Migrate issueSyncToken serverless endpoint to lambdas/account-scoped

[Copilot]

Migrates issueSyncToken from the Twilio Serverless runtime into the lambdas/account-scoped package, placing the handler at the root of src/ per the issue spec. Also wires up the client-side call in plugin-hrm-form to support toggling between the legacy serverless endpoint and the new lambda via a feature flag.

Changes

lambdas/account-scoped

• src/issueSyncToken.ts — New handler issuing a Twilio Sync JWT (SyncGrant) for the authenticated worker's identity. Uses getSyncServiceSid from @tech-matters/twilio-configuration and shared API key/secret helpers. Errors propagate to the top-level handler rather than being caught locally.
• src/router.ts — Registers issueSyncToken route with validateFlexTokenRequest({ tokenMode: 'agent' }) pipeline (mirrors the original TokenValidator wrapper).
• src/validation/flexToken.ts — Adds identity?: string to TokenValidatorResponse to expose the caller identity from the validated Flex token.
• src/webchatAuthentication/createToken.ts — Exports getApiKey alongside the existing getApiSecret to avoid duplication; createToken updated to use the exported helper.
• tests/unit/issueSyncToken.test.ts — Unit tests covering success path and missing identity (400).

plugin-hrm-form

• src/services/SyncService.ts — Moves the issueSyncToken client call from ServerlessService.ts into SyncService.ts (as a private function). Reads the use_twilio_lambda_to_issue_sync_token feature flag to toggle between the legacy serverless endpoint and the new lambda endpoint.
• src/services/ServerlessService.ts — Removes issueSyncToken (now handled in SyncService.ts).
• src/types/FeatureFlags.ts — Adds use_twilio_lambda_to_issue_sync_token: boolean flag to enable the new lambda endpoint for issuing sync tokens.

Checklist

• Corresponding issue has been opened
• New tests added
• Feature flags added
• Strings are localized
• Tested for chat contacts
• Tested for call contacts

Other Related Issues

None

Verification steps

1. Deploy to a dev environment and confirm the POST /lambda/twilio/account-scoped/{accountSid}/issueSyncToken endpoint returns a valid Twilio Sync JWT when called with a valid Flex agent token.
2. Set use_twilio_lambda_to_issue_sync_token: true in the Flex service configuration feature flags and confirm the plugin uses the new lambda endpoint.
3. Confirm that without the flag (or with it set to false), the legacy serverless endpoint is used.

AFTER YOU MERGE

1. Cut a release tag using the Github workflow. Wait for it to complete and notify in the #aselo-deploys Slack channel.
2. Comment on the ticket with the release tag version AND any additional instructions required to configure an environment to test the changes.
3. Only then move the ticket into the QA column in JIRA

You are responsible for ensuring the above steps are completed. If you move a ticket into QA without advising what version to test, the QA team will assume the latest tag has the changes. If it does not, the following confusion is on you! :-P

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Migrate the last two remaining serverless endpoints into the lambdas/account-scoped</issue_title>
<issue_description>## Description

Migrate the following twilio serverless endpoint into the lambdas/account-scoped

https://github.com/techmatters/serverless/blob/master/functions/issueSyncToken.ts

place this in the root of the source directory

Additional context

Follow the same patterns as for other endpoints that have been migrated

For example, https://github.com/techmatters/serverless/blob/master/functions/getTaskAndReservations.ts was recently migrated to https://github.com/techmatters/flex-plugins/blob/master/lambdas/account-scoped/src/task/getTaskAndReservations.ts

Note how when a TokenValidator wrapper is used in the serverless version, a validateFlexTokenRequest item needs to be added to the request pipeline for the route in account-scoped
</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Migrate the last two remaining serverless endpoints into the lambdas/account-scoped #3994

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[stephenhand]

Fit the linter error in the test file

[stephenhand]

This try ... catch wrapper is redundant as it duplicates the error handling further up the stack

[Copilot]

Removed the try/catch — errors now propagate to the top-level handler in index.ts. Updated the corresponding test to expect a rejects.toThrow instead. Done in b8250d7.

[Copilot]

Fit the linter error in the test file

Fixed in b8250d7 — the import list is now formatted across separate lines as prettier requires.

[stephenhand]

Move the issueSyncToken client method from ServerlessService.ts to SyncService.ts

Add a feature flag called use_twilio_lambda_to_issue_sync_token to toggle using the legacy or new endpoint for issuing sync tokens. If the flag is set, use the new endpoint

[Copilot]

Move the issueSyncToken client method from ServerlessService.ts to SyncService.ts

Add a feature flag called use_twilio_lambda_to_issue_sync_token to toggle using the legacy or new endpoint for issui...

Done in 9981e0c:

• issueSyncToken moved from ServerlessService.ts to SyncService.ts as a private function (no longer exported since it's only used internally by setUpSyncClient)
• use_twilio_lambda_to_issue_sync_token feature flag added to FeatureFlags.ts
• When the flag is set, fetchProtectedApi is called with useTwilioLambda: true, routing to the new lambda endpoint; otherwise it uses the legacy serverless endpoint