@salesforce/lds-runtime-aura 1.442.0 → 1.444.0

package/dist/types/aura-utils.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Helpers for reaching the Aura framework from the LDS Aura runtime.
+ *
+ * `window.$A` is only present when the runtime is hosted inside LEX; in tests
+ * and non-Aura runtimes it is absent. Centralizing the guarded access keeps the
+ * `$A` lookup in one place instead of duplicating the `environmentHasAura`
+ * check across modules.
+ */
+import { dispatchGlobalEvent as auraDispatchGlobalEvent } from 'aura';
+/**
+ * Fires an Aura application-level event (e.g. `aura:invalidSession`). Thin
+ * pass-through to the `aura` framework module so callers depend on this util
+ * rather than importing `aura` directly.
+ */
+export declare function dispatchGlobalEvent(...args: Parameters<typeof auraDispatchGlobalEvent>): void;
+/**
+ * The subset of the Aura client service LDS reaches for. Methods are optional
+ * because availability depends on the host's Aura version and server gates.
+ */
+export interface AuraClientService {
+    maxAllowedParallelXHRCounts?: () => number;
+    getConnectCsrfToken?: () => unknown;
+}
+/**
+ * Returns `$A.clientService` when running inside an Aura environment, or
+ * `undefined` otherwise. Defensive: never throws.
+ */
+export declare function getAuraClientService(): AuraClientService | undefined;

package/dist/types/fetch-service-descriptors/jwt-authorized-fetch-service.d.ts

@@ -1,5 +1,8 @@
+import { type JwtResolver } from '@conduit-client/jwt-manager';
 import { type FetchServiceDescriptor } from '@conduit-client/service-fetch-network/v1';
+import { type ExtraInfo } from '../network-sfap';
 import { type LoggerService } from '@conduit-client/utils';
+export declare function buildDispatchingSfapJwtResolver(legacyResolver: JwtResolver<ExtraInfo>, parameterizedResolver: JwtResolver<ExtraInfo>): JwtResolver<ExtraInfo>;
 export declare function prefetchSfapJwt(): Promise<undefined>;
 export declare function buildJwtAuthorizedSfapFetchServiceDescriptor(logger: LoggerService): FetchServiceDescriptor;
 /**

package/dist/types/network-sfap.d.ts

@@ -2,6 +2,7 @@ import type { FetchResponse, ResourceRequest, ResourceRequestContext } from '@lu
 import type { JwtResolver } from '@conduit-client/jwt-manager';
 export declare const SFAPController = "SalesforceApiPlatformController";
 export declare const SFAPJwtMethod = "getSFAPLightningJwtService";
+export declare const SFAPJwtPostMethod = "postSFAPLightningJwtService";
 export type ExtraInfo = {
     baseUri: string;
 };

package/dist/types/parameterized-sfap-jwt-aura-resolver.d.ts

@@ -0,0 +1,34 @@
+import type { JwtMintParams, JwtResolver } from '@conduit-client/jwt-manager';
+import { type ParameterizedSfapExtraInfo } from './sfap-jwt-mint-params';
+/**
+ * Parameterized SFAP JWT resolver that mints over **Aura transport** instead of a
+ * direct HTTP `fetch`.
+ *
+ * It dispatches the SFAP Lightning JWT Service's parameterized POST via its
+ * auto-generated Aura controller method
+ * `SalesforceApiPlatformController.postSFAPLightningJwtService` (generated by
+ * `@ConnectSignature(..., generateAuraMethod = true)` on the Connect resource).
+ * The mint inputs ride as the single `requestBody` named param, in the same
+ * `{ scopes, dynamicParameters: { items } }` shape the HTTP resolver POSTs — built
+ * by the shared {@link buildRequestBody}, so the two transports stay in lockstep.
+ *
+ * Why Aura (not the HTTP resolver): the mint endpoint is a same-origin core
+ * resource, and routing it over Aura keeps session/CSRF handling inside the Aura
+ * stack rather than issuing a credentialed cross-cutting `fetch` from the client.
+ * This mirrors the legacy parameterless `platformSfapJwtResolver` in
+ * `network-sfap.ts`, which already mints over Aura via the `getSFAPLightningJwtService`
+ * generated method — this is the parameterized sibling of that call.
+ *
+ * A `JwtResolver` is invoked directly by `JwtManager` (not through Luvio's
+ * `appRouter`/`ResourceRequest` pipeline), so the correct mechanism is a direct
+ * named-controller `dispatchAuraAction`, not the `auraNetworkAdapter`/connect-route
+ * table. The SFAP JWT endpoint is not registered as a connect-over-Aura route, and
+ * a resolver has no `ResourceRequest` for the router to look up.
+ */
+export declare class ParameterizedSfapJwtAuraResolver implements JwtResolver<ParameterizedSfapExtraInfo> {
+    getJwt(params?: JwtMintParams): Promise<{
+        jwt: string;
+        extraInfo: ParameterizedSfapExtraInfo;
+    }>;
+}
+export declare function buildParameterizedSfapJwtAuraResolver(): ParameterizedSfapJwtAuraResolver;

package/dist/types/request-interceptors/csrf-manager.d.ts

@@ -1,45 +1,8 @@
+import { type RenewableResourceManager } from '@conduit-client/service-renewable-resource-manager/v1';
 /**
- * Manages CSRF token fetching and caching for secure requests.
- * Implements a singleton pattern to ensure consistent token management across the application.
+ * Builds the CSRF token manager: a {@link BasicRenewableResourceManager} that
+ * lazily caches the token in durable storage, coalesces concurrent fetches onto
+ * a single in-flight request, and dedups refresh storms. Registered as a
+ * provisioner service (`csrfTokenManager`) by `initializeOneStore`.
  */
-declare class CsrfTokenManager {
-    private static instance;
-    private tokenPromise;
-    private refreshInFlight;
-    private storage;
-    private constructor();
-    static getInstance(): CsrfTokenManager;
-    /**
-     * Obtain a CSRF token, either from AuraStorage or by fetching a fresh one.
-     *
-     * @private
-     */
-    private loadOrFetchToken;
-    /**
-     * Call API endpoint to acquire a CSRF token and cache it.
-     *
-     * @private
-     */
-    private fetchFreshToken;
-    /**
-     * Returns the current token value as a Promise.
-     * Lazy-loads the token on first call (from cache or by fetching).
-     */
-    getToken(): Promise<string | undefined>;
-    /**
-     * Obtains and returns a new token value as a promise.
-     * This will clear the cached token and fetch a fresh one.
-     *
-     * Concurrent calls coalesce onto a single in-flight refresh — important when
-     * multiple requests fail with INVALID_ACCESS_TOKEN simultaneously and each
-     * retry policy independently calls refreshToken(). Without this, every caller
-     * triggers its own /session/csrf round-trip.
-     */
-    refreshToken(): Promise<string | undefined>;
-    /**
-     * Reset the singleton instance (useful for testing).
-     * @internal
-     */
-    static resetInstance(): void;
-}
-export { CsrfTokenManager };
+export declare function buildCsrfTokenManager(): RenewableResourceManager<string>;

package/dist/types/request-interceptors/csrf-service.d.ts

@@ -0,0 +1,19 @@
+import type { RenewableResourceManager } from '@conduit-client/service-renewable-resource-manager/v1';
+/**
+ * Service name the CSRF token manager is registered under by
+ * `initializeOneStore` (see `buildRenewableResourceManagerDescriptor`).
+ */
+export declare const CSRF_TOKEN_MANAGER_SERVICE = "csrfTokenManager";
+/**
+ * Resolves the CSRF token manager from the service provisioner.
+ *
+ * The manager is registered during `initializeOneStore`, which runs before any
+ * request flows; the interceptors and retry policies that call this resolve
+ * lazily (per request / per retry), so the service is always available by then.
+ *
+ * The resolved promise is memoized so resolution happens once rather than per
+ * request. A rejection is NOT memoized — `getServices` rejects when the service
+ * is unavailable, and caching that would permanently wedge CSRF handling — so a
+ * later call retries the resolution.
+ */
+export declare function getCsrfTokenManager(): Promise<RenewableResourceManager<string>>;

package/dist/types/request-interceptors/first-party-header.d.ts

@@ -0,0 +1,17 @@
+import { type RequestInterceptor } from '@conduit-client/service-fetch-network/v1';
+import type { ResourceRequest } from '@luvio/engine';
+/**
+ * Builds a request interceptor that adds the LDS first party header to every
+ * outbound request.
+ *
+ * @returns A RequestInterceptor function for FetchParameters
+ */
+export declare function buildFirstPartyHeaderInterceptor(): RequestInterceptor;
+/**
+ * Builds a Luvio request interceptor that adds the LDS first party header to
+ * every outbound `ResourceRequest`. See {@link buildFirstPartyHeaderInterceptor} for
+ * the header semantics.
+ *
+ * @returns A request interceptor for Luvio ResourceRequest objects
+ */
+export declare function buildLuvioFirstPartyHeaderInterceptor(): (resourceRequest: ResourceRequest) => Promise<ResourceRequest>;

package/dist/types/request-interceptors/jwt-parameterization.d.ts

@@ -0,0 +1,50 @@
+import type { FetchParameters, RequestInterceptor } from '@conduit-client/service-fetch-network/v1';
+import { type JwtRequestModifier } from '@conduit-client/service-fetch-network/v1';
+import type { JwtManager } from '@conduit-client/jwt-manager';
+import type { ExtraInfo } from '../network-sfap';
+/**
+ * The context-seed key under which a custom command forwards its JWT mint
+ * parameters. The framework's `buildServiceDescriptor` merges the request init's
+ * `__contextSeed` onto the per-request interceptor context, so this interceptor
+ * reads the params off `context[JWT_MINT_PARAMS_SEED_KEY]`.
+ *
+ * This is a cross-team contract: the custom command writes this key, this
+ * interceptor reads it. It is intentionally an opaque key — OneStore does not
+ * define it and never inspects the param shape; the typed shape lives in the
+ * resolver.
+ */
+export declare const JWT_MINT_PARAMS_SEED_KEY = "jwtMintParams";
+/**
+ * Returns `true` if the fetch arguments already carry an `Authorization` header,
+ * across the three shapes the framework's `setHeader` handles: a `Request`
+ * resource's own headers, an `options.headers` `Headers` instance, or a plain
+ * record. The descriptor's guarded legacy interceptor uses this to skip when the
+ * parameterized interceptor has already authorized the request — avoiding a second
+ * mint and the throw `setHeaderAuthorization` raises on an existing header.
+ */
+export declare function hasAuthorizationHeader([resource, options]: FetchParameters): boolean;
+/**
+ * Builds the request interceptor that bridges the per-request context seed to the
+ * dispatching SFAP JwtManager for the **parameterized** mint path.
+ *
+ * For a parameterized SFAP command, the context carries `jwtMintParams`. This
+ * interceptor reads them, calls `jwtManager.getJwt(params)` (which the dispatching
+ * resolver routes to the parameterized resolver), attaches the `Authorization`
+ * header, and rewrites the request URL via the minted `baseUri`. The presence of
+ * that `Authorization` header is the signal the descriptor's guarded legacy
+ * interceptor uses to skip — so the legacy path does not mint a second time.
+ *
+ * For a legacy parameterless command the context carries no `jwtMintParams`, so
+ * this interceptor **early-returns on its first line** and the request flows
+ * unchanged to the legacy `buildJwtRequestHeaderInterceptor` — guaranteeing zero
+ * behavior change for non-opted-in adapters.
+ *
+ * Lives in `lds-lightning-platform` (not OneStore) beside the existing SFAP/CSRF
+ * interceptors, per the JWT-parameterization ADR §5: OneStore provides only the
+ * generic interceptor mechanism and the opaque context-seed channel; the service-
+ * specific bridge is a runtime-layer concern.
+ *
+ * @param jwtManager - the dispatching SFAP JwtManager
+ * @param jwtRequestModifier - applies the minted `extraInfo.baseUri` to the request URL
+ */
+export declare function buildJwtParameterizationInterceptor(jwtManager: JwtManager<unknown, ExtraInfo>, jwtRequestModifier?: JwtRequestModifier): RequestInterceptor;

package/dist/types/response-interceptors/error-body-normalization.d.ts

@@ -0,0 +1,20 @@
+import type { ResponseInterceptor as LuvioResponseInterceptor } from '@salesforce/lds-network-fetch';
+/**
+ * Normalizes Connect REST error envelopes into the Aura Shape A
+ * (ConnectInJava) shape, so consumers can read `response.body.errorCode`
+ * regardless of transport.
+ *
+ * - HTTP error envelope (this path): `[{ errorCode, message }, ...]`
+ * - Aura Shape A: `{ errorCode, message, statusCode, ... }`
+ *
+ * The full array is preserved at `body.enhancedErrorInfo.allErrors` since
+ * Connect can return multiple errors per response.
+ *
+ * Aura Shape B (`{ error: "..." }`) is an Aura-only fallback that never
+ * appears on the HTTP path, so no normalization is needed for it here.
+ *
+ * Ordering: must run AFTER any other interceptor that inspects the raw
+ * error body shape (e.g. the 5xx interceptor's ErrorId extraction reads
+ * `body[0].message` from the array form).
+ */
+export declare function buildLuvioErrorBodyNormalizationInterceptor(): LuvioResponseInterceptor;

package/dist/types/response-interceptors/{lex-runtime-auth-expiration-redirect.d.ts → lex-runtime-session-expiration.d.ts}

@@ -1,5 +1,5 @@
 import type { LoggerService } from '@conduit-client/utils';
 import type { ResponseInterceptor } from '@conduit-client/service-fetch-network/v1';
 import type { ResponseInterceptor as LuvioResponseInterceptor } from '@salesforce/lds-network-fetch';
-export declare function buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger: LoggerService): ResponseInterceptor;
-export declare function buildLexRuntimeLuvioAuthExpirationRedirectResponseInterceptor(): LuvioResponseInterceptor;
+export declare function buildLexRuntimeSessionExpirationResponseInterceptor(logger: LoggerService): ResponseInterceptor;
+export declare function buildLexRuntimeLuvioSessionExpirationResponseInterceptor(): LuvioResponseInterceptor;

package/dist/types/retry-policies/csrf-token-retry-policy.d.ts

@@ -26,7 +26,6 @@ export interface MutableFetchRequest {
  */
 export declare class CsrfTokenRetryPolicy extends RetryPolicy<Response> {
     private config;
-    private csrfTokenManager;
     private requestContext?;
     constructor(config?: CsrfTokenRetryPolicyConfig);
     /**

package/dist/types/retry-policies/luvio-csrf-token-retry-policy.d.ts

@@ -12,7 +12,6 @@ export interface MutableLuvioRequest {
 }
 export declare class LuvioCsrfTokenRetryPolicy extends RetryPolicy<FetchResponse<any>> {
     private config;
-    private csrfTokenManager;
     private requestContext?;
     constructor(config?: LuvioCsrfTokenRetryPolicyConfig);
     setRequestContext(context: MutableLuvioRequest): void;

package/dist/types/sfap-jwt-mint-params.d.ts

@@ -0,0 +1,69 @@
+import type { JwtMintParams } from '@conduit-client/jwt-manager';
+/**
+ * Typed shape of the params the SFAP Lightning JWT Service understands.
+ * Lives in the resolver layer because OneStore is param-shape-agnostic; it
+ * sees only an opaque `JwtMintParams` bag and stable-JSON-stringifies it for
+ * cache keying.
+ */
+export type SfapJwtMintParams = {
+    scopes?: string[];
+    dynamicParams?: Record<string, string>;
+};
+/**
+ * The `extraInfo` the SFAP JWT resolver returns alongside the minted token: the
+ * per-tenant base URI the downstream SFAP API request is rewritten to.
+ */
+export type ParameterizedSfapExtraInfo = {
+    baseUri: string;
+};
+type DynamicParameterItem = {
+    name: string;
+    value: string;
+};
+/**
+ * The SFAP Lightning JWT Service mint request body. Sent as the `requestBody`
+ * named param of the `postSFAPLightningJwtService` Aura controller method.
+ * Matches the server's `SFAPLightningJwtServiceInputRepresentation`: `scopes` is
+ * a single space-delimited string; `dynamicParameters` is `{ items: [{ name, value }] }`.
+ */
+export type SfapJwtRequestBody = {
+    scopes?: string;
+    dynamicParameters?: {
+        items: DynamicParameterItem[];
+    };
+};
+/**
+ * Normalize SFAP-shaped params into the opaque `JwtMintParams` bag that callers
+ * hand to `JwtManager.getJwt(params)`. Scopes are sorted because they are
+ * semantically a set — without this, `['a', 'b']` and `['b', 'a']` would cache
+ * as separate entries (OneStore treats arrays as ordered under stable-JSON
+ * serialization; see ADR "JWT Parameterization" §2).
+ *
+ * MANDATORY CONSUMER ENTRY POINT. Every consumer that mints a parameterized
+ * SFAP JWT MUST assemble its params through this function before calling the
+ * manager. The cache key is derived by `JwtManager` from the caller's params
+ * (`cacheKeyFor(params)`) *before* the resolver runs — so the resolver cannot
+ * normalize after the fact. Set-stable caching therefore depends on the caller
+ * routing params through here. Do NOT sort inside the resolver: that would only
+ * reorder the wire body, not the cache key, and mutating the caller's params
+ * mid-call would desync the in-flight-dedup key from the stored-token key.
+ */
+export declare function buildSfapJwtMintParams(params: SfapJwtMintParams): JwtMintParams;
+export type SfapParamsResult = {
+    params: SfapJwtMintParams;
+} | {
+    error: string;
+};
+/**
+ * Validate and narrow an opaque `JwtMintParams` bag to the SFAP-shaped subset the
+ * resolver forwards. Returns `{ error }` (surfaced as a resolver rejection) for a
+ * malformed bag rather than throwing.
+ */
+export declare function coerceToSfapParams(params: JwtMintParams): SfapParamsResult;
+/**
+ * Build the SFAP mint request body from the coerced params: `scopes` joined into a
+ * single space-delimited string, `dynamicParams` mapped to `dynamicParameters.items`.
+ * Empty scopes / dynamic params are omitted.
+ */
+export declare function buildRequestBody(params: SfapJwtMintParams): SfapJwtRequestBody;
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@salesforce/lds-runtime-aura",
-    "version": "1.442.0",
+    "version": "1.444.0",
     "license": "SEE LICENSE IN LICENSE.txt",
     "description": "LDS engine for Aura runtime.",
     "main": "dist/ldsEngineCreator.js",
@@ -34,60 +34,62 @@
         "release:corejar": "yarn build && ../core-build/scripts/core.js --name=lds-runtime-aura"
     },
     "devDependencies": {
-        "@conduit-client/service-provisioner": "3.21.0",
-        "@conduit-client/tools-core": "3.21.0",
-        "@salesforce/lds-adapters-apex": "^1.442.0",
-        "@salesforce/lds-adapters-uiapi": "^1.442.0",
-        "@salesforce/lds-ads-bridge": "^1.442.0",
-        "@salesforce/lds-aura-storage": "^1.442.0",
-        "@salesforce/lds-bindings": "^1.442.0",
-        "@salesforce/lds-instrumentation": "^1.442.0",
-        "@salesforce/lds-network-adapter": "^1.442.0",
-        "@salesforce/lds-network-aura": "^1.442.0",
-        "@salesforce/lds-network-fetch": "^1.442.0",
+        "@conduit-client/service-provisioner": "3.23.1",
+        "@conduit-client/tools-core": "3.23.1",
+        "@salesforce/lds-adapters-apex": "^1.444.0",
+        "@salesforce/lds-adapters-uiapi": "^1.444.0",
+        "@salesforce/lds-ads-bridge": "^1.444.0",
+        "@salesforce/lds-aura-storage": "^1.444.0",
+        "@salesforce/lds-bindings": "^1.444.0",
+        "@salesforce/lds-instrumentation": "^1.444.0",
+        "@salesforce/lds-network-adapter": "^1.444.0",
+        "@salesforce/lds-network-aura": "^1.444.0",
+        "@salesforce/lds-network-fetch": "^1.444.0",
         "jwt-encode": "1.0.1"
     },
     "dependencies": {
-        "@conduit-client/command-aura-graphql-normalized-cache-control": "3.21.0",
-        "@conduit-client/command-aura-network": "3.21.0",
-        "@conduit-client/command-aura-normalized-cache-control": "3.21.0",
-        "@conduit-client/command-aura-resource-cache-control": "3.21.0",
-        "@conduit-client/command-fetch-network": "3.21.0",
-        "@conduit-client/command-http-graphql-normalized-cache-control": "3.21.0",
-        "@conduit-client/command-http-normalized-cache-control": "3.21.0",
-        "@conduit-client/command-ndjson": "3.21.0",
-        "@conduit-client/command-network": "3.21.0",
-        "@conduit-client/command-sse": "3.21.0",
-        "@conduit-client/command-streaming": "3.21.0",
-        "@conduit-client/service-aura-network": "3.21.0",
-        "@conduit-client/service-bindings-imperative": "3.21.0",
-        "@conduit-client/service-bindings-lwc": "3.21.0",
-        "@conduit-client/service-cache": "3.21.0",
-        "@conduit-client/service-cache-control": "3.21.0",
-        "@conduit-client/service-cache-inclusion-policy": "3.21.0",
-        "@conduit-client/service-config": "3.21.0",
-        "@conduit-client/service-feature-flags": "3.21.0",
-        "@conduit-client/service-fetch-network": "3.21.0",
-        "@conduit-client/service-instrument-command": "3.21.0",
-        "@conduit-client/service-pubsub": "3.21.0",
-        "@conduit-client/service-store": "3.21.0",
-        "@conduit-client/utils": "3.21.0",
-        "@luvio/network-adapter-composable": "0.160.5",
-        "@luvio/network-adapter-fetch": "0.160.5",
+        "@conduit-client/command-aura-graphql-normalized-cache-control": "3.23.1",
+        "@conduit-client/command-aura-network": "3.23.1",
+        "@conduit-client/command-aura-normalized-cache-control": "3.23.1",
+        "@conduit-client/command-aura-resource-cache-control": "3.23.1",
+        "@conduit-client/command-fetch-network": "3.23.1",
+        "@conduit-client/command-http-graphql-normalized-cache-control": "3.23.1",
+        "@conduit-client/command-http-normalized-cache-control": "3.23.1",
+        "@conduit-client/command-ndjson": "3.23.1",
+        "@conduit-client/command-network": "3.23.1",
+        "@conduit-client/command-sse": "3.23.1",
+        "@conduit-client/command-streaming": "3.23.1",
+        "@conduit-client/jwt-manager": "3.23.1",
+        "@conduit-client/service-aura-network": "3.23.1",
+        "@conduit-client/service-bindings-imperative": "3.23.1",
+        "@conduit-client/service-bindings-lwc": "3.23.1",
+        "@conduit-client/service-cache": "3.23.1",
+        "@conduit-client/service-cache-control": "3.23.1",
+        "@conduit-client/service-cache-inclusion-policy": "3.23.1",
+        "@conduit-client/service-config": "3.23.1",
+        "@conduit-client/service-feature-flags": "3.23.1",
+        "@conduit-client/service-fetch-network": "3.23.1",
+        "@conduit-client/service-instrument-command": "3.23.1",
+        "@conduit-client/service-pubsub": "3.23.1",
+        "@conduit-client/service-renewable-resource-manager": "3.23.1",
+        "@conduit-client/service-store": "3.23.1",
+        "@conduit-client/utils": "3.23.1",
+        "@luvio/network-adapter-composable": "0.161.0",
+        "@luvio/network-adapter-fetch": "0.161.0",
         "@lwc/state": "^0.29.0",
-        "@salesforce/lds-adapters-onestore-graphql": "^1.442.0",
+        "@salesforce/lds-adapters-onestore-graphql": "^1.444.0",
         "@salesforce/lds-adapters-uiapi-lex": "^1.415.0",
-        "@salesforce/lds-durable-storage": "^1.442.0",
-        "@salesforce/lds-luvio-service": "^1.442.0",
-        "@salesforce/lds-luvio-uiapi-records-service": "^1.442.0"
+        "@salesforce/lds-durable-storage": "^1.444.0",
+        "@salesforce/lds-luvio-service": "^1.444.0",
+        "@salesforce/lds-luvio-uiapi-records-service": "^1.444.0"
     },
     "luvioBundlesize": [
         {
             "path": "./dist/ldsEngineCreator.js",
             "maxSize": {
-                "none": "383 kB",
+                "none": "410 kB",
                 "min": "190 kB",
-                "compressed": "64.5 kB"
+                "compressed": "71 kB"
             }
         }
     ],