@adcp/sdk 8.1.0-beta.13 → 8.1.0-beta.14

package/dist/lib/upstream-recorder/recorder.js

@@ -4,11 +4,17 @@
  * surface and `./README` (file header on `index.ts`) for the why.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.PayloadDigestError = void 0;
 exports.createUpstreamRecorder = createUpstreamRecorder;
+exports.computePayloadDigestSha256 = computePayloadDigestSha256;
 exports.toQueryUpstreamTrafficResponse = toQueryUpstreamTrafficResponse;
 const node_async_hooks_1 = require("node:async_hooks");
+const node_crypto_1 = require("node:crypto");
 const redact_secrets_1 = require("../utils/redact-secrets");
 const glob_1 = require("../utils/glob");
+const jcs_1 = require("../utils/jcs");
+const json_depth_1 = require("../utils/json-depth");
+const constants_1 = require("./constants");
 const types_1 = require("./types");
 const DEFAULT_BUFFER_SIZE = 1000;
 const DEFAULT_TTL_MS = 60 * 60 * 1000; // 1h
@@ -16,6 +22,23 @@ const DEFAULT_QUERY_LIMIT = 100;
 const DEFAULT_MAX_PAYLOAD_BYTES = 65_536; // mirrors spec's `recorded_calls[].payload.maxLength`
 const MAX_BUFFER_SIZE = 100_000;
 const MAX_TTL_MS = 24 * 60 * 60 * 1000; // 24h
+const VALID_PURPOSES = new Set([
+    'platform_primary',
+    'measurement',
+    'attribution',
+    'creative_serving',
+    'identity',
+    'other',
+]);
+class PayloadDigestError extends Error {
+    cause;
+    constructor(message, cause) {
+        super(message);
+        this.name = 'PayloadDigestError';
+        this.cause = cause;
+    }
+}
+exports.PayloadDigestError = PayloadDigestError;
 function clamp(n, lo, hi, fallback) {
     if (typeof n !== 'number' || !Number.isFinite(n))
         return fallback;
@@ -47,7 +70,7 @@ function createUpstreamRecorder(options = {}) {
     // is the explicit acknowledgment escape hatch for the rare adopters
     // who legitimately want recording in prod.
     warnIfEnabledInProduction();
-    const redactPattern = options.redactPattern ?? redact_secrets_1.SECRET_KEY_PATTERN;
+    const redactPattern = (0, redact_secrets_1.normalizeSecretKeyPattern)(options.redactPattern ?? redact_secrets_1.SECRET_KEY_PATTERN);
     const bufferSize = clamp(options.bufferSize, 1, MAX_BUFFER_SIZE, DEFAULT_BUFFER_SIZE);
     const ttlMs = clamp(options.ttlMs, 1, MAX_TTL_MS, DEFAULT_TTL_MS);
     const maxPayloadBytes = clamp(options.maxPayloadBytes, 0, 16 * 1024 * 1024, DEFAULT_MAX_PAYLOAD_BYTES);
@@ -94,7 +117,7 @@ function createUpstreamRecorder(options = {}) {
         const out = {};
         for (const [k, v] of Object.entries(headers)) {
             const lower = k.toLowerCase();
-            out[lower] = redactPattern.test(lower) ? '[redacted]' : v;
+            out[lower] = (0, redact_secrets_1.secretKeyPatternMatches)(redactPattern, lower) ? '[redacted]' : v;
         }
         return out;
     }
@@ -108,44 +131,20 @@ function createUpstreamRecorder(options = {}) {
      * is misleading downstream.
      */
     function applyRedactionToPayload(payload, contentType) {
-        if (payload === undefined || payload === null)
-            return { value: payload, bytes: 0 };
-        // Binary-shaped bodies — replace with a marker. Adopters that need
-        // the raw bytes recorded for diagnostics can stringify before
-        // calling `record()`.
-        if (typeof Buffer !== 'undefined' && Buffer.isBuffer(payload)) {
-            return { value: `[binary ${payload.length} bytes]`, bytes: payload.length };
-        }
-        if (typeof Blob !== 'undefined' && payload instanceof Blob) {
-            return { value: `[binary ${payload.size} bytes]`, bytes: payload.size };
-        }
-        if (payload instanceof ArrayBuffer) {
-            return { value: `[binary ${payload.byteLength} bytes]`, bytes: payload.byteLength };
-        }
-        if (ArrayBuffer.isView(payload)) {
-            return { value: `[binary ${payload.byteLength} bytes]`, bytes: payload.byteLength };
-        }
-        if (typeof payload === 'string') {
-            // Form-urlencoded redaction: parse, redact, re-stringify so
-            // `access_token=...` bodies don't slip through unredacted.
-            if (isFormUrlEncoded(contentType)) {
-                const redacted = redactFormUrlEncoded(payload, redactPattern);
-                return { value: cap(redacted, maxPayloadBytes), bytes: byteLengthOf(redacted) };
-            }
-            return { value: cap(payload, maxPayloadBytes), bytes: byteLengthOf(payload) };
-        }
-        const redacted = (0, redact_secrets_1.redactSecrets)(payload, redactPattern);
-        const json = safeStringify(redacted);
-        if (json && maxPayloadBytes > 0 && byteLengthOf(json) > maxPayloadBytes) {
-            return { value: `[truncated ${byteLengthOf(json)} bytes]`, bytes: byteLengthOf(json) };
-        }
-        return { value: redacted, bytes: json ? byteLengthOf(json) : 0 };
+        const value = normalizeRecordedPayload(payload, contentType, redactPattern, maxPayloadBytes);
+        return { value, bytes: payloadWireLength(value) };
     }
     function classifyPurpose(method, url, host, path, headers) {
         if (!purpose)
             return undefined;
         try {
-            return purpose({ method, url, host, path, headers });
+            const value = purpose({ method, url, host, path, headers });
+            if (value === undefined)
+                return undefined;
+            if (typeof value === 'string' && VALID_PURPOSES.has(value))
+                return value;
+            emitError({ kind: 'classifier_invalid_purpose', purpose: typeof value === 'string' ? value : String(value) });
+            return undefined;
         }
         catch (err) {
             emitError({ kind: 'classifier_threw', err });
@@ -167,7 +166,7 @@ function createUpstreamRecorder(options = {}) {
             }
             const redactedHeaders = applyRedactionToHeaders(input.headers);
             const purposeTag = classifyPurpose(input.method, url, host, pathPart, redactedHeaders);
-            const { value: payload } = applyRedactionToPayload(input.payload, input.content_type);
+            const { value: payload, bytes: payloadLength } = applyRedactionToPayload(input.payload, input.content_type);
             return {
                 method: input.method,
                 endpoint: `${input.method} ${url}`,
@@ -175,7 +174,9 @@ function createUpstreamRecorder(options = {}) {
                 host,
                 path: pathPart,
                 content_type: input.content_type,
+                attestation_mode: 'raw',
                 payload,
+                payload_length: payloadLength,
                 timestamp: new Date(nowMs).toISOString(),
                 ...(input.status_code !== undefined && { status_code: input.status_code }),
                 ...(purposeTag !== undefined && { purpose: purposeTag }),
@@ -294,14 +295,27 @@ function createUpstreamRecorder(options = {}) {
                 return false;
             return true;
         });
-        const total = matched.length;
-        const items = matched.slice(0, limit).map(e => e.call);
+        const items = [];
+        let total = 0;
+        let dropped_count = 0;
+        for (const entry of matched) {
+            const projected = safeProjectRecordedCall(entry.call, params, emitError);
+            if (!projected) {
+                if (params.attestationMode === 'digest')
+                    dropped_count++;
+                continue;
+            }
+            total++;
+            if (items.length < limit)
+                items.push(projected);
+        }
         const since_timestamp = params.sinceTimestamp ?? matched[0]?.call.timestamp ?? new Date(nowMs - ttlMs).toISOString();
         return {
             items,
             total,
             truncated: total > items.length,
             since_timestamp,
+            dropped_count,
         };
     }
     function clear() {
@@ -330,6 +344,336 @@ function createUpstreamRecorder(options = {}) {
         enabled: true,
     };
 }
+function safeProjectRecordedCall(call, params, emitError) {
+    try {
+        return projectRecordedCall(call, params, emitError);
+    }
+    catch (err) {
+        emitError?.({ kind: 'digest_canonicalization_failed', method: call.method, endpoint: call.endpoint, err });
+        return null;
+    }
+}
+function projectRecordedCall(call, params, emitError) {
+    if (params.attestationMode !== 'digest')
+        return call;
+    const payloadBytes = canonicalPayloadBytes(call.payload, call.content_type);
+    const payloadDigest = sha256Hex(payloadBytes);
+    const identifierDigests = normalizeIdentifierDigests(params.identifierValueDigests);
+    const identifierScanPayload = identifierDigests.length > 0
+        ? parseJsonStringPayloadForScan(call.payload, call.content_type, emitError)
+        : undefined;
+    const matchedIdentifierDigests = identifierDigests.length > 0 && identifierScanPayload !== undefined
+        ? collectMatchedStringLeafDigests(identifierScanPayload, new Set(identifierDigests))
+        : undefined;
+    const identifier_match_proofs = identifierDigests.length > 0 && matchedIdentifierDigests
+        ? identifierDigests.map(digest => ({
+            identifier_value_sha256: digest,
+            found: matchedIdentifierDigests.has(digest),
+        }))
+        : undefined;
+    return {
+        method: call.method,
+        endpoint: call.endpoint,
+        url: call.url,
+        host: call.host,
+        path: call.path,
+        content_type: call.content_type,
+        attestation_mode: 'digest',
+        payload_digest_sha256: payloadDigest,
+        payload_length: byteLengthOf(payloadBytes),
+        timestamp: call.timestamp,
+        ...(call.status_code !== undefined && { status_code: call.status_code }),
+        ...(call.purpose !== undefined && { purpose: call.purpose }),
+        ...(identifier_match_proofs !== undefined && { identifier_match_proofs }),
+    };
+}
+function normalizeIdentifierDigests(input) {
+    if (!Array.isArray(input))
+        return [];
+    const out = [];
+    for (const value of input) {
+        if (typeof value !== 'string' || !/^[a-f0-9]{64}$/.test(value))
+            continue;
+        if (!out.includes(value))
+            out.push(value);
+        if (out.length >= constants_1.IDENTIFIER_DIGEST_LIMIT)
+            break;
+    }
+    return out;
+}
+function collectMatchedStringLeafDigests(root, wantedDigests) {
+    const matched = new Set();
+    const stack = [{ value: root, depth: 0 }];
+    while (stack.length > 0) {
+        const { value, depth } = stack.pop();
+        if (depth > json_depth_1.MAX_JSON_DEPTH)
+            continue;
+        if (typeof value === 'string') {
+            const digest = sha256Hex(value);
+            if (wantedDigests.has(digest)) {
+                matched.add(digest);
+                if (matched.size === wantedDigests.size)
+                    break;
+            }
+        }
+        else if (Array.isArray(value)) {
+            for (const item of value)
+                stack.push({ value: item, depth: depth + 1 });
+        }
+        else if (value !== null && typeof value === 'object') {
+            for (const item of Object.values(value)) {
+                stack.push({ value: item, depth: depth + 1 });
+            }
+        }
+    }
+    return matched;
+}
+function parseJsonStringPayloadForScan(payload, contentType, emitError) {
+    if (!isJsonContentType(contentType))
+        return undefined;
+    if (typeof payload !== 'string')
+        return payload;
+    try {
+        return JSON.parse(payload);
+    }
+    catch (err) {
+        emitError?.({ kind: 'json_payload_parse_failed', content_type: contentType, err });
+        return payload;
+    }
+}
+function canonicalPayloadBytes(payload, contentType) {
+    if (isJsonContentType(contentType)) {
+        if (typeof payload === 'string') {
+            let parsed;
+            try {
+                parsed = JSON.parse(payload);
+            }
+            catch {
+                return payload;
+            }
+            return canonicalJsonStringify(parsed);
+        }
+        return canonicalJsonStringify(payload);
+    }
+    if (typeof payload === 'string')
+        return payload;
+    return safeStringify(payload) ?? '';
+}
+function canonicalJsonStringify(value) {
+    assertJsonDepth(value);
+    return (0, jcs_1.canonicalize)(value);
+}
+function assertJsonDepth(root) {
+    const stack = [{ value: root, depth: 0 }];
+    while (stack.length > 0) {
+        const { value, depth } = stack.pop();
+        if (depth > json_depth_1.MAX_JSON_DEPTH) {
+            throw new RangeError(`JSON payload exceeds max canonicalization depth ${json_depth_1.MAX_JSON_DEPTH}`);
+        }
+        if (Array.isArray(value)) {
+            for (const item of value)
+                stack.push({ value: item, depth: depth + 1 });
+        }
+        else if (value !== null && typeof value === 'object') {
+            for (const item of Object.values(value)) {
+                stack.push({ value: item, depth: depth + 1 });
+            }
+        }
+    }
+}
+function sha256Hex(value) {
+    return (0, node_crypto_1.createHash)('sha256').update(value, 'utf8').digest('hex');
+}
+function computePayloadDigestSha256(payload, contentType = 'application/json', options = redact_secrets_1.SECRET_KEY_PATTERN) {
+    const redactPattern = options instanceof RegExp || options === false
+        ? options === false
+            ? false
+            : (0, redact_secrets_1.normalizeSecretKeyPattern)(options)
+        : options?.prenormalized
+            ? false
+            : options?.redactPattern === false
+                ? false
+                : (0, redact_secrets_1.normalizeSecretKeyPattern)(options?.redactPattern ?? redact_secrets_1.SECRET_KEY_PATTERN);
+    const prenormalizedSafetyPattern = typeof options === 'object' &&
+        options !== null &&
+        !(options instanceof RegExp) &&
+        options.redactPattern instanceof RegExp
+        ? (0, redact_secrets_1.normalizeSecretKeyPattern)(options.redactPattern)
+        : redact_secrets_1.SECRET_KEY_PATTERN;
+    const maxPayloadBytes = typeof options === 'object' && options !== null && !(options instanceof RegExp)
+        ? clamp(options.maxPayloadBytes, 0, 16 * 1024 * 1024, DEFAULT_MAX_PAYLOAD_BYTES)
+        : DEFAULT_MAX_PAYLOAD_BYTES;
+    try {
+        if (typeof options === 'object' &&
+            options !== null &&
+            !(options instanceof RegExp) &&
+            options.redactPattern === false &&
+            options.prenormalized !== true) {
+            throw new PayloadDigestError('PayloadDigestOptions.redactPattern=false requires prenormalized=true');
+        }
+        const payloadForDigest = redactPattern === false
+            ? assertPrenormalizedPayloadSafe(payload, contentType, prenormalizedSafetyPattern)
+            : normalizeRecordedPayload(normalizeFetchPayloadInput(payload, contentType), contentType, redactPattern, maxPayloadBytes);
+        return sha256Hex(canonicalPayloadBytes(payloadForDigest, contentType));
+    }
+    catch (err) {
+        if (err instanceof PayloadDigestError)
+            throw err;
+        throw new PayloadDigestError(err instanceof Error ? err.message : 'Payload digest canonicalization failed', err);
+    }
+}
+function assertPrenormalizedPayloadSafe(payload, contentType, pattern) {
+    let scanTarget = payload;
+    if (typeof payload === 'string' && isJsonContentType(contentType)) {
+        try {
+            scanTarget = JSON.parse(payload);
+        }
+        catch {
+            throw new PayloadDigestError('Prenormalized JSON payload is malformed; hash the recorder-normalized payload or omit prenormalized.');
+        }
+    }
+    else if (typeof payload === 'string' && isFormUrlEncoded(contentType)) {
+        assertPrenormalizedFormUrlEncodedSafe(payload, pattern);
+        return payload;
+    }
+    const unsafePath = findUnredactedSecretPath(scanTarget, pattern);
+    if (unsafePath) {
+        throw new PayloadDigestError(`Prenormalized payload contains unredacted secret-shaped key "${unsafePath}"; hash the recorder-normalized payload or omit prenormalized.`);
+    }
+    return payload;
+}
+function assertPrenormalizedFormUrlEncodedSafe(body, pattern) {
+    const seenSecretKeys = new Set();
+    const params = Array.from(new URLSearchParams(body));
+    for (const [key] of params) {
+        if (!(0, redact_secrets_1.secretKeyPatternMatches)(pattern, key))
+            continue;
+        const normalizedKey = key.toLowerCase();
+        if (seenSecretKeys.has(normalizedKey)) {
+            throw new PayloadDigestError(`Prenormalized form payload contains duplicate secret-shaped key "${key}"; hash the recorder-normalized payload or omit prenormalized.`);
+        }
+        seenSecretKeys.add(normalizedKey);
+    }
+    for (const [key, value] of params) {
+        if (!(0, redact_secrets_1.secretKeyPatternMatches)(pattern, key))
+            continue;
+        if (!isSafelyRedactedSecretValue(value)) {
+            throw new PayloadDigestError(`Prenormalized payload contains unredacted secret-shaped key "${key}"; hash the recorder-normalized payload or omit prenormalized.`);
+        }
+    }
+}
+function findUnredactedSecretPath(value, pattern) {
+    const stack = [{ value, path: '' }];
+    const seen = new WeakSet();
+    while (stack.length > 0) {
+        const { value: current, path } = stack.pop();
+        if (!current || typeof current !== 'object')
+            continue;
+        if (seen.has(current))
+            continue;
+        seen.add(current);
+        if (Array.isArray(current)) {
+            for (let i = current.length - 1; i >= 0; i--) {
+                stack.push({ value: current[i], path: `${path}[${i}]` });
+            }
+            continue;
+        }
+        const entries = Object.entries(current);
+        for (let i = entries.length - 1; i >= 0; i--) {
+            const [key, childValue] = entries[i];
+            const childPath = path ? `${path}.${key}` : key;
+            if ((0, redact_secrets_1.secretKeyPatternMatches)(pattern, key) && !isSafelyRedactedSecretValue(childValue))
+                return childPath;
+            stack.push({ value: childValue, path: childPath });
+        }
+    }
+    return null;
+}
+function isSafelyRedactedSecretValue(value) {
+    return value === '[redacted]' || value === null;
+}
+function normalizeFetchPayloadInput(payload, contentType) {
+    if (payload === undefined)
+        return undefined;
+    if (typeof payload === 'string') {
+        if (!isJsonContentType(contentType))
+            return payload;
+        try {
+            return JSON.parse(payload);
+        }
+        catch {
+            return payload;
+        }
+    }
+    if (payload instanceof URLSearchParams)
+        return payload.toString();
+    if (typeof FormData !== 'undefined' && payload instanceof FormData) {
+        const out = {};
+        payload.forEach((v, k) => {
+            out[k] = typeof v === 'string' ? v : '[file]';
+        });
+        return out;
+    }
+    return payload;
+}
+function normalizeRecordedPayload(payload, contentType, redactPattern, maxPayloadBytes) {
+    if (payload === undefined) {
+        // Raw-mode `RecordedCall.payload` is required by the 3.1 controller
+        // response schema. GET/HEAD-style calls with no body therefore emit an
+        // empty object instead of omitting the field.
+        return {};
+    }
+    if (payload === null)
+        return payload;
+    // Binary-shaped bodies — replace with a marker. Adopters that need
+    // the raw bytes recorded for diagnostics can stringify before
+    // calling `record()`.
+    if (typeof Buffer !== 'undefined' && Buffer.isBuffer(payload)) {
+        return `[binary ${payload.length} bytes]`;
+    }
+    if (typeof Blob !== 'undefined' && payload instanceof Blob) {
+        return `[binary ${payload.size} bytes]`;
+    }
+    if (payload instanceof ArrayBuffer) {
+        return `[binary ${payload.byteLength} bytes]`;
+    }
+    if (ArrayBuffer.isView(payload)) {
+        return `[binary ${payload.byteLength} bytes]`;
+    }
+    if (typeof payload === 'string') {
+        if (isJsonContentType(contentType)) {
+            let parsed;
+            try {
+                parsed = JSON.parse(payload);
+            }
+            catch {
+                // Malformed JSON strings remain raw strings so diagnostics keep the
+                // original body shape instead of pretending the payload was absent.
+                return cap(redactJsonLikeSecretValues(payload, redactPattern), maxPayloadBytes);
+            }
+            const redacted = (0, redact_secrets_1.redactSecrets)(parsed, redactPattern);
+            assertJsonDepth(redacted);
+            const json = safeStringify(redacted);
+            if (json && maxPayloadBytes > 0 && byteLengthOf(json) > maxPayloadBytes) {
+                return `[truncated ${byteLengthOf(json)} bytes]`;
+            }
+            return redacted;
+        }
+        // Form-urlencoded redaction: parse, redact, re-stringify so
+        // `access_token=...` bodies don't slip through unredacted.
+        if (isFormUrlEncoded(contentType)) {
+            return cap(redactFormUrlEncoded(payload, redactPattern), maxPayloadBytes);
+        }
+        return cap(payload, maxPayloadBytes);
+    }
+    const redacted = (0, redact_secrets_1.redactSecrets)(payload, redactPattern);
+    assertJsonDepth(redacted);
+    const json = safeStringify(redacted);
+    if (json && maxPayloadBytes > 0 && byteLengthOf(json) > maxPayloadBytes) {
+        return `[truncated ${byteLengthOf(json)} bytes]`;
+    }
+    return redacted;
+}
 /**
  * Project a `recorder.query()` result onto the spec wire shape returned
  * by `comply_test_controller`'s `query_upstream_traffic` scenario
@@ -375,7 +719,8 @@ function makeNoopRecorder() {
             items: [],
             total: 0,
             truncated: false,
-            since_timestamp: params.sinceTimestamp ?? '',
+            since_timestamp: params.sinceTimestamp ?? new Date(0).toISOString(),
+            dropped_count: 0,
         }),
         clear: () => undefined,
         debug: () => ({
@@ -419,7 +764,13 @@ async function readBody(input, init, contentType) {
     }
     else if (input instanceof Request) {
         try {
-            raw = await input.clone().text();
+            const clone = input.clone();
+            if (contentTypeBase(contentType) === 'multipart/form-data') {
+                raw = await clone.formData();
+            }
+            else {
+                raw = await clone.text();
+            }
         }
         catch {
             raw = undefined;
@@ -459,23 +810,23 @@ async function readBody(input, init, contentType) {
     return String(raw);
 }
 function isJsonContentType(contentType) {
-    if (!contentType)
-        return false;
-    const base = contentType.split(';')[0]?.trim().toLowerCase() ?? '';
+    const base = contentTypeBase(contentType);
     return base === 'application/json' || /\+json$/.test(base);
 }
 function isFormUrlEncoded(contentType) {
+    return contentTypeBase(contentType) === 'application/x-www-form-urlencoded';
+}
+function contentTypeBase(contentType) {
     if (!contentType)
-        return false;
-    const base = contentType.split(';')[0]?.trim().toLowerCase() ?? '';
-    return base === 'application/x-www-form-urlencoded';
+        return '';
+    return contentType.split(';')[0]?.trim().toLowerCase() ?? '';
 }
 function redactFormUrlEncoded(body, pattern) {
     try {
         const params = new URLSearchParams(body);
         const out = new URLSearchParams();
         params.forEach((v, k) => {
-            out.append(k, pattern.test(k.toLowerCase()) ? '[redacted]' : v);
+            out.append(k, (0, redact_secrets_1.secretKeyPatternMatches)(pattern, k.toLowerCase()) ? '[redacted]' : v);
         });
         return out.toString();
     }
@@ -483,6 +834,102 @@ function redactFormUrlEncoded(body, pattern) {
         return body;
     }
 }
+function redactJsonLikeSecretValues(body, pattern) {
+    // Best-effort diagnostic scrub for malformed JSON strings. The output is
+    // not guaranteed to be valid JSON; the invariant is that secret-shaped keys
+    // with scalar/string values are not stored verbatim. Because malformed JSON
+    // has no trustworthy parse tree, object/array-valued secret entries are
+    // replaced wholesale rather than traversed.
+    let out = '';
+    let i = 0;
+    while (i < body.length) {
+        if (body[i] !== '"') {
+            out += body[i++];
+            continue;
+        }
+        const keyToken = readJsonStringToken(body, i);
+        if (!keyToken) {
+            out += body.slice(i);
+            break;
+        }
+        let colon = keyToken.end;
+        while (colon < body.length && isJsonWhitespace(body[colon]))
+            colon++;
+        if (body[colon] !== ':') {
+            out += body.slice(i, keyToken.end);
+            i = keyToken.end;
+            continue;
+        }
+        let key;
+        try {
+            key = JSON.parse(keyToken.literal);
+        }
+        catch {
+            out += body.slice(i, keyToken.end);
+            i = keyToken.end;
+            continue;
+        }
+        const valueStart = colon + 1;
+        let value = valueStart;
+        while (value < body.length && isJsonWhitespace(body[value]))
+            value++;
+        out += body.slice(i, value);
+        if (typeof key !== 'string' || !(0, redact_secrets_1.secretKeyPatternMatches)(pattern, key)) {
+            i = value;
+            continue;
+        }
+        out += '"[redacted]"';
+        i = skipJsonLikeValue(body, value);
+    }
+    return out;
+}
+function readJsonStringToken(input, start) {
+    for (let i = start + 1; i < input.length; i++) {
+        const ch = input[i];
+        if (ch === '"')
+            return { literal: input.slice(start, i + 1), end: i + 1 };
+        if (ch === '\\')
+            i++;
+    }
+    return null;
+}
+function skipJsonLikeValue(input, start) {
+    if (input[start] === '"') {
+        const token = readJsonStringToken(input, start);
+        return token?.end ?? input.length;
+    }
+    if (input[start] === '[' || input[start] === '{') {
+        const opener = input[start];
+        const closer = opener === '[' ? ']' : '}';
+        let depth = 0;
+        for (let i = start; i < input.length; i++) {
+            const ch = input[i];
+            if (ch === '"') {
+                const token = readJsonStringToken(input, i);
+                if (!token)
+                    return input.length;
+                i = token.end - 1;
+                continue;
+            }
+            if (ch === opener)
+                depth++;
+            if (ch === closer) {
+                depth--;
+                if (depth === 0)
+                    return i + 1;
+            }
+        }
+        return input.length;
+    }
+    let i = start;
+    while (i < input.length && input[i] !== ',' && input[i] !== '}' && input[i] !== ']' && !isJsonWhitespace(input[i])) {
+        i++;
+    }
+    return i;
+}
+function isJsonWhitespace(ch) {
+    return ch === ' ' || ch === '\n' || ch === '\r' || ch === '\t';
+}
 function safeStringify(value) {
     try {
         return JSON.stringify(value);
@@ -497,6 +944,12 @@ function byteLengthOf(s) {
     // Fallback — rough UTF-16 count.
     return s.length;
 }
+function payloadWireLength(value) {
+    if (typeof value === 'string')
+        return byteLengthOf(value);
+    const json = safeStringify(value);
+    return json ? byteLengthOf(json) : 0;
+}
 function cap(s, maxBytes) {
     if (maxBytes <= 0)
         return s;