@salesforce/lds-runtime-aura 1.443.0 → 1.444.0

package/dist/ldsEngineCreator.js

@@ -24,7 +24,7 @@ import { findExecutableOperation, buildGraphQLInputExtension, addTypenameToDocum
 import { print, resolveAndValidateGraphQLConfig, toGraphQLErrorResponse } from 'force/luvioOnestoreGraphqlParser';
 import getServices, { setServices } from 'force/luvioServiceProvisioner1';
 import { assertIsValid, JsonSchemaViolationError, MissingRequiredPropertyError } from 'force/luvioJsonschemaValidate5';
-import { dispatchGlobalEvent, executeGlobalControllerRawResponse } from 'aura';
+import { dispatchGlobalEvent as dispatchGlobalEvent$1, executeGlobalControllerRawResponse } from 'aura';
 import auraNetworkAdapter, { dispatchAuraAction, defaultActionConfig, instrument as instrument$1, forceRecordTransactionsDisabled as forceRecordTransactionsDisabled$1, ldsNetworkAdapterInstrument, CrudEventState, CrudEventType, UIAPI_RECORDS_PATH, UIAPI_RELATED_LIST_RECORDS_BATCH_PATH, UIAPI_RELATED_LIST_RECORDS_PATH } from 'force/ldsNetwork';
 import { ThirdPartyTracker } from 'instrumentation:thirdPartyTracker';
 import { markStart, markEnd, counter, registerCacheStats, perfStart, perfEnd, registerPeriodicLogger, interaction, timer, mark } from 'instrumentation/service';
@@ -234,6 +234,19 @@ var HttpStatusCode$1 = /* @__PURE__ */ ((HttpStatusCode2) => {
   HttpStatusCode2[HttpStatusCode2["GatewayTimeout"] = 504] = "GatewayTimeout";
   return HttpStatusCode2;
 })(HttpStatusCode$1 || {});
+function getFetchResponseFromAuraError(err2) {
+  if (err2.data !== void 0 && err2.data.statusCode !== void 0) {
+    let data = {};
+    data = err2.data;
+    if (err2.id !== void 0) {
+      data.id = err2.id;
+    }
+    return new FetchResponse(data.statusCode, data);
+  }
+  return new FetchResponse(500, {
+    error: err2.message
+  });
+}
 async function coerceResponseToFetchResponse(response) {
   const { status } = response;
   const responseHeaders = {};
@@ -388,7 +401,7 @@ class AuraNetworkCommand extends NetworkCommand$1 {
     );
   }
   coerceAuraErrors(auraErrors) {
-    return toError(auraErrors[0]);
+    return new UserVisibleError(getFetchResponseFromAuraError(auraErrors[0]));
   }
   /**
    * Customize how non-2xx fetch fallback responses are converted into errors.
@@ -573,7 +586,10 @@ function deepEquals$1(x, y) {
     }
     for (let i = 0; i < xkeys.length; ++i) {
       const key = xkeys[i];
-      if (!deepEquals$1(x[key], y[key])) {
+      if (!deepEquals$1(
+        x[key],
+        y[key]
+      )) {
         return false;
       }
     }
@@ -2644,7 +2660,7 @@ function buildServiceDescriptor$d(luvio) {
         },
     };
 }
-// version: 1.443.0-be70f6bb6e
+// version: 1.444.0-a7f42f9edf
 
 class AuraGraphQLNormalizedCacheControlCommand extends AuraNormalizedCacheControlCommand {
   constructor(config, documentRootType, services) {
@@ -2982,7 +2998,7 @@ function buildServiceDescriptor$9(notifyRecordUpdateAvailable, getNormalizedLuvi
         },
     };
 }
-// version: 1.443.0-be70f6bb6e
+// version: 1.444.0-a7f42f9edf
 
 class RetryService {
   constructor(defaultRetryPolicy) {
@@ -3408,7 +3424,10 @@ class GraphQLImperativeBindingsService {
           const options = {
             acceptedOperations: ["query"]
           };
-          const result = resolveAndValidateGraphQLConfig(params[0], options);
+          const result = resolveAndValidateGraphQLConfig(
+            params[0],
+            options
+          );
           if (result?.isErr()) {
             return result.error;
           }
@@ -3605,7 +3624,10 @@ class GraphQLMutationBindingsService {
           const options = {
             acceptedOperations: ["mutation"]
           };
-          const result2 = resolveAndValidateGraphQLConfig(params[0], options);
+          const result2 = resolveAndValidateGraphQLConfig(
+            params[0],
+            options
+          );
           if (result2?.isErr()) {
             return {
               data: void 0,
@@ -4667,7 +4689,7 @@ var TypeCheckShapes;
     TypeCheckShapes[TypeCheckShapes["Integer"] = 3] = "Integer";
     TypeCheckShapes[TypeCheckShapes["Unsupported"] = 4] = "Unsupported";
 })(TypeCheckShapes || (TypeCheckShapes = {}));
-// engine version: 0.160.5-e6ada846
+// engine version: 0.161.0-fe06f180
 
 const { keys: keys$1 } = Object;
 
@@ -4762,6 +4784,10 @@ const SALESFORCE_API_BASE_URI_FLAG = 'api.salesforce.com';
 const X_REQUEST_ID_HEADER = 'x-request-id';
 const SFAPController = 'SalesforceApiPlatformController';
 const SFAPJwtMethod = 'getSFAPLightningJwtService';
+// Parameterized mint: the POST signature's auto-generated Aura method
+// (`@ConnectSignature(..., generateAuraMethod = true)` on the SFAP Lightning JWT
+// Service Connect resource). Takes a single `requestBody` named param.
+const SFAPJwtPostMethod = 'postSFAPLightningJwtService';
 /**
  * We expect jwt info and baseUri to be present in the response.
  *
@@ -4908,6 +4934,144 @@ function generateRequestId$1() {
     }
 }
 
+/**
+ * Normalize SFAP-shaped params into the opaque `JwtMintParams` bag that callers
+ * hand to `JwtManager.getJwt(params)`. Scopes are sorted because they are
+ * semantically a set — without this, `['a', 'b']` and `['b', 'a']` would cache
+ * as separate entries (OneStore treats arrays as ordered under stable-JSON
+ * serialization; see ADR "JWT Parameterization" §2).
+ *
+ * MANDATORY CONSUMER ENTRY POINT. Every consumer that mints a parameterized
+ * SFAP JWT MUST assemble its params through this function before calling the
+ * manager. The cache key is derived by `JwtManager` from the caller's params
+ * (`cacheKeyFor(params)`) *before* the resolver runs — so the resolver cannot
+ * normalize after the fact. Set-stable caching therefore depends on the caller
+ * routing params through here. Do NOT sort inside the resolver: that would only
+ * reorder the wire body, not the cache key, and mutating the caller's params
+ * mid-call would desync the in-flight-dedup key from the stored-token key.
+ */
+/**
+ * Validate and narrow an opaque `JwtMintParams` bag to the SFAP-shaped subset the
+ * resolver forwards. Returns `{ error }` (surfaced as a resolver rejection) for a
+ * malformed bag rather than throwing.
+ */
+function coerceToSfapParams(params) {
+    const scopes = params.scopes;
+    const dynamicParams = params.dynamicParams;
+    if (scopes !== undefined && !isStringArray(scopes)) {
+        return { error: 'SFAP JWT params.scopes must be a string[] when provided.' };
+    }
+    if (dynamicParams !== undefined && !isStringRecord(dynamicParams)) {
+        return {
+            error: 'SFAP JWT params.dynamicParams must be a Record<string, string> when provided.',
+        };
+    }
+    return { params: { scopes, dynamicParams } };
+}
+function isStringArray(value) {
+    return Array.isArray(value) && value.every((s) => typeof s === 'string');
+}
+function isStringRecord(value) {
+    if (typeof value !== 'object' || value === null || Array.isArray(value)) {
+        return false;
+    }
+    return Object.values(value).every((v) => typeof v === 'string');
+}
+/**
+ * Build the SFAP mint request body from the coerced params: `scopes` joined into a
+ * single space-delimited string, `dynamicParams` mapped to `dynamicParameters.items`.
+ * Empty scopes / dynamic params are omitted.
+ */
+function buildRequestBody(params) {
+    const body = {};
+    if (params.scopes && params.scopes.length > 0) {
+        body.scopes = params.scopes.join(' ');
+    }
+    if (params.dynamicParams) {
+        const items = Object.entries(params.dynamicParams).map(([name, value]) => ({ name, value }));
+        if (items.length > 0) {
+            body.dynamicParameters = { items };
+        }
+    }
+    return body;
+}
+
+/**
+ * Parameterized SFAP JWT resolver that mints over **Aura transport** instead of a
+ * direct HTTP `fetch`.
+ *
+ * It dispatches the SFAP Lightning JWT Service's parameterized POST via its
+ * auto-generated Aura controller method
+ * `SalesforceApiPlatformController.postSFAPLightningJwtService` (generated by
+ * `@ConnectSignature(..., generateAuraMethod = true)` on the Connect resource).
+ * The mint inputs ride as the single `requestBody` named param, in the same
+ * `{ scopes, dynamicParameters: { items } }` shape the HTTP resolver POSTs — built
+ * by the shared {@link buildRequestBody}, so the two transports stay in lockstep.
+ *
+ * Why Aura (not the HTTP resolver): the mint endpoint is a same-origin core
+ * resource, and routing it over Aura keeps session/CSRF handling inside the Aura
+ * stack rather than issuing a credentialed cross-cutting `fetch` from the client.
+ * This mirrors the legacy parameterless `platformSfapJwtResolver` in
+ * `network-sfap.ts`, which already mints over Aura via the `getSFAPLightningJwtService`
+ * generated method — this is the parameterized sibling of that call.
+ *
+ * A `JwtResolver` is invoked directly by `JwtManager` (not through Luvio's
+ * `appRouter`/`ResourceRequest` pipeline), so the correct mechanism is a direct
+ * named-controller `dispatchAuraAction`, not the `auraNetworkAdapter`/connect-route
+ * table. The SFAP JWT endpoint is not registered as a connect-over-Aura route, and
+ * a resolver has no `ResourceRequest` for the router to look up.
+ */
+class ParameterizedSfapJwtAuraResolver {
+    getJwt(params) {
+        return new Promise((resolve, reject) => {
+            if (params === undefined) {
+                // Misuse: the dispatching resolver routes parameterless calls to the
+                // legacy resolver. Reject so production fails loudly here.
+                reject('ParameterizedSfapJwtAuraResolver requires JwtMintParams. The legacy parameterless path should be served by platformSfapJwtResolver.');
+                return;
+            }
+            const coerced = coerceToSfapParams(params);
+            if ('error' in coerced) {
+                reject(coerced.error);
+                return;
+            }
+            // The mint inputs become the single `requestBody` named param of the
+            // generated Aura method (Aura binds top-level keys to the controller
+            // method's named args). Reuses the HTTP resolver's body builder so both
+            // transports send an identical shape.
+            const requestBody = buildRequestBody(coerced.params);
+            // No fetchImpl / requestInterceptor / CSRF / credentials handling here —
+            // the Aura stack owns session + CSRF. Matches the legacy resolver's call.
+            dispatchAuraAction(`${SFAPController}.${SFAPJwtPostMethod}`, { requestBody }, defaultActionConfig)
+                .then((response) => {
+                const body = response.body;
+                if (!body || typeof body.jwt !== 'string' || typeof body.baseUri !== 'string') {
+                    // Never serialize the body into the error — it may carry a JWT.
+                    reject('SFAP JWT response missing required fields (jwt, baseUri)');
+                    return;
+                }
+                resolve({ jwt: body.jwt, extraInfo: { baseUri: body.baseUri } });
+            })
+                .catch((error) => {
+                // Error mapping ported from the legacy platformSfapJwtResolver
+                // (network-sfap.ts): plain Errors carry a message; non-500
+                // AuraFetchResponses are ConnectInJava errors with a typed body;
+                // 500s carry an { error } body.
+                if (error instanceof Error) {
+                    reject(error.message);
+                    return;
+                }
+                const { status } = error;
+                if (status !== HttpStatusCode$2.ServerError) {
+                    reject(error.body.message);
+                    return;
+                }
+                reject(error.body.error);
+            });
+        });
+    }
+}
+
 /**
  * Observability / Critical Availability Program (230+)
  *
@@ -5658,7 +5822,9 @@ class PrioritizedConfigService {
   // ConfigService.set
   set(priority, setter) {
     this.validated = false;
-    return setter(this.prioritizedConfigData[priority]);
+    return setter(
+      this.prioritizedConfigData[priority]
+    );
   }
   // returns the highest priority value for a given path, undefined if no value
   // is defined for the path at any priority
@@ -5717,7 +5883,7 @@ function getEnvironmentSetting(name) {
     }
     return undefined;
 }
-// version: 1.443.0-3de9a44799
+// version: 1.444.0-86f5a57eb3
 
 /**
  * Helpers for reaching the Aura framework from the LDS Aura runtime.
@@ -5727,6 +5893,14 @@ function getEnvironmentSetting(name) {
  * `$A` lookup in one place instead of duplicating the `environmentHasAura`
  * check across modules.
  */
+/**
+ * Fires an Aura application-level event (e.g. `aura:invalidSession`). Thin
+ * pass-through to the `aura` framework module so callers depend on this util
+ * rather than importing `aura` directly.
+ */
+function dispatchGlobalEvent(...args) {
+    dispatchGlobalEvent$1(...args);
+}
 /**
  * Returns `$A.clientService` when running inside an Aura environment, or
  * `undefined` otherwise. Defensive: never throws.
@@ -5997,34 +6171,54 @@ function buildLuvioPageScopedCacheRequestInterceptor() {
     };
 }
 
-function buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger) {
+// Two distinct session-expiration cases on the LEX runtime path:
+// - 401 + INVALID_SESSION_ID — auth token rejected
+// - 403 + `x-sfdc-csrf-failure: true` — CSRF token rejected, session is dead
+// Both fire `aura:invalidSession`, which routes the user back to login.
+//
+// 403 access denials (INSUFFICIENT_ACCESS / INSUFFICIENT_ACCESS_OR_READONLY) are
+// intentionally NOT handled here — `aura:noAccess` without a `redirectURL`
+// triggers AuraClientService.hardRefresh() which is too heavy-handed for routine
+// "feature not enabled for this org" responses. The wire layer surfaces those
+// as normal errors; onestore PR #838 (`aura-network-command`) handles the
+// gack-noise on the Aura action path.
+function isSessionExpired(status, headers, body) {
+    if (status === 403) {
+        return headers && headers['x-sfdc-csrf-failure'] === 'true';
+    }
+    if (status === 401) {
+        // Connect REST returns errors as `[{ errorCode, ... }, ...]`; Aura Shape A
+        // uses `{ errorCode, ... }`. This interceptor runs before
+        // `buildLuvioErrorBodyNormalizationInterceptor`, so handle both.
+        const errorCode = Array.isArray(body)
+            ? body[0] && body[0].errorCode
+            : body && body.errorCode;
+        return errorCode === 'INVALID_SESSION_ID';
+    }
+    return false;
+}
+function buildLexRuntimeSessionExpirationResponseInterceptor(logger) {
     return async (response) => {
-        if (response.status === 401) {
-            try {
-                const coercedResponse = (await coerceResponseToFetchResponse(response.clone()));
-                if (coercedResponse.body.errorCode === 'INVALID_SESSION_ID') {
-                    logger.warn(`Received ${response.status} status code from LEX runtime service`);
-                    // Fire the event asynchronously, similar to the legacy setTimeout pattern
-                    window.setTimeout(() => {
-                        dispatchGlobalEvent('aura:invalidSession');
-                    }, 0);
-                }
-            }
-            catch (error) {
-                logger.warn(`Error parsing response from LEX runtime service: ${error}`);
+        const { status } = response;
+        if (status !== 401 && status !== 403)
+            return response;
+        try {
+            const coerced = (await coerceResponseToFetchResponse(response.clone()));
+            if (isSessionExpired(status, coerced.headers, coerced.body)) {
+                logger.warn(`Received ${status} status code from LEX runtime service`);
+                window.setTimeout(() => dispatchGlobalEvent('aura:invalidSession'), 0);
             }
         }
+        catch (error) {
+            logger.warn(`Error parsing response from LEX runtime service: ${error}`);
+        }
         return response;
     };
 }
-function buildLexRuntimeLuvioAuthExpirationRedirectResponseInterceptor() {
+function buildLexRuntimeLuvioSessionExpirationResponseInterceptor() {
     return async (response) => {
-        if (response.status === 401) {
-            if (response.body.errorCode === 'INVALID_SESSION_ID') {
-                window.setTimeout(() => {
-                    dispatchGlobalEvent('aura:invalidSession');
-                }, 0);
-            }
+        if (isSessionExpired(response.status, response.headers, response.body)) {
+            window.setTimeout(() => dispatchGlobalEvent('aura:invalidSession'), 0);
         }
         return response;
     };
@@ -7203,7 +7397,7 @@ const composedFetchNetworkAdapter = {
         retry: buildLuvioFetchRetryInterceptor(),
         response: [
             buildLexRuntimeLuvio5xxStatusResponseInterceptor(),
-            buildLexRuntimeLuvioAuthExpirationRedirectResponseInterceptor(),
+            buildLexRuntimeLuvioSessionExpirationResponseInterceptor(),
             buildLuvioErrorBodyNormalizationInterceptor(),
             buildLuvioTransportMarksReceiveInterceptor(),
             buildLuvioActionMarksReceiveInterceptor(),
@@ -7369,9 +7563,106 @@ function buildCsrfRetryInterceptor() {
     };
 }
 
+/**
+ * The context-seed key under which a custom command forwards its JWT mint
+ * parameters. The framework's `buildServiceDescriptor` merges the request init's
+ * `__contextSeed` onto the per-request interceptor context, so this interceptor
+ * reads the params off `context[JWT_MINT_PARAMS_SEED_KEY]`.
+ *
+ * This is a cross-team contract: the custom command writes this key, this
+ * interceptor reads it. It is intentionally an opaque key — OneStore does not
+ * define it and never inspects the param shape; the typed shape lives in the
+ * resolver.
+ */
+const JWT_MINT_PARAMS_SEED_KEY = 'jwtMintParams';
+/**
+ * Returns `true` if the fetch arguments already carry an `Authorization` header,
+ * across the three shapes the framework's `setHeader` handles: a `Request`
+ * resource's own headers, an `options.headers` `Headers` instance, or a plain
+ * record. The descriptor's guarded legacy interceptor uses this to skip when the
+ * parameterized interceptor has already authorized the request — avoiding a second
+ * mint and the throw `setHeaderAuthorization` raises on an existing header.
+ */
+function hasAuthorizationHeader([resource, options]) {
+    if (resource instanceof Request && resource.headers.has('Authorization')) {
+        return true;
+    }
+    const headers = options?.headers;
+    if (headers === undefined) {
+        return false;
+    }
+    if (headers instanceof Headers) {
+        return headers.has('Authorization');
+    }
+    if (Array.isArray(headers)) {
+        return headers.some(([name]) => name.toLowerCase() === 'authorization');
+    }
+    return Reflect.has(headers, 'Authorization');
+}
+/**
+ * Builds the request interceptor that bridges the per-request context seed to the
+ * dispatching SFAP JwtManager for the **parameterized** mint path.
+ *
+ * For a parameterized SFAP command, the context carries `jwtMintParams`. This
+ * interceptor reads them, calls `jwtManager.getJwt(params)` (which the dispatching
+ * resolver routes to the parameterized resolver), attaches the `Authorization`
+ * header, and rewrites the request URL via the minted `baseUri`. The presence of
+ * that `Authorization` header is the signal the descriptor's guarded legacy
+ * interceptor uses to skip — so the legacy path does not mint a second time.
+ *
+ * For a legacy parameterless command the context carries no `jwtMintParams`, so
+ * this interceptor **early-returns on its first line** and the request flows
+ * unchanged to the legacy `buildJwtRequestHeaderInterceptor` — guaranteeing zero
+ * behavior change for non-opted-in adapters.
+ *
+ * Lives in `lds-lightning-platform` (not OneStore) beside the existing SFAP/CSRF
+ * interceptors, per the JWT-parameterization ADR §5: OneStore provides only the
+ * generic interceptor mechanism and the opaque context-seed channel; the service-
+ * specific bridge is a runtime-layer concern.
+ *
+ * @param jwtManager - the dispatching SFAP JwtManager
+ * @param jwtRequestModifier - applies the minted `extraInfo.baseUri` to the request URL
+ */
+function buildJwtParameterizationInterceptor(jwtManager, jwtRequestModifier = (_extraInfo, fetchArgs) => fetchArgs) {
+    return (fetchArgs, context) => {
+        const jwtContext = context;
+        const mintParams = jwtContext?.[JWT_MINT_PARAMS_SEED_KEY];
+        // No mint params → not a parameterized request. Do nothing; the legacy
+        // interceptor handles it. This MUST be the first statement so non-opted-in
+        // SFAP commands observe no work at all.
+        if (mintParams === undefined) {
+            return resolvedPromiseLike$2(fetchArgs);
+        }
+        return resolvedPromiseLike$2(jwtManager.getJwt(mintParams)).then((token) => {
+            const fetchArgsWithAuthorization = setHeaderAuthorization(token, fetchArgs);
+            return token.extraInfo
+                ? jwtRequestModifier(token.extraInfo, fetchArgsWithAuthorization)
+                : fetchArgsWithAuthorization;
+        });
+    };
+}
+
 const SFAP_BASE_URL = 'api.salesforce.com';
+function buildDispatchingSfapJwtResolver(legacyResolver, parameterizedResolver) {
+    return {
+        getJwt(params) {
+            if (params === undefined) {
+                return legacyResolver.getJwt();
+            }
+            return parameterizedResolver.getJwt(params);
+        },
+    };
+}
+// The parameterized mint is dispatched over **Aura transport**:
+// the resolver calls the SFAP Lightning JWT Service's auto-generated Aura method
+// `SalesforceApiPlatformController.postSFAPLightningJwtService`, so session + CSRF
+// are handled inside the Aura stack. This mirrors the legacy parameterless
+// `platformSfapJwtResolver`, which already mints over Aura. The minted JWT is then
+// attached as a Bearer token on the downstream SFAP API request (which stays HTTP).
+const parameterizedSfapJwtResolver = new ParameterizedSfapJwtAuraResolver();
+const sfapJwtResolver = buildDispatchingSfapJwtResolver(platformSfapJwtResolver, parameterizedSfapJwtResolver);
 const sfapJwtRepository = new JwtRepository();
-const sfapJwtManager = new JwtManager(sfapJwtRepository, platformSfapJwtResolver);
+const sfapJwtManager = new JwtManager(sfapJwtRepository, sfapJwtResolver);
 function prefetchSfapJwt() {
     const maybePromise = sfapJwtManager.getJwt();
     if ('then' in maybePromise) {
@@ -7382,8 +7673,12 @@ function prefetchSfapJwt() {
 function buildJwtAuthorizedSfapFetchServiceDescriptor(logger) {
     const jwtAuthorizedFetchService = buildServiceDescriptor$2({
         createContext: createInstrumentationIdContext(),
-        request: [buildThirdPartyTrackerRegisterInterceptor(), buildJwtRequestInterceptor(logger)],
-        retry: buildCsrfRetryInterceptor(),
+        request: [
+            buildThirdPartyTrackerRegisterInterceptor(),
+            buildJwtParameterizationInterceptor(sfapJwtManager, buildSfapJwtRequestModifier(logger)),
+            // Guarded so it is skipped once the parameterized interceptor handled the request.
+            buildGuardedLegacyJwtRequestInterceptor(logger),
+        ],
         finally: [buildThirdPartyTrackerFinishInterceptor()],
     });
     return {
@@ -7463,8 +7758,13 @@ function buildUnauthorizedFetchServiceDescriptor() {
         tags: { authenticationScopes: '' },
     };
 }
-function buildJwtRequestInterceptor(logger) {
-    const jwtRequestModifier = ({ baseUri }, [resource, request]) => {
+/**
+ * The `JwtRequestModifier` shared by both the legacy and parameterized SFAP
+ * interceptors: it rewrites the request URL's host/protocol to the minted
+ * `extraInfo.baseUri` (only for `api.salesforce.com` resources).
+ */
+function buildSfapJwtRequestModifier(logger) {
+    return ({ baseUri }, [resource, request]) => {
         if (typeof resource !== 'string' && !(resource instanceof URL)) {
             // istanbul ignore else: this will not be tested in NODE_ENV = production for test coverage
             if (process.env.NODE_ENV !== 'production') {
@@ -7482,8 +7782,22 @@ function buildJwtRequestInterceptor(logger) {
         url.protocol = overrideUrl.protocol;
         return [url, request];
     };
-    const jwtRequestHeaderInterceptor = buildJwtRequestHeaderInterceptor(sfapJwtManager, jwtRequestModifier);
-    return jwtRequestHeaderInterceptor;
+}
+function buildJwtRequestInterceptor(logger) {
+    return buildJwtRequestHeaderInterceptor(sfapJwtManager, buildSfapJwtRequestModifier(logger));
+}
+/**
+ * Wraps the legacy `buildJwtRequestHeaderInterceptor` with a pass-through guard:
+ * when the parameterized interceptor has already authorized the request (an
+ * `Authorization` header is present), this returns `args` untouched so the legacy
+ * interceptor does not mint a second time or attempt to set a duplicate
+ * Authorization header (which `setHeaderAuthorization` throws on). For every legacy
+ * (non-parameterized) request no Authorization header is present yet, so the legacy
+ * interceptor runs exactly as before — a strict pass-through.
+ */
+function buildGuardedLegacyJwtRequestInterceptor(logger) {
+    const legacyInterceptor = buildJwtRequestInterceptor(logger);
+    return (args) => hasAuthorizationHeader(args) ? resolvedPromiseLike$2(args) : legacyInterceptor(args);
 }
 
 const PDL_EXECUTE_ASYNC_OPTIONS = {
@@ -10146,7 +10460,7 @@ function getLexRuntimeDefaultInterceptorConfig(logger) {
         retry: buildCsrfRetryInterceptor(),
         response: [
             buildLexRuntime5xxStatusResponseInterceptor(logger),
-            buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger),
+            buildLexRuntimeSessionExpirationResponseInterceptor(logger),
             buildTransportMarksReceiveInterceptor(),
             buildActionMarksReceiveInterceptor(),
         ],
@@ -10163,7 +10477,7 @@ function buildLexRuntimeAllow5xxFetchServiceDescriptor(logger, retryService) {
         ...config,
         // Omit 5xx interceptor - allow 5xx responses to pass through
         response: [
-            buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger),
+            buildLexRuntimeSessionExpirationResponseInterceptor(logger),
             buildTransportMarksReceiveInterceptor(),
             buildActionMarksReceiveInterceptor(),
         ],
@@ -11058,4 +11372,4 @@ function ldsEngineCreator() {
 }
 
 export { LexRequestStrategy, PdlPrefetcherEventType, PdlRequestPriority, buildPredictorForContext, configService, ldsEngineCreator as default, initializeLDS, initializeOneStore, notifyUpdateAvailableFactory, registerRequestStrategy, saveRequestAsPrediction, subscribeToPrefetcherEvents, unregisterRequestStrategy, whenPredictionsReady };
-// version: 1.443.0-be70f6bb6e
+// version: 1.444.0-a7f42f9edf

package/dist/types/aura-utils.d.ts

@@ -6,6 +6,13 @@
  * `$A` lookup in one place instead of duplicating the `environmentHasAura`
  * check across modules.
  */
+import { dispatchGlobalEvent as auraDispatchGlobalEvent } from 'aura';
+/**
+ * Fires an Aura application-level event (e.g. `aura:invalidSession`). Thin
+ * pass-through to the `aura` framework module so callers depend on this util
+ * rather than importing `aura` directly.
+ */
+export declare function dispatchGlobalEvent(...args: Parameters<typeof auraDispatchGlobalEvent>): void;
 /**
  * The subset of the Aura client service LDS reaches for. Methods are optional
  * because availability depends on the host's Aura version and server gates.

package/dist/types/fetch-service-descriptors/jwt-authorized-fetch-service.d.ts

@@ -1,5 +1,8 @@
+import { type JwtResolver } from '@conduit-client/jwt-manager';
 import { type FetchServiceDescriptor } from '@conduit-client/service-fetch-network/v1';
+import { type ExtraInfo } from '../network-sfap';
 import { type LoggerService } from '@conduit-client/utils';
+export declare function buildDispatchingSfapJwtResolver(legacyResolver: JwtResolver<ExtraInfo>, parameterizedResolver: JwtResolver<ExtraInfo>): JwtResolver<ExtraInfo>;
 export declare function prefetchSfapJwt(): Promise<undefined>;
 export declare function buildJwtAuthorizedSfapFetchServiceDescriptor(logger: LoggerService): FetchServiceDescriptor;
 /**

package/dist/types/network-sfap.d.ts

@@ -2,6 +2,7 @@ import type { FetchResponse, ResourceRequest, ResourceRequestContext } from '@lu
 import type { JwtResolver } from '@conduit-client/jwt-manager';
 export declare const SFAPController = "SalesforceApiPlatformController";
 export declare const SFAPJwtMethod = "getSFAPLightningJwtService";
+export declare const SFAPJwtPostMethod = "postSFAPLightningJwtService";
 export type ExtraInfo = {
     baseUri: string;
 };

package/dist/types/parameterized-sfap-jwt-aura-resolver.d.ts

@@ -0,0 +1,34 @@
+import type { JwtMintParams, JwtResolver } from '@conduit-client/jwt-manager';
+import { type ParameterizedSfapExtraInfo } from './sfap-jwt-mint-params';
+/**
+ * Parameterized SFAP JWT resolver that mints over **Aura transport** instead of a
+ * direct HTTP `fetch`.
+ *
+ * It dispatches the SFAP Lightning JWT Service's parameterized POST via its
+ * auto-generated Aura controller method
+ * `SalesforceApiPlatformController.postSFAPLightningJwtService` (generated by
+ * `@ConnectSignature(..., generateAuraMethod = true)` on the Connect resource).
+ * The mint inputs ride as the single `requestBody` named param, in the same
+ * `{ scopes, dynamicParameters: { items } }` shape the HTTP resolver POSTs — built
+ * by the shared {@link buildRequestBody}, so the two transports stay in lockstep.
+ *
+ * Why Aura (not the HTTP resolver): the mint endpoint is a same-origin core
+ * resource, and routing it over Aura keeps session/CSRF handling inside the Aura
+ * stack rather than issuing a credentialed cross-cutting `fetch` from the client.
+ * This mirrors the legacy parameterless `platformSfapJwtResolver` in
+ * `network-sfap.ts`, which already mints over Aura via the `getSFAPLightningJwtService`
+ * generated method — this is the parameterized sibling of that call.
+ *
+ * A `JwtResolver` is invoked directly by `JwtManager` (not through Luvio's
+ * `appRouter`/`ResourceRequest` pipeline), so the correct mechanism is a direct
+ * named-controller `dispatchAuraAction`, not the `auraNetworkAdapter`/connect-route
+ * table. The SFAP JWT endpoint is not registered as a connect-over-Aura route, and
+ * a resolver has no `ResourceRequest` for the router to look up.
+ */
+export declare class ParameterizedSfapJwtAuraResolver implements JwtResolver<ParameterizedSfapExtraInfo> {
+    getJwt(params?: JwtMintParams): Promise<{
+        jwt: string;
+        extraInfo: ParameterizedSfapExtraInfo;
+    }>;
+}
+export declare function buildParameterizedSfapJwtAuraResolver(): ParameterizedSfapJwtAuraResolver;

package/dist/types/request-interceptors/jwt-parameterization.d.ts

@@ -0,0 +1,50 @@
+import type { FetchParameters, RequestInterceptor } from '@conduit-client/service-fetch-network/v1';
+import { type JwtRequestModifier } from '@conduit-client/service-fetch-network/v1';
+import type { JwtManager } from '@conduit-client/jwt-manager';
+import type { ExtraInfo } from '../network-sfap';
+/**
+ * The context-seed key under which a custom command forwards its JWT mint
+ * parameters. The framework's `buildServiceDescriptor` merges the request init's
+ * `__contextSeed` onto the per-request interceptor context, so this interceptor
+ * reads the params off `context[JWT_MINT_PARAMS_SEED_KEY]`.
+ *
+ * This is a cross-team contract: the custom command writes this key, this
+ * interceptor reads it. It is intentionally an opaque key — OneStore does not
+ * define it and never inspects the param shape; the typed shape lives in the
+ * resolver.
+ */
+export declare const JWT_MINT_PARAMS_SEED_KEY = "jwtMintParams";
+/**
+ * Returns `true` if the fetch arguments already carry an `Authorization` header,
+ * across the three shapes the framework's `setHeader` handles: a `Request`
+ * resource's own headers, an `options.headers` `Headers` instance, or a plain
+ * record. The descriptor's guarded legacy interceptor uses this to skip when the
+ * parameterized interceptor has already authorized the request — avoiding a second
+ * mint and the throw `setHeaderAuthorization` raises on an existing header.
+ */
+export declare function hasAuthorizationHeader([resource, options]: FetchParameters): boolean;
+/**
+ * Builds the request interceptor that bridges the per-request context seed to the
+ * dispatching SFAP JwtManager for the **parameterized** mint path.
+ *
+ * For a parameterized SFAP command, the context carries `jwtMintParams`. This
+ * interceptor reads them, calls `jwtManager.getJwt(params)` (which the dispatching
+ * resolver routes to the parameterized resolver), attaches the `Authorization`
+ * header, and rewrites the request URL via the minted `baseUri`. The presence of
+ * that `Authorization` header is the signal the descriptor's guarded legacy
+ * interceptor uses to skip — so the legacy path does not mint a second time.
+ *
+ * For a legacy parameterless command the context carries no `jwtMintParams`, so
+ * this interceptor **early-returns on its first line** and the request flows
+ * unchanged to the legacy `buildJwtRequestHeaderInterceptor` — guaranteeing zero
+ * behavior change for non-opted-in adapters.
+ *
+ * Lives in `lds-lightning-platform` (not OneStore) beside the existing SFAP/CSRF
+ * interceptors, per the JWT-parameterization ADR §5: OneStore provides only the
+ * generic interceptor mechanism and the opaque context-seed channel; the service-
+ * specific bridge is a runtime-layer concern.
+ *
+ * @param jwtManager - the dispatching SFAP JwtManager
+ * @param jwtRequestModifier - applies the minted `extraInfo.baseUri` to the request URL
+ */
+export declare function buildJwtParameterizationInterceptor(jwtManager: JwtManager<unknown, ExtraInfo>, jwtRequestModifier?: JwtRequestModifier): RequestInterceptor;

package/dist/types/response-interceptors/{lex-runtime-auth-expiration-redirect.d.ts → lex-runtime-session-expiration.d.ts}

@@ -1,5 +1,5 @@
 import type { LoggerService } from '@conduit-client/utils';
 import type { ResponseInterceptor } from '@conduit-client/service-fetch-network/v1';
 import type { ResponseInterceptor as LuvioResponseInterceptor } from '@salesforce/lds-network-fetch';
-export declare function buildLexRuntimeAuthExpirationRedirectResponseInterceptor(logger: LoggerService): ResponseInterceptor;
-export declare function buildLexRuntimeLuvioAuthExpirationRedirectResponseInterceptor(): LuvioResponseInterceptor;
+export declare function buildLexRuntimeSessionExpirationResponseInterceptor(logger: LoggerService): ResponseInterceptor;
+export declare function buildLexRuntimeLuvioSessionExpirationResponseInterceptor(): LuvioResponseInterceptor;

package/dist/types/sfap-jwt-mint-params.d.ts

@@ -0,0 +1,69 @@
+import type { JwtMintParams } from '@conduit-client/jwt-manager';
+/**
+ * Typed shape of the params the SFAP Lightning JWT Service understands.
+ * Lives in the resolver layer because OneStore is param-shape-agnostic; it
+ * sees only an opaque `JwtMintParams` bag and stable-JSON-stringifies it for
+ * cache keying.
+ */
+export type SfapJwtMintParams = {
+    scopes?: string[];
+    dynamicParams?: Record<string, string>;
+};
+/**
+ * The `extraInfo` the SFAP JWT resolver returns alongside the minted token: the
+ * per-tenant base URI the downstream SFAP API request is rewritten to.
+ */
+export type ParameterizedSfapExtraInfo = {
+    baseUri: string;
+};
+type DynamicParameterItem = {
+    name: string;
+    value: string;
+};
+/**
+ * The SFAP Lightning JWT Service mint request body. Sent as the `requestBody`
+ * named param of the `postSFAPLightningJwtService` Aura controller method.
+ * Matches the server's `SFAPLightningJwtServiceInputRepresentation`: `scopes` is
+ * a single space-delimited string; `dynamicParameters` is `{ items: [{ name, value }] }`.
+ */
+export type SfapJwtRequestBody = {
+    scopes?: string;
+    dynamicParameters?: {
+        items: DynamicParameterItem[];
+    };
+};
+/**
+ * Normalize SFAP-shaped params into the opaque `JwtMintParams` bag that callers
+ * hand to `JwtManager.getJwt(params)`. Scopes are sorted because they are
+ * semantically a set — without this, `['a', 'b']` and `['b', 'a']` would cache
+ * as separate entries (OneStore treats arrays as ordered under stable-JSON
+ * serialization; see ADR "JWT Parameterization" §2).
+ *
+ * MANDATORY CONSUMER ENTRY POINT. Every consumer that mints a parameterized
+ * SFAP JWT MUST assemble its params through this function before calling the
+ * manager. The cache key is derived by `JwtManager` from the caller's params
+ * (`cacheKeyFor(params)`) *before* the resolver runs — so the resolver cannot
+ * normalize after the fact. Set-stable caching therefore depends on the caller
+ * routing params through here. Do NOT sort inside the resolver: that would only
+ * reorder the wire body, not the cache key, and mutating the caller's params
+ * mid-call would desync the in-flight-dedup key from the stored-token key.
+ */
+export declare function buildSfapJwtMintParams(params: SfapJwtMintParams): JwtMintParams;
+export type SfapParamsResult = {
+    params: SfapJwtMintParams;
+} | {
+    error: string;
+};
+/**
+ * Validate and narrow an opaque `JwtMintParams` bag to the SFAP-shaped subset the
+ * resolver forwards. Returns `{ error }` (surfaced as a resolver rejection) for a
+ * malformed bag rather than throwing.
+ */
+export declare function coerceToSfapParams(params: JwtMintParams): SfapParamsResult;
+/**
+ * Build the SFAP mint request body from the coerced params: `scopes` joined into a
+ * single space-delimited string, `dynamicParams` mapped to `dynamicParameters.items`.
+ * Empty scopes / dynamic params are omitted.
+ */
+export declare function buildRequestBody(params: SfapJwtMintParams): SfapJwtRequestBody;
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@salesforce/lds-runtime-aura",
-    "version": "1.443.0",
+    "version": "1.444.0",
     "license": "SEE LICENSE IN LICENSE.txt",
     "description": "LDS engine for Aura runtime.",
     "main": "dist/ldsEngineCreator.js",
@@ -34,61 +34,62 @@
         "release:corejar": "yarn build && ../core-build/scripts/core.js --name=lds-runtime-aura"
     },
     "devDependencies": {
-        "@conduit-client/service-provisioner": "3.22.0",
-        "@conduit-client/tools-core": "3.22.0",
-        "@salesforce/lds-adapters-apex": "^1.443.0",
-        "@salesforce/lds-adapters-uiapi": "^1.443.0",
-        "@salesforce/lds-ads-bridge": "^1.443.0",
-        "@salesforce/lds-aura-storage": "^1.443.0",
-        "@salesforce/lds-bindings": "^1.443.0",
-        "@salesforce/lds-instrumentation": "^1.443.0",
-        "@salesforce/lds-network-adapter": "^1.443.0",
-        "@salesforce/lds-network-aura": "^1.443.0",
-        "@salesforce/lds-network-fetch": "^1.443.0",
+        "@conduit-client/service-provisioner": "3.23.1",
+        "@conduit-client/tools-core": "3.23.1",
+        "@salesforce/lds-adapters-apex": "^1.444.0",
+        "@salesforce/lds-adapters-uiapi": "^1.444.0",
+        "@salesforce/lds-ads-bridge": "^1.444.0",
+        "@salesforce/lds-aura-storage": "^1.444.0",
+        "@salesforce/lds-bindings": "^1.444.0",
+        "@salesforce/lds-instrumentation": "^1.444.0",
+        "@salesforce/lds-network-adapter": "^1.444.0",
+        "@salesforce/lds-network-aura": "^1.444.0",
+        "@salesforce/lds-network-fetch": "^1.444.0",
         "jwt-encode": "1.0.1"
     },
     "dependencies": {
-        "@conduit-client/command-aura-graphql-normalized-cache-control": "3.22.0",
-        "@conduit-client/command-aura-network": "3.22.0",
-        "@conduit-client/command-aura-normalized-cache-control": "3.22.0",
-        "@conduit-client/command-aura-resource-cache-control": "3.22.0",
-        "@conduit-client/command-fetch-network": "3.22.0",
-        "@conduit-client/command-http-graphql-normalized-cache-control": "3.22.0",
-        "@conduit-client/command-http-normalized-cache-control": "3.22.0",
-        "@conduit-client/command-ndjson": "3.22.0",
-        "@conduit-client/command-network": "3.22.0",
-        "@conduit-client/command-sse": "3.22.0",
-        "@conduit-client/command-streaming": "3.22.0",
-        "@conduit-client/service-aura-network": "3.22.0",
-        "@conduit-client/service-bindings-imperative": "3.22.0",
-        "@conduit-client/service-bindings-lwc": "3.22.0",
-        "@conduit-client/service-cache": "3.22.0",
-        "@conduit-client/service-cache-control": "3.22.0",
-        "@conduit-client/service-cache-inclusion-policy": "3.22.0",
-        "@conduit-client/service-config": "3.22.0",
-        "@conduit-client/service-feature-flags": "3.22.0",
-        "@conduit-client/service-fetch-network": "3.22.0",
-        "@conduit-client/service-instrument-command": "3.22.0",
-        "@conduit-client/service-pubsub": "3.22.0",
-        "@conduit-client/service-renewable-resource-manager": "3.22.0",
-        "@conduit-client/service-store": "3.22.0",
-        "@conduit-client/utils": "3.22.0",
-        "@luvio/network-adapter-composable": "0.160.5",
-        "@luvio/network-adapter-fetch": "0.160.5",
+        "@conduit-client/command-aura-graphql-normalized-cache-control": "3.23.1",
+        "@conduit-client/command-aura-network": "3.23.1",
+        "@conduit-client/command-aura-normalized-cache-control": "3.23.1",
+        "@conduit-client/command-aura-resource-cache-control": "3.23.1",
+        "@conduit-client/command-fetch-network": "3.23.1",
+        "@conduit-client/command-http-graphql-normalized-cache-control": "3.23.1",
+        "@conduit-client/command-http-normalized-cache-control": "3.23.1",
+        "@conduit-client/command-ndjson": "3.23.1",
+        "@conduit-client/command-network": "3.23.1",
+        "@conduit-client/command-sse": "3.23.1",
+        "@conduit-client/command-streaming": "3.23.1",
+        "@conduit-client/jwt-manager": "3.23.1",
+        "@conduit-client/service-aura-network": "3.23.1",
+        "@conduit-client/service-bindings-imperative": "3.23.1",
+        "@conduit-client/service-bindings-lwc": "3.23.1",
+        "@conduit-client/service-cache": "3.23.1",
+        "@conduit-client/service-cache-control": "3.23.1",
+        "@conduit-client/service-cache-inclusion-policy": "3.23.1",
+        "@conduit-client/service-config": "3.23.1",
+        "@conduit-client/service-feature-flags": "3.23.1",
+        "@conduit-client/service-fetch-network": "3.23.1",
+        "@conduit-client/service-instrument-command": "3.23.1",
+        "@conduit-client/service-pubsub": "3.23.1",
+        "@conduit-client/service-renewable-resource-manager": "3.23.1",
+        "@conduit-client/service-store": "3.23.1",
+        "@conduit-client/utils": "3.23.1",
+        "@luvio/network-adapter-composable": "0.161.0",
+        "@luvio/network-adapter-fetch": "0.161.0",
         "@lwc/state": "^0.29.0",
-        "@salesforce/lds-adapters-onestore-graphql": "^1.443.0",
+        "@salesforce/lds-adapters-onestore-graphql": "^1.444.0",
         "@salesforce/lds-adapters-uiapi-lex": "^1.415.0",
-        "@salesforce/lds-durable-storage": "^1.443.0",
-        "@salesforce/lds-luvio-service": "^1.443.0",
-        "@salesforce/lds-luvio-uiapi-records-service": "^1.443.0"
+        "@salesforce/lds-durable-storage": "^1.444.0",
+        "@salesforce/lds-luvio-service": "^1.444.0",
+        "@salesforce/lds-luvio-uiapi-records-service": "^1.444.0"
     },
     "luvioBundlesize": [
         {
             "path": "./dist/ldsEngineCreator.js",
             "maxSize": {
-                "none": "390 kB",
+                "none": "410 kB",
                 "min": "190 kB",
-                "compressed": "65.5 kB"
+                "compressed": "71 kB"
             }
         }
     ],