInterceptor(logger),
             buildTransportMarksReceiveInterceptor(),
             buildActionMarksReceiveInterceptor(),
         ],
@@ -10105,7 +10477,7 @@ function buildLexRuntimeAllow5xxFetchServiceDescriptor(logger, retryService) {
         ...config,
         // Omit 5xx interceptor - allow 5xx responses to pass through
         response: [
-            buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger),
+            buildLexRuntimeSessionExpirationResponseInterceptor(logger),
             buildTransportMarksReceiveInterceptor(),
             buildActionMarksReceiveInterceptor(),
         ],
@@ -10195,6 +10567,149 @@ class FetchThrottlingRetryPolicy extends RetryPolicy {
     }
 }
 
+const CSRF_TOKEN_KEY = 'salesforce_csrf_token';
+const CSRF_STORAGE_NAME = 'ldsCSRFToken';
+const BASE_URI = '/services/data/v68.0';
+const UI_API_BASE_URI = `${BASE_URI}/ui-api`;
+const CSRF_TOKEN_ENDPOINT = `${UI_API_BASE_URI}/session/csrf`;
+const CSRF_STORAGE_CONFIG = {
+    name: CSRF_STORAGE_NAME,
+    persistent: true,
+    secure: true,
+    maxSize: 1024,
+    expiration: 24 * 60 * 60,
+    clearOnInit: false,
+    debugLogging: false,
+};
+/**
+ * Reads the CSRF token Aura preloads onto the bootstrap payload. When the
+ * Connect Framework CSRF token is minted at template-render time it is exposed
+ * via `$A.clientService.getConnectCsrfToken()`. Reading it here lets the first
+ * state-changing request skip the cold `/ui-api/session/csrf` round trip.
+ *
+ * Defensive against a missing getter or server killswitch: returns `undefined`,
+ * never throws.
+ */
+function readPreloadedToken() {
+    const clientService = getAuraClientService();
+    if (typeof clientService?.getConnectCsrfToken !== 'function') {
+        return undefined;
+    }
+    try {
+        const token = clientService.getConnectCsrfToken();
+        return typeof token === 'string' && token ? token : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Fetches a fresh CSRF token from the server. Resolves `undefined` (not a
+ * rejection) on any non-ok response, missing token, or network/parse error so
+ * the manager treats it as "no value" and leaves any cached token intact. The
+ * CSRF retry policy — not this fetch — owns retry semantics.
+ */
+async function fetchFreshToken() {
+    try {
+        const response = await fetch(CSRF_TOKEN_ENDPOINT, {
+            method: 'GET',
+            credentials: 'same-origin',
+        });
+        if (!response.ok) {
+            return undefined;
+        }
+        const data = await response.json();
+        const token = data.csrfToken;
+        return typeof token === 'string' && token ? token : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Adapts the durable AuraStorage backing store to the {@link ResourceStorage}
+ * contract the renewable-resource manager expects.
+ *
+ * The Aura-preloaded token is written into the store **once at creation** (only
+ * when the store is otherwise empty), so the first `get()` finds it and the
+ * first mutation skips the network. Seeding the store — rather than having
+ * `get()` fall back to the preload on every empty read — means a later
+ * `clear()` (logout / org switch) is not silently resurrected by the preload.
+ *
+ * Every operation awaits the one-time seed so reads and writes observe a
+ * consistent store. Storage read/write failures are non-fatal.
+ */
+function buildCsrfResourceStorage() {
+    const storage = createStorage(CSRF_STORAGE_CONFIG);
+    // Pre-seed the preloaded token into the store, once, if the store is empty.
+    const seeded = (async () => {
+        const preloadedToken = readPreloadedToken();
+        if (!storage || !preloadedToken) {
+            return;
+        }
+        try {
+            const existing = await storage.get(CSRF_TOKEN_KEY);
+            if (typeof existing !== 'string' || !existing) {
+                await storage.set(CSRF_TOKEN_KEY, preloadedToken);
+            }
+        }
+        catch {
+            // Non-fatal: fall back to fetching a fresh token on first use.
+        }
+    })();
+    return {
+        get: async () => {
+            await seeded;
+            if (storage) {
+                try {
+                    const cached = await storage.get(CSRF_TOKEN_KEY);
+                    if (typeof cached === 'string' && cached) {
+                        return cached;
+                    }
+                }
+                catch {
+                    // Non-fatal: treat as a cache miss so the manager fetches.
+                }
+            }
+            return undefined;
+        },
+        set: async (value) => {
+            await seeded;
+            if (storage) {
+                try {
+                    await storage.set(CSRF_TOKEN_KEY, value);
+                }
+                catch {
+                    // Non-fatal: token is still usable even if caching fails.
+                }
+            }
+        },
+        clear: async () => {
+            await seeded;
+            if (storage) {
+                try {
+                    await storage.remove(CSRF_TOKEN_KEY);
+                }
+                catch {
+                    // Non-fatal: continue even if the clear fails.
+                }
+            }
+        },
+    };
+}
+/**
+ * Builds the CSRF token manager: a {@link BasicRenewableResourceManager} that
+ * lazily caches the token in durable storage, coalesces concurrent fetches onto
+ * a single in-flight request, and dedups refresh storms. Registered as a
+ * provisioner service (`csrfTokenManager`) by `initializeOneStore`.
+ */
+function buildCsrfTokenManager() {
+    return new BasicRenewableResourceManager({
+        fetch: fetchFreshToken,
+        storage: buildCsrfResourceStorage(),
+    });
+}
+
 /* eslint-disable no-console */
 /**
  * Default storage configuration for the durable cache
@@ -10789,6 +11304,7 @@ function initializeOneStore(luvio) {
     const retryPolicy = new ComposedRetryPolicy([throttlingPolicy, csrfPolicy]);
     const retryServiceDescriptor = buildServiceDescriptor$8(retryPolicy);
     const retryService = retryServiceDescriptor.service;
+    const csrfTokenManagerServiceDescriptor = buildRenewableResourceManagerDescriptor(CSRF_TOKEN_MANAGER_SERVICE, buildCsrfTokenManager());
     const prefetchSfapJwtServiceDescriptor = {
         type: 'prefetchSfapJwt',
         version: '1.0',
@@ -10836,6 +11352,7 @@ function initializeOneStore(luvio) {
         buildLWCGraphQLWireBindingsServiceDescriptor(),
         configServiceDescriptor,
         prefetchSfapJwtServiceDescriptor,
+        csrfTokenManagerServiceDescriptor,
     ];
     setServices(services);
 }
@@ -10855,4 +11372,4 @@ function ldsEngineCreator() {
 }
 
 export { LexRequestStrategy, PdlPrefetcherEventType, PdlRequestPriority, buildPredictorForContext, configService, ldsEngineCreator as default, initializeLDS, initializeOneStore, notifyUpdateAvailableFactory, registerRequestStrategy, saveRequestAsPrediction, subscribeToPrefetcherEvents, unregisterRequestStrategy, whenPredictionsReady };
-// version: 1.442.0-e47893165a
+// version: 1.444.0-a7f42f9edf